This image shows logs from resources in an Oracle Cloud region streamed to an external Splunk-based SIEM system.

The region contains one VCN, defined as 10.0.0.0/16, which in turn contains one private subnet, defined as 10.0.30.0/24. The subnet contains a load balancer and two VMs with Virtual Network Interface Cards (VNICs). These resources are deployed in a single availability domain.

In the OCI region, but outside of the VCN, is a Logging service and two Service Connector Hubs. Outside of the OCI region there is a Spunk installation with the OCI Logging Addon for Splunk installed.

The Logging service captures logs from the load balancer. A Service Connector Hub then reads the log and converts it to a stream. The OCI Logging Addon for Splunk reads the stream, then writes the data to Splunk.

Similarly, the logging service captures logs from the VNICs. A second Service Connector Hub reads that log and converts it to a stream. The OCI Logging Addon for Splunk reads the stream, then writes the data to Splunk.