Auditing events for IBM Cloud Logs Routing
As a security officer, auditor, or manager, you can use the IBM Cloud® Activity Tracker service to track how users and applications interact with the IBM® Cloud Logs Routing service in IBM Cloud.
IBM Cloud Activity Tracker records user-initiated activities that change the state of a service in IBM Cloud. You can use this service to investigate abnormal activity and critical actions and to comply with regulatory audit requirements. In addition, you can be alerted about actions as they happen. The events that are collected comply with the Cloud Auditing Data Federation (CADF) standard. For more information, see IBM Cloud Activity Tracker Getting Started.
Management events
Action | Description |
---|---|
logs-router.tenant.create | This event is generated whenever a new tenant is created (onboarded). |
logs-router.tenant.delete | This event is generated whenever a tenant is deleted (offboarded). |
logs-router.tenant.read | This event is generated whenever data about an existing tenant is viewed. |
logs-router.tenant.update | This event is generated whenever the target data for a target of the tenant is edited (updated). |
Viewing events
Events that are generated by an IBM Cloud Logs Routing tenant are automatically forwarded to the IBM Cloud Activity Tracker service instance that is available in the same location.
IBM Cloud Activity Tracker can have only one instance per location. To view events, you must access the web UI of the IBM Cloud Activity Tracker service in the same location where your service instance is available. For more information, see Navigating to the UI.
Analyzing events
Depending on the action, the event includes additional information in the requestData or responseData field. The following table lists custom fields that are included in these events:
Custom fields | Valid values | Description | Actions |
---|---|---|---|
requestData.region | For example, eu-gb | Defines the region where the tenant is located. | create, read, update, delete, send |
requestData.targetType | For example, logdna | Defines the target type requested. | create, update |
requestData.targetHost | For example, logs.eu-gb.logging.cloud.ibm.com | Defines the host where logs are sent. | create, update |
requestData.targetPort | For example, 443 | Defines the port where logs are sent. | create, update |
requestData.targetCRN | A valid CRN | Defines the CRN of the target. | create, update |
requestData.tenantID | For example, XXXXXXXX-XXXX-XXXX-XXXXXXXXXXXX | Defines the tenant ID. For example, the tenant ID to delete (offboard). | read, delete, update |
responseData.tenantCRN | For example, crn:v1:staging:public:logs-router:eu-gb:a/XXXXXXXX-XXXX-XXXX-XXXXXXXXXXXX:XXXXXXXX-XXXX-XXXX-XXXXXXXXXXXX:: | Defines the CRN of the onboarded tenant. | create, read, update |
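
One way to triage these events, as an added example that is not part of the IBM documentation: the Python script below reads exported events as JSON lines and flags tenant create and update events whose requestData.targetHost or requestData.targetPort falls outside an approved list, along with tenant deletions. The nested JSON layout, the allowlist, and the sample events are assumptions constructed for illustration.

```python
import json

# Assumption: destinations approved for this account (constructed values).
ALLOWED_HOSTS = {"logs.eu-gb.logging.cloud.ibm.com"}
ALLOWED_PORTS = {443}
TARGET_ACTIONS = {"logs-router.tenant.create", "logs-router.tenant.update"}

def review_events(lines):
    """Return (action, subject, reason) findings for exported event lines."""
    findings = []
    for n, line in enumerate(lines, 1):
        try:
            event = json.loads(line)
            if not isinstance(event, dict):
                raise ValueError("not a JSON object")
        except ValueError:  # json.JSONDecodeError is a ValueError subclass
            findings.append(("unparsed", f"line {n}", "not valid JSON"))
            continue
        action = event.get("action", "")
        req = event.get("requestData")
        if not isinstance(req, dict):
            req = {}
        subject = req.get("tenantID") or req.get("region") or "unknown"
        if action == "logs-router.tenant.delete":
            findings.append((action, subject, "tenant offboarded"))
        elif action in TARGET_ACTIONS:
            host = req.get("targetHost")
            try:
                port = int(req.get("targetPort"))  # may be a number or a string
            except (TypeError, ValueError):
                port = None
            if host not in ALLOWED_HOSTS:
                findings.append((action, subject, f"unapproved targetHost {host!r}"))
            if port not in ALLOWED_PORTS:
                findings.append((action, subject, f"unapproved targetPort {port!r}"))
    return findings

# Constructed sample events; only fields documented on this page are used.
SAMPLE_EVENTS = [
    '{"action": "logs-router.tenant.create", "requestData": {"region": "eu-gb", "targetType": "logdna", "targetHost": "logs.eu-gb.logging.cloud.ibm.com", "targetPort": 443}}',
    '{"action": "logs-router.tenant.update", "requestData": {"region": "eu-gb", "tenantID": "tenant-1", "targetHost": "logs.example.net", "targetPort": "8443"}}',
    '{"action": "logs-router.tenant.delete", "requestData": {"region": "eu-gb", "tenantID": "tenant-1"}}',
    '{"action": "logs-router.tenant.read", "requestData": {"tenantID": "tenant-1"}}',
    'not json',
]

if __name__ == "__main__":
    for finding in review_events(SAMPLE_EVENTS):
        print(finding)
```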