Logging for Security and Compliance Center

You can view and analyze Security and Compliance Center logs by using the IBM® Log Analysis service and enabling platform logs in each region where you operate in IBM Cloud. IBM Log Analysis adds log management capabilities to your IBM Cloud® architecture.

Use the IBM Cloud Activity Tracker service to audit and track how users and applications interact with the Security and Compliance Center service.

Platform logs

Platform logs are logs that are exposed by logging-enabled services and the platform in IBM Cloud.

Platform logs are regional.

You can monitor logs from enabled services on the IBM Cloud in the region where the service is available.
You can configure one instance only of the Log Analysis service per region to collect platform logs in that location.

You can have multiple Log Analysis instances in a location. However, only one instance in a location (region) can be configured to receive logs from enabled services in that IBM Cloud location.
To configure a Log Analysis instance, you must set on the platform logs configuration setting. Also, you must have the platform role editor or higher for the Log Analysis service in your account.

To enable platform logs, see:
- Configuring platform logs through the Observability dashboard
- Configuring platform logs from the command line

For more information about platform logs, see Configuring IBM Cloud platform logs.

Viewing logs

If a Log Analysis instance in a region is already enabled to collect platform logs, logs from the Security and Compliance Center service in that region are collected automatically and available for analysis through this instance.

To view and analyze platform logs for a Security and Compliance Center instance, check that the Log Analysis instance is provisioned in the same region where the Security and Compliance Center instance that you want to monitor is available.

To start the Log Analysis web UI to view logs, see Navigating to the web UI.

Fields per log type

Table 4 outlines the fields that are included in each log record:

Table 4. Log record fields
Field	Type	Description
`logSourceCRN`	Required	Defines the Security and Compliance Center instance where the log is published.
`resourceGroupId`	Required	Defines the resource group that is associated with the Security and Compliance Center instance.
`message`	Required	Description of the log that is generated.
`msgTimestamp`	Required	UTC timestamp of the message.
`messageId`	Required	ID of the log that is generated.
`correlationId`	Required	Unique identifier used to correlate multiple log entries associated with a single API request.
`level`	Required	Type of log. Valid values are `info`, `warn`, `error`.
`requestId`	Optional	Identifier of the associated request.
`resolution`	Optional	Guidance on how to proceed if you receive this log record.
`documentUrls`	Optional	More information on how to proceed if you receive this log record.

Log messages

The following table lists the message IDs that are generated by the Security and Compliance Center service:

Table 5. Message IDs
Message ID	Log type	Description	Additional fields	Resolution
`compliance.00001E`	ERROR	Provider integration missing.	`scanID`, `providerType`	Please create an integration between Workload Protection and Security and Compliance.
`compliance.00002E`	ERROR	Unable to retrieve results from the provider.	`scanID`, `providerType`	Please review the workload protection configuration. Additionally, please reach out to the Security and Compliance team and provide them with the correlationID.
`compliance.00003I`	INFO	Scheduled scan started.	`scanID`, `attachmentID`, `scanType`	N/A
`compliance.00004I`	INFO	On-demand scan started.	`scanID`, `attachmentID`, `scanType`	N/A
`compliance.00005E`	ERROR	One scan is already running for the attachment, hence could not initiate a new scan.	`attachmentID`	One scan is already in progress for this attachment, you can run only one scan per attachment at a time. Please wait until the current running scan to complete and then initiate a new scan.
`compliance.00006E`	ERROR	Cloud Object Storage configuration not valid.	`attachmentID`, `scanType`	Missing storage configuration. Before you can evaluate your resources you must connect a Cloud Object Storage bucket that can be used to store results.
`compliance.00007E`	ERROR	Billing plan validation failed.	`attachmentID`, `scanType`	Most likely your trial-period has ended, please check and upgrade your plan. To continue to work with the service.
`compliance.00008E`	ERROR	Scan failed.	`scanID`	Scan failed due to an unexpected error, please create support case with the necessary information like correlationId.
`compliance.00009E`	ERROR	Unable to store report in Cloud Object Storage bucket.	`scanID`	Validate the configuration of your Cloud Object Storage bucket associated with this Security and Compliance instance.