Audit events, those that come from `cf events`, are stored in Cloud Controller.
You can access them with `cf events` or you can use the API directly with `cf curl` to pull back information in more flexible ways.
https://apidocs.cloudfoundry.org/15.3.0/events/list_all_events.html (for older foundations, deprecated)
http://v3-apidocs.cloudfoundry.org/version/3.99.0/index.html#list-audit-events (for newer foundations, recommended to use this API)
There are two audit related events:
- audit.app.task.cancel
- audit.app.task.create
Basically, you just want to query with a filter for the type and indicate your type. You can then see the audit event records. I ran this in my local lab, which is older so I used the v2 API.
{
"total_results": 8,
"total_pages": 1,
"prev_url": null,
"next_url": null,
"resources": [
{
"metadata": {
"guid": "3fb2b2ad-48f9-4c19-b12b-ff714c8c3397",
"url": "/v2/events/3fb2b2ad-48f9-4c19-b12b-ff714c8c3397",
"created_at": "2021-03-04T18:27:58Z",
"updated_at": "2021-03-04T18:27:58Z"
},
"entity": {
"type": "audit.app.task.create",
"actor": "265b747a-e0f9-4448-93f4-ac2284d4811f",
"actor_type": "user",
"actor_name": "system_services",
"actor_username": "system_services",
"actee": "66b21180-1b32-43ba-a239-0f8bff9d4330",
"actee_type": "app",
"actee_name": "mytask",
"timestamp": "2021-03-04T18:27:58Z",
"metadata": {
"task_guid": "b825a12d-6c0a-4b07-a454-23642638d6fc",
"request": {
"name": "mytask",
"memory_in_mb": 1024,
"command": "[PRIVATE DATA HIDDEN]"
}
},
"space_guid": "f654f75d-51d9-43d5-b4fd-4db9f395490b",
"organization_guid": "64fcd439-7345-4d79-bcd9-1c2cb2f5a0df"
}
},
...
Some notes on this:
- The actor type is "user", so the actor guid is the user's guid. You could look that up but the actor_name/actor_username will give you the user's name.
- The actee is "app", so the actee guid is the app's guid. Again, the actee's name is the app's name so you don't necessarily need to look up the guid unless you need more info about the app.
- The metadata has details about the task
- The org & space guid's are listed. If you want the names, you'd have to look them up.
To summarize the info you're trying to get:
>1- [MISSING] Identity of who triggered the task
That would be the actee.
>2- [MISSING] Command that was executed
That is technically in the metadata, but it's redacted :(
If you want this, you'd need to look it up. There is no task API for the v2 API, so you need to use the v3 API. That is basically `cf curl /v3/tasks/<task-guid-from-metadata>`. The result will have a command property with the full unredacted command.
>3- [OK] Targetted app/space/org
In the task audit record.
>4- [OK] Stdout of run task
The only place this will show up is in the actual logs. Those are not stored in Cloud Controller. Logs go through the loggregator system & are ephemeral only (unless you send logs from Loggregator onto a syslog aggregator).
>5- [OK] Status and completion time of task
The audit record is for the creation of the task, so it doesn't have this info. You can get that from the task record though, same place as you find the command. The state field will tell you if the task was successful or failed, if it failed the result will contain a failure_reason with the reason it failed.
I believe that the updated_at field on the task record (also same as the command), is the closest there is to a completed time. Although you could probably pull the time stamp of when the container was stopped out of the log stream. That would be when the command completed, although it's going to be trickier to fetch. Usually, those two timestamps should be pretty close together though, since the task record will get updated with the final state/error message when it finishes.
Hope that helps!