Use Event Exposure (common)

Contributing Services

Cloud Services

Below is the list of cloud services currently exposing their events:

Cloud Service NameHealth EventsLog Events
File Service Premium-Logs for provision, deprovision and update events on all deployments (Catalog requests & day-2 operations).
Managed KubernetesYESManagement (cluster virtual machines and PKS) and authentication logs. For PKS, logs from the virtual machines are from /var/vcap/sys/logs.
Managed MS SQL DBMS-Audit logs coming from MSSQL server for actions and login to the SQL. Logs covered are: AUDIT_CHANGE_GROUP, BROKER_LOGIN_GROUP, DATABASE_LOGOUT_GROUP, DATABASE_OWNERSHIP_CHANGE_GROUP, DATABASE_PERMISSION_CHANGE_GROUP, DATABASE_PRINCIPAL_CHANGE_GROUP, DATABASE_PRINCIPAL_IMPERSONATION_GROUP, DATABASE_ROLE_MEMBER_CHANGE_GROUP, FAILED_DATABASE_AUTHENTICATION_GROUP, FAILED_LOGIN_GROUP, LOGOUT_GROUP, SERVER_PERMISSION_CHANGE_GROUP, SERVER_PRINCIPAL_CHANGE_GROUP, SERVER_PRINCIPAL_IMPERSONATION_GROUP, SERVER_ROLE_MEMBER_CHANGE_GROUP, SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP, SUCCESSFUL_LOGIN_GROUP, USER_DEFINED_AUDIT_GROUP.
Managed Oracle DB Service Highend-Audit logs from Oracle DB.
Managed Oracle DB Service Regular-Audit logs from Oracle DB.
Managed Oracle DB Service on ExaCC--
Managed OS RHEL-Audit logs coming from operating system for action executed at operating system level. Security logs coming from operating system for any attempt to login to the system. For example, virtual machines would publish the logs from /var/log/{secure,audit}.
Managed OS Windows-Audit logs coming from operating system for action executed at operating system level. Security logs coming from operating system for any attempt to login to the system. For example, virtual machines would publish logs from nc_winlogbeat::event_logs.
Network F5-Audit logs coming from operating system for action executed at operating system level. Security logs coming from operating system for any attempt to login to the system. Logs come from files /var/log/ltm and /var/log/secure in the F5 virtual machines implementing the service.
Network ServicesYESInstance proxy log messages which contain raw syslog message strings including request/response header data such as HTTP host, agent, method, path, status code and size information.
Network UplinkYES-
Object Storage S3-Logs for provision, deprovision and update events on S3 Instances and S3 Users.
Virtual MachineYES-
Log ExposureYESAudit logs for credential management actions.
Health ExposureYESAudit logs for credential management actions.

Cloud Management

Some Cloud Management Platform components expose their events too:

Cloud Management Service NameHealth EventsLog Events
Firewall-Firewall logs that have matching firewall rules created via NSX proxy. For instance, firewall logs from matching provider/global default rules are not sent to customers.
Infrastructure as a Service-Audit logs for infrastructure changes
NSX Proxy-Actions performed in the NSX Proxy to create firewall rules. Any GET/PUT/POST method call triggered by customer via ESC portal towards NSX Proxy.
Swisscom Cloud Orchestrator-Audit logs for space-related operations.
vRealize Automation-Security logs for any login attempt on the service by the tenant.
vRealize Orchestrator-Workflow logs for actions made by customer (e.g. deploy, reconfigure, day-2 operations). VM Lifecycle Events related with provisioning of VMs (Requested, Building machine, Activated, Disposing), VM Day-2 Operations (Reconfiguration, Power On, Power Off, Create Snapshot, Delete Snapshot), Services (Create Network, Update Network, Delete Network, Reserve IP, Free Reserved IP, Import OVA), Subtenant Lifecycle Events related with Business Groups (Create Business Groups, Update Business Groups, Delete Business Groups), OSB Services (Provision DynDB, Update DynDB, Delete DynDB, Create Kubernetes Cluster, Provision CP, Delete Dyndb, Delete CP), OSB Day-2 Operations (Start, Stop, Restart, Sync, PKS Upgrade Cluster, PKS Upgrade Persistent Storage, Create DynDB User, Delete DynDB User, PKS Bind, PKS Unbind).

Service Instance Classes

Some services may be built up with multiple types of resources, which are organized into separate instance classes. This detail is available from event schema 1.1.

Cloud Service NameInstance Class Names
File Service PremiumFile System Service, Container, Share, Initiator, Initiator Group, File System Service for Kubernetes, Storage Virtual Machine for Kubernetes
Managed KubernetesKubernetes Cluster, Kubernetes Environment
Managed Oracle DB Service HighendMODS Highend CDB, MODS Highend PDB
Managed Oracle DB Service RegularMODS Regular CDB, MODS Regular PDB
Managed Oracle DB Service on ExaCCMODS ExaCC CDB, MODS ExaCC VM
Managed OS RHELManaged RHEL
Managed OS WindowsManaged Windows
Network F5F5 Load Balancer
Network ServicesManaged Forward Proxy, Managed Reverse Proxy
Network UplinkUplink Topology
Object Storage S3Object Storage S3, NAT Network
Virtual MachineVirtual Machine, Snapshot, Network, Uplink Topology
Log ExposureLog Exposure Endpoint
Health ExposureHealth Exposure Endpoint
Infrastructure as a ServiceCloud Management Platform
Swisscom Cloud Orchestrator Cloud Management Platform, Space

Consuming Events

The Kafka clients must be configured with the Event Exposure Kafka endpoint which is reachable from ESC compute services (e.g. VM, K8s).

kafka.prd.msg.entcloud.swisscom.com:9094

The Event Exposure Kafka endpoints are using a child certificate of the Swisscom RootCore CA. When configuring the Kafka client, it is necessary to create a CA bundle containing the root certificate from the chain. Below we provide the commands to get the required certificate:

wget http://crl.swisscom.com/SwisscomRootCore.crt
openssl x509 -inform DER -in SwisscomRootCore.crt -out ca-bundle.crt
This is an information message

Please Note

The server certificates of Event Exposure Kafka brokers are rotated automatically every few months. To avoid issues when this happens, trust only the root certificate, not the whole chain reported by the brokers.

An example Logstash configuration looks like this:

input
{
    kafka {
        bootstrap_servers => "kafka.prd.msg.entcloud.swisscom.com:9094"
        topics => ["logs-orion-123"]
        group_id => "the-consumer-group-set-at-certificate-creation"
        security_protocol => "SSL"
        ssl_truststore_location => "${TRUSTSTORE_FILENAME}"
        ssl_truststore_password => "${PASSWORD}"
        ssl_keystore_location => "${KEYSTORE_FILENAME}"
        ssl_keystore_password => "${PASSWORD}"
        ssl_key_password => "${PASSWORD}"
        codec => "json"
    }
}

If you have any problems setting up the client, please contact ESC support.

List of Kafka Clients

Out of the box solutions:

For custom solutions:

Last Updated: