Enabling IBM Cloud Event Notifications for IBM Cloud Logs

As an administrator of IBM Cloud Logs, you might want to send notifications of events in IBM Cloud Logs to other users, or human destinations, by using email, SMS, or other supported delivery channels. Additionally, you might want to send these event notifications to other applications, for example through webhooks, so that they can build event-driven logic on them. This is made possible by the integration between IBM Cloud Logs and IBM Cloud Event Notifications.

To send information to Event Notifications, you must connect your IBM Cloud Logs instance to Event Notifications. For more information about working with Event Notifications, see Getting started with Event Notifications.

How events are collected and sent by IBM Cloud Logs

When an event of interest takes place in your IBM Cloud Logs instance, IBM Cloud Logs communicates with a connected Event Notifications instance to forward a notification to a supported destination.

Events for IBM Cloud Logs

The following table lists the IBM Cloud Logs events.

Table 1. Actions that generate event notifications

| Event type | Description |
| --- | --- |
| com.ibm.cloud.logs.test_event | Test event |
| com.ibm.cloud.logs.StandardImmediateAlertEvent | Standard Immediate Alert |
| com.ibm.cloud.logs.StandardLessThanAlertEvent | Standard Less Than Alert |
| com.ibm.cloud.logs.StandardMoreThanAlertEvent | Standard More Than Alert |
| com.ibm.cloud.logs.StandardMoreThanUsualAlertEvent | Standard More Than Usual Alert |
| com.ibm.cloud.logs.RatioLessThanAlertEvent | Ratio Less Than Alert |
| com.ibm.cloud.logs.RatioMoreThanAlertEvent | Ratio More Than Alert |
| com.ibm.cloud.logs.NewValueAlertEvent | New Value Alert |
| com.ibm.cloud.logs.UniqueCountAlertEvent | Unique Count Alert |
| com.ibm.cloud.logs.TimeRelativeLessThanAlertEvent | Time Relative Less Than Alert |
| com.ibm.cloud.logs.TimeRelativeMoreThanAlertEvent | Time Relative More Than Alert |
| com.ibm.cloud.logs.MetricLessThanAlertEvent | Metric Less Than Alert |
| com.ibm.cloud.logs.MetricMoreThanAlertEvent | Metric More Than Alert |
| com.ibm.cloud.logs.MetricMoreThanUsualAlertEvent | Metric More Than Usual Alert |
| com.ibm.cloud.logs.TracingImmediateAlertEvent | Tracing Immediate Alert |
| com.ibm.cloud.logs.TracingMoreThanAlertEvent | Tracing More Than Alert |
| com.ibm.cloud.logs.FlowAlertEvent | Flow Alert |
| com.ibm.cloud.logs.FlowAnomaly | Flow Anomaly event |
| com.ibm.cloud.logs.SpikeAnomaly | Spike Anomaly event |
| com.ibm.cloud.logs.DailyReport | Daily Report event |
| com.ibm.cloud.logs.DataUsage | Data Usage event |

The following table lists the IBM Cloud Logs subtypes per event type related to alerts:

Table 2. Subtypes for actions that generate event notifications

| Subtype | Description |
| --- | --- |
| AlertTriggered | The alert is triggered. |
| AlertResolved | The alert is resolved. |

Enabling notifications

Events that are generated by an instance of the IBM Cloud Logs service can be forwarded to an Event Notifications service instance that is available in the same account. You can connect only one IBM Cloud Logs instance to one Event Notifications service instance.

Connecting to Event Notifications in the console

Before you can enable notifications for IBM Cloud Logs, be sure that you have an Event Notifications service instance that is in the same account as your IBM Cloud Logs instance. Then, you can use the Data Flow > Outbound integrations section in the IBM Cloud Logs UI to connect the services.

  1. In the console, click the Navigation Menu icon > Resource list.

  2. Select your instance of IBM Cloud Logs.

  3. In the IBM Cloud Logs navigation, click the Integrations icon > Outbound integrations.

  4. In the outbound integrations section, find Event Notifications and click Add.

  5. On the Integrations page, click Add.

  6. Select the Event Notifications service instance that you want to connect.

    If an IAM authorization between IBM Cloud Logs and Event Notifications doesn't exist in your account, a dialog is displayed. Follow the prompts to grant access between the services.

    1. To grant access between IBM Cloud Logs and Event Notifications, click Authorize.
    2. Select Event Notifications as the target service.
    3. From the list of instances, select the Event Notifications service instance that you want to authorize.
    4. Select the Event Source Manager role.
    5. Click Review.
    6. Click Assign.
  7. To confirm the connection, click Save.

Sending a test event to Event Notifications in the UI

After you enable notifications for IBM Cloud Logs, test your connection to ensure that the events that are generated by IBM Cloud Logs are being forwarded to Event Notifications.

Figure 1. Sending a test event to Event Notifications

Delivering notifications to select destinations

After you enable notifications for IBM Cloud Logs, create topics and subscriptions in Event Notifications so that alerts can be forwarded and delivered to your selected destinations.

For a complete list of supported destinations, see the Event Notifications documentation.

Email notifications

You can use the IBM Cloud email service as a delivery channel for IBM Cloud Logs event notifications. Create an Event Notifications subscription between an existing topic and the IBM Cloud email service to forward your alerts to various recipients by email.

To receive detailed information about an event notification in your email, select the Add notification payload option when you create an Event Notifications subscription. Your email displays the notification payload details that are associated with the event.

Webhooks

You can configure a webhook destination so that an incoming notification can be consumed programmatically by an app or service. For more information about setting up webhooks, check out the Event Notifications documentation.

Notification payload details

Successful events that are generated by IBM Cloud Logs contain various fields that help you to identify the source and details of an event.

Event notifications from IBM Cloud Logs contain only metadata properties, such as names or identifiers of resources. Sensitive data, for example API keys or passwords, are not included in generated events.

The properties that are sent to Event Notifications vary depending on the event type and subtype. For example, if a StandardMoreThanAlertEvent:AlertTriggered event takes place in an instance for one or more public_cert secrets, IBM Cloud Logs sends a notification payload to Event Notifications that is similar to the following example.

{
   "data": {
      "alert_definition": {
         "alert_type": "StandardMoreThanAlertEvent",
         "condition": {
            "MoreThan": {
               "condition_threshold": 0,
               "condition_timeframe": 0
            }
         },
         "description": "",
         "id": "<alert_id>",
         "name": "<alert_name>",
         "query_statement": "_exists_:level",
         "severity": "ERROR"
      },
      "latest_event_timestamp": 0,
      "links": {
         "edit_alert": "https://dashboard.cxdev.eu-gb.logs.dev.appdomain.cloud/<instance_id>/#/alerts/<alert_id>",
         "view_alert": "https://dashboard.cxdev.eu-gb.logs.dev.appdomain.cloud/<instance_id>/#/insights?id=c9fe7539-e901-4745-b3ad-29ca0ae987a0"
      },
      "status": "triggered"
   },
   "datacontenttype": "application/json",
   "ibmendefaultlong": "Triggered: 2024-01-01T00:00:00Z",
   "ibmendefaultshort": "ERROR - new_groupBy",
   "ibmensourceid": "crn:v1:staging:public:logs:<region>:a/<account_id>:<instance_id>::",
   "id": "997355d5-4542-47fd-9868-84cf5df71e1b_c9fe7539-e901-4745-b3ad-29ca0ae987a0",
   "notification_id": "923873c0-2b42-4d4c-a9a0-c69339b16717",
   "source": "crn:v1:staging:public:logs:<region>:a/<account_id>:<instance_id>::",
   "time": "2024-01-01T00:00:00.000000Z",
   "type": "com.ibm.cloud.logs.<event_type>:<event_subtype>"
}

Review the following table for more information about event notification properties.

Table 3. Properties in an event notification payload

Property: Description

alert_definition:
  • alert_type: The type of alert that triggered a notification.
  • condition: The alert configuration that determines when the alert can be triggered.
  • description: The description of the alert.
  • id: The ID of the given alert.
  • name: The name of the given alert.
  • query_statement: The search query of the given alert.
  • severity: The severity level of the given alert.
latest_event_timestamp: The date and time the event was generated.
links:
  • edit_alert: Link to the page to modify configurations of the alert.
  • view_alert: Link to the page to check alert details.
status: The status of the given alert.
ibmensourceid: The Cloud Resource Name (CRN) that uniquely identifies your IBM Cloud Logs service instance.
id: The identifier provided by IBM Cloud Logs that identifies the event in IBM Cloud Logs.
notification_id: The identifier created by Event Notifications.
source: The Cloud Resource Name (CRN) that uniquely identifies your IBM Cloud Logs service instance.
type: The combination of the type of event that triggered a notification and the subtype that corresponds with that type of event.
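
The following Python example is added here and is not part of the IBM documentation: it shows how a webhook consumer can validate the payload fields described in Table 3 (source CRN, event type and subtype, event id) before it acts on an alert. The names `classify`, `trusted_sources` and `seen_ids`, the returned action names, the sample CRN and alert name, and the handling of non-alert events as informational are assumptions.

```python
import json

PREFIX = "com.ibm.cloud.logs."
# Alert event types from Table 1 (each ends in "AlertEvent"); subtypes from Table 2.
ALERT_EVENTS = {stem + "AlertEvent" for stem in (
    "StandardImmediate", "StandardLessThan", "StandardMoreThan",
    "StandardMoreThanUsual", "RatioLessThan", "RatioMoreThan", "NewValue",
    "UniqueCount", "TimeRelativeLessThan", "TimeRelativeMoreThan",
    "MetricLessThan", "MetricMoreThan", "MetricMoreThanUsual",
    "TracingImmediate", "TracingMoreThan", "Flow")}
OTHER_EVENTS = {"test_event", "FlowAnomaly", "SpikeAnomaly", "DailyReport", "DataUsage"}
SUBTYPES = {"AlertTriggered", "AlertResolved"}

# Constructed sample modelled on the payload above; CRN, id and alert name are placeholders.
SAMPLE_CRN = "crn:v1:bluemix:public:logs:eu-gb:a/ACCOUNT_ID:INSTANCE_ID::"
SAMPLE = json.dumps({
    "data": {"alert_definition": {"name": "login-errors", "severity": "ERROR"},
             "status": "triggered"},
    "ibmensourceid": SAMPLE_CRN, "source": SAMPLE_CRN, "id": "evt-0001",
    "type": PREFIX + "StandardMoreThanAlertEvent:AlertTriggered"})


def classify(raw, trusted_sources, seen_ids):
    """Return (action, detail) for one webhook body; malformed fields yield 'reject'."""
    try:
        msg = json.loads(raw)
    except (ValueError, TypeError):
        return ("reject", "not JSON")
    if not isinstance(msg, dict):
        return ("reject", "not an object")
    src, etype, eid = msg.get("source"), msg.get("type"), msg.get("id")
    # Table 3: source and ibmensourceid both carry the instance CRN.
    if not isinstance(src, str) or src not in trusted_sources \
            or msg.get("ibmensourceid") != src:
        return ("reject", "untrusted source")
    if not isinstance(etype, str) or not etype.startswith(PREFIX):
        return ("reject", "unknown type")
    name, _, subtype = etype[len(PREFIX):].partition(":")
    if name in OTHER_EVENTS:  # assumption: non-alert events are informational only
        return ("info", name)
    if name not in ALERT_EVENTS or subtype not in SUBTYPES:
        return ("reject", "unknown type")
    if not isinstance(eid, str):
        return ("reject", "missing id")
    if eid in seen_ids:  # a redelivered event must not trigger the action twice
        return ("duplicate", eid)
    seen_ids.add(eid)
    data = msg.get("data")
    alert = data.get("alert_definition") if isinstance(data, dict) else None
    alert = alert if isinstance(alert, dict) else {}
    action = "open" if subtype == "AlertTriggered" else "close"
    return (action, f"{alert.get('severity')}:{alert.get('name')}")
```

Keep `trusted_sources` limited to the CRNs of the IBM Cloud Logs instances you connected, so that a payload naming any other source is dropped before its fields are used.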