Event logs provide information about user actions, such as event name, the user who triggered the event, and the time and location of the event. As an Organization Owner user, you review audit events for your Organization by using an associated instance of VMware Aria Operations for Logs.
VMware Cloud services captures a range of audit events about users' activity in Cloud Services Console with access and account management, billing and subscription. If automation is used to manage some resources in your Oganization, some events may be triggered by a caller instead of a user.
Searching and Filtering VMware Cloud Services Audit Events
You can search for and filter the log events for your Organization in one of two ways: by using saved queries from the Audit Events for VMware Cloud Services content pack and by creating custom queries.
You access content packs from the Content Packs menu of your vRealize Log Insight Cloud instance. For more information, see Working with Content Packs.
You can search for and filter log events in the Explore Logs page of vRealize Log Insight Cloud service by using custom queries for VMware Cloud Services audit events. To view only audit events for VMware Cloud Services, as a search criteria, select log_type, then Contains and enter csp-audit. To search for specific events, create a query that contains the event type.
Audit Events for VMware Cloud Services
| Audit Event Name | Event Type | Description |
|---|---|---|
| UserLogin | csp__user_login | Successful user login. |
| UserLogout | csp__user_logout | Successful user logout. |
| GenerateApiToken | csp__generate_api_token | User generated a personal API token. |
| RevokeApiToken | csp__revoke_api_token | User revoked a personal API token. |
| RevokeAllApiTokens | csp__revoke_all_api_tokens | User revoked all personal API tokens. |
| RefreshTokenExchangeFailed | csp__refresh_token_exchange_failed | User made an unsuccessful attempt to generate access token by API token refresh. |
| FirstLogin | csp__first_login | User was assigned the roles from the invitation upon first log in. |
| LinkAccount | csp__link_account | User linked their corporate federated account to their VMware ID account. This action allowed user to log in VMware Cloud Services with their corporate credentials. |
| UnlinkAccount | csp__unlink_account | User changed the account linked to their VMware ID. |
| CreateOrgOAuthApp | csp__create_org_o_auth_app | Caller created an OAuth app in an Organization. |
| UpdateOrgOAuthApp | csp__update_org_o_auth_app | Caller updated an OAuth app in an Organization. |
| DeleteOrgOAuthApp | csp__delete_org_o_auth_app | Caller deleted an OAuth app in an Organization. |
| OrgOAuthAppNewSecretRotation | csp__org_o_auth_app_new_secret_rotation | Caller rotated the secret of an OAuth app in an Organization. |
| ActivateMfa | csp__activate_mfa | User with VMware ID activated an MFA device. |
| DeactivateMfa | csp__deactivate_mfa | User with VMware ID deactivated an MFA device. |
| TurnOnMfa | csp__turn_on_mfa | User with VMware ID turned on Multi-factor authentication for their account. |
| TurnOffMfa | csp__turn_off_mfa | User with VMware ID turned off Multi-factor authentication for their account. |
| RegenerateMfaRecoveryCodes | csp__regenerate_mfa_recovery_codes | User with VMware ID regenerated a new set of recovery codes for Multi-factor authentication. |
| UpdateMfaAttributes | csp__update_mfa_attributes | User with VMware ID updated the MFA settings for their account. |
| GenerateNewMfaActivationSecret | csp__generate_new_mfa_activation_secret | User with VMware ID generated a new activation secret for setting up MFA for their account. |
| InvitationSentAck | csp__invitation_sent_act | Internal notification created when an invitation was sent to a user. |
| CreateMspInvitation | csp__create_msp_invitation | Email invitation to onboard a new provider Organization was sent to a new service provider. |
| UpdateMspInvitation | csp__update_msp_invitation | An updated email invitation to onboard a new provider Organization was sent to a new service provider. |
| DeleteMspInvitation | csp__delete_msp_invitation | Email invitation to onboard a new provider Organization sent to a new service provider was revoked. |
| Audit Event Name | Event Type | Description |
|---|---|---|
| CreateOrganization | csp__create_org | User created a new Organization. |
| UpdateOrganization | csp__update_org | User updated an existing Organization. |
| DeleteOrganization | csp__delete_org | User deleted an existing Organization. |
| InviteExistingUserToOrganization | csp__invite_existing_user_to_org | Existing user was added to an Organization. |
| RemoveUserFromOrganization | csp__remove_user_from_org | Existing user was removed from an Organization. |
| UpdateUserRolesOnOrganization | csp__update_user_roles_on_org | The roles of an existing user were updated. |
| InviteNonExistingUserToOrganization | csp__invite_non_existing_user_to_org | Email invitation was sent to a new user. |
| RevokeUserInvitations | csp__revoke_user_invitations | Invitations sent to users by email were revoked. |
| RemoveClientFromOrganization | csp__remove_client_from_org | User removed an OAuth app assigned to an Organization. The action did not delete the OAuth app. |
| AssignRolesToClientOnOrganization | csp__assign_roles_to_client_on_org | Caller assigned service/Organization roles to a client in an Organization. The action indicates a first time assignment to a client that had never had roles assigned before. |
| UpdateClientRolesOnOrganization | csp__update_client_roles_on_org | Caller updated service/Organization roles to a client in an Organization. |
| UpdateUserDefaultOrganization | csp__update_user_default_org | User updated the default Organization displayed for their account. This action applies only to users who are members of more than one Organization. |
| Audit Event Name | Event Type | Description |
|---|---|---|
| RemoveGroupFromOrganization | csp__remove_group_from_org | User removed an existing group from an Organization. |
| AssignRolesToGroupOnOrganization | csp__assign_roles_to_group_on_org | User assigned Organization and service roles to a newly created group in an Organization. |
| UpdateGroupRolesOnOrganization | csp__update_group_roles_on_org | User updated role assignments of an existing group in an Organization. |
| CustomGroupAddClients | csp__custom_group_add_clients | User added new members to a custom group in an Organization. |
| CustomGroupRemoveClients | csp__custom_group_remove_clients | User removed existing members from a custom group in an Organization. |
| Audit Event Name | Event Type | Description |
|---|---|---|
| CreateSubscription | csp__create_subscription | User created a subscription for a new or existing service. |
| AddOrgPaymentMethod | csp__add_org_payment_method | User added a new payment method to their Organization. |
| RemoveOrgPaymentMethod | csp__remove_org_payment_method | User removed a payment method from their Organization. |
| UpdateOrgDefaultPaymentMethod | csp__update_org_default_payment_method | User updated the default payment method of an Organization. |
| AddDetailsToOrg | csp__add_details_to_org | User added a company address and/or other Billing and Subscription details to an Organization. |
| UpdateOrgAddress | csp__update_org_address | User updated the company's address in the Billing and Subscription details for their Organization. |
| UpdateOrgCommerceData | csp__update_org_commerce_data | User updated the Billing and Subscription details for their Organization (currency, annual billing date, etc.) |
| UpdateOrgTaxId | csp__updated_org_tax_id | User updated the Tax ID in the Billing and Subscription details for their Organization. |
| UpdateOrgPoReferenceNumber | csp__update_org_po_reference_number | User set a new Organization PO reference number. |
| IncomingOrder | csp__incoming_order | Caller created an order for a service subscription. |
| Audit Event Name | Event Type | Description |
|---|---|---|
| ApproveDenyEntitlementRequest | csp__iga_entitlements_requests_approval | An entitlement request was approved or denied by Organization Owner. |
| CreateEntitlementRequest | csp__iga_register_entitlements_request | User created an entitlement request. |
| CreateEntitlementRequestForNonOrgMember | csp__iga_register_entitlements_request_non_org_member | New non Organization user created an entitlement request. |
| CancelEntitlementRequest | csp__iga_delete_entitlement_request | User canceled an entitlement request. |
| CancelEntitlementRequestForNonOrg | csp__iga_delete_entitlement_request_non_org_member | New non Organization user canceled an entitlement request that was already submitted by the same user. |
| EnablingGovernance | csp__iga_status_change | Identity Governance and Administration was activated for Organization. |
| UpdateGovernancePolicies | csp__iga_update_governance_policies_request | User updated Identity Governance and Administration policies. |
