Getting Started with Audit
The Oracle Cloud Infrastructure Audit service is included with your Oracle Cloud Infrastructure tenancy. The Audit service automatically records calls to the public application programming interface (API) endpoints for your Oracle Cloud Infrastructure tenancy. The service records events relating to the actions taken on the Oracle Cloud Infrastructure resources. Events recorded in the log can be viewed, retrieved, stored, and analyzed. These log events include information such as:
- ID of the caller
- target resource
- time of the recorded event
- request parameters
- response parameters
This task helps you get started with the Audit service by showing you how to find and view a specific event.
For complete details on the Audit service, see Overview of Audit.
Prerequisite
To create an event to view, create and delete a VCN in the Networking service.
- Select the compartment (from the list on the left) in which you want to create the VCN.
- Open the navigation menu, click Networking, and then click Virtual cloud networks.
- Click Create Virtual Cloud Network.
- Enter the following:
- Name: Enter "Audit_Test".
- CIDR Block: Enter "10.0.0.0/16".
Leave all other fields with their default settings. Click Create Virtual Cloud Network.
The VCN is displayed in the list.
- Next to your VCN name, click the OCID: Copy link. You will use the OCID to help you find the event.
- Terminate the VCN: Click the , and then click Terminate. Confirm when prompted.
Using Audit to View Events
In this task, you will use Audit to find the delete VCN event.
Audit time stamps events according to Coordinated Universal Time (UTC). Before you get started, be aware of your local time zone offset.
- Open the navigation menu, click Identity & Security, and then click Audit.
The list of events that occurred in the current compartment is displayed. Audit logs are organized by compartment, so if you are looking for a particular event, you must know which compartment the event occurred in.
- From the Compartment list, select the compartment in which you created the VCN.
The list of events for the compartment is displayed.
- To find the delete VCN event, you can try the following filters:
Filter by time
- Click in the Start date box to display the date and time editor.
- Select the current date from the calendar. Type or select values for hour and minute to approximate the preceding hour. Enter the time as Coordinated Universal Time (UTC) using 24-hour clock notation.
- Repeat the above steps to enter an end date for the current date and time, so that you filter results for the preceding hour.
Example: If you are located in the America/Los Angeles time zone and you are looking for an event that occurred between 1:15 PM and 2:15 PM local time on October 25, enter 21:15 and 22:15 to account for the UTC offset.
- Click Search.
Filter events by keywords
You can further filter the results list to display only log entries that include a specific text string. Try the following entries to help you find the delete VCN event:
Tip
When you filter by keywords, use quotes to avoid results that have a similar string embedded in a longer string. For example, the quotes around the responseStatus "204" prevent matches of 204 embedded in a longer string somewhere else in the audit event.
- Filter by the responseStatus value
In the Keywords box, type "204" and click Search to display only events that returned the 204 (i.e., deleting resource) response status.
- Filter by requestResource value
In the Keywords box, paste the VCN OCID that you copied to your clipboard in the prerequisite step and click Search.
Review the events to find the DELETE event.
Filter events by request action types
- Filter by the request action types
On the Request actions types menu, select "DELETE" and click Search.
The list filters to show only DELETE events. Scan the list to find your VCN termination event.
- View the details of your event:
- To see only the top-level details, click the down arrow to the right of an event.
- To see lower-level details, click { . . . } to the right of the collapsed parameter.
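The following added example (not part of the Oracle documentation) reproduces the three filters above offline, showing the UTC conversion for the time window and why a quoted keyword returns fewer false matches than a bare one. The event records are constructed and simplified, the OCID is a placeholder, the fixed UTC-8 offset is an assumption chosen to match the times in the example above, and modeling the keyword search as a text match on the serialized event is also an assumption.

```python
import json
from datetime import datetime, timedelta, timezone

# Assumption: fixed UTC-8 local offset, which gives the page's 1:15 PM -> 21:15 UTC.
LOCAL = timezone(timedelta(hours=-8))
VCN_OCID = "ocid1.vcn.oc1..exampleuniqueID"  # placeholder, not a real OCID

# Constructed, simplified events (field names follow the page, not the full schema).
ROWS = [
    ("2023-10-25T21:20:05Z", "POST", VCN_OCID, "200"),
    ("2023-10-25T21:42:10Z", "DELETE", VCN_OCID, "204"),
    ("2023-10-25T21:50:00Z", "GET", "ocid1.subnet.oc1..example2045", "200"),
    ("2023-10-25T23:05:00Z", "DELETE", "ocid1.subnet.oc1..exampleother", "204"),
]
KEYS = ("eventTime", "requestAction", "requestResource", "responseStatus")
EVENTS = [dict(zip(KEYS, row)) for row in ROWS]

def to_utc(year, month, day, hour, minute):
    """Convert a local wall-clock time to the UTC value entered in the date box."""
    return datetime(year, month, day, hour, minute, tzinfo=LOCAL).astimezone(timezone.utc)

def search(events, start, end, keyword=None, action=None):
    """Apply the time window, then the optional keyword and request action filters."""
    hits = []
    for ev in events:
        when = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if not (start <= when <= end):
            continue
        if action and ev["requestAction"] != action:
            continue
        # Keyword search modeled as a text match on the serialized event, so a
        # keyword typed with its quotes only matches a complete string value.
        if keyword and keyword not in json.dumps(ev):
            continue
        hits.append(ev)
    return hits

def demo():
    start, end = to_utc(2023, 10, 25, 13, 15), to_utc(2023, 10, 25, 14, 15)
    return {
        "window": (start.strftime("%H:%M"), end.strftime("%H:%M")),
        "bare_204": len(search(EVENTS, start, end, keyword="204")),
        "quoted_204": len(search(EVENTS, start, end, keyword='"204"')),
        "by_ocid": len(search(EVENTS, start, end, keyword=VCN_OCID)),
        "delete": search(EVENTS, start, end, action="DELETE"),
    }

if __name__ == "__main__":
    print(demo())
```

The bare keyword also matches the subnet OCID that happens to contain 204, while the quoted keyword matches only the event whose responseStatus is exactly "204".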