---
copyright:
  years: 2018, 2019
lastupdated: "2019-07-09"
---

{:shortdesc: .shortdesc}
{:new_window: target="_blank"}
{:codeblock: .codeblock}
{:pre: .pre}
{:screen: .screen}
{:tip: .tip}
{:important: .important}

# Auditing and logging
{: #auditing-logging}

The auditing and logging capabilities in {{site.data.keyword.cfee_full}} (CFEE) allow administrators to audit events taking place in a CFEE instance and developers to track log events generated by their Cloud Foundry applications and the Cloud Foundry platform.

Auditing and logging in CFEE are supported through integrations with LogDNA services instantiated in the IBM Cloud.

## Auditing
{: #auditing}

Activity Tracker with LogDNA has replaced the original Activity Tracker service, which was fully deprecated on October 9, 2019. Configuring a new Activity Tracker with LogDNA instance requires CFEE version 5.0.0 or later. If you have an existing auditing configuration that uses the original Activity Tracker, you must disable it before enabling Activity Tracker with LogDNA.
{: important}

Auditing allows CFEE administrators to track the Cloud Foundry auditable activities that take place in a CFEE instance. Those activities include login, creation of organizations and spaces, user membership and role assignments, application deployments, service bindings, updates and scaling, and domain configuration. Auditing is supported through integration with the Activity Tracker with LogDNA service in the IBM Cloud. An instance of the Activity Tracker service selected by the CFEE administrator is configured automatically to receive events that represent actions performed within Cloud Foundry and on the CFEE control plane. The user can view and manage those events in the user interface of the Activity Tracker service instance.

To enable auditing for a CFEE instance:

  1. Open a CFEE's user interface and navigate to Operations > Auditing in the left navigation pane.
  2. Click Enable auditing and select one of the Activity Tracker with LogDNA instances available in the IBM Cloud account.
  3. Communication between CFEE / Cloud Foundry and an Activity Tracker instance requires a LogDNA ingestion key. You can find your instance's ingestion key by opening the instance dashboard (from the Observability list) and navigating to Settings > Organization > API Keys.
  4. Once auditing is enabled, configuration details are displayed on the page. Details include the status of the configuration, and a link to the Activity Tracker with LogDNA service instance, where a user can view and manage auditing events.

You can disable auditing by clicking Disable auditing, which removes the currently configured service instance from the CFEE configuration. This action does not delete the Activity Tracker service instance.

See the Activity Tracker with LogDNA documentation for event fields, types of audit events, and other information. Events can be viewed from the Activity Tracker with LogDNA instance dashboard or exported using the LogDNA API.

### Cloud Foundry audit events

A list of events generated by the Cloud Foundry platform is available in the Audit Events section of the Cloud Foundry documentation.

### Cloud Foundry Enterprise Environment events

The following audit events are generated by Cloud Foundry Enterprise Environment:

  • cfaas.user.login - generated when a user is authorized with an IAM token to use Cloud Foundry within a CFEE
  • cfaas.stratos.install.cf - generated when a user installs Stratos as a Cloud Foundry application using the CFEE service
  • cfaas.stratos.install.kubernetes - generated when a user installs Stratos as a Kubernetes deployment using the CFEE service
  • cfaas.stratos.uninstall.kubernetes - generated when a user uninstalls Stratos as a Kubernetes deployment using the CFEE service
  • cfaas.loganalysis.set - generated when a user configures Application Logging using LogAnalysis (in CFEE versions less than v3.1.0)
  • cfaas.loganalysis.delete - generated when a user removes a configuration for Application Logging using LogAnalysis (in CFEE versions less than v3.1.0)
  • cfaas.logdna.set - generated when a user configures Application or Platform Logging using LogDNA
  • cfaas.logdna.delete - generated when a user removes a configuration for Application or Platform Logging using LogDNA
  • cfaas.activitytracker.set - generated when a user configures the Auditing service
  • cfaas.activitytracker.delete - generated when a user removes a configuration for the Auditing service
  • cfaas.update - generated when a user initiates a CFEE version update
  • cfaas.cancel.operation - generated when a user cancels an update or scale operation
  • cfaas.scaleup.cells - generated when a user initiates a scale-up operation (adds more cells to a CFEE)
  • cfaas.scaledown.cells - generated when a user initiates a scale-down operation (removes cells from a CFEE)
  • cfaas.deprovision - generated when a user deletes a CFEE
  • cfaas.domain.create - generated when a user adds a domain to a CFEE
  • cfaas.domain.delete - generated when a user removes a domain from a CFEE
  • cfaas.domain-tls-certificate.set - generated when a user adds a TLS certificate configuration to a domain in a CFEE
  • cfaas.domain-tls-certificate.delete - generated when a user removes a TLS certificate configuration from a domain in a CFEE
  • cfaas.aliasService.create - generated when a user adds a service alias to a CFEE
  • cfaas.aliasService.delete - generated when a user removes a service alias from a CFEE
  • cfaas.enable.monitoring - generated when a user enables monitoring for a CFEE
  • cfaas.disable.monitoring - generated when a user disables monitoring for a CFEE
  • cfaas.alertmanager.config.set - generated when a user updates the configuration for the Monitoring Alert Manager for a CFEE

### Alerting on audit events
{: #alerting-on-audit-events}

CFEE administrators can configure audit event alerts using Activity Tracker with LogDNA's alerts functionality.
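As an added example that is not part of the CFEE documentation, the following Python triages an exported set of audit events using the cfaas.* action names listed above, flagging the actions that reduce an instance's visibility (auditing or logging removed, monitoring disabled) or change its trust boundary (TLS certificates, deprovisioning). The record layout (action, initiator, outcome, eventTime), the severities and the sample records are constructed assumptions, not the Activity Tracker event schema.

```python
"""Triage CFEE audit events exported from Activity Tracker with LogDNA.

Assumed record layout: {"action", "initiator", "outcome", "eventTime"}.
Severity ratings are illustrative, chosen for this example only.
"""
from collections import Counter

# Actions that weaken visibility into the instance or alter its trust boundary.
WATCHED_ACTIONS = {
    "cfaas.activitytracker.delete": "high",       # auditing switched off
    "cfaas.logdna.delete": "high",                # log persistence removed
    "cfaas.loganalysis.delete": "high",           # legacy log persistence removed
    "cfaas.deprovision": "high",                  # whole CFEE deleted
    "cfaas.disable.monitoring": "medium",
    "cfaas.domain-tls-certificate.set": "medium", # certificate swapped on a domain
    "cfaas.domain-tls-certificate.delete": "medium",
    "cfaas.alertmanager.config.set": "low",
}

SEVERITY_ORDER = {"low": 0, "medium": 1, "high": 2}


def flag_events(events):
    """Return (severity, action, initiator, eventTime) for every watched action
    that actually succeeded; failed attempts are left for a separate review."""
    findings = []
    for ev in events:
        sev = WATCHED_ACTIONS.get(ev.get("action"))
        if sev and ev.get("outcome") == "success":
            findings.append((sev, ev["action"], ev.get("initiator", "?"), ev.get("eventTime", "")))
    return findings


def highest_severity(findings):
    """Worst severity among the findings, or None when nothing was flagged."""
    return max((f[0] for f in findings), key=SEVERITY_ORDER.get, default=None)


def by_initiator(findings):
    """Count flagged actions per initiator; several by one identity merits a closer look."""
    return Counter(f[2] for f in findings)


# Constructed sample export (not real Activity Tracker output).
SAMPLE_EVENTS = [
    {"action": "cfaas.user.login", "initiator": "dev@example.com", "outcome": "success", "eventTime": "2019-07-09T10:00:00Z"},
    {"action": "cfaas.domain.create", "initiator": "dev@example.com", "outcome": "success", "eventTime": "2019-07-09T10:05:00Z"},
    {"action": "cfaas.logdna.delete", "initiator": "ops@example.com", "outcome": "success", "eventTime": "2019-07-09T10:20:00Z"},
    {"action": "cfaas.activitytracker.delete", "initiator": "ops@example.com", "outcome": "failure", "eventTime": "2019-07-09T10:21:00Z"},
    {"action": "cfaas.activitytracker.delete", "initiator": "ops@example.com", "outcome": "success", "eventTime": "2019-07-09T10:22:00Z"},
]

if __name__ == "__main__":
    for finding in flag_events(SAMPLE_EVENTS):
        print(*finding)
```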

## Logging persistence
{: #logging}

The IBM Cloud Log Analysis service has been deprecated. Starting in CFEE v3.1.0, logging persistence in CFEE is supported through integration with the new IBM Log Analysis with LogDNA service. Logging persistence enabled through integration with pre-existing Log Analysis instances will continue to work even after the CFEE instance is updated to v3.1.0. However, once logging persistence enabled through a pre-existing Log Analysis service instance is disabled, it can only be re-enabled with an instance of the IBM Log Analysis with LogDNA service.
{: important}

CFEE supports logging persistence for two types of log streams: Cloud Foundry application logs and Cloud Foundry platform logs. Logging persistence is supported through integration with the IBM Log Analysis with LogDNA service. An instance of the LogDNA service selected by the CFEE administrator can be configured to receive and persist the Cloud Foundry application and platform logs generated within the CFEE instance. The user can view and manage those logs using the LogDNA service instance.

To enable platform and application logging for a CFEE instance:

  1. Make sure that you have an IAM access policy that assigns you either the administrator platform role, or the viewer platform role together with the reader role, on the LogDNA service instance into which you intend to persist the logs.
  2. Open a CFEE's user interface and navigate to Operations > Application logging or Operations > Platform logging entry in the left navigation pane to open the configuration page.
  3. Click Enable logging and select one of the LogDNA instances available in the IBM Cloud account. If no instances are available, the user will see an option to create an instance in the IBM Cloud catalog.
  4. Once logging persistence is enabled, configuration details are displayed on the page. Details include the status of the configuration, and a link to the LogDNA service instance itself, where the user can view and manage logs.

You can disable logging persistence by clicking Disable logging, which removes the previously configured service instance from the CFEE configuration. This action does not delete the LogDNA service instance.

Platform logging configurations created with CFEE versions matching 5.2.x will need to be recreated in version 6.0.0. See below for more information about platform logging in CFEE versions matching 5.2.x.
{: note}

Note: Both IKS and CFEE can be configured to use a common LogDNA instance. To configure your CFEE's cluster to report Kubernetes logging events to LogDNA, see the LogDNA documentation.

Note: When you disable logging persistence, Cloud Foundry logging events are still generated; they are simply no longer persisted outside the CFEE instance.

### Healthcheck warnings

When you enable a logging configuration, various Cloud Foundry components are restarted, so your CFEE's healthcheck will report several component errors. These errors are not disruptive to the Cloud Foundry application runtime, because only a single instance of each component is restarted at a time. However, during the restart you may experience intermittent issues with application deployment. All errors and issues should resolve after all Cloud Foundry components have finished restarting.

### Configuring platform logs in CFEE v5.2.x
{: #configuring-platform-logs-in-cfee-v5-2}

Limited support for platform logging persistence was added in CFEE version 5.2.0. CFEE administrators using platform logging in any version matching 5.2.x should be aware of the following caveats:

  • Enabling or disabling application logging also enables or disables platform logging. Enabling or disabling platform logging only enables or disables platform logging. If you've enabled application logging in these versions and want to disable the accompanying platform logging configuration, simply disable platform logging from the Operations > Platform Logging page. These services are decoupled in CFEE version 6.0.0.
  • Platform logging configurations created with a version matching 5.2.x do not report logs from UAA components. UAA component logs are supported in platform logging configurations created with CFEE version 6.0.0.
  • If you've manually disabled platform logging, or if you updated to a version matching 5.2.x with logging enabled, you may receive an error while disabling a configuration from the Operations > Application Logging page. In most cases your full configuration (application and platform logging) has been disabled properly. Refresh the page to confirm that disablement has worked correctly.
  • The platform logging healthcheck indicator may not work correctly in a version matching 5.2.x.
  • Platform logging configurations created with a version matching 5.2.x will not function correctly after updating to version 6.0.0. If you have a pre-existing configuration, disable and re-enable platform logging after updating to CFEE version 6.0.0.

### Exporting logs from IBM Log Analysis with LogDNA (optional)

See the Export IBM Log Analysis with LogDNA logs documentation for details on how to export logs to local files.