Oracle Cloud Infrastructure Documentation

Contents of an Audit Log Event

The following explains the contents of an Audit log event. Every audit log event includes two main parts: 

  • Envelopes that act as a container for all event messages
  • Payloads that contain data from the resource emitting the event message

Resource Identifiers

Most types of Oracle Cloud Infrastructure resources have a unique, Oracle-assigned identifier called an Oracle Cloud ID (OCID). For information about the OCID format and other ways to identify your resources, see Resource Identifiers.

Event Envelope

These attributes for an event envelope are the same for all events. The structure of the envelope follows the CloudEvents industry standard format hosted by the Cloud Native Computing Foundation ( CNCF).

Property Description
cloudEventsVersion

The version of the CloudEvents specification.

Note

Audit uses version 0.1 specification of the CloudEvents event envelope.

contentType Set to application/json. The content type of the data contained in the data attribute.
data The payload of the event. Information within data comes from the resource emitting the event.
eventID

The UUID of the event. This identifier is not an OCID, but just a unique ID for the event.

eventTime The time of the event, expressed in RFC 3339 timestamp format.
eventType

The type of event that happened.

Note

The service that produces the event can also add, remove, or change the meaning of a field. A service implementing these type changes would publish a new version of an eventType and revise the eventTypeVersion field.

eventTypeVersion

The version of the event type. This version applies to the payload of the event, not the envelope. Use cloudEventsVersion to determine the version of the envelope.

source The resource that produced the event. For example, an Autonomous Database or an Object Storage bucket.

Payload

The data in these fields depends on which service produced the event log and the event type it defines.

Data

The data object contains the following attributes.

Property Description
data.additionalDetails A container object for attributes unique to the resource emitting the event.
data.availabilityDomain The availability domain where the resource resides.
data.compartmentId The OCID of the compartment of the resource emitting the event.
data.compartmentName The name of the compartment of the resource emitting the event.
data.definedTags Defined tags added to the resource emitting the event.
data.eventGroupingId

This value links multiple audit events that are part of the same API operation. For example, a long running API operation that emits an event at the start and the end of the operation.

data.eventName

Name of the API operation that generated this event.

Example: LaunchInstance

data.freeformTags Free-form tags added to the resource emitting the event.
data.identity A container object for identity attributes. See Identity.
data.request A container object for request attributes. See Request.
data.resourceId An OCID or an ID for the resource emitting the event.
data.resourceName The name of the resource emitting the event.
data.response A container object for response attributes. See Response.
data.stateChange A container object for state change attributes. See State Change.
Identity
Request
Response
State Change

An Example Audit Log

The following is an example an event recorded by the Audit service.

{
	"eventType": "com.oraclecloud.ComputeApi.GetInstance",
	"cloudEventsVersion": "0.1",
	"eventTypeVersion": "2.0",
	"source": "ComputeApi",
	"eventId": "<unique_ID>",
	"eventTime": "2019-09-18T00:10:59.252Z",
	"contentType": "application/json",
	"data": {
		"eventGroupingId": null,
		"eventName": "GetInstance",
		"compartmentId": "ocid1.tenancy.oc1..<unique_ID>",
		"compartmentName": "compartmentA",
		"resourceName": "my_instance",
		"resourceId": "ocid1.instance.oc1.phx.<unique_ID>",
		"availabilityDomain": "<availability_domain>",
		"freeformTags": null,
		"definedTags": null,
		"identity": {
			"principalName": "ExampleName",
			"principalId": "ocid1.user.oc1..<unique_ID>",
			"authType": "natv",
			"callerName": null,
			"callerId": null,
			"tenantId": "ocid1.tenancy.oc1..<unique_ID>",
			"ipAddress": "172.24.80.88",
			"credentials": null,
			"userAgent": "Jersey/2.23 (HttpUrlConnection 1.8.0_212)",
			"consoleSessionId": null
		},
		"request": {
			"id": "<unique_ID>",
			"path": "/20160918/instances/ocid1.instance.oc1.phx.<unique_ID>",
			"action": "GET",
			"parameters": {},
			"headers": {
				"opc-principal": [
					"{\"tenantId\":\"ocid1.tenancy.oc1..<unique_ID>\",\"subjectId\":\"ocid1.user.oc1..<unique_ID>\",\"claims\":[{\"key\":\"pstype\",\"value\":\"natv\",\"issuer\":\"authService.oracle.com\"},{\"key\":\"h_host\",\"value\":\"iaas.r2.oracleiaas.com\",\"issuer\":\"h\"},{\"key\":\"h_opc-request-id\",\"value\":\"<unique_ID>\",\"issuer\":\"h\"},{\"key\":\"ptype\",\"value\":\"user\",\"issuer\":\"authService.oracle.com\"},{\"key\":\"h_date\",\"value\":\"Wed, 18 Sep 2019 00:10:58 UTC\",\"issuer\":\"h\"},{\"key\":\"h_accept\",\"value\":\"application/json\",\"issuer\":\"h\"},{\"key\":\"authorization\",\"value\":\"Signature headers=\\\"date (request-target) host accept opc-request-id\\\",keyId=\\\"ocid1.tenancy.oc1..<unique_ID>/ocid1.user.oc1..<unique_ID>/8c:b4:5f:18:e7:ec:db:08:b8:fa:d2:2a:7d:11:76:ac\\\",algorithm=\\\"rsa-pss-sha256\\\",signature=\\\"<unique_ID>\\\",version=\\\"1\\\"\",\"issuer\":\"h\"},{\"key\":\"h_(request-target)\",\"value\":\"get /20160918/instances/ocid1.instance.oc1.phx.<unique_ID>\",\"issuer\":\"h\"}]}"
				],
				"Accept": [
					"application/json"
				],
				"X-Oracle-Auth-Client-CN": [
					"splat-proxy-se-02302.node.ad2.r2"
				],
				"X-Forwarded-Host": [
					"compute-api.svc.ad1.r2"
				],
				"Connection": [
					"close"
				],
				"User-Agent": [
					"Jersey/2.23 (HttpUrlConnection 1.8.0_212)"
				],
				"X-Forwarded-For": [
					"172.24.80.88"
				],
				"X-Real-IP": [
					"172.24.80.88"
				],
				"oci-original-url": [
					"https://iaas.r2.oracleiaas.com/20160918/instances/ocid1.instance.oc1.phx.<unique_ID>"
				],
				"opc-request-id": [
					"<unique_ID>"
				],
				"Date": [
					"Wed, 18 Sep 2019 00:10:58 UTC"
				]
			}
		},
		"response": {
			"status": "200",
			"responseTime": "2019-09-18T00:10:59.278Z",
			"headers": {
				"ETag": [
					"<unique_ID>"
				],
				"Connection": [
					"close"
				],
				"Content-Length": [
					"1828"
				],
				"opc-request-id": [
					"<unique_ID>"
				],
				"Date": [
					"Wed, 18 Sep 2019 00:10:59 GMT"
				],
				"Content-Type": [
					"application/json"
				]
			},
			"payload": {
				"resourceName": "my_instance",
				"id": "ocid1.instance.oc1.phx.<unique_ID>"
			},
			"message": null
		},
		"stateChange": {
			"previous": null,
			"current": null
		},
		"additionalDetails": {
			"imageId": "ocid1.image.oc1.phx.<unique_ID>",
			"shape": "VM.Standard1.1",
			"type": "CustomerVmi"
		}
	}
}