Learning about IBM Cloud Logs architecture and workload isolation

Review the following sample architecture for IBM Cloud Logs, and learn more about different isolation levels so that you can choose the solution that best meets the requirements of the workloads that you want to run in the cloud.

IBM Cloud Logs architecture

IBM Cloud Logs is a multi-tenant, regional service that is available in IBM Cloud. With IBM Cloud Logs, you can analyze, process, store, and query your logs. See List of supported locations.

[Figure: IBM Cloud Logs sample architecture]

The following sections provide details about specific sections of the architecture.

Front end

Front end components communicate outside of IBM Cloud Logs.

  • Ingestion: Audit events, platform logs, and application logs sent to the ingress endpoint of IBM Cloud Logs are forwarded to back end components, where they are processed and stored. For more information, see Ingress endpoints.
  • Web UI: Launch the IBM Cloud Logs dashboard in your browser to view, monitor, and manage logs. The web UI component uses back end components to implement the dashboard. For more information, see Navigating to the UI.
  • API: The IBM Cloud Terraform provider and the IBM Cloud Logs CLI plug-in use the IBM Cloud Logs API to configure the service instance and to query logs. The API component uses back end components to perform the requested actions. For more information, see API endpoints.

Back end

Back end components operate within IBM Cloud Logs.

  • Management: Management components are responsible for configuring the IBM Cloud Logs service instance. This includes features such as TCO policies, parsing rules, alerts, dashboards, and so on.
  • Priority insights, Analyze and alert, Store and search: The central data processing pipeline of the IBM Cloud Logs service implements features such as log parsing, storing and searching logs in Object Storage buckets, transforming logs to metrics, alerting on logs, storing and searching priority logs, and so on.

Storage

Storage components store data used by IBM Cloud Logs.

  • Configuration: Stores IBM Cloud Logs service instance configuration settings.
  • Priority logs: Stores logs sent to an IBM Cloud Logs service instance. Logs are indexed for fast query and removed after the chosen retention period has been exceeded.
  • Service data: Stores data to implement the IBM Cloud Logs service. This data includes metadata such as log templates or caches to improve performance.

Integration with other IBM Cloud services

IBM Cloud Logs integrates with other IBM Cloud services that process, store, or control your data. IBM Cloud Logs accesses these services through the IBM Cloud public or private network.

IBM Cloud Logs integration with other IBM Cloud services (service name and description):

  • IBM Cloud Activity Tracker Event Routing: You can use IBM Cloud Logs as a target for audit events. For more information, see Managing targets in IBM Cloud Activity Tracker Event Routing.
  • IBM Cloud Logs Routing: You can use IBM Cloud Logs as a target for platform and application logs. For more information, see Creating an IBM Cloud Logs tenant in IBM Cloud Logs Routing. You can use the Logging agent to collect and forward application logs to IBM Cloud Logs.
  • IBM Cloud Object Storage: IBM Cloud Logs uses Object Storage buckets, owned by you, for long term storage and search of logs and log metrics. You need to attach the Object Storage buckets to your IBM Cloud Logs service instance. For more information, see Configuring buckets for long term storage and search.
  • IBM® Event Streams for IBM Cloud®: You can send logs from IBM Cloud Logs to an IBM® Event Streams for IBM Cloud® topic.
  • IBM Cloud Event Notifications: You can use IBM Cloud Event Notifications to notify your operators or other systems about IBM Cloud Logs alerts. For more information, see Configuring an outbound integration for IBM Cloud Logs.
  • IBM Cloud® Identity and Access Management: To authenticate requests to the service and authorize user actions, IBM Cloud Logs implements platform and service access roles in Cloud Identity and Access Management (IAM). For more information about required IAM permissions to work with the service, see Managing access for IBM Cloud Logs. IBM Cloud Logs accesses IAM through the IBM Cloud public network.

Workload isolation

Each regional deployment serves multiple tenants that are identified by the IBM Cloud Logs service instance GUID.

  • Each region has a single deployment that implements the IBM Cloud Logs control and data planes, which are shared by all service instances.
  • All data, including logs, configuration, and service data, is processed and stored per region and is not visible in other regions.
  • All service instances share the same network, compute, memory, and storage resources in the control and data planes of the service.
  • All data in transit, as well as data at rest, in control and data planes is encrypted using keys provided and managed by IBM.
  • All communication within control and data planes is performed on the IBM Cloud private network.
  • You can use the following approaches to access the ingestion and the API endpoints:
    • Public endpoint: Access through the IBM Cloud public network.
    • Cloud Service Endpoint (CSE): Access through the IBM Cloud private network and endpoints shared with all service instances in the region.
    • Virtual Private Endpoint (VPE): Access through the IBM Cloud private network and endpoints dedicated to the service instance.
  • You can access the web UI endpoint through the IBM Cloud public network.
  • All data processed in the IBM Cloud Logs service is associated with the service instance. Stored data is segmented by service instance.
  • IBM Cloud Logs enforces all applicable IAM access and authorization policies on all requested operations related to a service instance. Audit events are created.
  • IBM Cloud Logs integrates with other IBM Cloud services. When processing data with these services, the workload isolation characteristics of these services apply.