diff --git a/docs/access-and-analyze-observability-data-dad5b01.md b/docs/access-and-analyze-observability-data-dad5b01.md new file mode 100644 index 0000000..cf7042d --- /dev/null +++ b/docs/access-and-analyze-observability-data-dad5b01.md @@ -0,0 +1,35 @@ + + +# Access and Analyze Observability Data + +Access and analyze observability data that has been ingested following the [Ingest Observability Data](ingest-observability-data-ba16ff7.md) guides. For more information about OpenSearch and OpenSearch Dashboards, see the [OpenSearch documentation](https://www.opensearch.org). + + + + + +## Procedure + +To open the dashboard UI:: + +- Create a service binding or service key, and read the contents to extract the dashboard login information. See [Initial Setup](initial-setup-ac50297.md). +- Open the dashboards URLin a browser and sign in using the configured login method. + + + + + +## Results + +After opening the URL in the browser, OpenSearch Dashboards displays a landing page from which you can access and analyze data. + + + + + +## Next Steps + +The landing page provides pointers to a set of pre-built dashboards that help to analyze applications. The dashboards UI also provides the flexibility to create custom dashboards and to configure alerting. + +You can now navigate across the dashboards, and set and pin filters to explore what you're interested in. For example, you can focus your search on a specific application, with specific response codes producing unexpectedly high response times. + diff --git a/docs/accessibility-features-1c628e5.md b/docs/accessibility-features-1c628e5.md new file mode 100644 index 0000000..442b9ae --- /dev/null +++ b/docs/accessibility-features-1c628e5.md @@ -0,0 +1,13 @@ + + +# Accessibility Features + +To optimize your experience of SAP Cloud Logging, SAP Business Technology Platform \(SAP BTP\) provides features and settings that help you use the software efficiently. + + + +> ### Note: +> SAP Cloud Logging runs on the SAP BTP cockpit. For this reason, accessibility features for SAP BTP cockpit also apply. See the accessibility documentation for SAP BTP cockpit on the SAP Help Portal at [Accessibility Features in SAP BTP Cockpit](https://help.sap.com/docs/BTP/65de2977205c403bbc107264b8eccf4b/8153bc43bc7d44009549b375ed5c9632.html). + +For more information, on-screen reader support, and keyboard shortcuts, see [Accessibility for End Users](https://help.sap.com/docs/SAPUI5/bc5a64aac808463baa95b4230f221716/f562835d0b4e44129aa24a17551a0baa.html). + diff --git a/docs/configuration-parameters-1830bca.md b/docs/configuration-parameters-1830bca.md new file mode 100644 index 0000000..4c3027e --- /dev/null +++ b/docs/configuration-parameters-1830bca.md @@ -0,0 +1,674 @@ + + +# Configuration Parameters + +SAP Cloud Logging supports the following parameters for `create service` and `update service` operations. + + + + + +## Configuration Parameters + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ +Name + + + +Required + + + +Type + + + +Description + +
+ +Backend + + + +No + + + +[Backend](configuration-parameters-1830bca.md#loio1830bca1b060484e9cfabc0e62472e8e__table_xyd_p3x_jzb) + + + +Configures the OpenSearch backend. + +
+ +dashboards + + + +No + + + +[dashboards](configuration-parameters-1830bca.md#loio1830bca1b060484e9cfabc0e62472e8e__table_gqx_w3x_jzb) + + + +Configures the dashboards UI. + +
+ +ingest + + + +No + + + +[ingest](configuration-parameters-1830bca.md#loio1830bca1b060484e9cfabc0e62472e8e__table_brp_bjx_jzb) + + + +Configures the ingest endpoint. + +
+ +ingest\_otlp + + + +No + + + +[ingest\_otlp](configuration-parameters-1830bca.md#loio1830bca1b060484e9cfabc0e62472e8e__table_zcy_jjx_jzb) + + + +Configures the data ingestion over the ingest-otlp endpoint \(OpenTelemetry Protocol\). + +
+ +retention\_period + + + +No + + + +Integer + + + +The time in days until data \(see [Ingest Observability Data](ingest-observability-data-ba16ff7.md)\) is deleted. Range is between `1` and `90`. Defaults to `7`. That deletion of ingested data can also happen due to size-based curation. Changing this parameter will only affect newly created indices. + +
+ +saml + + + +No + + + +[saml](configuration-parameters-1830bca.md#loio1830bca1b060484e9cfabc0e62472e8e__table_nrv_sjx_jzb) + + + +Configures the SAML Integration to authenticate in dashboards. + +
+ +rotate\_root\_ca + + + +No + + + +Boolean + + + +> ### Note: +> Updating this parameter can invalidate bindings permanently + +Controls the rotation of the ingestion root Certificate Authority \(CA\) certificate. Defaults to `false`. + +Refer to [Rotate the Ingestion Root CA Certificate](rotate-the-ingestion-root-ca-certificate-bbcb3e7.md) for more details. + +
+ + + + + +## Configuration Parameters for Backend + + + + + + + + + + + + + + + +
+ +Name + + + +Required + + + +Type + + + +Description + +
+ +max\_data\_notes + + + +No + + + +Integer + + + +Configures the maximum number of OpenSearch data nodes for disk-based auto-scaling. Must be between `2` and `10`. Defaults to `10`. Indirectly, this parameter sets the maximum disk size for storing observability data as described in [Service Plans](service-plans-a9d2d1b.md). This parameter has no effect for the `dev` plan. + +
+ + + + + +## Configuration Parameters for Dashboards + + + + + + + + + + + + + + + +
+ +Name + + + +Required + + + +Type + + + +Description + +
+ +custom\_label + + + +No + + + +String + + + +Set a custom label to be displayed in OpenSearch Dashboards in the top bar to identify and distinguish multiple service instances. The label is embedded into a fixed sized element due to technical limitations. It gets cut off if the content is too long. 12 characters is ideal, and the maximum length is 20. Supported characters are `A-Z`, `a-z`, `0-9`, `#`, `+`, `-`, `_`, `/`, `*`, `(`, `)`, and space. + +
+ + + + + +## Configuration Parameters for Ingest + + + + + + + + + + + + + + + +
+ +Name + + + +Required + + + +Type + + + +Description + +
+ +max\_instances + + + +No + + + +Integer + + + +Specifies the maximum number of provisionable ingest instances, which are scaled automatically based on their overall CPU utilization. Must be between `2` and `10`. Defaults to `10`. This parameter impacts peak throughput and buffering. Scale-out happens when the overall CPU utilization exceeds 80%. Scale-in happens when the overall CPU utilization or configuration parameter decreases. This parameter has no effect on the `dev` plan, which is limited to a single instance. + +
+ + + + + +## Configuration Parameters for ingest\_otlp + + + + + + + + + + + + + + + +
+ +Name + + + +Required + + + +Type + + + +Description + +
+ +enabled + + + +No + + + +Boolean + + + +Enables ingestion over the OpenTelemetry Protocol. Defaults to false. For more information, refer to [Ingest via OpenTelemetry API Endpoint](ingest-via-opentelemetry-api-endpoint-fdc78af.md). + +
+ + + + + +## Configuration Parameters for SAML + +> ### Caution: +> Ensure that you consider the [SAP BTP Security Recommendation BTP-CLS-0001](https://help.sap.com/docs/btp/sap-btp-security-recommendations-c8a9bb59fe624f0981efa0eff2497d7d/sap-btp-security-recommendations?seclist-index=BTP-CLS-0001&version=Cloud). + +Configuration to integrate the service with a SAML Idenditiy Provider \(IdP\), like SAP Cloud Identity Services - Identity Authentication \(Identity Authentication\). See [Prerequisites](prerequisites-41d8559.md) on how to integrate SAP Cloud Logging with Identity Authentication. This configuration exposes a subset of the SAML parameters of OpenSearch. Learn more about configuration parameters from [OpenSearch](https://opensearch.org/) + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ +Name + + + +Required + + + +Type + + + +Description + +
+ +enabled + + + +Yes + + + +Boolean + + + +Enables SAML authentication. We strongly recommend SAML authentication for production use cases, because of improved security and login flow. Basic authentication is configured if this parameter is set to `false`. + +
+ +admin\_group + + + +Conditionally + + + +String + + + +The SAML group to grant administrative access and permissions to modify the security module. Required if `enabled` is set to `true`. Required if `enabled` is set to `true`. + +
+ +initiated + + + +Conditionally + + + +Boolean + + + +Enables IdP-initiated SSO. Required if `enabled` is set to `true`. + +
+ +roles\_key + + + +Conditionally + + + +String + + + +The list of backend\_roles will be read from this attribute during user login. + +This field must be set to the corresponding attribute for IdP groups,usually `groups`. Required if `enabled` is set to `true`. + +
+ +idp.metadata\_url + + + +Conditionally + + + +URL + + + +The URL to get the SAML IdP metadata from. Required if `enabled` is set to `true`. + +
+ +idp.entity\_id + + + +Conditionally + + + +String + + + +The Entity ID of the SAML IdP. + +Open the metadata URL in your browser and copy the full value of the `entityID` field. It is located in the first line of the response. Required if `enabled` is set to `true`. + +
+ +sp.entity\_id + + + +Conditionally + + + +String + + + +The Entity ID of the service provider. Generally, this parameter is set to the name of your application configured in your IdP. Required if `enabled` is set to `true`. + +
+ +sp.signature\_private\_key + + + +No + + + +String + + + +The private key is used to sign the requests. This parameter must be valid base64 encoded and PKCS8 format. + +
+ +sp.signature\_private\_key\_password + + + +No + + + +String + + + +The private key used to sign the requests. Valid base64 encoded and PKCS8 format of private key. + +
+ +exchange\_key + + + +No + + + +String + + + +Key to sign tokens. Provide a `random` key with an `even number (min. length: 32)` of `alphanumeric characters (A-Z, a-z, 0-9)`. A random key is generated if the key isn't provided. + +
+ diff --git a/docs/create-an-sap-cloud-logging-instance-through-cloud-foundry-cli-3658d09.md b/docs/create-an-sap-cloud-logging-instance-through-cloud-foundry-cli-3658d09.md new file mode 100644 index 0000000..2a8b424 --- /dev/null +++ b/docs/create-an-sap-cloud-logging-instance-through-cloud-foundry-cli-3658d09.md @@ -0,0 +1,51 @@ + + +# Create an SAP Cloud Logging Instance through Cloud Foundry CLI + + + + + + + +## Prerequisites + +See [Prerequisites](prerequisites-41d8559.md). + + + + + +## Create a Service Instance + +1. `cf marketplace` displays the service in the marketplace. +2. To create a service instance, execute the following command and provide the necessary information: + - `cf create-service cloud-logging -c `. + - See [Service Plans](service-plans-a9d2d1b.md) and [Configuration Parameters](configuration-parameters-1830bca.md) for configuration options. + - Here is an example command with additional parameters: + + ``` + cf create-service cloud-logging standard cloud-logging -c '{ + "retention_period": 14, + "backend": { + "max_data_nodes": 10, + "api_enabled": false + }, + "ingest": { + "max_instances": 10 + } + }' + + ``` + + +3. Wait for your dedicated instance to be provisioned. + - Use the following command to verify the service provisioning. This checks the `last operation` status: + + ``` + cf services + ``` + + - Wait until the last operation reads `create succeeded`. The service instance is now available for consumption. + + diff --git a/docs/create-an-sap-cloud-logging-instance-through-sap-btp-cli-21eb1bd.md b/docs/create-an-sap-cloud-logging-instance-through-sap-btp-cli-21eb1bd.md new file mode 100644 index 0000000..5784e76 --- /dev/null +++ b/docs/create-an-sap-cloud-logging-instance-through-sap-btp-cli-21eb1bd.md @@ -0,0 +1,51 @@ + + +# Create an SAP Cloud Logging Instance through SAP BTP CLI + + + + + + + +## Prerequisites + +- See [Prerequisites](prerequisites-41d8559.md). +- Install BTP CLI as described in [Download and Start Using the BTP CLI Client](https://help.sap.com/docs/BTP/65de2977205c403bbc107264b8eccf4b/8a8f17f5fd334fb583438edbd831d506.html). +- Ensure you are [logged in](https://help.sap.com/docs/btp/sap-business-technology-platform/log-in?version=Cloud). + + + + + +## Create a Service Instance + +1. Create a SAP Cloud Logging instance. See [Service Plans](service-plans-a9d2d1b.md) and [Configuration Parameters](configuration-parameters-1830bca.md) for configuration options: + + ``` + btp create services/instance --subaccount --service --offering-name "cloud-logging" --plan-name --parameters + ``` + +2. Wait for your dedicated instance to be provisioned. + + + + + +## Create a Service Binding + +Get a service key to access instance credentials. + +1. Create a service binding. + + ``` + btp create services/binding --subaccount --binding --instance-name + ``` + +2. Get a binding to access instance credentials. + + ``` + btp get services/binding --name --subaccount + ``` + + diff --git a/docs/create-an-sap-cloud-logging-instance-through-sap-btp-cockpit-3aca7af.md b/docs/create-an-sap-cloud-logging-instance-through-sap-btp-cockpit-3aca7af.md new file mode 100644 index 0000000..5b77572 --- /dev/null +++ b/docs/create-an-sap-cloud-logging-instance-through-sap-btp-cockpit-3aca7af.md @@ -0,0 +1,44 @@ + + +# Create an SAP Cloud Logging Instance through SAP BTP Cockpit + + + + + + + +## Prerequisites + +See [Prerequisites](prerequisites-41d8559.md). + + + + + +## Create a Service Instance + +To create an SAP Cloud Logging instance using the SAP BTP Cockpit, follow these steps: + +1. Open the SAP BTP Cockpit and navigate to the `Instances and Subscriptions` page of your subaccount. +2. Click `Create`. +3. Configure your Instance: + - Select `cloud-logging service`. + - Select your preferred service plan \(see [Service Plans](service-plans-a9d2d1b.md)\). + - Set an `Instance Name`. + +4. Configure `Service Configuration Parameters` \(see [Configuration Parameters](configuration-parameters-1830bca.md)\) +5. Review and click `Create`. It takes some time until SAP Cloud Logging is up. + + + + + +## Create a Service Key + +Get a service key to access instance credentials. + +1. Select your SAP Cloud Logging instance to open the `Bindings` panel and click `Create`. +2. Enter a name for the binding and click `Create`. +3. Click the three dots next to the newly created binding and select `View` to show the credentials of the service instance. + diff --git a/docs/create-an-sap-cloud-logging-instance-through-sap-btp-service-operator-f6aa131.md b/docs/create-an-sap-cloud-logging-instance-through-sap-btp-service-operator-f6aa131.md new file mode 100644 index 0000000..2ef2fd2 --- /dev/null +++ b/docs/create-an-sap-cloud-logging-instance-through-sap-btp-service-operator-f6aa131.md @@ -0,0 +1,141 @@ + + +# Create an SAP Cloud Logging Instance through SAP BTP Service Operator + +> ### Note: +> Instances created with SAP BTP Operator can only be managed from SAP BTP Operator. Management operations that require SAP BTP Operator include service update and deletion, as well as binding creation and access. + + + + + +## Prerequisites + +- See [Prerequisites](prerequisites-41d8559.md). +- You need [sap-btp-service-operator installed in Kubernetes cluster](https://github.com/SAP/sap-btp-service-operator/blob/main/README.md#setup). In [SAP BTP, Kyma runtime](https://help.sap.com/docs/btp/sap-business-technology-platform/create-kyma-environment-instance), SAP BTP Service Operator is available if the `btp-operator` [module](https://help.sap.com/docs/btp/sap-business-technology-platform/kyma-modules) is [enabled](https://help.sap.com/docs/btp/sap-business-technology-platform/enable-and-disable-kyma-module). + + + + + +## Create a Service Instance + +1. To create the namespace `sap-cloud-logging-integration`, execute the following command: + + ``` + kubectl create namespace sap-cloud-logging-integration + ``` + +2. To create a service instance of SAP Cloud Logging, first create a `ServiceInstance` custom-resource yaml file. See [Service Plans](service-plans-a9d2d1b.md) and [Configuration Parameters](configuration-parameters-1830bca.md) for configuration options. + + ``` + apiVersion: services.cloud.sap.com/v1alpha1 + kind: ServiceInstance + metadata: + name: < name > + spec: + serviceOfferingName: cloud-logging + servicePlanName: < service plan > + externalName: < externalName > + parameters: + < parameterName1 >: < parameterValue1 > + < parameterName2 >: < parameterValue2 > + + ``` + + For example: + + ``` + apiVersion: services.cloud.sap.com/v1alpha1 + kind: ServiceInstance + metadata: + name: created-with-sap-btp-service-operators + spec: + serviceOfferingName: cloud-logging + servicePlanName: standard + externalName: cloud-logging-created-with-sap-btp-service-operators + parameters: + retentionPeriod: 14 + esApiEnabled: false + + ``` + +3. Apply the custom-resource file in your cluster to create the instance in the sap-cloud-logging-integration namespace. Deploy the configuration with: + + ``` + kubectl apply -n sap-cloud-logging-integration -f path/to/my-service-instance.yaml + ``` + +4. Wait for your dedicated instance to be provisioned. Check the status by executing: + + ``` + kubectl get serviceinstances.services.cloud.sap.com -o yaml + ``` + + +> ### Note: +> To update service parameters, change the values in your yaml file and deploy the changes with `kubectl apply`. + +> ### Note: +> If you have questions about these steps, see [SAP BTP Service operator service instance creation documentation](https://github.com/SAP/sap-btp-service-operator/blob/main/README.md#step-1-create-a-service-instance). + + + + + +## Create a Service Binding + +This step results in a `secret` with the name `cls``sap-cloud-logging-integration` namespace of the Kyma cluster, which provides credentials to see and ingest data. + +1. Create a `ServiceBinding` and `secret` with the BTP Operator in the `sap-cloud-logging-integration` namespace by executing the following command: in the + + ``` + cat <" + ingest-mtls-key: "" + ingest-mtls-cert: "" + # To ingest distributed traces, skip if you want to configure logging only + # certs/keys should be pasted as is, keeping \n characters + ingest-otlp-endpoint: "" + ingest-otlp-key: "" + ingest-otlp-cert: " ### Note: +> The responsibility to rotate credentials remains with the user when applying this approach. + diff --git a/docs/data-protection-and-privacy-80e76fd.md b/docs/data-protection-and-privacy-80e76fd.md new file mode 100644 index 0000000..0c56df8 --- /dev/null +++ b/docs/data-protection-and-privacy-80e76fd.md @@ -0,0 +1,16 @@ + + +# Data Protection and Privacy + +Governments place legal requirements on industry to protect data and privacy. We provide features and functions to help you meet these requirements. + +For general information about data protection and privacy on SAP Business Technology Platform \(BTP\), see the SAP BTP documentation under [Data Protection and Privacy](https://help.sap.com/viewer/65de2977205c403bbc107264b8eccf4b/Cloud/en-US/7e513d31704a4a87831191e504ca850a.html). + +> ### Note: +> SAP does not provide legal advice in any form. SAP software supports data protection compliance by providing security features and data protection-relevant functions, such as blocking and deletion of personal data. In many cases, compliance with applicable data protection and privacy laws is not covered by a product feature. Furthermore, this information should not be taken as advice or a recommendation regarding additional features that would be required in specific IT environments. Decisions related to data protection must be made on a case-by-case basis, taking into consideration the given system landscape and the applicable legal requirements. Definitions and other terms used in this documentation are not taken from a specific legal source. Handle personal data with care. You as the data controller are legally responsible when processing personal data. + +**Related Information** + + +[Data Protection and Privacy](https://help.sap.com/docs/btp/sap-business-technology-platform/data-protection-and-privacy?version=Cloud) + diff --git a/docs/index.md b/docs/index.md new file mode 100644 index 0000000..8f887fd --- /dev/null +++ b/docs/index.md @@ -0,0 +1,23 @@ +# SAP Cloud Logging + +SAP Cloud Logging service is an instance-based and environment-agnostic observability service that builds upon OpenSearch. + +- [What Is SAP Cloud Logging?](what-is-sap-cloud-logging-8342176.md) +- [Service Plans](service-plans-a9d2d1b.md) +- [Initial Setup](initial-setup-ac50297.md) + - [Prerequisites](prerequisites-41d8559.md) + - [Configuration Parameters](configuration-parameters-1830bca.md) + - [Create an SAP Cloud Logging Instance through SAP BTP Cockpit](create-an-sap-cloud-logging-instance-through-sap-btp-cockpit-3aca7af.md) + - [Create an SAP Cloud Logging Instance through Cloud Foundry CLI](create-an-sap-cloud-logging-instance-through-cloud-foundry-cli-3658d09.md) + - [Create an SAP Cloud Logging Instance through SAP BTP CLI](create-an-sap-cloud-logging-instance-through-sap-btp-cli-21eb1bd.md) + - [Create an SAP Cloud Logging Instance through SAP BTP Service Operator](create-an-sap-cloud-logging-instance-through-sap-btp-service-operator-f6aa131.md) +- [Ingest Observability Data](ingest-observability-data-ba16ff7.md) + - [Ingest via Cloud Foundry Runtime](ingest-via-cloud-foundry-runtime-f5a7c99.md) + - [Ingest via Kyma Runtime](ingest-via-kyma-runtime-612c7b9.md) + - [Ingest via OpenTelemetry API Endpoint](ingest-via-opentelemetry-api-endpoint-fdc78af.md) + - [Rotate the Ingestion Root CA Certificate](rotate-the-ingestion-root-ca-certificate-bbcb3e7.md) +- [Access and Analyze Observability Data](access-and-analyze-observability-data-dad5b01.md) +- [Data Protection and Privacy](data-protection-and-privacy-80e76fd.md) +- [Accessibility Features](accessibility-features-1c628e5.md) +- [Stability](stability-a7c0d8d.md) + diff --git a/docs/ingest-observability-data-ba16ff7.md b/docs/ingest-observability-data-ba16ff7.md new file mode 100644 index 0000000..6e299ec --- /dev/null +++ b/docs/ingest-observability-data-ba16ff7.md @@ -0,0 +1,13 @@ + + +# Ingest Observability Data + +Use one or more of the following options to drain observability data in your Cloud Logging instance. + +- [Ingest via Cloud Foundry Runtime](ingest-via-cloud-foundry-runtime-f5a7c99.md) +- [Ingest via Kyma Runtime](ingest-via-kyma-runtime-612c7b9.md) +- Ship via API + - [Ingest via OpenTelemetry API Endpoint](ingest-via-opentelemetry-api-endpoint-fdc78af.md) + +- [Rotate the Ingestion Root CA Certificate](rotate-the-ingestion-root-ca-certificate-bbcb3e7.md) + diff --git a/docs/ingest-via-cloud-foundry-runtime-f5a7c99.md b/docs/ingest-via-cloud-foundry-runtime-f5a7c99.md new file mode 100644 index 0000000..bd4c554 --- /dev/null +++ b/docs/ingest-via-cloud-foundry-runtime-f5a7c99.md @@ -0,0 +1,140 @@ + + +# Ingest via Cloud Foundry Runtime + +Following this guide allows you to benefit from default contents, such as dashboards, index patterns, and retention settings. + + + + + +## Ship Logs from a Cloud Foundry Application + +> ### Note: +> Even without any specific application logs, you can analyze your applications based on the automatically issued request logs from the Cloud Foundry router. + +> ### Note: +> You can [Ingest via OpenTelemetry API Endpoint](ingest-via-opentelemetry-api-endpoint-fdc78af.md). There are no predefined dashboards yet, but you can use the observability plugin by OpenSearch Dashboards. + +Ship logs from applications deployed on SAP BTP Cloud Foundry by binding the application. Bind applications either using the SAP BTP Cockpit or the Cloud Foundry Command Line Interface \(CLI\). + + + + + +## Indirection via Service Key and User-Provided Service + +> ### Note: +> If you delete the service key, the certificates and credentials are invalidated. + +> ### Note: +> Skip this step and bind to your application directly if you are sending with certificates \(as it manages certificate rotation for you\). + +Bind the application directly to an SAP Cloud Logging instance. However, to be resilient against issues during the binding process \(important for automated builds\), we recommend an indirection via service key and binding to a [user-provided service](https://docs.cloudfoundry.org/devguide/services/user-provided.html). Cloud Foundry operations can lead to an implicit rebind, without the need for a rebind. Using service keys provides control over the credential lifecycle. + + + +### Using the Cloud Foundry Command Line Interface + +1. `cf services` lists the service instance. +2. To create a service key without binding to any application via `cf cli`, execute the following command: + + ``` + cf create-service-key + ``` + + > ### Note: + > SAP Cloud Logging needs no configuration parameters during service key creation. + +3. The service key holds all the credentials. To view a service key, execute: + + ``` + cf service-key + + ``` + + and extract ingest-endpoint, ingest-username, and ingest-password. + +4. Create a user-provided service using the following pattern: + + ``` + cf cups -l https://ingest-username:ingest-password@ingest-endpoint/cfsyslog + + ``` + + + + +### Using the SAP BTP Cockpit + +1. Create a service key according to [Creating Service Keys in Cloud Foundry](https://help.sap.com/viewer/09cc82baadc542a688176dce601398de/Cloud/en-US/6fcac08409db4b0f9ad55a6acd4d31c5.html). +2. Create a User-Provided Service following [Creating User-Provided Service Instances in Cloud Foundry Environment](https://help.sap.com/docs/service-manager/sap-service-manager/creating-user-provided-service-instances-in-cloud-foundry-environment), using the information from the service key + +Instance Name:`` + +System Logs Drain URL: `https://ingest-username:ingest-password@ingest-endpoint/cfsyslog` + +> ### Note: +> SAP Cloud Logging needs no configuration parameters during service key creation. + + + + + +## Bind the Application to the Service Instance + + + +### Bind the Application Using the Cloud Foundry Command Line Interface + +To bind the application using CF CLI, execute the following command: + +``` +cf bind-service +``` + +> ### Note: +> CF CLI asks you to restage, but this isn't mandatory to use SAP Cloud Logging. + + + +### Bind the Application Using the SAP BTP Cockpit + +You can bind service instances to applications both at the application view, and at the service-instance view in the cockpit. + +1. [Log On to the Cloud Foundry](https://help.sap.com/docs/BTP/65de2977205c403bbc107264b8eccf4b/350356d1dc314d3199dca15bd2ab9b0e.html) environment using the SAP BTP Cockpit. +2. Navigate to the space in which your application is deployed. For more information, see [Navigate to Global Accounts, Subaccounts, Orgs, and Spaces in the Cockpit](https://help.sap.com/viewer/65de2977205c403bbc107264b8eccf4b/Cloud/en-US/5bf87353bf994819b8803e5910d8450f.html). +3. In the navigation area, choose *Services* \> *Service Marketplace*. +4. Search for SAP Cloud Logging. +5. In the navigation area, choose `Instances`. +6. To create a new instance, choose `New Instance`. In the following steps, you assign an application to this service. This application then writes its logs to the newly created service instance. + 1. Choose the service plan, then choose `Next`. + 2. **Optional**. Browse for the .json file of the app for which you want to write logs. Then choose `Next`. + 3. **Optional**. Choose an application from the dropdown that lists all deployed applications. Then choose `Next`. + 4. Enter the name of the new instance, then choose `Finish`. + +7. **Optional**. If you haven't bound an application to the service instance in the optional steps above, you can bind it from the application’s dashboard. For more information, see [Bind Service Instances to Applications Using the Cockpit](https://help.sap.com/viewer/65de2977205c403bbc107264b8eccf4b/Cloud/en-US/2d2a3e8b2f1348ffbb54eaae10d80b95.html). + + + + + +## Share Service Instance Across Different Spaces + +You can share a single service instance across multiple spaces. Skip this step if you don't need to share a single instance across multiple spaces of the same org. To share the services in an additional space, execute the following command: + +``` +cf share-service -s +``` + + + + + +## Include Logging Libraries + +> ### Caution: +> Ensure that you consider the [SAP BTP Security Recommendation BTP-CLS-0002](https://help.sap.com/docs/btp/sap-btp-security-recommendations-c8a9bb59fe624f0981efa0eff2497d7d/sap-btp-security-recommendations?seclist-index=BTP-CLS-0002&version=Cloud). + +We recommend using one of the Cloud Foundry open-source logging libraries \([Java](https://github.com/SAP/cf-java-logging-support)/[NodeJS](https://github.com/SAP/cf-nodejs-logging-support)\) within your application. + diff --git a/docs/ingest-via-kyma-runtime-612c7b9.md b/docs/ingest-via-kyma-runtime-612c7b9.md new file mode 100644 index 0000000..1aec5a1 --- /dev/null +++ b/docs/ingest-via-kyma-runtime-612c7b9.md @@ -0,0 +1,42 @@ + + +# Ingest via Kyma Runtime + +Kyma's [Telemetry](https://kyma-project.io/docs/kyma/latest/01-overview/telemetry) component supports shipping observability signals to SAP Cloud Logging instances. You can configure different observability signal types independently of each other. + +> ### Caution: +> Ensure that you consider the [SAP BTP Security Recommendation BTP-CLS-0003](https://help.sap.com/docs/btp/sap-btp-security-recommendations-c8a9bb59fe624f0981efa0eff2497d7d/sap-btp-security-recommendations?seclist-index=BTP-CLS-0003&version=Cloud). + + + + + +## Prerequisites + +- An [SAP BTP Kyma runtime](https://help.sap.com/docs/btp/sap-business-technology-platform/create-kyma-environment-instance) instance + - With `telemetry` [module](https://help.sap.com/docs/btp/sap-business-technology-platform/kyma-modules) [enabled](https://help.sap.com/docs/btp/sap-business-technology-platform/enable-and-disable-kyma-module). + - With `btp-operator` [module](https://help.sap.com/docs/btp/sap-business-technology-platform/kyma-modules) [enabled](https://help.sap.com/docs/btp/sap-business-technology-platform/enable-and-disable-kyma-module). + +- Kubernetes CLI \(kubectl\) v1.23 or higher \(see the [kubectl tutorial](https://developers.sap.com/tutorials/cp-kyma-download-cli.html)\). +- SAP Cloud Logging instance with [Ingest via OpenTelemetry API Endpoint](ingest-via-opentelemetry-api-endpoint-fdc78af.md) enabled to ingest distributed traces. We recommend you create it with the SAP BTP Service Operator \(see [Create an SAP Cloud Logging Instance through SAP BTP Service Operator](create-an-sap-cloud-logging-instance-through-sap-btp-service-operator-f6aa131.md)\), because it takes care of creation and rotation of the required Secret. + + + + + +## Procedure + +To integrate Cloud Logging on SAP BTP Kyma Runtime, please follow Kyma documentation on [how to ship from Kyma to SAP Cloud Logging](https://kyma-project.io/#/telemetry-manager/user/integration/sap-cloud-logging/README). + + + + + +## Results + +You can analyze the ingested data in OpenSearch Dashboards \(see [Access and Analyze Observability Data](access-and-analyze-observability-data-dad5b01.md)\) based on the following index patterns: + +1. `logs-json-istio-envoy-kyma`\* for istio access logs +2. `logs-json-kyma*` for application logs +3. [OpenTelemetry related indices](ingest-via-opentelemetry-api-endpoint-fdc78af.md) + diff --git a/docs/ingest-via-opentelemetry-api-endpoint-fdc78af.md b/docs/ingest-via-opentelemetry-api-endpoint-fdc78af.md new file mode 100644 index 0000000..38ba7a1 --- /dev/null +++ b/docs/ingest-via-opentelemetry-api-endpoint-fdc78af.md @@ -0,0 +1,89 @@ + + +# Ingest via OpenTelemetry API Endpoint + +You can ship OpenTelemetry data via OpenTelemetry protocol \(OTLP\) using a combined endpoint for logs, metrics, and traces. This endpoint supports the gRPC protocol, but no other protocol formats of the OTLP specification. + +> ### Note: +> Protocols like http/protobuf or http/json can be converted to gRPC using the [OpenTelemetry Collector](https://opentelemetry.io/docs/collector/). + + + + + +## Procedure + +OpenTelemetry support in SAP Cloud Logging needs to be enabled with a service instance configuration parameter that can be set with service instance creation or update. Once enabled, all new service bindings and service keys contain the OTLP endpoint and credentials. + +1. Enable Endpoint via Configuration Parameter. + + OpenTelemetry ingestion must be enabled explicitly via the following in the service instance configuration: + + ``` + { + "ingest_otlp:": { + "enabled" "true" + } + } + ``` + + After OpenTelemetry has been enabled, the endpoint is added to the service instance. + +2. Retrieve Endpoint and Certificates. + + Once OpenTelemetry ingestion is enabled, all new service bindings and service keys contain the required endpoint and credentials for mutual TLS. SAP Cloud Logging only supports mTLS for the OTLP endpoint. The service key contains the following OTLP-related properties: + + ``` + { + "credentials": { + "ingest-otlp-endpoint": + "ingest-otlp-sf-.:443", + "ingest-otlp-cert": + "-----BEGIN CERTIFICATE-----\n + Your client certificate in PEM format\n + -----END CERTIFICATE-----\n", + "ingest-otlp-key": + "-----BEGIN PRIVATE KEY-----\n + Your client key in PCKS #8 format\n + -----END PRIVATE KEY-----\n", + "server-ca": + "-----BEGIN CERTIFICATE-----\n + Your instance server certificate in PEM format\n + -----END CERTIFICATE-----\n", + } + } + ``` + + > ### Note: + > TLS certificates for client authentication are issued with a validity period of 90 days by default. Rotate the service key and update the credentials in all sender configurations, otherwise, ingestion will stop. + + > ### Caution: + > Ensure that you consider the [SAP BTP Security Recommendation BTP-CLS-0003](https://help.sap.com/docs/btp/sap-btp-security-recommendations-c8a9bb59fe624f0981efa0eff2497d7d/sap-btp-security-recommendations?seclist-index=BTP-CLS-0003&version=Cloud). + + > ### Note: + > Use the `certValidityDays` to configure the validity period via a service binding parameter within the range of 1 to 180 days. For example, passing `'{"ingest":{"certValidityDays":30}}` as the configuration parameter for binding creation sets the validity to 30 days. + + > ### Note: + > Deleting a binding doesn't revoke the corresponding certificate. [Rotate the Ingestion Root CA Certificate](rotate-the-ingestion-root-ca-certificate-bbcb3e7.md) if the root Certification Authority \(Certification Authority\) of your service instance expires soon, or the private key of a certificate was leaked. + +3. Ship OpenTelemetry data with method of choice. + + You can use the endpoint and credentials to ship OpenTelemetry signals retrieved by one of the following instrumentation options: OpenTelemetry SDK, OpenTelemetry Agent, or OpenTelemetry Collector. See [OpenTelemetry documentation on instrumentation](https://opentelemetry.io/docs/concepts/instrumentation/) for more details. + + + + + + +## Result + +You can analyze the ingested OpenTelemetry data in OpenSearch Dashboards \(see [Access and Analyze Observability Data](access-and-analyze-observability-data-dad5b01.md)\). The index names match the requirements for the default analysis features of OpenSearch Dashboards. Indices match the following patterns: + +- `logs-otel-v1-*` for logs +- `metrics-otel-v1-*` for metrics +- `otel-v1-apm-span-*` for traces/spans +- `otel-v1-apm-service-map` for the service map + +> ### Note: +> Due to limitations of OpenSearch/Lucene, signal and resource attribute names have dots replaced with "@," and contain a prefix specifying the attribute type. For example, the resource attribute `service.name` is mapped to `resource.attributes.service@name`. Because of its prominent role, the service name is also available as a field `serviceName`, which reflects the open-source defaults. + diff --git a/docs/initial-setup-ac50297.md b/docs/initial-setup-ac50297.md new file mode 100644 index 0000000..599099b --- /dev/null +++ b/docs/initial-setup-ac50297.md @@ -0,0 +1,25 @@ + + +# Initial Setup + + + + + +## Prerequisites + +See [Prerequisites](prerequisites-41d8559.md) for service creation. + + + + + +## Service Creation + +You can create a service instance from the `Service Marketplace`, following the same steps as for other SAP services. Depending on your [Service Plans](service-plans-a9d2d1b.md) and [Configuration Parameters](configuration-parameters-1830bca.md), you can create a service instance using one of the following methods: + +- [Create an SAP Cloud Logging Instance through SAP BTP Cockpit](create-an-sap-cloud-logging-instance-through-sap-btp-cockpit-3aca7af.md) +- [Create an SAP Cloud Logging Instance through Cloud Foundry CLI](create-an-sap-cloud-logging-instance-through-cloud-foundry-cli-3658d09.md) +- [Create an SAP Cloud Logging Instance through SAP BTP CLI](create-an-sap-cloud-logging-instance-through-sap-btp-cli-21eb1bd.md) +- [Create an SAP Cloud Logging Instance through SAP BTP Service Operator](create-an-sap-cloud-logging-instance-through-sap-btp-service-operator-f6aa131.md) + diff --git a/docs/prerequisites-41d8559.md b/docs/prerequisites-41d8559.md new file mode 100644 index 0000000..cfd3c9f --- /dev/null +++ b/docs/prerequisites-41d8559.md @@ -0,0 +1,181 @@ + + +# Prerequisites + +To create instances of SAP Cloud Logging, you must configure entitlements for SAP Cloud Logging, and integrate SAP Cloud Identity Services - Identity Authentication SAML 2.0 with SAP Cloud Logging. + + + + + +## Configure Entitlements for SAP Cloud Logging + +To create a service instance of SAP Cloud Logging, you need: + +- A Global Account \(see [Getting a Global Account](https://help.sap.com/docs/btp/sap-business-technology-platform/getting-global-account?version=Cloud)\). +- A Subaccount \(see [Getting a Subaccount](https://help.sap.com/docs/btp/sap-business-technology-platform/create-subaccount?version=Cloud)\). +- A service Entitlement for SAP Cloud Logging \(see [Configure Entitlements and Quotas for Subaccounts](https://help.sap.com/docs/btp/sap-business-technology-platform/configure-entitlements-and-quotas-for-subaccounts?version=Cloud)\). + +Once you have these three prerequisites, the service is available in the Service Marketplace. + + + + + +## Integrate SAP Cloud Identity Services - Identity Authentication SAML 2.0 with SAP Cloud Logging + +> ### Caution: +> Ensure that you consider the [SAP BTP Security Recommendation BTP-CLS-0001](https://help.sap.com/docs/btp/sap-btp-security-recommendations-c8a9bb59fe624f0981efa0eff2497d7d/sap-btp-security-recommendations?seclist-index=BTP-CLS-0001&version=Cloud). + +This explains how to integrate with SAP Cloud Identity Services - Identity Authentication SAML 2.0. It results in changes in the Identity Authentication tenant and a corresponding SAML configuration to be used for creating or updating SAP Cloud Logging instances. Access to the Identity Authentication administration console as an administrator is a prerequisite. + +> ### Note: +> We recommend you integrate with Identity Authentication. You can also integrate with other SAML providers, but there will be no support or documentation. + +> ### Note: +> You can reuse the resulting SAML configuration for multiple instances of SAP Cloud Logging. + + + +### Obtain SAML 2.0 IdP Information + +Obtain SAML 2.0 Identity Provider \(IdP\) Information based on the [Identity Authorization guide](https://help.sap.com/docs/identity-authentication/identity-authentication/tenant-saml-2-0-configuration). Use the console URL to access the tenant’s administration console for the Identity Authentication service. The URL has a `https://.accounts.ondemand.com/admin` pattern. + +- Note down the `idp.metadata_url` information as `https://.accounts.ondemand.com/saml2/metadata` +- Note down the `idp.entity_id`. Open the metadata URL in your browser and copy the full value of the entityID field, which is located in the first line of the response. + + + +### Create a SAML 2.0 application + +Create a SAML 2.0 application in your Identity Authentication account based on the [Identity Authorization guide](https://help.sap.com/docs/identity-authentication/identity-authentication/create-saml-2-0-application) and note down the `sp.entity_id` value as name of the SAML 2.0 application. + + + +### Configure the SAML 2.0 application + +Go to `Applications & Resources`, choose `Applications`, and select your application from the list. Then perform the following steps to configure the SAML 2.0 application within Identity Authentication: + +1. [Configure a Self-Defined Attribute](https://help.sap.com/docs/identity-authentication/identity-authentication/user-attributes?version=Cloud) with `Name` "groups," `Source` "Identity Directory," and `Value` "Groups." +2. [Configure Default Name ID Format](https://help.sap.com/docs/btp/sap-business-technology-platform/configure-entitlements-and-quotas-for-subaccounts?version=Cloud) to `E-mail`. +3. Select `SAML 2.0 Configuration` and `Configure Manually`. + - Set the name with value of the `sp.entity_id` from the Create a SAML 2.0 application step. + - Continue with one of the following options. **OPTION 1** is recommended, as it removes the need to specify the IdP SAML application's assertion/logout URL. + - **OPTION 1:** Enable request signing. + - Create a new signing certificate and private key in PKCS8 format. + + ``` + # generate a certificate and a private key in PKCS8 format with a reasonable validity + openssl req -x509 -newkey rsa:2048 -keyout private.key -out cert.pem -nodes -days + # add a password (encrypted) + openssl pkcs8 -topk8 -v1 PBE-SHA1-3DES -in private.key -out private_pkcs8.key + # encode key to base64 format + printf "%s" "$(< private_pkcs8.key)" | base64 + + ``` + + - Enable request signing in Identity Authentication by setting `Require signed authentication requests` to `ON`, going to the `Signing Certificate` section, clicking `Add`, and uploading the certificate. + - Make sure to provide a signing key to the `sp.signature_private_key` field and set the sp.signature\_private\_key\_password field if the signing key is encrypted. The signing certificate in your Identity Authentication SAML 2.0 application can expire, and Identity Authentication rejects login attempts with the error message, "The digital signature of the received SAML2 message is invalid." + + - **OPTION 2:** ⚠️ This step can only be done after an SAP Cloud Logging instance has been created and has to be repeated for each new service instance. + - Set `Assertion Consumer Service Endpoint` to the OpenSearch Dashboards URL plus`/_opendistro/_security/saml/acs`. + - Set `Single Logout Endpoint`: Set binding to HTTP\_REDIRECT and the URL must be the OpenSearch Dashboards URL without any path. + - To store the configuration, click `Save` . + + + + + +### Create a Group and Assign Users + +- [Create a group](https://help.sap.com/docs/identity-authentication/identity-authentication/create-new-user-group) and named `admin_group` for the SAML configuration. This group gets administrative access in OpenSearch. It has permission to modify the security module. + + > ### Note: + > The login procedure forwards Identity Authentication group names to OpenSearch as backend roles. Backend roles can map to OpenSearch roles that grant permissions to the users assigned to the respective Identity Authentication groups. The configuration parameter `admin_group` is mapped automatically to the "all\_access" role + +- [Add users to the group](https://help.sap.com/docs/identity-authentication/identity-authentication/add-users-to-group) who should have admin access. Users can be added or removed at any time. + + + +### Compose SAML Configuration Parameters + +Compose SAML configuration parameters to be used for service instance creation or updates: + + + + + + + + + + + + + + + + + + + + + + + +
+ +SAML Configuration Template + + + +Parameterization + +
+ +``` +"saml": { + "enabled": true, + "initiated": true, + "idp": { + "metadata_url": "", + "entity_id": "" + }, + "admin_group": "", + "roles_key": "groups", + "sp": { + "entity_id": "", + "signature_private_key": "", + "signature_private_key_password": "" + }, + "exchange_key": "" + } + +``` + + + + + +Set IdP information `idp.metadata_url` and `idp.entity_id` from Obtain SAML 2.0 IdP Information step. + +
+ +Set `sp.entity_id` from Create a SAML 2.0 application step. + +
+ +Set `admin_group` from Configure a SAML 2.0 application step. + +
+ +Set `sp.signature_private_key` and `sp.signature_private_key_password` if you selected OPTION 1 in the Configure SAML 2.0 application step. + +
+ +Add `exchange_key` to sign tokens, or remove line. Provide a random key with an even character length \(minimum length: 32\) of alphanumeric characters \(A-Z, a-z, 0-9\). The system generates a randome key f the key is not provided. + +
+ +See [Configuring Applications](https://help.sap.com/docs/identity-authentication/identity-authentication/configuring-applications) in Identity Authentication Service. + diff --git a/docs/rotate-the-ingestion-root-ca-certificate-bbcb3e7.md b/docs/rotate-the-ingestion-root-ca-certificate-bbcb3e7.md new file mode 100644 index 0000000..448a7f2 --- /dev/null +++ b/docs/rotate-the-ingestion-root-ca-certificate-bbcb3e7.md @@ -0,0 +1,35 @@ + + +# Rotate the Ingestion Root CA Certificate + +Rotating the ingestion root Certification Authority \(CA\) certificate is a delicate process that must be performed with special care. It's a three-step process that provisions a new root CA certificate for your instance, then invalidates the previous root CA certificate. + + + +Root CA rotation is only necessary when ingesting data using mutual TLS authentication \(mTLS\), and + +- The root CA certificate of your CLS instance is expiring soon, or +- The private key of a client certificate was leaked. + +> ### Caution: +> Not following this process can result in premature invalidation of certificates and, as a result, interruption of log ingestion. + + + + + +## CA Rotation Procedure + +1. Create a new Root CA certificate. + + Start the root CA certificate rotation by updating the `rotate_root_ca` [Configuration Parameters](configuration-parameters-1830bca.md) from `false` to `true`. This creates a new root CA certificate for your service instance, while retaining the previous root CA certificate. Bindings created before the service instance update continue to work, so ingestion isn't affected. New bindings return certificates issued by the new root CA. + +2. Rebind all Applications. + + With the new root CA certificate in place, create new bindings for each shipping mechanism. Since this process depends on the sending mechanism, refer to [Ingest Observability Data](ingest-observability-data-ba16ff7.md). + +3. Delete the old root CA certificate. + + After recreating all of your ingestion-related bindings, update your service instance configuration `rotate_root_ca` service parameter to `false`. Afterwards, validate that the ingestion still works as expected for all bindings. + + diff --git a/docs/service-plans-a9d2d1b.md b/docs/service-plans-a9d2d1b.md new file mode 100644 index 0000000..6332d0a --- /dev/null +++ b/docs/service-plans-a9d2d1b.md @@ -0,0 +1,43 @@ + + +# Service Plans + +The SAP Cloud Logging service plans provide different ingestion and storage capabilities. + +> ### Note: +> Updating service plans isn't supported. The recommended migration procedure involves running instances side-by-side during a transition. + +For production service plans, service instances scale automatically within the configured limits. To avoid disk overflow, there is time-based and disk-utilization-based data curation. If the disk usage watermark has been exceeded and the instance is scaled to its maximum, the system automatically deletes the oldest indices. The term `net storage capacity` used in service plan descriptions refers to the usable disk-size up to the watermark and has subtracted the disk space required for replicas. Service plans can handle peak load in relation to their storage volumes. However, service quality degradation can happen if the load exceeds the non-scaled disk capacity within one day. + +To get an overview on the availability of SAP Cloud Logging according to region, infrastructure provider, and release status, visit the [SAP Discovery Center](https://discovery-center.cloud.sap/protected/index.html#/serviceCatalog/cloud-logging). + + + + + +## Development Plan + +The `dev` plan is only for evaluation purposes. It must not be used in production use cases, as it lacks cloud qualities. It also doesn't include auto-scaling or data replication, and has limited ingestion throughput. Therefore it isn't suitable for testing loads exceeding its 7.5 GB-storage capacity. + + + + + +## Standard Plan + +The `standard` plan targets usage in production. It incorporates data replication, and enables automatic scaling of net storage capacity from 75 GB to 375 GB. + +> ### Example: +> If the average ingest rate is 100x 2 kB logs per second, a single standard plan instance can sustain storage for approximately 8 to 43 days, depending on the specific scaling configuration. + + + + + +## Large Plan + +The `large` plan targets usage in production. It incorporates data replication and enables automatic scaling of net storage capacity from 750 GB to 3.75 TB. + +> ### Example: +> If the average ingest rate is 1000x 2 kB logs per second, a single large plan instance can sustain storage for approximately 8 to 43 days, depending on the specific scaling configuration. + diff --git a/docs/stability-a7c0d8d.md b/docs/stability-a7c0d8d.md new file mode 100644 index 0000000..3e33d36 --- /dev/null +++ b/docs/stability-a7c0d8d.md @@ -0,0 +1,34 @@ + + +# Stability + +The service quality of Cloud Logging instances is a shared responsibility between service provider and service user. + + + + + +## What does Cloud Logging manage on my behalf? + +Cloud Logging manages the work involved in setting up a domain, from provisioning infrastructure capacity to installing the OpenSearch software. Once your instance is running, Cloud Logging automates common administrative tasks, such as auto-scaling, retention, and patching software. Cloud Logging also offers and maintains end-to-end integration into different SAP environments by providing specific ingestion endpoints, parsing, and preconfigured dashboards. + + + + + +## How can atypical usage compromise service qualities? + +Cloud Logging strives to deliver a resilient service. + +However, the flexibility in utilization and configuration of OpenSearch features comes at the cost that service quality may be compromised through atypical usage. + +Areas of usage that may result in service degradation when deviating from documented paths include: + +- **Overloading the OpenSearch component** +- - **Exceeding Ingestion Limits**: going beyond the save ingestion limits specified in \[Service Plans\]\(service\_plans.md\) documentation may impact the service quality of the database. Deleting indices that is written to or filling the disk \(without considering auto-scaling\) within one day may disrupt service qualities. +- **Resource-Intensive Recurring Tasks**: The configuration of recurring tasks in a resource-expensive way may impact the service quality of the database. +- **Backend API Usage**: OpenSearch API can be enabled which opens a plethora of possibilities to impact the service quality of the database. + +- **Incorrect Identity Provider Configuration**: Incorrectly configured identity provider may result in the inability to login to the dashboards UI. +- **Neglecting Certificate Rotation**: Lack of certificates rotation leads to interrupted ingestion after certificate expiry. + diff --git a/docs/what-is-sap-cloud-logging-8342176.md b/docs/what-is-sap-cloud-logging-8342176.md new file mode 100644 index 0000000..1572aa2 --- /dev/null +++ b/docs/what-is-sap-cloud-logging-8342176.md @@ -0,0 +1,83 @@ + + +# What Is SAP Cloud Logging? + + + +SAP Cloud Logging service is an instance-based observability service that builds upon OpenSearch to store, visualize, and analyze application logs, metrics, and traces from SAP BTP Cloud Foundry, Kyma, Kubernetes and other runtime environments. For Cloud Foundry and Kyma, it offers an easy integration by providing predefined contents to investigate load, latency, and error rates of the observed applications based on their requests and correlate them with additional data. + + + +## Features + + +
+
+ +Store observability data + +
+
+ +Store observability data from SAP BTP workloads. Ingest logs, metrics, and traces via OpenTelemetry format API. Ingest observability data via JSON format API. Ingest application logs and request logs emitted by Cloud Foundry. + + + +
+ +Configure retention + +
+
+ +Persist the ingested observability data for a configurable retention period. Note: This is overruled by size-based curation when the disk runs full. + + + +
+ +View, search, and analyze data + +
+
+ +View, search, filter, and analyze observability data in a web-based user interface using predefined dashboards. + + + +
+ +Create custom dashboards + +
+
+ +Build and persist custom dashboards to analyze your observability data tailored to your specific requirements. + + + +
+ +Configure notifications + +
+
+ +Configure customized notifications derived from the observability data of your applications. + + + +
+ +Manage access + +
+
+ +Enable management of users and group-based access using SAP Identity Authentication Service. + + + +
+
+