Migrating IBM Cloud Activity Tracker instances into a single IBM Cloud Logs instance to centralize auditing events
You can use the migration tool to help you migrate IBM Cloud Activity Tracker instances into a single IBM Cloud Logs instance.
The following image shows a high-level view of the account after IBM Cloud Activity Tracker instances from multiple regions in the account are migrated into 1 instance of IBM Cloud Logs.
Scenario
- IBM Cloud Activity Tracker Event Routing is not configured in the account.
- You have IBM Cloud Activity Tracker instances provisioned in multiple locations.
- You must migrate your IBM Cloud Activity Tracker instances into 1 IBM Cloud Logs instance.
- You have a requirement to centralize activity tracking events that are generated in the account.
Before you begin
- Learn about migration. For more information, see Migrating IBM Cloud Logs.
- Learn about the migration tool. For more information, see Migrating tool.
- Check the locations where IBM Cloud Logs is available. You can only provision IBM Cloud Logs instances in supported locations. For more information, see Locations.
Migration steps
Complete the following steps to migrate IBM Cloud Activity Tracker instances in the account:
- Run the migration tool to collect information about what instances need to be migrated and their resources.
  ibmcloud logging migrate generate-terraform --scope account --service logdnaat
  When you run this command, you get information in the tmp directory about the resources that you currently have configured. You also get Terraform scripts to recreate these resources in IBM Cloud Logs in the cl directory.
- Manually configure a route in IBM Cloud Activity Tracker Event Routing that routes events to your current IBM Cloud Activity Tracker instances.
  Before you configure IBM Cloud Activity Tracker Event Routing to route activity tracking events to your IBM Cloud Logs instance, you must configure a target for each IBM Cloud Activity Tracker instance and a route with rules that send the events generated in each region to the IBM Cloud Activity Tracker instance in that same region. Until you have validated the new architecture, you must continue managing the account through the deprecated services. If you fail to configure this route, activity tracking events will stop being routed to your current IBM Cloud Activity Tracker instances.
  Define rules in the route as follows:
  - For eu-de, the rule routes events generated in the eu-de region and global events to the IBM Cloud Logs instance created in the eu-de region.
  - For other supported regions, the rule routes events from that region only to the IBM Cloud Logs instance created in that region. For example, for eu-es, the rule routes events generated in the eu-es region to the IBM Cloud Logs instance created in the eu-es region.
  The migration tool cannot automatically create this route because it requires an ingestion key that you must get and configure. For more information on how to configure the targets and routes, see Getting started with IBM Cloud Activity Tracker Event Routing.
- Run the migration tool to create the IBM Cloud Logs instance, data bucket, metrics bucket, and configure IBM Cloud Activity Tracker Event Routing in the account.
  Run the following command to generate Terraform scripts:
  ibmcloud logging migrate create-resources --scope atracker --terraform --single --instance-name INSTANCE_NAME --data-bucket-name DATA_BUCKET_NAME --metrics-bucket-name METRICS_BUCKET_NAME --region REGION --instance-resource-group-id RESOURCE_GROUP_ID --cos-instance-crn COS_INSTANCE_CRN [--cos-kms-key-crn KEY_CRN]
  Run the following command to generate Terraform scripts:
  ibmcloud logging migrate create-resources --scope atracker --terraform --single --instance-name INSTANCE_NAME --data-bucket-name DATA_BUCKET_NAME --metrics-bucket-name METRICS_BUCKET_NAME --region REGION --instance-resource-group-id RESOURCE_GROUP_ID --cos-instance-crn COS_INSTANCE_CRN [--cos-kms-key-crn KEY_CRN] -f
  Run the following command to automatically create the instance by using the API:
  ibmcloud logging migrate create-resources --scope atracker --api --single --instance-name INSTANCE_NAME --data-bucket-name DATA_BUCKET_NAME --metrics-bucket-name METRICS_BUCKET_NAME --instance-region REGION --instance-resource-group-id RESOURCE_GROUP_ID --cos-instance-crn COS_INSTANCE_CRN [--cos-kms-key-crn KEY_CRN]
  - The migration tool creates the IBM Cloud Logs instance and buckets for data and metrics.
  - The migration tool creates the service to service authorizations between IBM Cloud Logs and IBM Cloud Activity Tracker Event Routing, and IBM Cloud Logs and IBM Cloud Object Storage.
  - The migration tool creates an IBM Cloud Activity Tracker Event Routing target with information about the IBM Cloud Logs instance using the endpoint that is specified by the region parameter.
  - The migration tool adds a new route with a wildcard rule to route all events, including global ones, to the IBM Cloud Logs instance.
- If you have alerts configured in your IBM Cloud Activity Tracker instances, you must define an outbound integration to the IBM Cloud Event Notifications service in your IBM Cloud Logs instance. In addition, you might need to provision an instance of the IBM Cloud Event Notifications service, and do some manual tasks to enable notification channels that might, for example, require credentials.
  In IBM Cloud Logs, alerts are triggered through the IBM Cloud Event Notifications service. If you do not currently use the IBM Cloud Event Notifications service, and have alerts configured in your IBM Cloud Activity Tracker instances, you must provision an instance of the IBM Cloud Event Notifications service for alerting. For more information, see Enabling event notifications for IBM Cloud Logs.
  You must manually configure notification channels such as email and PagerDuty. For example, every user that is configured to receive an email notification when an alert is triggered first receives an email that asks them to accept; they get the email notifications that the alert generates only after they accept.
  Sysdig alerts are not migrated. You can use the Incidents page to see which alerts have been triggered. You can use the IBM Cloud Event Notifications service to configure other notification channels.
  You must manually configure the Slack URL and the webhook header apikey when you configure Slack notification channels or webhooks to other applications.
  The migration tool provides Terraform scripts that you can customize to configure the IBM Cloud Event Notifications service.
- Migrate IAM permissions. For more information, see Migrating IAM permissions.
- Validate that the new configuration is working for your requirements.
- After you validate that your migrated configuration is as required, delete your IBM Cloud Activity Tracker instances.
  Before you delete your IBM Cloud Activity Tracker instances, check that the events that are generated by IBM Cloud services that you use are managed through IBM Cloud Activity Tracker Event Routing. For more information, see IBM Cloud services that generate events that are managed through IBM Cloud Activity Tracker Event Routing.
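
One way to support the validation step is to check that the per-region rules from the manual route and the wildcard rule added by the migration tool together deliver every location's events, including global ones, to the targets you expect. The following is an added example, not code from IBM or the migration tool; the rule layout (dictionaries with locations and target_ids, and "*" as the wildcard), the target names, and the us-south gap are assumptions constructed for illustration.

```python
# Added example, not IBM's code: checks that a set of Activity Tracker Event
# Routing rules delivers every location's events to the targets you expect.
# Rule layout, target names and locations are constructed for illustration.

WILDCARD = "*"

def delivered_targets(routes, location):
    """Return the set of target IDs that receive events from `location`."""
    targets = set()
    for route in routes:
        for rule in route["rules"]:
            if WILDCARD in rule["locations"] or location in rule["locations"]:
                targets.update(rule["target_ids"])
    return targets

def coverage_gaps(routes, required):
    """Return {location: missing target IDs} for every location with a gap."""
    gaps = {}
    for location, wanted in required.items():
        missing = set(wanted) - delivered_targets(routes, location)
        if missing:
            gaps[location] = sorted(missing)
    return gaps

# Manual route: one rule per region; the eu-de rule also takes global events.
REGIONAL_ROUTE = {"name": "regional", "rules": [
    {"locations": ["eu-de", "global"], "target_ids": ["regional-eu-de"]},
    {"locations": ["eu-es"], "target_ids": ["regional-eu-es"]},
]}
# Route with the wildcard rule that the migration tool adds.
WILDCARD_ROUTE = {"name": "central", "rules": [
    {"locations": [WILDCARD], "target_ids": ["central-logs"]},
]}
# During validation each location must reach both its regional target and
# the central IBM Cloud Logs target. us-south has no regional rule here,
# so the check reports it.
REQUIRED = {
    "eu-de": ["regional-eu-de", "central-logs"],
    "global": ["regional-eu-de", "central-logs"],
    "eu-es": ["regional-eu-es", "central-logs"],
    "us-south": ["regional-us-south", "central-logs"],
}

if __name__ == "__main__":
    found = coverage_gaps([REGIONAL_ROUTE, WILDCARD_ROUTE], REQUIRED)
    for loc, missing in found.items():
        print(f"{loc}: events do not reach {', '.join(missing)}")
```

Run the same check with only the wildcard route and only the central target required before you delete the old instances, to confirm that no location depends on a regional rule.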