ThingWorx Audit Messages
This topic provides details about the content of ThingWorx audit messages in the following sections:
Types of Audit Messages
The Audit Subsystem generates messages for different activities in the ThingWorx Platform. The messages fall into the following general types:
Changes to an Object—Auditing of changes such as creation, deletion, or modification of an entity. The entity may be a Thing or a non-Thing, such as a subsystem or organization.
Changes to Users—Auditing of changes such as creation or modification of a user or application key.
Operations on an Object—Auditing of operations on an entity. Examples include remote session activity (tunneling) on a Thing.
Operations on the System—Audits where no target object exists for the message, such as user login and import/export operations.
Audit messages contain audit entries, which provide the information about the activity.
For information on auditing a switch in security context, see Auditing the Switching of Security Context.
Audit Entries
Each audit entry consists of two components, an Audit Category Key and an Audit Message Key:
The Audit Category Key is a localization token that specifies the functional area, or category, with which the audit message is associated. This key is a STRING. For a list of categories, see Audit Categories.
The Audit Message Key is a localization token that points to the text of the audit message. This key is a STRING.
The value for each component is pulled from the corresponding, built-in event definition or instance. Note that auditing of user-defined events is not supported.
Audit Message Arguments
The audit message provides arguments that are used to generate a localized text message and the name of the entity that performed the operation. A ValueCollection of substitution name/value pairs is used to generate the localized text message. This information is retrieved from the eventData fields of the event instance. A ThingWorx entity, such as a Thing or a user, is associated with an audit message, including who or what performed the operation that is the subject of the audit message.
Audit Categories
All audit entries are associated with an audit category. Audit categories make it very easy to filter audit data and look at a trend of activities for a certain category of operations. In addition, audit categories can help you to detect attempts at unauthorized access or problems with an edge device not being able to connect to your ThingWorx Platform.
Each audit entry has a single category, which is stored as a string with the audit entry. The displayed audit category string is localized. Based on the user's preferred locale, the audit category is displayed in the appropriate language.
The following table lists and briefly describes the categories available in the audit subsystem.
| Category | Description | Examples | Localization Token |
| --- | --- | --- | --- |
| ANALYTICS | Actions related to analytics entities. Operations performed by ThingWorx Analytics. | Create, edit, delete operations on data analysis definitions. Other actions within ThingWorx Analytics. | audit.AuditCategory.Analytics |
| AUTHENTICATION | Actions related to authentication. | Successful and unsuccessful user login, user locked out, and errors related to using application keys. For example: Login successful for user: Administrator. | audit.AuditCategory.Authentication |
| COLLABORATION | Actions related to collaboration entities. | Create, edit, and delete operations on blogs and wikis. | audit.AuditCategory.Collaboration |
| DATA_MANAGEMENT | Actions related to managing or using data. | Delete operations on data. | audit.AuditCategory.DataManagement |
| DATA_STORAGE | Actions related to data storage entities and related subsystems. | Create, edit, and delete operations on data tables, streams, and other data storage entities. | audit.AuditCategory.DataStorage |
| DEVICE_COMMUNICATION | Actions and events related to communication with edge devices. | Important services invoked on Remote Things (RestartThing, EnableThing, DisableThing). The CloseWebSocketSessions service of the WSCommunicationSubsystem is audited. For details about the service, see WebSocket Communications Subsystem. | audit.AuditCategory.DeviceCommunication |
| FILE_TRANSFER | Actions and events related to file uploads and downloads. | For file transfers, successful completion of a transfer, cancellation of a transfer, and generation of errors during a transfer. | audit.AuditCategory.FileTransfer |
| IMPORT_EXPORT | Actions related to import and export of data to and from ThingWorx. | Model and data import/export operations. Import of an extension. | audit.AuditCategory.ImportExport |
| LIFECYCLE | Actions related to a Thing-specific event, such as ThingStart. | ThingStart event | audit.AuditCategory.Lifecycle |
| MODELING | Actions related to Modeling entities. | Create, edit, delete operations on Things, Thing Templates, Thing Shapes, Data Shapes, networks, projects, models, tags. | audit.AuditCategory.Modeling |
| REMOTE_ACCESS | Actions related to remote access (tunneling). | Session start/end (TunnelSession event), cancel session. | audit.AuditCategory.RemoteAccess |
| SCM (Software Content Management) | Actions related to packages, deployments, and configuration changes. | Create, edit, publish, and delete packages. Create, start, transition, and delete deployments. Includes test and actual deployments, assets specified for a test deployment, and the success or failure of package installation. Configuration changes for automatic purging and for concurrent deployments. | audit.AuditCategory.SoftwareManagement |
| SECURITY_CONFIGURATION | Actions related to security entities and permissions. | Create, edit, and delete operations on users, user groups, organizations, application keys, directory services, authenticators. Entity permission changes (all entity types). Switching security context. See . | audit.AuditCategory.SecurityConfiguration |
| SYSTEM | Actions related to system entities. | Create, edit, and delete operations on localization tables, resources, subsystems, and logs. Subsystem configuration changes and actions, including start, stop, and restart. All subsystem-related entries are in this category and will not appear at all in other categories. The restart operation results in either two or three audit messages, depending on the state of the subsystem when the restart is invoked. If the status of the subsystem is RUNNING, three messages are written, one each for restart, stop, and start. If the status of the subsystem is not RUNNING, two messages are written, one each for restart and start. The stop action is not performed in this case. | audit.AuditCategory.System |
| VISUALIZATION | Actions related to Visualization entities. | Create, edit, and delete operations on mashups, masters, gadgets, dashboards, menus, media entities, style definitions, and state definitions. | audit.AuditCategory.Visualization |
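An added example (not PTC or ThingWorx code) of the category filtering and unauthorized-access detection described under Audit Categories: it keys on the category localization token, which stays stable while the displayed category string changes with the user's locale, then counts entries per hour and flags bursts of failed logins in the AUTHENTICATION category. The entry fields, message keys and sample entries are constructed assumptions; this page does not list message keys or an export format.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Category localization tokens, taken from the table above.
AUTH = "audit.AuditCategory.Authentication"
SECCFG = "audit.AuditCategory.SecurityConfiguration"
# Hypothetical message keys: the page does not list real ones.
LOGIN_FAILED = "example.audit.loginFailed"
LOGIN_OK = "example.audit.loginSuccessful"
PERM_CHANGED = "example.audit.permissionChanged"

# Constructed sample entries: (timestamp, category token, message key, user).
SAMPLE = [
    ("2024-05-01T09:10:00", AUTH, LOGIN_FAILED, "jdoe"),
    ("2024-05-01T09:40:00", AUTH, LOGIN_FAILED, "jdoe"),
    ("2024-05-01T10:00:05", AUTH, LOGIN_FAILED, "svc_edge"),
    ("2024-05-01T10:01:10", AUTH, LOGIN_FAILED, "svc_edge"),
    ("2024-05-01T10:02:30", AUTH, LOGIN_FAILED, "svc_edge"),
    ("2024-05-01T10:03:00", AUTH, LOGIN_OK, "Administrator"),
    ("2024-05-01T10:15:00", SECCFG, PERM_CHANGED, "Administrator"),
    ("2024-05-01T10:20:00", AUTH, LOGIN_FAILED, "jdoe"),
]

def parse(rows):
    """Turn raw tuples into dicts with a real datetime for window math."""
    return [{"ts": datetime.fromisoformat(t), "category": c, "key": k, "user": u}
            for t, c, k, u in rows]

def category_trend(entries):
    """Count entries per (hour, category token) for trend views."""
    return Counter((e["ts"].replace(minute=0, second=0), e["category"]) for e in entries)

def failed_login_bursts(entries, threshold=3, window=timedelta(minutes=5)):
    """Map users with >= threshold failed logins in one window to the burst start."""
    per_user = defaultdict(list)
    for e in entries:
        # Match on tokens and keys, never on the localized display text.
        if e["category"] == AUTH and e["key"] == LOGIN_FAILED:
            per_user[e["user"]].append(e["ts"])
    flagged = {}
    for user, stamps in per_user.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                flagged[user] = stamps[i]
                break
    return flagged

if __name__ == "__main__":
    print(failed_login_bursts(parse(SAMPLE)))
```

With the defaults, only svc_edge is flagged: jdoe also has three failures, but they are spread over more than an hour and never fall inside one five-minute window.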