Learn About Monitoring Audit Logs for Autonomous Transaction Processing Databases

The Marketplace app used to monitor audit logs from an Autonomous Transaction Processing (ATP) database automates the configuration needed to start processing Oracle ATP Database Audit Logs for analysis in Oracle Logging Analytics. It includes a collection of automated Terraform deployment scripts obtainable from the OCI Marketplace.

OCI Marketplace applications use the Resource Manager to create and deploy cloud infrastructure and services specified in the Application with the click of a single button. This simplifies the deployment significantly, allowing the users to get onboarded quickly.

This application creates an OCI Resource Manager stack, which comprises an OCI management agent on a new Compute instance configured to ingest unified database audit logs from an ATP instance running in the customer's tenancy into Logging Analytics. The application showcases the resource manager stack structure for monitoring ATP and can be extended to enable monitoring of multiple ATP instances for production deployments.

Logging Analytics allows you to easily turn all that raw ATP instance data into insight, allowing operators to spend their effort fixing problems instead of investigating them. It provides out-of-the-box log enrichment that reveals the meaning of the log data, not just the data itself. It also makes asking questions easy by providing pre-tuned, operations-optimized machine learning and visualizations that scale across tens of millions of log entries, all available at the touch of a button.

Note:

You must onboard OCI Logging Analytics in the tenancy, along with the necessary policies, in the region where this stack will be launched. See the OCI Quick Start guide, referenced in the Explore More topic below, for more information.

Review the Resources You Will Create

The Marketplace app creates the following resources (in order):

  • Dynamic groups for Compute and Management Agents.
  • IAM policies for uploading Logging Analytics logs, reading the OCI Vault, and creating a Credential wallet.
  • A Compute instance for running the Management Agent
  • A Management Agent
  • A Logging Analytics Entity

Once these are created, review them all before proceeding with the rest of this solution.

Review App Availability

You can obtain the apps associated with this solution from the following sources. You can find links for both in "Explore More", elsewhere in this playbook.

  • Marketplace Apps

    Autonomous Transaction Processing (ATP) Database Audit Logs Monitoring is available on OCI Marketplace. This tool assists with capturing the database audit logs from an ATP instance and presenting them in the Logging Analytics Dashboard.

  • GitHub

    The Terraform scripts for the Management Agent—Quick Start are available on GitHub. Use these scripts to customize and create resources to meet your specific monitoring requirements.

Understand Terminology Used in this Playbook

Familiarize yourself with the following terms before attempting this solution.

  • Resource Manager and Stacks

    The OCI Resource Manager provides a simplified user interface (UI) to execute a collection of Terraform scripts, also known as stacks. The Resource Manager also provides the ability to perform dry runs (plan), which are useful for troubleshooting problems, and an option to clean up (destroy) resources after they are no longer in use.

  • Terraform

    This is the underlying technology used by the Resource Manager to develop and deploy cloud services as well as infrastructure.

  • Management Agent

    The Management Agent provides low latency interactive communication and data collection between OCI and any other sources of data. It is used in this app to collect log data from a specified target.

  • OCI Dynamic Groups and Identity and Access Management Policies

    Dynamic groups allow you to group OCI Compute instances or other resources—the Management Agent, in this case—as principal actors (similar to user groups). You create policies for this group to permit principal actors to make API calls against OCI services. Dynamic groups allow you to define a set of matching rules to define group members, eliminating the need to add members explicitly to the group.

  • ATP Instance and Unified DB Audit logs

    This app captures DB Audit logs from an ATP instance and displays those logs on the Logging Analytics Dashboard.

  • Logging Analytics Dashboard

    The Oracle Cloud Infrastructure Logging Analytics dashboard presents search data in a form that helps you better understand and analyze it. It also provides access to a customized dashboard to access the DB Audit logs captured with this app.

Meet the Prerequisites for Implementing this Use Case

Before embarking on this solution, ensure you've met the following prerequisites. You must:

  • Be part of the Admin group or have the necessary permissions to invoke the Resource Manager stack. See the following section on required policies.
  • Complete onboarding with Logging Analytics.
  • Have a tenancy containing a VCN and a subnet in which to create the Compute instance.
  • Have access to an ATP instance to monitor.
  • Create a vault secret with an ATP user password to use to access logs on the ATP Instance.

Review Required Policies

If the user is not part of the Admin group, they should have the following permissions to invoke the Resource Manager stack. Refer to "Managing Groups", which you can access from "Explore More", elsewhere in this playbook, for more details on creating and managing user groups.

# Policies required to manage stacks and jobs in OCI Resource Manager

ALLOW GROUP User-Group TO MANAGE orm-stacks IN TENANCY
ALLOW GROUP User-Group TO MANAGE orm-jobs IN TENANCY

# Policies required to read and manage IAM resources

ALLOW GROUP User-Group TO READ compartments IN TENANCY
ALLOW GROUP User-Group TO READ tenancies IN TENANCY
ALLOW GROUP User-Group TO MANAGE dynamic-groups IN TENANCY
ALLOW GROUP User-Group TO MANAGE policies IN TENANCY

# Policies required to read ATP and Vault Secret

ALLOW GROUP User-Group TO INSPECT autonomous-databases IN TENANCY
ALLOW GROUP User-Group TO INSPECT secrets IN TENANCY

# Policies required to create the Compute Instance

ALLOW GROUP User-Group TO READ vcns IN TENANCY
ALLOW GROUP User-Group TO MANAGE subnets IN TENANCY
ALLOW GROUP User-Group TO MANAGE instance-family IN TENANCY

# Policies required to manage Oracle Cloud Agent plugins and enable Management Agent

ALLOW GROUP User-Group TO MANAGE instance-agent-plugins IN TENANCY
ALLOW GROUP User-Group TO USE volume-family IN TENANCY
ALLOW GROUP User-Group TO USE virtual-network-family IN TENANCY
ALLOW GROUP User-Group TO MANAGE management-agents IN TENANCY
ALLOW GROUP User-Group TO READ metrics IN TENANCY

# Policies required to access and manage the Logging Analytics resources

ALLOW GROUP User-Group TO MANAGE loganalytics-features-family IN TENANCY
ALLOW GROUP User-Group TO MANAGE loganalytics-resources-family IN TENANCY
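
A grant list of this size is worth reviewing before it is attached to a group. The following added example (not part of the Marketplace app or Oracle's scripts) parses the statements listed above and returns the tenancy-wide MANAGE grants, with those on policies and dynamic-groups sorted first; the function names and that prioritization are assumptions of the example.

```python
import re

# The 18 statements listed under "Review Required Policies" on this page.
PAGE_POLICIES = """
ALLOW GROUP User-Group TO MANAGE orm-stacks IN TENANCY
ALLOW GROUP User-Group TO MANAGE orm-jobs IN TENANCY
ALLOW GROUP User-Group TO READ compartments IN TENANCY
ALLOW GROUP User-Group TO READ tenancies IN TENANCY
ALLOW GROUP User-Group TO MANAGE dynamic-groups IN TENANCY
ALLOW GROUP User-Group TO MANAGE policies IN TENANCY
ALLOW GROUP User-Group TO INSPECT autonomous-databases IN TENANCY
ALLOW GROUP User-Group TO INSPECT secrets IN TENANCY
ALLOW GROUP User-Group TO READ vcns IN TENANCY
ALLOW GROUP User-Group TO MANAGE subnets IN TENANCY
ALLOW GROUP User-Group TO MANAGE instance-family IN TENANCY
ALLOW GROUP User-Group TO MANAGE instance-agent-plugins IN TENANCY
ALLOW GROUP User-Group TO USE volume-family IN TENANCY
ALLOW GROUP User-Group TO USE virtual-network-family IN TENANCY
ALLOW GROUP User-Group TO MANAGE management-agents IN TENANCY
ALLOW GROUP User-Group TO READ metrics IN TENANCY
ALLOW GROUP User-Group TO MANAGE loganalytics-features-family IN TENANCY
ALLOW GROUP User-Group TO MANAGE loganalytics-resources-family IN TENANCY
"""
# Treating these two as top-priority review items is this example's assumption.
IDENTITY_RESOURCES = {"policies", "dynamic-groups"}
STATEMENT = re.compile(
    r"ALLOW\s+GROUP\s+(\S+)\s+TO\s+(INSPECT|READ|USE|MANAGE)\s+([\w-]+)"
    r"\s+IN\s+(TENANCY|COMPARTMENT\s+\S+)", re.IGNORECASE)

def parse_policies(text):
    """Return (verb, resource, tenancy_wide) per statement; skip blanks and # lines."""
    grants = []
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        m = STATEMENT.fullmatch(line)
        if m is None:
            raise ValueError(f"unrecognised policy statement: {line!r}")
        grants.append((m[2].upper(), m[3].lower(), m[4].upper() == "TENANCY"))
    return grants

def review(grants):
    """Return tenancy-wide MANAGE grants, identity-related ones sorted first."""
    return sorted(("identity" if res in IDENTITY_RESOURCES else "scope", res)
                  for verb, res, wide in grants if verb == "MANAGE" and wide)

if __name__ == "__main__":
    for kind, resource in review(parse_policies(PAGE_POLICIES)):
        print(f"{kind:8} MANAGE {resource} IN TENANCY")
```

OCI policy syntax also accepts IN COMPARTMENT followed by a compartment name as the scope, which the parser recognizes; whether this stack deploys with narrower scopes is not stated on this page.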