Allow Continuous Log Collection Using Management Agents
When you complete the prerequisites for deploying Management Agents in the step Install Management Agents, you create the required compartment, a user group for Logging Analytics users, and the IAM policies to install the Management Agents. As part of the prerequisites, ensure that the following policies are created for your user group:
ALLOW GROUP Logging-Analytics-User-Group TO MANAGE management-agents IN COMPARTMENT <compartment_name>
ALLOW GROUP Logging-Analytics-User-Group to MANAGE management-agent-install-keys IN TENANCY
ALLOW GROUP Logging-Analytics-User-Group TO READ METRICS IN COMPARTMENT <compartment_name>
ALLOW GROUP Logging-Analytics-User-Group TO READ USERS IN TENANCY
In the above example policy statements, Logging-Analytics-User-Group is an example user group.
Also, create a dynamic group for the Management Agents if it doesn't already exist, for example Management-Agent-Dynamic-Group:
ALL {resource.type='managementagent', resource.compartment.id='<management_agent_compartment_OCID>'}
Create IAM policies for Management-Agent-Dynamic-Group to enable log collection and metrics generation:
ALLOW DYNAMIC-GROUP Management-Agent-Dynamic-Group TO USE METRICS IN TENANCY
ALLOW DYNAMIC-GROUP Management-Agent-Dynamic-Group TO {LOG_ANALYTICS_LOG_GROUP_UPLOAD_LOGS} IN TENANCY
If the dynamic group is under a domain, then include the domain in the policy statement. For example:
ALLOW DYNAMIC-GROUP <identity_domain_name>/Management-Agent-Dynamic-Group TO USE METRICS IN TENANCY
ALLOW DYNAMIC-GROUP <identity_domain_name>/Management-Agent-Dynamic-Group TO {LOG_ANALYTICS_LOG_GROUP_UPLOAD_LOGS} IN TENANCY
Some of the above policy statements are included in the readily available Oracle-defined policy templates. You may want to consider using the template for your use case. See Oracle-defined Policy Templates for Common Use Cases.
If you use the Set Up Ingestion wizard to configure the Management Agent for log collection, then some of the above policy statements are added automatically.
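One way to confirm that the dynamic-group statements above are in place, including the identity-domain form, shown as an added example that is not part of the Oracle documentation. The function names, the sample policy list and the domain name ExampleDomain are assumptions, as is matching statements case-insensitively.

```python
import re

# Grants the page requires for the Management Agent dynamic group.
GRANTS = ("USE METRICS", "{LOG_ANALYTICS_LOG_GROUP_UPLOAD_LOGS}")

def normalize(statement):
    """Collapse whitespace and upper-case so spelling variants compare equal.
    Assumption: policy statements can be matched case-insensitively."""
    return re.sub(r"\s+", " ", statement.strip()).upper()

def required_statements(dynamic_group, identity_domain=None):
    """Build the required statements, prefixing the identity domain when given."""
    subject = f"{identity_domain}/{dynamic_group}" if identity_domain else dynamic_group
    return [f"ALLOW DYNAMIC-GROUP {subject} TO {g} IN TENANCY" for g in GRANTS]

def audit(existing, dynamic_group, identity_domain=None):
    """Return (statement, reason) for each required statement that is not in place."""
    have = {normalize(s) for s in existing}
    wanted_list = required_statements(dynamic_group, identity_domain)
    bare_list = required_statements(dynamic_group)
    findings = []
    for wanted, bare in zip(wanted_list, bare_list):
        if normalize(wanted) in have:
            continue
        # A group under a domain needs the <domain>/ prefix in the statement.
        if identity_domain and normalize(bare) in have:
            findings.append((wanted, "present without identity domain prefix"))
        else:
            findings.append((wanted, "missing"))
    return findings

# Constructed sample: statements as they might be exported from a tenancy policy.
SAMPLE_POLICY = [
    "Allow dynamic-group Management-Agent-Dynamic-Group  to use metrics in tenancy",
    "ALLOW DYNAMIC-GROUP Management-Agent-Dynamic-Group TO "
    "{LOG_ANALYTICS_LOG_GROUP_UPLOAD_LOGS} IN TENANCY",
]

if __name__ == "__main__":
    group = "Management-Agent-Dynamic-Group"
    for stmt, reason in audit(SAMPLE_POLICY, group, "ExampleDomain"):
        print(f"{reason}: {stmt}")
```
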