Oracle Cloud Infrastructure Documentation

Bulk Export of Audit Log Events

You can request a bulk export of audit logs, and within 3–4 business days Oracle support will begin making copies of the logs and adding them to buckets in your tenancy. The export includes logs for the specified regions, beginning after you make the request and continuing into the future.

Highlights

  • Administrators have full control of the buckets and can provide access to others with IAM policy statements.
  • Exported logs remain available indefinitely.

    Tip

    You can automatically manage archiving and deleting logs using Object Storage. See Using Object Lifecycle Management.

  • Specify all the regions you want exported in your request. If you request only some regions and later decide to add others, you must make another request.
  • To disable your bulk export, contact Oracle support. New logs will stop being added to the bucket, and audit logs will only be available through the Console, based on the retention period you have defined.

Required IAM Policy

To access the bucket where Oracle exports the audit logs, you must be a member of the Administrators group. See The Administrators Group and Policy.

Requesting an Export of Audit Logs

A member of the Administrators group for your tenancy must create a ticket at My Oracle Support and provide the following information: 

  • Ticket name: Export Audit Logs - <your_company_name>
  • Tenancy OCID
  • Regions

For example:

  • Ticket name: Export Audit Logs - ACME
  • Tenancy OCID: ocid1.tenancy.oc1.<unique_ID>
  • Regions: us-ashburn-1, us-phoenix-1

Note

It can take 3–4 business days before your My Oracle Support ticket is complete and the logs are available to you.

Bucket and Object Details

This section specifies the naming conventions of the bucket and objects you receive.

Bucket Name Format

Oracle support creates buckets for audit log exports using the following naming format: 

oci-logs._audit.<compartment_OCID>

  • oci-logs identifies that Oracle created this bucket.
  • _audit identifies that the bucket contains audit events.
  • <compartment_OCID> identifies the compartment where the audit events were generated.

For example:

oci-logs._audit.ocid1.compartment.oc1..<unique_ID>

Important

If the OCID of the compartment that generated the audit log contains a colon, your bucket name will not match the OCID. To create a bucket, Oracle must replace colon characters (:) in the OCID with dot characters (.) in the bucket name.

Object Name Format

Objects use the following naming format: 

<region>/<ad>/<YYYY-MM-DDTHH:MMZ>[_<seqNum>].log.gz

  • <region> identifies the region where the audit events were generated.
  • <ad> identifies the availability domain where the audit events were generated.
  • <YYYY-MM-DDTHH:MMZ> identifies the start time of the earliest audit event listed in the object.
  • [_<seqNum>] identifies a conditional sequence number. If present, this number means that either an event came in late or the object became too large to write. Sequence numbers start at two. Apply multiple sequence numbers to the original object in the order listed.

For example: 

us-phoenix-1/ad1/2019-03-21T00:00Z.log.gz
us-phoenix-1/ad1/2019-03-21T00:00Z_2.log.gz

File Format

Files list a single audit event per line. For more information, see Contents of an Audit Log Event.
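
An added example (not Oracle's code) that applies the naming rules above when collecting the export for review: it derives the expected bucket name, validates object names, orders them so the unnumbered object is read before _2, _3 and so on, and reads events line by line. It assumes each line is a JSON object and reads the sequence-number rule as numeric order; the sample names, OCID and events are constructed.

```python
import gzip
import io
import json
import re

# <region>/<ad>/<YYYY-MM-DDTHH:MMZ>[_<seqNum>].log.gz
OBJECT_RE = re.compile(
    r"(?P<region>[^/]+)/(?P<ad>[^/]+)/"
    r"(?P<start>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}Z)(?:_(?P<seq>\d+))?\.log\.gz"
)

def bucket_name(compartment_ocid):
    """Expected export bucket for a compartment; colons become dots."""
    return "oci-logs._audit." + compartment_ocid.replace(":", ".")

def parse_object_name(name):
    """Return (region, ad, start, seq); the unnumbered object is seq 1."""
    m = OBJECT_RE.fullmatch(name)
    if m is None:
        raise ValueError(f"not an audit export object name: {name!r}")
    seq = 1 if m["seq"] is None else int(m["seq"])
    if m["seq"] is not None and seq < 2:
        raise ValueError(f"sequence numbers start at two: {name!r}")
    return m["region"], m["ad"], m["start"], seq

def replay_order(names):
    """Original object first, then _2, _3, ... numerically (_10 after _9)."""
    return sorted(names, key=parse_object_name)

def read_events(gz_bytes):
    """One event per line; JSON encoding of each line is an assumption."""
    with gzip.open(io.BytesIO(gz_bytes), "rt", encoding="utf-8") as fh:
        return [json.loads(line) for line in fh if line.strip()]

# Constructed sample data, not real audit output.
SAMPLE_NAMES = [
    "us-phoenix-1/ad1/2019-03-21T00:00Z_10.log.gz",
    "us-phoenix-1/ad1/2019-03-21T00:00Z_2.log.gz",
    "us-phoenix-1/ad1/2019-03-21T00:00Z.log.gz",
]
SAMPLE_OBJECT = gzip.compress(b'{"eventId": "a1"}\n{"eventId": "b2"}\n')

if __name__ == "__main__":
    print(bucket_name("ocid1.compartment.oc1..exampleuniqueid"))
    for name in replay_order(SAMPLE_NAMES):
        print(name)
    print(read_events(SAMPLE_OBJECT))
```

A plain string sort would place _10 before _2, which is why the sequence number is compared as an integer.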