
Reviewing the activity log

Download and review audit log files for your IBM Bob Enterprise organization to monitor authentication events and administrative activity.

The activity log provides a downloadable record of security-relevant events across your IBM Bob Enterprise organization. It is available to admins only and is accessible from the Admin UI.

What is logged

The activity log is organized into two categories, each available on its own tab in the Admin UI.

Authentication

Authentication logs are stored globally and record session-related events:

  • User sign-in and sign-out events
  • Token renewals

Admin activity

Admin activity logs are stored per region and record changes made by administrators:

  • User creation, updates, and removal
  • Team creation, updates, and deletion
  • Team membership changes, including setting a user's default team
  • Seat assignments

Downloading log files

The activity log does not display individual events inline. Instead, it groups events into log files by date and hour, which you can download as JSON files.

To download log files:

  1. Go to the Admin UI and select Activity log.
  2. From the list of files, select the files you want to download.
  3. Select Download.

Each file you select downloads separately. If you select multiple files, you receive one download per file.

Note:

Each log file covers a one-hour window and is identified by its date and hour.

Log file format

Log files are in JSON format and follow the CADF (Cloud Auditing Data Federation) standard. Each event in a log file includes the following fields:

| Field | Description |
|---|---|
| action | The operation that was performed, for example admin.user.create or bob-authn.session.authenticate. |
| outcome | The result of the operation: success or failure. |
| eventTime | The time the event occurred, in UTC. |
| initiator.id | The email address of the user who performed the action. |
| attachments[].content.subscription_id | The subscription ID of the organization where the event occurred. |
| attachments[].content.instance_id | The instance ID where the event occurred. |
| attachments[].content.category | The log category: authn for authentication events, or admin for admin activity events. |
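
As an added example (not IBM's code), the following Python sketch triages a downloaded log file using only the fields listed above: it counts failed authentication events per initiator and collects admin changes for review. The file's top-level layout, ISO 8601 timestamps, the threshold of 3, and every sample value are assumptions or constructed data.

```python
import json
from collections import Counter

def load_events(text):
    # The page does not state the file's top-level layout; accepting a JSON array,
    # a single object, or one object per line is an assumption of this example.
    try:
        data = json.loads(text)
        return data if isinstance(data, list) else [data]
    except json.JSONDecodeError:
        return [json.loads(line) for line in text.splitlines() if line.strip()]

def category(event):
    # attachments[].content.category: "authn" or "admin"; None when absent.
    for att in event.get("attachments", []):
        content = att.get("content")
        if isinstance(content, dict) and "category" in content:
            return content["category"]
    return None

def triage(events, threshold=3):
    # Flag initiators with >= threshold failed authn events; list admin changes.
    failures, admin_changes = Counter(), []
    for ev in events:
        who = ev.get("initiator", {}).get("id", "<unknown>")
        cat = category(ev)
        if cat == "authn" and ev.get("outcome") == "failure":
            failures[who] += 1
        elif cat == "admin":
            admin_changes.append((ev.get("eventTime"), who, ev.get("action"), ev.get("outcome")))
    flagged = {who: n for who, n in failures.items() if n >= threshold}
    # Sorting by the eventTime string assumes ISO 8601 UTC timestamps.
    return flagged, sorted(admin_changes, key=lambda c: c[0] or "")

def _event(action, outcome, time, who, cat):
    # Constructed sample event using only the fields the page lists.
    content = {"subscription_id": "SUB-PLACEHOLDER", "instance_id": "INST-PLACEHOLDER", "category": cat}
    return {"action": action, "outcome": outcome, "eventTime": time,
            "initiator": {"id": who}, "attachments": [{"content": content}]}

AUTHN = "bob-authn.session.authenticate"
SAMPLE = json.dumps(
    [_event(AUTHN, "failure", f"2025-01-01T10:0{i}:00Z", "user1@example.com", "authn")
     for i in range(3)]
    + [_event(AUTHN, "success", "2025-01-01T10:05:00Z", "admin1@example.com", "authn"),
       _event("admin.user.create", "success", "2025-01-01T10:07:00Z", "admin1@example.com", "admin")])

if __name__ == "__main__":
    print(triage(load_events(SAMPLE)))
```

Because each file covers one hour, run it over every file in the window you are reviewing and merge the counts before applying the threshold.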