Configuring the IBM Cloud Logs Routing service to route platform logs to an IBM Cloud Logs instance in a region

Use the IBM Cloud Logs Routing service to route platform logs from your IBM Cloud account to an IBM Cloud Logs instance target destination. You must configure a tenant in the region and a target destination.

A tenant is the account-specific configuration of IBM Cloud Logs Routing running within a region. The tenant configuration includes a maximum of 2 target definitions. The target defines where the logs are routed.

You must create a tenant in your account in each region where you want to use IBM Cloud Logs Routing. Each region is independent and regions do not share data.

Goals

In this tutorial you will:

Configure IBM Cloud Logs Routing to route platform logs to an IBM Cloud Logs instance in a region
Verify that platform logs are being routed to your IBM Cloud Logs instance.

Before you begin

Complete the following steps:

Review About IBM® Cloud Logs Routing to understand concepts.
Install all prerequisite tools as described in the getting started.
To get details on a tenant by using the API, check that you can connect to IBM Cloud Logs Routing by using the management API. For more information, see Connecting to IBM® Cloud Logs Routing.
Platform logs that are routed to IBM Cloud Logs include metadata fields that you can use to manage the data and configure features in your IBM Cloud Logs instance.

The application name is the environment that produces and sends logs to IBM Cloud Logs. Platform logs have the application name set to ibm-platform-log.

The subsystem name is the service or application that produces and sends logs, or metrics to IBM Cloud Logs. Platform logs have the subsystem name set to CRNserviceName:instanceID. For VPC platform logs, the fields is set to is:resourceType.
Set up permissions to manage targets in the account. For more information, see Setting up IAM permissions for managing tenants.

Before you can set up the IBM Cloud Logs Routing service to route your platform logs, you need an IBM Cloud® Identity and Access Management (IAM) access token for authentication. The IBM Cloud CLI is used to obtain this information.
1. Log in to your IBM Cloud account. Include the --sso option if you are using a federated ID.
```
ibmcloud login [--sso]
```
  The output will include your username similar to:
```
Targeted account Jane Doe\'s Account (111111111112a21af53a2aeed19a1542a44) <-> 11111156


 API endpoint:     https://cloud.ibm.com
 Region:           us-south
 User:             Jane.Doe@ibm.com
 Account:          Jane Doe\'s Account (111111111112a21af53a2aeed19a1542a44) <-> 11111156
 Resource group:   No resource group targeted, use 'ibmcloud target -g RESOURCE_GROUP'
```
2. To grant access for using IBM Cloud Logs Routing to your user, collect the username from the above generated output. In our example, this would be Jane.Doe@ibm.com. Replace <username> with your username in the following command:
```
ibmcloud iam user-policy-create <username> --roles Manager --service-name logs-router
```
  Instead of assigning roles directly to identities, a common strategy is to assign roles to access groups, and add identities as members to those access groups. For more information about access groups, see setting up access groups.

Creating a service to service authorization

You must use IBM Cloud® Identity and Access Management (IAM) to create an authorization that grants IBM Cloud Logs Routing access to IBM Cloud Logs.

Creating a service to service authorization through the UI

Complete the following steps:

Log in to your IBM Cloud account.
In the IBM Cloud console, click Manage > Access (IAM), and select Authorizations.
Click Create.
Configure the source account. Select This account.
Select Logs Routing as the source service. Then, set the scope of the access to All resources.
Select Cloud Logs as the target service. Then, set the scope of the access to All resources, which grants access to all IBM Cloud Logs instances, or a single instance by configuring Resources based on selected attributes > Service Instance.

Other attributes are not supported for this type of authorization.
In the Service Access section, select Sender to assign access to the source service that accesses the target service.
Click Authorize.

Creating a service to service authorization by using the CLI

You must define a service to service (S2S) authorization between IBM Cloud Logs and IBM® Cloud Logs Routing so the IBM® Cloud Logs Routing service can send logs to your tenant.

Complete the following steps:

Retrieving the IAM bearer token and export it as an environment variable. Run the following command:

You must get an IBM Cloud® Identity and Access Management (IAM) access token to authenticate your requests to the IBM® Cloud Logs Routing service. For more information, see Retrieving an access token.

For example, you can retrieve your IAM bearer token and export it as an environment variable by running the following CLI command:
```
export IAM_TOKEN=`ibmcloud iam oauth-tokens --output json | jq -r '.iam_token'`
```
Verify that your token has been correctly exported by displaying it in your terminal.
```
echo $IAM_TOKEN
```
The output should start with Bearer followed by a string containing letters, numbers, and symbols.

Create an authorization policy.

ibmcloud iam authorization-policy-create logs-router logs Sender

For more information, see Creating a S2S authorization to grant access to send logs to IBM Cloud Logs.

Retrieving your IBM Cloud Logs information

To route data to an IBM Cloud Logs instance, you need information about the destination where you want logs delivered. You need the following information for your IBM Log Analysis instance:

The instance CRN
The ingestion (ingress) endpoint and port

Only public ingress endpoints are supported when configuring a target to an IBM Cloud Logs instance.

Use this command to retrieve the URL and ID:

ibmcloud resource service-instances --service-name logs --long --output JSON | jq '[.[] | {name: .name, id: .id, region: .region_id, ingestion_endpoint: .extensions.external_ingress}]'

If you have multiple instances, choose one you would like to use for receiving platform logs and save the information for later.

The endpoint is similar to:

ingestion_endpoint: 3a622101-7521-4002-bf91-8c26e17eedcf.ingress.eu-de.logs.cloud.ibm.com

The ID is similar to:

"crn:v1:bluemix:public:logs:eu-es:a/15ff25632a21af53a2aeed19a1542a44:3a622101-7521-4002-bf91-8c26e17eedcf::"

To get all the information about the instance, you can run ibmcloud resource service-instances --service-name logs --long --output JSON This command lists all of your IBM Cloud Logs instances. You need the following fields: IDthat contains the instance's CRN, extensions.external_ingress that contains the ingress endpoint, and extensions.virtual_private_endpoints.endpoints.ports.port_max that contains the port value.

Creating a tenant and target

To receive your platform logs, you need to create a tenant with the IBM Cloud Logs Routing service.

You must create your tenant in the region where you want to collect and route platform logs to the IBM Cloud Logs instance.

Creating a tenant and target by using the API

Run the following cURL request from the command line:

The create request creates the tenant in the region and the destination.

curl -X POST https://<MANAGEMENT-API-ENDPOINT>:443/v1/tenants \
-H "Content-Type: application/json" \
-H "Authorization: ${IAM_TOKEN}" \
-H 'IBM-API-Version: DATE' \
--data '{
    "name": "TENANT_NAME",
    "targets": [
        {
            "log_sink_crn": "CLOUD_LOGS_INSTANCE_ID",
            "name": "TARGET_NAME",
            "parameters": {
                "host": "CLOUD_LOGS_INSTANCE_INGRESS_ENDPOINT",
                "port": PORT
            }
        }
    ]
}'

Where

Parameter descriptions
Parameter	Description
`MANAGEMENT-API-ENDPOINT`	The endpoint of the IBM® Cloud Logs Routing service. For more information, see Endpoints. For example, `https://management.eu-es.logs-router.cloud.ibm.com`
`IAM_TOKEN`	The IAM Token you obtained previously. If you exported it in your environment as described above, it is replaced automatically.
`DATE`	The current date. For example, `2024-03-01`
`TENANT_NAME`	Name of the tenant. The name must be unique across tenants for this account and can be up to 35 characters long. The value can only contain these characters: `a-z,0-9,-./` An example would be `eu-es-tenant`.
`TARGET_NAME`	Name of the target destination. The name must be unique across all targets within a region and can be up to 35 characters long. The value can only contain these characters: `a-z,0-9,-./` You can for example choose the name of your IBM Cloud Logs instance. An example would be `platformlogs-eu-es`.
`CLOUD_LOGS_INSTANCE_ID`	The CRN of your IBM Cloud Logs instance.
`CLOUD_LOGS_INSTANCE_INGRESS_ENDPOINT`	The endpoint of your IBM Cloud Logs instance.
`PORT`	Set to `443`

Review your command carefully, since it contains values that were gathered previously. Be sure to make the necessary substitutions for the command to work as expected.

If the creation request was successful, a response that contains your tenant metadata is returned. For example,

{
    "id": "3517d2ed-9429-af34-ad52-34278391cbc8:",
    "created_at": "2023-10-20T18:30:00.143156Z",
    "updated_at": "2023-10-20T18:30:00.143156Z",
    "crn": "crn:v1:bluemix:public:logs-router:eu-de:a/3516b8fa0a174a71899f5affa4f18d78:3517d2ed-9429-af34-ad52-34278391cbc8::",
    "name": "tenant",
    "etag": "\"822b4b5423e225206c1d75666595714a11925cd0f82b229839864443d6c3c049\"",
    "targets": [
    {
        "id": "86432b-66a6-df12-7003-888a21a2b3",
        "log_sink_crn": "crn:v1:bluemix:public:logs:eu-gb:a/91d1d1e42f9b684df920bbd06461c222:743e3b4f-72bc-4669-9fa6-0e6621d0b232::",
        "name": "my-log-sink",
        "etag": "\"c3a43545a7f2675970671ac3a57b8db067a1866b2222e1b950ee8da612e347c6\"",
        "type": "logs",
        "created_at": "2023-10-20T18:30:00.143156Z",
        "updated_at": "2023-10-20T18:30:00.143156Z",
        "parameters": {
            "host": "743e3b4f-72bc-4669-9fa6-0e6621d0b232.ingress.eu-gb.logs.cloud.ibm.com",
            "port": 443
        }
    }
    ]
}

Creating a tenant using the UI

Complete the following steps:

Log in to your IBM Cloud account.
Click the Menu icon > Observability.
Click Logging > Routing.
Click Set target.
Click the tab Cloud Logs and select an IBM Cloud Logs instance from the list. This is the instance where you want to receive logs that are routed by IBM Cloud Logs Routing.

You can select a IBM Cloud Logs instance from the list.

The IBM Cloud Logs instance must be located in the same account that you are configuring.
Click Save.

Verifying that logs are sent to the destination target

To ensure that your platform logs are successfully flowing to IBM Cloud Logs, do the following steps:

Launch the IBM Cloud Logs web UI for the IBM Cloud Logs instance that is configured as the target to collect platform logs in a region. This is the instance that you selected in the step where you setup a target.
View logs through custom views. For more information, see Viewing logs.

All platform logs are generated in JSON. You can filter platform logs in your instance be selecting the value of ibm-platform-logs as the applicationName.