IBM Cloud Docs
Activity Tracking extension

In IBM® Cloud Logs, you can use the Activity Tracking extension to gain insights into activity tracking events that are generated in an IBM Cloud account.

Before you begin

Activity tracking events are critical data for security operations and a key element for meeting compliance requirements.

In IBM Cloud Logs, activity tracking events that are generated by IBM Cloud services include metadata fields that you can use to enhance searches and analyze the data.

  • applicationName: The application name is the environment that produces and sends data to IBM Cloud Logs. It is set to ibm-audit-events for activity tracking events.

  • subsystemName: The subsystem name is the service or application that produces and sends logs to IBM Cloud Logs. It is set as follows for activity tracking events:

    For IBM Cloud services that you can provision, the format is: crn-service-name:<INSTANCE_GUID>

    For VPC services, the format is: is:<VPC_SERVICE_NAME>

    For platform services (these are services that you cannot provision), the format is: crn-service-name:

In IBM Cloud, you must configure IBM Cloud Activity Tracker Event Routing to route activity tracking events to the IBM Cloud Logs service.

Before you can monitor activity tracking events that are generated in an IBM Cloud account, you must configure the IBM Cloud Activity Tracker Event Routing service in the account to define what activity tracking events you want to collect, the destination where you want to monitor the events, and the routing rules that define where the events are routed.

  • You can configure 1 or more IBM Cloud Logs instances in the account.
  • The IBM Cloud Logs instances can be located in the same account where events are generated or in a different account.
  • You must define a service to service authorization between IBM Cloud Activity Tracker Event Routing and IBM Cloud Logs to grant permissions to the IBM Cloud Activity Tracker Event Routing service to send events to the IBM Cloud Logs service.

What this extension deploys

This extension includes one or more items.

Items included when extension is deployed

Includes            Number
Alerts              2
Dashboards          3
Enrichments         0
Events to metrics   0
Rules               1
Views               3

Before deploying this extension, make sure that deploying the extension will not cause you to exceed limits for your IBM Cloud Logs instance. If deploying the extension results in limits being exceeded, the deployment will fail.

Deploying the extension

You can deploy this extension in any IBM Cloud Logs instance that collects activity tracking events. This extension includes a set of pre-configured resources such as dashboards, views, and alerts that help you monitor critical metrics, identify anomalies, and optimize your system's performance.

When you deploy the extension, consider the following information:

  • Views and dashboards are located within the folder Activity Tracking.
  • Alerts have the label platform:event that you can use to filter them out in the Alert Management page.
  • Parsing rules should be deployed for some of the views and dashboards to report data.

For more information about deploying the extension, see Deploying, managing, and removing IBM Cloud Logs extensions.

After deploying, verify that the extension configuration handles data in a way that matches your IBM Cloud Logs instance configuration. For example, if you have TCO policies sending data to the Analyze and alert pipeline, you will need to change the dashboard configured by this extension to All Logs instead of Priority insights.

Parsing rules

You can use parsing rules to process, parse, and restructure log data to prepare for monitoring and analysis.

The creation of the Parsing CRN rule and the disabling of the Severity Rule are required for the Activity Tracking extension to operate correctly. See log parsing rules for information about IBM Cloud Logs parsing rules.

Parsing CRN

The parsing rule Parsing CRN is required for the rest of the resources that are provided as part of this extension to display data. You must deploy it.

This rule is required to identify the different components of the logSourceCRN field in activity tracking events:

crn:v1:bluemix:public:(?P<serviceName>[^:]+):(?P<region>[^:]*):a\/(?P<accountID>[^:]+):(?P<instanceID>[^:]*):(?P<resourceType>[^:]*):(?P<resourceID>[^:]*)$

It creates new fields to capture the information: serviceName, region, accountID, instanceID, resourceType, and resourceID.

It also sets the value global for activity tracking events that are global and therefore do not include a region value in the CRN.

Severity Rule

When you configure IBM Cloud Activity Tracker Event Routing, activity tracking events are set with the severity value that applies to each event. You must disable the rule Severity Rule so the severity set from the source is maintained.

Dashboards

You can deploy any of the following predefined dashboards:

  • Activity Tracking Overview by region: Use this dashboard to monitor activity tracking events by region and by service.
  • Activity Tracking Overview by action: Use this dashboard to monitor activity tracking events by action and by service.
  • Activity Tracking TCO Overview: Use this dashboard to monitor your activity tracking events by TCO policy. You must have a Cloud Object Storage bucket configured with your IBM Cloud Logs instance to use this dashboard. You can monitor the Priority insights or Analyze and alert pipelines by switching the pipeline in the dashboard. Monitoring of the Store and search pipeline is not supported.

If you decide to remove dashboard widgets for specific regions or locations where you are not currently operating, and then add operations in those regions, the deleted widgets will not be automatically added back into your dashboard. You can clone a widget and change the location to add it back.

Views

You can deploy any of the following views:

  • Actions by service table: Use this view to see the number of events by service name and action.
  • All logs: Use this view to see events in a customized view that shows timestamp, severity, service name and message.
  • Instances created by service: Use this view to see events that report provisioning of instances in the account ordered by eventTime.
  • Events by service in EU-GB: Use this view as a sample to view the list of services that generate events in a region. You can use this view to create views for other regions.

Alerts

You can deploy any of the following alerts:

  • Activity tracking events are down: Use this alert to be notified when no events are ingested over a period of 10 min.
  • Unauthorized access: Use this alert to notify when activity tracking events report actions with RC=403 or RC=401.
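As an added example (not code from the page or from IBM), this Python script applies the Parsing CRN rule's regular expression to constructed logSourceCRN values, including the global-service case with an empty region, and then derives the per-service action counts and the RC=401/403 selection that the Actions by service table view and the Unauthorized access alert are built on. The event shape and the rc key are assumptions made for the sample.

```python
import re

# The Parsing CRN rule from the page; Python's re uses the same (?P<name>...) syntax.
CRN_PATTERN = re.compile(
    r"crn:v1:bluemix:public:(?P<serviceName>[^:]+):(?P<region>[^:]*)"
    r":a\/(?P<accountID>[^:]+):(?P<instanceID>[^:]*)"
    r":(?P<resourceType>[^:]*):(?P<resourceID>[^:]*)$"
)

def parse_log_source_crn(crn):
    """Split a logSourceCRN into the six fields the rule creates, or
    return None if the value is not a CRN. An empty region segment
    marks a global service, so region becomes "global" as the rule does."""
    m = CRN_PATTERN.match(crn)
    if m is None:
        return None
    fields = m.groupdict()
    if fields["region"] == "":
        fields["region"] = "global"
    return fields

# Constructed sample events (not real account data). action and logSourceCRN
# are field names from the page; rc is an assumed key holding the response code.
SAMPLE_EVENTS = [
    {"action": "kms.secrets.read", "rc": 403,
     "logSourceCRN": "crn:v1:bluemix:public:kms:us-south:a/a1b2c3:inst-2:key:k-9"},
    {"action": "kms.secrets.read", "rc": 401,
     "logSourceCRN": "crn:v1:bluemix:public:kms:us-south:a/a1b2c3:inst-2:key:k-9"},
    {"action": "iam-identity.apikey.create", "rc": 201,
     "logSourceCRN": "crn:v1:bluemix:public:iam-identity::a/a1b2c3:::"},
]

def actions_by_service(events):
    """Count events per (serviceName, action), as the 'Actions by service
    table' view does; events whose CRN does not parse are skipped."""
    counts = {}
    for ev in events:
        parsed = parse_log_source_crn(ev["logSourceCRN"])
        if parsed is not None:
            key = (parsed["serviceName"], ev["action"])
            counts[key] = counts.get(key, 0) + 1
    return counts

def unauthorized_events(events):
    """(serviceName, action, rc) for events with response code 401 or 403,
    the condition of the 'Unauthorized access' alert."""
    return [((parse_log_source_crn(ev["logSourceCRN"]) or {}).get("serviceName"),
             ev["action"], ev["rc"])
            for ev in events if ev["rc"] in (401, 403)]
```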