IBM Cloud Docs
Logging for VPC

Logging for VPC

IBM Cloud services, such as IBM Cloud VPC, generate platform logs that you can use to investigate abnormal activity and critical actions in your account, and troubleshoot problems.

You can use IBM Cloud Logs Routing, a platform service, to route platform logs in your account to a destination of your choice by configuring a tenant that defines where platform logs are sent. For more information, see About Logs Routing.

You can use IBM Cloud Logs to visualize and alert on platform logs that are generated in your account and routed by IBM Cloud Logs Routing to an IBM Cloud Logs instance.

As of 28 March 2024, the IBM Log Analysis service is deprecated and will no longer be supported as of 30 March 2025. Customers need to migrate to IBM Cloud Logs before 30 March 2025. During the migration period, customers can use IBM Log Analysis along with IBM Cloud Logs. Logging is the same for both services. For information about migrating from IBM Log Analysis to IBM Cloud Logs and running the services in parallel, see migration planning.

Locations where platform logs are generated

Locations where logs are sent to IBM Log Analysis

IBM Cloud VPC sends platform logs to IBM Log Analysis in the regions indicated in the following table.

Regions where platform logs are sent in Americas locations
Dallas (us-south) Washington (us-east) Toronto (ca-tor) Sao Paulo (br-sao)
Yes Yes Yes Yes
Regions where platform logs are sent in Asia Pacific locations
Tokyo (jp-tok) Sydney (au-syd) Osaka (jp-osa)
Yes Yes Yes
Regions where platform logs are sent in Europe locations
Frankfurt (eu-de) London (eu-gb) Madrid (eu-es)
Yes Yes Yes

Locations where logs are sent by IBM Cloud Logs Routing

IBM Cloud VPC sends logs by IBM Cloud Logs Routing in the regions that are indicated in the following table.

Regions where platform logs are sent in Americas locations
Dallas (us-south) Washington (us-east) Toronto (ca-tor) Sao Paulo (br-sao)
Yes Yes Yes Yes
Regions where platform logs are sent in Asia Pacific locations
Tokyo (jp-tok) Sydney (au-syd) Osaka (jp-osa)
Yes Yes Yes
Regions where platform logs are sent in Europe locations
Frankfurt (eu-de) London (eu-gb) Madrid (eu-es)
Yes Yes Yes

Viewing logs

Launching IBM Cloud Logs from the Observability page

For more information about launching the IBM Cloud Logs UI, see Launching the UI in the IBM Cloud Logs documentation.

Fields per log type

The following table outlines the fields that are included in each log record:

Log record fields
Field Type Description
logSourceCRN Required Defines the account and flow log instance where the log is published.
saveServiceCopy Required Defines whether IBM saves a copy of the record for operational purposes.
message Required Description of the log that is generated.
messageID Required ID of the log that is generated.
msg_timestamp Required The timestamps when the log is generated.
resolution Optional Guidance on how to proceed if you receive this log record.
documentsURL Optional More information on how to proceed if you receive this log record.
generation Required Defines the VPC source of the log. Valid options are 1 for VPC Classic, and 2 for VPC Gen 2.

Log messages

The following tables list the message IDs that are generated by VPC services:

Dedicated Host

The following table outlines the message IDs that are generated for dedicated hosts:

Message IDs that are generated for dedicated hosts
Message ID Type Learn More
dedicated-host.00001 err Failed to create dedicated host <Dedicated Host ID> due to insufficient capacity in zone.
dedicated-host.00002 info Provisioned a virtual server instance on dedicated host <Dedicated Host ID>.
dedicated-host.00003 info Removed a virtual server instance on dedicated host <Dedicated Host ID>.

A log is generated when each Dedicated Host event occurs.

File share cross-account access

The following table outlines the message IDs that are generated for File Storage related events:

Message IDs that are generated for accessor file share events
Message ID Type Description
is.share.00004I info The lifecycle_state of accessor share {{.shareID}} is stable.
is.share.00005I info The lifecycle_state of accessor share {{.shareID}} is failed and the reason for failure is {{.shareLifecycleReason}}.
is.share.00006I info The lifecycle_state of share mount target {{.targetID}} for the {{.shareID}} at accessor account is stable.
is.share.00007I info The lifecycle_state of share mount target {{.targetID}} for the {{.shareID}} at accessor account is failed.

File share replication

The following table outlines the message IDs that are generated for File Storage replication events:

Message IDs that are generated for file share replication events
Message ID Type Description
regional-file.00001I info The replication status of {{.shareID}} is active.
regional-file.00002W warning The replication status of {{.shareID}} is degraded.
regional-file.00003I info Initiated by the cron schedule {{.cronSpec}}, {{.dataTransferredInGiB}} of data transferred from the source share {{.shareID.}} between {{.startedAt.}} and {{.endedAt.}} with a data transfer rate of {{.transferRate}}.

A log is generated when a replication event occurs.

Flow log collector

The following table outlines the message IDs that are generated by the flow log collector service:

Message IDs that are generated by Flow Log Collector
Message ID Type Learn More
is.flow-log-collector.00001E err Failed to write Flow Log file for the past 24 hours. Dropping flow log for Virtual Server <ServerName>
is.flow-log-collector.00002E err Unauthorized access to Cloud Object Storage bucket <BucketName>
is.flow-log-collector.00003E err Cloud Object Storage bucket <BucketName> was not found

Flow log collector generates hourly logs.

Load Balancer for VPC

The following table outlines the message IDs that are generated by the Load Balancer for VPC service:

Message IDs that are generated by the Load Balancer for VPC service
Message Category Type Description
Health check info Connect from <IP>:<PORT> to <IP>:<PORT>
Connect info Health check for server <ID>> failed, reason: Layer4 connection problem, info: "General socket error (Network is unreachable)", check duration: 0ms, status: 1/2 UP

Resource Quota

The following table outlines the message IDs that are generated for resource quota events:

Message IDs that are generated for resource quota events
Message ID Type Learn More
quota-monitoring.00001 info Successfully provisioned resource <Resource ID>.
quota-monitoring.00002 err Failed to provision resource <Resource ID> due to resource quota limits.
quota-monitoring.00004 err Failed to update resource <Resource ID> due to resource quota limits.

A log is generated when a provision or update resource quota event succeeds or fails.

Snapshots for VPC

The following table outlines the message IDs that are generated by the Snapshots service:

Message IDs that are generated for Snapshot events
Message ID Type Learn More
snapshot.00001 info Snapshot creation requested for volume <Volume ID>.
snapshot.00002 info Snapshot <Snapshot ID> is successfully captured. Volume <Volume ID>
snapshot.00003 info Snapshot <Snapshot ID> is an incremental snapshot. Volume <Volume ID>
snapshot.00004 info Snapshot <Snapshot ID> is a full snapshot. Volume <Volume ID>
snapshot.00005 info Snapshot <Snapshot ID> is available. Volume <Volume ID>
snapshot.00006 info Snapshot <Snapshot ID> is uploaded. Volume <Volume ID>
snapshot.00007 info Snapshot <Snapshot ID> deletion requested.
snapshot.00008 info Snapshot <Snapshot ID> is successfully deleted. Volume <Volume ID> Region <Region>
snapshot.00009 info All snapshots of volume <Volume ID> in the region <Region> are requested to be deleted.
snapshot.00010 info Delete all snapshots request for volume <Volume ID> is completed successfully. Region <Region>
snapshot.00010 info Snapshot copy creation in region <Region> requested for snapshot <Snapshot ID> from region <Source Region>. Volume <Volume ID>

VPN for VPC (site-to-site) logging

Fields per log type (VPN for VPC)

The following table outlines the fields that are included in each site-to-site VPN log record:

Sub-system name = is.vpn

Log record fields (VPN for VPC)
Field Type Description
logSourceCRN Required The VPN ID can be obtained from logSourceCRN.
tag Required Includes the account where the VPN is and matches the account in logSourceCRN.
message Required Contains different data based on the RFC protocol standard.

Logs (VPN for VPC)

The following table outlines sample logs that are generated by the VPN for VPC service. The following logs are based on Internet Key Exchange version 2 (IKEv2).

Logs that are generated for VPN for VPC (site-to-site)
Log Description
UTC YYYY-MM-DD HH24:MM:SS 03[IKE] <peer_{PEER GW IP}_{VPN GW CONNECTION ID}|32563> initiating IKE_SA peer_{PEER GW IP}_{VPN GW CONNECTION ID}[32563] to {PEER GW IP} Initiating the establishment of an IKE Security Association with the peer.
UTC YYYY-MM-DD HH24:MM:SS 07[CFG] <peer_{PEER GW IP}_{VPN GW CONNECTION ID}|664> configured proposals: IKE:{IKE POLICIES} Listing the IKE policies currently configured.
UTC YYYY-MM-DD HH24:MM:SS 12[IKE] <peer_{PEER GW IP}_{VPN GW CONNECTION ID}|665> IKE_SA peer_{PEER GW IP}_{VPN GW CONNECTION ID}[665] established between {GW PRIVATE IP}[{LOCAL GW IP}]...{PEER GW IP}[{PEER GW IP}] The IKE Security Association with the peer is established.
UTC YYYY-MM-DD HH24:MM:SS 12[IKE] <peer_{PEER GW IP}_{VPN GW CONNECTION ID}> CHILD_SA peer_{PEER GW IP}_{VPN GW CONNECTION ID}{1} established with SPIs {SPI INDEX} and TS {LOCAL CIDR} === {PEER CIDR} The CHILD Security Association is established and finalized with the peer.
UTC YYYY-MM-DD HH24:MM:SS 13[IKE] <peer_{PEER GW IP}_{VPN GW CONNECTION ID}|665> IKE_SA deleted The IKE Security Association has been terminated.
UTC YYYY-MM-DD HH24:MM:SS 13[IKE] <peer_{PEER GW IP}_{VPN GW CONNECTION ID}|665> IKE_SA peer_{PEER GW IP}_{VPN GW CONNECTION ID}[665] state change: DELETING => DESTROYING Tearing down the deleted IKE Security Association connection.
UTC YYYY-MM-DD HH24:MM:SS 06[IKE] <peer_{PEER GW IP}_{VPN GW CONNECTION ID}|32563> establishing IKE_SA failed, peer not responding The IKE_SA connection initiation from the VPN gateway is not getting a response from the peer.
UTC YYYY-MM-DD HH24:MM:SS 15[ENC] <peer_{PEER GW IP}_{VPN GW CONNECTION ID}|670> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ] Error triggered by a preshared key mismatch on either side.
UTC YYYY-MM-DD HH24:MM:SS 06[IKE] <679> no IKE config found for {GW PRIVATE IP}...{LOCAL GW IP}, sending NO_PROPOSAL_CHOSEN Error occurred because the IKE policies selected on both sides do not match.
UTC YYYY-MM-DD HH24:MM:SS 15[IKE] <peer_{PEER GW IP}_{VPN GW CONNECTION ID}|684> no acceptable proposal found Error occurred because the IPsec policies selected on both sides do not match.
UTC YYYY-MM-DD HH24:MM:SS 15[IKE] <peer_{PEER GW IP}_{VPN GW CONNECTION ID}|684> failed to establish CHILD_SA, keeping IKE_SA Error prevented the successful establishment of CHILD_SA.

Client VPN for VPC (client-to-site) logging

Fields per log type (VPN for VPC)

The following table outlines the fields that are included in each client-to-site VPN log record:

Sub-system name = is.vpn.server

Log record fields (Client VPN for VPC)
Field Type Description
logSourceCRN Required The VPN ID can be obtained from logSourceCRN.
tag Required Includes the account where the VPN is and matches the account in logSourceCRN.
message Required Contains different data based on the RFC protocol standard.

Logs (Client VPN for VPC)

The following table outlines sample logs that are generated by the Client VPN for VPC service. The following logs are based on Internet Key Exchange version 2 (IKEv2).

Logs that are generated for Client VPN for VPC (client-to-site)
Log Description
YYYY-MM-DD HH24:MM:SS {DEVICE PUBLIC IP:PORT} {USERNAME/INTERMEDIATE CA} connect The connection between the OpenVPN client and the server is established.
YYYY-MM-DD HH24:MM:SS {DEVICE PUBLIC IP:PORT} {USERNAME/INTERMEDIATE CA} disconnect The OpenVPN client is no longer linked to the server.