Bulk Export of Audit Log Events
Describes how to export Audit log events in bulk.
If you make your request after June 30, 2023, use the Logging service and Service Connector Hub to request a bulk export of audit logs. For more information, see Scenario: Archiving Logs to Object Storage.
This page outlines the previous process of how to request a bulk export of audit logs.
Highlights
- Administrators have full control of the buckets and can provide access to others with IAM policy statements.
- Exported logs remain available indefinitely.
Tip
You can automatically manage archiving and deleting logs using Object Storage. See Using Object Lifecycle Management.
- Specify all the regions you want exported in your request. If you request only some regions and later decide to add others, you must make another request.
- To disable your bulk export, contact Oracle support. New logs will stop being added to the bucket, and audit logs will only be available through the Console, based on the retention period you have defined.
Required IAM Policy
To access the bucket where Oracle exports the audit logs, you must be a member of the Administrators group. See The Administrators Group and Policy.
Requesting an Export of Audit Logs
If you make your request after June 30, 2023, use the Logging service and Service Connector Hub to request a bulk export of audit logs. For more information, see Scenario: Archiving Logs to Object Storage.
For customers who have previously used this workflow, a member of the Administrators group for your tenancy must create a ticket at My Oracle Support and provide the following information:
- Ticket name: Export Audit Logs - <your_company_name>
- Tenancy OCID
- Regions
For example:
- Ticket name: Export Audit Logs - ACME
- Tenancy OCID: ocid1.tenancy.oc1.<unique_ID>
- Regions: US East (Ashburn), region identifier = us-ashburn-1; US West (Phoenix), region identifier = us-phoenix-1
It can take 5-10 business days before your My Oracle Support ticket is complete and the logs are available to you.
Bucket and Object Details
This section specifies the naming conventions of the bucket and objects you receive.
Bucket Name Format
Oracle support creates buckets for audit log exports using the following naming format:
oci-logs._audit.<compartment_OCID>
- oci-logs identifies that Oracle created this bucket.
- _audit identifies that the bucket contains audit events.
- <compartment_OCID> identifies the compartment where the audit events were generated.
For example:
oci-logs._audit.ocid1.compartment.oc1..<unique_ID>
If the OCID of the compartment that generated the audit log contains a colon, your bucket name will not match the OCID. To create a bucket, Oracle must substitute colon characters (:) in the OCID with dot characters (.) in the bucket name.
Object Name Format
Objects use the following naming format:
<region>/<ad>/<YYYY-MM-DDTHH:MMZ>[_<seqNum>].log.gz
- <region> identifies the region where the audit events were generated.
- <ad> identifies the availability domain where the audit events were generated.
- <YYYY-MM-DDTHH:MMZ> identifies the start time of the earliest audit event listed in the object.
- [_<seqNum>] identifies an optional sequence number. If present, it means that either an event arrived late or the object became too large to write, so the events for that start time continue in additional objects. Sequence numbers start at two (the object without a suffix is the first). When several sequence numbers exist for the same start time, apply them to the original object in ascending numeric order.
For example:
us-phoenix-1/ad1/2019-03-21T00:00Z.log.gz
us-phoenix-1/ad1/2019-03-21T00:00Z_2.log.gz
File Format
Files list a single audit event per line. For more information, see Contents of an Audit Log Event.
The Audit service introduced a version 2 schema for audit logs, but bulk export is currently available only for version 1 schema logs.
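The bucket naming, object naming, and file format conventions above are what a practitioner has to implement when pulling an export out of Object Storage and replaying the events in order. The following Python is an added example written for this page, not code from Oracle or the OCI SDK. It derives the bucket name from a compartment OCID (with the colon-to-dot substitution), parses object names into region, availability domain, start time and sequence number, orders objects so that continuation chunks follow their original, and reads one JSON event per line from a gzip object. The object names and the two-line gzip payload are constructed sample data, and the event field names inside it are placeholders, not the real Audit schema.

```python
import gzip
import io
import json
import re
from datetime import datetime, timezone

# Bucket format from the page: oci-logs._audit.<compartment_OCID>, with any
# ':' in the OCID replaced by '.' because the bucket name cannot carry colons.
BUCKET_PREFIX = "oci-logs._audit."

# Object format from the page: <region>/<ad>/<YYYY-MM-DDTHH:MMZ>[_<seqNum>].log.gz
OBJECT_NAME_RE = re.compile(
    r"^(?P<region>[^/]+)/(?P<ad>[^/]+)/"
    r"(?P<start>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}Z)"
    r"(?:_(?P<seq>\d+))?\.log\.gz$"
)


def bucket_name_for(compartment_ocid: str) -> str:
    """Bucket Oracle support would create for this compartment's export."""
    return BUCKET_PREFIX + compartment_ocid.replace(":", ".")


def parse_object_name(name: str) -> dict:
    """Split an export object name into its components.

    The unsuffixed object is treated as sequence 1; the page says explicit
    sequence numbers start at two, so anything lower is rejected as malformed.
    """
    m = OBJECT_NAME_RE.match(name)
    if not m:
        raise ValueError(f"not an audit export object name: {name!r}")
    start = datetime.strptime(m["start"], "%Y-%m-%dT%H:%MZ").replace(tzinfo=timezone.utc)
    seq = int(m["seq"]) if m["seq"] else 1
    if m["seq"] and seq < 2:
        raise ValueError(f"sequence numbers start at two: {name!r}")
    return {"region": m["region"], "ad": m["ad"], "start": start, "seq": seq}


def order_objects(names):
    """Return object names in replay order: region, AD, start time, then
    numeric sequence, so the original object is followed by its _2, _3, ...
    continuations (a plain string sort would put _10 before _2)."""
    parsed = [(n, parse_object_name(n)) for n in names]
    parsed.sort(key=lambda p: (p[1]["region"], p[1]["ad"], p[1]["start"], p[1]["seq"]))
    return [n for n, _ in parsed]


def read_events(gz_bytes: bytes) -> list:
    """Decompress one export object and return its events, one JSON object per line."""
    with gzip.open(io.BytesIO(gz_bytes), "rt", encoding="utf-8") as fh:
        return [json.loads(line) for line in fh if line.strip()]


# Constructed sample data (not a real export): names deliberately out of order.
SAMPLE_OBJECT_NAMES = [
    "us-phoenix-1/ad1/2019-03-21T01:00Z.log.gz",
    "us-phoenix-1/ad1/2019-03-21T00:00Z_10.log.gz",
    "us-phoenix-1/ad1/2019-03-21T00:00Z_2.log.gz",
    "us-phoenix-1/ad1/2019-03-21T00:00Z.log.gz",
    "us-ashburn-1/ad1/2019-03-21T00:00Z.log.gz",
]

# Constructed two-line payload; "eventId"/"eventTime" are placeholder fields here.
SAMPLE_EXPORT = gzip.compress(
    b'{"eventId": "evt-1", "eventTime": "2019-03-21T00:00:05Z"}\n'
    b'{"eventId": "evt-2", "eventTime": "2019-03-21T00:00:09Z"}\n'
)


if __name__ == "__main__":
    print(bucket_name_for("ocid1.compartment.oc1..example"))
    for name in order_objects(SAMPLE_OBJECT_NAMES):
        print(name, parse_object_name(name)["seq"])
    for event in read_events(SAMPLE_EXPORT):
        print(event)
```

When listing a real bucket, feed every object name through `order_objects` before concatenating events; the numeric sequence sort is what keeps a late-arriving `_10` chunk after `_2` rather than before it.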