Searching Logs
This topic describes how to search your logs using the Search page.
Overview of Log Search
Logging provides a powerful tool to search indexed logs. Use the Console to perform any of the following tasks:
- Search logs, whether in a basic user interface mode, or by typing custom queries in an advanced mode.
- Filter on values in logs, whether by log fields, text search, or time intervals, all in terms of chosen compartments or log groups.
- Visualize log data in a bar chart view, along with accompanying tabular data.
- Explore each log line in more detail. View the raw JSON payload, and view before/after information.
- Export search results to a JSON file.
Logs are indexed by default, which allows them to be searched using the Console.
Required IAM Policy
To use Oracle Cloud Infrastructure, you must be granted security access in a policy by an administrator. This access is required whether you're using the Console or the REST API with an SDK, CLI, or other tool. If you get a message that you don’t have permission or are unauthorized, verify with your administrator what type of access you have and which compartment you should work in.
Administrators: For specific examples of policy, see Required Permissions for Searching Logs.
If you're new to policies, see Getting Started with Policies and Common Policies. If you want to know more about writing policies for Logging, see Details for Logging.
Required Permissions for Searching Logs
To search indexed logs, a user must have the read permission on the log
content and read access to the log group.
allow group GroupA to read log-groups in tenancy
allow group GroupA to read log-content in tenancyTo search indexed logs, you must have access to the log group that contains the indexed logs. For more information, see Required Permissions for Working with Logs and Log Groups.
To view and search Audit Logs, you must also have the corresponding Audit-related permissions. See Details for the Audit Service for more information. For example:
search "compartment"requiresAUDIT_EVENT_READ, and if there are any log objects, it would also requireLOG_CONTENT_READsearch "compartment/_Audit"requires justAUDIT_EVENT_READ.search "compartmentOcid/logGroupNameOrOcid/logNameOrOcid"requiresLOG_CONTENT_READonly.search "compartmentOcid1/_Audit" "compartmentOcid2/logGroupNameOrOcid/logNameOrOcid"requiresLOG_CONTENT_READoncompartmentOcid2andAUDIT_EVENT_READoncompartmentOcid1.