Configuring IBM Cloud Activity Tracker Event Routing in the account for an IBM Cloud Logs instance that was created without using the migration tool

Prereqs

Complete these steps before you begin:

1. Make sure you use an ID that has permissions for migrating your instance.

   See Required permissions for running the Migration tool.

   If you have the IAM permission to create policies and authorizations, you can grant only the level of access that you have as a user of the target service. For example, if you have viewer access for the target service, you can assign only the viewer role for the authorization. If you attempt to assign a higher permission such as administrator, it might appear that permission is granted, however, only the highest level permission you have for the target service, that is viewer, will be assigned.

   • IAM permissions to view Activity Tracker instances and resources

   • IAM permissions to read the DEK key name that is associated to a bucket if you have archiving configured on a bucket that has Key Protect enabled.

   • IAM permissions to manage the Activity Tracker Event Routing service

   • IAM permissions to create authorizations between services in the account

     • Activity Tracker Event Routing and Cloud Logs

     • Cloud Logs and Cloud Object Storage

     • Cloud Logs and IBM Cloud Event Notifications

     • Cloud Logs and IBM Cloud Event Streams

   • IAM permissions to create buckets

   • IAM permissions to configure sources, destinations, topics and subscriptions in IBM Cloud Event Notifications

2. If you plan to use terraform, generate an API key to use when you apply your Terraform scripts to create resources. Must have these permissions.

3. If you plan to use terraform, install the Terraform CLI. Complete the steps in Geting started with Terraform.

4. To send alerts to your destinations, you must provision an instance of the Event Notifications service in the account.

Provision a Cloud Logs instance

1. Provision a Cloud Logs instance.

2. Configure two IBM Cloud Object Storage buckets for your IBM Cloud Logs instance. One is used for logs, the other is used for metrics. For mroe information, see Creating buckets.

   Review the bucket restrictions.

3. Create a service to service (S2S) authorization between the Cloud Logs instance and the data bucket.

4. Create a service to service (S2S) authorization between the Cloud Logs instance and the metrics bucket.

5. Configure the buckets with your Cloud Logs instance. For more informations, see Configuring buckets.

Configure Activity Tracker Event Routing

Configure Activity Tracker Event Routing to continue receiving auditing events in the Activity Tracker instance and the new Cloud Logs instance. Then verify the Activity Tracker Event Routing configuration.

• Create 1 logdna target for each Activity Tracker instance in the account

• Create the routes with a rule that maps your current Activity Tracker instances location:

  For eu-de: Select eu-de and global events and as the target destination, choose the target you have configured for the eu-de region.

  For the rest of the supported regions, choose the same region. For example, for us-south events, choose the target you have configured for the us-south region.

  For Chennai, select in-che events, and choose the target you have configured for the in-che region.

• Define a service to service authorization between Activity Tracker Event Routing and Cloud Logs

• Create a cloud_logs target with the details of the Cloud Logs instance

• Create a route with a wildcard rule to route all auditing events to the Cloud Logs target.

  Choose wildcard(*) events and the Cloud Logs target that you have created.

Checklist to verify the Activity Tracker Event Routing configuration.

• Check that you continue to see activity tracking events in tail mode in your Activity Tracker instances.

• Check that you see activity tracking events, from all the regions where you have Activity Tracker instances, in your Cloud Logs instance. Filter by applicationName ibm-audit-event.

Configure the Event Notifications service for alerting

Cloud Logs integrates with the Event Notifications service to send events to your destinations.

In Activity Tracker, a view and an alert are tightly coupled. You define the triggering condition (query) in the view and configure an alert to indicate when and to how many notification channels to send the event.

In Cloud Logs, Views (known as Logs) and Alerts are resources that you manage separately. You create a view and an alert as independent resources. The query is the same in both cases if the view and the alert are related. You can also add an integration to the Event Notifications service when you configure an alert so when the alert triggers in Cloud Logs, an event is sent to your destinations through the Event Notifications service.

1. Provision an instance of Event notifications.

2. Define a service to service authorization between Cloud Logs and the Event Notifications service

3. Define an outbound integration in your Cloud Logs instance to integrate both services.

4. Verify you integration.

Configure IAM policies

You must configure IAM policies to grant access to work with the Cloud Logs service. For more information, see Geting started with IAM.

Create resources in Cloud Logs

You might want to configure some views and alerts that you currently have in your Activity Tracker instances.

• To create views, see Managing custom views.
• To create dashboards, see Managing dashboards.
• Deploy an extension. Extensions are pre-defined resources that you can easily deploy to start monitoring your data. See Managing extensions.

Remove Activity Tracker instances in the account

After you have completed the migration and verification process, remove your Activity Tracker instance and related resources by following the instructions in Removing deprecated IBM Cloud Activity Tracker instances.