Skip to content

Event Logging

PPA emits a rich set of events via Syslog. In combination with a SEIM, these can be used to create a comprehensive audit trail of activity on the appliance.

Supported events

PPA emits messages for the following events:

Event name Description
TaskStart Task has started
TaskCancel Task has been cancelled
TaskWaitHook Task wait hook has received user input
TaskLog Task has sent a custom syslog message
DelayedStartInsert Delayed Start Task has been created
DelayedStartUpdate Delayed Start Task has been updated
DelayedStartDelete Delayed Start Task has been deleted
SecretAuthorized Secret access has been authorized (by a running task)
VaultAuthorized Vault access has been authorized (by a running task)
ImageBuild Task image has built (Task Builder)
ImageDeploy Task image has been deployed (Task Builder)
ImageUpdateMetadata Task image metadata has been edited
ImageUpdateOwner Task image owner has been edited
ImageUpdateDelegates Task image delegated groups have been edited
ImageUpdateMaintainers Task image maintainer groups have been edited
ImageArchive Task image has been deleted
ImageRevisionsDelete Task image revisions have been deleted
ImageUpload Task image has been uploaded
ImageRebuild Task image has been rebuilt
PlaybookInsert Playbook has been created
PlaybookUpdate Playbook has been edited
PlaybookUpdateMaintainers Playbook maintainer groups have been edited
PlaybookDelete Playbook has been deleted
AgentInsert Agent has been created
AgentUpdate Agent has been edited
AgentDelete Agent has been deleted
RoleInsert Role has been created
RoleUpdate Role has been edited
RoleDelete Role has been deleted
VaultInsert Vault has been created
VaultUpdate Vault has been edited
VaultDelete Vault has been deleted
ScheduleInsert Schedule has been created
ScheduleUpdate Schedule has been edited
ScheduleDelete Schedule has been deleted
ConfigInsert Configuration has been created
ConfigUpdate Configuration has been edited
UserAuth User has signed in
UserSetActive User has been activated/deactivated
UserSetAuthType User authentication type has been changed
UserDelete User has been deleted
UserRestore User has been restored
UsersImported Users have been imported
GroupsImported Groups have been imported
GroupsUpdate Groups have been updated
GroupDelete Group has been removed
APIKeyRegenerate Key has been regenerated
Techout Techout has been generated
SystemEventInsert System Event log has been created
SystemEventUpdate System Event log has been updated
SystemEventDismiss System Event warning has been dismissed
SystemEventsDismiss Multiple System Event warnings have been dismissed
SystemEventsDelete Multiple System Event warnings have been deleted
SubscriptionInsert System Event subscription has been created
SubscriptionUpdate System Event subscription has been updated
SubscriptionDelete System Event subscription has been deleted
TaskLogsCleanup Scheduled tasks logs cleanup has finished

Message fields

PPA provides the following additional fields:

Field name Description
user User responsible for triggering the event
image Task image name (if relevant)
task Task uuid (if relevant)
details Additional contextual information

The details field contains different information depending on the type of event. Here are some examples:


  "context": {
    "addr": "123.456.789.10",
    "auth_type": "password"


  "context": {
    "trigger": "ui"
  "type": "task",
  "owner": "ppa.demo.user"


  "inserted": {
    "driver": "hashicorp-vault",
    "host": "ppa.demo.vault:8200",
    "name": "PPA demo vault"
  "type": "vault"


  "updated": {
    "name": {
      "current": "Current Name",
      "previous": "Previous Name"
    "tags": {
      "added": ["demo", "qa", "v2.5.0"],
      "removed": ["v2.4.0"]
  "type": "image",
  "owner": "ppa.demo.user"