Activity log

Activity log allows customers to store and analyse records about actions made in CROC Cloud web interface and API by all of his users.

Access

By default, the access to the Activity log service is disabled for all users. You can change permissions for this service in the Users and projects section by adding the Activity log permissions to a user for any project or by adding a user with CloudTrail administrator role to any project.

Important

Activity log permissions and CloudTrail administrator role allow users to control events in all projects of the customer, no matter for which project they’ve been given.

Definitions

Several types of entities are determined within Activity log: Events, Trails

Events

Event is a record, describing a user action. Each Event describes one request of an API method.

The important attribute of event is “Read only”. Read only events include API operations that only read the information about your resources, but don’t make changes. For example, such operations are Describe-requests, which are called every time you open almost any CROC Cloud web-interface page. Usually such events are not so important for user’s activity analysis, thats why on the “Activity log” page of web interface the default value for “Read only” filter is “No”. You can also use attribute ReadOnly for filtering when you request events via CloudTrail API.

To find the list of names of API methods, which are logging in Activity log see:

Examples of match of user actions and API methods

API method name User action
ModifyInstanceAttribute Changing instance attributes (description, user data, instance type)
AssociateAddress Elastic IP address association with an instance or a network interface
CreateNetworkAclEntry Creating a rule in the Network ACL
AuthorizeSecurityGroupIngress Creating an ingress rule in the security group
CreateVpnConnection Creating a VPN connection
PutMetricAlarm Creating/updating an alarm
CreateTrail Creating a trail
Event stores in JSON format and contains: user name, request parameters, etc.
By default, the Events are stored 30 days.

A detailed description of Event

Trails

Trail is a configuration of saving events in the bucket of object storage. Trail instructs Cloud to save events, made by every customer’s user into specified bucket. Events are saving each 5 minutes as a tar.gz archive. To create a Trail that will save events of all customer’s projects, the user must have File service permissions in the project, where the bucket for archives storing is located. Otherwise the The AWS Access Key Id you provided does not exist in our records error will be displayed.

A detailed description of Trail structure

The “Activity log” tab

Use Activity log for a detailed analysis of the events in your projects and security monitoring of last 30 days. To analyse gathered data you can apply simple filters, use a case sensitive search on page Events or download formats CSV or JSON. The downloading of data for the last 30 days can take some time. To decrease the number of records to download, use a certain filter or time period. You can also aggregate and store the activity logs in the object storage. For the additional information go to Trails.

Use cases

Here are some examples of a possible use of Activity log:

  1. If you need to find the user who has made some actions on entities, e.g. has stopped instances with DB in one or some projects, on page Events choose the filter Action, enter the case sensitive full name of this action (e.g. StopInstances) and time period you want to obtain the data for (but not earlier than 30 days) and apply the filter. Now you can see the whole picture and learn the details of each event, pressing the button Event details.
  2. Imagine that you need to find the user who made some actions on a particular entity, e.g. deleted the production instance i-XXXXXXXX two weeks ago. To do this on page Events choose the time period and press the Download as CSV or Download as JSON button. The formats CSV or JSON will help analyse the events in detail, specify the filter conditions (e.g. TerminateInstances action and i-XXXXXXXX as the ID of the particular entity) and obtain the details of the user who performed this action (User name).

Note

Use the specific tools to operate with CSV or JSON files for a detailed analysis of the events of your projects, to track particular changes of entities and security analysis

CloudTrail limitations

The following limitations apply to CloudTrail operation:

Value Limitation
Number of Trails 2
Time period for which Events without Trail are stored 30 days