IBM Cloud Docs
Configuring an Event Streams target


You can define an Event Streams topic as an IBM Cloud Activity Tracker Event Routing target to send auditing events to other corporate tools such as Security Information and Event Management (SIEM) tools.

Scenarios

When you route data to data lakes, other analysis tools, or other SIEM tools, you can add capabilities to the ones provided by Activity Tracker Event Routing:

  • You can gain visibility into enterprise data across on-premises and cloud-based environments.
  • You can identify and prioritize security threats that might affect your organization.
  • You can detect vulnerabilities by using Artificial Intelligence (AI) to investigate threats and incidents.

Prerequisites

  • Learn about Activity Tracker Event Routing. For more information, see About.

  • Install the IBM Cloud CLI. For more information, see Installing the IBM Cloud CLI.

  • Install the latest Activity Tracker Event Routing CLI V2 plugin in your local system. See Installing the Activity Tracker Event Routing CLI.

  • You need a user ID that is a member or an owner of an IBM Cloud account. To get an IBM Cloud user ID, go to: Create an account.

  • Every user that manages the Activity Tracker Event Routing configuration in your account must be assigned an access policy. The policy determines what actions the user can perform. The allowable actions are customized and defined by Activity Tracker Event Routing as operations that are allowed to be performed on the service. The actions are then mapped to IAM user roles. Learn more.

    Your user ID needs administrator platform permissions to manage the IBM Cloud Activity Tracker Event Routing service. Contact the account owner. The account owner can grant another user access to the account for the purposes of managing user access, and managing account resources. Learn more.

Configure an Event Streams topic

Auditing events that are collected in your account can be routed to an Event Streams topic.

When you configure Activity Tracker Event Routing, you can define a target per region. The target defines the Event Streams instance and topic where auditing events in that region are routed.

Complete the following steps:

  1. Log in to your IBM Cloud account.

  2. Create an Event Streams instance.

    Check the limitations of the Event Streams service plans. For more information, see Limits and quotas.

    a. Access the Event Streams service in the Catalog.

    b. Select the plan on the service instance page.

    c. Enter a name for your service. You can use the default value.

    d. Click Create. The Event Streams Getting started page opens.

  3. Select Topics.

  4. Click Create a topic.


  5. Enter a topic name and click Next.


  6. Enter the number of partitions and click Next.

    One or more partitions make up a topic. A partition is an ordered list of messages. Partitions are distributed across the brokers in order to increase the scalability of your topic. You can also use them to distribute messages across the members of a consumer group.


  7. Select a Message retention and click Create Topic.

    Message retention defines how long messages are retained before they are deleted. If your messages are not read by a consumer within this time, they will be missed.

Create credentials to authenticate with Event Streams

You need the following information to connect Activity Tracker Event Routing to the Event Streams instance:

  • Endpoint URLs to call the APIs
  • Credentials for authentication

Complete the following steps to create service credentials that Activity Tracker Event Routing needs to communicate with the Event Streams instance:

  1. In the IBM Cloud, click the Menu icon > Resource list.

  2. Look for the Event Streams instance that you plan to use, and select it.

  3. In the Event Streams console, click Service credentials.

  4. Select New credential.

  5. Enter a name and select the writer role.


  6. Click Add.

To restrict access to 1 topic, complete the following steps:

You must define 2 policies, 1 for the resource type topic, and 1 for the resource type cluster. For more information, see Managing access to your Event Streams resources.

  1. Modify the policy for the Event Streams service to restrict access to the topic.

    1. From the menu bar, click Manage > Access (IAM), and select Service IDs.

    2. Select the service ID.

    3. In the Access policies section, select the policy and modify it to specify the topic.

      For example, in the following image the topic ID is demo-streaming.

      [Image: Edit policy]

      [Image: Select role]

  2. Add an access policy for the Event Streams service with resource type set to cluster.

    1. From the menu bar, click Manage > Access (IAM), and select Service IDs.

    2. Select the service ID.

    3. In the Access policies section, select Assign access.

    4. Add a policy for the Event Streams service, resource type cluster with reader permissions.


You can get the credentials by using the IBM Cloud CLI. Make note of the API key and broker URL values.
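
A check for the two-policy layout described above, as an added example that is not part of the IBM documentation: it audits the access policies attached to the service ID and reports anything other than Writer on the one topic and Reader on resource type cluster. The policy layout (role_id CRNs, name/value resource attributes) is an assumption modelled on IAM policy JSON, and the helper names and sample policies are constructed.

```python
def make_policy(role, **attributes):
    """Build one constructed policy in the assumed IAM JSON layout."""
    attributes["serviceName"] = "messagehub"
    return {
        "roles": [{"role_id": f"crn:v1:bluemix:public:iam::::serviceRole:{role}"}],
        "resources": [{"attributes": [{"name": k, "value": v}
                                      for k, v in attributes.items()]}],
    }

def flatten(policy):
    """Return (role names, resource attributes) for one policy."""
    roles = {r["role_id"].rsplit(":", 1)[-1] for r in policy.get("roles", [])}
    attrs = {a["name"]: a["value"] for res in policy.get("resources", [])
             for a in res.get("attributes", [])}
    return roles, attrs

def audit_policies(policies, topic):
    """List deviations from the layout: Writer on one topic, Reader on cluster."""
    findings, seen = [], set()
    for policy in policies:
        roles, attrs = flatten(policy)
        if attrs.get("serviceName") != "messagehub":
            continue  # not an Event Streams policy
        rtype, names = attrs.get("resourceType"), sorted(roles)
        if rtype == "topic" and attrs.get("resource") == topic and roles == {"Writer"}:
            seen.add("topic")
        elif rtype == "cluster" and roles == {"Reader"}:
            seen.add("cluster")
        elif rtype == "topic":
            findings.append(f"topic policy on {attrs.get('resource')!r} with roles {names}")
        elif rtype == "cluster":
            findings.append(f"cluster policy with roles {names}, expected Reader only")
        else:
            findings.append(f"policy not scoped to topic or cluster, roles {names}")
    if "topic" not in seen:
        findings.append(f"no Writer policy scoped to topic {topic!r}")
    if "cluster" not in seen:
        findings.append("no Reader policy on resource type cluster")
    return findings

# Constructed samples: a writer policy with no topic scope, then the restricted layout.
UNRESTRICTED = [make_policy("Writer")]
RESTRICTED = [make_policy("Writer", resourceType="topic", resource="demo-streaming"),
              make_policy("Reader", resourceType="cluster")]

if __name__ == "__main__":
    for name, sample in (("unrestricted", UNRESTRICTED), ("restricted", RESTRICTED)):
        print(name, audit_policies(sample, "demo-streaming"))
```

An empty list means the service ID holds exactly the two policies the procedure calls for; compare the field names against the policy output of your own account before relying on the result.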

Configure service-to-service authorization

Configure service-to-service authorization to your Event Streams topic so you do not need to pass an API key when writing your encrypted data to the Event Streams topic.

The following steps show how to define service-to-service authorization when the Event Streams topic is available in a different account from where auditing events are generated:

You must complete these steps in the account where the Event Streams topic is available.

  1. Log in to your IBM Cloud account as the account owner that will be configuring IBM Cloud Activity Tracker Event Routing targets.

    After you log in with your user ID and password, the IBM Cloud dashboard opens.

  2. Click Manage > Access (IAM). Manage access and users is displayed.

  3. Click Authorizations.

  4. Click Create.

  5. Select the Source account. Choose Other account. Then, enter the account ID for the source service. An account ID is a 32-character, unique account identifier.

  6. For Source service select Activity Tracker Event Routing and for How do you want to scope the access? select All resources.

  7. For Target service select Message Hub and for How do you want to scope the access? select Resources based on selected attributes.

  8. Select Service instance and string equals the name of your Event Streams instance.

  9. For Service access select Writer.

  10. Click Authorize. Your new service-to-service authorization will be listed in the Manage authorizations view.

Alternatively, you can create the service-to-service policy by running the following command:

ibmcloud iam authorization-policy-create atracker messagehub Writer --source-service-account sourceAccountID

Create a target

To create a target, run the following command:

ibmcloud atracker target create --name <TARGET_NAME> --type event-streams --endpoint <EVENT_STREAMS_ENDPOINT> --target-crn <EVENT_STREAMS_TARGET_CRN> --topic <TOPIC> --region <REGION>

Where

  --region <REGION>
    Name of the region that will process the events, for example, us-south or eu-gb. If not specified, the region logged into, or targeted, will be used.

  --name <TARGET_NAME>
    The name to be given to the target.

  --endpoint <EVENT_STREAMS_ENDPOINT>
    The Event Streams endpoint to be associated with the topic.

  --topic <TOPIC>
    The name of the Event Streams topic to be associated with the target.

  --api-key <EVENTSTREAMS_API_KEY> | @EVENTSTREAMS_API_KEY_FILE
    The password value found in the Event Streams service credential. This is the IAM API key.

  --target-crn <EVENT_STREAMS_TARGET_CRN>
    The CRN of the Event Streams instance.

  --service-to-service-enabled <true/false>
    Determines if IBM Cloud Activity Tracker Event Routing has service-to-service authentication enabled. Set this flag to true if service-to-service is enabled, and do not supply an API key.

For example, to create a target in the US-South region, you can run the following command:

ibmcloud atracker target create --name  "My target" --type event-streams --target-crn "crn:v1:bluemix:public:messagehub:eu-de:a/11111111111111111111111111111111:22222222-2222-2222-2222-222222222222::" --brokers "broker-1:9093,broker-2:9093" --topic "topic-name" --api-key xxxxx

To see the target definition in a region, see Getting information about a target using the CLI.

When your target is created, the target ID is returned. Make note of the target ID. You will need the target ID to configure a rule that routes events to the target in the account.

Next

Define 1 or more routes in the account. For more information, see Configuring a route.

When you configure a route, you associate a target with a route and define which type of auditing events are routed. The route defines the rules that determine where auditing events are routed in your account. For example, you can define a route that routes auditing events from 2 different regions, and also routes global events.

You can collect global events and location-based events.

  • Global events report on activity in your account that relate to data and resources that are generally synchronized across all regions.
  • Location-based events report on activity in your account that is generated by IBM Cloud services that are hosted within an IBM data center location, such as US-South or US-East.