Provisioning an instance

Before you can monitor and manage metrics, you must provision an instance of the service in IBM Cloud. You can optionally connect an IBM Cloud Security and Compliance Center Workload Protection instance to your IBM Cloud Monitoring instance.

Provisioning an instance from the catalog

Provision an IBM Cloud Monitoring instance from the IBM Cloud catalog by completing the following steps:

Log in to the IBM Cloud console.
Click Catalog. The list of the services that are available on IBM Cloud opens.
Filter the list of services by selecting the Logging and Monitoring category.
Click the IBM Cloud Monitoring tile.
Select Create.
Select the location where the IBM Cloud Monitoring is to be created.
Select a service plan. By default, the Lite plan is set.

To provision an instance with the full monitoring funnctionality, select the Graduated Tier plan.

For more information about the service plans, see Service plans.
In Configure resource details enter a name for your instance.
Select a resource group. By default, the Default resource group is set.
Optionally specify any desired tags or access management tags.
You can have one IBM Cloud Monitoring instance in a region configured to receive platform metrics. To configure the instance to receive platform metric, set the Enable platform metrics switch to on.
(Optional) Connect an IBM Cloud Security and Compliance Center Workload Protection instance to your IBM Cloud Monitoring instance.

An IBM Cloud Security and Compliance Center Workload Protection instance can be linked to your IBM Cloud Monitoring instance so that a single agent can collect both metrics and security data both provisioned services.

To link an IBM Cloud Security and Compliance Center Workload Protection instance to your IBM Cloud Monitoring instance:
1. Set the Connect a Workload Protection instance switch to on.
2. If you have an existing IBM Cloud Security and Compliance Center Workload Protection instance you can connect to the existing instance or create a new instance.
  - To create a new instance:
    1. Select Connect new instance.
    2. To change any of the default details for the new IBM Cloud Security and Compliance Center Workload Protection instance, click Edit, make any required changes and click Save to save your changes.
  - To use an existing instance, select Connect existing instance.
    1. Select Connect existing instance.
    2. Select the instance to be connected from the list.
Confirm that you have read and agreed to the license agreements.
Click Create.

After you provision an instance:

The details for the IBM Cloud Monitoring instance are displayed along with whether or not an IBM Cloud Security and Compliance Center Workload Protection instance is connected.
A service ID is automatically created. You can use this service ID to get the access key for your instance. The name of the service ID has the following format: {InstanceName}-key-Administrator.

Next, configure a metric source by adding an agent. This agent is responsible for collecting and forwarding metrics to the monitoring instance.

Provisioning an instance through the CLI

To provision an instance through the command line, complete the following steps:

[Pre-requisite] Installation of the IBM Cloud CLI. If the CLI is installed, continue with the next step.
Log in to the region in the IBM Cloud where you want to provision the instance. Run the following command: ibmcloud login
Set the resource group where you want to provision the instance. Run the following command: ibmcloud target

By default, the default resource group is set.
Create the instance. Run the ibmcloud resource service-instance-create command:
```
ibmcloud resource service-instance-create NAME sysdig-monitor SERVICE_PLAN_NAME LOCATION  -p '{"default_receiver": false,"external_api_auth": "API_AUTH", "workload_protection_connected_instance": "WP_CRN"}'
```
Where

NAME is the name of the instance.

service-name is the name of the IBM Cloud Monitoring service name in the IBM Cloud.

SERVICE_PLAN_NAME is the type of plan. See Service plans to get the plan name.

LOCATION is the region where the instance is created.

default_receiver is set to false by default. Set to true to collect platform metrics automatically through this instance in a region.

API_AUTH is set to the authorization model that is enabled to authenticate with the IBM Cloud Monitoring service when you use Python scripts or the REST API. Valid values are: ANY, and IAM_ONLY.

workload_protection_connected_instance (optional) connects an existing IBM Cloud Security and Compliance Center Workload Protection instance to the IBM Cloud Monitoring instance being created. For more information on connecting instances, see Can IBM Cloud Monitoring and IBM Cloud Security and Compliance Center Workload Protection be used together?

WP_CRN(required when specifying workload_protection_connected_instance) the CRN of the IBM Cloud Security and Compliance Center Workload Protection instance to be connected.

For example, to provision an instance with the paid plan, run the following command:
```
ibmcloud resource service-instance-create monitoring-instance-01 service-name graduated-tier us-south -p '{"default_receiver": false}'
```
To provision an instance with the paid plan that only allows IAM tokens, run the following command:
```
ibmcloud resource service-instance-create monitoring-instance-01 service-name graduated-tier us-south -p '{"default_receiver": false,"external_api_auth": "IAM_ONLY"}'
```
Create the service key that connects to the instance ibmcloud resource service-key-create
```
ibmcloud resource service-key-create NAME ROLE_NAME --instance-name SERVICE_INSTANCE_NAME
```
Where

NAME is the name of your new service key

ROLE_NAME is either Administrator, Manager, Writer, or Reader

SERVICE_INSTANCE_NAME is the name of the instance you created

This will gain you access to the instance's access key.