OCI Parser Details

Following are the Oracle-defined parsers available in Oracle Logging Analytics to process the logs collected from Oracle Cloud Infrastructure services:

OCI Cloud Guard Query Results Log Format

Parser name: oci_cloud_guard_query_results_logtype

Example Content:

{
      "data": {
      "executionTime": "2024-06-05T13:51:43Z",
      "message": "ocid1.cloudguarddatasource.oc1.iad.UniqueID executed on nodename, result 1/1",
      "result": {
      "builddistro": "centos7",
      "buildplatform": "linux",
      "confighash": "2c01b8234d6c93aea2041b3430f8d7e26fb4f740",
      "configvalid": "1",
      "extensions": "active",
      "instanceid": "ocid1.instance.oc1.iad.UniqueID",
      "pid": "3212701",
      "platformmask": "9",
      "starttime": "1716921925",
      "uuid": "7e5b5280-3c75-4edf-be65-98363096836c",
      "version": "5.5.1_66",
      "watcher": "3212697"
      },
      "resultGroupId": "11566c0c-811b-4193-84f2-c2b1ee50f3e4"
      },
      "id": "10c777d8-231a-4e04-b33b-45d2312f096b",
      "oracle": {
      "compartmentid": "ocid1.compartment.oc1..UniqueID",
      "ingestedtime": "2024-06-05T13:58:09.343Z",
      "logid": "ocid1.log.oc1.iad.UniqueID",
      "tenantid": "ocid1.tenancy.oc1..UniqueID"
      },
      "source": "ol9-arm-flexa1-private-internet-standard",
      "specversion": "1.0",
      "subject": "ocid1.cloudguarddatasource.oc1.iad.UniqueID",
      "time": "2024-06-05T13:58:01.112Z",
      "type": "com.oraclecloud.workloadprotection.cloudguarddatasource.wlp_scheduled_query_logs"
      } 

OCI Cloud Guard Raw Log Format

Parser name: oci_cloud_guard_raw_logtype

Example Content:

{
      "data": {
      "executionTime": "2024-07-08T16:11:26Z",
      "message": "SECSCAN executed on logan-actions-ad2, result 1/1",
      "result": {
      "environment": "overlay",
      "daemonhost": "unix:///run/odo/docker.sock",
      "image": "rules:0.2",
      "imageid": "sha256:ec6790dUniqueID",
      "state": "running",
      "chefstatus": "success",
      "clamscanexitcode": "0",
      "arch": "x86_64",
      "builddistro": "centos7",
      "buildplatform": "linux",
      "errormessage": "",
      "instanceid": "ocid1.instance.oc1..UniqueID",
      "issecscanhost": "false",
      "command": "root /usr/bin/systemctl restart aidescan.service",
      "exitcode": "",
      "fqdn": "api_xyz.logginganalytics.example.com",
      "hostclass": "LOGAN",
      "region": "us-ashburn-1",
      "lastupdated": "2024-07-31T00:52:50Z"
      }
      },
      "id": "31cbedc5-aaaa-aaaa-UniqueID",
      "oracle": {
      "compartmentid": "ocid1.tenancy.oc1..UniqueID",
      "ingestedtime": "2024-07-08T16:18:18.654Z",
      "logid": "ocid1.log.oc1..UniqueID",
      "tenantid": "ocid1.tenancy.oc1..UniqueID"
      },
      "source": "logan-actions-ad2",
      "specversion": "1.0",
      "subject": "SECSCAN",
      "time": "2024-07-08T16:18:10.739Z",
      "type": "com.oraclecloud.workloadprotection.cloudguardtarget.recipelog"
      }

OCI Web Application Acceleration Log Format

Parser name: oci_waa_logtype

Example Content:

{
               "data":{
                  "request":{
                     "id":"727b8fabcc23662a8ad3754d4a3573f2"
                  },
                  "response":{
                     "code":"200",
                     "size":"73805"
                  },
                  "timestamp":"2023-08-14T05:40:24+00:00"
               },
               "id":"6cf12c5a-846f-4394-b882-861c5b698032-waa-192433",
               "oracle":{
                  "compartmentid":"ocid1.compartment.oc1.uniqueId",
                  "ingestedtime":"2023-08-14T05:40:33.086Z",
                  "loggroupid":"ocid1.loggroup.oc1.uniqueId",
                  "logid":"ocid1.log.oc1.uniqueId",
                  "resourceid":"ocid1.loadbalancer.oc1.uniqueId",
                  "tenantid":"ocid1.tenancy.oc1.uniqueId"
               },
               "source":"fortLB",
               "specversion":"1.0",
               "subject":"",
               "time":"2023-08-14T05:40:24.526Z",
               "type":"com.oraclecloud.loadbalancer.waa"
            }

OKE Control Plane Log Format

Parser name: oci_oke_controlplane_logtype

Example Content:

{
    "data": {
      "level": "info",
      "msg": "\"Event occurred\" object=\"oci-onm/oci-onm-discovery\" fieldPath=\"\" kind=\"CronJob\" apiVersion=\"batch/v1\" type=\"Normal\" reason=\"SuccessfulDelete\" message=\"Deleted job oci-onm-discovery-28283395\"",
      "source": "event.go:294"
    },
    "id": "uniqueId",
    "oracle": {
      "compartmentid": "ocid1.compartment.oc1.uniqueId",
      "ingestedtime": "2023-10-11T06:11:01.153Z",
      "loggroupid": "ocid1.loggroup.oc1.uniqueId",
      "logid": "ocid1.log.oc1.uniqueId",
      "tenantid": "ocid1.tenancy.oc1.uniqueId"
    },
    "source": "kube-controller-manager",
    "specversion": "1.0",
    "time": "2023-10-11T06:10:08.813Z",
    "type": "com.oraclecloud.kubernetes.cluster.controlplane"
  }

OCI Service Connector Hub Log Format

Parser name: oci_service_connector_hub_logtype

Example Content:

{
    "data": {
      "level": "INFO",
      "message": "Run succeeded - Read 2 messages from source and wrote 2 messages to target",
      "messageType": "CONNECTOR_RUN_COMPLETED"
    },
    "id": "f83205ef-0bef-47d0-b6b2-362afc4a2e9a",
    "oracle": {
      "compartmentid": "ocid1.compartment.uniqueId",
      "ingestedtime": "2023-08-02T00:10:28.990Z",
      "loggroupid": "ocid1.loggroup.uniqueId",
      "logid": "ocid1.log.uniqueId",
      "resourceid": "ocid1.serviceconnector.uniqueId",
      "tenantid": "ocid1.tenancy.uniqueId"
    },
    "source": "connectorName",
    "specversion": "1.0",
    "time": "2023-08-02T00:10:26.859Z",
    "type": "com.oraclecloud.sch.serviceconnector.runlog"
  }

OCI GoldenGate Log Format

Parser name: oci_golden_gate_logtype

Example Content:

[{
  "time": "2023-05-25T09:21:05.192Z",
  "source": "ocid1.goldengatedeployment.uniqueId",
  "id": "uniqueId",
  "oracle": {
    "compartmentid": "ocid1.compartment.uniqueId",
    "logid": "ocid1.log.uniqueId"
  },
  "specversion": "1.0",
  "type": "com.oraclecloud.goldengate.deployment.process_logs",
  "data": {
    "message": "CSRFTokenProtection: ENABLED.\nCross-Site Request Forgery checks using CSRF-Tokens will be performed.",
    "level": "INFO",
    "resourceId": "ocid1.goldengatedeployment.uniqueId",
    "processName": "distsrvr"
  }
},
{
  "ts": "2023-05-25T09:21:05.192Z",
  "source": "ocid1.goldengatedeployment.uniqueId",
  "id": "uniqueId",
  "oracle": {
    "compartmentid": "ocid1.compartment.uniqueId",
    "logid": "ocid1.log.uniqueId"
  },
  "specversion": "1.0",
  "type": "com.oraclecloud.goldengate.deployment.process_logs",
  "data": {
    "message": "CSRFTokenProtection: ENABLED.\nCross-Site Request Forgery checks using CSRF-Tokens will be performed.",
    "level": "INFO",
    "resourceId": "ocid1.goldengatedeployment.uniqueId",
    "processName": "distsrvr"
  }
}]

OCI Data Flow Spark Diagnostic Log Format

Parser name: oci_data_flow_spark_diagnostics_logtype

Example Content:

{
    "data": {
      "logLevel": "INFO",
      "message": "Execution complete.",
      "opcRequestId": "unique_ID",
      "runId": "ocid1.dataflowrun.realm.region.unique_ID",
      "thread": "shaded.dataflow.oracle.dfcs.spark.wrapper.DataflowWrapper"
    },
    "id": "unique_ID",
    "oracle": {
      "compartmentid": "ocid1.tenancy.oc1.unique_ID",
      "ingestedtime": "2023-06-23T20:20:06.974Z",
      "loggroupid": "ocid1.loggroup.realm.region.unique_ID",
      "logid": "ocid1.log.realm.region.unique_ID",
      "tenantid": "ocid1.tenancy.realm.region.unique_ID"
    },
    "source": "Sample CSV Processing App",
    "specversion": "1.0",
    "subject": "spark-driver",
    "time": "2023-06-23T20:20:02.245Z",
    "type": "com.oraclecloud.dataflow.run.driver"
  }

OCI Application Performance Monitoring Log Format

Parser name: oci_application_performance_monitoring_logtype

Example Content:

{
    "data": {
    "arrivaltime": "2023-03-14T15:21:27.010Z",
    "content": "{\\\"major-version\\\": 1, \\\"minor-version\\\": 0, \\\"payload-creation-ts-millis\\\": 1678807286000, \\\"resource\\\": {\\\"attributes\\\": [{\\\"key\\\": \\\"Component\\\", \\\"value\\\": \\\"BROWSER\\\"}, {\\\"key\\\": \\\"ServiceName\\\", \\\"value\\\": \\\"myService\\\"}, {\\\"key\\\": \\\"ApmrumLanguage\\\", \\\"value\\\": \\\"en-US\\\"}, {\\\"key\\\": \\\"ApmrumWindowId\\\", \\\"value\\\": \\\"\\\"}, {\\\"key\\\": \\\"SessionId\\\", \\\"value\\\": \\\"session-my1678807286000-3311688\\\"}, {\\\"key\\\": \\\"UserName\\\", \\\"value\\\": \\\"meUser\\\"}]}, \\\"spans\\\": [{\\\"id\\\": \\\"my1678807286000-3311688-2929311\\\", \\\"trace-id\\\": \\\"my1678807286000-3311688\\\", \\\"name\\\": \\\"Page Load myPage\\\", \\\"ts-micros\\\": 1678807284900000, \\\"td-micros\\\": 820619, \\\"kind\\\": \\\"PRODUCER\\\", \\\"attributes\\\": {\\\"ApmrumType\\\": \\\"Page\\\", \\\"WebApplicationName\\\": \\\"myWebapp\\\", \\\"PageInitTime\\\": 870, \\\"PageFirstByteTime\\\": 412, \\\"PageDownloadTime\\\": 17, \\\"PageRenderTime\\\": 994, \\\"PageInteractiveTime\\\": 341, \\\"ApmrumPageUpdateType\\\": \\\"Page Load\\\", \\\"HttpUrl\\\": \\\"http://www.example.com/myIndex.html\\\", \\\"HttpUrlHost\\\": \\\"http://www.example.com\\\", \\\"HttpUrlPath\\\": \\\"/myIndex.html\\\", \\\"HttpStatusCode\\\": 200, \\\"Error\\\": false}, \\\"links\\\": []}, {\\\"id\\\": 5797336, \\\"trace-id\\\": \\\"my1678807286000-3311688\\\", \\\"parent-id\\\": \\\"my1678807286000-3311688-2929311\\\", \\\"name\\\": \\\"Page Load page-0\\\", \\\"ts-micros\\\": 1678807284900000, \\\"td-micros\\\": 990000, \\\"kind\\\": \\\"PRODUCER\\\", \\\"attributes\\\": {\\\"ApmrumType\\\": \\\"Page\\\", \\\"WebApplicationName\\\": \\\"myWebapp\\\", \\\"PageInitTime\\\": 110, \\\"PageFirstByteTime\\\": 304, \\\"PageDownloadTime\\\": 5, \\\"PageRenderTime\\\": 732, \\\"PageInteractiveTime\\\": 401, \\\"ApmrumPageUpdateType\\\": \\\"Page Load\\\", \\\"HttpUrl\\\": \\\"http://www.example.com/myIndex.html\\\", \\\"HttpUrlHost\\\": \\\"http://www.example.com\\\", \\\"HttpUrlPath\\\": \\\"/myIndex.html\\\", \\\"HttpStatusCode\\\": 200, \\\"Error\\\": false}, \\\"links\\\": []}]}",
      "contentlength": "1616",
      "dataformat": "apm",
      "dataformatversion": "1",
      "message": "The request is rejected due to throttling limits.",
      "obstype": "public-span",
      "rejectioncause": "PAYLOAD_THROTTLED"
    },
    "id": "unique_ID",
    "oracle": {
      "compartmentid": "ocid1.compartment.oc1.unique_ID",
      "ingestedtime": "2023-03-14T15:21:35.427Z",
      "loggroupid": "ocid1.loggroup.oc1.phx.unique_ID",
      "logid": "ocid1.log.oc1.phx.unique_ID",
      "tenantid": "ocid1.tenancy.oc1.unique_ID"
    },
    "source": "ocid1.apmdomain.oc1.phx.unique_ID",
    "specversion": "1.0",
    "time": "2023-03-14T15:21:27.324Z",
    "type": "com.oraclecloud.apm.domain.dropped-data"
}

OCI Media Flow service Log Format

Parser name: oci_media_flow_service_logtype

Example Content:

{
        "data": {
          "mediaWorkflowId": "ocid1.mediaworkflow.oc1.iad.UniqueID",
          "mediaWorkflowJobId": "ocid1.mediaworkflowjob.oc1.iad.UniqueID",
          "message": "Job execution SUCCEEDED",
          "taskKey": "move",
          "taskType": "getFiles"
        },
        "id": "e60adf8e-48be-4adc-83f4-315768905600",
        "oracle": {
          "compartmentid": "ocid1.compartment.oc1..UniqueID",
          "ingestedtime": "2023-03-07T07:16:39.975Z",
          "loggroupid": "ocid1.loggroup.oc1.iad.UniqueID",
          "logid": "ocid1.log.oc1.iad.UniqueID",
          "tenantid": "ocid1.tenancy.oc1..UniqueID"
        },
        "source": "ocid1.mediaworkflow.oc1.iad.UniqueID",
        "specversion": "1.0",
        "time": "2023-03-07T07:16:37.460Z",
        "type": "com.oraclecloud.mediaservice.mediaworkflowjob.execution"
      }

Oracle Operator Access Control Log Format

Parser name: oracle_operator_access_control_logtype

Example Content:

{
    "data": {
        "accessRequestId": "ocid1.opctlaccessrequest.oc1.ap-region.uniqueId",
        "message": "type=PROCTITLE msg=audit(09/08/2021 09:01:24.335:34495595) : proctitle=ps -ef",
        "status": "",
        "systemOcid": "ocid1.exadatainfrastructure.oc1.region.uniqueId",
        "target": "",
        "timestamp": "2021-09-08T09:01:24.000Z"
    },
    "id": "b3b102aa-daee-4861-8e2c-123456789123",
    "oracle": {
        "compartmentid": "ocid1.tenancy.oc1.uniqueId",
        "ingestedtime": "2021-09-08T16:02:26.182Z",
        "loggroupid": "ocid1.loggroup.oc1.region.uniqueId",
        "logid": "ocid1.log.oc1.region.uniqueId",
        "tenantid": "ocid1.tenancy.oc1.uniqueId"
    },
    "source": "OperatorAccessControl",
    "specversion": "1.0",
    "time": "2021-09-08T16:01:52.989Z",
    "type": "com.oraclecloud.opctl.audit"
}

OCI Load Balancer Access Log Format

Parser name: oci_loadbalancer_access_logtype

Example Content:

{
	"data": {
		"timestamp": "2020-09-28T17:10:39+00:00",
		"clientAddr": "192.0.2.1:3427",
		"host": "LB_VirtualAddress",
		"backendAddr": "192.0.2.100:24443",
		"requestProcessingTime": "0.003",
		"backendConnectTime": "0.001",
		"lbStatusCode": "200",
		"receivedBytes": 100,
		"sentBytes": 300,
		"request": "GET /foo/abc",
		"sslCipher": "ECDHE-RSA-AES256-GCM-SHA384",
		"sslProtocol": "TLSv1.2",
		"userAgent": "curl/7.29.0"
	},
	"id": "adbd63f2-0da7-4d9f-818b-308ee6-a-1849",
	"oracle": {
		"compartmentid": "ocid1.compartment.oc1..aaaaaaaaenufxomt",
		"ingestedtime": "2020-09-28T17:10:47.369Z",
		"loggroupid": "ocid1.loggroup.oc1.iad.amaaaaaamdyb6aia4c",
		"logid": "ocid1.log.oc1.iad.amaaaaaamdyb6aiaqgflbcvgcfc",
		"tenantid": "ocid1.tenancy.oc1..aaaaaaaau6w4ohcbz7otxxy"
	},
	"source": "logan-data-ingest-api-lb",
	"specversion": "1.0",
	"subject": "subject",
	"time": "2020-09-28T17:10:39.266Z",
	"type": "com.oraclecloud.loadbalancer.access"
}

OCI Load Balancer Error Log Format

Parser name: oci_loadbalancer_error_logtype

Example Content:

{
  "data": {
    "errorLog": {
      "type": "healthChecker",
      "errorDetails": {
        "healthStatus": "Healthy to Unhealthy",
        "backendSetName": "newtest",
        "backend": "192.0.2.10:80",
        "details": {
          "date": 1596583722793,
          "failures": 3,
          "successes": 0,
          "skips": 0,
          "message": {
            "statusCode": 200,
            "expectedRegex": "^notexist$",
            "msg": "response match result: failed",
            "base641kData": "CjwhRE9DVFAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBUwgMS4wIFRyYW5zaXRpb25hb++Q+CiAgICA8c3R5bGUgdHlwZT0i"
          }
        }
      }
    },
    "timestamp": "2020-08-04T23:28:52+00:00"
  },
  "id": "7b06a283-140b-4870-8cda--e-0",
  "oracle": {
    "compartmentid": "ocid1.compartment.oc1..aaaaaaaaenufx",
    "ingestedtime": "2020-10-07T06:02:40.433Z",
    "loggroupid": "ocid1.loggroup.oc1.iad.amaaaaaamdyb6a",
    "logid": "ocid1.log.oc1.iad.amaaaaaamdyb6aiadglsu6l",
    "tenantid": "ocid1.tenancy.oc1..aaaaaaaau6w4ohcbz7o"
  },
  "source": "logan-scheduled-search-lb",
  "specversion": "1.0",
  "subject": "",
  "time": "2020-10-07T06:02:34.564Z",
  "type": "com.oraclecloud.loadbalancer.error"
}

OCI Function Log Format

Parser name: oci_function_logtype

Example Content:

{
    "data": {
        "applicationId": "ocid1.fnapp.oc1.region-1.abcdefg",
        "containerId": "01EMNSA3300000000000000502",
        "functionId": "ocid1.fnfunc.oci1.region-1.1112233abcdef",
        "message": "2020-10-15 11:11:35,568 - root - INFO - Headers: {\"host\": [\"localhost\", \"abcdefg.apigateway.region-1.test\"], \"user-agent\": [\"lua-resty-http/0.14 (Lua) ngx_lua/10015\", \"curl/7.29.0\"], \"transfer-encoding\": \"chunked\", \"content-type\": [\"application/octet-stream\", \"application/octet-stream\"], \"date\": \"Thu, 15 Oct 2020 11:11:35 GMT\", \"fn-call-id\": \"01EMNZAH461BT0H4GZJ000VNEQ\", \"fn-deadline\": \"2020-10-15T11:12:05Z\", \"accept\": \"*/*\", \"cdn-loop\": \"v3pC1JgjsYAdqr6Qp6ZcMg\", \"forwarded\": \"for=192.168.0.21\", \"x-forwarded-for\": \"192.168.0.21\", \"x-myheader1\": \"headerValue\", \"x-real-ip\": \"192.168.0.21\", \"fn-http-method\": \"GET\", \"fn-http-request-url\": \"/V2/display-httprequest-info\", \"fn-intent\": \"httprequest\", \"fn-invoke-type\": \"sync\", \"oci-subject-id\": \"ocid1.apigateway.oc1.region-1.abcdef\", \"oci-subject-tenancy-id\": \"ocid1.tenancy.oc1..abcdef1234\", \"oci-subject-type\": \"resource\", \"opc-request-id\": \"/ABCDEF1122F08CD72BCDF9568DA7CC8B/01EMNZAH451BT0H4GZJ000VNEP\", \"x-content-sha256\": \"47DEQpj8HBSa+/TImW+123009abc=\", \"accept-encoding\": \"gzip\"}",
        "requestId": "/ABCDEF1122F08CD72BCDF9568DA7CC8B/01EMNZAH451BT0H4GZJ000VNEP",
        "src": "STDERR"
    },
    "id": "ceae7406-f7ba-43c4-ac12-1234",
    "oracle": {
        "compartmentid": "ocid1.compartment.oc1..12345abcdef",
        "ingestedtime": "2020-10-15T11:11:35.802Z",
        "loggroupid": "ocid1.loggroup.oci1.region-1.22222abcdef",
        "logid": "ocid1.log.oci1.region-1.12345abcdef",
        "tenantid": "ocid1.tenancy.oc1..abcdef1234"
    },
    "source": "HTTP-REQUEST",
    "specversion": "1.0",
    "subject": "http-request",
    "time": "2020-10-15T11:11:35.000Z",
    "type": "function message type"
}

OCI Events Log Format

Parser name: oci_events_logtype

Example Content:

{
    "data": {
        "eventId": "0d06215a-e51b-3616-93c6-123456789abc",
        "message": "Event delivered successfully",
        "ruleId": "ocid1.eventrule.oc1.abc.abcdef12345678901234567891234567812345678",
        "target": "ocid1.stream.oc1.def.abcdef12345678901234567891234567812345698"
    },
    "id": "9c3cb4e7-e664-4bc7-a7c7-111223344",
    "oracle": {
        "compartmentid": "ocid1.compartment.abc.1111111111111111111111111111111111122222222222",
        "ingestedtime": "2020-09-22T03:03:04.749Z",
        "loggroupid": "ocid1.loggroup.oc1.iad.abcdef12345678901234567891234567812345677",
        "logid": "ocid1.log.oc1.ghi.abcdef12345678901234567891234567812345678",
        "tenantid": "ocid1.tenancy.oc1..aaaaaabcdef12345678901234567891234567812345666"
    },
    "source": "Stream Create Object events from log bucket to log stream",
    "specversion": "1.0",
    "time": "2020-09-22T03:02:54.000Z",
    "type": "com.oraclecloud.eventsservice.eventrule.ruleexecutionlog"
}

OCI Object Storage Access Log Format

Parser name: oci_objectstorage_access_logtype

Example Content:

{
    "data": {
        "apiType": "native",
        "authenticationType": "instance",
        "bucketCreator": "Unknown",
        "bucketId": "ocid1.bucket.oc1.abc.abcdef123456789",
        "bucketName": "log",
        "clientIpAddress": "192.0.2.1",
        "compartmentId": "ocid1.compartment.oc1..abcdefg1234568888",
        "compartmentName": "compartment_name",
        "credentials": "abcdef123456789abcdef",
        "eTag": "45385429-904b-4db1-866e-123",
        "endTime": "2020-09-29T20:02:31.811Z",
        "isPar": false,
        "message": "Object retrieved.",
        "namespaceName": "namespace_value",
        "objectName": "object_name",
        "opcRequestId": "iad-1:x-uGtXG5Wdk3abc",
        "principalId": "ocid1.instance.oc1.12345",
        "principalName": "UnknownPrincipal",
        "region": "us-region-1",
        "requestAction": "GET",
        "requestResourcePath": "/n/namespace_value/b/log/o/object_name",
        "startTime": "2020-09-29T20:02:31.787Z",
        "statusCode": 200,
        "tenantId": "ocid1.tenancy.oc1..6w4ohcbz7otxxy6kd",
        "tenantName": "loganprod",
        "userAgent": "Oracle-JavaSDK/1.19.3 (Linux/4.14.35-1902.305.4.el7uek.x86_64; Java/1.8.0_251; Java HotSpot(TM) 64-Bit GraalVM EE 19.3.2/25.251-b08-jvmci-20.1-b02-dev)",
        "vcnId": "477016"
    },
    "id": "20919d7c-2d6d-401a-9858-123",
    "oracle": {
        "compartmentid": "ocid1.compartment.oc1..lxenat5opur",
        "ingestedtime": "2020-09-29T20:02:37.678Z",
        "loggroupid": "ocid1.loggroup.oc1.gmsmd5c7qmebnsyx7dm",
        "logid": "ocid1.log.oc1.iz6lu3innhmdyb6aiamaaaaa",
        "tenantid": "ocid1.tenancy.oc1..1234"
    },
    "source": "log",
    "specversion": "1.0",
    "subject": "subject value",
    "time": "2020-09-29T20:02:31.811Z",
    "type": "com.oraclecloud.objectstorage.getobject"
}

OCI API Gateway Access Log Format

Parser name: oci_api_gw_access_logtype

Example Content:

{
    "data": {
        "bodyBytesSent": 22,
        "gatewayId": "ocid1.apigateway.oc1.region-1-ocidddddddd",
        "httpUserAgent": "curl/7.29.0",
        "message": "GET /V1/weather HTTP/1.1",
        "opcRequestId": "/12345B88C07D061F8221193082B12345/12345801AEDEEF3BE80938595EEABCDE",
        "remoteAddr": "192.0.2.1",
        "requestDuration": 0.161,
        "requestMethod": "GET",
        "requestUri": "/V1/weather",
        "serverProtocol": "HTTP/1.1",
        "status": 200
    },
    "id": "571aab5c-f9a9-11ea-a9a1-ABC1234",
    "oracle": {
        "compartmentid": "ocid1.compartment.oc1..ABC1234OCID",
        "ingestedtime": "2020-09-18T12:21:29.526Z",
        "loggroupid": "ocid1.loggroup.oc1.region-1.12345ABC1234OCID",
        "logid": "ocid1.log.oc1.region-1.AAAABBBB",
        "tenantid": "ocid1.tenancy.oc1..AAA11223344"
    },
    "source": "Weather",
    "specversion": "1.0",
    "time": "2020-09-18T12:20:29.000Z",
    "type": "com.oraclecloud.apigateway.apideployment.access"
}

OCI API Gateway Execution Log Format

Parser name: oci_api_gw_exec_logtype

Example Content:

{
    "data": {
        "code": "httpBackend.requestSent",
        "functionId":"ocid1.fnfunc.oc1.region-1.123456",
        "gatewayId": "ocid1.apigateway.oc1.region-1.AAA11223355",
        "level": "INFO",
        "message": "Sending request to upstream",
        "opcRequestId": "/0431C52F31E68CE19AD638AAE1B05854/F6D390655FD11520B8566BF5046284CE"
    },
    "id": "cb851077-f9a8-11ea-a9a1-ABC1234",
    "oracle": {
        "compartmentid": "ocid1.compartment.oc1..ABC1234OCID",
        "ingestedtime": "2020-09-18T12:17:28.699Z",
        "loggroupid": "ocid1.loggroup.oc1.region-1.12345ABC1234OCID",
        "logid": "ocid1.log.oc1.region-1.AAA11223356",
        "tenantid": "ocid1.tenancy.oc1..AAA11223344"
    },
    "source": "Weather",
    "specversion": "1.0",
    "time": "2020-09-18T12:16:35.000Z",
    "type": "com.oraclecloud.apigateway.apideployment.execution"
}

OCI Unified Schema Log Format

Parser name: oci_unifiedschema_logtype

Example Content:

{
    "data": {
    },
    "id": "571aab5c-f9a9-11ea-a9a1-ABC1234",
    "oracle": {
        "compartmentid": "ocid1.compartment.oc1..ABC1234OCID",
        "ingestedtime": "2020-09-18T12:21:29.526Z",
        "loggroupid": "ocid1.loggroup.oc1.region-1.12345ABC1234OCID",
        "logid": "ocid1.log.oc1.region-1.AAAABBBB",
        "tenantid": "ocid1.tenancy.oc1..AAA11223344"
    },
    "source": "message source",
    "specversion": "1.0",
    "time": "2020-09-18T12:20:29.000Z",
    "type": "message type"
}

OCI VCN Flow Unified Schema Format

Parser name: oci_vcn_flow_unifmt_logtype

Example Content:

{
    "data": {
        "action": "ACCEPT",
        "bytesOut": 4843,
        "destinationAddress": "192.0.2.11",
        "destinationPort": 443,
        "endTime": 1601204026,
        "flowid": "27f8550a",
        "packets": 15,
        "protocol": 6,
        "protocolName": "TCP",
        "sourceAddress": "192.0.2.1",
        "sourcePort": 46660,
        "startTime": 1601204026,
        "status": "OK",
        "version": "2"
    },
    "id": "409971d6",
    "oracle": {
        "compartmentid": "ocid1.compartment.oc1..aaaaaaaaenufxomtrgajc",
        "ingestedtime": "2020-09-27T10:54:41.449Z",
        "loggroupid": "ocid1.loggroup.oc1.iad.amaaaaaamdyb6aia4clhgcw",
        "logid": "ocid1.log.oc1.iad.amaaaaaamdyb6aiaon3xwya2hcrsdnn",
        "tenantid": "ocid1.tenancy.oc1..aaaaaaaau6w4ohcbz7otxxy6kdtk",
        "vniccompartmentocid": "ocid1.compartment.oc1..aaaaaaaaywgrjl",
        "vnicocid": "ocid1.vnic.oc1.iad.abuwcljtw",
        "vnicsubnetocid": "ocid1.subnet.oc1.iad.aaaaaaaaz"
    },
    "source": "ocid1.subnet.oc1.iad.aaaaaaaaz",
    "specversion": "1.0",
    "subject": "ocid1.vnic.oc1.iad.abuwcljtw",
    "time": "2020-09-27T10:53:46.000Z",
    "type": "com.oraclecloud.vcn.flowlogs.DataEvent"
}

OCI Audit Unified Schema Format

Parser name: oci_audit_unifmt_logtype

Example Content:

{
  "data": {
    "additionalDetails": {
      "X-Real-Port": 60760
    },
    "availabilityDomain": "AD1",
    "compartmentId": "ocid1.tenancy.uniqueId",
    "compartmentName": "emdemo",
    "definedTags": null,
    "eventGroupingId": "eventGroupingId",
    "eventName": "ParseQuery",
    "freeformTags": null,
    "identity": {
      "authType": "fed",
      "callerId": null,
      "callerName": null,
      "consoleSessionId": "consoleSessionId",
      "credentials": "***",
      "ipAddress": "203.0.113.1",
      "principalId": "ocid1.saml2idp.uniqueId",
      "principalName": "principalName",
      "tenantId": "ocid1.tenancy.uniqueId",
      "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36"
    },
    "message": "ParseQuery succeeded",
    "request": {
      "action": "POST",
      "headers": {
        "Accept": [
          "*/*"
        ],
        "Accept-Encoding": [
          "gzip, deflate, br"
        ],
        "Accept-Language": [
          "en"
        ],
        "Authorization": [
          "Signature ***"
        ],
        "Connection": [
          "keep-alive"
        ],
        "Content-Length": [
          "273"
        ],
        "Content-Type": [
          "application/json"
        ],
        "Origin": [
          "https://cloud.oracle.com"
        ],
        "Referer": [
          "https://cloud.oracle.com/"
        ],
        "Sec-Fetch-Dest": [
          "empty"
        ],
        "Sec-Fetch-Mode": [
          "cors"
        ],
        "Sec-Fetch-Site": [
          "cross-site"
        ],
        "User-Agent": [
          "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36"
        ],
        "opc-request-id": [
          "opc-request-id"
        ],
        "sec-ch-ua": [
          "\"Not.A/Brand\";v=\"8\", \"Chromium\";v=\"114\", \"Google Chrome\";v=\"114\""
        ],
        "sec-ch-ua-mobile": [
          "?0"
        ],
        "sec-ch-ua-platform": [
          "\"macOS\""
        ],
        "x-content-sha256": [
          "sha256"
        ],
        "x-date": [
          "Fri, 23 Jun 2023 03:25:56 GMT"
        ]
      },
      "id": "id",
      "parameters": {},
      "path": "/20200601/namespaces/resource/search/actions/parse"
    },
    "resourceId": "resource",
    "response": {
      "headers": {
        "Access-Control-Allow-Credentials": [
          "true"
        ],
        "Access-Control-Allow-Origin": [
          "https://cloud.oracle.com"
        ],
        "Access-Control-Expose-Headers": [
          "opc-previous-page,opc-next-page,opc-client-info,ETag,opc-total-items,opc-request-id,Location"
        ],
        "Content-Length": [
          "2407"
        ],
        "Content-Type": [
          "application/json"
        ],
        "Date": [
          "Fri, 23 Jun 2023 03:25:57 GMT"
        ],
        "Timing-Allow-Origin": [
          "https://cloud.oracle.com"
        ],
        "Vary": [
          "Origin"
        ],
        "X-Content-Type-Options": [
          "nosniff"
        ],
        "X-Frame-Options": [
          "SAMEORIGIN"
        ],
        "opc-request-id": [
          "opc-request-id"
        ]
      },
      "message": null,
      "payload": {},
      "responseTime": "2023-06-23T03:25:57.342Z",
      "status": "200"
    },
    "stateChange": {
      "current": {
        "columns": [
          {
            "displayName": "Log Source",
            "internalName": "msrcid",
            "isCaseSensitive": false,
            "isEvaluable": true,
            "isGroupable": true,
            "isListOfValues": true,
            "isMultiValued": false,
            "subSystem": "LOG",
            "type": "COLUMN",
            "valueType": "STRING"
          },
          {
            "displayName": "Type",
            "internalName": "type",
            "isCaseSensitive": false,
            "isEvaluable": true,
            "isGroupable": true,
            "isListOfValues": false,
            "isMultiValued": false,
            "subSystem": "LOG",
            "type": "COLUMN",
            "valueType": "STRING"
          }
        ],
        "commands": [
          {
            "category": "FILTER",
            "displayQueryString": "'Log Source' = 'OCI Audit Logs' and Type like '%logginganalytics%' and Type = com.oraclecloud.logginganalytics.query",
            "internalQueryString": "log.msrcid = omc_ociAuditLogSource and log.type like '%logginganalytics%' and log.type = com.oraclecloud.logginganalytics.query",
            "isHidden": false,
            "name": "SEARCH",
            "referencedFields": [
              {
                "displayName": "Log Source",
                "internalName": "msrcid",
                "isGroupable": true,
                "name": "FIELD",
                "originalDisplayNames": [
                  "Log Source"
                ],
                "valueType": "STRING"
              },
              {
                "displayName": "Type",
                "internalName": "type",
                "isGroupable": true,
                "name": "FIELD",
                "originalDisplayNames": [
                  "Type"
                ],
                "valueType": "STRING"
              }
            ],
            "subQueries": []
          },
          {
            "category": "FILTER",
            "displayQueryString": "clusterdetails collection = 'dummyId' on h[1:0],u[dummyId2]",
            "internalQueryString": "clusterdetails collection = 'dummyId' on h[1:0],u[dummyId2]",
            "isHidden": false,
            "name": "CLUSTER_DETAILS"
          }
        ],
        "displayQueryString": "'Log Source' = 'OCI Audit Logs' and Type like '%logginganalytics%' and Type = com.oraclecloud.logginganalytics.query | clusterdetails collection = 'dummyId' on h[1:0],u[dummyId2]",
        "internalQueryString": "log.msrcid = omc_ociAuditLogSource and log.type like '%logginganalytics%' and log.type = com.oraclecloud.logginganalytics.query | clusterdetails collection = 'dummyId' on h[1:0],u[dummyId2]",
        "responseTimeInMs": 1
      },
      "previous": {}
    }
  },
  "dataschema": "2.0",
  "id": "id",
  "oracle": {
    "compartmentid": "ocid1.tenancy.uniqueId",
    "ingestedtime": "2023-06-23T03:26:02.913Z",
    "loggroupid": "_Audit",
    "tenantid": "ocid1.tenancy.uniqueId"
  },
  "source": "",
  "specversion": "1.0",
  "time": "2023-06-23T03:25:57.342Z",
  "type": "com.oraclecloud.LoggingAnalytics.ParseQuery"
}
{
  "data": {
    "additionalDetails": null,
    "availabilityDomain": "AD3",
    "compartmentId": "ocid1.tenancy.oc1..aaaaaaaaa",
    "compartmentName": "ociateam",
    "definedTags": null,
    "eventGroupingId": null,
    "eventName": "ListCompartments",
    "freeformTags": null,
    "identity": {
      "authType": "natv",
      "callerId": "loganalytics/C5C0E55526E263A3F9111111111111",
      "callerName": "loganalytics",
      "consoleSessionId": null,
      "credentials": "***",
      "ipAddress": "192.0.2.1,198.51.100.1",
      "principalId": "ocid1.user.oc1..aaaaaaaaea",
      "principalName": "Admin User",
      "tenantId": "ocid1.tenancy.oc1..aaaaaaaaa",
      "userAgent": "Oracle-JavaSDK/2.66.0 (Linux/4.14.35-2047.529.3.2.el7uek.x86_64; Java/17.0.8; Java HotSpot(TM) 64-Bit Server VM/17.0.8+9-LTS-jvmci-21.3-b32)"
    },
    "message": "ListCompartments succeeded",
    "request": {
      "action": "GET",
      "headers": {
        "Accept": [
          "application/json"
        ],
        "Connection": [
          "keep-alive"
        ],
        "Date": [
          "Thu, 26 Oct 2023 20:57:00 GMT"
        ],
        "User-Agent": [
          "Oracle-JavaSDK/2.66.0 (Linux/4.14.35-2047.529.3.2.el7uek.x86_64; Java/17.0.8; Java HotSpot(TM) 64-Bit Server VM/17.0.8+9-LTS-jvmci-21.3-b32)"
        ],
        "X-Forwarded-For": [
          "192.0.2.254,198.51.100.254"
        ],
        "X-OCI-LB-NetworkMetadata": [
          "{\"originalConnection\":{\"sourceIp\":\"192.0.2.84\",\"sourcePort\":57470,\"destinationIp\":\"192.0.2.12\",\"destinationPort\":443,\"protocol\":\"https\"},\"paResourceConnection\":{\"sourceIp\":\"192.0.2.19\",\"sourcePort\":57470,\"destinationIp\":\"192.0.2.12\",\"destinationPort\":443},\"paResource\":{\"ocid\":\"\",\"vcnOcid\":\"ocid1.vcn.oc1.iad.aaaaaaamdyb6aq\"}}"
        ],
        "X-OCI-LB-PrivateAccessMetadata": [
          "eyJvcmlnaW5hbENvbm5lAAAAAAAAAAAAAAAAAAAAAA="
        ],
        "X-Real-IP": [
          "203.0.113.84"
        ],
        "X-Real-Port": [
          "57470"
        ],
        "oci-original-host": [
          "identity.us-ashburn-1.oci.oraclecloud.com"
        ],
        "oci-original-url": [
          "https://identity.us-ashburn-1.oci.oraclecloud.com/20160918/compartments"
        ],
        "oci-splat-audited": [
          "true"
        ],
        "oci-splat-service-operation-id": [
          "compartments.ListCompartments"
        ],
        "opc-client-info": [
          "Oracle-JavaSDK/2.66.0"
        ],
        "opc-obo-principal": [
          "{\"tenantId\":\"ocid1.tenancy.oc1..aaaaaaaaa\",\"subjectId\":\"ocid1.user.oc1..aaaaaaaaea\",\"claims\":[{\"key\":\"pstype\",\"value\":\"natv\",\"issuer\":\"authService.oracle.com\"},{\"key\":\"chain\",\"value\":\"\",\"issuer\":\"authService.oracle.com\"},{\"key\":\"tgt\",\"value\":\"ocid1.tenancy.oc1..aaaaaaaaa\",\"issuer\":\"authService.oracle.com\"},{\"key\":\"tgts\",\"value\":\"[\\\"ocid1.tenancy.oc1..aaaaaaaaa\\\"]\",\"issuer\":\"authService.oracle.com\"},{\"key\":\"name-chain\",\"value\":\"\",\"issuer\":\"authService.oracle.com\"},{\"key\":\"mfa_verified\",\"value\":\"true\",\"issuer\":\"authService.oracle.com\"},{\"key\":\"ptype\",\"value\":\"user\",\"issuer\":\"authService.oracle.com\"},{\"key\":\"ttype\",\"value\":\"obo\",\"issuer\":\"authService.oracle.com\"},{\"key\":\"tgt_name\",\"value\":\"identity\",\"issuer\":\"authService.oracle.com\"},{\"key\":\"own\",\"value\":\"ocid1.tenancy.oc1..aaaaaaaaa\",\"issuer\":\"authService.oracle.com\"},{\"key\":\"tgt_names\",\"value\":\"[\\\"identity\\\"]\",\"issuer\":\"authService.oracle.com\"}]}"
        ],
        "opc-principal": [
          "{\"tenantId\":\"ocid1.tenancy.oc1..aaaaaaaaa\",\"subjectId\":\"loganalytics/C5C0E55526AAAA\",\"claims\":[{\"key\":\"opc-instance\",\"value\":\"ocid1.instance.oc1.iad.aaaaaaaa\",\"issuer\":\"authService.oracle.com\"},{\"key\":\"h_date\",\"value\":\"Thu, 26 Oct 2023 20:57:00 GMT\",\"issuer\":\"h\"},{\"key\":\"h_host\",\"value\":\"identity.us-ashburn-1.oci.oraclecloud.com\",\"issuer\":\"h\"},{\"key\":\"svcHostingTenantId\",\"value\":\"ocid1.tenancy.oc1..aaaaaaaaa\",\"issuer\":\"authService.oracle.com\"},{\"key\":\"ttype\",\"value\":\"x509\",\"issuer\":\"authService.oracle.com\"},{\"key\":\"ptype\",\"value\":\"service\",\"issuer\":\"authService.oracle.com\"},{\"key\":\"h_opc-obo-token\",\"value\":\"DUMMY\",\"issuer\":\"h\"},{\"key\":\"authorization\",\"value\":\"Signature ***\",keyId=\\\"DUMMY\\\",algorithm=\\\"rsa-sha256\\\",signature=\\\"*****\\\",version=\\\"1\\\"\",\"issuer\":\"h\"},{\"key\":\"svc\",\"value\":\"loganalytics\",\"issuer\":\"authService.oracle.com\"},{\"key\":\"is_svc\",\"value\":\"true\",\"issuer\":\"authService.oracle.com\"},{\"key\":\"opc-tenant\",\"value\":\"ocid1.tenancy.oc1..aaaaaaaaa\",\"issuer\":\"authService.oracle.com\"},{\"key\":\"opc-compartment\",\"value\":\"ocid1.compartment.oc1..aaaaaaaa\",\"issuer\":\"authService.oracle.com\"},{\"key\":\"h_(request-target)\",\"value\":\"get /20160918/compartments?compartmentId=ocid1.tenancy.oc1..aaaaaaaaa;page=AFUWCLJTAAAAAAAA&limit=1000&accessLevel=ACCESSIBLE&compartmentIdInSubtree=true\",\"issuer\":\"h\"},{\"key\":\"opc-certtype\",\"value\":\"instance\",\"issuer\":\"authService.oracle.com\"},{\"key\":\"fprint\",\"value\":\"C5:C0:77\",\"issuer\":\"authService.oracle.com\"}]}"
        ],
        "opc-request-id": [
          "74298AAAAAAAAAAAAAAA"
        ]
      },
      "id": "74298AAAAAAAAAAAAAAAAA",
      "parameters": {
        "accessLevel": [
          "ACCESSIBLE"
        ],
        "compartmentId": [
          "ocid1.tenancy.oc1..aaaaaaaaa"
        ],
        "compartmentIdInSubtree": [
          "true"
        ],
        "limit": [
          "1"
        ],
        "page": [
          "AAAAAAAAAAJleUpyYVdRaU9pSXpOek13SWtiMzJVR0E="
        ]
      },
      "path": "/20160918/compartments"
    },
    "resourceId": null,
    "response": {
      "headers": {
        "Cache-Control": [
          "no-cache, no-store, must-revalidate"
        ],
        "Content-Length": [
          "784"
        ],
        "Content-Type": [
          "application/json"
        ],
        "Date": [
          "Thu, 26 Oct 2023 20:57:00 GMT"
        ],
        "Pragma": [
          "no-cache"
        ],
        "opc-limit": [
          "1"
        ],
        "opc-next-page": [
          "AAAAAAAAAAJleUpyYVdRaU9pSXpOek13SWl3aVpXNWpJam9pUVRJhZnc="
        ],
        "opc-request-id": [
          "742986C36DC6/7A39F697849/87DC14D30B3055B7"
        ]
      },
      "message": null,
      "payload": null,
      "responseTime": "2023-10-26T20:57:00.394Z",
      "status": "200"
    },
    "stateChange": {
      "current": null,
      "previous": null
    }
  },
  "dataschema": "2.0",
  "id": "f132bf7a-c3d5-4cdb-b3e4-42344b73d48a",
  "oracle": {
    "compartmentid": "ocid1.tenancy.oc1..aaaaaaaaa",
    "ingestedtime": "2023-10-26T20:57:09.668Z",
    "loggroupid": "_Audit",
    "tenantid": "ocid1.tenancy.oc1..aaaaaaaaa"
  },
  "source": "",
  "specversion": "1.0",
  "time": "2023-10-26T20:57:00.379Z",
  "type": "com.oraclecloud.Compartments.ListCompartments"
}
{
  "data": {
    "additionalDetails": {
      "bucketName": "testBucket",
      "namespace": "NAMESPACE"
    },
    "availabilityDomain": "PHX-AD-2",
    "compartmentId": "ocid1.tenancy.oc1..aaaaaaaaa",
    "compartmentName": "logantest1",
    "definedTags": {},
    "eventGroupingId": "phx-1:WRk50BSDAZ",
    "eventName": "GetBucket",
    "freeformTags": {},
    "identity": {
      "authType": "natv",
      "callerId": null,
      "callerName": null,
      "consoleSessionId": null,
      "credentials": "***",
      "ipAddress": "192.0.2.16",
      "principalId": "ocid1.user.oc1..aaaaaaaa",
      "principalName": "manageUser",
      "tenantId": "ocid1.tenancy.oc1..aaaaaaaaa",
      "userAgent": "Apache-HttpClient/4.5.8 (Java/1.8.0_381)"
    },
    "message": "Bucket details retrieved.",
    "request": {
      "action": "GET",
      "headers": {
        "Accept": [
          "application/json"
        ],
        "Accept-Encoding": [
          "gzip,deflate"
        ],
        "Authorization": [
          "Signature ***"
        ],
        "Connection": [
          "Keep-Alive"
        ],
        "User-Agent": [
          "Apache-HttpClient/4.5.8 (Java/1.8.0_381)"
        ],
        "date": [
          "Thu, 14 Dec 2023 17:59:28 GMT"
        ],
        "host": [
          "objectstorage.us-phoenix-1.oraclecloud.com"
        ]
      },
      "id": "phx-1:WRk50BSDAZ",
      "parameters": {
        "fields": [
          "approximateCount,approximateSize"
        ],
        "param0": [
          "NAMESPACE"
        ],
        "param1": [
          "testBucket"
        ]
      },
      "path": "/n/NAMESPACE/b/testBucket/?fields=approximateCount%2CapproximateSize"
    },
    "resourceId": "/n/NAMESPACE/b/testBucket/?fields=approximateCount%2CapproximateSize",
    "response": {
      "headers": {
        "Content-Length": [
          "827"
        ],
        "Content-Type": [
          "application/json"
        ],
        "access-control-allow-credentials": [
          "true"
        ],
        "access-control-allow-methods": [
          "POST,PUT,GET,HEAD,DELETE,OPTIONS"
        ],
        "access-control-allow-origin": [
          "*"
        ],
        "access-control-expose-headers": [
          "access-control-allow-credentials,access-control-allow-methods,access-control-allow-origin,cache-control,content-length,content-type,date,etag,opc-client-info,opc-request-id,x-api-id"
        ],
        "cache-control": [
          "no-store"
        ],
        "date": [
          "Thu, 14 Dec 2023 17:59:28 GMT"
        ],
        "etag": [
          "b863c403-7b12-4e49-94ca-5555555555AAAA"
        ],
        "opc-request-id": [
          "phx-1:WRk50BSDAZ"
        ],
        "x-api-id": [
          "native"
        ]
      },
      "message": null,
      "payload": {
        "id": "/n/NAMESPACE/b/testBucket/?fields=approximateCount%2CapproximateSize",
        "resourceName": "/n/NAMESPACE/b/testBucket/?fields=approximateCount%2CapproximateSize"
      },
      "responseTime": "2023-12-14T17:59:28.169Z",
      "status": "200"
    },
    "stateChange": null
  },
  "dataschema": "2.0",
  "id": "b60d4c03-3d70-2e32-f9cf-13b9d87d0a24",
  "oracle": {
    "compartmentid": "ocid1.tenancy.oc1..aaaaaaaaa",
    "ingestedtime": "2023-12-14T17:59:32.486Z",
    "loggroupid": "_Audit",
    "tenantid": "ocid1.tenancy.oc1..aaaaaaaaa"
  },
  "source": "testBucket",
  "specversion": "1.0",
  "time": "2023-12-14T17:59:28.169Z",
  "type": "com.oraclecloud.objectstorage.getbucket"
}
{
  "data": {
    "additionalDetails": {
      "actorDisplayName": "Test User6",
      "actorOcid": "bbbbbbbbbbbbbbbbbbbbbbbbbb",
      "actorType": "User",
      "resourceType": "AppRole",
      "adminRefResourceName": "G",
      "adminRefResourceType": "User",
      "adminResourceType": "User",
      "test": "test",
      "adminAppRoleAppName": "AUTOANALYTICS",
      "adminResourceName": "AUTONOMOUS_ANALYTICS_ServiceAdministrator",
      "clientIp": "192.0.2.2",
      "domainId": "ocid1.domain.oc1..aaa",
      "domainName": "idcs-123",
      "auditEventMapValue": "{\"schemas\"}",
      "domainDisplayName": "Default",
      "eventId": "sso.session.create.success",
      "hostIp": "198.51.100.18",
      "hostName": "idcs-sso-56d",
      "message": "Session create success",
      "rId": "0:1:6:14",
      "ecId": "vm4Cr1w^j00000000",
      "reasonValue": "",
      "ssoApplicationId": "LoginClient_APPID",
      "ssoApplicationName": "IAM LoginClient",
      "ssoApplicationType": "APP",
      "ssoBrowser": "Firefox",
      "ssoCSR": "false",
      "ssoComments": "Session create success",
      "ssoCompletedFactors": "{USERNAME_PASSWORD=AUTH_SUCCESS}",
      "ssoIdentityProvider": "UserNamePassword",
      "ssoIdentityProviderType": "LOCAL",
      "ssoLocalIp": "192.0.2.1",
      "ssoMatchedSignOnPolicy": "DefaultSignOnPolicy",
      "ssoMatchedSignOnPolicyName": "Default Sign-On Policy",
      "ssoMatchedSignOnRule": "DefaultSignOnRule",
      "ssoMatchedSignOnRuleName": "Default Sign-On Rule",
      "ssoPlatform": "Mac OS X",
      "ssoPolicyObligations": "effect:ALLOW,authenticationFactor:IDP,allowUserToSkip2FAEnrolment:false,2FAFrequency:SESSION,reAuthenticate:false,trustedDevice2FAFrequency:",
      "ssoProtectedResource": "https://cloud.oracle.com",
      "ssoRp": "LoginClient_APPID",
      "ssoSessionCreateTime": "2022-03-09T17:18:33Z",
      "ssoSessionExpiryTime": "2022-03-10T01:18:33Z",
      "ssoSessionId": "61142895dd5b4d",
      "ssoUserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:97.0) Gecko/20100101 Firefox/97.0",
      "idcsCreatedBy": {
             "value": "0f7f60294be042b"
       },
      "idcsLastModifiedBy": {
             "value": "0f7f60294be"
        },
      "adminValuesAdded": {
        "authenticationFactors": [
          {
            "status": "ENROLLED",
            "type": "TOTP"
          },
          {
            "publicKey": "DUMMY",
            "status": "INPROGRESS",
            "type": "PUSH"
          }
        ]
      }
    },
    "availabilityDomain": "AD3",
    "compartmentId": "ocid1.tenancy.oc1..aaaaa",
    "compartmentName": "cc",
    "definedTags": null,
    "eventGroupingId": null,
    "eventName": "InteractiveLogin",
    "freeformTags": null,
    "identity": {
      "authType": null,
      "callerId": null,
      "callerName": null,
      "consoleSessionId": null,
      "credentials": null,
      "ipAddress": "192.0.2.64",
      "principalId": null,
      "principalName": "gstest6",
      "tenantId": "ocid1.tenancy.oc1..aa",
      "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:97.0) Gecko/20100101 Firefox/97.0"
    },
    "message": " InteractiveLogin succeeded",
    "request": {
      "action": null,
      "headers": null,
      "id": "DWsez1ESf10000000",
      "parameters": null,
      "path": null
    },
    "resourceId": null,
    "response": {
      "headers": null,
      "message": null,
      "payload": null,
      "responseTime": "2022-03-09T17:18:33.983Z",
      "status": null
    },
    "stateChange": {
      "current": null,
      "previous": null
    }
  },
  "dataschema": "2.0",
  "id": "fd380a65-c887-4d48-8a52-c405c0c96bc4",
  "oracle": {
    "compartmentid": "ocid1.tenancy.oc1..aaaaa",
    "ingestedtime": "2022-03-09T17:18:38.743Z",
    "loggroupid": "_Audit",
    "tenantid": "ocid1.tenancy.oc1..aaaa"
  },
  "source": "",
  "specversion": "1.0",
  "time": "2022-03-09T17:18:33.983Z",
  "type": "com.oraclecloud.IdentitySignOn.InteractiveLogin"
}

OCI Audit Log Format

Parser name: omc_oci_audit_logtype

Example Content:

{ 
   "tenantId":"ocid1.tenancy.oc1..aaaaaaaagABCDEFGHKUYGASDGADDGADAGADGDAGJDAGGDjiujvy2hjgxvabc",
   "compartmentId":"ocid1.tenancy.oc1..aaaaaaaauAADBCISHGDKUHAFFFFFFFFFDDDDDDDDDDDDxjlcnunxo2hbsixyz",
   "compartmentName":"mycompname",
   "eventId":"762d978e-f995-4208-93cf-af0e97bca529",
   "eventName":"GetCapabilities",
   "eventSource":"Compartments",
   "eventType":"ServiceAPI",
   "eventTime":"2019-09-25T15:38:48.784Z",
   "principalId":"ocid1.user.oc1..aaaaaaaaabcdefghiklm6hh2fv4szofhnz62nkzdvtalajs3nzvrmcdxyza",
   "credentialId":"ST$ABCDEFGHIJKLM3dfb2MxXzIwMTktMDRABCDEFGHIJKLMOiJSUzI1NiJ9eyJzd-p-9SFwuT86c-M5QC8gDZfMJ6u2Wwuu6eb91U7J3xVZdxRIHiloz20wm3JoGww7Q0YwpwV4Zyrub0c0UrW_xyzKLJYBAADYLBD",
   "requestAction":"GET",
   "requestId":"34d8ed99-e62c-4425-96d3-118ea684/1232AD2DD02E066E005B4A35F8B931E8/17BB11E992A4D540996942C24175C3A1",
   "requestAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36",
   "requestHeaders":{ 
      "Origin":[ 
         "https://console.us-ashburn-1.oraclecloud.com"
      ],
      "Accept":[ 
         "*/*"
      ],
      "X-Forwarded-Proto":[ 
         "http"
      ],
      "X-Forwarded-Host":[ 
         "identity.us-phoenix-1.oraclecloud.com:80"
      ],
      "User-Agent":[ 
         "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36"
      ],
      "Referer":[ 
         "https://console.us-ashburn-1.oraclecloud.com/a/identity/users/ocid1.user.oc1..aaaaaaaabfABCDEFGHIJKLMN123456789nz62nkzdvtalajs3nzvrmcdqhvq"
      ],
      "Sec-Fetch-Site":[ 
         "same-site"
      ],
      "Accept-Encoding":[ 
         "gzip, deflate, br"
      ],
      "X-Forwarded-Port":[ 
         "80"
      ],
      "x-date":[ 
         "Wed, 25 Sep 2019 15:38:48 GMT"
      ],
      "Sec-Fetch-Mode":[ 
         "cors"
      ],
      "Authorization":[ 
         "Signature keyId=\"ST$eyJraWQiOiJhABNCDEFILUYADLBDUYDADjciLCJhbGciOiJIj.E-p-EE0FzMWBsv_sixzmzbxuasdKJFYKVBLjkPLzH-9SFwuT86c-M5QC8gDZfMJ6u2WwuuasdklhdanaABCDEFGHloz20wm3JoGww7Q0YwpwV4ajsfdkavkdgkbjdVVVVVVVaasdadw\",version=\"1\",algorithm=\"rsa-sha256\",headers=\"(request-target) host x-date\",signature=\"*****\""
      ],
      "Opc-Request-Id":[ 
         "34d8ed99-e62c-4425-96d3-118ea6844100"
      ],
      "X-Forwarded-For":[ 
         "192.0.2.19, 192.0.2.1"
      ],
      "Accept-Language":[ 
         "en-US,en;q=0.9,fr;q=0.8"
      ],
      "Opc-Client-Info":[ 
         "Oracle-HgConsole/0.0.1"
      ],
      "X-Real-IP":[ 
         "192.0.2.1"
      ],
      "oci-original-url":[ 
         "http://identity.us-phoenix-1.oraclecloud.com/20160918/compartments/ocid1.tenancy.oc1..aaaaaaaauj75yrhgABCJKFKALBSDYADTVKDA6e5c7nxlxjlcnAJDGDJAHGDA/capabilities"
      ]
   },
   "requestOrigin":"192.0.2.11",
   "requestResource":"/20160918/compartments/ocid1.tenancy.oc1..aaaaaaaauj7JAHGDVKADUGashgajssJHGJKDKVSJYTDSVKUDTKSYTSKbs6ca/capabilities",
   "responseHeaders":{ 
      "Access-Control-Expose-Headers":[ 
         "opc-previous-page,opc-next-page,opc-client-info,ETag,opc-total-items,opc-request-id,Location"
      ],
      "Cache-Control":[ 
         "no-cache, no-store, must-revalidate"
      ],
      "Access-Control-Allow-Origin":[ 
         "https://console.us-ashburn-1.oraclecloud.com"
      ],
      "Access-Control-Allow-Credentials":[ 
         "true"
      ],
      "Vary":[ 
         "Origin"
      ],
      "Pragma":[ 
         "no-cache"
      ],
      "opc-request-id":[ 
         "34d8ed99-e62c-4425-96d3-118ea684/1232ADABCJASHSDGAS234523234231E8/JADFVADTDATDAD40996942C24175C3A1"
      ],
      "Date":[ 
         "Wed, 25 Sep 2019 15:38:48 GMT"
      ],
      "Content-Type":[ 
         "application/json"
      ]
   },
   "responseStatus":"200",
   "responseTime":"2019-09-25T15:38:48.851Z",
   "responsePayload":{ 
      "resourceName":"logandev",
      "id":"ocid1.tenancy.oc1..aaaaaaaauj7RABCDEFGHxktbikwiqtywqdqbbbbbbaaaaaaaaanxo2hbs6ca"
   },
   "userName":"user100"
}

OCI Audit Log Format v2

Parser name: omc_oci_audit_logtype_v2

Example Content:

{
   "eventType":"com.oraclecloud.virtualNetwork.CreateVcn",
   "cloudEventsVersion":"0.1",
   "eventTypeVersion":"2.0",
   "source":"virtualNetwork",
   "eventId":"1fd6329b-6e11-40a5-bb48-b4db04cce956",
   "eventTime":"2019-12-08T03:08:53.799Z",
   "contentType":"application/json",
   "data":{
      "eventGroupingId":"csid0234d20c41bcafe8ae4426aa5e56/6c9d69d339e8464598b2d7",
      "eventName":"CreateVcn",
      "compartmentId":"ocid1.compartment.oc1..aaaaaaaa2bhu3kzsu5jhmsstbf4olwmd",
      "compartmentName":"storage",
      "availabilityDomain":"AD",
      "identity":{
         "principalName":"user1",
         "principalId":"ocid1.user.oc1..aaaaaaaa36xdrbtaqilj7zqdkfotn2u53kq5a",
         "authType":"natf",
         "tenantId":"ocid1.tenancy.oc1..aaaaaaaagkbzgg6lpzrf47xzy4rjoxg4de6n",
         "credentials":"ABCDEF0123456789",
         "userAgent":"Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Firefox/68.0",
         "consoleSessionId":"ABCDEF34d20c41bcafe8ae4426aa5e56",
         "ipAddress":"192.0.2.1"
      },
      "request":{
         "id":"39e8464598b2d76e3dc9f256/E60985C6435ECBF85AAAABBBCCCCD020",
         "path":"/20160918/vcns",
         "action":"POST",
         "parameters":{

         },
         "headers":{
            "Origin":[
               "https://compute.plugins.oci.dummy.com"
            ],
            "Accept":[
               "*/*"
            ],
            "User-Agent":[
               "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Firefox/68.0"
            ],
            "Referer":[
               "https://compute.plugins.oci.dummy.com/compute/instances/create"
            ],
            "Connection":[
               "keep-alive"
            ],
            "Accept-Encoding":[
               "gzip, deflate, br"
            ],
            "x-date":[
               "Sun, 08 Dec 2019 03:08:53 GMT"
            ],
            "Authorization":[
               "Signature keyId=\"ABCDEF0123456789-SZOT-By3-kG5Jgfbu2Zyw4Xq8va6TymkuoPw\",version=\"1\",headers=\"(request-target) host content-length content-type opc-request-id x-date\",signature=\"*****\""
            ],
            "Accept-Language":[
               "en-US,en;q=0.5"
            ],
            "Content-Length":[
               "231"
            ],
            "opc-request-id":[
               "ABCDEF0123456789339e8464598b2d76e3dc9f256"
            ],
            "Content-Type":[
               "application/json"
            ]
         }
      },
      "response":{
         "status":"404",
         "responseTime":"2019-12-08T03:08:53.799Z",
         "headers":{
            "Access-Control-Expose-Headers":[
               "opc-previous-page,opc-next-page,opc-client-info,ETag,opc-work-request-id,opc-total-items,opc-request-id,Location"
            ],
            "Access-Control-Allow-Origin":[
               "https://compute.plugins.oci.oraclecloud.com"
            ],
            "Access-Control-Allow-Credentials":[
               "true"
            ],
            "X-Content-Type-Options":[
               "nosniff"
            ],
            "Connection":[
               "keep-alive"
            ],
            "Content-Length":[
               "111"
            ],
            "opc-request-id":[
               "ABCDEF0123456789b2d76e3dc9f256/E60985C64112233333B2BA2CB7A8D020"
            ],
            "Date":[
               "Sun, 08 Dec 2019 03:08:53 GMT"
            ],
            "Content-Type":[
               "application/json"
            ]
         },
         "message":"CreateVcn failed with response 'NotAuthorizedOrNotFound'"
      },
      "stateChange":{
          "previous": "previous state",
          "current": "current state"
      },
      "additionalDetails":{
      },
      "internalDetails":{

      }
   }
}

OCI DevOps Log Format

Parser name: oci_devopslog_logtype

Example Content:

{
  "specversion": "1.0",
  "type": "com.oraclecloud.devops.deployment",
  "source": "Project name",
  "subject": "ocid1.instance.oc1.region.uniqueID",
  "id": "e3002eaa-d717-472e-8474-d024943a0f27",
  "time": "2020-10-18T21:02:40.58Z",
  "oracle": {
    "logid": "ocid1.log.oc1.region.uniqueID",
    "loggroupid": "ocid1.loggroup.oc1.region.uniqueID",
    "tenantid": "ocid1.tenant.oc1.region.uniqueID",
    "compartmentid": "ocid1.compartment.oc1.region.uniqueID",
    "ingestedtime": "2020-10-18T21:02:40.58Z"
  },
  "data": {
    "deploymentId": "ocid1.devopsdeployment.oc1.region.uniqueID",
    "deployPipelineId": "ocid1.devopsdeploypipeline.oc1.region.uniqueID",
    "deployStageId": "ocid1.devopsdeploystage.oc1.region.uniqueID",
    "message": "Manual Approval stage: Waiting for required approvals",
    "producer": "DEVOPS_SERVICE"
  }
}

OCI DevOps Build Log Format

Parser name: oci_devopsbuild_logtype

Example Content:

{
    "specversion": "1.0",
    "type": "com.oraclecloud.devops.build",
    "source": "project name",
    "subject": "ocid1.devopsbuildrun.oc1.region.uniqueID",
    "id": "27868e6f-b91d-4318-868e-6fb91d9318e9",
    "time": "2020-10-18T21:02:40.58Z",
    "oracle": {
        "logid": "ocid1.log.oc1.region.uniqueID",
        "loggroupid": "ocid1.loggroup.oc1.region.uniqueID",
        "tenantid": "ocid1.tenancy.oc1.uniqueID",
        "compartmentid": "ocid1.compartment.oc1.uniqueID",
        "ingestedtime": "2020-10-18T21:02:40.58Z"
    },
    "data": {
        "buildPipelineId": "ocid1.devopsbuildpipeline.oc1.region.uniqueID",
        "buildRunId": "ocid1.devopsbuildrun.oc1.region.uniqueID",
        "buildStageId": "ocid1.devopsbuildpipelinestage.oc1.region.uniqueID",
        "message": "Starting BUILD_SPEC_EXECUTION",
        "producer": "DEVOPS_SERVICE"
    }
}

OCI Email Delivery Log Format

Parser name: oci_emaildelivery_logtype

Example Content:

{
  "specversion": "1.0",
  "type": "com.oraclecloud.emaildelivery.emaildomain.outboundrelayed",
  "source": "example.com",
  "time": "2021-02-20T09:01:40.000Z",
  "id": "2eefd817-0a53-4be0-990c-224708aff337",
  "oracle": {
    "logid": "ocid1.log.oc1.region.uniqueID"
  },
  "data": {
    "action": "relay",
    "messageId": "12345",
    "sender": "support@example.com",
    "senderCompartmentId": "ocid1.compartment.oc1.region.uniqueID",
    "senderId": "ocid1.emailsender.oc1.region.uniqueID",
    "recipient": "user@example.com",
    "receivingDomain": "example.com",
    "sourceAddress": "192.0.2.10",
    "dkimSelector": "selector1",
    "messageSizeInKiB": 2,
    "recipientMailServer": "bmta.email.region.oraclecloud.com (198.51.100.1)",
    "internalProcessingDurationInMs": 20,
    "tlsCipher": "TLS_AES_128_GCM_SHA256",
    "sendingPoolName": "REGOCIVMTAs",
    "bounceCategory": "bad-mailbox",
    "bounceCode": "5.1.1",
    "reportGeneratedTime": "2021-02-24T22:50:22.123Z",
    "originalMessageAcceptedTime": "2021-02-23T22:50:22.123Z",
    "headers": {
      "X-Campaign-ID": "campaign1",
      "Recipient-Group-ID": "group1",
      "Sub-Account-ID": "account1"
    },
    "errorType": "Authorization failure",
    "smtpStatus": "550 5.1.1 unknown or illegal alias: 974-4710-b440-52e9e1a70cb8-user@example.com",
    "message": "Email approved Body From address: support@example.com is not authorized or not found"
  }
}

OCI Site-to-Site VPN Log Format

Parser name: oci_site2sitevpn_logtype

Example Content:

{
      "data":
      {
       "message":" \"2062988354_1\": terminating SAs using this connection",
       "tunnelId":"ocid1.ipsectunnel.oc1.region.uniqueID"
      },
      "id":"e3002eaa-d717-472e-8474-d024943a0f27",
      "oracle":
      {
        "compartmentid":"ocid1.compartment.oc1.region.uniqueID",
        "ingestedtime":"2021-02-18T18:22:01.453Z",
        "loggroupid":"ocid1.loggroup.oc1.region.uniqueID",
        "logid":"ocid1.log.oc1.region.uniqueID",
        "tenantid":"ocid1.tenancy.oc1.region..uniqueID"
      },
      "source":"ocid1.ipsecconnection.oc1.region.uniqueID",
      "specversion":"1.0",
      "time":"2021-02-18T18:21:52.024Z",
      "type":"com.oraclecloud.vpn.ipseclog.read"    
}

OCI WAF Log Format

Parser name: oci_waf_logtype

Example Content:

{
    "data": {
      "backendStatusCode": "200",
      "clientAddr": "192.0.2.150",
      "countryCode": "us",
      "host": "hostnamefoo",
      "listenerPort": "80",
      "request": {
        "httpVersion": "HTTP/1.1",
        "id": "685e4e2015eb0ebeea93123456789",
        "method": "GET",
        "path": "/?tst=KztAAU"
      },
      "requestAccessControl": {
        "matchedRules": "block_test_host_url"
      },
      "requestProtection": {
        "matchedData": "Matched Data: KztAAU found within ARGS:tst",
        "matchedIds": "944210_v001",
        "matchedRules": "Java_Code_Injection"
      },
      "response": {
        "code": "401",
        "size": "303"
      },
      "responseAccessControl": {
        "matchedRules": "1st_rule"
      },
      "responseProtection": {},
      "responseProvider": "requestProtection/Java_Code_Injection",
      "timestamp": "2021-09-29T15:52:47Z"
    },
    "id": "5c328018-f7d1-45ac-8d66-af0ad919bd85-waf-342734",
    "oracle": {
      "compartmentid": "ocid1.compartment.oc1.region.uniqueId",
      "ingestedtime": "2021-09-29T15:52:53.764Z",
      "loggroupid": "ocid1.loggroup.oc1.region.uniqueId",
      "logid": "ocid1.log.oc1.region.uniqueId",
      "resourceid": "ocid1.webappfirewall.oc1.region.uniqueId",
      "tenantid": "ocid1.tenancy.oc1.region.uniqueId"
    },
    "source": "lbwaf_source",
    "specversion": "1.0",
    "subject": "",
    "time": "2021-09-29T15:52:47.875Z",
    "type": "com.oraclecloud.loadbalancer.waf"
}

OCI Web Application Acceleration Log Format

Parser name: oci_waa_logtype

Example Content:

{
               "data":{
                  "request":{
                     "id":"727b8fabcc23662a8ad3754d4a3573f2"
                  },
                  "response":{
                     "code":"200",
                     "size":"73805"
                  },
                  "timestamp":"2023-08-14T05:40:24+00:00"
               },
               "id":"6cf12c5a-846f-4394-b882-861c5b698032-waa-192433",
               "oracle":{
                  "compartmentid":"ocid1.compartment.oc1.uniqueId",
                  "ingestedtime":"2023-08-14T05:40:33.086Z",
                  "loggroupid":"ocid1.loggroup.oc1.uniqueId",
                  "logid":"ocid1.log.oc1.uniqueId",
                  "resourceid":"ocid1.loadbalancer.oc1.uniqueId",
                  "tenantid":"ocid1.tenancy.oc1.uniqueId"
               },
               "source":"fortLB",
               "specversion":"1.0",
               "subject":"",
               "time":"2023-08-14T05:40:24.526Z",
               "type":"com.oraclecloud.loadbalancer.waa"
            }

OCI Integration Activity Stream Log Format

Parser name: oci_integration_actstream_logtype

Example Content:

{
    "data": {
      "actionName": "log2",
      "actionType": "Logger",
      "operationName": "execute",
      "endpointName": "helloWorld",
      "instanceId": "65202025",
      "executionTimeInMillis":"1",
      "integrationFlowIdentifier": "HELLO_WORLD!01.02.0000",
      "message": "Length of parameter is 4",
      "userId": "user@domain.com"
    },
    "id": "38c5cc58-f9f6-11eb-bee4-0200170046fa",
    "oracle": {
      "compartmentid": "ocid1.compartment.oc1.region.uniqueID",
      "ingestedtime": "2021-07-10T16:16:01.527Z",
      "loggroupid": "ocid1.loggroup.oc1.region.uniqueID",
      "logid": "ocid1.log.oc1.region.uniqueID",
      "tenantid": "ocid1.tenancy.oc1.region.uniqueID"
    },
    "source": "HelloWorld Integration Instance",
    "specversion": "1.0",
    "time": "2021-07-10T16:15:59.469Z",
    "type": "com.oraclecloud.integration.integrationinstance.activitystream"
  }

OCI Network Firewall Threat Log Format

Parser name: oci_network_firewall_threat_logtype

Example Content:

{
    "data": {
      "action": "alert",
      "device_name": "PA-VM",
      "direction": "server-to-client",
      "dst": "192.0.2.250",
      "dstloc": "192.0.2.1-192.0.2.254",
      "dstuser": "no-value",
      "firewall-id": "ocid1.networkfirewall.oc1.region.uniqueID",
      "proto": "udp",
      "receive_time": "2022/10/18 14:27:15",
      "rule": "AllowAll",
      "sessionid": "613924",
      "severity": "informational",
      "src": "203.0.113.1",
      "srcloc": "United States",
      "srcuser": "no-value",
      "subtype": "vulnerability",
      "thr_category": "protocol-anomaly",
      "threatid": "Non-RFC Compliant DNS Traffic on Port 53/5353"
    },
    "id": "ab991b1b-286a-4968-b1a2-77b31bf0fa12",
    "oracle": {
      "compartmentid": "ocid1.tenancy.oc1.region.uniqueID",
      "ingestedtime": "2022-10-18T14:27:37.295Z",
      "loggroupid": "ocid1.loggroup.oc1.region.uniqueID",
      "logid": "ocid1.log.oc1.region.uniqueID",
      "tenantid": "ocid1.tenancy.oc1.region.uniqueID"
    },
    "source": "ocid1.networkfirewall.oc1.region.uniqueID",
    "specversion": "1.0",
    "time": "2022-10-18T14:27:15.000Z",
    "type": "com.oraclecloud.networkfirewall.threat"
  }

OCI Network Firewall Traffic Log Format

Parser name: oci_network_firewall_traffic_logtype

Example Content:

{
  "data": {
    "action": "allow",
    "bytes": "588",
    "bytes_received": "0",
    "bytes_sent": "588",
    "chunks": "0",
    "chunks_received": "0",
    "chunks_sent": "0",
    "config_ver": "2561",
    "device_name": "PA-VM",
    "dport": "0",
    "dst": "192.0.2.2",
    "dstloc": "India",
    "firewall-id": "ocid1.networkfirewall.oc1.region.uniqueID",
    "packets": "6",
    "pkts_received": "0",
    "pkts_sent": "6",
    "proto": "icmp",
    "receive_time": "2022/08/27 08:00:52",
    "rule": "AllowAll",
    "rule_uuid": "ce6bc5b0-3ea8-4592-85f6-b470c4702e1f",
    "serial": "192743405F7D70D",
    "sessionid": "32114",
    "sport": "0",
    "src": "198.51.100.10",
    "srcloc": "198.51.100.1-198.51.100.254",
    "time_received": "2022/08/27 08:00:52"
  },
  "id": "5e905ffe-a528-420d-a9df-7b1b2c221cdf",
  "oracle": {
    "compartmentid": "ocid1.tenancy.oc1.region.uniqueID",
    "ingestedtime": "2022-08-27T08:00:56.004Z",
    "loggroupid": "ocid1.loggroup.oc1.region.uniqueID",
    "logid": "ocid1.log.oc1.region.uniqueID",
    "tenantid": "ocid1.tenancy.oc1.region.uniqueID"
  },
  "source": "ocid1.networkfirewall.oc1.region.uniqueID",
  "specversion": "1.0",
  "time": "2022-08-27T08:00:52.000Z",
  "type": "com.oraclecloud.networkfirewall.traffic"
}