Event logs provide information about user actions, such as event name, the user who triggered the event, and the time and location of the event. As an Organization Owner user, you review audit events for your Organization by using an associated instance of VMware Aria Operations for Logs.

VMware Cloud services captures a range of audit events about users' activity in Cloud Services Console related to access and account management, billing and subscription. If automation is used to manage some resources in your Organization, some events may be triggered by a caller instead of a user.

Searching and Filtering VMware Cloud Services Audit Events

You can search for and filter the log events for your Organization in one of two ways: by using saved queries from the Audit Events for VMware Cloud Services content pack or by creating custom queries.

You access content packs from the Content Packs menu of your vRealize Log Insight Cloud instance. For more information, see Working with Content Packs.

You can search for and filter log events in the Explore Logs page of vRealize Log Insight Cloud service by using custom queries for VMware Cloud Services audit events. To view only audit events for VMware Cloud Services, select log_type as the search criterion, then select Contains and enter csp-audit. To search for specific events, create a query that contains the event type.
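The same filter can be applied to exported events to correlate related event types. The following is an added example, not part of the original documentation: it keeps only records whose log_type contains csp-audit and reports an actor who turned off or deactivated MFA and then issued an API token or OAuth app credential within a time window. The record field names `event_type`, `user` and `timestamp` are assumptions, and the sample records are constructed.

```python
from datetime import datetime, timedelta

# Event types copied from Table 1 (Account Management).
MFA_WEAKENED = {"csp__turn_off_mfa", "csp__deactivate_mfa"}
CREDENTIAL_ISSUED = {"csp__generate_api_token", "csp__create_org_o_auth_app",
                     "csp__org_o_auth_app_new_secret_rotation"}

def is_csp_audit(record):
    # Mirrors the Explore Logs criterion: log_type Contains csp-audit.
    return "csp-audit" in record.get("log_type", "")

def mfa_then_credential(records, window=timedelta(hours=1)):
    """Return (actor, mfa_event, credential_event) tuples within `window`."""
    audit = [dict(r, ts=datetime.fromisoformat(r["timestamp"]))
             for r in records if is_csp_audit(r)]
    audit.sort(key=lambda r: r["ts"])
    last_mfa = {}  # actor -> latest MFA-weakening record
    findings = []
    for r in audit:
        if r["event_type"] in MFA_WEAKENED:
            last_mfa[r["user"]] = r
        elif r["event_type"] in CREDENTIAL_ISSUED:
            prev = last_mfa.get(r["user"])
            if prev and r["ts"] - prev["ts"] <= window:
                findings.append((r["user"], prev["event_type"], r["event_type"]))
    return findings

# Constructed sample records; field names other than log_type are assumptions.
SAMPLE = [
    {"log_type": "csp-audit", "event_type": "csp__user_login",
     "user": "alice@example.com", "timestamp": "2024-05-01T09:00:00+00:00"},
    {"log_type": "csp-audit", "event_type": "csp__turn_off_mfa",
     "user": "alice@example.com", "timestamp": "2024-05-01T09:05:00+00:00"},
    {"log_type": "csp-audit", "event_type": "csp__generate_api_token",
     "user": "alice@example.com", "timestamp": "2024-05-01T09:20:00+00:00"},
    {"log_type": "constructed-other-source", "event_type": "csp__turn_off_mfa",
     "user": "bob@example.com", "timestamp": "2024-05-01T09:25:00+00:00"},
    {"log_type": "csp-audit", "event_type": "csp__generate_api_token",
     "user": "bob@example.com", "timestamp": "2024-05-01T09:30:00+00:00"},
    {"log_type": "csp-audit", "event_type": "csp__deactivate_mfa",
     "user": "carol@example.com", "timestamp": "2024-05-01T06:00:00+00:00"},
    {"log_type": "csp-audit", "event_type": "csp__create_org_o_auth_app",
     "user": "carol@example.com", "timestamp": "2024-05-01T09:40:00+00:00"},
]

if __name__ == "__main__":
    for finding in mfa_then_credential(SAMPLE):
        print(finding)
```

With the default one-hour window only the first actor is reported; the second actor's MFA record is not a csp-audit record, and the third actor's events are more than an hour apart.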

Audit Events for VMware Cloud Services

Table 1. Account Management

| Audit Event Name | Event Type | Description |
|---|---|---|
| UserLogin | `csp__user_login` | Successful user login. |
| UserLogout | `csp__user_logout` | Successful user logout. |
| GenerateApiToken | `csp__generate_api_token` | User generated a personal API token. |
| RevokeApiToken | `csp__revoke_api_token` | User revoked a personal API token. |
| RevokeAllApiTokens | `csp__revoke_all_api_tokens` | User revoked all personal API tokens. |
| RefreshTokenExchangeFailed | `csp__refresh_token_exchange_failed` | User made an unsuccessful attempt to generate an access token by API token refresh. |
| FirstLogin | `csp__first_login` | User was assigned the roles from the invitation upon first login. |
| LinkAccount | `csp__link_account` | User linked their corporate federated account to their VMware ID account. This action allowed the user to log in to VMware Cloud Services with their corporate credentials. |
| UnlinkAccount | `csp__unlink_account` | User changed the account linked to their VMware ID. |
| CreateOrgOAuthApp | `csp__create_org_o_auth_app` | Caller created an OAuth app in an Organization. |
| UpdateOrgOAuthApp | `csp__update_org_o_auth_app` | Caller updated an OAuth app in an Organization. |
| DeleteOrgOAuthApp | `csp__delete_org_o_auth_app` | Caller deleted an OAuth app in an Organization. |
| OrgOAuthAppNewSecretRotation | `csp__org_o_auth_app_new_secret_rotation` | Caller rotated the secret of an OAuth app in an Organization. |
| ActivateMfa | `csp__activate_mfa` | User with VMware ID activated an MFA device. |
| DeactivateMfa | `csp__deactivate_mfa` | User with VMware ID deactivated an MFA device. |
| TurnOnMfa | `csp__turn_on_mfa` | User with VMware ID turned on Multi-factor authentication for their account. |
| TurnOffMfa | `csp__turn_off_mfa` | User with VMware ID turned off Multi-factor authentication for their account. |
| RegenerateMfaRecoveryCodes | `csp__regenerate_mfa_recovery_codes` | User with VMware ID regenerated a new set of recovery codes for Multi-factor authentication. |
| UpdateMfaAttributes | `csp__update_mfa_attributes` | User with VMware ID updated the MFA settings for their account. |
| GenerateNewMfaActivationSecret | `csp__generate_new_mfa_activation_secret` | User with VMware ID generated a new activation secret for setting up MFA for their account. |
| InvitationSentAck | `csp__invitation_sent_act` | Internal notification created when an invitation was sent to a user. |
| CreateMspInvitation | `csp__create_msp_invitation` | Email invitation to onboard a new provider Organization was sent to a new service provider. |
| UpdateMspInvitation | `csp__update_msp_invitation` | An updated email invitation to onboard a new provider Organization was sent to a new service provider. |
| DeleteMspInvitation | `csp__delete_msp_invitation` | Email invitation to onboard a new provider Organization sent to a new service provider was revoked. |

Table 2. Organization Management

| Audit Event Name | Event Type | Description |
|---|---|---|
| CreateOrganization | `csp__create_org` | User created a new Organization. |
| UpdateOrganization | `csp__update_org` | User updated an existing Organization. |
| DeleteOrganization | `csp__delete_org` | User deleted an existing Organization. |
| InviteExistingUserToOrganization | `csp__invite_existing_user_to_org` | Existing user was added to an Organization. |
| RemoveUserFromOrganization | `csp__remove_user_from_org` | Existing user was removed from an Organization. |
| UpdateUserRolesOnOrganization | `csp__update_user_roles_on_org` | The roles of an existing user were updated. |
| InviteNonExistingUserToOrganization | `csp__invite_non_existing_user_to_org` | Email invitation was sent to a new user. |
| RevokeUserInvitations | `csp__revoke_user_invitations` | Invitations sent to users by email were revoked. |
| RemoveClientFromOrganization | `csp__remove_client_from_org` | User removed an OAuth app assigned to an Organization. The action did not delete the OAuth app. |
| AssignRolesToClientOnOrganization | `csp__assign_roles_to_client_on_org` | Caller assigned service/Organization roles to a client in an Organization. The action indicates a first time assignment to a client that had never had roles assigned before. |
| UpdateClientRolesOnOrganization | `csp__update_client_roles_on_org` | Caller updated service/Organization roles to a client in an Organization. |
| UpdateUserDefaultOrganization | `csp__update_user_default_org` | User updated the default Organization displayed for their account. This action applies only to users who are members of more than one Organization. |

Table 3. Groups

| Audit Event Name | Event Type | Description |
|---|---|---|
| RemoveGroupFromOrganization | `csp__remove_group_from_org` | User removed an existing group from an Organization. |
| AssignRolesToGroupOnOrganization | `csp__assign_roles_to_group_on_org` | User assigned Organization and service roles to a newly created group in an Organization. |
| UpdateGroupRolesOnOrganization | `csp__update_group_roles_on_org` | User updated role assignments of an existing group in an Organization. |
| CustomGroupAddClients | `csp__custom_group_add_clients` | User added new members to a custom group in an Organization. |
| CustomGroupRemoveClients | `csp__custom_group_remove_clients` | User removed existing members from a custom group in an Organization. |

Table 4. Billing and Subscription

| Audit Event Name | Event Type | Description |
|---|---|---|
| CreateSubscription | `csp__create_subscription` | User created a subscription for a new or existing service. |
| AddOrgPaymentMethod | `csp__add_org_payment_method` | User added a new payment method to their Organization. |
| RemoveOrgPaymentMethod | `csp__remove_org_payment_method` | User removed a payment method from their Organization. |
| UpdateOrgDefaultPaymentMethod | `csp__update_org_default_payment_method` | User updated the default payment method of an Organization. |
| AddDetailsToOrg | `csp__add_details_to_org` | User added a company address and/or other Billing and Subscription details to an Organization. |
| UpdateOrgAddress | `csp__update_org_address` | User updated the company's address in the Billing and Subscription details for their Organization. |
| UpdateOrgCommerceData | `csp__update_org_commerce_data` | User updated the Billing and Subscription details for their Organization (currency, annual billing date, etc.) |
| UpdateOrgTaxId | `csp__updated_org_tax_id` | User updated the Tax ID in the Billing and Subscription details for their Organization. |
| UpdateOrgPoReferenceNumber | `csp__update_org_po_reference_number` | User set a new Organization PO reference number. |
| IncomingOrder | `csp__incoming_order` | Caller created an order for a service subscription. |

Table 5. Identity Governance and Administration

| Audit Event Name | Event Type | Description |
|---|---|---|
| ApproveDenyEntitlementRequest | `csp__iga_entitlements_requests_approval` | An entitlement request was approved or denied by Organization Owner. |
| CreateEntitlementRequest | `csp__iga_register_entitlements_request` | User created an entitlement request. |
| CreateEntitlementRequestForNonOrgMember | `csp__iga_register_entitlements_request_non_org_member` | New non Organization user created an entitlement request. |
| CancelEntitlementRequest | `csp__iga_delete_entitlement_request` | User canceled an entitlement request. |
| CancelEntitlementRequestForNonOrg | `csp__iga_delete_entitlement_request_non_org_member` | New non Organization user canceled an entitlement request that was already submitted by the same user. |
| EnablingGovernance | `csp__iga_status_change` | Identity Governance and Administration was activated for Organization. |
| UpdateGovernancePolicies | `csp__iga_update_governance_policies_request` | User updated Identity Governance and Administration policies. |