sapcc-audit
// Audit trail investigation on SAP Converged Cloud using Hermes. Triggers: audit, who changed, what happened, hermes, events, compliance, CADF, activity log, trace action, who did, what was done, event history
| Field | Value |
|---|---|
| name | sapcc-audit |
| description | Audit trail investigation on SAP Converged Cloud using Hermes. Triggers: audit, who changed, what happened, hermes, events, compliance, CADF, activity log, trace action, who did, what was done, event history |
| version | 1.0.0 |
| metadata | {"service":["hermes"],"task":["investigate","compliance","trace","audit"],"persona":["platform-engineer","security","developer"]} |
Hermes is SAP CC's centralized audit service. It records all API actions across all OpenStack services in CADF (Cloud Auditing Data Federation) format. Events are immutable — the audit trail cannot be modified or deleted by tenants.
| Tool | Purpose | Key Parameters |
|---|---|---|
| hermes_list_events | Search/filter audit events | target_type, target_id, initiator_name, initiator_id, action, outcome, observer_type, time_gte, time_lte, limit, offset, sort |
| hermes_get_event | Full CADF event by UUID | event_id (required) |
| hermes_list_attributes | Discover valid filter values | attribute (required: target_type, action, outcome, observer_type, initiator_type) |
All Hermes tools are read-only. No write or admin tiers exist — audit events are immutable.
Parameter formats: time_gte/time_lte take a plain ISO 8601 UTC timestamp (e.g., 2024-03-15T14:22:00Z); sort takes field:direction (e.g., time:desc, target_type:asc,time:desc).

Every audit event follows this structure:
initiator (who) → action (what) → target (to what) → outcome (result)
| Field | Description | Example |
|---|---|---|
| initiator.name | Username who performed the action | D012345 |
| action | The operation performed | update |
| target.type_uri | Resource type in slash format | compute/server |
| target.id | UUID of the affected resource | abc-123-def |
| outcome | Result of the operation | success |
| eventTime | When it occurred (UTC) | 2024-03-15T14:22:01Z |
See references/cadf-event-format.md for the full event schema.
Correct: compute/server, network/port, identity/project, dns/zone
Wrong: nova/server, server, neutron/port, VM
The format is <service-category>/<resource>. Call hermes_list_attributes with attribute=target_type to discover valid values if unsure.
The parameter name itself encodes the comparison:
- time_gte="2024-01-01T00:00:00Z" — events at or after this time
- time_lte="2024-01-01T23:59:59Z" — events at or before this time

The value is a plain ISO 8601 timestamp. Do NOT embed operators in the value string.
Valid outcomes: success, failure, pending
NOT: 200, 404, 500, created, error. Use hermes_list_attributes with attribute=outcome to confirm.
Valid: create, update, delete, read, authenticate, start, stop
NOT past tense: created, updated, deleted. NOT nouns: creation, deletion. Call hermes_list_attributes with attribute=action to see all tracked actions.
When unsure about valid filter values for target_type, action, or outcome, always call hermes_list_attributes before hermes_list_events. This avoids empty results caused by typos or the wrong format.
If you need a complete picture (compliance reviews, full resource history), set limit=200 or higher. Default 50 may miss critical events in active projects.
Format: sort="time:desc" or sort="time:asc"
Default is newest first (time:desc). Use time:asc when building a chronological narrative of what happened.
Events appear seconds to minutes after the action occurs. If you just performed an action and see no event, wait 30-60 seconds and retry. Do not tell the user "no events exist" immediately after an action.
Filter by human-readable username (e.g., D012345, technical_user_xyz), not the user's Keystone UUID. This is the name that appears in Keystone token info.
The Hermes API has a hard ceiling at offset 10,000. If you set limit=15000 or paginate past 10,000 events, the server returns HTTP 500 (not a helpful error). For large audit queries:
- Use time_gte/time_lte to window your query below 10k results
- Add target_type, action, or outcome filters to reduce the result set

The CLI tool hermescli has an --over-10k-fix flag that automates this workaround. The MCP tool does not — you must manage it manually by keeping queries scoped.
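The windowing workaround above, written out as an added example (not code from the skill or from the Hermes project): a helper pages a time range while staying under the 10,000 offset ceiling, and halves any window that would need a higher offset. `list_events` is an injected callable taking the hermes_list_events parameters named on this page; `fake_list_events`, `FAKE_EVENTS` and the minimal event layout are constructed stand-ins so the code runs offline.

```python
from datetime import datetime, timedelta, timezone

# Hermes returns HTTP 500 once offset (or limit) reaches 10,000; stay strictly below it.
OFFSET_CEILING = 10_000
PAGE_LIMIT = 200

def _iso(ts):
    return ts.strftime("%Y-%m-%dT%H:%M:%SZ")

def fetch_windowed(list_events, time_gte, time_lte, window=timedelta(hours=4), **filters):
    """Collect every event in [time_gte, time_lte] without ever paging past the ceiling.

    The range is cut into windows paged with offset; a window that would need
    offset >= 10,000 is halved and fetched recursively. Both bounds are inclusive,
    so an event on a boundary can show up twice; results are de-duplicated by id."""
    seen = {}
    start = time_gte
    while start < time_lte:
        end = min(start + window, time_lte)
        offset = 0
        while True:
            if offset + PAGE_LIMIT > OFFSET_CEILING:      # next page would trigger the 500
                for ev in fetch_windowed(list_events, start, end, window / 2, **filters):
                    seen.setdefault(ev["id"], ev)
                break
            page = list_events(time_gte=_iso(start), time_lte=_iso(end), limit=PAGE_LIMIT,
                               offset=offset, sort="time:asc", **filters)
            for ev in page:
                seen.setdefault(ev["id"], ev)
            if len(page) < PAGE_LIMIT:
                break
            offset += PAGE_LIMIT
        start = end
    return sorted(seen.values(), key=lambda ev: ev["eventTime"])

# Constructed stand-in for the Hermes API: 12,000 events one second apart (hypothetical data).
T0 = datetime(2024, 3, 15, 13, 0, tzinfo=timezone.utc)
T_END = T0 + timedelta(hours=4)
FAKE_EVENTS = [{"id": f"ev-{i:05d}", "eventTime": _iso(T0 + timedelta(seconds=i)),
                "action": "update" if i % 3 else "delete", "outcome": "success"} for i in range(12_000)]

def fake_list_events(time_gte, time_lte, limit, offset, sort="time:desc", **filters):
    if offset + limit > OFFSET_CEILING:
        raise RuntimeError("HTTP 500")                  # mimics the real API's unhelpful error
    hits = [e for e in FAKE_EVENTS if time_gte <= e["eventTime"] <= time_lte
            and all(e.get(k) == v for k, v in filters.items())]
    hits.sort(key=lambda e: e["eventTime"], reverse=sort.endswith(":desc"))
    return hits[offset:offset + limit]
```

Calling `fetch_windowed(fake_list_events, T0, T_END)` returns all 12,000 events: the first 4-hour window stops at offset 10,000 and is re-fetched as two 2-hour windows, which is the same splitting you would do by hand with time_gte/time_lte.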
Valid sort fields: time, observer_type, target_type, target_id, initiator_type, initiator_id, outcome, action.
Each supports :asc or :desc suffix. Multiple sort keys can be comma-separated: sort="target_type:asc,time:desc". Default direction is ascending if omitted.
hermes_get_event returns the complete CADF event including attachments — these contain the actual API request body and response. Essential for answering "what exactly changed?" (e.g., which field was updated, what value was set).
1. hermes_list_events(target_id="<resource-uuid>", sort="time:desc", limit=20)
2. Review initiator.name on each event → identifies who made changes
3. For detail on a specific change: hermes_get_event(event_id) → check attachments

1. Calculate time_gte = current time minus 1 hour (ISO 8601 UTC)
2. hermes_list_events(time_gte="2024-03-15T13:00:00Z", limit=100)
3. Group by target_type for overview, or filter by action/outcome

1. hermes_list_events(initiator_name="<username>", sort="time:desc", limit=50)
2. Optionally narrow with time range or target_type
3. Shows all actions taken by that user across all services

1. hermes_list_events(outcome="failure", sort="time:desc", limit=50)
2. Optionally narrow by time range or target_type
3. Each event shows what was attempted and on what resource
4. hermes_get_event for details on specific failures

1. hermes_list_events(target_id="<resource-uuid>", sort="time:asc", limit=500)
2. This gives chronological lifecycle: create → updates → deletes
3. For each event of interest: hermes_get_event → full request/response
4. Build timeline: who did what, when, and the exact changes made

1. hermes_list_attributes(attribute="target_type") → all audited resource types
2. hermes_list_attributes(attribute="action") → all tracked actions
3. hermes_list_attributes(attribute="outcome") → valid outcome values
4. Use results to construct precise queries
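The resource-history workflow above, as an added example that is not part of the skill file: given the events hermes_get_event would return for one target_id, it builds a chronological "who did what, when, and what changed" table, diffing each update's request body against the last known state so only the fields that actually changed are reported, and never applying a failed update. Assumptions: attachments carry the request body under a constructed name `request` (as a JSON string or dict); the sample events, user names and values are constructed, and the key spelling `typeURI` follows CADF rather than the Hermes JSON, which you should confirm against a real event.

```python
import json

def request_body(event):
    """Return the API request body carried in the event's attachments, or None.
    Simple actions (delete, start, stop) may carry no attachments at all."""
    for att in event.get("attachments", []):
        if att.get("name") == "request":          # assumed attachment name, not Hermes' own
            content = att.get("content")
            return json.loads(content) if isinstance(content, str) else content
    return None

def build_timeline(events):
    """Chronological rows of who/when/action/outcome plus {field: (old, new)} changes."""
    state, rows = {}, []
    for ev in sorted(events, key=lambda e: e["eventTime"]):   # do not trust input order
        body = request_body(ev) or {}
        changes = {}
        if ev["action"] == "create":
            changes = {k: (None, v) for k, v in body.items()}
        elif ev["action"] == "update":
            changes = {k: (state.get(k), v) for k, v in body.items() if state.get(k) != v}
        if ev["outcome"] == "success" and ev["action"] in ("create", "update"):
            state.update(body)                    # failed attempts are reported, never applied
        rows.append({"time": ev["eventTime"], "who": ev["initiator"]["name"],
                     "action": ev["action"], "target": ev["target"]["typeURI"],
                     "outcome": ev["outcome"], "changes": changes})
    return rows

# Constructed sample: four events for one compute/server, deliberately out of order.
TARGET = {"typeURI": "compute/server", "id": "abc-123-def"}
SAMPLE_EVENTS = [
    {"id": "e1", "eventTime": "2024-03-15T14:22:01Z", "action": "create", "outcome": "success",
     "initiator": {"name": "D012345"}, "target": TARGET,
     "attachments": [{"name": "request", "content": '{"name": "web-01", "flavor": "m1.small"}'}]},
    {"id": "e3", "eventTime": "2024-03-15T15:05:30Z", "action": "update", "outcome": "success",
     "initiator": {"name": "D012345"}, "target": TARGET,
     "attachments": [{"name": "request", "content": {"flavor": "m1.medium", "name": "web-01"}}]},
    {"id": "e2", "eventTime": "2024-03-15T15:02:00Z", "action": "update", "outcome": "failure",
     "initiator": {"name": "technical_user_xyz"}, "target": TARGET,
     "attachments": [{"name": "request", "content": {"flavor": "m1.large"}}]},
    {"id": "e4", "eventTime": "2024-03-15T16:00:00Z", "action": "delete", "outcome": "success",
     "initiator": {"name": "D012345"}, "target": TARGET},   # no attachments, as on the page
]
```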
Most common causes (check in order):
- Wrong target_type format: use compute/server, not nova/server or server. Call hermes_list_attributes to verify.
- Time range too narrow: widen the time_gte/time_lte range. Events for old resources may be outside the default window.

If you get HTTP 500: You've likely hit the 10,000 offset ceiling. The fix:

- Add time filters (time_gte/time_lte) to bound the window below 10k results, moving time_lte closer to time_gte if a window is still too large

To reduce results generally:

- Add a target_type filter to narrow to a specific service
- Add time filters (time_gte/time_lte) to bound the window
- Add an action filter if looking for specific operations (e.g., only delete)
- Add an outcome filter if only interested in failures
- Never set limit above 10,000 — the API will 500

Not all events include request/response attachments. Simple actions (delete, start, stop) may have minimal or no attachments. Update events typically include the changed fields.
Audit data is sensitive. It reveals:
Only query audit data scoped to the authenticated project. Do not expose audit data containing other users' actions or resource details without confirming the requester has legitimate need. The MCP server enforces project-scoped access, but be judicious in what you surface.
| Need | Service | Tool |
|---|---|---|
| Server details for compute/server events | Nova | nova_get_server(<target_id>) |
| Port details for network/port events | Neutron | neutron_list_ports |
| Volume details for volume events | Cinder | cinder_get_volume(<target_id>) |
| Who is the initiator (token context) | Keystone | keystone_token_info |
| Resource quota impact of actions | Limes | limes_get_project_quota |
| User need | Action |
|---|---|
| Understanding CADF event structure | Read cadf-event-format.md |