---
copyright:
  years: 2024, 2025
lastupdated: "2025-09-25"
keywords:
subcollection: cloud-logs
---

{{site.data.keyword.attribute-definition-list}}

# Activity Tracking extension
{: #extensions-activity-tracking}

In {{site.data.keyword.logs_full}}, you can use the Activity Tracking extension to gain insights into activity tracking events that are generated in an {{site.data.keyword.cloud_notm}} account.
{: shortdesc}

## Before you begin
{: #extensions-activity-tracking-overview}

Activity tracking events are critical data for security operations and a key element for meeting compliance requirements.

In {{site.data.keyword.logs_full_notm}}, activity tracking events that are generated by {{site.data.keyword.cloud_notm}} services include metadata fields that you can use to enhance searches and analyze the data.

- `applicationName`: The application name is the environment that produces and sends data to {{site.data.keyword.logs_full_notm}}. It is set to `ibm-audit-events` for activity tracking events.
- `subsystemName`: The subsystem name is the service or application that produces and sends logs to {{site.data.keyword.logs_full_notm}}. It is set as follows for activity tracking events:
    - For {{site.data.keyword.cloud_notm}} services that you can provision, the format is: `crn-service-name:<INSTANCE_GUID>`
    - For VPC services, the format is: `is:<VPC_SERVICE_NAME>`
    - For platform services (services that you cannot provision), the format is: `crn-service-name:`

In {{site.data.keyword.cloud_notm}}, you must configure {{site.data.keyword.atracker_full_notm}} to route activity tracking events to the {{site.data.keyword.logs_full_notm}} service.

Before you can monitor activity tracking events that are generated in an {{site.data.keyword.cloud_notm}} account, you must configure the {{site.data.keyword.atracker_full_notm}} service in the account to define what activity tracking events you want to collect, the destination where you want to monitor the events, and the routing rules that define where the events are routed.

- You can configure one or more {{site.data.keyword.logs_full_notm}} instances in the account.
- The {{site.data.keyword.logs_full_notm}} instances can be located in the same account where events are generated or in a different account.
- You must define a service-to-service authorization between {{site.data.keyword.atracker_full_notm}} and {{site.data.keyword.logs_full_notm}} to grant the {{site.data.keyword.atracker_full_notm}} service permission to send events to the {{site.data.keyword.logs_full_notm}} service.

For more information, see:

## What this extension deploys
{: #extensions-activity-tracking-deploys}

This extension includes the following items:

| Includes | Number |
|----------|--------|
| Alerts | 2 |
| Dashboards | 3 |
| Enrichments | 0 |
| Events to metrics | 0 |
| Rules | 1 |
| Views | 0 |
{: caption="Items included when extension is deployed" caption-side="bottom"}

Before deploying this extension, make sure that deploying the extension will not cause you to exceed limits for your {{site.data.keyword.logs_full_notm}} instance. If deploying the extension results in limits being exceeded, the deployment will fail.
{: tip}

## Deploying the extension
{: #extensions-activity-tracking-deploy}

You can deploy this extension in any {{site.data.keyword.logs_full_notm}} instance that collects activity tracking events. This extension includes a set of pre-configured resources such as dashboards, views, and alerts that help you monitor critical metrics, identify anomalies, and optimize your system's performance.

When you deploy the extension, consider the following information:

- Views and dashboards are located within the folder `Activity Tracking`.
- Alerts have the label `platform:event` that you can use to filter them in the Alert Management page.
- Some views and dashboards report data only after the parsing rules are deployed.

For more information about deploying the extension, see Deploying, managing, and removing {{site.data.keyword.logs_full_notm}} extensions.

{{/_include-segments/extensions-validate.md}}

## Parsing rules
{: #extensions-activity-tracking-rules}

You can use parsing rules to process, parse, and restructure log data to prepare for monitoring and analysis.

The creation of the Parsing CRN rule and the disabling of the Severity Rule are required for the Activity Tracking extension to operate correctly. See log parsing rules for information about {{site.data.keyword.logs_full_notm}} parsing rules.

### Parsing CRN
{: #extensions-activity-tracking-rules-1}

The parsing rule Parsing CRN is required for the rest of the resources that are provided as part of this extension to display data. You must deploy it.
{: important}

This rule identifies the different components of the `logSourceCRN` field in activity tracking events:

```text
crn:v1:bluemix:public:(?P<serviceName>[^:]+):(?P<region>[^:]*):a\/(?P<accountID>[^:]+):(?P<instanceID>[^:]*):(?P<resourceType>[^:]*):(?P<resourceID>[^:]*)$
```
{: codeblock}

It creates new fields to capture the information: `serviceName`, `region`, `accountID`, `instanceID`, `resourceType`, and `resourceID`.

It also adds the value `global` for activity tracking events that are global and do not include a region value in the CRN.
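The following Python snippet is an added example, not part of this page or of the extension's own rule engine. It applies the rule's regular expression to a few constructed `logSourceCRN` values (account and instance ids are placeholders) and reproduces the `global` fallback for an empty region, so that you can check what fields the rule will produce for your own events.

```python
import re

# Regular expression from the Parsing CRN rule. The (?P<name>...) groups are
# Python named groups, so the pattern can be used as-is.
CRN_PATTERN = re.compile(
    r"crn:v1:bluemix:public:(?P<serviceName>[^:]+):(?P<region>[^:]*):"
    r"a\/(?P<accountID>[^:]+):(?P<instanceID>[^:]*):(?P<resourceType>[^:]*):"
    r"(?P<resourceID>[^:]*)$"
)


def parse_log_source_crn(crn):
    """Return the six fields the rule extracts, or None when the CRN does not match.

    An empty region (a global service) is reported as "global", as the rule does.
    """
    match = CRN_PATTERN.search(crn)
    if match is None:
        return None
    fields = match.groupdict()
    if fields["region"] == "":
        fields["region"] = "global"
    return fields


def enrich_event(event):
    """Return a copy of an activity tracking event with the parsed fields added."""
    enriched = dict(event)
    parsed = parse_log_source_crn(event.get("logSourceCRN", ""))
    if parsed is not None:
        enriched.update(parsed)
    return enriched


# Constructed sample events; the ids are placeholders, not real resources.
SAMPLE_EVENTS = [
    {"action": "cloud-object-storage.bucket.create",
     "logSourceCRN": "crn:v1:bluemix:public:cloud-object-storage:global:a/acct-placeholder:inst-placeholder::"},
    {"action": "is.vpc.create",
     "logSourceCRN": "crn:v1:bluemix:public:is:us-south:a/acct-placeholder::vpc:vpc-placeholder"},
    # Platform service with no region in the CRN: the rule reports region "global".
    {"action": "iam-identity.apikey.create",
     "logSourceCRN": "crn:v1:bluemix:public:iam-identity::a/acct-placeholder::apikey:key-placeholder"},
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(enrich_event(event))
```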

### Severity Rule
{: #extensions-activity-tracking-rules-2}

When you configure {{site.data.keyword.atracker_full_notm}}, activity tracking events are set with the severity value that applies to each event. You must disable the rule Severity Rule so the severity set from the source is maintained.
{: important}

## Dashboards
{: #extensions-activity-tracking-dashboards}

You can deploy any of the following predefined dashboards:

- Activity Tracking Overview by region: Use this dashboard to monitor activity tracking events by region and by service.
- Activity Tracking Overview by action: Use this dashboard to monitor activity tracking events by action and by service.
- Activity Tracking TCO Overview: Use this dashboard to monitor your activity tracking events by TCO policy. You must have a Cloud Object Storage bucket configured with your {{site.data.keyword.logs_full_notm}} instance to use this dashboard. You can monitor the {{site.data.keyword.frequent-search}} or {{site.data.keyword.monitoring}} pipelines by switching the pipeline in the dashboard. Monitoring of the {{site.data.keyword.compliance}} pipeline is not supported.

If you decide to remove dashboard widgets for specific regions or locations where you are not currently operating, and then add operations in those regions, the deleted widgets will not be automatically added back into your dashboard. You can clone a widget and change the location to add it back.
{: note}

## Alerts
{: #extensions-activity-tracking-alerts}

You can deploy any of the following alerts:

- Activity tracking events are down: Use this alert to be notified when no events are ingested over a period of 10 min.
- Unauthorized access: Use this alert to be notified when activity tracking events report actions with RC=403 or RC=401.
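As an added example that is not part of this page or of the extension, the following Python snippet evaluates both alert conditions over a few constructed events. The field names `responseCode` and `ingested` are assumptions for this example; the extension's own alerts run on the fields that {{site.data.keyword.atracker_full_notm}} delivers.

```python
from datetime import datetime, timedelta, timezone

# Conditions described for the two alerts on this page.
UNAUTHORIZED_CODES = {401, 403}
DOWN_WINDOW = timedelta(minutes=10)


def unauthorized_events(events):
    """Events whose response code is 401 or 403 (the Unauthorized access alert)."""
    return [e for e in events if e.get("responseCode") in UNAUTHORIZED_CODES]


def events_are_down(events, now, window=DOWN_WINDOW):
    """True when nothing was ingested in the `window` ending at `now`
    (the Activity tracking events are down alert)."""
    return not any(now - window <= e["ingested"] <= now for e in events)


def evaluate_alerts(events, now):
    """Summarize what both alerts would report for `events` at time `now`."""
    by_action = {}
    for e in unauthorized_events(events):
        by_action[e["action"]] = by_action.get(e["action"], 0) + 1
    return {
        "unauthorized_by_action": by_action,
        "events_down": events_are_down(events, now),
    }


# Constructed sample events; the field names are assumptions for this example.
NOW = datetime(2025, 9, 25, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    {"action": "iam-identity.apikey.create", "responseCode": 403,
     "ingested": NOW - timedelta(minutes=25)},
    {"action": "cloud-object-storage.bucket.list", "responseCode": 401,
     "ingested": NOW - timedelta(minutes=20)},
    {"action": "iam-identity.apikey.create", "responseCode": 403,
     "ingested": NOW - timedelta(minutes=15)},
    {"action": "is.vpc.read", "responseCode": 200,
     "ingested": NOW - timedelta(minutes=12)},
]

if __name__ == "__main__":
    # Nothing arrived in the last 10 minutes, so the down alert would fire.
    print(evaluate_alerts(SAMPLE_EVENTS, NOW))
```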