Streaming data
Stream data from an IBM Cloud Activity Tracker instance to other corporate tools such as Security Information and Event Management (SIEM) tools.
As of 28 March 2024 the IBM Log Analysis and IBM Cloud Activity Tracker services are deprecated and will no longer be supported as of 30 March 2025. Customers will need to migrate to IBM Cloud Logs, which replaces these two services, prior to 30 March 2025.
When you stream data to data lakes, other analysis tools, or other SIEM tools, you can add additional capabilities to the ones provided by the Activity Tracker service:
- You can gain visibility into enterprise data across on-premises and cloud-based environments.
- You can identify and prioritize security threats that might affect your organization.
- You can detect vulnerabilities by using Artificial Intelligence (AI) to investigate threats and incidents.
You can stream data to an Event Streams instance or to an Activity Tracker instance. For example, when you enable streaming on an Activity Tracker instance, you configure Activity Tracker to send data to an Event Streams instance. Then, you can configure Kafka Connect to consume the data and forward it to your destination tool. Once the data is persisted within Event Streams, you can configure any application or service to create a subscription and take action on log data being streamed.
You can also also configure streaming from one Activity Tracker instance to a second Activity Tracker instance.
You can only stream from one Activity Tracker instance to one other Activity Tracker instance. You cannot stream from the second Activity Tracker instance to another Activity Tracker instance.
Currently, you can only stream up to 1TB of data per day.
If you have any regulatory requirement for data residency and compliance needs, you must control the location where Activity Tracker, Event Streams, Kafka Connect and the destination tool are available.
Configure streaming
Consider the following information when streaming data to an Event Streams instance:
-
You must have manager role to configure streaming in the Activity Tracker instance. This role includes the logdnaat.dashboard.manage IAM action role that allows a user to perform admin tasks such as configure streaming.
-
When you configure streaming, the Activity Tracker instance and the Event Streams instance must be provisioned in the same account.
-
To connect the Activity Tracker instance to the Event Streams instance, you need the following information:
-
Endpoint URLs to call the APIs
-
Credentials for authentication
-
-
If you configure the account to restrict access to configured IP addresses via IAM settings, or if the account limits the network locations that connections are accepted from via context based restrictions rules (CBR) for the Event Streams service, you must allowlist the Activity Tracker CIDR blocks in the account. For more information, see Activity Tracker CIDR blocks and Event Streams - Restricting network access.
-
To create a topic in Event Streams, you must have manager role. This role includes the messagehub.topic.manage IAM action role that allows an app or user to create or delete topic.
-
The credential that Activity Tracker uses to publish data in Event Streams must have writer role. This role includes the messagehub.topic.write IAM action role that allows an app or service to write data to 1 or more topics.
Consider the following information when streaming data to an Activity Tracker instance:
-
The Activity Tracker instance data that will receive data must be configured with a paid service plan. Activity Tracker instances on the
Liteplan cannot receive streamed data. -
You must have manager role to configure streaming in the Activity Tracker instance. This role includes the logdnaat.dashboard.manage IAM action role that allows a user to perform admin tasks such as configure streaming.
-
When you configure streaming, the source Activity Tracker instance and the destination Activity Tracker instance can be provisioned in the same account or in different accounts.
-
To connect the source Activity Tracker instance to the destination Activity Tracker instance, you need the following information:
-
Destination Activity Tracker ingestion URL
-
Ingestion key for the destination Activity Tracker for authentication
-
-
If you have any regulatory restriction to keep data within specific regions, make sure streaming is only configured to a valid destination.
Monitor streaming
To monitor streaming, you can use the following services:
-
IBM Cloud Monitoring service to monitor streaming to an Event Streams instance:
Event Streams is integrated with the Monitoring service. Monitoring provides a default template that you can customize to monitor the Event Streams instance, how data is streamed out of Activity Tracker and consumed by any application or service that is subscribed to Event Streams.
For more information, see Monitoring streaming by using IBM Cloud Monitoring.
-
IBM Cloud Activity Tracker:
Streaming generates Activity Tracker events with the action logdnaat.streaming-logs.send to notify of failures sending data. There are different reasons for failure such as invalid credentials and topic deleted.
For more information, see Monitoring streaming by using Activity Tracker.
Conditional streaming
You can configure exclusion rules to filter out data from streaming. For more information, see Configuring conditional streaming.
- You configure streaming exclusion rules through Settings > Streaming > Exclusion rules.
- The exclusion rules that you define for streaming are different from the exclusion rules that you can define at the instance level through Settings > Usage > Exclusion rules.
When you define exclusion rules, either at the instance level, or for streaming, they are applied as follows:
- Exclusion rules that you define at the instance level are applied first.
- Only the data that is retained and available for search is in scope of the exclusion rules that you define for streaming.
- After a streaming exclusion rule is active, data that matches the filter criteria is not streamed.
- Conditions that are applied by a query are enforced.
Activity Tracker events
The following Activity Tracker events are generated when you configure streaming:
| Action | Description |
|---|---|
logdnaat.streaming-configuration.validate |
This event is generated when you configure the connection in Activity Tracker to Event Streams. |
logdnaat.streaming-samples.send |
This event is generated when sample data is sent to verify the connection. |
logdnaat.account-streaming-setting.configure |
This event is generated when you start streaming. |
logdnaat.streaming-configuration.deactivate |
This event is generated when you stop streaming. |
logdnaat.streaming-logs.send |
This event is generated when there is a failure streaming data. |
logdnaat.exclusion-rule.create |
This event is generated when an streaming exclusion rule is configured. |
logdnaat.exclusion-rule.delete |
This event is generated when an streaming exclusion rule is deleted. |