Oracle Cloud Infrastructure Documentation

Contents of an Audit Log Event

The following explains the contents of a log event. The table does not include request headers that are specific to an Internet browser or other client.

Property Description
compartmentId The Oracle Cloud Identifier (OCID) of the compartment.
credentialId The credential ID of the user. This value is extracted from the HTTP 'Authorization' request header. It consists of the tenantId, userId, and user fingerprint, all delimited by a slash (/).
compartmentName The name of the compartment. This value is the friendly name associated with compartmentId. This value can change, but Audit logs the value that appeared at the time of the audit event.
eventId The global unique identifier (GUID) of the event.
eventName The name of the event.

Note

Not all services support this property. A null value may appear when not supported by the related service.

eventSource The source of the event.
eventTime The time the event occurred, expressed in RFC 3339 timestamp format.
eventType The type of the event. (Currently, Audit supports only API activities.)
id The OCID of the resource. Found in responsePayload along with the name of the resource (resourceName). Some API operations generate an audit event, but don't involve a resource, so then the audit event does not have an id.
principalId

The OCID of the user or service that triggered the event. Find the friendly name of the service or user for this OCID in userName.

requestAction The HTTP method of the request.
requestAgent The user agent of the client that made the request.
requestHeaders The HTTP header fields and values in the request.
requestId The opc-request-id of the request. An opc-request-id is a unique Oracle-assigned identifier for the request. If you need to contact Oracle about a particular request, please provide the request ID.
requestOrigin The IP address of the source of the request.
requestParameters The query parameter fields and values for the request.
responsePayload Metadata of interest from the response payload. For example, the OCID of a resource (id) and the name of the resource (resourceName). Some API operations generate an audit event, but don't involve a resource, so then responsePayload is empty.
requestResource The resource targeted by the request.
resourceName The name of the resource. Found in responsePayload along with the OCID of the resource (id). Some API operations generate an audit event, but don't involve a resource, so then the audit event does not have a resourceName.
responseHeaders The headers of the response.
responseStatus The status code of the response.
responseTime The time of the response to the audited request, expressed in RFC 3339 timestamp format.
tenantId The OCID of the tenant.
userName The name of the user or service that triggered this event. This value is the friendly name associated with principalId.

Resource Identifiers

Most types of Oracle Cloud Infrastructure resources have a unique, Oracle-assigned identifier called an Oracle Cloud ID (OCID). For information about the OCID format and other ways to identify your resources, see Resource Identifiers.

An Example Log Event

The following is an example log event recorded by the Audit service. Copy the event into a text file to make it easier to read.

{
  "requestAgent": "<Browsers, Operating systems>",
  "compartmentName": "CompartmentA",
  "credentialId": "",
  "responseTime": "2018-06-14T22:24:37.713Z",
  "eventType": "ServiceApi",
  "requestHeaders": {
     <The HTTP header fields and values from the request.>
  },
  "compartmentId": "ocid.compartment.oc1..<compartment_OCID>",
  "requestId": "example-4092-8233-e8371f94/example1BF1CE734676108C6345FF/51FE3CACE106DD8F825508D04E91E261",
  "eventName": "LaunchInstance",
  "eventSource": "ExampleService",
  "responseStatus": "200",
  "requestParameters": {
    "compartmentId": [
      "example.compartment.region1..<compartment_OCID>"
    ],
    "availabilityDomain": [
      "Example-AD-2"
    ],
    "sortOrder": [
      "DESC"
    ],
    "limit": [
      "25"
    ],
    "sortBy": [
      "timeCreated"
    ]
  },
  "userName": "JohnSmith",
  "responsePayload":{
    "resourceName":"example-instance-name","id":"ocid1.instance.oc1.phx.<instance_OCID>
    },
  "requestAction": "GET",
  "tenantId": "example.tenancy.oc1..<tenancy_OCID>",
  "responseHeaders": {
    "Access-Control-Expose-Headers": [
      "opc-previous-page,opc-next-page,opc-client-info,ETag,opc-request-id,Location"
    ],
    "Access-Control-Allow-Origin": [
      "https://console.us-phoenix-1.oraclecloud.com"
    ],
    "Access-Control-Allow-Credentials": [
      "true"
    ],
    "Connection": [
      "close"
    ],
    "Content-Length": [
      "3"
    ],
    "opc-request-id": [
      "example-4092-8233-EXAMPLEB863DC6CEC1BF1CE734676108C6345FF/51FE3CACE106DD8F825508D04E91E261"
    ],
    "Date": [
      "Thu, 14 Jun 2018 22:24:37 GMT"
    ],
    "Content-Type": [
      "application/json"
    ]
  },
  "principalId": "example.user.oc1..<principal_OCID>",
  "requestOrigin": "172.24.96.35",
  "eventTime": "2018-06-14T22:24:37.671Z",
  "eventId": "examplea9-f488-4842-96cb-a10f2893b369",
  "requestResource": ""/20160918/images/ocid1.image.region1..<resource_OCID>"
}