Monitor activity

💡 10 min read

Learn about the API endpoints that you can use to monitor the platform activity


In Onna you can keep track of the platform activity using two endpoints: @activityLog and @auditLog. Both return data of the events tracked in JSON format and have date filtering options for more granular tracking of activities. With these endpoints you can retrieve logs and export them into a tool of your choice.

These endpoints differ in the type of activity they track and in how you interact with them to retrieve the events. Read on to learn more about them.

Info

Access to both endpoints requires a service account. Contact support[at]onna.com to request one.


# The @activityLog endpoint

The @activityLog endpoint focuses on tracking user interactions with the Onna UI, such as elements users click on, like the navigation bar. For this reason, this endpoint returns very verbose results.

You can retrieve the events recorded by making a GET request to the endpoint.

The name of an event is returned as a value of the action parameter. Additional information about the event, along with some user login information, is returned in the payload parameter in JSON format.

For further information, check the table with examples of what events are logged.

# Filtering the @activityLog endpoint's data

When queried, the endpoint will return all the records for every user in your account. However, you can filter the period of the results by adding the epoch_from and epoch_to parameters to your query.

TIP

The @activityLog endpoint supports dates in Unix time format with a precision of seconds. You can use tools like Epoch Converter to convert them.

# @activityLog endpoint request examples

In this section you can find examples of common filtering use cases for the @activityLog endpoint.

Always remember to include your bearer token in the request.

# Filter the activity log by date

This example shows how to filter results by date when sending a request to the @activityLog endpoint.

For example, you can send a request like:

curl --request GET 'https://enterprise.onna.com/ACMECORP/ACMECORP/@activityLog?epoch_from=1562684703&epoch_to=1562857503' \
--header 'Authorization: Bearer dem0d3moOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE2MDc2MDIwODAsImV4cCI6MTYwODIwNjg4MCwidG9rZW4iOiIxZjNmMjFhYTZkZDU0NWM1OGFjMjgzOTRmMmMyMGJmOSIsImxvZ2luIjoic3RlZmFub0Bvc2NpbGxhdG9yLmVzIiwibmFtZSI6IlN0ZWZhbm8iLCJzdXBlcnVzZXIiOmZhbHNlLCJhaWQiOm51bGwsInN1YiI6InN0ZWZhbm9Ab3NjaWxsYXRvci5lcyIsImF2IjoxLCJndCI6ImF1dGhvcml6YXRpb25fY29kZSJ9.gemyMZfMTmjoWG-bnfJ6ts0u4defsb59P2Pf4kefAke'

You will obtain a response like:

[
    {
        "_index": "user-activity-account-2019-07-11",
        "_type": "doc",
        "_id": "f4k3kN8cdf4k3ma3f4k3",
        "_score": null,
        "_source": {
            "type": "log",
            "action": "nav-menu-opened",
            "payload": {
                "session-timestamp": 1562857496133,
                "route": "/dashboard/workspace/list",
                "element": "nav-menu-opened",
                "x": 42,
                "y": 42,
                "width": 1280,
                "height": 1024,
                "user_hash": "[sha256]f4k32a374c4f4k364311f4k3dcaf4k32836f4k33fe9f4k3e1f4k32ef4k37f4k3",
                "user": "acmeuser@acmecorp.com",
                "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/76.0.3809.62 Safari/537.36",
                "origin": "https://enterprise.onna.com/ACMECORP",
                "session-id": "f4k3147335df4k30b48ef4k3f684f4k3",
                "account": "ACMECORP"
            },
            "date": "2019-07-11",
            "@timestamp": "1562857496000"
        },
        "sort": [
            1562857496000
        ]
    },
    {
        "_index": "user-activity-account-2019-07-11",
        "_type": "doc",
        "_id": "AWvhkNsQdgM3tma3FpB8",
        "_score": null,
        "_source": {
            "type": "log",
            "action": "tracking-session",
            "payload": {
                "screen-width": 1440,
                "screen-height": 900,
                "os": "MacIntel",
                "browser": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/76.0.3809.62 Safari/537.36",
                "user_hash": "[sha256]3f4k32a374c4f4k364311f4k3dcaf4k32836f4k33fe9f4k3e1f4k32ef4k37f4k3",
                "user": "acmeuser@acmecorp.com",
                "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/76.0.3809.62 Safari/537.36",
                "origin": "https://enterprise.onna.com/ACMECORP",
                "session-id": "f4k3147335df4k30b48ef4k3f684f4k3",
                "account": "ACMECORP"
            },
            "date": "2019-07-11",
            "@timestamp": "1562857495000"
        },
        "sort": [
            1562857495000
        ]
    },
    {
        "_index": "user-activity-account-2019-07-11",
        "_type": "doc",
        "_id": "AWvhkMu-dgM3tma3Foru",
        "_score": null,
        "_source": {
            "type": "log",
            "action": "tracking-session",
            "payload": {
                "screen-width": 1440,
                "screen-height": 900,
                "os": "MacIntel",
                "browser": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/76.0.3809.62 Safari/537.36",
                "user_hash": "[sha256]30b52a374c4a20b643114e69dca39012836474r3fe91916e1dcdd2e1d5b784a9",
                "user": "robot.integration.test@gmail.com",
                "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/76.0.3809.62 Safari/537.36",
                "origin": "https://enterprise.onna.com/ACMECORP",
                "session-id": "37c8358bd3174e2da82f3341faa2bd60",
                "account": "account"
            },
            "date": "2019-07-11",
            "@timestamp": "1562857491000"
        },
        "sort": [
            1562857491000
        ]
    }
]

# What's logged by the @activityLog endpoint

This table contains the details of some events logged by the @activityLog endpoint.

| Event | Description |
| --- | --- |
| add-gdrive-datasource | A GDrive Datasource has been added |
| add-workplace-datasource | When a new Datasource is added to a workspace |
| advanced-search-edit | The advanced search form has been edited |
| advanced-search-submit-advSearchForm | Advanced search form was submitted |
| confirm-deletion | When an item is about to be deleted |
| confirm-label group-deletion | A group label has been deleted |
| confirm-label-deletion | A single label has been deleted |
| confirm-source-deletion | A source has been deleted |
| confirm-user-deletion | The confirmation for deleting a user has been shown |
| export-created | Export has been deleted |
| exports-IMetadata | Metadata selection screen has been shown when creating an Export |
| exports-IOrigin | When an export is being built, it needs to determine the Origin |
| exports-load-file-format | When an export is being built, it needs to determine the file format of its contents |
| group-added | When a user adds a group |
| login | A user has logged in |
| logout | A user has logged out |
| nav-menu-add-workspace | A user has clicked on the add workspace UI element |
| nav-menu-admin-users-management | The navigation menu that leads to the user management screens |
| nav-menu-advanced-search | A user has clicked on the advanced search menu item |
| nav-menu-closed | A user has clicked on the UI element to close the navigation menu |
| nav-menu-opened | A user has clicked on the UI element to open the navigation menu |
| nav-menu-shared-with-me | When a user clicks on the 'Shared with me' navigation button |
| nav-menu-sources | When a user clicks on the Sources navigation button |
| nav-menu-workspaces | When a user clicks on the Workspaces navigation button |
| right-toolbar-user-panel | When a user clicks on the Users navigation button |
| search | The search bar has been selected |
| search-bar-submit | A user has submitted a search query |
| sharing | A resource or source has been shared with a user |
| sharing-add-user | A previously shared resource or source has been shared with another user |
| sharing-update-sharing | A resource or source's sharing has been updated |

# The @auditLog endpoint

The @auditLog focuses on tracking CRUD activities by users on files stored in Onna, such as creating a new Slack collection. Among other values, the endpoint logs the username, URL, action, and IP addresses. For further information, check the table with examples of what events are logged.

You can retrieve the events recorded by making a POST request to the endpoint.

In the response, the action parameter describes the type of action performed on content. More granular details about the action are provided in the message parameter. The payload parameter contains user login information in JSON format.

# Filtering the @auditLog endpoint's data

Due to its more verbose logging, filtering the @auditLog endpoint requires a more complex set of information that you can refine in the request body in JSON format.

We recommend always filtering requests to the @auditLog endpoint to avoid verbose results, which may also take a long time to retrieve.

TIP

The @auditLog endpoint supports dates in Unix time format with a precision of milliseconds. You can use tools like Epoch Converter to convert them.

# @auditLog endpoint request examples

Always remember to include your bearer token and declare application/json as the content type.

# Generic request

This example shows a generic request made to the @auditLog endpoint, with the goal of showcasing the structure of the content returned in the response.

curl --request POST 'https://enterprise.onna.com/ACMECORP/ACMECORP/@auditLog' \
--header 'Authorization: Bearer dem0d3moOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE2MDc2MDIwODAsImV4cCI6MTYwODIwNjg4MCwidG9rZW4iOiIxZjNmMjFhYTZkZDU0NWM1OGFjMjgzOTRmMmMyMGJmOSIsImxvZ2luIjoic3RlZmFub0Bvc2NpbGxhdG9yLmVzIiwibmFtZSI6IlN0ZWZhbm8iLCJzdXBlcnVzZXIiOmZhbHNlLCJhaWQiOm51bGwsInN1YiI6InN0ZWZhbm9Ab3NjaWxsYXRvci5lcyIsImF2IjoxLCJndCI6ImF1dGhvcml6YXRpb25fY29kZSJ9.gemyMZfMTmjoWG-bnfJ6ts0u4defsb59P2Pf4kefAke' \
--header 'Content-Type: application/json'

You will obtain a response like:

{
    "items": [
        {
            "_index": "user-activity-account-2019-07-11",
            "_type": "doc",
            "_id": "AWvhjIEJdgM3tma3FfkT",
            "_score": null,
            "_source": {
                "type": "log",
                "date": "2019-07-11",
                "@timestamp": "2019-07-11T15:00:10.104770+00:00",
                "action": "add",
                "message": "Added SlackDatasource source: \"DEMO DATASOURCE\" (https://enterprise.onna.com/ACMECORP/acmeuser@acmecorp.com/dashboard/datasource/details/acmeuser@acmecorp.com/0bc602cd5ef9440c97789c6a91f3db65)",
                "payload": {
                    "account": "ACMECORP",
                    "ip": "12.34.56.789",
                    "method": "POST",
                    "request_url": "https://enterprsie.onna.com/api/ACMECORP/ACMECORP/acmeuser@acmecorp.com",
                    "user": "acmeuser@acmecorp.com",
                    "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36",
                    "user_name": "Acmeuser",
                    "code": "DS001",
                    "log_type": "success",
                    "category": "source",
                    "action": "add",
                    "message": "Added SlackDatasource source: \"DEMO DATASOURCE\" (https://enterprise.onna.com/ACMECORP/acmeuser@acmecorp.com/dashboard/datasource/details/acmeuser@acmecorp.com/0bc602cd5ef9440c97789c6a91f9be95)"
                }
            },
            "sort": [
                1562857210104
            ]
        },
        {
            "_index": "user-activity-account-2019-07-11",
            "_type": "doc",
            "_id": "AWvhjFmtdgM3tma3FfX9",
            "_score": null,
            "_source": {
                "type": "log",
                "date": "2019-07-11",
                "@timestamp": "2019-07-11T15:00:00.010341+00:00",
                "action": "delete",
                "message": "Deleted SlackDatasource source: \"ACMECORP\" (https://enterprise.onna.com/ACMECORP/acmeuser@acmecorp.com/dashboard/datasource/details/acmeuser@acmecorp.com/797dbb405bf84141aee36ace6fffe58e)",
                "payload": {
                    "account": "Acmeuser",
                    "ip": "12.34.56.789",
                    "method": "DELETE",
                    "request_url": "https://enterprise.onna.com/ACMECORP/acmeuser@acmecorp.com/dashboard/datasource/details/acmeuser@acmecorp.com/797dbb405bf84141aee36ace6fffe58e",
                    "user": "acmeuser@acmecorp.com",
                    "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36",
                    "user_name": "account User",
                    "code": "DS002",
                    "log_type": "success",
                    "category": "source",
                    "action": "delete",
                    "message": "Deleted SlackDatasource source: \"ACMECORP\" https://enterprise.onna.com/ACMECORP/acmeuser@acmecorp.com/dashboard/datasource/details/acmeuser@acmecorp.com/797dbb405bf84141aee36ace6fffe58e)"
                }
            },
            "sort": [
                1562857200010
            ]
        }
    ]
}

# Filter the audit log by date

This example shows how to filter requests to the @auditLog endpoint by date.

The start date of the filter is indicated by the > operator and the end date by the < operator. Provide the date values in epoch format, each compared against the @timestamp variable.

curl --request POST 'https://enterprise.onna.com/ACMECORP/ACMECORP/@auditLog' \
--header 'Authorization: Bearer dem0d3moOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE2MDc2MDIwODAsImV4cCI6MTYwODIwNjg4MCwidG9rZW4iOiIxZjNmMjFhYTZkZDU0NWM1OGFjMjgzOTRmMmMyMGJmOSIsImxvZ2luIjoic3RlZmFub0Bvc2NpbGxhdG9yLmVzIiwibmFtZSI6IlN0ZWZhbm8iLCJzdXBlcnVzZXIiOmZhbHNlLCJhaWQiOm51bGwsInN1YiI6InN0ZWZhbm9Ab3NjaWxsYXRvci5lcyIsImF2IjoxLCJndCI6ImF1dGhvcml6YXRpb25fY29kZSJ9.gemyMZfMTmjoWG-bnfJ6ts0u4defsb59P2Pf4kefAke' \
--header 'Content-Type: application/json' \
  --data-raw '{
    "size": 50,
    "sort": {
        "field": "@timestamp",
        "direction": "desc"
    },
    "advanced": {
        "and": [
            {
                ">": [
                    {
                        "var": "@timestamp"
                    },
                    1586031963641
                ]
            },
            {
                "<": [
                    {
                        "var": "@timestamp"
                    },
                    1588623963641
                ]
            }
        ]
    }
}'

# Filter by IP address

This example shows how to filter requests to the @auditLog endpoint by IP address.

You can provide the IP address in the payload.ip.keyword parameter.

curl --request POST 'https://enterprise.onna.com/ACMECORP/ACMECORP/@auditLog' \
--header 'Authorization: Bearer dem0d3moOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE2MDc2MDIwODAsImV4cCI6MTYwODIwNjg4MCwidG9rZW4iOiIxZjNmMjFhYTZkZDU0NWM1OGFjMjgzOTRmMmMyMGJmOSIsImxvZ2luIjoic3RlZmFub0Bvc2NpbGxhdG9yLmVzIiwibmFtZSI6IlN0ZWZhbm8iLCJzdXBlcnVzZXIiOmZhbHNlLCJhaWQiOm51bGwsInN1YiI6InN0ZWZhbm9Ab3NjaWxsYXRvci5lcyIsImF2IjoxLCJndCI6ImF1dGhvcml6YXRpb25fY29kZSJ9.gemyMZfMTmjoWG-bnfJ6ts0u4defsb59P2Pf4kefAke' \
--header 'Content-Type: application/json' \
--data-raw '{
    "size": 50,
    "sort": {
        "field": "@timestamp",
        "direction": "desc"
    },
    "advanced": {
        "and": [
            {
                "in": [
                    {
                        "var": "payload.ip.keyword"
                    },
                    [
                        "10.9.4.29"
                    ]
                ]
            }
        ]
    }
}'
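
The two endpoints take time in different units (@activityLog in seconds, @auditLog in milliseconds), which is easy to get wrong when scripting log exports. The following Python code is an added example, not part of the Onna documentation or codebase: it builds both sets of filter parameters from one timezone-aware datetime and flattens an @auditLog response into one record per event. The function names, the constructed SAMPLE response, and placing the date and IP conditions in a single "and" list are assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def to_epoch(dt, unit):
    """Unix time as an int: unit "s" for @activityLog, "ms" for @auditLog."""
    if dt.tzinfo is None:
        raise ValueError("pass a timezone-aware datetime")
    step = timedelta(seconds=1) if unit == "s" else timedelta(milliseconds=1)
    return (dt - EPOCH) // step  # exact integer division, no float rounding

def activity_log_params(start, end):
    """Query-string parameters for a GET to @activityLog (seconds)."""
    return {"epoch_from": to_epoch(start, "s"), "epoch_to": to_epoch(end, "s")}

def audit_log_body(start, end, ips=(), size=50):
    """JSON body for a POST to @auditLog (milliseconds), optionally limited to IPs."""
    conditions = [
        {">": [{"var": "@timestamp"}, to_epoch(start, "ms")]},
        {"<": [{"var": "@timestamp"}, to_epoch(end, "ms")]},
    ]
    if ips:  # assumption: the IP condition can share the "and" list with the dates
        conditions.append({"in": [{"var": "payload.ip.keyword"}, list(ips)]})
    return {"size": size,
            "sort": {"field": "@timestamp", "direction": "desc"},
            "advanced": {"and": conditions}}

def flatten_audit_items(response):
    """One flat record per event, suitable for writing out as JSON lines."""
    rows = []
    for item in response.get("items", []):
        src = item.get("_source", {})
        payload = src.get("payload", {})
        rows.append({"time": src.get("@timestamp"), "action": src.get("action"),
                     "user": payload.get("user"), "ip": payload.get("ip"),
                     "code": payload.get("code"), "message": src.get("message")})
    return rows

# Constructed sample response, trimmed to the fields used above.
SAMPLE = {"items": [
    {"_source": {"@timestamp": "2019-07-11T15:00:10.104770+00:00", "action": "add",
                 "message": "Added SlackDatasource source",
                 "payload": {"user": "acmeuser@acmecorp.com", "ip": "10.9.4.29", "code": "DS001"}}},
    {"_source": {"@timestamp": "2019-07-11T15:00:00.010341+00:00", "action": "delete",
                 "message": "Deleted SlackDatasource source",
                 "payload": {"user": "acmeuser@acmecorp.com", "ip": "10.9.4.29", "code": "DS002"}}},
]}

if __name__ == "__main__":
    start = datetime(2019, 7, 11, 15, 0, 0, tzinfo=timezone.utc)
    end = start + timedelta(minutes=5)
    print(activity_log_params(start, end))
    print(json.dumps(audit_log_body(start, end, ips=["10.9.4.29"])))
    print(json.dumps(flatten_audit_items(SAMPLE), indent=2))
```
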

# What's logged by the @auditLog endpoint

This table contains the details of some events logged by the @auditLog endpoint.

| Event | Description |
| --- | --- |
| Created Workspace | A user has created a Workspace |
| Custom field change | A custom field has changed on a resource or workspace |
| Datasource Added | A new source has been added |
| Datasource Failed | Syncing a source failed |
| Datasource Removed | Source has been removed due to retention policy |
| Datasource Shared | Source has been shared |
| Deleted Workspace | Source has been deleted by user action |
| Resource removed | Resource has been deleted by a user |
| Resource removed by retention policy | Resource has been removed due to retention policy |
| Resource visited | Resource was navigated to by a user |
| Resource was shared with user | Resource has been shared with a user |
| Workspace was shared with user | Workspace shared with a user |

Last Updated: 9/14/2021, 12:41:32 PM