Get Started with Audit

Introduction

The Oracle Cloud Infrastructure Audit service is included with your Oracle Cloud Infrastructure tenancy. The Audit service automatically records calls to the public application programming interface (API) endpoints for your Oracle Cloud Infrastructure tenancy. The service records events relating to the actions taken on the Oracle Cloud Infrastructure resources. Events recorded in the log can be viewed, retrieved, stored, and analyzed. These log events include information such as:

This task helps you get started with the Audit service by showing you how to find and view a specific event.

For complete details on the Audit service, see Overview of Audit.

Prerequisites

To create an event to view, create and delete a VCN in the Networking service.

Create and Delete a VCN

  1. Sign in to Oracle Cloud Infrastructure Console using your cloud tenant name, user name, and password.

  2. In OCI Console, under List Scope in the left navigation pane, select the compartment in which you want to create the VCN.

    A compartment is a collection of related resources that can be accessed only by certain groups that have been given permission by an administrator in your organization.

  3. Open the navigation menu. Under Core Infrastructure, go to Networking and click Virtual Cloud Networks.

  4. Click Create Virtual Cloud Network.

  5. Enter the following:

    • Name: Enter “Audit_Test”.

    • CIDR Block: Enter “10.0.0.0/16”.

    • Leave all other fields with their default settings. Click Create Virtual Cloud Network.

      The VCN is displayed in the list.

  6. Next to your VCN name, click the OCID: Copy link. You will use the OCID to help you find the event.

    An Oracle Cloud Identifier (OCID) is an Oracle-assigned unique ID. This ID is included as part of the resource’s information in both the Console and API.

  7. Terminate the VCN: Click the Actions icon (three dots), and then click Terminate. Confirm when prompted.

Using Audit to View Events

In this task, you will use Audit to find the delete VCN event.

Tip: Audit time stamps events according to Greenwich Mean Time (GMT). Before you get started, be aware of your local time zone offset.

  1. Open the navigation menu. Under Governance and Administration, go to Governance and click Audit.

    The list of events that occurred in the current compartment is displayed. Audit logs are organized by compartment, so if you are looking for a particular event, you must know which compartment the event occurred in.

  2. From the Compartments list, select the compartment in which you created the VCN.

    The list of events for the compartment is displayed.

  3. To find the delete VCN event, you can try the following filters:

    Filter by time

    1. Click in the Start Date box to display the date and time editor.

    2. Select the current date from the calendar. Type or select values for hour and minute to approximate the preceding hour. Enter the time as Greenwich Mean Time (GMT) using 24-hour clock notation.

    3. Repeat the above steps to enter an end date for the current date and time, so that you filter results for the preceding hour.

      Example

      If you are located in the America/Los Angeles time zone and you are looking for an event that occurred between 1:15 PM and 2:15 PM local time on October 25, enter 21:15 and 22:15 to account for the GMT offset.

      Image shows setting a specific time range in the time and date editor

    4. Click Search.

    Filter events by keywords

    You can further filter the results list to display only log entries that include a specific text string. Try the following entries to help you find the delete VCN event:

    Tip: When you filter by keywords, use quotes to avoid results that have a similar string embedded in a longer string. For example, the quotes around the responseStatus “204” prevent matches of 204 embedded in a longer string somewhere else in the audit event.

    • Filter by the responseStatus value

      In the Keywords box, type “204” and click Search to display only events that returned the 204 (i.e., deleting resource) response status.

    • Filter by requestResource value

      In the Keywords box, paste the VCN OCID that you copied to your clipboard in the prerequisite step and click Search.

      Review the events to find the DELETE event.

    Filter events by request action types

    • Filter by the request action types

      In Request Actions Types, select “DELETE” and click Search.

      The list filters to show only DELETE events. Scan the list to find your VCN termination event.

  4. View the details of your event:

    • To see only the top-level details, click the down arrow to the right of an event.
    • To see lower-level details, click { . . . } to the right of the collapsed parameter.
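
The same search can be applied to exported audit events. The following Python sketch is an added example, not part of the original tutorial or Oracle's code: it converts the local window to GMT, shows why a loose "204" keyword over-matches, and then combines the time, action, status, and OCID filters. The field names requestAction, requestResource, and responseStatus come from this page; the events, the OCID, the year, and the resource paths are constructed, and the 8-hour offset is the one the example above implies (confirm whether daylight saving time applies on your date).

```python
from datetime import datetime, timedelta, timezone

# Constructed placeholder OCID; it deliberately embeds the digits "204".
VCN_OCID = "ocid1.vcn.oc1..exampleuniqueid2048"

# Constructed sample events (not real audit output).
EVENTS = [
    {"eventTime": "2023-10-25T21:20:05Z", "requestAction": "POST",
     "requestResource": "/vcns", "responseStatus": "200"},
    {"eventTime": "2023-10-25T21:31:40Z", "requestAction": "GET",
     "requestResource": "/vcns/" + VCN_OCID, "responseStatus": "200"},
    {"eventTime": "2023-10-25T21:42:10Z", "requestAction": "DELETE",
     "requestResource": "/vcns/" + VCN_OCID, "responseStatus": "204"},
    {"eventTime": "2023-10-25T23:05:00Z", "requestAction": "DELETE",
     "requestResource": "/vcns/" + VCN_OCID, "responseStatus": "404"},
]

def local_to_gmt(local_naive, utc_offset_hours):
    """Convert a naive local datetime to GMT using an explicit UTC offset."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return local_naive.replace(tzinfo=tz).astimezone(timezone.utc)

def parse_time(ts):
    """Parse the constructed 'YYYY-MM-DDTHH:MM:SSZ' timestamps as GMT."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def loose_keyword(events, keyword):
    """Model of the over-matching the tip warns about: substring in any field."""
    return [e for e in events if any(keyword in str(v) for v in e.values())]

def find_delete(events, start, end, ocid):
    """Time window + DELETE action + exact 204 status + resource OCID."""
    return [e for e in events
            if start <= parse_time(e["eventTime"]) <= end
            and e["requestAction"] == "DELETE"
            and e["responseStatus"] == "204"      # exact match, not substring
            and e["requestResource"].endswith(ocid)]

# 1:15 PM to 2:15 PM local time, 8 hours behind GMT (assumed offset).
START = local_to_gmt(datetime(2023, 10, 25, 13, 15), -8)
END = local_to_gmt(datetime(2023, 10, 25, 14, 15), -8)

if __name__ == "__main__":
    print("loose '204' matches:", len(loose_keyword(EVENTS, "204")))
    for event in find_delete(EVENTS, START, END, VCN_OCID):
        print("VCN termination event:", event["eventTime"])
```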
