Enable Access to Logging Analytics and Its Resources

Set up your Oracle Cloud Infrastructure tenancy to use Oracle Cloud Logging Analytics by performing these prerequisite configuration tasks.

Oracle Cloud Logging Analytics is a regional service. Before you get started, select a region that you want to use. You can follow these steps for each region that you want to set up, but each region will be a different instance. Select your region by using the region selector in the upper right corner of the console.

For Logging Analytics policies documentation, see Details for Logging Analytics.

Enable Access from Logging Analytics to Its Features Family

A service-level IAM policy must be created to enable the Oracle Cloud Logging Analytics service to operate. Create a policy by using standard Oracle Cloud Infrastructure IAM Policies and add the following policy statement to it.

Policy Statement: allow service loganalytics to READ loganalytics-features-family in tenancy

Description: Allow the Oracle Cloud Logging Analytics service READ access rights of the family loganalytics-features-family across the tenancy.

See Managing Policies in Oracle Cloud Infrastructure Documentation.

Identify OCI Compartments to Place the Logging Analytics Resources

Use compartments to create resources of Oracle Cloud Logging Analytics like entities and log groups. Fine-tune the access to the compartments for better user access control.

You can use existing compartments or you can create new ones specifically for Oracle Cloud Logging Analytics. You can create multiple compartments to give different sets of users access to different parts of the product or log data. For more guidance on how compartments work, see Managing Compartments in Oracle Cloud Infrastructure Documentation.

Resources in Oracle Cloud Logging Analytics must reside in the compartments. When you create any of the following resources, you must select the compartment that they will be in:

Resource: Access Control Using Oracle IAM Policies

  • Entities: You can control who can enable or disable log collection for a specific entity.
  • Log Groups: You can control who can search the logs after they have been collected, enriched, and indexed.
  • Purge Policies: You can control who can stop or change the purge policy definition.
  • Object Storage Collection Rules: You can control who can stop or change the collection rule.

See Managing Policies in Oracle Cloud Infrastructure Documentation.

Create User Groups to Implement Access Control

Create one or more user groups to grant varying levels of access to the users depending on how you want to use Oracle Cloud Logging Analytics.

A user who is a member of the Administrators group will have full access to all the features of Oracle Cloud Logging Analytics.

See Managing Groups in Oracle Cloud Infrastructure Documentation.

It is recommended that you create the user groups similar to the following examples to get started:

  • Logging-Analytics-Users: The users that you add to this group will be able to query the logs and see various configurations. However, they cannot enable or disable log collection, change configurations, or delete logs.
  • Logging-Analytics-Admins: The users that you add to this group will have Logging-Analytics-Users privileges and additionally can create or edit sources, parsers, entities, and log groups. These users can also enable or disable log collection. However, they cannot purge logs.
  • Logging-Analytics-SuperAdmins: The users in this group have the privileges of Logging-Analytics-Admins and can additionally perform lifecycle activities such as onboarding and offboarding from Oracle Cloud Logging Analytics, and purging logs.

Note that the above groups are shown as examples, and will be used for creating IAM policies in this documentation. However, you can create the user groups based on your needs.

Grant Access to User Groups

Create policies by using standard Oracle Cloud Infrastructure IAM Policies to define how your user groups can use Oracle Cloud Logging Analytics.

If you want to quickly try out Oracle Cloud Logging Analytics without managing groups and policies, a user who is a member of the Administrators group will have full access to all features.

Oracle Cloud Logging Analytics resource definitions enable the administrator to create fine-grained control over who can perform what actions in Oracle Cloud Logging Analytics. Typically, the user group IAM policies are of the following format:

allow group UserGroupName to read compartments in tenancy

In the above format, replace UserGroupName with any groups of users who will use the product. This is required for using the Log Explorer to get the list of available compartments for the log groups that the user may have access to.

The following two feature families allow you to grant bulk access without having to assign individual permissions to each user group. For most cases, you can use these to simplify the management of your Oracle Cloud Logging Analytics policies, but for the details of all available policies, see Logging Analytics policies documentation at Details for Logging Analytics.

  • loganalytics-features-family to control the features that a user has access to, and the actions that the user can perform using Console, REST API, CLI, or SDK.

    loganalytics-features-family and the resources contained in it can be set only at the tenancy level, not per compartment.

  • loganalytics-resources-family to control the access that the user has for creating, reading, updating, and deleting the resources such as entities, log groups, purge policies, and object store collection rules.

    This family and the resources contained in it can be granted access for the whole tenancy or for a specific compartment.

To set up the policy according to the example groups in Create User Groups to Implement Access Control, apply the following sets of policies in the Oracle Cloud Infrastructure IAM Policies feature:

For Logging-Analytics-SuperAdmins user group:

Policy: allow group Logging-Analytics-SuperAdmins to MANAGE loganalytics-features-family in tenancy

Description: Allow the group Logging-Analytics-SuperAdmins to have the MANAGE access rights of the family loganalytics-features-family across the tenancy.

This policy will enable rights to perform every task in the service including offboarding, deleting logs, setting up archiving, etc.

Policy: allow group Logging-Analytics-SuperAdmins to MANAGE loganalytics-resources-family in tenancy

Description: Allow the group Logging-Analytics-SuperAdmins to have MANAGE access rights of the family loganalytics-resources-family across the tenancy. You could change from tenancy to specific compartments.

This policy will enable rights to perform any task in the service on any resource.

Policy: allow group Logging-Analytics-SuperAdmins to MANAGE management-dashboard-family in tenancy

Description: Allow the group Logging-Analytics-SuperAdmins to have all the access rights for the Management Dashboard family of resources in the tenancy. You could change from tenancy to specific compartments.

For Logging-Analytics-Admins user group:

Policy: allow group Logging-Analytics-Admins to use loganalytics-features-family in tenancy

Description: Allow the group Logging-Analytics-Admins to have the USE access rights of the family loganalytics-features-family across the tenancy.

Policy: allow group Logging-Analytics-Admins to use loganalytics-resources-family in tenancy

Description: Allow the group Logging-Analytics-Admins to have USE access rights of the family loganalytics-resources-family across the tenancy. You could change from tenancy to specific compartments.

Policy: allow group Logging-Analytics-Admins to manage management-dashboard-family in tenancy

Description: Allow the group Logging-Analytics-Admins to have all the access rights for the Management Dashboard family of resources in the tenancy. You could change from tenancy to specific compartments.

For Logging-Analytics-Users user group:

Policy: allow group Logging-Analytics-Users to read loganalytics-features-family in tenancy

Description: Allow the group Logging-Analytics-Users to have the READ access rights of the family loganalytics-features-family across the tenancy.

Policy: allow group Logging-Analytics-Users to read loganalytics-resources-family in tenancy

Description: Allow the group Logging-Analytics-Users to have READ access rights of the family loganalytics-resources-family across the tenancy. You could change from tenancy to specific compartments.

Policy: allow group Logging-Analytics-Users to use management-dashboard-family in tenancy

Description: Allow the group Logging-Analytics-Users to have the USE access rights for the Management Dashboard family of resources in the tenancy. You could change from tenancy to specific compartments.

For using Management Dashboard, apply the following policy:

Policy: allow group Logging-Analytics-UserGroup to MANAGE management-dashboard-family in tenancy

Description: Allow the group Logging-Analytics-UserGroup to have all the access rights for the Management Dashboard family of resources in the tenancy.

For complete IAM policy matrix and examples, see Getting Started with Policies in Oracle Cloud Infrastructure Documentation.

Depending on how you want to organize the access to entities and log groups, you can write various policies to control access by the compartment these resources are located in. For example:

Policy: allow group Logging-Analytics-Users to read loganalytics-resources-family in compartment myCompartment1

Description: Allow the group Logging-Analytics-Users to have the read access rights of the family loganalytics-resources-family in the compartment myCompartment1.

Allow this group to view details of entities and log groups. User cannot create, edit, or delete any of them.

Policy: allow group Logging-Analytics-Admins to use loganalytics-resources-family in compartment myCompartment1

Description: Allow the group Logging-Analytics-Admins to have the use access rights to the resources of the family loganalytics-resources-family in the compartment myCompartment1.

Allow this group to view, create, edit, or delete the resources like entities, log groups, dashboards, and saved searches.

Policy: allow group Logging-Analytics-SuperAdmins to manage loganalytics-resources-family in compartment myCompartment1

Description: Allow the group Logging-Analytics-SuperAdmins to have the manage rights to the resources of the family loganalytics-resources-family in the compartment myCompartment1.

Allow this group to perform any action on resources.

You can add these policies for any number of compartments that you want to create for organizing the resources like entities and log groups. These resources can also be in different compartments altogether. It is not necessary that all the resource instances of different types be in the same compartment. However, you may find it easier to manage if you can minimize the number of compartments used.

Instead of using the resources family, you can also specify a policy that is at the individual resource level. For example:

Policy: allow group DBA to use log-analytics-entity in compartment Databases

Description: Users in the DBA group can create, edit, or delete entities and enable or disable log collection for entities in the Databases compartment.

Policy: allow group DBA to use log-analytics-log-group in compartment Databases

Description: Users in the DBA group can create, edit, or delete log groups and query the logs that are stored in the Databases compartment.
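
The scoping rules in this section can be checked automatically before a policy is saved. The following linter is an added example, not Oracle's code; it assumes single-token group and compartment names as used on this page, and its list of resource types contains only those that appear in this page's statements.

```python
import re

# Scope rule from the page: the features family is tenancy-only; the other
# families and individual resource types may also be granted per compartment.
TENANCY_ONLY = {"loganalytics-features-family"}
# Assumption: only the resource types that appear in this page's statements.
KNOWN = TENANCY_ONLY | {
    "loganalytics-resources-family", "management-dashboard-family",
    "log-analytics-entity", "log-analytics-log-group", "compartments"}
VERBS = {"inspect", "read", "use", "manage"}  # OCI policy verbs

STMT = re.compile(
    r"^allow\s+(?:group|service)\s+\S+\s+to\s+(?P<verb>\w+)\s+"
    r"(?P<resource>\S+)\s+in\s+(?P<scope>tenancy|compartment\s+(?:id\s+)?\S+)$",
    re.IGNORECASE)

def lint(statement):
    """Return the findings for one policy statement; an empty list is clean."""
    m = STMT.match(statement.strip())
    if not m:
        return ["unparseable: expected 'allow group|service X to VERB RESOURCE in SCOPE'"]
    verb, resource, scope = (m[g].lower() for g in ("verb", "resource", "scope"))
    findings = []
    if verb not in VERBS:
        findings.append(f"unknown verb '{verb}'")
    if resource not in KNOWN:
        findings.append(f"unknown resource type '{resource}'")
    if resource in TENANCY_ONLY and scope != "tenancy":
        findings.append(f"{resource} can only be granted in tenancy")
    if (verb == "manage" and scope == "tenancy"
            and resource in KNOWN - TENANCY_ONLY):
        findings.append(f"manage on {resource} is tenancy-wide; consider a compartment")
    return findings

# Constructed sample policy in the page's style; the last three are flagged.
SAMPLE = [
    "allow service loganalytics to READ loganalytics-features-family in tenancy",
    "allow group DBA to use log-analytics-entity in compartment Databases",
    "allow group Logging-Analytics-Users to read loganalytics-features-family in compartment myCompartment1",
    "allow group Logging-Analytics-SuperAdmins to MANAGE loganalytics-resources-family in tenancy",
    "allow group Logging-Analytics-Admins to use loganalytics-resource-family in tenancy",
]

def lint_policy(statements):
    """Map each statement that has findings to its list of findings."""
    return {s: f for s in statements if (f := lint(s))}

if __name__ == "__main__":
    for stmt, findings in lint_policy(SAMPLE).items():
        print(stmt, *findings, sep="\n    ")
```

The tenancy-wide MANAGE finding is advisory: the statement is valid, and the linter only points out that it could be narrowed to a compartment.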

Enable Logging Analytics

After completing the prerequisite tasks such as creating user groups, creating compartments, and defining access policies for the user groups, you can access Oracle Cloud Logging Analytics and enable it for use.

To enable Oracle Cloud Logging Analytics, you must be a member of the example user group Logging-Analytics-SuperAdmins defined above or the Administrators group. Having the manage access on the loganalytics-features-family enables the on-boarding ability for Oracle Cloud Logging Analytics.

  1. Open the navigation menu, click Observability & Management, and then click Logging Analytics.

  2. If this is the first time that you are using the service in this region, you will land on an on-boarding page that will give you some high-level details of the service and an option to start using the Oracle Cloud Logging Analytics service. Click Start Using Logging Analytics.

    The Enable Logging Analytics dialog box is displayed. Here you are guided on the required policies and some example policies that you can create to manage the users of the service.

  3. Click Continue to initiate the service on-boarding.

    This process only takes a few seconds. If the page is not reloaded in a few seconds, then refresh your browser.

After the on-boarding is complete, you can explore Oracle Cloud Logging Analytics. Before you are able to view the logs in the Log Explorer, you must ingest the logs into Oracle Cloud Logging Analytics.