Oracle Cloud Infrastructure Documentation

Viewing Audit Log Events

Audit provides records of API operations performed against supported services as a list of log events. The service logs events at both the tenant and compartment level. By default, audit logs are maintained for 90 days. You can configure audit log retention for up to 365 days. Log events are preserved in JavaScript Object Notation (JSON) format and can be analyzed using standard log analysis tools. To programmatically download logged events, use the Java SDK. For more information about using the Java SDK, see Getting Started with the Java SDK.

When viewing events logged by Audit, you might be interested in specific activities that happened in the tenancy or compartment and who was responsible for the activity. You will need to know the approximate time and date something happened and the compartment in which it happened to display a list of log events that includes the activity in question. List log events by specifying a time range on the 24-hour clock in Greenwich Mean Time (GMT), calculating the offset for your local time zone, as appropriate. New activity is appended to the existing list, usually within 15 minutes of the API call, though processing time can vary.

Required IAM Policy

To use Oracle Cloud Infrastructure, you must be given the required type of access in a policy written by an administrator, whether you're using the Console or the REST API with an SDK, CLI, or other tool. If you try to perform an action and get a message that you don’t have permission or are unauthorized, confirm with your administrator the type of access you've been granted and which compartment you should work in.

A policy is an IAM document that specifies who has what type of access to your resources. The term is used in different ways: to mean an individual statement written in the policy language; to mean a collection of statements in a single, named "policy" document (which has an Oracle Cloud ID (OCID) assigned to it); and to mean the overall body of policies your organization uses to control access to resources. A compartment is a collection of related resources that can be accessed only by certain groups that have been given permission by an administrator in your organization.

For administrators: The following policy statement gives the specified group (Auditors) the ability to view all the Audit event logs in the tenancy:

Allow group Auditors to read audit-events in tenancy

To give the group access to the Audit event logs in a specific compartment only (Project-A), write a policy like the following:

Allow group Auditors to read audit-events in compartment Project-A

If you're new to policies, see Getting Started with Policies and Common Policies. For more details about policies for Audit, see Details for the Audit Service.

Searching and Filtering in the Console

When you navigate to Audit in the Console, a list of results is generated for the current compartment. Audit logs are organized by compartment, so if you are looking for a particular event, you must know which compartment the event occurred in. You can filter the list in all the following ways: 

  • Date and time
  • Request Action Types (operations)
  • Keywords

For example, users begin to report that their attempts to log in are failing. You want to use Audit to research the problem. Adjust the date and time to search for corresponding failures during a window of time that starts a little before the events were reported. Look for corresponding failures and similar operations preceding the failures to correlate a reason for the failures.

Note

The service logs events at the time they are processed. There can be a delay between the time an operation occurs and when it is processed.

You can filter results by request actions to zero in on only the events with operations that interest you. For example, say you only want to know about instances that were deleted during a specific time frame. Select a delete request action filter to see only the events with delete operations.

You can also filter by keywords. Keyword filters are powerful when combined with the values from audit event fields. For example, say you know the user name of an account and want a list of all activity by that account in a particular time frame. Do a search using the user name as a keyword filter.

Every audit event contains the same fields, so search for values from those fields. To get a better understanding of what values are available, see Contents of an Audit Log Event.
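The same search can be run over exported JSON events with a short script. The following is an added example, not Oracle's code: it converts a local report time to a GMT window, applies request action and keyword filters, and lists the operations that preceded the first failure. The sample events are constructed, the function names are hypothetical, and the field names (eventTime, userName, requestAction, requestResource, responseStatus) are assumptions to check against Contents of an Audit Log Event.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample events. Field names are assumed, not taken from this page;
# verify them against "Contents of an Audit Log Event" before use.
SAMPLE_EVENTS = json.loads("""[
 {"eventTime": "2024-03-05T13:41:10Z", "userName": "admin.example", "requestAction": "PUT",
  "requestResource": "/users/alice.example/state", "responseStatus": "200"},
 {"eventTime": "2024-03-05T13:58:02Z", "userName": "alice.example", "requestAction": "POST",
  "requestResource": "/login", "responseStatus": "401"},
 {"eventTime": "2024-03-05T14:03:47Z", "userName": "alice.example", "requestAction": "POST",
  "requestResource": "/login", "responseStatus": "401"},
 {"eventTime": "2024-03-05T14:05:00Z", "userName": "bob.example", "requestAction": "DELETE",
  "requestResource": "/instances/example-instance", "responseStatus": "204"}
]""")

def utc_window(local_report, utc_offset_hours, lead_minutes=30):
    """Turn a local wall-clock report time into a GMT window starting a little before it."""
    report_utc = (local_report - timedelta(hours=utc_offset_hours)).replace(tzinfo=timezone.utc)
    return report_utc - timedelta(minutes=lead_minutes), report_utc

def parse_time(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def search(events, start, end, action=None, keyword=None):
    """Time range first, then optional request action and keyword filters."""
    hits = []
    for ev in events:
        if not (start <= parse_time(ev) <= end):
            continue
        if action and ev["requestAction"] != action:
            continue
        if keyword and not any(keyword in str(v) for v in ev.values()):
            continue  # keyword is matched against every field value
        hits.append(ev)
    return sorted(hits, key=parse_time)

def failures_with_context(events, start, end, keyword):
    """Failed requests (status >= 400) for the keyword, plus matches preceding the first one."""
    matched = search(events, start, end, keyword=keyword)
    failed = [e for e in matched if int(e["responseStatus"]) >= 400]
    before = [e for e in matched if failed and parse_time(e) < parse_time(failed[0])]
    return failed, before

if __name__ == "__main__":
    start, end = utc_window(datetime(2024, 3, 5, 9, 10), utc_offset_hours=-5)
    failed, before = failures_with_context(SAMPLE_EVENTS, start, end, "alice.example")
    print(len(failed), "failures; preceded by:", [e["requestResource"] for e in before])
```

Because the keyword is matched against every field, the search also surfaces the administrator's change to the account that preceded the failed logins, even though a different user made that request.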

Using the Console

To search log events
To view the details of a log event
To copy the details of a log event

Using the API

Note

This is a query API. Do not use this API for bulk-export operations.

For information about using the API and signing requests, see REST APIs and Security Credentials. For information about SDKs, see Software Development Kits and Command Line Interface.

Use the following operation to manage log events: