IBM Cloud Logs
Synopsis
The IBM Cloud Logs target forwards telemetry events to IBM Cloud Logs using the Logs API singles endpoint. Events are batched and sent with configurable application context, subsystem categorization, and severity levels.
Schema
- name: <string>
description: <string>
type: ibmcloudlogs
pipelines: <pipeline[]>
status: <boolean>
properties:
instance_id: <string>
region: <string>
authentication_method: <string>
iam_token: <string>
iam_token_secret: <string>
application_name: <string>
subsystem_name: <string>
computer_name: <string>
default_severity: <integer>
use_timestamp: <boolean>
use_hires_timestamp: <boolean>
batch_size: <integer>
timeout: <integer>
field_format: <string>
debug:
status: <boolean>
dont_send_logs: <boolean>
Configuration
The following fields are used to define the target:
| Field | Required | Default | Description |
|---|---|---|---|
name | Y | Target name | |
description | N | - | Optional description |
type | Y | Must be ibmcloudlogs | |
pipelines | N | - | Optional post-processor pipelines |
status | N | true | Enable/disable the target |
IBM Cloud Logs Connection
| Field | Required | Default | Description |
|---|---|---|---|
instance_id | Y | - | IBM Cloud Logs instance ID |
region | Y | - | IBM Cloud region. See Valid Regions below |
authentication_method | N | token | Authentication method: token, secret |
iam_token | Y* | - | IBM Cloud IAM Bearer token |
iam_token_secret | Y* | - | Environment variable name containing IAM token |
* = Conditionally required. iam_token when authentication_method: token; iam_token_secret when authentication_method: secret.
Log Configuration
| Field | Required | Default | Description |
|---|---|---|---|
application_name | Y | - | Application name for log categorization |
subsystem_name | Y | - | Subsystem name for log categorization |
computer_name | N | - | Computer/host name for log source identification |
default_severity | N | 1 | Default severity level (1-6). 1 = Debug. See Severity Levels below |
use_timestamp | N | false | Use event timestamp instead of current time |
use_hires_timestamp | N | false | Use high-resolution (nanosecond) timestamp |
Batch Configuration
| Field | Required | Default | Description |
|---|---|---|---|
batch_size | N | 1000 | Maximum events per batch |
timeout | N | 30 | Request timeout in seconds |
Processing
| Field | Required | Default | Description |
|---|---|---|---|
field_format | N | - | Data normalization format. See applicable Normalization section |
Debug Options
| Field | Required | Default | Description |
|---|---|---|---|
debug.status | N | false | Enable debug logging |
debug.dont_send_logs | N | false | Process logs but don't send to target (testing) |
Details
Valid Regions
IBM Cloud Logs is available in the following regions:
| Region Code | Region Name |
|---|---|
us-south | US South (Dallas) |
us-east | US East (Washington DC) |
eu-gb | United Kingdom (London) |
eu-de | Germany (Frankfurt) |
eu-es | Spain (Madrid) |
jp-tok | Japan (Tokyo) |
jp-osa | Japan (Osaka) |
au-syd | Australia (Sydney) |
ca-tor | Canada (Toronto) |
br-sao | Brazil (São Paulo) |
Severity Levels
IBM Cloud Logs uses numeric severity levels:
| Level | Name | Description |
|---|---|---|
1 | Debug | Debug or trace information |
2 | Verbose | Verbose informational messages |
3 | Info | Informational messages |
4 | Warn | Warning events |
5 | Error | Error events |
6 | Critical | Critical events requiring immediate action |
Severity Handling:
- Events with
severityfield use that value if valid (1-6) - Events without
severityfield usedefault_severity - Invalid severity values default to
default_severity
Authentication Methods
Token (Default):
- Use
iam_tokenfield with Bearer token directly in configuration - Token automatically prefixed with "Bearer " if not already present
- Simpler for development and testing
Secret:
- Use
iam_token_secretfield with environment variable name - More secure for production deployments
- Environment variable must be set before starting DataStream
IBM Cloud Logs requires a valid IAM Bearer token for authentication. Generate tokens using IBM Cloud CLI or API. Tokens expire and must be refreshed periodically.
IAM Permissions
The IAM identity (service ID or user) used to generate the Bearer token requires the following IBM Cloud IAM role:
| IBM IAM Role | Service | IAM Action | Purpose |
|---|---|---|---|
Sender | IBM Cloud Logs | logs.data.send | Ingest logs via the /logs/v1/singles REST endpoint |
The Sender role (underlying IAM action: logs.data.send) is the minimum required role. No read, management, or administrative roles are needed since the target only performs log ingestion (write-only).
IBM Cloud Logs accepts up to 2 MB per request, which is approximately 3,000 medium-sized log entries.
Endpoint Construction
Automatic Endpoint Building:
- Endpoint format:
https://{instance_id}.ingress.{region}.logs.cloud.ibm.com/logs/v1/singles - Example:
https://abc123.ingress.us-south.logs.cloud.ibm.com/logs/v1/singles - Instance ID and region are validated during configuration
Event Structure
JSON Parsing:
- Events with valid JSON message are parsed and sent as structured data
- Non-JSON messages are sent as
{"text": "message"}objects - Supports nested JSON structures and complex data types
Application Context:
applicationName: Required field for log categorizationsubsystemName: Required field for subsystem identificationcomputerName: Optional field for source host identification
Timestamp Handling:
- Default: Current timestamp when event is sent
use_timestamp: true: Use event's original timestampuse_hires_timestamp: true: Include nanosecond precision
Performance Considerations
Batch Processing:
- Events are buffered until
batch_sizeis reached - Flush occurs on batch limit or during finalization
- Larger batches reduce API calls but increase latency
- Maximum recommended batch size: 1000 events
Connection Pooling:
- HTTP client maintains connection pool
- Maximum 100 idle connections total
- Maximum 10 idle connections per host
- 90-second idle connection timeout
Retry Logic:
- Failed sends are retried based on sender configuration
- HTTP errors include response body for troubleshooting
- Check IBM Cloud Logs service status for API issues
IBM Cloud Logs API has limits on batch size and request payload. Configure batch_size appropriately for your event size to avoid API rejections.
Error Handling
Authentication Failures:
- HTTP 401: Invalid or expired IAM token
- Refresh IAM token and restart DataStream
- Check token format (must include "Bearer " prefix)
API Errors:
- HTTP 400: Malformed request or invalid event structure
- HTTP 500: IBM Cloud Logs service error
- Error responses include detailed message for troubleshooting
Validation Errors:
- Invalid region codes are rejected during configuration validation
- Invalid severity levels default to
default_severity - Missing required fields (instance_id, application_name, subsystem_name) prevent target initialization
Examples
Basic Configuration
Sending logs to IBM Cloud Logs using token authentication... | |
With Secret Authentication
Using environment variable for secure IAM token storage... | |
With Custom Severity
Setting default severity to Warning for important events... | |
High-Volume Configuration
Optimizing for high-volume log ingestion with larger batches... | |
Multi-Region Configuration
Sending logs to different IBM Cloud regions for geographic distribution... | |
With Normalization
Applying ECS normalization before sending to IBM Cloud Logs... | |
Production Configuration
Production-ready configuration with secret authentication, batch optimization, and high-resolution timestamps... | |