Oracle Cloud Infrastructure Documentation

Enable Access to Log Analytics and Its Resources

Set up your Oracle Cloud Infrastructure tenancy to use Oracle Log Analytics by performing these prerequisite configuration tasks.

Oracle Log Analytics is a regional service. Before you get started, select a region that you want to use. You can follow these steps for each region that you want to set up, but each region will be a different instance. Select your region by using the region selector in the upper right corner of the console.

Topics:

For policies to perform specific tasks and a complete reference of the policy requirements in Log Analytics, see IAM Policies Catalog for Log Analytics.

You can use the readily available templates to create a policy for a user group or dynamic group to perform a specific operation or a collection of operations. See Oracle-defined Policy Templates for Common Use Cases.

Note

If you enabled Oracle Log Analytics using the onboarding UI which is available when you navigate to the service for the first time, then some policies are already created. See Policies Created While Onboarding Log Analytics.

Enable Access from Log Analytics to Its Features Family

A service-level IAM policy must be created to enable the Oracle Log Analytics service to operate. Create policies by using standard Oracle Cloud Infrastructure IAM Policies and add the following policy statement to it.

Policy Statement Description
allow service loganalytics to READ loganalytics-features-family in tenancy

Allow the Oracle Log Analytics service READ access rights of the family loganalytics-features-family across the tenancy.

Some of the above policy statements are included in the readily available Oracle-defined policy templates. You may want to consider using the template for your use case. See Oracle-defined Policy Templates for Common Use Cases.

For policies to perform specific tasks and a complete reference of the policy requirements in Log Analytics, see IAM Policies Catalog for Log Analytics.

Note

If you enabled Oracle Log Analytics using the onboarding UI which is available when you navigate to the service for the first time, then some policies are already created. See Policies Created While Onboarding Log Analytics.

Identify OCI Compartments to Place the Log Analytics Resources

Use compartments to create resources of Oracle Log Analytics like entities and log groups. Fine tune the access to the compartments for better user access control.

You can use existing compartments or you can create new ones specifically forOracle Log Analytics. You can create multiple compartments to give different sets of users access to different parts of the product or log data. For more guidance on how compartments work, see Managing Compartments in Oracle Cloud Infrastructure Documentation.

Resources in Oracle Log Analytics must reside in the compartments. When you create any of the following resources, you must select the compartment that they will be in:

Resource Access Control Using Oracle IAM Policies

Entities

You can control who can enable or disable log collection for a specific entity

Log Groups

You can control who can search the logs after they have been collected, enriched, and indexed.

Purge Policies

You can control who can stop or change the purge policy definition.

Object Storage Collection Rules

You can control who can stop or change the collection rule.

For policies to perform specific tasks and a complete reference of the policy requirements in Log Analytics, see IAM Policies Catalog for Log Analytics.

Note

If you enabled Oracle Log Analytics using the onboarding UI which is available when you navigate to the service for the first time, then some policies are already created. See Policies Created While Onboarding Log Analytics.

Create User Groups to Implement Access Control

Create one or more user groups to grant varying levels of access to the users depending on how you want to use Oracle Log Analytics.

Topics:

A user who is a member of Administrators group will have full access to all the features of Oracle Log Analytics. See The Administrators Group, Policy, and Administrator Roles.

Recommended User Groups

It is recommended that you create the user groups similar to the following examples to get started:

  • Log-Analytics-Users: The users that you add to this group will be able to query the logs and see various configurations. However, they cannot enable or disable log collection, change configurations, or delete logs.
  • Log-Analytics-Admins: The users that you add to this group will have Log-Analytics-Users privileges and additionally can create or edit sources, parsers, entities, and log groups. These users can also enable or disable log collection. However, they cannot purge logs.
  • Log-Analytics-SuperAdmins: The users in this group have the privileges of Log-Analytics-Admins and can additionally perform lifecycle activities such as onboarding and offboarding from Oracle Log Analytics, and purging logs.

Note that the above groups are shown as examples, and will be used for creating IAM policies in this documentation. However, you can create the user groups based on your needs.

Aggregate Resource-Types in Log Analytics

The following two families allow you to grant bulk access without having to assign individual permissions to each user group. For most cases, you can use these to simplify the management of your Oracle Log Analytics policies.

  • loganalytics-features-family to control the features that a user has access to, and the actions that the user can perform using Console, REST API, CLI, or SDK.

    loganalytics-features-family and the resources contained in it can be set only at the tenancy level, not per compartment.

  • loganalytics-resources-family to control the access that the user has for creating, reading, updating, and deleting the resources such as entities, log groups, purge policies, and object store collection rules.

    This family and the resources contained in it can be granted access for the whole tenancy or for a specific compartment.

For policies to perform specific tasks and a complete reference of the policy requirements in Log Analytics, see IAM Policies Catalog for Log Analytics.

Note

If you enabled Oracle Log Analytics using the onboarding UI which is available when you navigate to the service for the first time, then some policies are already created. See Policies Created While Onboarding Log Analytics.

Grant Access to User Groups

Create policies by using standard Oracle Cloud Infrastructure IAM Policies to define how your user groups can use Oracle Log Analytics.

Note

If you want to quickly try out Oracle Log Analytics without managing groups and policies, a user who is a member of the Administrators group will have full access to all features. See The Administrators Group, Policy, and Administrator Roles.

To set up the policy according to the example groups in Create User Groups to Implement Access Control, apply the following sets of policies.

For Log-Analytics-SuperAdmins user group:

Policy Description

allow group Log-Analytics-SuperAdmins to MANAGE loganalytics-features-family in tenancy

Allow the group Log-Analytics-SuperAdmins to have the MANAGE access rights of the family loganalytics-features-family across the tenancy.

This policy will enable rights to perform every task in the service including offboarding, deleting logs, setting up archiving, etc.

allow group Log-Analytics-SuperAdmins to MANAGE loganalytics-resources-familY in tenancy

OR

allow group Log-Analytics-SuperAdmins to MANAGE loganalytics-resources-family in compartment myCompartment1

Allow the group Log-Analytics-SuperAdmins to have MANAGE access rights of the family loganalytics-resources-family across the tenancy or in specific compartment.

This policy will enable rights to perform any task in the service on any resource-type that belongs to the family loganalytics-resources-family.

allow group Log-Analytics-SuperAdmins to MANAGE management-dashboard-family in tenancy

Allow the group Log-Analytics-SuperAdmins to have the all the access rights for the Management Dashboard family of resources in the tenancy. You could change from tenancy to specific compartments.

allow group Log-Analytics-SuperAdmins to read compartments in tenancy

Allow the group Log-Analytics-SuperAdmins to get the list of available compartments for the log groups that the group may have access to. This is required for using the Log Explorer.

For Log-Analytics-Admins user group:

Policy Description

allow group Log-Analytics-Admins to use loganalytics-features-family in tenancy

Allow the group Log-Analytics-Admins to have the USE access rights of the family loganalytics-features-family across the tenancy.

allow group Log-Analytics-Admins to use loganalytics-resources-family in tenancy

OR

allow group Log-Analytics-Admins to use loganalytics-resources-family in compartment myCompartment1

Allow the group Log-Analytics-Admins to have USE access rights of the family loganalytics-resources-family across the tenancy or in specific compartment.

Allow this group to view, create, edit, or delete the resources in the family loganalytics-resources-family.

allow group Log-Analytics-Admins to manage management-dashboard-family in tenancy

OR

allow group Log-Analytics-Admins to manage management-dashboard-family in compartment myCompartment2

Allow the group Log-Analytics-Admins to have the all the access rights for the Management Dashboard family of resources in the tenancy. You could change from tenancy to specific compartments.

allow group Log-Analytics-Admins to read compartments in tenancy

Allow the group Log-Analytics-Admins to get the list of available compartments for the log groups that the group may have access to. This is required for using the Log Explorer.

For Log-Analytics-Users user group:

Policy Description

allow group Log-Analytics-Users to read loganalytics-features-family in tenancy

Allow the group Log-Analytics-Users to have the READ access rights of the family loganalytics-features-family across the tenancy.

allow group Log-Analytics-Users to read loganalytics-resources-family in tenancy

OR

allow group Log-Analytics-Users to read loganalytics-resources-family in compartment myCompartment1

Allow the group Log-Analytics-Users to have READ access rights of the family loganalytics-resources-family across the tenancy. You could change from tenancy to specific compartments.

Allow this group to view details of the resources in the family loganalytics-resources-family. User cannot create, edit, or delete any of them.

allow group Log-Analytics-Users to use management-dashboard-family in tenancy

OR

allow group Log-Analytics-Users to use management-dashboard-family in compartment myCompartment2

Allow the group Log-Analytics-Users to have the USE access rights for the Management Dashboard family of resources in the tenancy. You could change from tenancy to specific compartments.

allow group Log-Analytics-Users to read compartments in tenancy

Allow the group Log-Analytics-Users to get the list of available compartments for the log groups that the group may have access to. This is required for using the Log Explorer.

You can add compartment-specific policy statements for any number of compartments that you want to create for organizing the resources like entities and log groups. These resources can also be in different compartments altogether. It is not necessary that all the resource instances of different types be in the same compartment. However, you may find it easier to manage if you can minimize the number of compartments used.

Instead of using the resources family, you can also specify a policy that is at the individual resource level. For example:

Policy Description

allow group DBA to use loganalytics-entity in compartment Databases

Users in DBA group can create, edit, or delete entities and enable or disable log collection for entities in Databases compartment.

allow group DBA to use loganalytics-log-group in compartment Databases

Users in DBA group can create, edit, or delete log groups and query the logs that are stored in Databases compartment.

Some of the above policy statements are included in the readily available Oracle-defined policy templates. You may want to consider using the template for your use case. See Oracle-defined Policy Templates for Common Use Cases.

For policies to perform specific tasks and a complete reference of the policy requirements in Log Analytics, see IAM Policies Catalog for Log Analytics.

Note

If you enabled Oracle Log Analytics using the onboarding UI which is available when you navigate to the service for the first time, then some policies are already created. See Policies Created While Onboarding Log Analytics.

Enable Log Analytics

After completing the prerequisite tasks such as creating user groups, creating compartments, and defining access policies for the user groups, you can access Oracle Log Analytics and enable it for use.

To enable Oracle Log Analytics, you must be a member of the Administrators group. See The Administrators Group, Policy, and Administrator Roles.

  1. Open the navigation menu, click Observability & Management, and then click Log Analytics.

  2. If this is the first time that you are using the service in this region, you will land on an on-boarding page that will give you some high level details of the service and an option to start using Oracle Log Analytics service. Click Start Using Log Analytics.

    The Enable Log Analytics dialog box is displayed. Here, the minimum required policies and log group are created if they don't exist already.

  3. Click Next. The OCI Audit Log collection is configured.

    The check box Include _Audit in subcompartments is enabled by default. You can disable it, if required. Based on your preference, the policies are created and suitable actions performed.

    Click Next.

  4. After the on-boarding is complete, click Take me to Log Explorer.

You can now explore Oracle Log Analytics.

Note

To view the list of policies created in the above process, see Policies Created While Onboarding Log Analytics.