Activity Log

Activity Log allows you to store and explore records about actions (API requests) made by any company user.


A system user is created along with the account. All API calls made by the system user are logged in the Activity Log.


By default, access to the Activity Log service is disabled for all users. You can change permissions for this service in the Users and projects section, either by adding the Activity log permissions to a user for any project or by adding a user with the CloudTrail administrator role to any project.


The Activity log permissions and the CloudTrail administrator role allow users to control events in all of the customer’s projects, regardless of the project in which they were granted.


Several types of entities are defined within Activity log: Events, Trails and Reports.


An Event is a record describing a user action. Each Event describes one request to an API method.

An important attribute of an event is “Read only”. Read-only events are API operations that only read information about your resources and do not change them. Examples are Describe requests, which are issued every time you open almost any NGN Cloud web interface page. Such events are usually of little importance for analysing user activity, which is why the default value of the “Read only” filter on the “Activity log” page of the web interface is “No”. You can also filter by the ReadOnly attribute when you request events via the CloudTrail API.

To find the list of names of API methods that are logged in Activity log, see:

Examples of user actions and the matching API methods

API method name

User action


Changing instance attributes (description, user data, instance type)


Elastic IP address association with an instance or a network interface


Creating a rule in the Network ACL


Creating an ingress rule in the security group


Creating a VPN connection


Creating/updating an alarm


Creating a trail


Actions that are initiated within the instance (e.g. stopping the instance) are not API calls. Therefore, no events are created for such actions.

An event is stored in JSON format and contains the user name, request parameters, etc.
By default, events are stored for 30 days.

A detailed description of event


A Trail is a configuration for saving events to a bucket in object storage. A Trail instructs the cloud to save the events generated by every user of the customer to the specified bucket. Events are saved every 5 minutes as a tar.gz archive. To create a Trail that saves events from all of the customer’s projects, the user must have File service permissions in the project where the bucket for storing the archives is located. Otherwise, the error “The AWS Access Key Id you provided does not exist in our records” is displayed.

A detailed description of trail structure


Activity log allows you to get event reports in CSV and JSON formats. Click Create report CSV or Create report JSON on the Events page to start generating a report. You can check the report’s current state and download it on the Reports page.


  • The maximum number of simultaneously stored reports – 5. After that, new reports overwrite existing ones.

  • The maximum number of simultaneously generating reports – 2

  • Reports storage period – 3 days

The “Activity log” section

Use Activity log for detailed analysis of the events in your projects and for security monitoring over the last 30 days. To analyse the gathered data, you can apply simple filters, use the case-sensitive search on the Events page, or generate reports in CSV or JSON format. Generating a report on the last 30 days of data can take some time. To reduce the number of records to download, apply a filter or narrow the time period. You can also aggregate and store the activity logs in object storage. For additional information, go to Trails.

Use cases

Here are some examples of a possible use of Activity log:

  1. If you need to find the user who performed certain actions on entities, e.g. stopped instances with a DB in one or several projects, go to the Events page, choose the Action filter, enter the full, case-sensitive name of the action (e.g. StopInstances) and the time period you want data for (no earlier than 30 days ago), and apply the filter. You can now see the whole picture and view the details of each event by pressing Event details.

  2. Imagine that you need to find the user who performed some action on a particular entity, e.g. deleted the production instance i-XXXXXXXX two weeks ago. To do this, choose the time period on the Events page and click Create report CSV or Create report JSON. The CSV and JSON formats let you analyse the events in detail, specify filter conditions (e.g. the TerminateInstances action and i-XXXXXXXX as the ID of the particular entity) and obtain the details of the user who performed the action (User name).


Use tools designed for working with CSV or JSON files for detailed analysis of the events in your projects, for tracking particular changes to entities, and for security analysis.
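As an added example (not part of the NGN Cloud documentation), the following Python script runs the search from use case 2 over a downloaded JSON report: it keeps non-read-only events inside a time window whose request parameters mention a given resource ID, optionally restricted to one case-sensitive action name. The report is assumed to be a JSON array of events; the key names `EventTime`, `EventName`, `Username`, `ReadOnly` and `RequestParameters` and the sample events are constructed for illustration and must be checked against the detailed event description.

```python
import json
from datetime import datetime, timezone

# Constructed sample report. The key names (EventTime, EventName, Username,
# ReadOnly, RequestParameters) are assumptions; map them to the real schema.
SAMPLE_REPORT = json.dumps([
    {"EventTime": "2024-05-02T09:14:07Z", "EventName": "DescribeInstances",
     "Username": "alice", "ReadOnly": True,
     "RequestParameters": {"InstanceId": ["i-0A1B2C3D"]}},
    {"EventTime": "2024-05-01T22:30:00Z", "EventName": "StopInstances",
     "Username": "carol", "ReadOnly": False,
     "RequestParameters": {"InstanceId": ["i-0A1B2C3D"]}},
    {"EventTime": "2024-05-02T09:15:40Z", "EventName": "TerminateInstances",
     "Username": "bob", "ReadOnly": False,
     "RequestParameters": {"InstanceId": ["i-0A1B2C3D", "i-11111111"]}},
])

def mentions(value, needle):
    """True if needle is a value anywhere inside nested request parameters."""
    if isinstance(value, dict):
        return any(mentions(v, needle) for v in value.values())
    if isinstance(value, list):
        return any(mentions(v, needle) for v in value)
    return value == needle

def parse_time(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def who_did(report_json, action, resource_id, start, end):
    """Return sorted (time, action, user) for modifying events on resource_id.

    action=None keeps every non-read-only action; otherwise the name must
    match exactly (the Events page search is case sensitive as well).
    """
    hits = []
    for event in json.loads(report_json):
        if event.get("ReadOnly"):  # Describe-style requests change nothing
            continue
        if action is not None and event.get("EventName") != action:
            continue
        if not (start <= parse_time(event["EventTime"]) <= end):
            continue
        if mentions(event.get("RequestParameters", {}), resource_id):
            hits.append((event["EventTime"], event["EventName"], event.get("Username")))
    return sorted(hits)

if __name__ == "__main__":
    window = (parse_time("2024-05-01T00:00:00Z"), parse_time("2024-05-07T23:59:59Z"))
    for row in who_did(SAMPLE_REPORT, "TerminateInstances", "i-0A1B2C3D", *window):
        print(*row)
```

Passing `None` as the action lists every modifying call that touched the resource, which gives the sequence of changes leading up to the event under investigation.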


Activity Log is a subscription-based service. When the subscription expires or is deactivated, the Activity log section and the CloudTrail API become unavailable and trails stop aggregating events. Events that were saved in object storage remain available.

When the subscription is activated, the API and the web interface section become available and trails continue aggregating events.

You can manage subscriptions in the Billing section.

CloudTrail limitations

The following limitations apply to CloudTrail operation:



Number of trails


Time period for which events without trail are stored

30 days

If necessary, these constraints can be relaxed. To do this, contact the support service.