Managing and Searching Logs with Operator Access Control

Learn how to enable logs to view the list of Operator Controls created and in use in a compartment, and how to monitor operator activities in a cage.

Enabling Logs and Creating Log Groups with Operator Access Control

To track Oracle operator activities on your system, learn how to enable logs and how to create log groups to manage them.

To audit the actions that an Oracle operator performs on your system, you can create an audit log for a compartment and a particular service where you want to monitor Oracle operator actions.
  1. On the left navigation menu, select Logging, and then select Logs.
  2. Click Enable Service Log. The Enable Resource Log window opens.
  3. In the Select Resource section, provide information for each of the fields:
    • Resource Compartment: Select the compartment where you want to create the log.
    • Service: Select the Operator Access Control service for which you want to enable the log.
    • Resource: Select the Operator Control for which you want to enable the log.
  4. In the Configure Log section, provide information for the following fields:
    • Log Category: Select Access Logs.
    • Log Name: Provide a name for the log that you want to create.
  5. (Optional) Click Show Advanced Options.
  6. (Optional) In the Log Location section, provide information for the following fields:
    • Compartment: Select a compartment, if you want log files to be placed in a different compartment from the one for which you are creating an audit log.
    • Log Group: Select the log group to which you want to add the log. A log group is a logical container for logs. Use log groups to streamline log management, including applying policy to or analyzing groups of logs. If you want to create a new log group, click Create New Group, and provide information for the following fields:
      • Compartment: Select the compartment where you want to place the log group.
      • Name: Provide a name for the log group.
      • Description: Provide a description for the purpose of the log group.
    • In the Tag Namespace field, consider adding a tag namespace (an identifying text string applied to a set of compartments), or tagging the control with an existing tag namespace.
  7. In the Log Retention section, select a log retention period.
  8. When you have completed and reviewed your selections, click Enable Log. The log pertaining to the operator control is enabled.

Log Format for Operator Access Control

Learn about the fields that an audit log published in the logging service contains.

Table 6-1 Audit Log Fields

data
    Contains all the data obtained from the Exadata audit logs.

data.accessRequestId
    The Oracle Cloud Identifier (OCID) of the access request. This identifier is shown on the access request listing page in the Console.

data.message
    The audit log in raw format. The format follows the audit logging format output by the ausearch command. For more information, see the ausearch(8) manual page.

data.systemOcid
    The Oracle Cloud Identifier (OCID) of the Exadata system from which the log was collected.

data.timestamp
    The time stamp, usually in the Coordinated Universal Time (UTC) time zone, at which the action that the log represents was performed.

source
    The service that is publishing the log. For this service, the source is OperatorAccessControl.

Note

There are a few additional fields, which are primarily used for the service's own accounting purposes.

Example 6-1 Operator Access Control Audit Log

{
  "logContent": {
    "data": {
      "accessRequestId": "ocid1.opctlaccessrequest.oc1.ap-chuncheon-1.aaaaaaaaqk67mpzb74nsssg4ppwk7cyg46dwoxegtvhopdp7lxbktpymk4kq",
      "message": "type=PROCTITLE msg=audit(09/08/2021 09:01:24.335:34495595) : proctitle=ps -ef \ntype=PATH msg=audit(09/08/2021 09:01:24.335:34495595) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=2546207 dev=fc:00 mode=file,755 ouid=root ogid=root rdev=00:00 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 \ntype=PATH msg=audit(09/08/2021 09:01:24.335:34495595) : item=0 name=/usr/bin/ps inode=33619160 dev=fc:00 mode=file,755 ouid=root ogid=root rdev=00:00 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 \ntype=CWD msg=audit(09/08/2021 09:01:24.335:34495595) : cwd=/home/b9dc42d68f6e4e26a1d843a4c5e70187 \ntype=EXECVE msg=audit(09/08/2021 09:01:24.335:34495595) : argc=2 a0=ps a1=-ef \ntype=SYSCALL msg=audit(09/08/2021 09:01:24.335:34495595) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x1848d50 a1=0x184c360 a2=0x184c040 a3=0x7ffeec95b760 items=2 ppid=94699 pid=95635 auid=b9dc42d68f6e4e26a1d843a4c5e70187 uid=b9dc42d68f6e4e26a1d843a4c5e70187 gid=opctl_facc1 euid=b9dc42d68f6e4e26a1d843a4c5e70187 suid=b9dc42d68f6e4e26a1d843a4c5e70187 fsuid=b9dc42d68f6e4e26a1d843a4c5e70187 egid=opctl_facc1 sgid=opctl_facc1 fsgid=opctl_facc1 tty=pts0 ses=813000 comm=ps exe=/usr/bin/ps key=(null) \n",
      "status": "",
      "systemOcid": "ocid1.exadatainfrastructure.oc1.ap-chuncheon-1.ab4w4ljr46tyytihmindrbshch3jjhrxxpctq4eiaksakp4kqamluuwkzdga",
      "target": "",
      "timestamp": "2021-09-08T09:01:24.000Z"
    },
    "id": "b3b102aa-daee-4861-8e2c-9014faac9de2",
    "oracle": {
      "compartmentid": "ocid1.tenancy.oc1..aaaaaaaazxdmffivtoe32kvio5e2dcgz24re5rqbkis3452yi2e7tc3x2erq",
      "ingestedtime": "2021-09-08T16:02:26.182Z",
      "loggroupid": "ocid1.loggroup.oc1.ap-chuncheon-1.amaaaaaajobtc3ia3iypuri32bhvrgmosztobwi72wgdofkpfdbyfg4yxlrq",
      "logid": "ocid1.log.oc1.ap-chuncheon-1.amaaaaaajobtc3iahnkkwizgpoakdafmrttikohparjl7icmcfjzkechekfq",
      "tenantid": "ocid1.tenancy.oc1..aaaaaaaazxdmffivtoe32kvio5e2dcgz24re5rqbkis3452yi2e7tc3x2erq"
    },
    "source": "OperatorAccessControl",
    "specversion": "1.0",
    "time": "2021-09-08T16:01:52.989Z",
    "type": "com.oraclecloud.opctl.audit"
  },
  "datetime": 1631116912989
}

Searching Logs

To perform a search on logs, use this procedure to specify the fields, time range, and text strings for logs that you want to search.

Logs are enabled per Operator Control, so the Operator Control is the top-level filter for log searches. Within that, you can also filter by Access Request ID, by the Exadata system on which the operator action occurred, or by the time at which the action occurred.

The following examples show how to search on specific fields.

  1. On the left navigation menu, select Logging, and then select Logs.
  2. Choose the compartment where the logs are stored.

    This displays the list of logs that are enabled in that compartment.

  3. Click the log that you are interested in. The log detail page is displayed.

    These logs are always related to a single operator control.

  4. Click the Explore with Log Search link to search for specific logs.
  5. Case 1: Search for actions performed under the approval for a specific access request, ocid.opctlaccessrequest.x, during the period T-start to T-end, pertaining to an Operator Control, ocid.opctl.x.
    1. Choose Custom from the Filter By Time field.
    2. Select Start Date and End Date.
    3. Click Search.

      After the search completes, a set of logs is displayed.

    4. Now, for example, add the following search criteria into the Filter By Field or Text Search field.
      data.accessRequestId='ocid.opctlaccessrequest.x'

      This will list the logs matching the search criteria.

  6. Case 2: Search for actions on an Exadata system, ocid.exadata.x, during the period T-start to T-end, pertaining to an Operator Control, ocid.opctl.x.
    1. Choose Custom from the Filter By Time field.
    2. Click Search.

      After the search completes, a set of logs is displayed.

    3. Now, for example, add the following search criteria into the Filter By Field or Text Search field.
      data.systemOcid ='ocid.exadata.x'

      This will list the logs matching the search criteria.

  7. You can also search the logs by the content. Use the log-content field. For more information, see Searching Logs.
  8. To search for specific Linux commands that were executed, use the Advanced Mode.
    1. Create a basic search using the examples given above (case 1 or case 2), and then switch to Advanced Mode.
      For example, to search for all the logs in which the vi command was run, add the following criteria:
      and text_contains(data.message, 'proctitle=vi ', true)
  9. When performing a search on the Logging Search page, you can click Show Advanced Mode to enter your own custom log search queries.
    For example:
    search "ocid1.compartment.oc1..x/ocid1.loggroup.oc1.iad.loggroup_x/ocid1.log.oc1.iad.log_x"
     | data.systemOcid='ocid1.exadata.x' and text_contains(data.message, 'proctitle=vi ', true)
     | sort by datetime desc
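The following Python example is added here and is not part of the Oracle documentation. It parses the ausearch-style records inside data.message (see the log format and Example 6-1 above) into one event per audit serial, and applies locally the same filter as the advanced search query in step 9: a data.systemOcid match plus a text_contains on data.message, sorted by datetime descending. The log records, user names and OCIDs are constructed placeholders, and treating the trailing true argument of text_contains as a case-insensitivity flag is an assumption.

```python
import re

# Constructed sample records modelled on Example 6-1; OCIDs and user names are placeholders.
SAMPLE_LOGS = [
    {"logContent": {"data": {
        "systemOcid": "ocid1.exadatainfrastructure.oc1..EXAMPLE",
        "message": "type=PROCTITLE msg=audit(09/08/2021 09:01:24.335:34495595) : proctitle=vi /etc/hosts \n"
                   "type=EXECVE msg=audit(09/08/2021 09:01:24.335:34495595) : argc=2 a0=vi a1=/etc/hosts \n"
                   "type=SYSCALL msg=audit(09/08/2021 09:01:24.335:34495595) : arch=x86_64 syscall=execve "
                   "success=yes exit=0 ppid=94699 pid=95635 auid=op1 uid=root tty=pts0 comm=vi exe=/usr/bin/vi key=(null) \n"}},
     "datetime": 1631116912989},
    {"logContent": {"data": {
        "systemOcid": "ocid1.exadatainfrastructure.oc1..EXAMPLE",
        "message": "type=PROCTITLE msg=audit(09/08/2021 09:03:10.001:34495610) : proctitle=ps -ef \n"
                   "type=EXECVE msg=audit(09/08/2021 09:03:10.001:34495610) : argc=2 a0=ps a1=-ef \n"
                   "type=SYSCALL msg=audit(09/08/2021 09:03:10.001:34495610) : arch=x86_64 syscall=execve "
                   "success=yes exit=0 ppid=94699 pid=95702 auid=op1 uid=op1 tty=pts0 comm=ps exe=/usr/bin/ps key=(null) \n"}},
     "datetime": 1631117018001},
]

# "type=<T> msg=audit(<time>:<serial>) : <key=value ...>"; the serial ties one syscall's records together.
HEAD_RE = re.compile(r"^type=(\w+) msg=audit\((.+?):(\d+)\) : (.*)$")
KV_RE = re.compile(r"(\w+)=(\(null\)|\S+)")

def parse_audit_message(message):
    """Group the ausearch-style lines in data.message into one dict per audit event."""
    events = {}
    for line in message.split("\n"):
        m = HEAD_RE.match(line.strip())
        if not m:
            continue  # blank trailer or a record type we do not model
        rtype, when, serial, body = m.groups()
        ev = events.setdefault(serial, {"serial": serial, "time": when, "argv": []})
        if rtype == "PROCTITLE":
            ev["proctitle"] = body.partition("proctitle=")[2].strip()  # value may contain spaces
        elif rtype == "EXECVE":
            f = dict(KV_RE.findall(body))
            ev["argv"] = [f["a%d" % i] for i in range(int(f["argc"]))]
        elif rtype == "SYSCALL":
            # auid is the audited login identity and survives privilege changes; uid may differ (here: root).
            ev.update((k, v) for k, v in KV_RE.findall(body) if k in ("auid", "uid", "pid", "exe", "success", "tty"))
    return list(events.values())

def search_logs(logs, system_ocid, needle):
    """Local equivalent of: data.systemOcid='<x>' and text_contains(data.message, '<needle>', true) | sort by datetime desc.
    The trailing 'true' is assumed to request a case-insensitive match."""
    hits = [r for r in logs
            if r["logContent"]["data"]["systemOcid"] == system_ocid
            and needle.lower() in r["logContent"]["data"]["message"].lower()]
    return sorted(hits, key=lambda r: r["datetime"], reverse=True)
```

Comparing auid with uid in the parsed SYSCALL record is a quick way to spot commands run after a privilege change, because auid keeps the operator's original login identity.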