ArcGIS Online

Exploring the Organization Activity Log CSV

As ArcGIS Online organizations grow in the number of members, content items, and purposes, we receive frequent requests for tools to help organizations understand members’ specific activity in the organization. With the September 2018 update of ArcGIS Online, administrators can download a CSV file with a history of actions made to content, members, organizations, and groups in your ArcGIS Online organization. The new activity log download link is available to administrators on the Overview tab of the organization status page. Just specify the time span and number of events you want to see in the log.

Generating the activity log in 3 easy steps:

  1. Navigate to Organization > Overview and click on the link.
  2. Specify the start date and the number of events you want to view.
     (Figure: Activity Log download settings)
  3. Click on the download and explore the log.

Like any good history, the activity log contains columns of information that can be used to explain the who, what, when, where, and why of each event. Although sorting and reading through a CSV file line by line may not be your favourite way to spend a Tuesday afternoon, understanding what the fields and values mean can help identify events and answer questions about your members and content in ArcGIS Online. You can use the audit log as a tool to find specific event entries, or ingest the CSV file with scripting, alerting administrators of specific events.

Below is an example of the downloaded audit log. This article outlines what data is tracked in this log and how to find answers to specific questions. A complete description of all fields that can be exported or used as parameters for a REST API request is outlined in this documentation.

Sample of Audit Log

Finding out the who, what, when, where with the activity log

Fig. 1 |

What

The Type ID (idType) is an important primary filter to understand What type of event the activity log is describing. There are four common values for idType:

a – organization, i – item, u – user, g – group

These identify whether an event occurred with an item, user, group, or organization properties. Fig. 1 displays user event types by using an idType filter of ‘u’ on the column. The action field identifies the specific action for each event, further defining the what of the event log. In fig. 1, all actions are updates, so the example shows that user update actions occurred.

Tip. Use filters to identify events that occur for users, like password reset, account creation, or updates.

 

Fig. 2 | Sample item log entry

Who

Understanding Who is identified in the log entry helps to further understand the event. The id, owner, and actor fields are used to identify ArcGIS Online members and items in the log events. The id field is the target of the event: for idType user (u), the target is the username of a member in the organization (fig. 1); for idType item (i), the target is an item ID, which identifies the item (fig. 2). The owner field identifies the owner of the target, and the actor is the identity of the user who performed the action.

The highlighted line in fig. 2 shows that Kelly_Tay (actor) deleted (action) item ID 463beb78f5ad4a4c9177b96e85cf9234 (id), which was owned by Brenda Analyst (owner). Most of the time, members delete and update their own items, but the actor field allows administrators to identify events when other members with appropriate privileges update other users’ items.

Fig. 3 | Example share

What ‘refined’

Author’s note: That’s right, there are two whats in this article.

Although action specifies the type of action performed in the event (for example, create, update, and share), the request and data fields can also help you understand more about the action. They further refine the specific action by displaying the request sent by ArcGIS Online during the event and the data (when appropriate) that is changed. This information can be particularly helpful when identifying sharing changes to an item (fig. 3).

When

The when of the event can be identified with the created_utc field. This displays the date and time of the event in UTC. If it seems strange that Brandon was sharing items at 3:00 am, adjust this time for your local time zone. The created field includes the Unix timestamp.

Where

IP Address specifies the IP address of the computer that submitted the event. This can help to identify the location of the computer.

Why

Why an event occurred is something that you will have to explore when you have identified what happened and who was involved in the action. Check out the REST API documentation for more information and the following examples on GeoNet for some quick tips.

Summary of Activity Log Fields

| Field Name | Description | Example Values |
| --- | --- | --- |
| id | Identifier of the action target | username, group ID, item ID, organization ID |
| idType | The type of event the activity log is describing | a-organization, i-item, u-user, g-group |
| orgId | Identifier of the organization (should be the same) | Nw12seS… |
| owner | Identifies the owner of the target ID | username |
| actor | Identifies the username who performed the action | username |
| ip | IP address of the location where the action was submitted | IP Address |
| action | The specific action identified for a specific event | create, share, update, add |
| created | Unix time stamp of the date and time of the event | 1532642318215 |
| created_utc | Date and time of an event in a date format, in UTC | 7/26/2018 9:58:38 PM |
| request | The request sent to perform the action | '/sharing/rest/content/users/Kelly_Tay/addItem' |
| reqId | Unique identifier of logged event | 1b6350f1e2d64e68bf6fee0a4fdd7bb4 |
| data | Free form field that can include data sent with request | "{\"everyone\":true,\"org\":true,\"groups\":[]}" |
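As an added example (not part of the original article or Esri's own code), the script below shows one way to ingest the CSV with scripting, as suggested earlier: it flags item events where the actor is not the owner and share events whose data field opens the item to everyone. The sample rows are constructed, the column names are taken from the field summary above, and the action value `delete` is an assumption based on the fig. 2 description.

```python
import csv
import io
import json
from datetime import datetime, timezone

# Constructed sample rows (not real log data). Column names follow the field
# summary above; only the columns this example reads are included.
SAMPLE_CSV = '''id,idType,owner,actor,ip,action,created,data
463beb78f5ad4a4c9177b96e85cf9234,i,Brenda_Analyst,Kelly_Tay,203.0.113.10,delete,1532642318215,
aaaabbbbccccddddeeeeffff00001111,i,Brandon,Brandon,203.0.113.22,share,1532660400000,"{""everyone"":true,""org"":true,""groups"":[]}"
aaaabbbbccccddddeeeeffff00002222,i,Brandon,Brandon,203.0.113.22,share,1532660460000,"{""everyone"":false,""org"":true,""groups"":[]}"
aaaabbbbccccddddeeeeffff00003333,i,Kelly_Tay,Kelly_Tay,203.0.113.10,update,1532660500000,not-json
Brandon,u,Brandon,Brandon,203.0.113.22,update,1532660600000,
'''

def utc(ms):
    """The created column is a Unix timestamp in milliseconds (ms are dropped)."""
    return datetime.fromtimestamp(int(ms) // 1000, tz=timezone.utc).isoformat()

def shared_with_everyone(data):
    """True if the free-form data field is JSON with "everyone": true."""
    try:
        parsed = json.loads(data) if data else {}
    except json.JSONDecodeError:
        return False  # data is free form, so non-JSON values are expected
    return isinstance(parsed, dict) and parsed.get("everyone") is True

def find_alerts(csv_text, watched_actions=("delete", "update")):
    """Return (reason, row) pairs for item events an administrator may review."""
    alerts = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["idType"] != "i":
            continue  # this example only looks at item events
        if row["action"] in watched_actions and row["actor"] != row["owner"]:
            alerts.append(("actor-is-not-owner", row))
        elif row["action"] == "share" and shared_with_everyone(row["data"]):
            alerts.append(("shared-with-everyone", row))
    return alerts

if __name__ == "__main__":
    for reason, r in find_alerts(SAMPLE_CSV):
        print(f'{utc(r["created"])} {reason}: {r["actor"]} {r["action"]} '
              f'{r["id"]} (owner {r["owner"]}) from {r["ip"]}')
```

To run it against a real download, pass the file's text to `find_alerts` in place of `SAMPLE_CSV` and adjust `watched_actions` to the action values that appear in your log.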

 

Find detailed examples on GeoNet:

Find events related to a specific item with the activity log

Monitor User Activity with REST API

Monitor Login Activity with REST API

How To: Download an ArcGIS Online Organization Audit log for events related to a specific item ID

About the author

Kelly was a product manager on the ArcGIS Online team. She enjoys blogging, web mapping, and outdoor adventures.
