Specifications

Use IBM Cloud® Activity Tracker Event Routing to configure how to route audit events, both global and location-based event data, in your IBM Cloud. The events comply with the Cloud Auditing Data Federation (CADF) standard.

Figure 1. The Activity Tracker Event Routing service

Configuring the account

To configure Activity Tracker Event Routing in your account, define where auditing events are routed and stored. You must configure 1 or more targets, and 1 or more routes. You must also configure the account settings.

  • A target defines the resource where you can store auditing events.
  • A route defines the rules that determine where auditing events are routed in your account.
  • The account settings configuration defines information such as default targets where events are collected in the account, type of endpoints that are allowed to manage the configuration, and allowed locations to store the data in the account.

You can collect global events and location-based events.

  • Global events report on activity in your account that relate to data and resources that are generally synchronized across all regions.
  • Location-based events report on activity in your account that is generated by IBM Cloud services that are hosted within an IBM data centre location, like US-South or US-East.

Per account, you can choose the region where events are collected.

Account configuration settings

When you configure the Activity Tracker Event Routing account settings, you can define any of the following information:

  1. The location in your IBM Cloud account where the Activity Tracker Event Routing account configuration metadata is stored.

    By metadata, we refer to the target/route/settings data that is available across the account in any region.

    You can choose any of the supported locations where Activity Tracker Event Routing is available. For more information, see Locations.

    Take into account any corporate or industry compliance requirements such as Financial Services Validated locations, or EU-managed regions, and any data residency requirements.

  2. The type of endpoints that are allowed to manage the Activity Tracker Event Routing account configuration in the account.

    You can configure public endpoints, private endpoints, or both.

  3. The locations where an account administrator can define targets to collect auditing events.

    You can choose any of the supported locations where Activity Tracker Event Routing is available. For more information, see Locations.

    Take into account any corporate or industry compliance requirements such as Financial Services Validated locations, or EU-managed regions, and any data residency requirements.

  4. 1 or more targets in the account that will collect auditing events from supported Activity Tracker Event Routing locations where you have not configured how you want to route the auditing events.

    If you define more than 1 target, all default targets get a copy of the auditing events that do not have a routing rule to indicate where to route them in the account. You can define up to 2 default targets per account.

When you configure or modify the Activity Tracker Event Routing account settings, consider the following information:

  • Every time you modify the Activity Tracker Event Routing account settings, the data that is passed in the new request replaces any existing configuration data. You must ensure that any existing data is not deleted when you run an update of the account settings by including it in the new request.

  • Before you disable public endpoints by setting --private-api-endpoint-only TRUE, make sure that your account has access to the private endpoint. To check, run the command ibmcloud account show. If VRF Enabled is true and Service Endpoint Enabled is true, you have access to the private endpoint. If you do not have access to the private endpoint, you cannot re-enable the public endpoint, because private endpoint access is required to re-enable it.
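
The two considerations above, expressed as a pre-flight check you can run before sending a settings update. This is an added example, not IBM's code: the settings keys and the two boolean inputs (taken from the VRF Enabled and Service Endpoint Enabled values that ibmcloud account show reports) are assumptions for illustration.

```python
# Added example: guard a settings update against silent deletion and lockout.
# Key names below are assumed for illustration; sample values are constructed.

def lost_on_update(current, request):
    """Return the settings (or list items) that `request` would delete."""
    lost = {}
    for key, old in current.items():
        if key not in request:
            lost[key] = old                      # whole setting omitted
        elif isinstance(old, list):
            missing = [v for v in old if v not in request[key]]
            if missing:
                lost[key] = missing              # list shrank
    return lost

def safe_update(current, changes, vrf_enabled, service_endpoint_enabled):
    """Build the full replacement body: current settings overlaid with changes."""
    request = {**current, **changes}
    turning_private = (request.get("private_api_endpoint_only")
                       and not current.get("private_api_endpoint_only"))
    if turning_private and not (vrf_enabled and service_endpoint_enabled):
        raise ValueError("no private endpoint access: the public endpoint "
                         "could not be re-enabled afterwards")
    if len(request.get("default_targets", [])) > 2:
        raise ValueError("at most 2 default targets per account")
    return request

# Constructed sample of the settings currently stored in the account.
CURRENT = {
    "default_targets": ["target-a"],
    "permitted_target_regions": ["us-south", "eu-de"],
    "metadata_region_primary": "us-south",
    "private_api_endpoint_only": False,
}

if __name__ == "__main__":
    # A request that only names the new default target would delete the rest.
    print(lost_on_update(CURRENT, {"default_targets": ["target-b"]}))
    print(safe_update(CURRENT, {"default_targets": ["target-a", "target-b"]},
                      vrf_enabled=False, service_endpoint_enabled=False))
```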

Targets

A target defines where auditing events are collected.

Note the following information about targets:

  • You can define up to 16 targets in each account.

  • Each account can have up to 2 default targets. A default target defines a resource where auditing events that are not explicitly managed in the account's routing rules are sent.

  • A target can be:

    • An IBM Cloud Object Storage (COS) bucket

    • The Activity Tracker Event Routing hosted event search offering

    • An IBM® Event Streams for IBM Cloud® topic

  • All targets can be accessed by any Activity Tracker Event Routing API endpoint.

  • Targets are created within a region but are visible across regions.

  • You can define targets in the same account where events are generated or in a different account.

  • When you define a Cloud Object Storage target, you can use an API key or service to service authentication to upload events.

  • You can manage targets in your account by using the Activity Tracker Event Routing CLI, and programmatically by using the Activity Tracker Event Routing REST API and Terraform scripts.

  • To manage targets, you need IAM permissions. For more information, see IAM actions by task.

The following table outlines valid target types:

Table 1. List of targets
Target | Type | More info
IBM Cloud Object Storage (COS) | cloud_object_storage | Managing COS targets
Activity Tracker | logdna | Managing Activity Tracker hosted event search targets
IBM® Event Streams for IBM Cloud® | event_streams | Managing IBM® Event Streams for IBM Cloud® targets

Routes

A route defines the rules that indicate where auditing events that are generated in the account are routed.

  • Routes are global under an account and are evaluated in all regions where Activity Tracker Event Routing is deployed.

  • Routes may be managed from any regional IBM Cloud® Activity Tracker Event Routing API endpoint.

  • You can define up to 30 routes for an account.

  • By default, the account has 0 routes configured.

  • You can configure up to 10 rules for each route. A routing rule indicates the locations and associated targets where auditing events are routed.

  • You can configure up to 8 locations for each rule.

  • You can configure up to 3 targets (target_ids) for each rule.

  • Routes are processed independently. If you have multiple routes with rules that match the same event, that event will be sent to multiple targets.

  • Rules are processed in order. The first rule that an event matches (for example, by location) is used to process the event. Once an event has been processed, it is not processed by a subsequent rule within that route's definition. To specify a default rule for all events that were not processed by other rules, specify the rule ("locations" : ["*"]) as the final rule in the rules definition for the route.

  • If an event doesn't match any rule and no default target is configured, the event will be dropped and not routed to any target.

  • Any update to a rules configuration must include all location rules. An update will discard the existing rule set and replace it with the specified configuration.

  • You can manage routes in your account by using the Activity Tracker Event Routing CLI, and programmatically by using the Activity Tracker Event Routing REST API and Terraform scripts.

  • To manage routes, you need IAM permissions. For more information, see Activity Tracker Event Routing actions.
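
The evaluation order described in this list, modelled locally so you can check a planned configuration for locations whose audit events would be dropped. This is an added example, not IBM's code: the route names, target ids and the location list are constructed, and it assumes default targets receive an event only when no rule in any route matched it.

```python
# Added example: local model of the routing rules described above (not IBM code).
LIMITS = {"routes": 30, "rules": 10, "locations": 8, "target_ids": 3}

def validate(routes, default_targets):
    """Return documented-limit violations; an empty list means none."""
    problems = []
    if len(routes) > LIMITS["routes"]:
        problems.append("more than 30 routes")
    if len(default_targets) > 2:
        problems.append("more than 2 default targets")
    for route in routes:
        if len(route["rules"]) > LIMITS["rules"]:
            problems.append(f"{route['name']}: more than 10 rules")
        for i, rule in enumerate(route["rules"]):
            for key in ("locations", "target_ids"):
                if len(rule[key]) > LIMITS[key]:
                    problems.append(f"{route['name']} rule {i}: too many {key}")
    return problems

def resolve(routes, default_targets, location):
    """Return the set of target ids that receive an event from `location`."""
    targets, matched = set(), False
    for route in routes:                    # routes are processed independently
        for rule in route["rules"]:         # rules are processed in order
            if location in rule["locations"] or "*" in rule["locations"]:
                targets.update(rule["target_ids"])
                matched = True
                break                       # first match ends this route
    if not matched:                         # assumption: defaults apply only
        targets.update(default_targets)     # when no route matched at all
    return targets

def dropped_locations(routes, default_targets, locations):
    """Locations whose events reach no target, i.e. would be dropped."""
    return sorted(l for l in locations if not resolve(routes, default_targets, l))

# Constructed sample configuration; route names and target ids are made up.
ROUTES = [
    {"name": "prod", "rules": [
        {"locations": ["us-south"], "target_ids": ["cos-us"]},
        {"locations": ["us-south", "eu-de"], "target_ids": ["cos-eu"]},
    ]},
    {"name": "soc", "rules": [
        {"locations": ["global", "us-south"], "target_ids": ["es-siem"]},
    ]},
]

if __name__ == "__main__":
    for loc in ("us-south", "eu-de", "us-east"):
        print(loc, sorted(resolve(ROUTES, [], loc)) or "DROPPED")
```

In the sample, us-south never reaches cos-eu because the first rule of the prod route already matched it, while the independent soc route still delivers a copy to es-siem.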

Collecting auditing events

To collect auditing events in your IBM Cloud account, you can configure Activity Tracker Event Routing by using the Activity Tracker Event Routing API, the Activity Tracker Event Routing CLI and Terraform scripts.

For more information, see Collecting events.