IBM Cloud Docs
Getting started with IBM Cloud Activity Tracker Event Routing

Use IBM Cloud® Activity Tracker Event Routing to configure how to route auditing events, both global and location-based event data, in your IBM Cloud. Auditing events are critical data for security operations and a key element for meeting compliance requirements. Control of the storage location is critical to building enterprise-grade solutions on the IBM Cloud.

You can use Activity Tracker Event Routing, a platform service, to manage auditing events at the account level by configuring targets and routes that define where auditing data is routed. Activity Tracker Event Routing can only route events that are generated in supported regions. Other regions, where Activity Tracker Event Routing is not available, continue to manage events by using IBM Cloud Activity Tracker hosted event search. For more information about IBM Cloud Activity Tracker Event Routing, see About Activity Tracker Event Routing.

Prerequisites

Step 1. Configure the account global settings

When you configure Activity Tracker Event Routing in your account, you can configure account settings such as the metadata location, the type of endpoints allowed to manage the configuration, the locations where targets can be defined, and the default targets for collecting auditing events in regions that you have not explicitly configured. For more information, see Configuring Activity Tracker Event Routing account settings.

Set these settings to define where and how auditing events are collected, routed, and managed in your account. For example, to configure the primary metadata location that defines the region where all your Activity Tracker Event Routing resource definitions are stored, run the following command:

ibmcloud atracker setting update --metadata-region-primary <REGION>

Where <REGION> is any of the supported locations where Activity Tracker Event Routing is available.

When you set the metadata location, check any compliance or industry regulations that apply to data location.

Step 2. Configure 1 target

A target defines where auditing events are collected. For more information about targets, see Understanding how targets work in your account.

Choose 1 of the following options to configure a target in your account:

The rest of the instructions assume that you configure a cloud-object-storage target.

Step 3. Configure 1 route

A route defines the rules that indicate where auditing events that are generated in an account are routed. Routes are global under an account and are evaluated in all regions where Activity Tracker Event Routing is deployed. For more information, see Understanding how routes work in your account.

In this step, you will configure a route to redirect regional and global events to a target bucket.

Run the following command to create the route:

ibmcloud atracker route create --name <ROUTE_NAME> --rules <ROUTING_RULES>

Where

--name <ROUTE_NAME>

The name to be given to the route.

--rules <ROUTING_RULES>

A JSON formatted rule definition enclosed in single quotes. For example:

--rules '[{"locations":["global"],"target_ids":["11111111-1111-1111-1111-111111111111"]},{"locations":["us-south","us-east"],"target_ids":["22222222-2222-2222-2222-222222222222","33333333-3333-3333-3333-333333333333"]}]'

After you configure a route, it might take up to 1 hour for the configuration to be enabled.

For example, to create a route to send auditing events to a target that you created in the previous step, run the following command.

ibmcloud atracker route create --name "my-route" --rules '[{"locations":["global","eu-de"],"target_ids":["TARGETID"]}]'

Where TARGETID is the ID of the target that you created in the previous step.

Step 4. Verify collection of events

After the target and the route are configured, you must verify that auditing events are available in your bucket.

For example, auditing events are stored in log files in the bucket.

Log files are structured and named as follows:

<REGION>/<DATE>T<HOUR>/<FILENAME>.log

Where

  • <REGION> defines the region from where auditing events are collected. For example, valid values are us-south and us-east.
  • <DATE> defines the date when auditing events are collected. The format is YYYY-MM-DD.
  • <HOUR> defines the hour of the day. The value is set by using a 24-hour clock.
  • <FILENAME> defines a timestamp. The format is YYYY-MM-DDTHH:MM+SS.

Each log file includes auditing events that have an eventTime that maps to the filename timestamp. eventTime indicates when the auditing event was generated.

For example, a sample log file that collects auditing events in the US-South region looks as follows:

us-south/2021-02-23T15/2021-02-23T15:38+05.log
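
The following Python sketch is an added example, not part of the IBM documentation or tooling. It parses object keys in the layout described above and reports which regions named in a route's rules have no log file in the listing yet. The function names, the sample listing, and the check that the hour folder agrees with the file name timestamp (taken from the page's sample key) are assumptions; "global" is skipped because this page does not say which prefix global events use.

```python
import json
import re
from datetime import datetime

# Key layout from the page: <REGION>/<DATE>T<HOUR>/<FILENAME>.log,
# where <FILENAME> is a timestamp in the form YYYY-MM-DDTHH:MM+SS.
KEY_RE = re.compile(
    r"^(?P<region>[a-z0-9-]+)/(?P<prefix>\d{4}-\d{2}-\d{2}T\d{2})/"
    r"(?P<stamp>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}\+\d{2})\.log$"
)

def parse_key(key):
    """Return (region, datetime) for a well-formed log key, else None."""
    m = KEY_RE.match(key)
    if not m:
        return None
    try:
        ts = datetime.strptime(m["stamp"], "%Y-%m-%dT%H:%M+%S")
    except ValueError:  # out-of-range field, e.g. hour 25 or month 13
        return None
    # Assumption based on the page's sample key: the hour folder
    # matches the date and hour in the file name.
    if ts.strftime("%Y-%m-%dT%H") != m["prefix"]:
        return None
    return m["region"], ts

def coverage_gaps(rules_json, keys):
    """Regions named in the route rules that have no log object in keys."""
    routed = {loc for rule in json.loads(rules_json) for loc in rule["locations"]}
    routed.discard("global")  # assumption: prefix for global events is not given on this page
    seen = {parsed[0] for parsed in map(parse_key, keys) if parsed}
    return sorted(routed - seen)

# Rules string from the page's example; the listing below is constructed sample data.
RULES = '[{"locations":["global","eu-de"],"target_ids":["TARGETID"]}]'
KEYS = [
    "us-south/2021-02-23T15/2021-02-23T15:38+05.log",
    "eu-de/2021-02-23T16/2021-02-23T15:59+58.log",  # hour folder does not match file name
    "notes/readme.txt",                              # unrelated object
]

if __name__ == "__main__":
    for k in KEYS:
        print(k, "->", parse_key(k))
    print("routed regions without logs:", coverage_gaps(RULES, KEYS))
```

Because a route can take up to 1 hour to become active, a region reported here shortly after route creation is not necessarily misconfigured.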

You can choose any of the following methods to list objects in a bucket:

Next

Plan your account configuration. For more information, see Planning the account configuration.