Bulk Export of Audit Log Events
You can request a bulk export of audit logs, and within 3–4 business days Oracle support will begin making copies of the logs and adding them to buckets in your tenancy. The export includes logs for the specified regions, beginning after you make the request and continuing into the future.
- Administrators have full control of the buckets and can provide access to others with IAM policy statements.
- Exported logs remain available indefinitely. You can automatically manage archiving and deleting logs using Object Storage. See Using Object Lifecycle Management.
- Specify all the regions you want exported in your request. If you only request some regions, then decide later you want to add other regions, you must make another request.
- To disable your bulk export, contact Oracle support. New logs will stop being added to the bucket, and audit logs will only be available through the Console, based on the retention period you have defined.
Required IAM Policy
To access the bucket where Oracle exports the audit logs, you must be a member of the Administrators group. See The Administrators Group and Policy.
Requesting an Export of Audit Logs
A member of the Administrators group for your tenancy must create a ticket at My Oracle Support and provide the following information:
- Ticket name: Export Audit Logs - <your_company_name>
- Tenancy OCID
- Regions
For example:
- Ticket name: Export Audit Logs - ACME
- Tenancy OCID: ocid1.tenancy.oc1.<unique_ID>
- Regions: us-ashburn-1, us-phoenix-1
It can take 3–4 business days before your My Oracle Support ticket is complete and the logs are available to you.
Bucket and Object Details
This section specifies the naming conventions of the bucket and objects you receive.
Bucket Name Format
Oracle support creates buckets for audit log exports using the following naming format:
- oci-logs identifies that Oracle created this bucket.
- _audit identifies that the bucket contains audit events.
- <compartment_OCID> identifies the compartment where the audit events were generated.
If the OCID of the compartment that generated the audit log contains a colon, your bucket name will not match the OCID. To create a bucket, Oracle must substitute colon characters (:) from the OCID with dot characters (.) in the bucket name.
Object Name Format
Objects use the following naming format:
- <region> identifies the region where the audit events were generated.
- <ad> identifies the availability domain where the audit events were generated.
- <YYYY-MM-DDTHH:MMZ> specifies the start of a 10-minute window for audit events listed in the object. For example, during a thirty-minute period, Oracle would write three objects: the first contains audit events that occurred from 00–09:59, the second contains events from 10–19:59, and the third contains events from 20–29:59.
- [_<seqNum>] specifies a conditional sequence number. If present, this number means that either an event came in late or the object became too large to write. Sequence numbers start at two. Apply multiple sequence numbers to the original object in the order listed.
Files list a single audit event per line. For more information, see Contents of an Audit Log Event.
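The following is an added example, not part of Oracle's documentation. It shows how a log pipeline could order exported objects so that each 10-minute window's original object is applied before its numbered follow-ups, and how to find a compartment's bucket after the colon-to-dot substitution. The function names, the sample names, and the separators and file suffix in them are assumptions; only the timestamp, the optional _<seqNum>, and the substitution rule come from the text above.

```python
import re
from datetime import datetime, timedelta, timezone

# <YYYY-MM-DDTHH:MMZ> plus the optional _<seqNum>; whatever precedes the
# timestamp (region, availability domain, separators) is kept as an opaque prefix.
_NAME = re.compile(r"(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2})Z(?:_(?P<seq>\d+))?")
WINDOW = timedelta(minutes=10)

def parse_object_name(name):
    """Return (prefix, window_start, window_end, seq) for one exported object."""
    m = _NAME.search(name)
    if m is None:
        raise ValueError(f"no window timestamp in object name: {name!r}")
    start = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M").replace(tzinfo=timezone.utc)
    # The original object has no sequence number; numbered objects start at two.
    seq = int(m["seq"]) if m["seq"] else 1
    if m["seq"] and seq < 2:
        raise ValueError(f"sequence numbers start at two: {name!r}")
    return name[:m.start()], start, start + WINDOW, seq

def apply_order(names):
    """Order objects per prefix and window: original first, then _2, _3, ... numerically."""
    def key(name):
        prefix, start, _end, seq = parse_object_name(name)
        return prefix, start, seq
    return sorted(names, key=key)

def buckets_for_compartment(bucket_names, compartment_ocid):
    """Find export buckets for a compartment; colons in the OCID appear as dots."""
    token = compartment_ocid.replace(":", ".")
    return [b for b in bucket_names if token in b]

# Constructed sample listing (separators and suffix are assumed, not from the page).
SAMPLE_OBJECTS = [
    "us-ashburn-1/ad1/2024-05-01T00:10Z.log.gz",
    "us-ashburn-1/ad1/2024-05-01T00:00Z_10.log.gz",
    "us-ashburn-1/ad1/2024-05-01T00:00Z_2.log.gz",
    "us-ashburn-1/ad1/2024-05-01T00:00Z.log.gz",
]
SAMPLE_BUCKETS = ["oci-logs._audit.ocid1.compartment.oc1..constructed.example"]

if __name__ == "__main__":
    for obj in apply_order(SAMPLE_OBJECTS):
        print(obj)
    print(buckets_for_compartment(SAMPLE_BUCKETS, "ocid1.compartment.oc1..constructed:example"))
```

A plain lexicographic sort of the object names would place _10 before _2, which is why the sequence number is compared as an integer.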