IBM Cloud Docs
Monitoring operational metrics

Monitoring operational metrics

As a security officer, auditor, or manager, you can use the IBM Cloud Monitoring service to measure how users and applications interact with IBM® Key Protect for IBM Cloud®.

IBM Cloud Monitoring records data on the operations that occur inside of IBM Cloud. This service allows you to gain operational visibility into the performance and health of your applications, services, and platforms. You can use its advanced features to monitor and troubleshoot, define alerts based on API response codes, and design custom dashboards.

For more information regarding the Monitoring service, see the getting started tutorial for IBM Cloud Monitoring.

What metrics are available?

You can use Monitoring to track the type of API requests being made in your service instance as well as the latency of the requests.

The following contains examples of metrics that can be measured in your Monitoring dashboard:

  • Total requests being made in your Key Protect instance

  • Successful vs failed API requests categorized by API type

  • API request latency over time

  • Total API requests categorized by response code

Before you begin

Enabling Key Protect service metrics will add new metrics to your Monitoring instance. For information on Monitoring pricing, see Pricing.

Before you provision an instance of Monitoring, consider the following guidance:

  • You will need to enable a metrics policy in the Key Protect instance in order to retrieve operational metrics.

  • Other IBM Cloud users with administrator or editor permissions can manage the Monitoring service in the IBM Cloud. These users must also have platform permissions to create resources within the context of the resource group where they plan to provision the instance.

Connecting Monitoring with Key Protect

Your dashboard will show metrics for all Key Protect instances with an enabled metrics policy.

Configure a Monitoring instance for metrics

To enable platform metrics in a region, complete the following steps:

  1. Provision an instance of Monitoring in the region of the Key Protect instance that contains an enabled metrics policy.

  2. Go to the monitoring dashboard.

  3. Click on "Configure platform metrics."

  4. Select the region where the Key Protect instance was created.

  5. Select the Key Protect instance in which you would like to receive metrics.

  6. Click "Configure."

  7. Your Key Protect instance is now set for platform metrics.

Key Protect Metrics Details

You can use the metrics in your monitoring instance dashboard to measure the types of requests being made in your service instance as well as the latency of the requests.

API Hits

The type and amount of API requests being made to your Key Protect instance. For example, you can track how many API requests have been made by an authorized user be setting an alert that triggers when your monitoring instance notices a frequent amount of 401 status codes being returned from your Key Protect instance.

Table 1. Describes the API Hits metrics.
Metadata Description
Metric Name ibm_kms_api_request_gauge
Metric Type Gauge
Value Type none
Segment By Attributes for Segmentation

Latency

The amount of time it takes Key Protect to receive an API request and respond to it.

The latency is calculated by getting the average of all requests of the same type that occur within 60 seconds.

Table 2. Describes the Latency metrics.
Metadata Description
Metric Name ibm_kms_api_latency_gauge
Metric Type Gauge
Value Type Milliseconds
Segment By Attributes for Segmentation

Attributes for Segmentation

You can filter your metrics by using the following attributes.

Table 3. Describes the attributes use for segmenting metrics.
Attribute Name Description
ibm_resource_type Supported resource type is instance.
ibm_kms_response_code Response code for the Key Protect service API request.
ibm_scope The account, organization, or space GUID associated with the metric.
ibm_ctype public, dedicated, or local.
ibm_location Location of the Key Protect service instance.
ibm_service_name kms.
ibm_resource Key Protect service instance ID.
ibm_kms_api Key Protect service API name.
ibm_resource_group_name Resource group name associated with the Key Protect service instance.
ibm_service_instance_name Key Protect service instance name.
ibm_service_instance Key Protect service instance ID.

Metrics Filter Attributes

You can scope down your metrics by using the following scope filters. These filters are more granular than the segmentation filters.

Table 4. Describes the scope filters for Key Protect metrics.
Attribute Name Description
ibmResourceGroupName The name of the resource group associated with the Key Protect service instance.
ibmScope The account, organization, or space GUID associated with the metric.
ibmServiceInstanceName The service instance associated with the metric.
ibmKmsApi The Key Protect API call associated with the metric.

Due to Monitoring limitations, you will only be able to see the values in the dropdown filters for up to 6 hours at a time. You can manually type in value into scope variables to use scope filters for given time periods.

Default Dashboards

You will need to configure platform metrics and enable a metrics policy on your KP service instance in order to view your Key Protect operational metrics dashboard.

How to find the Monitoring dashboard for your Key Protect service instance using Key Protect console

After configuring your Monitoring instance to receive platform metrics, follow the below steps:

  1. Go to the Provision service instance and create your Key Protect service instance.

  2. Click on the Actions dropdown.

  3. Select Monitoring. This will take you to the Key Protect dashboard.

An example of the console monitoring button.
Figure 1. Shows example of the Monitoring instance console monitoring button.

How to find the Monitoring dashboard for your Key Protect service instance using observability page

After configuring your Monitoring instance to receive platform metrics, follow the below steps:

  1. Go to the monitoring dashboard and find your monitoring instance that is configured to receive platform metrics.

  2. Click on the View Monitoring button that is in the View Dashboard column of the monitoring instance.

  3. Once you are in the Monitoring platform, click Dashboards to open up the side menu.

  4. Select IBM under the Dashboard Templates section.

  5. Select Key Protect - Overview to view the dashboard for your Key Protect service instance.

An example of the dashboard menu in Monitoring.
Figure 2. The dashboard menu that lists the dashboards in your Monitoring instances.

Below are figures that show the metric views available to you on the default dashboard.

An example of a Key Protect metrics dashboard.
Figure 3. Some of the metrics available on the Monitoring dashboard.

An example of a Key Protect dashboard view.
Figure 4. Some of the metrics available on the Monitoring dashboard.

You will not be able to see any metrics in your Monitoring instance until you enable a metrics policy for your Key Protect instance and make API requests to your Key Protect instance.

Setting Alerts

You can set alerts on your Monitoring dashboard to notify you of certain metrics.

To setup a metric, complete the follow steps.

  1. Click Alerts on the side menu.

  2. Click Add Alert at the top of the page.

  3. Select Metric as the alert type.

  4. Select the aggregation and the metric that you would like to be performed on.

  5. Select the scope if applicable.

  6. Set the metric and time requirements for the alert to trigger.

  7. Configure and set up the notification channel and notification interval.

  8. Click the CREATE button.

The figure as shown provides an example of how to configure an alert when your service instance receives multiple 401 and 403 errors within a 10 minute time span.

An example of a 401 and 403 configuration.
Figure 5. The configuration for a 401 alert in a Monitoring dashboard.