Enable Access to Logging Analytics and Its Resources

Set up your Oracle Cloud Infrastructure tenancy to use Oracle Cloud Logging Analytics by performing these prerequisite configuration tasks.

Oracle Cloud Logging Analytics is a regional service. Before you get started, select a region that you want to use. You can follow these steps for each region that you want to set up, but each region will be a different instance. Select your region by using the region selector in the upper right corner of the console.

For Logging Analytics policies documentation, see Details for Logging Analytics.

Enable Access from Logging Analytics to Its Features Family

A service-level IAM policy must be created to enable the Oracle Cloud Logging Analytics service to operate. Create a policy by using standard Oracle Cloud Infrastructure IAM Policies and add the following policy statement to it.

Policy statement, followed by its description:
allow service loganalytics to READ loganalytics-features-family in tenancy

Allow the Oracle Cloud Logging Analytics service READ access rights of the family loganalytics-features-family across the tenancy.

See Managing Policies in Oracle Cloud Infrastructure Documentation.

Identify OCI Compartments to Place the Logging Analytics Resources

Use compartments to hold Oracle Cloud Logging Analytics resources such as entities and log groups. Fine-tune access to the compartments for better user access control.

You can use existing compartments or you can create new ones specifically for Oracle Cloud Logging Analytics. You can create multiple compartments to give different sets of users access to different parts of the product or log data. For more guidance on how compartments work, see Managing Compartments in Oracle Cloud Infrastructure Documentation.

Resources in Oracle Cloud Logging Analytics must reside in compartments. When you create any of the following resources, you must select the compartment that they will be in:

Each resource is listed below, followed by the access control available for it through Oracle IAM policies:

Entities

You can control who can enable or disable log collection for a specific entity.

Log Groups

You can control who can search the logs after they have been collected, enriched, and indexed.

Purge Policies

You can control who can stop or change the purge policy definition.

Object Storage Collection Rules

You can control who can stop or change the collection rule.

See Managing Policies in Oracle Cloud Infrastructure Documentation.

Create User Groups to Implement Access Control

Create one or more user groups to grant varying levels of access to the users depending on how you want to use Oracle Cloud Logging Analytics.

A user who is a member of the Administrators group will have full access to all the features of Oracle Cloud Logging Analytics.

Recommended User Groups

It is recommended that you create the user groups similar to the following examples to get started:

  • Logging-Analytics-Users: The users that you add to this group will be able to query the logs and see various configurations. However, they cannot enable or disable log collection, change configurations, or delete logs.
  • Logging-Analytics-Admins: The users that you add to this group will have Logging-Analytics-Users privileges and additionally can create or edit sources, parsers, entities, and log groups. These users can also enable or disable log collection. However, they cannot purge logs.
  • Logging-Analytics-SuperAdmins: The users in this group have the privileges of Logging-Analytics-Admins and can additionally perform lifecycle activities such as onboarding and offboarding from Oracle Cloud Logging Analytics, and purging logs.

Note that the above groups are shown as examples, and will be used for creating IAM policies in this documentation. However, you can create the user groups based on your needs.

See Managing Groups in Oracle Cloud Infrastructure Documentation.

Aggregate Resource-Types in Logging Analytics

The following two families allow you to grant bulk access without having to assign individual permissions to each user group. For most cases, you can use these to simplify the management of your Oracle Cloud Logging Analytics policies, but for the details of all available policies, see Logging Analytics policies documentation at Details for Logging Analytics.

  • loganalytics-features-family to control the features that a user has access to, and the actions that the user can perform using Console, REST API, CLI, or SDK.

    loganalytics-features-family and the resources contained in it can be set only at the tenancy level, not per compartment.

  • loganalytics-resources-family to control the access that the user has for creating, reading, updating, and deleting the resources such as entities, log groups, purge policies, and object store collection rules.

    This family and the resources contained in it can be granted access for the whole tenancy or for a specific compartment.

Grant Access to User Groups

Create policies by using standard Oracle Cloud Infrastructure IAM Policies to define how your user groups can use Oracle Cloud Logging Analytics.

Note

If you want to quickly try out Oracle Cloud Logging Analytics without managing groups and policies, a user who is a member of the Administrators group will have full access to all features.

To set up the policy according to the example groups in Create User Groups to Implement Access Control, apply the following sets of policies in the Oracle Cloud Infrastructure IAM Policies feature:

Each policy statement below is followed by its description.

For Logging-Analytics-SuperAdmins user group:

allow group Logging-Analytics-SuperAdmins to MANAGE loganalytics-features-family in tenancy

Allow the group Logging-Analytics-SuperAdmins to have the MANAGE access rights of the family loganalytics-features-family across the tenancy.

This policy will enable rights to perform every task in the service including offboarding, deleting logs, setting up archiving, etc.

allow group Logging-Analytics-SuperAdmins to MANAGE loganalytics-resources-family in tenancy

OR

allow group Logging-Analytics-SuperAdmins to MANAGE loganalytics-resources-family in compartment myCompartment1

Allow the group Logging-Analytics-SuperAdmins to have MANAGE access rights of the family loganalytics-resources-family across the tenancy or in a specific compartment.

This policy will enable rights to perform any task in the service on any resource-type that belongs to the family loganalytics-resources-family.

allow group Logging-Analytics-SuperAdmins to MANAGE management-dashboard-family in tenancy

Allow the group Logging-Analytics-SuperAdmins to have all the access rights for the Management Dashboard family of resources in the tenancy. You could change from tenancy to specific compartments.

allow group Logging-Analytics-SuperAdmins to read compartments in tenancy

Allow the group Logging-Analytics-SuperAdmins to get the list of available compartments for the log groups that the group may have access to. This is required for using the Log Explorer.

For Logging-Analytics-Admins user group:

allow group Logging-Analytics-Admins to use loganalytics-features-family in tenancy

Allow the group Logging-Analytics-Admins to have the USE access rights of the family loganalytics-features-family across the tenancy.

allow group Logging-Analytics-Admins to use loganalytics-resources-family in tenancy

OR

allow group Logging-Analytics-Admins to use loganalytics-resources-family in compartment myCompartment1

Allow the group Logging-Analytics-Admins to have USE access rights of the family loganalytics-resources-family across the tenancy or in a specific compartment.

Allow this group to view, create, edit, or delete the resources in the family loganalytics-resources-family.

allow group Logging-Analytics-Admins to manage management-dashboard-family in tenancy

OR

allow group Logging-Analytics-Admins to manage management-dashboard-family in compartment myCompartment2

Allow the group Logging-Analytics-Admins to have all the access rights for the Management Dashboard family of resources in the tenancy. You could change from tenancy to specific compartments.

allow group Logging-Analytics-Admins to read compartments in tenancy

Allow the group Logging-Analytics-Admins to get the list of available compartments for the log groups that the group may have access to. This is required for using the Log Explorer.

For Logging-Analytics-Users user group:

allow group Logging-Analytics-Users to read loganalytics-features-family in tenancy

Allow the group Logging-Analytics-Users to have the READ access rights of the family loganalytics-features-family across the tenancy.

allow group Logging-Analytics-Users to read loganalytics-resources-family in tenancy

OR

allow group Logging-Analytics-Users to read loganalytics-resources-family in compartment myCompartment1

Allow the group Logging-Analytics-Users to have READ access rights of the family loganalytics-resources-family across the tenancy. You could change from tenancy to specific compartments.

Allow this group to view details of the resources in the family loganalytics-resources-family. Users cannot create, edit, or delete any of them.

allow group Logging-Analytics-Users to use management-dashboard-family in tenancy

OR

allow group Logging-Analytics-Users to use management-dashboard-family in compartment myCompartment2

Allow the group Logging-Analytics-Users to have the USE access rights for the Management Dashboard family of resources in the tenancy. You could change from tenancy to specific compartments.

allow group Logging-Analytics-Users to read compartments in tenancy

Allow the group Logging-Analytics-Users to get the list of available compartments for the log groups that the group may have access to. This is required for using the Log Explorer.

For the complete IAM policy matrix and examples, see Getting Started with Policies in Oracle Cloud Infrastructure Documentation.

You can add compartment-specific policy statements for any number of compartments that you want to create for organizing the resources like entities and log groups. These resources can also be in different compartments altogether. It is not necessary that all the resource instances of different types be in the same compartment. However, you may find it easier to manage if you can minimize the number of compartments used.
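One way to check draft statements against the three example tiers before applying them, as an added example that is not Oracle's code. The baseline table encodes the highest verb this page grants each example group; the lint function, the finding texts, and the draft statements are constructed for illustration.

```python
import re

# OCI IAM verbs, lowest to highest privilege.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}
FAMILIES = ("loganalytics-features-family", "loganalytics-resources-family",
            "management-dashboard-family", "compartments")
# Highest verb this page grants each example group, per resource (assumed baseline).
BASELINE = {
    "Logging-Analytics-Users": dict(zip(FAMILIES, ("read", "read", "use", "read"))),
    "Logging-Analytics-Admins": dict(zip(FAMILIES, ("use", "use", "manage", "read"))),
    "Logging-Analytics-SuperAdmins": dict(zip(FAMILIES, ("manage", "manage", "manage", "read"))),
}
# Matches only the "allow group ... in tenancy|compartment X" form used on this page.
STATEMENT = re.compile(
    r"^allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>\w+)\s+(?P<resource>\S+)"
    r"\s+in\s+(?P<scope>tenancy|compartment\s+\S+)$", re.IGNORECASE)


def lint(statement):
    """Return a list of findings for one policy statement (empty list = within baseline)."""
    m = STATEMENT.match(statement.strip())
    if not m:
        return ["unparsed: not in the group-policy form used on this page"]
    verb, resource = m["verb"].lower(), m["resource"].lower()
    if verb not in VERB_RANK:
        return [f"unknown verb '{verb}'"]
    findings = []
    # The features family can be set only at the tenancy level, not per compartment.
    if resource == FAMILIES[0] and m["scope"].lower() != "tenancy":
        findings.append("loganalytics-features-family must be scoped to tenancy")
    allowed = BASELINE.get(m["group"], {}).get(resource)
    if allowed is None:
        findings.append("no baseline for this group and resource: review manually")
    elif VERB_RANK[verb] > VERB_RANK[allowed]:
        findings.append(f"{verb} exceeds baseline {allowed} for {m['group']}")
    return findings


# Constructed draft statements, not taken from a real tenancy.
DRAFT = [
    "allow group Logging-Analytics-Users to read loganalytics-resources-family in compartment myCompartment1",
    "allow group Logging-Analytics-Users to manage loganalytics-resources-family in tenancy",
    "allow group Logging-Analytics-Admins to use loganalytics-features-family in compartment myCompartment1",
    "allow group DBA to use log-analytics-entity in compartment Databases",
]

if __name__ == "__main__":
    for s in DRAFT:
        print(s, "->", lint(s) or "ok")
```

Group names are compared exactly as written in the baseline table, so a group outside the three example tiers is reported for manual review rather than passed.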

Instead of using the resources family, you can also specify a policy that is at the individual resource level. For example:

Each policy statement below is followed by its description.

allow group DBA to use log-analytics-entity in compartment Databases

Users in the DBA group can create, edit, or delete entities and enable or disable log collection for entities in the Databases compartment.

allow group DBA to use log-analytics-log-group in compartment Databases

Users in the DBA group can create, edit, or delete log groups and query the logs that are stored in the Databases compartment.

Enable Logging Analytics

After completing the prerequisite tasks such as creating user groups, creating compartments, and defining access policies for the user groups, you can access Oracle Cloud Logging Analytics and enable it for use.

To enable Oracle Cloud Logging Analytics, you must be a member of the example user group Logging-Analytics-SuperAdmins defined above or the Administrators group. Having MANAGE access on the loganalytics-features-family enables the on-boarding ability for Oracle Cloud Logging Analytics.

  1. Open the navigation menu, click Observability & Management, and then click Logging Analytics.

  2. If this is the first time that you are using the service in this region, you will land on an on-boarding page that will give you some high level details of the service and an option to start using Oracle Cloud Logging Analytics service. Click Start Using Logging Analytics.

    The Enable Logging Analytics dialog box is displayed. Here, the minimum required policies and log group are created if they don't exist already.

  3. Click Set Up Ingestion to initiate ingesting the logs.

    Confirm whether you want to install the Management Agent to continuously collect logs from the host. You can also confirm whether you want to collect OCI Audit Logs for analysis. Based on your preference, the policies are created and suitable actions are performed.

After the on-boarding is complete, you can explore Oracle Cloud Logging Analytics.