Logging for Security and Compliance Center
IBM Cloud services, such as Security and Compliance Center, generate platform logs that you can use to investigate abnormal activity and critical actions in your account, and troubleshoot problems.
You can use IBM Cloud Logs Routing, a platform service, to route platform logs in your account to a destination of your choice by configuring a tenant that defines where platform logs are sent. For more information, see About Logs Routing.
You can use IBM Cloud Logs to visualize and alert on platform logs that are generated in your account and routed by IBM Cloud Logs Routing to an IBM Cloud Logs instance.
As of 28 March 2024, the IBM Log Analysis service is deprecated and will no longer be supported as of 30 March 2025. Customers will need to migrate to IBM Cloud Logs before 30 March 2025. During the migration period, customers can use IBM Log Analysis along with IBM Cloud Logs. Logging is the same for both services. For information about migrating from IBM Log Analysis to IBM Cloud Logs and running the services in parallel, see migration planning.
Locations where platform logs are generated
Locations where logs are sent to IBM Log Analysis
Security and Compliance Center sends platform logs to IBM Log Analysis in the regions indicated in the following table.
Dallas (us-south) | Washington (us-east) | Toronto (ca-tor) | Sao Paulo (br-sao) |
---|---|---|---|
Yes | No | Yes | No |

Tokyo (jp-tok) | Sydney (au-syd) | Osaka (jp-osa) | Chennai (in-che) |
---|---|---|---|
No | No | No | No |

Frankfurt (eu-de) | London (eu-gb) | Madrid (eu-es) |
---|---|---|
Yes | No | Yes |
Locations where logs are sent by IBM Cloud Logs Routing
Security and Compliance Center sends logs by IBM Cloud Logs Routing in the regions that are indicated in the following table.
Dallas (us-south) | Washington (us-east) | Toronto (ca-tor) | Sao Paulo (br-sao) |
---|---|---|---|
Yes | No | Yes | No |

Tokyo (jp-tok) | Sydney (au-syd) | Osaka (jp-osa) | Chennai (in-che) |
---|---|---|---|
No | No | No | No |

Frankfurt (eu-de) | London (eu-gb) | Madrid (eu-es) |
---|---|---|
Yes | No | Yes |
Platform logs that are generated
The Security and Compliance Center service generates platform logs related to the following cases:
- When a scan begins or when a scan cannot be initiated
- Any errors related to provider integrations
- Report generation or if an error associated with a report is found
- When there is an error in storing reports
Enabling logging
Platform logs are logs that are exposed by logging-enabled services and the platform in IBM Cloud. Platform logs are regional. You can monitor logs from enabled services on IBM Cloud in the region where the service is available. While you can configure multiple IBM Cloud Logs service instances in a location, only one instance of the logging service can be configured to receive logs from enabled services in that IBM Cloud location.
To configure your IBM Cloud instance, you must turn on the platform logs configuration setting. You must also have the platform role of editor or higher for the IBM Cloud Logs service in your account. For more information about platform logs, see Configuring IBM Cloud platform logs.
Viewing logs
Launching IBM Cloud Logs from the Observability page
For more information about launching the IBM Cloud Logs UI, see Launching the UI in the IBM Cloud Logs documentation.
Fields by log type
For information about fields included in every platform log, see Fields for platform logs.
Field | Type | Description |
---|---|---|
logSourceCRN | Required | Defines the Security and Compliance Center instance where the log is published. |
resourceGroupId | Required | Defines the resource group that is associated with the Security and Compliance Center instance. |
message | Required | Description of the log that is generated. |
msgTimestamp | Required | UTC timestamp of the message. |
messageId | Required | ID of the log that is generated. |
correlationId | Required | Unique identifier used to correlate multiple log entries associated with a single API request. |
level | Required | Type of log. Valid values are info, warn, error. |
requestId | Optional | Identifier of the associated request. |
resolution | Optional | Guidance on how to proceed if you receive this log record. |
documentUrls | Optional | More information on how to proceed if you receive this log record. |
Log messages
The following table lists the message IDs that are generated by the Security and Compliance Center service:
Message ID | Log type | Description | Additional fields | Resolution |
---|---|---|---|---|
compliance.00001E | ERROR | Provider integration missing. | scanID, providerType | Please create an integration between Workload Protection and Security and Compliance. |
compliance.00002E | ERROR | Unable to retrieve results from the provider. | scanID, providerType | Please review the workload protection configuration. Additionally, please reach out to the Security and Compliance team and provide them with the correlationID. |
compliance.00003I | INFO | Scheduled scan started. | scanID, attachmentID, scanType | N/A |
compliance.00004I | INFO | On-demand scan started. | scanID, attachmentID, scanType | N/A |
compliance.00005E | ERROR | One scan is already running for the attachment, hence could not initiate a new scan. | attachmentID | One scan is already in progress for this attachment, you can run only one scan per attachment at a time. Please wait until the current running scan to complete and then initiate a new scan. |
compliance.00006E | ERROR | Cloud Object Storage configuration not valid. | attachmentID, scanType | Missing storage configuration. Before you can evaluate your resources you must connect a Cloud Object Storage bucket that can be used to store results. |
compliance.00007E | ERROR | Billing plan validation failed. | attachmentID, scanType | Most likely your trial-period has ended, please check and upgrade your plan. To continue to work with the service. |
compliance.00008E | ERROR | Scan failed. | scanID | Scan failed due to an unexpected error, please create support case with the necessary information like correlationId. |
compliance.00009E | ERROR | Unable to store report in Cloud Object Storage bucket. | scanID | Validate the configuration of your Cloud Object Storage bucket associated with this Security and Compliance instance. |
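The following Python triage routine is an added example, not IBM code. It checks exported records against the required fields above, groups error records by correlationId, and lists scans that logged a start message and later an error with the same scanID. It assumes each record is one flat JSON object per line with the documented field names at top level; the function names and all sample values are constructed, and level is compared case-insensitively.

```python
import json
from collections import defaultdict

# Required fields, from the "Fields by log type" table.
REQUIRED = ("logSourceCRN", "resourceGroupId", "message", "msgTimestamp",
            "messageId", "correlationId", "level")
# Scan-start message IDs, from the "Log messages" table.
SCAN_STARTED = {"compliance.00003I", "compliance.00004I"}

def triage(lines):
    """Return (malformed, errors by correlationId, errors by started scanID)."""
    malformed, started = [], set()
    errors, failed = defaultdict(list), defaultdict(list)
    for n, line in enumerate(lines, 1):
        try:
            rec = json.loads(line)
            mid = str(rec.get("messageId", ""))
        except (json.JSONDecodeError, AttributeError):
            malformed.append((n, "not a JSON object"))
            continue
        if mid and not mid.startswith("compliance."):
            continue  # platform log from another service
        missing = [f for f in REQUIRED if f not in rec]
        if missing:
            malformed.append((n, "missing " + ",".join(missing)))
            continue
        scan = rec.get("scanID")
        if mid in SCAN_STARTED and scan:
            started.add(scan)
        elif str(rec["level"]).lower() == "error":
            errors[rec["correlationId"]].append(mid)
            if scan in started:
                failed[scan].append(mid)
    return malformed, dict(errors), dict(failed)

def sample_line(mid, level, corr, **extra):
    """Build one constructed record; every value here is a placeholder."""
    rec = {"logSourceCRN": "crn:EXAMPLE", "resourceGroupId": "rg-EXAMPLE",
           "message": "constructed", "msgTimestamp": "2024-01-01T00:00:00Z",
           "messageId": mid, "correlationId": corr, "level": level}
    return json.dumps({**rec, **extra})

SAMPLE = [  # constructed input, not real service output
    sample_line("compliance.00004I", "info", "c-1", scanID="s-1", attachmentID="a-1"),
    sample_line("compliance.00009E", "error", "c-1", scanID="s-1"),
    sample_line("compliance.00005E", "error", "c-2", attachmentID="a-1"),
    '{"messageId": "compliance.00008E", "level": "error"}',
    "not json",
]
```

Calling `triage(SAMPLE)` reports the last two lines as malformed and ties the compliance.00009E record to scan s-1, which started but could not store its report.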