Auditing Overview

K2Cloud Auditing Capability

K2View’s auditing capability is now available to K2Cloud SaaS customers. This feature offers detailed visibility into user and system activity across Fabric.

Note: Customers using self-hosted K2Cloud environments are not eligible for this capability.

When to Enable Auditing in Production

Auditing is particularly useful in production environments, where system integrity, accountability, and regulatory compliance are essential. Enabling auditing ensures that user actions and system events are accurately recorded for analysis, compliance, and troubleshooting purposes.

Here’s a list of common activities audited in production:

Authentication:

  • User logins to Web Studio / Fabric CLI / Web Framework
  • Failed login attempts (authentication errors)

User Management:

  • User creation, deletion, or modification
  • Role assignment and revocation
  • Changes to permissions or tokens

Configuration Changes:

  • Updates to environment configurations
  • Changes to Fabric settings via config.ini or commands
  • Feature enablement/disabling (e.g., turning audit ON/OFF)

Deployment Actions:

  • Deployment of Logical Units (LUs), flows, or configurations
  • Script or service updates pushed to the Fabric runtime

Command Execution:

  • Executed Fabric commands (e.g., GET, LIST, ALTER, GRANT)
  • Batch commands and automation jobs

Data Access:

  • Executed queries (read/write) on LU Tables or external DBs
  • Use of SEARCH or CQL commands

Web Service Usage:

  • Web service calls via Fabric endpoints
  • API access patterns and integration behaviors

Job Execution:

  • Scheduled job execution and lifecycle (start/stop/update)
  • Execution of Broadway or background processes

System Operations:

  • System restart events
  • Startup/shutdown logs and audit state transitions

When Auditing Should Not Be Enabled

Auditing is not recommended in development environments, particularly when using Fabric Web Studio.

Why?

In development environments, Fabric Web Studio often executes actions on behalf of the user. If auditing is enabled:

  • Both user-driven actions and system-initiated background tasks by Web Studio will be logged.
  • This results in misleading or noisy audit records that do not accurately reflect user behavior.
  • There is no operational benefit, as this environment is typically used for prototyping or testing—not production governance or compliance.

Recommendation:
Do not enable auditing in development environments where Fabric Web Studio is employed. It provides no added value and may introduce confusion in interpreting activity logs.

Where to View Audit Logs

When auditing is enabled, audit entries are integrated into the logs shown on the Monitoring page, under the Fabric Monitor Logs panel. These entries are interspersed with standard logs and can be filtered using the search feature.

To view only audit records, enter AUDIT into the search bar (case-sensitive).

Downloading Audit Logs

Audit data can be downloaded in either CSV or plain text formats using one of the following methods:

  1. Using the UI’s Vertical 3-dot Menu (⋮):

    • Click the vertical 3-dot menu (⋮) in the log panel.
    • Navigate to: Inspect > Data
    • Choose the desired format (CSV or text) for export.
  2. Using a Keyboard Shortcut:

    • Press the i key to access the same Inspect > Data option and initiate export.

Turning Auditing On/Off

By default, Auditing is set to OFF. To enable Auditing in Fabric, set AUDIT=ON using K2admin's Configuration panel and set a configuration override for AUDIT. You then need to restart the K2Cloud space.

AUDIT=ON

What Gets Audited

Fabric auditing tracks the following activity types:

  • System logins
  • All executed Fabric commands
  • Web-Service calls
  • All executed data queries (read and write)

Auditing Reporting Structure

When an activity is captured by the Fabric Auditing mechanism, it is logged with the following fields:

Name | Description
Action | Type of activity performed in Fabric.
Date | Activity date.
User | Fabric User ID.
Written at | Full date and timestamp of the activity.
Address | IP address of the node where the activity occurred. May include port.
Params | Parameters passed to Fabric commands.
Protocol | Protocol used for the activity.
Query | Activity details such as query, schema info, or auth provider.
Result | Outcome of the action (rows affected or status).
Session ID | Correlation ID for related actions within a session or request chain.

Auditing Reporting Examples

Action | Query
LOGIN | ['null']
LOGOUT | ['null']
Create Role Command | ["create role 'audit'"]
Create Token Command | ['create token audit_token']
Create User Command | ['CREATE USER ksmith*** with PASSWORD ****']
Alter User Command | ['ALTER USER ksmith*** with password ****']
Assign Role Command | ['assign role audit to token audit_token', 'assign role audit to user ksmith***']
Deploy Command | ["DEPLOY CustomerAudit WITH JAR '/tmp/fabric_upload_tmp_nura_nondev83_k2view_qa_0/ludb.jar' ZIP_FILE '/tmp/fabric_upload_tmp_nura_nondev83_k2view_qa_0/ludbXMLs.zip' WS_METHODS '' SOFT_DEPLOY false"]
Deploy Environments Command | ["DEPLOY ENVIRONMENTS FROM FILE '/tmp/fabric_upload_tmp_nura_nondev83_k2view_qa_1/Environments.k2fabEnv.xml'"]
Grant Command | ['grant ALL on * to audit', 'grant ALL_WS on * to audit']
Batch In Process Command | ["batch_in_process filter='(?i)sync_instance'"]
Batch Process Details Command | ["BATCH_DETAILS '${batch_id}'", "BATCH_DETAILS ''", "BATCH_DETAILS '51905b7e-6c8d-4914-a3db-243252c07c80'"]
Batch Process List Command | ['batch_list']
Batch Process Retry Command | ["batch_retry '07e05c7a-33ea-4da1-a0e7-27b6c13e5237' allow_cancelled=true"]
Batch Process Summary Command | ["batch_summary '51905b7e-6c8d-4914-a3db-243252c07c80'"]
Broadway Command | ['broadway k2_ws.fabricRestart']
Cancel Command | ["cancel batch'13b8d066-c523-4a2d-9be5-79c22e75c786'"]
Drop Command | ['drop token audit_token', 'drop role audit', 'drop lutype CustomerAudit']
Get Command | ['get OracleLu.2', 'use OracleLu.3', 'get LU3.1']
GetF Command | ['getf CustomerAudit.insertRowToUsers(999999)']
Job Status Command | ['jobstatus']
List Command | ['list config_overrides', 'list config', 'list lut']
Migrate Command | ['migrate CustomerAudit.(1;2;3;4;5) with async=true', "migrate CustomerAudit from fabric using ('select user_id from common.Users where user_id<=10000') with async=true", 'migrate CustomerAudit with async=true']
Migrate Details Command | ["migrate_details '${batch_id}'", "migrate_details ''", "migrate_details '51905b7e-6c8d-4914-a3db-243252c07c80'"]
Migrate In Process Command | ['migrate_in_process']
Migrate List Command | ['migrate_list']
Migrate Resume Command | ["migrate_resume '07e05c7a-33ea-4da1-a0e7-27b6c13e5237' allow_cancelled=true"]
Migrate Summary Command | ["migrate_summary '51905b7e-6c8d-4914-a3db-243252c07c80'"]
PS Command | ['ps all']
QUERY | ['select * from table1 where COL1=123']
QUERY_DATA_CHANGE | ['begin', 'INSERT into common.USERS (...)', 'delete from table1 where COL1=123']
Release Command | ['release', 'release CustomerAudit', 'release CustomerAudit; LU3']
Revoke Command | ["revoke ALL on * from 'audit'"]
Set Command | ['set username', 'set default', "set environment='_dev'"]
Set Global Command | ['set_global config_overrides_add=?;', "set_global global 'CustomerAudit.audit_test=10'"]
Test Connection Command | ['test_connection interface=anthropic timeout=30', 'test_connection interface=bedrock timeout=30', 'test_connection interface=cassandraLoader timeout=30']
Delete Instance Command | ['delete instance CustomerAudit.999999']
Time Command | ['time']
Version Info Command | ['version basic']
Help Command | ['help', 'help set', 'help deploy']

Fabric has a robust Auditing mechanism that logs various activities running on Fabric. These can be logins, Web Service calls, and various Fabric commands.

Two major Auditing features can be controlled:

  • Filtering strategies: provide full flexibility over the types of activity that are passed to the Auditing mechanism. For instance, you may audit only the Web Service calls, which leaves the performance of other activities unaffected and saves a lot of disk space.
  • Persistence strategies: define the reporting channel of the Auditing mechanism. Examples of such channels are Cassandra (default), Kafka, files, etc.

The Auditing mechanism can be configured via the [audit] and [audit_kafka_producer] sections of the config.ini. By default, the persistence strategy is Cassandra, and the data is written into the k2_auditing table of the k2audit keyspace.

Auditing Reporting Structure

When an activity is logged by the Fabric Auditing mechanism, it has the following structure:

Name | Description | Example
action | Type of activity performed in Fabric. | LOGIN, GetCommand, called Web-Service name, etc.
date | Activity date. | 2020-11-05
user | Fabric User ID. | admin, etc.
written_at | Activity date and timestamp. | 2020-11-05 11:49:14.452000+0000
address | IP address of the node where the activity is performed. For the HTTP/HTTPS protocols, the address is a concatenation of the IP address:port. | 10.21.1.1 or 10.21.1.1:3213
params | Activity parameters, applicable for Fabric commands only. | For example, for GetCommand: [DC_NAME=null|LU_NAME=CRM|IID=1]
protocol | Contains the protocol used for the activity. The valid values are: HTTP/1.1, HTTPS/1.3 or DRIVER or JDBC driver. | DRIVER
query | Activity details, for example the CQL query for a CQLCommand, DESCRIBE SCHEMA CRM for a DescribeCommand, or the authentication provider for the LOGIN action. | SELECT * FROM CRM.SUBSCRIBER
result | Number of affected rows or activity status. | Rows Affected: 3
session_id | Session ID. When several actions are executed as a result of one entry point (e.g. a Web Service), the session ID is the same for all the related entries. | 07a40433-17a3-4054-9aaf-59d19378c555

For example, when the user performs login and authentication to the Web Framework, the activity is audited as follows:

  • Action = LOGIN
  • Protocol = HTTP/1.1
  • Query = LDAP/SAML/FABRIC

When the user performs login to the Fabric console, it is audited as follows:

  • Action = LOGIN
  • Protocol = DRIVER
  • Query = LDAP/FABRIC

Logouts are not audited.

The following activities in Fabric can be captured by the auditing mechanism:

  • System Login
  • Any executed Fabric commands
  • Web-Service calls
  • Any executed queries on the data, covering both read and write.
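
The following added example (not part of the K2View documentation) shows one way to triage an exported audit CSV: it normalises written_at and address, groups entries by session_id, and returns the sessions that contain identity or privilege changes. It assumes the CSV header names match the lowercase field names in the table above and that action labels match the examples table; the session IDs and the "OK" result value are constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Action labels copied from the page's examples table: identity and privilege changes.
PRIVILEGE_ACTIONS = {
    "Create User Command", "Alter User Command", "Create Role Command",
    "Create Token Command", "Assign Role Command", "Grant Command",
    "Revoke Command", "Drop Command",
}

# Constructed sample export. Header names, session ids and "OK" results are assumptions.
SAMPLE_CSV = """\
action,date,user,written_at,address,params,protocol,query,result,session_id
LOGIN,2020-11-05,admin,2020-11-05 11:49:14.452000+0000,10.21.1.1,,DRIVER,FABRIC,OK,sess-a
Grant Command,2020-11-05,admin,2020-11-05 11:49:25.000000+0000,10.21.1.1,,DRIVER,grant ALL on * to audit,OK,sess-a
Create User Command,2020-11-05,admin,2020-11-05 11:49:20.100000+0000,10.21.1.1,,DRIVER,CREATE USER ksmith*** with PASSWORD ****,OK,sess-a
LOGIN,2020-11-05,ws_user,2020-11-05 11:50:00.000000+0000,10.21.1.1:3213,,HTTP/1.1,LDAP,OK,sess-b
QUERY,2020-11-05,ws_user,2020-11-05 11:50:01.000000+0000,10.21.1.1:3213,,HTTP/1.1,select * from table1 where COL1=123,Rows Affected: 3,sess-b
"""


def parse_records(text):
    """Parse exported rows, normalising written_at and address."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        row["written_at"] = datetime.strptime(
            row["written_at"], "%Y-%m-%d %H:%M:%S.%f%z")
        # address is "IP" for DRIVER entries and "IP:port" for HTTP/HTTPS entries.
        host, sep, port = row["address"].partition(":")
        row["node"], row["port"] = host, (int(port) if sep else None)
        records.append(row)
    return records


def privileged_sessions(records):
    """Return {session_id: summary} for sessions containing a privilege change."""
    by_session = defaultdict(list)
    for rec in records:
        by_session[rec["session_id"]].append(rec)
    findings = {}
    for sid, entries in by_session.items():
        # Export order is not guaranteed to be chronological, so sort first.
        entries.sort(key=lambda r: r["written_at"])
        changes = [r for r in entries if r["action"] in PRIVILEGE_ACTIONS]
        if not changes:
            continue
        findings[sid] = {
            "users": sorted({r["user"] for r in entries}),
            "protocols": sorted({r["protocol"] for r in entries}),
            "first_seen": entries[0]["written_at"],
            "changes": [(r["action"], r["query"]) for r in changes],
        }
    return findings


if __name__ == "__main__":
    for sid, info in privileged_sessions(parse_records(SAMPLE_CSV)).items():
        print(sid, info["users"], info["protocols"])
        for action, query in info["changes"]:
            print("   ", action, "->", query)
```

Because address is the IP of the Fabric node rather than of the client, the summary keys on user, protocol and session_id instead of treating address as a source.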


Turning Auditing On/Off

By default, Auditing is set to OFF. To enable Auditing in Fabric, set AUDIT=ON in the config.ini file and then restart Fabric.

AUDIT=ON
