Introduction

Ever wondered the following?

• I want to know who has modified the credentials on CPI?
• I want to know who has undeployed my Iflows on CPI?

If you are from a CPI on Neo background this feature used you be available out of the box. On Cloud Foundry an additional Application / Service called the Audit Log Viewer and Audit Log Management Service needs to be enabled. These services provides you with the option to view Audit Logs from your CPI tenant.

Configure Entitlements

• Go to you SAP BTP Sub account and Entitlement

• Select Audit Log Viewer Service -> Free

• Do not forget to Save!

Subscribe to Audit Log Viewer Service

Go to Services – > Service Marketplace -> Select Audit Log Viewer Service -> Create

Create a Role Collection for Audit Log Viewer Service

By default the roles are not a part of any role collection and hence you need to create a new Role Collection on BTP for Audit Log Viewer Service.

• Navigate to Security -> Role Collections and Create a Role Collection
• Provide a Name to the Role Collection -> RC_AuditLog in my case
• Assign the below Roles to the RoleCollection
  • Template : Auditlog_Auditor
  • ApplicationIdentifier : auditlog-management & auditlog_viewer
• Assign your user to the Role Collection

Check your Logs in AuditLog Viewer

• Navigate to Services -> Instances and Subscriptions -> Audit Log Viewer Service
• Your AuditLog viewer service is now enabled for you to view all Logs.
• Make sure you change the end time and then perform any deployment or undeployment on your CPI tenant.
• You should be able to see the logs and search for them as per the following screenshots

Search and View Detailed Logs in Audit Log Viewer

Audit Log Raw JSON Example

{
  "message_uuid": "5de9a80d-b085-4f4c-738c-5684794d1d5d",
  "time": "2023-07-11T11:38:36.735Z",
  "tenant": "978897df-41a0-432b-ad9f-327a0df2b239",
  "org_id": "92f1da92-e5b3-4cc5-8c90-964165af11c8",
  "space_id": "92f1da92-e5b3-4cc5-8c90-964165af11c8",
  "app_or_service_id": "92f1da92-e5b3-4cc5-8c90-964165af11c8",
  "als_service_id": "d9ceb06d-45e9-4f42-b29a-e8a998dfe79b",
  "user": "bhavesh.kantilal@xxx.com",
  "category": "audit.configuration",
  "format_version": "",
  "message": {
    "uuid": "5de9a80d-b085-4f4c-738c-5684794d1d5d",
    "user": "bhavesh.kantilal@xxx.com",
    "time": "2023-07-11T11:38:36.735Z",
    "id": "a4079f09-0839-45d7-be80-28a73a0fcc55",
    "object": {
      "type": "Undeployment",
      "id": {
        "type": "BUNDLE",
        "description": "Undeployment"
      }
    },
    "attributes": [
      {
        "name": "symbolicName",
        "old": "GetBusinessPartnerSpecified",
        "new": ""
      },
      {
        "name": "tenantName",
        "old": "cpiTenant",
        "new": "cpiTenant"
      },
      {
        "name": "id",
        "old": "107fd206-e772-4628-92b3-89d18ccf2001",
        "new": ""
      },
      {
        "name": "version",
        "old": "1.0.0",
        "new": ""
      },
      {
        "name": "creator",
        "old": "bhavesh.kantilal@xxx.com",
        "new": ""
      },
      {
        "name": "created",
        "old": "Tue Apr 25 09:46:03 UTC 2023",
        "new": ""
      }
    ],
    "category": "audit.configuration",
    "tenant": "978897df-41a0-432b-ad9f-327a0df2b239",
    "customDetails": {}
  }
}

Final Thoughts

Enabling Audit Log viewer service is very easy and straight forward. Any user who needs access to this need to be assigned the right Roles to view the logs. There are additional APIs available on Audit Log Viewer API to query this APIs and ship them to external systems.

Further Reading

• Audit Log Viewer Service on SAP Discovery Center
• Audit Logging on CF