Use the IBM Cloud Activity Tracker with LogDNA service to monitor the activity of your IBM Cloud account. You can use this service to investigate abnormal activity and critical actions, and to comply with regulatory audit requirements. In addition, you can be alerted on actions as they happen. The events that are collected comply with the Cloud Auditing Data Federation (CADF) standard.
IBM Cloud Activity Tracker with LogDNA collects and stores audit records for API calls made to resources that run in the IBM Cloud. You can archive these events on IBM Cloud for long-term storage.
About IBM Cloud Activity Tracker with LogDNA
Compliance with internal policies and industry regulations is a key requirement in any organization's strategy, regardless of where applications run: on-premises, in a hybrid cloud, or in a public cloud. The IBM Cloud Activity Tracker with LogDNA service provides the framework and functionality to monitor API calls to services on the IBM Cloud and produces the evidence to comply with corporate policies and industry-specific regulations.
When you work in a cloud environment, such as the IBM Cloud, you must plan the cloud strategy for auditing and monitoring workloads and data in accordance with your internal policies and with industry and country-based compliance requirements. You can use the information that is registered through the IBM Cloud Activity Tracker with LogDNA service to identify security incidents, detect unauthorized access, and comply with regulatory and internal auditing requirements.
- IBM Cloud Activity Tracker with LogDNA supports high-level security governance for your IT resources in the cloud.
- IBM Cloud Activity Tracker with LogDNA provides a solution for administrators to capture, store, view, search, and monitor API activity in a single place. It also offers a notifications feature to alert you by using any of the supported notification channels.
- IBM Cloud Activity Tracker with LogDNA provides capabilities to export events that you can then use to generate an audit trail report. You might require these reports so that your organization complies with internal regulations and external industry and country regulations.
Features
Simplify compliance sign-off tasks
Boost audit tasks on your IBM Cloud by automatically collecting events that report on actions to resources in your IBM Cloud account. Analyze and get notified on the events that report out-of-compliance actions.
Accelerate detection of security incidents
Get alert notifications of important events and errors when things are out of compliance. Create custom views and get notified immediately. You can configure multi-channel alert notifications based on pattern matching to a variety of direct integrations such as email, Slack, PagerDuty, or your own custom webhooks.
Improve visibility on actions in your IBM Cloud account
Improve the visibility into user and resource activity in your account by easily identifying the initiator who requested an action, the object on which the action was requested, and the time when the action took place.
Adhere to standards
Events comply with the Cloud Auditing Data Federation (CADF) standard. Use simple keyword-based search across your events instead of fiddling with custom query languages. Apply the same keyword search to build time series graphs instantly.
For example, you can use the IBM Cloud Activity Tracker with LogDNA events to identify the following information:
- The users who made API calls to cloud services
- The timestamp when the API calls were made
- The status of the API call
- The criticality of the action
Security
Consider the following information about security when you work with the IBM Cloud Activity Tracker with LogDNA service:
- IBM services that generate IBM Cloud Activity Tracker with LogDNA events follow the IBM Cloud security policy. See Trust the security and privacy of IBM Cloud.
- The IBM Cloud Activity Tracker with LogDNA service captures user-initiated actions that change the state of Cloud services. The information does not provide direct access to databases or applications.
- Only authorized users can view and monitor IBM Cloud Activity Tracker with LogDNA event logs. Each user is identified by their unique ID in the IBM Cloud.
- You can provision only 1 instance of the service per IBM Cloud location (region).
Objectives
Complete this tutorial to learn how to provision a service in the IBM Cloud. Find out what common data is available in each event and how it can help you monitor your cloud environment. Learn to navigate in the web UI.
Prerequisites
You need a user ID that is a member or an owner of an IBM Cloud account. To get an IBM Cloud user ID, go to: Registration.
If you prefer to work with the command line, install the IBM Cloud CLI. See Installing the IBM Cloud CLI.
To complete the steps to manage access to the service, your user ID needs administrator platform permissions to manage the IBM Cloud Activity Tracker with LogDNA service. Contact the account administrator. The account owner can grant another user access to the account for the purposes of managing user access, and managing account resources. Learn more.
Step 1. Provision an instance of the IBM Cloud Activity Tracker with LogDNA service
Complete the following steps to provision an instance:
Log in to your IBM Cloud account.
After you log in with your user ID and password, the IBM Cloud UI opens.
Go to the menu icon. Then, select Observability to access the Observability dashboard.
Select Activity Tracker, then click Create instance.
Enter a name for the service instance.
Select the Frankfurt location.
For more information about the regions where the service is available, see Regions.
Select a resource group.
By default, the default resource group is set.
Note: If you are not able to select a resource group, check that you have editing permissions on the resource group where you want to provision the instance.
Select the Lite service plan.
By default, the lite plan is set.
Click Create.
After you provision an instance, the Activity Tracker dashboard opens.
Step 2. Manage access to the service
Every user that accesses the IBM Cloud Activity Tracker with LogDNA service in your account must be assigned an access policy with an IAM user role defined. The policy determines what actions the user can perform within the context of the service or instance you select. The allowable actions are customized and defined as operations that are allowed to be performed on the service. The actions are then mapped to IAM user roles. Learn more.
To grant a user management permissions to work with the IBM Cloud Activity Tracker with LogDNA service within the context of a resource group, complete the following steps:
Step 2.1. Create an access group
Complete the following steps to create an access group:
- From the menu bar, click Manage > Access (IAM), and select Access Groups.
- Click Create.
- Enter a name and optional description for your group, and click Create.
Step 2.2. Add permissions to manage events
After you set up your group, you must assign a common access policy to the group. Any policy that you set for an access group applies to all entities, users and service IDs, within the group.
When you define the policy, you need to select a platform role and a service role:
- Platform management roles cover a range of actions, including the ability to create and delete instances, manage aliases, bindings, and credentials, and manage access. The platform roles are administrator, editor, operator, viewer. Platform management roles also apply to account management services that enable users to invite users, manage service IDs, access policies, catalog entries, and track billing and usage depending on their assigned role on an account management service.
- Service access roles define a user or service's ability to perform actions on a service instance. The service access roles are manager, writer, and reader.
To manage the IBM Cloud Activity Tracker with LogDNA service, a user needs the following roles:
- Platform role: Administrator.
- Service role: Manager.
Complete the following steps to assign a policy through the UI:
- From the menu bar, click Manage > Access (IAM).
- Select Access Groups.
- Select the name of the group that you want to assign access to.
- Click Access policies > Assign access.
- Select IAM services.
- For the field What type of access do you want to assign?, select IBM Cloud Activity Tracker with LogDNA.
- For the in field, select the resource group.
- Select the platform role Administrator.
- Select the service role Manager.
- Click Add. Then, select Assign.
Step 2.3. Add the user to the group
Complete the following steps to add the user to the access group:
- Click Add users on the Users tab.
- Select the user that you want to add from the list, and click Add to group.
Step 3. Generate IBM Cloud Activity Tracker with LogDNA events
If you have a pay-as-you-go account, you can use Certificate Manager to create an event. If you don't have a pay-as-you-go account, provisioning any of the available lite services triggers an event.
From the IBM Cloud catalog, select the category Security and Identity.
Select the Certificate Manager service.
Step 4. Launch the web UI
Complete the following steps to launch the web UI:
Log in to your IBM Cloud account.
After you log in with your user ID and password, the IBM Cloud dashboard opens.
In the navigation menu, select Observability.
Select Activity Tracker.
The list of instances that are available on IBM Cloud is displayed.
Select the instance that is located in Frankfurt. Then, click View LogDNA.
Global events, like provisioning a service, are available through the global domain instance that is located in Frankfurt.
The web UI opens.
Step 5. View events
The IBM Cloud Activity Tracker with LogDNA service captures activity data that is related to API calls and other actions that are made to selected cloud services in the IBM Cloud.
- Events are collected automatically.
- Events that are collected in IBM Cloud Activity Tracker with LogDNA comply with the Cloud Auditing Data Federation (CADF) standard. The CADF standard defines a full event model that includes the information that is needed to certify, manage, and audit security of applications in cloud environments.
- IBM Cloud Activity Tracker with LogDNA stores and groups events by location.
- Events that report on global IBM Cloud account actions are collected and stored in Frankfurt (EU-DE).
- The service plan that you select for your IBM Cloud Activity Tracker with LogDNA instance sets the number of days that events are available for search through the web UI.
When the web UI opens, the Everything view is displayed. You can see events through this view.
You can also define custom views to view a set of events by applying a timestamp, a search query, or both. Learn more.
Step 6. Learn about the structure of an event
Events comply with the Cloud Auditing Data Federation (CADF) standard. The CADF standard defines a full event model that includes the information that is needed to certify, manage, and audit security of applications in cloud environments.
The CADF event model includes the following components:
| Component | Description |
|---|---|
| Action | The action is the operation or activity that an initiator performs, attempts to perform, or is waiting to complete. |
| Initiator | The initiator is the resource that makes an API call and generates a CADF event. The event that is triggered depends on the action that is requested by the API call. |
| Observer | The observer is the resource that creates and stores a CADF record from information available in a CADF event. |
| Outcome | The outcome is the status of the action against the target. |
| Target | The target is the resource against which the action is performed, attempted to perform, or is pending to complete. |
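The event components above can drive a first-pass audit triage over exported events. The following is an added example, not code from the IBM documentation: it validates that each record carries the five CADF components, reduces it to who/what/target/when/result, and lists failed or critical actions. The JSON key names (`eventTime`, `severity`, nested `name`/`id`), the severity values, the action names and all sample records are assumptions constructed for illustration.

```python
import json
from collections import Counter

# Constructed sample records, one JSON object per line (not real account data).
# Key names mirror the CADF components; the exact JSON layout is an assumption.
SAMPLE = """\
{"eventTime":"2020-03-02T09:15:04Z","action":"example-svc.instance.create","outcome":"success","severity":"normal","initiator":{"name":"admin@example.com"},"target":{"name":"cert-store"},"observer":{"name":"ActivityTracker"}}
{"eventTime":"2020-03-02T09:20:41Z","action":"example-svc.instance.delete","outcome":"failure","severity":"critical","initiator":{"name":"dev@example.com"},"target":{"name":"cert-store"},"observer":{"name":"ActivityTracker"}}
{"eventTime":"2020-03-02T09:21:07Z","action":"example-svc.secret.read","outcome":"failure","severity":"warning","initiator":{"id":"ServiceId-EXAMPLE"},"target":{"name":"cert-store"},"observer":{"name":"ActivityTracker"}}
{"eventTime":"2020-03-02T09:30:00Z","action":"example-iam.policy.update","outcome":"success","severity":"critical","initiator":{"name":"admin@example.com"},"target":{"name":"auditors"},"observer":{"name":"ActivityTracker"}}
{"eventTime":"2020-03-02T09:31:00Z","action":"example-svc.instance.read","outcome":"success","target":{"name":"cert-store"},"observer":{"name":"ActivityTracker"}}
not-json
"""
COMPONENTS = ("action", "initiator", "target", "outcome", "observer")

def parse_events(text):
    """Return (events, rejected); rejected holds (line_no, reason) for bad records."""
    events, rejected = [], []
    for n, line in enumerate(text.splitlines(), 1):
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            ev = None
        if not isinstance(ev, dict):
            rejected.append((n, "not a JSON object"))
            continue
        missing = [c for c in COMPONENTS if c not in ev]
        if missing:
            rejected.append((n, "missing " + ",".join(missing)))
        else:
            events.append(ev)
    return events, rejected

def summarize(ev):
    """Who did what to which target, when, and with what result."""
    who = ev["initiator"].get("name") or ev["initiator"].get("id", "unknown")
    target = ev["target"].get("name") or ev["target"].get("id", "unknown")
    return {"who": who, "action": ev["action"], "target": target,
            "when": ev.get("eventTime", "unknown"), "outcome": ev["outcome"],
            "severity": ev.get("severity", "normal")}

def needs_review(events):
    """Failed or critical actions: the first things to triage in an audit."""
    return [s for s in map(summarize, events)
            if s["outcome"] == "failure" or s["severity"] == "critical"]

def failures_by_initiator(events):
    """Count failed actions per initiator to surface repeated denied attempts."""
    return Counter(s["who"] for s in map(summarize, events) if s["outcome"] == "failure")
```

Records that lack a component, such as the fifth sample line with no initiator, are reported in `rejected` rather than silently dropped, because an event with no attributable initiator is itself worth an auditor's attention.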
Next steps
Upgrade the IBM Cloud Activity Tracker with LogDNA service plan to a paid plan to be able to search events by applying a query, and configure alerts.
For more information about IBM Cloud Activity Tracker with LogDNA service plans, see Service plans.