Viewing Audit Log Events
Describes how to view Audit log events.
Audit provides records of API operations performed against supported services as a list of log events. The service logs events at both the tenant and compartment level.
When viewing events logged by Audit, you might be interested in specific activities that happened in the tenancy or compartment and who was responsible for the activity. You will need to know the approximate time and date something happened and the compartment in which it happened to display a list of log events that includes the activity in question. List log events by specifying a time range on the 24-hour clock in Greenwich Mean Time (GMT), calculating the offset for your local time zone, as appropriate. New activity is appended to the existing list, usually within 15 minutes of the API call, though processing time can vary.
Required IAM Policy
To use Oracle Cloud Infrastructure, you must be granted security access in a policy by an administrator. This access is required whether you're using the Console or the REST API with an SDK, CLI, or other tool. If you get a message that you don’t have permission or are unauthorized, verify with your administrator what type of access you have and which compartment to work in.
For administrators: The following policy statement gives the specified group (Auditors) the ability to view all the Audit event logs in the tenancy:
Allow group Auditors to read audit-events in tenancy
To give the group access to the Audit event logs in a specific compartment only (ProjectA), write a policy like the following:
Allow group Auditors to read audit-events in compartment ProjectA
If you're new to policies, see Getting Started with Policies and Common Policies. For more details about policies for Audit, see Details for the Audit Service.
Searching and Filtering in the Console
When you navigate to Audit in the Console, a list of results is generated for the current compartment. Audit logs are organized by compartment, so if you are looking for a particular event, you must know which compartment the event occurred in. You can filter the list in all the following ways:
- Date and time
- Request Action Types (operations)
- Keywords
For example, users begin to report that their attempts to log in are failing. You want to use Audit to research the problem. Adjust the date and time to search for corresponding failures during a window of time that starts a little before the events were reported. Look for corresponding failures and similar operations preceding the failures to correlate a reason for the failures.
The service logs events at the time they are processed. There can be a delay between the time an operation occurs and when it is processed.
You can filter results by request actions to zero in on only the events with operations that interest you. For example, say that you only want to know about instances that were deleted during a specific time frame. Select a delete request action filter to see only the events with delete operations.
You can also filter by keywords. Keyword filters are powerful when combined with the values from audit event fields. For example, say that you know the user name of an account and want a list of all activity by that account in a particular time frame. Do a search using the user name as a keyword filter.
Every audit event contains the same fields, so search for values from those fields. To get a better understanding of what values are available, see Contents of an Audit Log Event.
Using the Console
1. Open the navigation menu, click Identity & Security, and then click Audit.
   The list of events that occurred in the current compartment is displayed.
2. Click one of the compartments under Compartment.
   Audit organizes logs by compartment, so if you are looking for a particular event, you must know which compartment the event occurred in.
3. Click in the Start date box to choose the start date and time for the range of results you want to see. You can click the arrows on either side of the month to go backward or forward.
4. (Optional) Specify a time by doing one of the following:
   - Click Time and specify an exact start time in thirty-minute increments.
   - Type an exact time in the Start date box.
   The service uses a 24-hour clock, so you must provide a number between 0 and 23 for the hour. Also remember to calculate the offset between Greenwich Mean Time (GMT) and your local time.
5. Repeat steps 3 and 4 to choose an end date and time.
6. (Optional) In the Keywords box, type the text you want to find and click Search.
   Tip: If you want to find log events with a specific status code, include quotes (") around the code to avoid results that have those numbers embedded in a longer string.
7. (Optional) In Request action types, specify one or more operations with which to filter results.
   - GET
   - POST
   - PUT
   - PATCH
   - DELETE
The results are updated to include only log events that were processed within the time range and filters you specified. If an event occurred in the recent past, you might have to wait to see it in the list. The service typically requires up to 15 minutes for processing.
If there are more than 100 results for the specified time range, you can click the right arrow next to the page number at the bottom of the page to advance to the next page of log events.
If you get fewer than 100 results on the last page of a results list, you might still have more results, which you can access by clicking the right arrow. If there are more results, Audit prompts you.
If you want to view all the key-value pairs in a log event, see To view the details of a log event.
View the details of your event:
- To see only the top-level details, click the down arrow to the right of an event.
- To see lower-level details, click + to the left of the collapsed parameter.
The following assumes that you have expanded a row in your results.
- To copy an entire event, click the clipboard icon to the right of the opening curly bracket, above the eventType parameter.
- To copy a portion of an event, click the clipboard icon to the right of the nested parameter or value you want to copy.
The log event is copied to your clipboard. The Audit service logs events in JSON format. You can paste the log event details into a text editor to save and review later or to use with standard log analysis tools.
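An added example (not Oracle's code) of reviewing saved events offline: it converts a local-time incident window to GMT/UTC, then filters events by request action and by exact status code. The events are constructed, and the field paths `eventTime`, `data.identity.principalName`, `data.request.action` and `data.response.status` are assumptions to check against Contents of an Audit Log Event.

```python
from datetime import datetime, timedelta, timezone

# Constructed events. Field paths are assumptions, not taken from this page;
# check them against "Contents of an Audit Log Event".
def _event(when, user, action, path, status):
    return {"eventType": "constructed.example", "eventTime": when,
            "data": {"identity": {"principalName": user},
                     "request": {"action": action, "path": path},
                     "response": {"status": status}}}

SAMPLE_EVENTS = [
    _event("2024-03-05T14:02:11Z", "alice", "POST", "/constructed/login", "401"),
    _event("2024-03-05T14:05:40Z", "alice", "POST", "/constructed/login", "401"),
    _event("2024-03-05T14:07:00Z", "bob", "GET", "/constructed/items/14012", "200"),
    _event("2024-03-05T09:10:00Z", "alice", "POST", "/constructed/login", "401"),
]

def local_window_to_utc(start_local, end_local, utc_offset_hours):
    """Attach a fixed UTC offset to naive local datetimes and convert to UTC."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return tuple(t.replace(tzinfo=tz).astimezone(timezone.utc)
                 for t in (start_local, end_local))

def filter_events(events, start_utc, end_utc, actions=None, status=None):
    """Return events inside [start_utc, end_utc) matching action and status."""
    hits = []
    for ev in events:
        # Python before 3.11 rejects a trailing "Z" in fromisoformat().
        when = datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00"))
        data = ev.get("data", {})
        if not start_utc <= when < end_utc:
            continue
        if actions and data.get("request", {}).get("action") not in actions:
            continue
        # Compare the status field exactly, so "401" never matches "14012".
        if status and str(data.get("response", {}).get("status")) != status:
            continue
        hits.append(ev)
    return hits

if __name__ == "__main__":
    # Users reported failures 09:00-09:30 local time at UTC-5 (constructed).
    start, end = local_window_to_utc(datetime(2024, 3, 5, 9, 0),
                                     datetime(2024, 3, 5, 9, 30), -5)
    for ev in filter_events(SAMPLE_EVENTS, start, end, {"POST"}, "401"):
        print(ev["eventTime"], ev["data"]["identity"]["principalName"])
```

Entering 09:00 to 09:30 without applying the offset would select only the unrelated 09:10 GMT event and miss both failures from the reported window.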
Using the API
For information about using the API and signing requests, see REST API documentation and Security Credentials. For information about SDKs, see SDKs and the CLI.
Use the following operation to list audit log events:
This API is not intended for bulk-export operations. For bulk export, see Bulk Export of Audit Log Events.