Monitor archiving with Activity Tracker
You can monitor archiving of a Log Analysis instance by using the Activity Tracker service to monitor the service ID that is used to write data into IBM Cloud Object Storage (COS).
As of 28 March 2024 the IBM Log Analysis and IBM Cloud Activity Tracker services are deprecated and will no longer be supported as of 30 March 2025. Customers will need to migrate to IBM Cloud Logs, which replaces these two services, prior to 30 March 2025. For information about IBM Cloud Logs, see the IBM Cloud Logs documentation.
Prereqs
Activity Tracker service
- You must have an Activity Tracker instance provisioned that receives events from the COS bucket that you use for archiving. Normally this instance is in the same region as the COS bucket.
- You must have a paid service plan for the IBM Cloud Activity Tracker service. Learn more.
- Check that your user ID has permissions to launch the web UI and create views and alerts in the Activity Tracker instance. The following table lists the minimum roles that a user must have to be able to launch the IBM Cloud Activity Tracker web UI, and manage resources:
Role | Permission granted |
---|---|
Platform role: Viewer | Allows the user to view the list of service instances in the Observability dashboard. |
Service role: standard-user or Service role: manager | Allows the user to launch the web UI and configure resources. |
For more information on how to configure policies for a user, see Granting user permissions to a user or service ID.
IBM Cloud Object Storage service
- You must have enabled collection of data events for the bucket where you are archiving data for the Log Analysis instance. Make sure the events are saved to your IBM Cloud Activity Tracker instance.
  You must enable write data events to monitor upload of objects to the bucket. You must enable read data events to monitor download of objects from the bucket.
- You must have access to view the bucket CRN.
- You must have access to view the service ID CRN value that is associated with the service credential that is used to configure archiving in Log Analysis.
Configure an alert to monitor archiving
Step 1. Get the service ID
Complete the following steps to get the service ID that is used to configure archiving in Log Analysis:
- From the Navigation menu, select Resource List > Storage.
- Select the IBM Cloud Object Storage instance where the bucket is available.
- Select Service credentials.
- For the service ID that you used to configure archiving, open the details for the Key name. You will see information that is related to the key.
- Copy the service ID value. This is the last section of the CRN value that is set for the field iam_serviceid_crn.
  For example, an iam_serviceid_crn is similar to the following:
  "iam_serviceid_crn": "crn:v1:bluemix:public:iam-identity::a/xxxxxxxxx::serviceid:ServiceId-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx"
  You must copy the section:
  ServiceId-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx
- Select Buckets.
- Select the bucket you are using for archiving.
- Click the Configuration tab.
- Copy the Bucket Instance CRN.
- In the Activity Tracker section make sure the selected service instance is the one you are using. Also make sure Data events is set to read & write.
Step 2. Define a view to filter the events that report the usage of that service ID
Complete the following steps to define a view:
- Launch the Activity Tracker UI. The Views section opens.
- Select the Everything view.
- In the search bar, enter the following query:
  initiator.id:iam-ServiceId-<GUID> action:cloud-object-storage.object.create target.id:<BUCKET-CRN>
  Replace <GUID> with the ID value of the service ID that you copied earlier. Replace <BUCKET-CRN> with the CRN value of the bucket that you found on the bucket configuration page.
- Save the view. For example, you can name the view Upload Frankfurt to indicate that it shows archive files uploaded into the bucket from an IBM Log Analysis instance located in Frankfurt.
  The data that is displayed through the view reports write actions of archive files to the archive bucket.
Step 3. Define an alert to notify the absence of new archive files
Complete the following steps to define an absence alert that notifies you when archiving is not happening:
- Select the view name.
- Select Attach an alert. The following page opens.
- Select View-specific alert.
- Choose the notification channel.
- Configure an Absence alert.
  Archiving is configured hourly. Consider configuring the absence alert over a period of 24 hours to monitor archiving daily.
For more details on how to configure an alert, see Creating alerts.
Configure an alert to detect unauthorized access to the bucket
You must enable read and write data events for the bucket to collect detailed bucket events in your account. Data events are enabled for each bucket.
Monitor requests that report unauthorized access to the bucket. This situation can have different causes: for example, the credentials are invalid because the service ID permissions are changed or the service ID is deleted, or a user or service without permissions is trying to access the bucket to upload or download data.
To configure this alert, you must create a view with the following query so that you monitor any unauthorized access to the bucket:
target.id:<BUCKET-CRN> reason.reasonCode:403
Replace <BUCKET-CRN> with the CRN value of the bucket that you can get from the bucket configuration page.
Then, you must create a presence alert so you are notified as soon as you start receiving this type of event. For more details on how to configure an alert, see Creating alerts.
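The following added example (not part of the IBM documentation) applies the same field matches as the archive view query and the 403 view query to a list of exported events, and reports whether the 24-hour absence alert and the presence alert would be in a firing state. The event layout, the eventTime field format, and all CRN and ID values are constructed assumptions.

```python
from datetime import datetime, timedelta

UPLOAD_ACTION = "cloud-object-storage.object.create"  # action used in the page's query

def service_id_from_crn(crn):
    """Return the last CRN section (ServiceId-...) of an iam_serviceid_crn value."""
    parts = crn.split(":")
    if len(parts) != 10 or parts[8] != "serviceid" or not parts[9].startswith("ServiceId-"):
        raise ValueError("not a service ID CRN: %r" % crn)
    return parts[9]

def evaluate(events, serviceid_crn, bucket_crn, now, window=timedelta(hours=24)):
    """Apply both view queries to events inside the window and report alert state."""
    initiator = "iam-" + service_id_from_crn(serviceid_crn)
    uploads, denied = [], []
    for ev in events:
        if ev.get("target", {}).get("id") != bucket_crn:
            continue  # both queries are scoped to target.id:<BUCKET-CRN>
        # Assumption: eventTime is an ISO 8601 string with a UTC offset
        if now - datetime.fromisoformat(ev["eventTime"]) > window:
            continue
        if ev.get("action") == UPLOAD_ACTION and ev.get("initiator", {}).get("id") == initiator:
            uploads.append(ev)  # matches the archive view
        if str(ev.get("reason", {}).get("reasonCode")) == "403":
            denied.append(ev)   # matches the unauthorized-access view
    return {"absence_alert": not uploads, "presence_alert": bool(denied),
            "uploads": len(uploads), "denied": len(denied)}

# Constructed sample data: placeholder CRNs and IDs, not real values
SID_CRN = "crn:v1:bluemix:public:iam-identity::a/constructed::serviceid:ServiceId-1111"
BUCKET = "crn:constructed-archive-bucket"

def _ev(time, initiator, target, code=200):
    return {"eventTime": time, "action": UPLOAD_ACTION,
            "initiator": {"id": initiator}, "target": {"id": target},
            "reason": {"reasonCode": code}}

EVENTS = [
    _ev("2024-03-01T09:00:00+00:00", "iam-ServiceId-1111", BUCKET),  # upload, 27 hours old
    _ev("2024-03-02T10:00:00+00:00", "iam-ServiceId-1111", "crn:constructed-other-bucket"),
    _ev("2024-03-02T11:00:00+00:00", "iam-ServiceId-9999", BUCKET, 403),  # denied request
]
NOW = datetime.fromisoformat("2024-03-02T12:00:00+00:00")

if __name__ == "__main__":
    print(evaluate(EVENTS, SID_CRN, BUCKET, NOW))
```

Because the archive view query does not filter on reason.reasonCode, an event for the service ID that carries a 403 would match both views, which is why the absence alert and the 403 presence alert are worth running together.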
Configure a dashboard to monitor archiving
Complete the following steps to define a dashboard:
- Launch the Activity Tracker UI. The Views section opens.
- Select the Boards icon.
- Select New board.
- Select Add Graph.
- Select All lines in the Graph a field section.
- Select Advance filtering and add the following query:
  initiator.id:iam-ServiceId-<GUID> action:cloud-object-storage.object.create target.id:<BUCKET-CRN>
  Replace <GUID> with the ID value of the service ID that you copied earlier. Replace <BUCKET-CRN> with the CRN value of the bucket that you can get from the bucket configuration page.
- Select Add graph. The following dashboard is created where you can monitor the archiving activity in your account for the bucket that you specified in the configuration.