IBM Cloud Docs
Configuring archiving through the UI

Configuring archiving through the UI

You can archive logs from an IBM Log Analysis instance into a bucket in an IBM Cloud Object Storage (COS) instance.

As of 28 March 2024 the IBM Log Analysis and IBM Cloud Activity Tracker services are deprecated and will no longer be supported as of 30 March 2025. Customers will need to migrate to IBM Cloud Logs, which replaces these two services, prior to 30 March 2025.

For more information about archiving, see Archiving events to IBM Cloud Object Storage.

Complete the following steps to archive an IBM Log Analysis instance into a bucket in an IBM Cloud Object Storage instance:

Step 1. Grant IAM policies to a user to work with IBM Cloud Object Storage

This step must be completed by the account owner or an administrator of the IBM Cloud Object Storage service on the IBM Cloud.

As an administrator of the IBM Cloud Object Storage service, you must be able to provision instances of the service, grant other users permissions to work with these instances, and create service IDs.

You can grant a user permissions to become an editor of the IBM Cloud Object Storage service:

  • As administrator of the service in the account, the user must have an IAM policy for the IBM Cloud Object Storage service with the platform role Administrator. You must assign this user access to an individual resource in the account.

  • As administrator of the service within the context of a resource group, the user must have an IAM policy for the IBM Cloud Object Storage service with the platform role Administrator within the context of the resource group.

The following table lists the roles that a user can have to complete the actions listed for the IBM Cloud Object Storage service:

Table 1. Roles and actions
Service Platform roles Action
Cloud Object Storage Administrator Allows the user to assign policies to users in the account to work with the IBM Cloud Object Storage service.
Cloud Object Storage Administrator
Editor 		Allows the user to provision an instance of the IBM Cloud Object Storage service.
Cloud Object Storage Administrator
Editor
Operator 		Allows the user to create a service ID.

Complete the following steps to assign a user administrator role to the IBM Cloud Object Storage service within the context of a resource group:

  1. From the menu bar, click Manage > Access (IAM), and then select Users.

  2. From the row for the user that you want to assign access, select the Actions menu, and then click Assign access.

  3. Select Assign access within a resource group.

  4. Select a resource group.

  5. If the user does not have a role that is already granted for the selected resource group, choose a role for the Assign access to a resource group field.

    Depending on the role that you select, the user can view the resource group on their dashboard, edit the resource group name, or manage user access to the group.

    You can select No access, if you want the user to have only access to the IBM Log Analysis service in the resource group.

  6. Select Cloud Object Storage.

  7. Select the platform role Administrator.

  8. Click Assign.

Step 2. Provision an instance of IBM Cloud Object Storage

This step must be completed by an editor, or administrator of the IBM Cloud Object Storage service on the IBM Cloud.

Complete the following steps to provision an IBM Cloud Object Storage instance:

  1. Log in to your IBM Cloud account.

    After you log in, the IBM Cloud UI opens.

  2. Click Catalog. The list of the services that are available in IBM Cloud opens.

  3. To filter the list of services that is displayed, select the Storage category.

  4. Click the Object Storage tile.

  5. Enter a name for the service instance.

  6. Select a resource group.

    By default, the Default resource group is set.

  7. Select a service plan.

    By default, the Lite plan is set.

  8. Click Create.

Step 3. Create a bucket

Buckets are a way to organize your data in an IBM Cloud Object Storage instance.

To manage buckets, your user must be granted permissions to work with buckets on the IBM Cloud Object Storage instance. The following table outlines the different actions and roles that a user can have to work with buckets:

Table 1. Roles and actions to work with buckets
Service Roles Action
Cloud Object Storage Platform role: Viewer Allows the user to view all buckets and list the objects within them through the IBM Cloud UI.
Cloud Object Storage Service role: Manager Allows the user to make objects public.
Cloud Object Storage Service roles: Manager
Writer 		Allows the user to create and destroy buckets and objects.
Cloud Object Storage Service role: reader Allows the user to list and download objects.

Note: To create a bucket, your user must have manager or writer permissions for the IBM Cloud Object Storage instance.

Complete the following steps to create a bucket:

  1. Log in to your IBM Cloud account.

    Click IBM Cloud dashboard to launch the IBM Cloud dashboard.

    After you log in with your user ID and password, the IBM Cloud Dashboard opens.

  2. From the Dashboard, select the IBM Cloud Object Storage instance where you plan to create the bucket.

  3. Select Buckets. Then, click Create Bucket.

  4. Enter a bucket name for the Unique bucket name field.

    Note: All buckets in all regions across the globe share a single namespace.

    You can use as part of the bucket name your IBM Log Analysis instance name. For example, for an instance with name logging-1, you can use accountN-logging-1 as your bucket name.

    You need this name to configure archiving through the IBM Log Analysis web UI.

  5. Choose the type of resiliency and a location where you would like your data to be physically stored.

    Resiliency refers to the scope and scale of the geographic area across which your data is distributed.

    • Cross Region resiliency spreads your data across several metropolitan areas.

    • Regional resiliency spreads data across a single metropolitan area.

    • A Single Data Center will only distribute data across devices within a single site.

    For more information, see Select regions and endpoints.

  6. Choose the type of Storage class.

    You can create buckets with different storage classes. Choose the storage class for your bucket based on your requirements to retrieve data. For more information, see Use storage classes.

    Note: It is not possible to change the storage class of a bucket once the bucket is created. If objects need to be reclassified, it is necessary to move the data to another bucket with the wanted storage class.

  7. Optionally, add a Key Protect Key to encrypt data at rest.

    All objects are encrypted by default by using randomly generated keys and an all-or-nothing-transform. While this default encryption model provides at-rest security, some workloads need to be in possession of the encryption keys used. For more information, see Manage encryption.

Step 4. Create a service ID for the IBM Cloud Object Storage instance

A service ID identifies a service similar to how a user ID identifies a user. Service IDs are not tied to a specific user. If the user that creates the service ID leaves your organization and is deleted from the account, the service ID remains.

You must create a service ID for your IBM Cloud Object Storage instance. This service ID is used by the IBM Log Analysis instance to authenticate with your IBM Cloud Object Storage instance.

You must assign specific access policies to the service ID that restrict permissions for using specific services, or even combine permissions for accessing different services. For example, to restrict access to a single bucket, ensure that the service ID doesn't have any instance level policies by using either the console or CLI.

Complete the following steps to create a service ID with writing permissions for the IBM Cloud Object Storage instance:

  1. Log in to your IBM Cloud account.

    Click IBM Cloud dashboard to launch the IBM Cloud dashboard.

    After you log in with your user ID and password, the IBM Cloud Dashboard opens.

  2. From the Dashboard, select the IBM Cloud Object Storage instance where you plan to create the bucket.

  3. Select Service credentials. Then, select New credential.

  4. Enter a name.

  5. Select the Reader role.

  6. Click Add.

    A new service ID is added to the list.

For the service ID that you just created, click View credentials. You can see information that is related to the service ID.

  • Copy the API key. This is the value set for the field apikey.

    When the service credential is rotated, make sure the API Key is updated with the new API Key. Archiving will stop if the API Key is not updated.

  • Copy the resource instance ID. This is the value set for the field resource_instance_id.

Step 5. Restrict the service ID to have only writing permissions for the bucket

If you want to restrict the service ID to have only writing permissions for a bucket, complete the following steps:

  1. Read the information for the service ID and write down the value of the iam_apikey_name field and the iam_apikey_name field.

  2. From the Dashboard, select Manage > Access (IAM), and then select Users.

  3. Select Service IDs.

  4. Look for a service ID that has the following name: auto-generated-serviceId-<ID that is part of the iam_apikey_name value>.

  5. Select the service ID. Then, in Access policies, click Writer.

  6. In the Resource type field enter bucket.

  7. In the Resource ID field enter the name of your bucket.

  8. Click Save.

If you leave the Resource Type or Resource fields blank, the policy that is created is an instance-level policy.

Step 6. Select the endpoint

An endpoint defines where to look for a bucket. There are different endpoints depending on the region and type of resiliency. For more information, see Select regions and endpoints.

Complete the following steps to obtain the endpoint for your bucket:

  1. Log in to your IBM Cloud account.

    After you log, the IBM Cloud Dashboard opens.

  2. From the Dashboard, select the IBM Cloud Object Storage instance where you plan to create the bucket.

  3. Select Buckets. Then, select the bucket that you created where you want to archive logs.

  4. Select Configuration.

  5. Copy one of the private endpoints.

Step 7. Grant IAM policies to a user to archive logs

The following table lists the policies that a user must have to configure archiving of logs from the IBM Log Analysis web UI into a bucket in an IBM Cloud Object Storage instance:

Table 2. IAM policies
Service Role Permission granted
IBM Log Analysis Platform role: Viewer Allows the user to view the list of service instances in the Observability Logging dashboard.
IBM Log Analysis Service role: Manager Allows the user to launch the web UI and view logs in the web UI.

For more information on how to configure these policies for a user, see Granting permissions to a user to view logs.

Complete the following steps to assign a user permission to archive logs:

  1. From the menu bar, click Manage > Access (IAM), and then select Users.

  2. From the row for the user that you want to assign access, select the Actions menu, and then click Assign access.

  3. Select Assign access within a resource group.

  4. Select a resource group.

  5. If the user does not have a role already granted for the selected resource group, choose a role for the Assign access to a resource group field.

    Depending on the role that you select, the user can view the resource group on their dashboard, edit the resource group name, or manage user access to the group.

    You can select No access, if you want the user to have only access to the IBM Log Analysis service in the resource group.

  6. Select IBM Log Analysis.

  7. Select the platform role Viewer.

  8. Select the service role Manager.

  9. Click Assign.

Step 8. Configure archiving for your IBM Log Analysis instance

Complete the following steps to configure archiving of your IBM Log Analysis instance into a COS bucket:

  1. Launch the IBM Log Analysis web UI.

  2. Click the Settings icon Configuration icon. Then select Archiving.

  3. Make sure Enable Archiving is on.

  4. Select IBM Cloud Object Storage as the Provider.

  5. Set the bucket, endpoint, API key, and instance ID where you want logs to be archived.

    Table 3. COS fields
    Field Value
    Bucket Set to the COS bucket name.
    Endpoint Set to the COS bucket private endpoint.
    API Key Set to the API key associated to the COS service ID.
    Instance ID Set to the COS instance ID.

  6. Click Save.

After you save the configuration, logs are archived once a day.

When the service credential is rotated, make sure the API Key is updated with the new API Key. Archiving will stop if the API Key is not updated.

Next steps