Knowledge Base Academy Community My Tickets
Fabric 8.3
Fabric 8.3 Fabric 8.2 Fabric 8.1 Fabric 8.0 Fabric 7.2 Fabric 7.1 Fabric 7.0 Fabric 6.5

Fabric Auditing

Fabric has a robust Auditing mechanism that logs various activities running on Fabric. These can be logins, Web Service calls, and various Fabric commands.

Table of Contents

  1. When to Enable Auditing in Production
  2. When Auditing Should Not Be Enabled
  3. Turning Auditing On/Off
  4. What Gets Audited
  5. Auditing Reporting Structure
  6. Auditing Reporting Examples

When to Enable Auditing in Production

Auditing is particularly useful in production environments, where system integrity, accountability, and regulatory compliance are essential. Enabling auditing ensures that user actions and system events are accurately recorded for analysis, compliance, and troubleshooting purposes.

Here’s a list of common activities audited in production:

Category Activity
Authentication - User logins to Web Studio / Fabric CLI / Web Framework
- Failed login attempts (authentication errors)
User Management - User creation, deletion, or modification
- Role assignment and revocation
- Changes to permissions or tokens
Configuration Changes - Updates to environment configurations
- Changes to Fabric settings via config.ini or commands
- Feature enablement/disabling (e.g., turning audit ON/OFF)
Deployment Actions - Deployment of Logical Units (LUs), flows, or configurations
- Script or service updates pushed to the Fabric runtime
Command Execution - Executed Fabric commands (e.g., GET, LIST, ALTER, GRANT)
- Batch commands and automation jobs
Data Access - Executed queries (read/write) on LU Tables or external DBs
- Use of SEARCH or CQL commands
Web Service Usage - Web service calls via Fabric endpoints
- API access patterns and integration behaviors
Job Execution - Scheduled job execution and lifecycle (start/stop/update)
- Execution of Broadway or background processes
System Operations - System restart events
- Startup/shutdown logs and audit state transitions

When Auditing Should Not Be Enabled

Auditing is not recommended in development environments, particularly when using Fabric Web Studio.

Why?

In development environments, Fabric Web Studio often executes actions on behalf of the user. If auditing is enabled:

  • Both user-driven actions and system-initiated background tasks by Web Studio will be logged.
  • This results in misleading or noisy audit records that do not accurately reflect user behavior.
  • There is no operational benefit, as this environment is typically used for prototyping or testing—not production governance or compliance.

Recommendation:
Do not enable auditing in development environments where Fabric Web Studio is employed. It provides no added value and may introduce confusion in interpreting activity logs.

Turning Auditing On/Off

By default, Auditing is set to OFF. To enable Auditing in Fabric, set AUDIT=ON using K2admin's Configuration panel and set a configuration override for AUDIT. You then need to restart the K2cloud space.

AUDIT=ON

What Gets Audited

Fabric auditing tracks the following activity types:

  • System logins
  • All executed Fabric commands
  • Web-Service calls
  • All executed data queries (read and write)

Auditing Reporting Structure

When an activity is captured by the Fabric Auditing mechanism, it is logged with the following fields:

Name Description
Action Type of activity performed in Fabric.
Date Activity date.
User Fabric User ID.
Written at Full date and timestamp of the activity.
Address IP address of the node where the activity occurred. May include port.
Params Parameters passed to Fabric commands.
Protocol Protocol used for the activity.
Query Activity details such as query, schema info, or auth provider.
Result Outcome of the action (rows affected or status).
Session ID Correlation ID for related actions within a session or request chain.

Auditing Reporting Examples

Action Query
LOGIN ['null']
LOGOUT ['null']
Create Role Command ["create role 'audit'"]
Create Token Command ['create token audit_token']
Create User Command ['CREATE USER ksmith*** with PASSWORD ****']
Alter User Command ['ALTER USER ksmith*** with password ****']
Assign Role Command ['assign role audit to token audit_token', 'assign role audit to user ksmith***']
Deploy Command ["DEPLOY CustomerAudit WITH JAR '/tmp/fabric_upload_tmp_nura_nondev83_k2view_qa_0/ludb.jar' ZIP_FILE '/tmp/fabric_upload_tmp_nura_nondev83_k2view_qa_0/ludbXMLs.zip' WS_METHODS '' SOFT_DEPLOY false"]
Deploy Environments Command ["DEPLOY ENVIRONMENTS FROM FILE '/tmp/fabric_upload_tmp_nura_nondev83_k2view_qa_1/Environments.k2fabEnv.xml'"]
Grant Command ['grant ALL on * to audit', 'grant ALL_WS on * to audit']
Batch In Process Command ["batch_in_process filter='(?i)sync_instance'"]
Batch Process Details Command ["BATCH_DETAILS '${batch_id}'", "BATCH_DETAILS ''", "BATCH_DETAILS '51905b7e-6c8d-4914-a3db-243252c07c80'"]
Batch Process List Command ['batch_list']
Batch Process Retry Command ["batch_retry '07e05c7a-33ea-4da1-a0e7-27b6c13e5237' allow_cancelled=true"]
Batch Process Summary Command ["batch_summary '51905b7e-6c8d-4914-a3db-243252c07c80'"]
Broadway Command ['broadway k2_ws.fabricRestart']
Cancel Command ["cancel batch'13b8d066-c523-4a2d-9be5-79c22e75c786'"]
Drop Command ['drop token audit_token', 'drop role audit', 'drop lutype CustomerAudit']
Get Command ['get OracleLu.2', 'use OracleLu.3', 'get LU3.1']
GetF Command ['getf CustomerAudit.insertRowToUsers(999999)']
Job Status Command ['jobstatus']
List Command ['list config_overrides', 'list config', 'list lut']
Migrate Command ['migrate CustomerAudit.(1;2;3;4;5) with async=true', "migrate CustomerAudit from fabric using ('select user_id from common.Users where user_id<=10000') with async=true", 'migrate CustomerAudit with async=true']
Migrate Details Command ["migrate_details '${batch_id}'", "migrate_details ''", "migrate_details '51905b7e-6c8d-4914-a3db-243252c07c80'"]
Migrate In Process Command ['migrate_in_process']
Migrate List Command ['migrate_list']
Migrate Resume Command ["migrate_resume '07e05c7a-33ea-4da1-a0e7-27b6c13e5237' allow_cancelled=true"]
Migrate Summary Command ["migrate_summary '51905b7e-6c8d-4914-a3db-243252c07c80'"]
PS Command ['ps all']
QUERY ['select * from table1 where COL1=123']
QUERY_DATA_CHANGE ['begin', 'INSERT into common.USERS (...)', 'delete from table1 where COL1=123']
Release Command ['release', 'release CustomerAudit', 'release CustomerAudit; LU3']
Revoke Command ["revoke ALL on * from 'audit'"]
Set Command ['set username', 'set default', "set environment='_dev'"]
Set Global Command ['set_global config_overrides_add=?;', "set_global global 'CustomerAudit.audit_test=10'"]
Test Connection Command ['test_connection interface=anthropic timeout=30', 'test_connection interface=bedrock timeout=30', 'test_connection interface=cassandraLoader timeout=30']
Delete Instance Command ['delete instance CustomerAudit.999999']
Time Command ['time']
Version Info Command ['version basic']
Help Command ['help', 'help set', 'help deploy']

Auditing Settings

Two major Auditing features can be controlled:

  • Filtering strategies: provides full flexibility over the type of activities that are introduced to the Auditing mechanism. For instance, you may audit the Web Service calls only, without impacting the performance of other activities but with saving a lot of disk space. Read here for more details.
  • Persistence strategies: defines the reporting channel of the Auditing mechanism. Examples for such channels are system_db (default), Kafka, files, etc. Read here for more details.

The Auditing mechanism can be configured via the [audit] and [audit_kafka_producer] sections of the config.ini. By default, the persistence strategy is system database, and the data is written into the k2_auditing table of the k2audit keyspace.

Fabric Auditing

Fabric has a robust Auditing mechanism that logs various activities running on Fabric. These can be logins, Web Service calls, and various Fabric commands.

Table of Contents

  1. When to Enable Auditing in Production
  2. When Auditing Should Not Be Enabled
  3. Turning Auditing On/Off
  4. What Gets Audited
  5. Auditing Reporting Structure
  6. Auditing Reporting Examples

When to Enable Auditing in Production

Auditing is particularly useful in production environments, where system integrity, accountability, and regulatory compliance are essential. Enabling auditing ensures that user actions and system events are accurately recorded for analysis, compliance, and troubleshooting purposes.

Here’s a list of common activities audited in production:

Category Activity
Authentication - User logins to Web Studio / Fabric CLI / Web Framework
- Failed login attempts (authentication errors)
User Management - User creation, deletion, or modification
- Role assignment and revocation
- Changes to permissions or tokens
Configuration Changes - Updates to environment configurations
- Changes to Fabric settings via config.ini or commands
- Feature enablement/disabling (e.g., turning audit ON/OFF)
Deployment Actions - Deployment of Logical Units (LUs), flows, or configurations
- Script or service updates pushed to the Fabric runtime
Command Execution - Executed Fabric commands (e.g., GET, LIST, ALTER, GRANT)
- Batch commands and automation jobs
Data Access - Executed queries (read/write) on LU Tables or external DBs
- Use of SEARCH or CQL commands
Web Service Usage - Web service calls via Fabric endpoints
- API access patterns and integration behaviors
Job Execution - Scheduled job execution and lifecycle (start/stop/update)
- Execution of Broadway or background processes
System Operations - System restart events
- Startup/shutdown logs and audit state transitions

When Auditing Should Not Be Enabled

Auditing is not recommended in development environments, particularly when using Fabric Web Studio.

Why?

In development environments, Fabric Web Studio often executes actions on behalf of the user. If auditing is enabled:

  • Both user-driven actions and system-initiated background tasks by Web Studio will be logged.
  • This results in misleading or noisy audit records that do not accurately reflect user behavior.
  • There is no operational benefit, as this environment is typically used for prototyping or testing—not production governance or compliance.

Recommendation:
Do not enable auditing in development environments where Fabric Web Studio is employed. It provides no added value and may introduce confusion in interpreting activity logs.

Turning Auditing On/Off

By default, Auditing is set to OFF. To enable Auditing in Fabric, set AUDIT=ON using K2admin's Configuration panel and set a configuration override for AUDIT. You then need to restart the K2cloud space.

AUDIT=ON

What Gets Audited

Fabric auditing tracks the following activity types:

  • System logins
  • All executed Fabric commands
  • Web-Service calls
  • All executed data queries (read and write)

Auditing Reporting Structure

When an activity is captured by the Fabric Auditing mechanism, it is logged with the following fields:

Name Description
Action Type of activity performed in Fabric.
Date Activity date.
User Fabric User ID.
Written at Full date and timestamp of the activity.
Address IP address of the node where the activity occurred. May include port.
Params Parameters passed to Fabric commands.
Protocol Protocol used for the activity.
Query Activity details such as query, schema info, or auth provider.
Result Outcome of the action (rows affected or status).
Session ID Correlation ID for related actions within a session or request chain.

Auditing Reporting Examples

Action Query
LOGIN ['null']
LOGOUT ['null']
Create Role Command ["create role 'audit'"]
Create Token Command ['create token audit_token']
Create User Command ['CREATE USER ksmith*** with PASSWORD ****']
Alter User Command ['ALTER USER ksmith*** with password ****']
Assign Role Command ['assign role audit to token audit_token', 'assign role audit to user ksmith***']
Deploy Command ["DEPLOY CustomerAudit WITH JAR '/tmp/fabric_upload_tmp_nura_nondev83_k2view_qa_0/ludb.jar' ZIP_FILE '/tmp/fabric_upload_tmp_nura_nondev83_k2view_qa_0/ludbXMLs.zip' WS_METHODS '' SOFT_DEPLOY false"]
Deploy Environments Command ["DEPLOY ENVIRONMENTS FROM FILE '/tmp/fabric_upload_tmp_nura_nondev83_k2view_qa_1/Environments.k2fabEnv.xml'"]
Grant Command ['grant ALL on * to audit', 'grant ALL_WS on * to audit']
Batch In Process Command ["batch_in_process filter='(?i)sync_instance'"]
Batch Process Details Command ["BATCH_DETAILS '${batch_id}'", "BATCH_DETAILS ''", "BATCH_DETAILS '51905b7e-6c8d-4914-a3db-243252c07c80'"]
Batch Process List Command ['batch_list']
Batch Process Retry Command ["batch_retry '07e05c7a-33ea-4da1-a0e7-27b6c13e5237' allow_cancelled=true"]
Batch Process Summary Command ["batch_summary '51905b7e-6c8d-4914-a3db-243252c07c80'"]
Broadway Command ['broadway k2_ws.fabricRestart']
Cancel Command ["cancel batch'13b8d066-c523-4a2d-9be5-79c22e75c786'"]
Drop Command ['drop token audit_token', 'drop role audit', 'drop lutype CustomerAudit']
Get Command ['get OracleLu.2', 'use OracleLu.3', 'get LU3.1']
GetF Command ['getf CustomerAudit.insertRowToUsers(999999)']
Job Status Command ['jobstatus']
List Command ['list config_overrides', 'list config', 'list lut']
Migrate Command ['migrate CustomerAudit.(1;2;3;4;5) with async=true', "migrate CustomerAudit from fabric using ('select user_id from common.Users where user_id<=10000') with async=true", 'migrate CustomerAudit with async=true']
Migrate Details Command ["migrate_details '${batch_id}'", "migrate_details ''", "migrate_details '51905b7e-6c8d-4914-a3db-243252c07c80'"]
Migrate In Process Command ['migrate_in_process']
Migrate List Command ['migrate_list']
Migrate Resume Command ["migrate_resume '07e05c7a-33ea-4da1-a0e7-27b6c13e5237' allow_cancelled=true"]
Migrate Summary Command ["migrate_summary '51905b7e-6c8d-4914-a3db-243252c07c80'"]
PS Command ['ps all']
QUERY ['select * from table1 where COL1=123']
QUERY_DATA_CHANGE ['begin', 'INSERT into common.USERS (...)', 'delete from table1 where COL1=123']
Release Command ['release', 'release CustomerAudit', 'release CustomerAudit; LU3']
Revoke Command ["revoke ALL on * from 'audit'"]
Set Command ['set username', 'set default', "set environment='_dev'"]
Set Global Command ['set_global config_overrides_add=?;', "set_global global 'CustomerAudit.audit_test=10'"]
Test Connection Command ['test_connection interface=anthropic timeout=30', 'test_connection interface=bedrock timeout=30', 'test_connection interface=cassandraLoader timeout=30']
Delete Instance Command ['delete instance CustomerAudit.999999']
Time Command ['time']
Version Info Command ['version basic']
Help Command ['help', 'help set', 'help deploy']

Auditing Settings

Two major Auditing features can be controlled:

  • Filtering strategies: provides full flexibility over the type of activities that are introduced to the Auditing mechanism. For instance, you may audit the Web Service calls only, without impacting the performance of other activities but with saving a lot of disk space. Read here for more details.
  • Persistence strategies: defines the reporting channel of the Auditing mechanism. Examples for such channels are system_db (default), Kafka, files, etc. Read here for more details.

The Auditing mechanism can be configured via the [audit] and [audit_kafka_producer] sections of the config.ini. By default, the persistence strategy is system database, and the data is written into the k2_auditing table of the k2audit keyspace.

© Copyright 2025 K2VIEW