Auditing events for IBM Cloud Metrics Routing

As a security officer, auditor, or manager, you can use the IBM Cloud® Activity Tracker Event Routing service or the Activity Tracker hosted event search service to track how users and applications interact with the IBM Cloud Metrics Routing service in IBM Cloud.

Activity Tracker Event Routing records user-initiated activities that change the state of a service in IBM Cloud. You can use this service to investigate abnormal activity and critical actions and to comply with regulatory audit requirements. In addition, you can be alerted about actions as they happen. The events that are collected comply with the Cloud Auditing Data Federation (CADF) standard.

Managing auditing events in an IBM Cloud account

You can manage auditing events in an IBM Cloud account in any of the following ways:

By configuring Activity Tracker hosted event search in the IBM Cloud account

You can use Activity Tracker hosted event search, an IAM enabled service, to manage auditing events through instances that you provision in each IBM Cloud region where you operate.

Activity Tracker hosted event search routes location-based auditing events to an Activity Tracker instance in the region where they are generated and routes global auditing events to the Activity Tracker Event Routing instance that is provisioned in Frankfurt. For more information about locations where IBM Cloud Metrics Routing generates events, see Locations of Activity Tracker Event Routing events.

For more information about how to configure Activity Tracker hosted event search, see Getting started with Activity Tracker hosted event search.
By configuring Activity Tracker Event Routing in the IBM Cloud account

You can use Activity Tracker Event Routing, a platform service, to manage auditing events at the account-level by configuring targets and routes that define where auditing data is routed.

Activity Tracker Event Routing routes events based on the location that is specified in the logSourceCRN field included in the event. You can define a target, the resource where events are routed to, in any Activity Tracker Event Routing supported region. However, the target resource can be located in any region where that type of target is supported, in the same account or in a different account. You can define rules to determine where auditing events are to be routed by configuring 1 or more routes in the account. You can define rules for managing global events and location-based events that are generated in regions where Activity Tracker Event Routing is supported.

For more information about how to configure Activity Tracker Event Routing, see Getting started with Activity Tracker Event Routing.

Activity Tracker Event Routing can only route events that are generated in supported regions. Other regions, where Activity Tracker Event Routing is not available, continue to manage events by using Activity Tracker hosted event search.

You can manage auditing events that are generated by IBM Cloud Metrics Routing by using any of the following methods:

Table 1. Methods to manage auditing events in an IBM Cloud account.
Method	Supported
Configuring Activity Tracker Event Routing
Configuring Activity Tracker hosted event search

Locations of service events

IBM Cloud Metrics Routing generates global events and regional events for targets.

If you manage auditing events in the account using IBM Cloud Activity Tracker hosted event search, all auditing events are available through the IBM Cloud Activity Tracker hosted event search instance provisioned in the Frankfurt (EU-DE) region.

If you manage auditing events in the account using IBM Cloud Activity Tracker Event Routing, you must define explicit rules to manage events for targets, and also rules to manage the rest of the events that are defined as global.

Viewing events

Viewing events managed through Activity Tracker Event Routing

Activity Tracker Event Routing routes events based on the location that is specified in the logSourceCRN field included in the event.

You can define a target, the resource where events are routed to, in any Activity Tracker Event Routing supported region. However, the target resource can be located in any region where that type of target is supported, in the same account or in a different account. For more information about supported targets, see Targets.

You can define rules to determine where auditing events are to be routed by configuring 1 or more routes in the account. You can define rules for managing global events and location-based events that are generated in regions where Activity Tracker Event Routing is supported. For more information, see supported regions.

To view events, you must access the target and download the object.

Viewing events managed through Activity Tracker hosted event search

Activity Tracker hosted event search routes location-based auditing events to an Activity Tracker instance in the region where they are generated and routes global auditing events to the Activity Tracker instance that is provisioned in Frankfurt.

IBM Cloud Metrics Routing events are automatically forwarded to the Activity Tracker instance that is provisioned in Frankfurt.

Activity Tracker can have only one instance per location. To view events, you must access the web UI of the Activity Tracker service in Frankfurt. For more information, see Launching the web UI through the IBM Cloud UI.

Management events

Targets

The following table lists the auditing events that are generated when you manage targets:

Table 1. Events for managing targets
Action	Description
`metrics-router.target.create`	This event is generated when an administrator creates a new Monitoring target.
`metrics-router.target.list`	This event is generated when an administrator lists all targets defined under a region.
`metrics-router.target.read`	This event is generated when an administrator retrieves a target and its details by specifying the ID of the target.
`metrics-router.target.update`	This event is generated when an administrator updates a target details by specifying the ID of the target.
`metrics-router.target.delete`	This event is generated when an administrator deletes a target by specifying the ID of the target.

Routes

The following table lists the auditing events that are generated when you manage routes:

Table 2. Events for managing routes
Action	Description
`metrics-router.route.create`	This event is generated when an administrator creates a route with rules that define how to route metrics data to targets.
`metrics-router.route.list`	This event is generated when an administrator lists routes.
`metrics-router.route.read`	This event is generated when an administrator retrieves a route and its details by specifying the ID of the route.
`metrics-router.route.update`	This event is generated when an administrator replaces a route details by specifying the ID of the route. You can also get this event when you validate a target by checking the credentials to the destination target.
`metrics-router.route.delete`	This event is generated when an administrator deletes a route by specifying the ID of the route.

Settings

The following table lists the auditing events that are generated when you manage settings:

Table 3. Events for managing settings
Action	Description
`metrics-router.setting.update`	This event is generated when an administrator configures the IBM Cloud Metrics Routing settings for an account.
`metrics-router.setting.get`	This event is generated when an administrator gets information about the IBM Cloud Metrics Routing settings for an account.