OCI Parser Details
Following are the Oracle-defined parsers available in Oracle Logging Analytics to process the logs collected from Oracle Cloud Infrastructure services:
OCI Web Application Acceleration Log Format
Parser name: oci_waa_logtype
Example Content:
{
"data":{
"request":{
"id":"727b8fabcc23662a8ad3754d4a3573f2"
},
"response":{
"code":"200",
"size":"73805"
},
"timestamp":"2023-08-14T05:40:24+00:00"
},
"id":"6cf12c5a-846f-4394-b882-861c5b698032-waa-192433",
"oracle":{
"compartmentid":"ocid1.compartment.oc1.uniqueId",
"ingestedtime":"2023-08-14T05:40:33.086Z",
"loggroupid":"ocid1.loggroup.oc1.uniqueId",
"logid":"ocid1.log.oc1.uniqueId",
"resourceid":"ocid1.loadbalancer.oc1.uniqueId",
"tenantid":"ocid1.tenancy.oc1.uniqueId"
},
"source":"fortLB",
"specversion":"1.0",
"subject":"",
"time":"2023-08-14T05:40:24.526Z",
"type":"com.oraclecloud.loadbalancer.waa"
}
OKE Control Plane Log Format
Parser name: oci_oke_controlplane_logtype
Example Content:
{
"data": {
"level": "info",
"msg": "\"Event occurred\" object=\"oci-onm/oci-onm-discovery\" fieldPath=\"\" kind=\"CronJob\" apiVersion=\"batch/v1\" type=\"Normal\" reason=\"SuccessfulDelete\" message=\"Deleted job oci-onm-discovery-28283395\"",
"source": "event.go:294"
},
"id": "uniqueId",
"oracle": {
"compartmentid": "ocid1.compartment.oc1.uniqueId",
"ingestedtime": "2023-10-11T06:11:01.153Z",
"loggroupid": "ocid1.loggroup.oc1.uniqueId",
"logid": "ocid1.log.oc1.uniqueId",
"tenantid": "ocid1.tenancy.oc1.uniqueId"
},
"source": "kube-controller-manager",
"specversion": "1.0",
"time": "2023-10-11T06:10:08.813Z",
"type": "com.oraclecloud.kubernetes.cluster.controlplane"
}
OCI Service Connector Hub Log Format
Parser name: oci_service_connector_hub_logtype
Example Content:
{
"data": {
"level": "INFO",
"message": "Run succeeded - Read 2 messages from source and wrote 2 messages to target",
"messageType": "CONNECTOR_RUN_COMPLETED"
},
"id": "f83205ef-0bef-47d0-b6b2-362afc4a2e9a",
"oracle": {
"compartmentid": "ocid1.compartment.uniqueId",
"ingestedtime": "2023-08-02T00:10:28.990Z",
"loggroupid": "ocid1.loggroup.uniqueId",
"logid": "ocid1.log.uniqueId",
"resourceid": "ocid1.serviceconnector.uniqueId",
"tenantid": "ocid1.tenancy.uniqueId"
},
"source": "connectorName",
"specversion": "1.0",
"time": "2023-08-02T00:10:26.859Z",
"type": "com.oraclecloud.sch.serviceconnector.runlog"
}
OCI GoldenGate Log Format
Parser name: oci_golden_gate_logtype
Example Content:
[{
"time": "2023-05-25T09:21:05.192Z",
"source": "ocid1.goldengatedeployment.uniqueId",
"id": "uniqueId",
"oracle": {
"compartmentid": "ocid1.compartment.uniqueId",
"logid": "ocid1.log.uniqueId"
},
"specversion": "1.0",
"type": "com.oraclecloud.goldengate.deployment.process_logs",
"data": {
"message": "CSRFTokenProtection: ENABLED.\nCross-Site Request Forgery checks using CSRF-Tokens will be performed.",
"level": "INFO",
"resourceId": "ocid1.goldengatedeployment.uniqueId",
"processName": "distsrvr"
}
},
{
"ts": "2023-05-25T09:21:05.192Z",
"source": "ocid1.goldengatedeployment.uniqueId",
"id": "uniqueId",
"oracle": {
"compartmentid": "ocid1.compartment.uniqueId",
"logid": "ocid1.log.uniqueId"
},
"specversion": "1.0",
"type": "com.oraclecloud.goldengate.deployment.process_logs",
"data": {
"message": "CSRFTokenProtection: ENABLED.\nCross-Site Request Forgery checks using CSRF-Tokens will be performed.",
"level": "INFO",
"resourceId": "ocid1.goldengatedeployment.uniqueId",
"processName": "distsrvr"
}
}]
OCI Data Flow Spark Diagnostic Log Format
Parser name: oci_data_flow_spark_diagnostics_logtype
Example Content:
{
"data": {
"logLevel": "INFO",
"message": "Execution complete.",
"opcRequestId": "unique_ID",
"runId": "ocid1.dataflowrun.realm.region.unique_ID",
"thread": "shaded.dataflow.oracle.dfcs.spark.wrapper.DataflowWrapper"
},
"id": "unique_ID",
"oracle": {
"compartmentid": "ocid1.tenancy.oc1.unique_ID",
"ingestedtime": "2023-06-23T20:20:06.974Z",
"loggroupid": "ocid1.loggroup.realm.region.unique_ID",
"logid": "ocid1.log.realm.region.unique_ID",
"tenantid": "ocid1.tenancy.realm.region.unique_ID"
},
"source": "Sample CSV Processing App",
"specversion": "1.0",
"subject": "spark-driver",
"time": "2023-06-23T20:20:02.245Z",
"type": "com.oraclecloud.dataflow.run.driver"
}
OCI Application Performance Monitoring Log Format
Parser name: oci_application_performance_monitoring_logtype
Example Content:
{
"data": {
"arrivaltime": "2023-03-14T15:21:27.010Z",
"content": "{\\\"major-version\\\": 1, \\\"minor-version\\\": 0, \\\"payload-creation-ts-millis\\\": 1678807286000, \\\"resource\\\": {\\\"attributes\\\": [{\\\"key\\\": \\\"Component\\\", \\\"value\\\": \\\"BROWSER\\\"}, {\\\"key\\\": \\\"ServiceName\\\", \\\"value\\\": \\\"myService\\\"}, {\\\"key\\\": \\\"ApmrumLanguage\\\", \\\"value\\\": \\\"en-US\\\"}, {\\\"key\\\": \\\"ApmrumWindowId\\\", \\\"value\\\": \\\"\\\"}, {\\\"key\\\": \\\"SessionId\\\", \\\"value\\\": \\\"session-my1678807286000-3311688\\\"}, {\\\"key\\\": \\\"UserName\\\", \\\"value\\\": \\\"meUser\\\"}]}, \\\"spans\\\": [{\\\"id\\\": \\\"my1678807286000-3311688-2929311\\\", \\\"trace-id\\\": \\\"my1678807286000-3311688\\\", \\\"name\\\": \\\"Page Load myPage\\\", \\\"ts-micros\\\": 1678807284900000, \\\"td-micros\\\": 820619, \\\"kind\\\": \\\"PRODUCER\\\", \\\"attributes\\\": {\\\"ApmrumType\\\": \\\"Page\\\", \\\"WebApplicationName\\\": \\\"myWebapp\\\", \\\"PageInitTime\\\": 870, \\\"PageFirstByteTime\\\": 412, \\\"PageDownloadTime\\\": 17, \\\"PageRenderTime\\\": 994, \\\"PageInteractiveTime\\\": 341, \\\"ApmrumPageUpdateType\\\": \\\"Page Load\\\", \\\"HttpUrl\\\": \\\"http://www.example.com/myIndex.html\\\", \\\"HttpUrlHost\\\": \\\"http://www.example.com\\\", \\\"HttpUrlPath\\\": \\\"/myIndex.html\\\", \\\"HttpStatusCode\\\": 200, \\\"Error\\\": false}, \\\"links\\\": []}, {\\\"id\\\": 5797336, \\\"trace-id\\\": \\\"my1678807286000-3311688\\\", \\\"parent-id\\\": \\\"my1678807286000-3311688-2929311\\\", \\\"name\\\": \\\"Page Load page-0\\\", \\\"ts-micros\\\": 1678807284900000, \\\"td-micros\\\": 990000, \\\"kind\\\": \\\"PRODUCER\\\", \\\"attributes\\\": {\\\"ApmrumType\\\": \\\"Page\\\", \\\"WebApplicationName\\\": \\\"myWebapp\\\", \\\"PageInitTime\\\": 110, \\\"PageFirstByteTime\\\": 304, \\\"PageDownloadTime\\\": 5, \\\"PageRenderTime\\\": 732, \\\"PageInteractiveTime\\\": 401, \\\"ApmrumPageUpdateType\\\": \\\"Page Load\\\", \\\"HttpUrl\\\": \\\"http://www.example.com/myIndex.html\\\", \\\"HttpUrlHost\\\": \\\"http://www.example.com\\\", \\\"HttpUrlPath\\\": \\\"/myIndex.html\\\", \\\"HttpStatusCode\\\": 200, \\\"Error\\\": false}, \\\"links\\\": []}]}",
"contentlength": "1616",
"dataformat": "apm",
"dataformatversion": "1",
"message": "The request is rejected due to throttling limits.",
"obstype": "public-span",
"rejectioncause": "PAYLOAD_THROTTLED"
},
"id": "unique_ID",
"oracle": {
"compartmentid": "ocid1.compartment.oc1.unique_ID",
"ingestedtime": "2023-03-14T15:21:35.427Z",
"loggroupid": "ocid1.loggroup.oc1.phx.unique_ID",
"logid": "ocid1.log.oc1.phx.unique_ID",
"tenantid": "ocid1.tenancy.oc1.unique_ID"
},
"source": "ocid1.apmdomain.oc1.phx.unique_ID",
"specversion": "1.0",
"time": "2023-03-14T15:21:27.324Z",
"type": "com.oraclecloud.apm.domain.dropped-data"
}
OCI Media Flow service Log Format
Parser name: oci_media_flow_service_logtype
Example Content:
{
"data": {
"mediaWorkflowId": "ocid1.mediaworkflow.oc1.iad.UniqueID",
"mediaWorkflowJobId": "ocid1.mediaworkflowjob.oc1.iad.UniqueID",
"message": "Job execution SUCCEEDED",
"taskKey": "move",
"taskType": "getFiles"
},
"id": "e60adf8e-48be-4adc-83f4-315768905600",
"oracle": {
"compartmentid": "ocid1.compartment.oc1..UniqueID",
"ingestedtime": "2023-03-07T07:16:39.975Z",
"loggroupid": "ocid1.loggroup.oc1.iad.UniqueID",
"logid": "ocid1.log.oc1.iad.UniqueID",
"tenantid": "ocid1.tenancy.oc1..UniqueID"
},
"source": "ocid1.mediaworkflow.oc1.iad.UniqueID",
"specversion": "1.0",
"time": "2023-03-07T07:16:37.460Z",
"type": "com.oraclecloud.mediaservice.mediaworkflowjob.execution"
}
Oracle Operator Access Control Log Format
Parser name: oracle_operator_access_control_logtype
Example Content:
{
"data": {
"accessRequestId": "ocid1.opctlaccessrequest.oc1.ap-region.uniqueId",
"message": "type=PROCTITLE msg=audit(09/08/2021 09:01:24.335:34495595) : proctitle=ps -ef",
"status": "",
"systemOcid": "ocid1.exadatainfrastructure.oc1.region.uniqueId",
"target": "",
"timestamp": "2021-09-08T09:01:24.000Z"
},
"id": "b3b102aa-daee-4861-8e2c-123456789123",
"oracle": {
"compartmentid": "ocid1.tenancy.oc1.uniqueId",
"ingestedtime": "2021-09-08T16:02:26.182Z",
"loggroupid": "ocid1.loggroup.oc1.region.uniqueId",
"logid": "ocid1.log.oc1.region.uniqueId",
"tenantid": "ocid1.tenancy.oc1.uniqueId"
},
"source": "OperatorAccessControl",
"specversion": "1.0",
"time": "2021-09-08T16:01:52.989Z",
"type": "com.oraclecloud.opctl.audit"
}
OCI Load Balancer Access Log Format
Parser name: oci_loadbalancer_access_logtype
Example Content:
{
"data": {
"timestamp": "2020-09-28T17:10:39+00:00",
"clientAddr": "192.0.2.1:3427",
"host": "LB_VirtualAddress",
"backendAddr": "192.0.2.100:24443",
"requestProcessingTime": "0.003",
"backendConnectTime": "0.001",
"lbStatusCode": "200",
"receivedBytes": 100,
"sentBytes": 300,
"request": "GET /foo/abc",
"sslCipher": "ECDHE-RSA-AES256-GCM-SHA384",
"sslProtocol": "TLSv1.2",
"userAgent": "curl/7.29.0"
},
"id": "adbd63f2-0da7-4d9f-818b-308ee6-a-1849",
"oracle": {
"compartmentid": "ocid1.compartment.oc1..aaaaaaaaenufxomt",
"ingestedtime": "2020-09-28T17:10:47.369Z",
"loggroupid": "ocid1.loggroup.oc1.iad.amaaaaaamdyb6aia4c",
"logid": "ocid1.log.oc1.iad.amaaaaaamdyb6aiaqgflbcvgcfc",
"tenantid": "ocid1.tenancy.oc1..aaaaaaaau6w4ohcbz7otxxy"
},
"source": "logan-data-ingest-api-lb",
"specversion": "1.0",
"subject": "subject",
"time": "2020-09-28T17:10:39.266Z",
"type": "com.oraclecloud.loadbalancer.access"
}
OCI Load Balancer Error Log Format
Parser name: oci_loadbalancer_error_logtype
Example Content:
{
"data": {
"errorLog": {
"type": "healthChecker",
"errorDetails": {
"healthStatus": "Healthy to Unhealthy",
"backendSetName": "newtest",
"backend": "192.0.2.10:80",
"details": {
"date": 1596583722793,
"failures": 3,
"successes": 0,
"skips": 0,
"message": {
"statusCode": 200,
"expectedRegex": "^notexist$",
"msg": "response match result: failed",
"base641kData": "CjwhRE9DVFAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBUwgMS4wIFRyYW5zaXRpb25hb++Q+CiAgICA8c3R5bGUgdHlwZT0i"
}
}
}
},
"timestamp": "2020-08-04T23:28:52+00:00"
},
"id": "7b06a283-140b-4870-8cda--e-0",
"oracle": {
"compartmentid": "ocid1.compartment.oc1..aaaaaaaaenufx",
"ingestedtime": "2020-10-07T06:02:40.433Z",
"loggroupid": "ocid1.loggroup.oc1.iad.amaaaaaamdyb6a",
"logid": "ocid1.log.oc1.iad.amaaaaaamdyb6aiadglsu6l",
"tenantid": "ocid1.tenancy.oc1..aaaaaaaau6w4ohcbz7o"
},
"source": "logan-scheduled-search-lb",
"specversion": "1.0",
"subject": "",
"time": "2020-10-07T06:02:34.564Z",
"type": "com.oraclecloud.loadbalancer.error"
}
OCI Function Log Format
Parser name: oci_function_logtype
Example Content:
{
"data": {
"applicationId": "ocid1.fnapp.oc1.region-1.abcdefg",
"containerId": "01EMNSA3300000000000000502",
"functionId": "ocid1.fnfunc.oci1.region-1.1112233abcdef",
"message": "2020-10-15 11:11:35,568 - root - INFO - Headers: {\"host\": [\"localhost\", \"abcdefg.apigateway.region-1.test\"], \"user-agent\": [\"lua-resty-http/0.14 (Lua) ngx_lua/10015\", \"curl/7.29.0\"], \"transfer-encoding\": \"chunked\", \"content-type\": [\"application/octet-stream\", \"application/octet-stream\"], \"date\": \"Thu, 15 Oct 2020 11:11:35 GMT\", \"fn-call-id\": \"01EMNZAH461BT0H4GZJ000VNEQ\", \"fn-deadline\": \"2020-10-15T11:12:05Z\", \"accept\": \"*/*\", \"cdn-loop\": \"v3pC1JgjsYAdqr6Qp6ZcMg\", \"forwarded\": \"for=192.168.0.21\", \"x-forwarded-for\": \"192.168.0.21\", \"x-myheader1\": \"headerValue\", \"x-real-ip\": \"192.168.0.21\", \"fn-http-method\": \"GET\", \"fn-http-request-url\": \"/V2/display-httprequest-info\", \"fn-intent\": \"httprequest\", \"fn-invoke-type\": \"sync\", \"oci-subject-id\": \"ocid1.apigateway.oc1.region-1.abcdef\", \"oci-subject-tenancy-id\": \"ocid1.tenancy.oc1..abcdef1234\", \"oci-subject-type\": \"resource\", \"opc-request-id\": \"/ABCDEF1122F08CD72BCDF9568DA7CC8B/01EMNZAH451BT0H4GZJ000VNEP\", \"x-content-sha256\": \"47DEQpj8HBSa+/TImW+123009abc=\", \"accept-encoding\": \"gzip\"}",
"requestId": "/ABCDEF1122F08CD72BCDF9568DA7CC8B/01EMNZAH451BT0H4GZJ000VNEP",
"src": "STDERR"
},
"id": "ceae7406-f7ba-43c4-ac12-1234",
"oracle": {
"compartmentid": "ocid1.compartment.oc1..12345abcdef",
"ingestedtime": "2020-10-15T11:11:35.802Z",
"loggroupid": "ocid1.loggroup.oci1.region-1.22222abcdef",
"logid": "ocid1.log.oci1.region-1.12345abcdef",
"tenantid": "ocid1.tenancy.oc1..abcdef1234"
},
"source": "HTTP-REQUEST",
"specversion": "1.0",
"subject": "http-request",
"time": "2020-10-15T11:11:35.000Z",
"type": "function message type"
}
OCI Events Log Format
Parser name: oci_events_logtype
Example Content:
{
"data": {
"eventId": "0d06215a-e51b-3616-93c6-123456789abc",
"message": "Event delivered successfully",
"ruleId": "ocid1.eventrule.oc1.abc.abcdef12345678901234567891234567812345678",
"target": "ocid1.stream.oc1.def.abcdef12345678901234567891234567812345698"
},
"id": "9c3cb4e7-e664-4bc7-a7c7-111223344",
"oracle": {
"compartmentid": "ocid1.compartment.abc.1111111111111111111111111111111111122222222222",
"ingestedtime": "2020-09-22T03:03:04.749Z",
"loggroupid": "ocid1.loggroup.oc1.iad.abcdef12345678901234567891234567812345677",
"logid": "ocid1.log.oc1.ghi.abcdef12345678901234567891234567812345678",
"tenantid": "ocid1.tenancy.oc1..aaaaaabcdef12345678901234567891234567812345666"
},
"source": "Stream Create Object events from log bucket to log stream",
"specversion": "1.0",
"time": "2020-09-22T03:02:54.000Z",
"type": "com.oraclecloud.eventsservice.eventrule.ruleexecutionlog"
}
OCI Object Storage Access Log Format
Parser name: oci_objectstorage_access_logtype
Example Content:
{
"data": {
"apiType": "native",
"authenticationType": "instance",
"bucketCreator": "Unknown",
"bucketId": "ocid1.bucket.oc1.abc.abcdef123456789",
"bucketName": "log",
"clientIpAddress": "192.0.2.1",
"compartmentId": "ocid1.compartment.oc1..abcdefg1234568888",
"compartmentName": "compartment_name",
"credentials": "abcdef123456789abcdef",
"eTag": "45385429-904b-4db1-866e-123",
"endTime": "2020-09-29T20:02:31.811Z",
"isPar": false,
"message": "Object retrieved.",
"namespaceName": "namespace_value",
"objectName": "object_name",
"opcRequestId": "iad-1:x-uGtXG5Wdk3abc",
"principalId": "ocid1.instance.oc1.12345",
"principalName": "UnknownPrincipal",
"region": "us-region-1",
"requestAction": "GET",
"requestResourcePath": "/n/namespace_value/b/log/o/object_name",
"startTime": "2020-09-29T20:02:31.787Z",
"statusCode": 200,
"tenantId": "ocid1.tenancy.oc1..6w4ohcbz7otxxy6kd",
"tenantName": "loganprod",
"userAgent": "Oracle-JavaSDK/1.19.3 (Linux/4.14.35-1902.305.4.el7uek.x86_64; Java/1.8.0_251; Java HotSpot(TM) 64-Bit GraalVM EE 19.3.2/25.251-b08-jvmci-20.1-b02-dev)",
"vcnId": "477016"
},
"id": "20919d7c-2d6d-401a-9858-123",
"oracle": {
"compartmentid": "ocid1.compartment.oc1..lxenat5opur",
"ingestedtime": "2020-09-29T20:02:37.678Z",
"loggroupid": "ocid1.loggroup.oc1.gmsmd5c7qmebnsyx7dm",
"logid": "ocid1.log.oc1.iz6lu3innhmdyb6aiamaaaaa",
"tenantid": "ocid1.tenancy.oc1..1234"
},
"source": "log",
"specversion": "1.0",
"subject": "subject value",
"time": "2020-09-29T20:02:31.811Z",
"type": "com.oraclecloud.objectstorage.getobject"
}
OCI API Gateway Access Log Format
Parser name: oci_api_gw_access_logtype
Example Content:
{
"data": {
"bodyBytesSent": 22,
"gatewayId": "ocid1.apigateway.oc1.region-1-ocidddddddd",
"httpUserAgent": "curl/7.29.0",
"message": "GET /V1/weather HTTP/1.1",
"opcRequestId": "/12345B88C07D061F8221193082B12345/12345801AEDEEF3BE80938595EEABCDE",
"remoteAddr": "192.0.2.1",
"requestDuration": 0.161,
"requestMethod": "GET",
"requestUri": "/V1/weather",
"serverProtocol": "HTTP/1.1",
"status": 200
},
"id": "571aab5c-f9a9-11ea-a9a1-ABC1234",
"oracle": {
"compartmentid": "ocid1.compartment.oc1..ABC1234OCID",
"ingestedtime": "2020-09-18T12:21:29.526Z",
"loggroupid": "ocid1.loggroup.oc1.region-1.12345ABC1234OCID",
"logid": "ocid1.log.oc1.region-1.AAAABBBB",
"tenantid": "ocid1.tenancy.oc1..AAA11223344"
},
"source": "Weather",
"specversion": "1.0",
"time": "2020-09-18T12:20:29.000Z",
"type": "com.oraclecloud.apigateway.apideployment.access"
}
OCI API Gateway Execution Log Format
Parser name: oci_api_gw_exec_logtype
Example Content:
{
"data": {
"code": "httpBackend.requestSent",
"functionId":"ocid1.fnfunc.oc1.region-1.123456",
"gatewayId": "ocid1.apigateway.oc1.region-1.AAA11223355",
"level": "INFO",
"message": "Sending request to upstream",
"opcRequestId": "/0431C52F31E68CE19AD638AAE1B05854/F6D390655FD11520B8566BF5046284CE"
},
"id": "cb851077-f9a8-11ea-a9a1-ABC1234",
"oracle": {
"compartmentid": "ocid1.compartment.oc1..ABC1234OCID",
"ingestedtime": "2020-09-18T12:17:28.699Z",
"loggroupid": "ocid1.loggroup.oc1.region-1.12345ABC1234OCID",
"logid": "ocid1.log.oc1.region-1.AAA11223356",
"tenantid": "ocid1.tenancy.oc1..AAA11223344"
},
"source": "Weather",
"specversion": "1.0",
"time": "2020-09-18T12:16:35.000Z",
"type": "com.oraclecloud.apigateway.apideployment.execution"
}
OCI Unified Schema Log Format
Parser name: oci_unifiedschema_logtype
Example Content:
{
"data": {
},
"id": "571aab5c-f9a9-11ea-a9a1-ABC1234",
"oracle": {
"compartmentid": "ocid1.compartment.oc1..ABC1234OCID",
"ingestedtime": "2020-09-18T12:21:29.526Z",
"loggroupid": "ocid1.loggroup.oc1.region-1.12345ABC1234OCID",
"logid": "ocid1.log.oc1.region-1.AAAABBBB",
"tenantid": "ocid1.tenancy.oc1..AAA11223344"
},
"source": "message source",
"specversion": "1.0",
"time": "2020-09-18T12:20:29.000Z",
"type": "message type"
}
OCI VCN Flow Unified Schema Format
Parser name: oci_vcn_flow_unifmt_logtype
Example Content:
{
"data": {
"action": "ACCEPT",
"bytesOut": 4843,
"destinationAddress": "192.0.2.11",
"destinationPort": 443,
"endTime": 1601204026,
"flowid": "27f8550a",
"packets": 15,
"protocol": 6,
"protocolName": "TCP",
"sourceAddress": "192.0.2.1",
"sourcePort": 46660,
"startTime": 1601204026,
"status": "OK",
"version": "2"
},
"id": "409971d6",
"oracle": {
"compartmentid": "ocid1.compartment.oc1..aaaaaaaaenufxomtrgajc",
"ingestedtime": "2020-09-27T10:54:41.449Z",
"loggroupid": "ocid1.loggroup.oc1.iad.amaaaaaamdyb6aia4clhgcw",
"logid": "ocid1.log.oc1.iad.amaaaaaamdyb6aiaon3xwya2hcrsdnn",
"tenantid": "ocid1.tenancy.oc1..aaaaaaaau6w4ohcbz7otxxy6kdtk",
"vniccompartmentocid": "ocid1.compartment.oc1..aaaaaaaaywgrjl",
"vnicocid": "ocid1.vnic.oc1.iad.abuwcljtw",
"vnicsubnetocid": "ocid1.subnet.oc1.iad.aaaaaaaaz"
},
"source": "ocid1.subnet.oc1.iad.aaaaaaaaz",
"specversion": "1.0",
"subject": "ocid1.vnic.oc1.iad.abuwcljtw",
"time": "2020-09-27T10:53:46.000Z",
"type": "com.oraclecloud.vcn.flowlogs.DataEvent"
}
OCI Audit Unified Schema Format
Parser name: oci_audit_unifmt_logtype
Example Content:
{
"data": {
"additionalDetails": {
"X-Real-Port": 60760
},
"availabilityDomain": "AD1",
"compartmentId": "ocid1.tenancy.uniqueId",
"compartmentName": "emdemo",
"definedTags": null,
"eventGroupingId": "eventGroupingId",
"eventName": "ParseQuery",
"freeformTags": null,
"identity": {
"authType": "fed",
"callerId": null,
"callerName": null,
"consoleSessionId": "consoleSessionId",
"credentials": "***",
"ipAddress": "203.0.113.1",
"principalId": "ocid1.saml2idp.uniqueId",
"principalName": "principalName",
"tenantId": "ocid1.tenancy.uniqueId",
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36"
},
"message": "ParseQuery succeeded",
"request": {
"action": "POST",
"headers": {
"Accept": [
"*/*"
],
"Accept-Encoding": [
"gzip, deflate, br"
],
"Accept-Language": [
"en"
],
"Authorization": [
"Signature ***"
],
"Connection": [
"keep-alive"
],
"Content-Length": [
"273"
],
"Content-Type": [
"application/json"
],
"Origin": [
"https://cloud.oracle.com"
],
"Referer": [
"https://cloud.oracle.com/"
],
"Sec-Fetch-Dest": [
"empty"
],
"Sec-Fetch-Mode": [
"cors"
],
"Sec-Fetch-Site": [
"cross-site"
],
"User-Agent": [
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36"
],
"opc-request-id": [
"opc-request-id"
],
"sec-ch-ua": [
"\"Not.A/Brand\";v=\"8\", \"Chromium\";v=\"114\", \"Google Chrome\";v=\"114\""
],
"sec-ch-ua-mobile": [
"?0"
],
"sec-ch-ua-platform": [
"\"macOS\""
],
"x-content-sha256": [
"sha256"
],
"x-date": [
"Fri, 23 Jun 2023 03:25:56 GMT"
]
},
"id": "id",
"parameters": {},
"path": "/20200601/namespaces/resource/search/actions/parse"
},
"resourceId": "resource",
"response": {
"headers": {
"Access-Control-Allow-Credentials": [
"true"
],
"Access-Control-Allow-Origin": [
"https://cloud.oracle.com"
],
"Access-Control-Expose-Headers": [
"opc-previous-page,opc-next-page,opc-client-info,ETag,opc-total-items,opc-request-id,Location"
],
"Content-Length": [
"2407"
],
"Content-Type": [
"application/json"
],
"Date": [
"Fri, 23 Jun 2023 03:25:57 GMT"
],
"Timing-Allow-Origin": [
"https://cloud.oracle.com"
],
"Vary": [
"Origin"
],
"X-Content-Type-Options": [
"nosniff"
],
"X-Frame-Options": [
"SAMEORIGIN"
],
"opc-request-id": [
"opc-request-id"
]
},
"message": null,
"payload": {},
"responseTime": "2023-06-23T03:25:57.342Z",
"status": "200"
},
"stateChange": {
"current": {
"columns": [
{
"displayName": "Log Source",
"internalName": "msrcid",
"isCaseSensitive": false,
"isEvaluable": true,
"isGroupable": true,
"isListOfValues": true,
"isMultiValued": false,
"subSystem": "LOG",
"type": "COLUMN",
"valueType": "STRING"
},
{
"displayName": "Type",
"internalName": "type",
"isCaseSensitive": false,
"isEvaluable": true,
"isGroupable": true,
"isListOfValues": false,
"isMultiValued": false,
"subSystem": "LOG",
"type": "COLUMN",
"valueType": "STRING"
}
],
"commands": [
{
"category": "FILTER",
"displayQueryString": "'Log Source' = 'OCI Audit Logs' and Type like '%logginganalytics%' and Type = com.oraclecloud.logginganalytics.query",
"internalQueryString": "log.msrcid = omc_ociAuditLogSource and log.type like '%logginganalytics%' and log.type = com.oraclecloud.logginganalytics.query",
"isHidden": false,
"name": "SEARCH",
"referencedFields": [
{
"displayName": "Log Source",
"internalName": "msrcid",
"isGroupable": true,
"name": "FIELD",
"originalDisplayNames": [
"Log Source"
],
"valueType": "STRING"
},
{
"displayName": "Type",
"internalName": "type",
"isGroupable": true,
"name": "FIELD",
"originalDisplayNames": [
"Type"
],
"valueType": "STRING"
}
],
"subQueries": []
},
{
"category": "FILTER",
"displayQueryString": "clusterdetails collection = 'dummyId' on h[1:0],u[dummyId2]",
"internalQueryString": "clusterdetails collection = 'dummyId' on h[1:0],u[dummyId2]",
"isHidden": false,
"name": "CLUSTER_DETAILS"
}
],
"displayQueryString": "'Log Source' = 'OCI Audit Logs' and Type like '%logginganalytics%' and Type = com.oraclecloud.logginganalytics.query | clusterdetails collection = 'dummyId' on h[1:0],u[dummyId2]",
"internalQueryString": "log.msrcid = omc_ociAuditLogSource and log.type like '%logginganalytics%' and log.type = com.oraclecloud.logginganalytics.query | clusterdetails collection = 'dummyId' on h[1:0],u[dummyId2]",
"responseTimeInMs": 1
},
"previous": {}
}
},
"dataschema": "2.0",
"id": "id",
"oracle": {
"compartmentid": "ocid1.tenancy.uniqueId",
"ingestedtime": "2023-06-23T03:26:02.913Z",
"loggroupid": "_Audit",
"tenantid": "ocid1.tenancy.uniqueId"
},
"source": "",
"specversion": "1.0",
"time": "2023-06-23T03:25:57.342Z",
"type": "com.oraclecloud.LoggingAnalytics.ParseQuery"
}
{
"data": {
"additionalDetails": null,
"availabilityDomain": "AD3",
"compartmentId": "ocid1.tenancy.oc1..aaaaaaaaa",
"compartmentName": "ociateam",
"definedTags": null,
"eventGroupingId": null,
"eventName": "ListCompartments",
"freeformTags": null,
"identity": {
"authType": "natv",
"callerId": "loganalytics/C5C0E55526E263A3F9111111111111",
"callerName": "loganalytics",
"consoleSessionId": null,
"credentials": "***",
"ipAddress": "192.0.2.1,198.51.100.1",
"principalId": "ocid1.user.oc1..aaaaaaaaea",
"principalName": "Admin User",
"tenantId": "ocid1.tenancy.oc1..aaaaaaaaa",
"userAgent": "Oracle-JavaSDK/2.66.0 (Linux/4.14.35-2047.529.3.2.el7uek.x86_64; Java/17.0.8; Java HotSpot(TM) 64-Bit Server VM/17.0.8+9-LTS-jvmci-21.3-b32)"
},
"message": "ListCompartments succeeded",
"request": {
"action": "GET",
"headers": {
"Accept": [
"application/json"
],
"Connection": [
"keep-alive"
],
"Date": [
"Thu, 26 Oct 2023 20:57:00 GMT"
],
"User-Agent": [
"Oracle-JavaSDK/2.66.0 (Linux/4.14.35-2047.529.3.2.el7uek.x86_64; Java/17.0.8; Java HotSpot(TM) 64-Bit Server VM/17.0.8+9-LTS-jvmci-21.3-b32)"
],
"X-Forwarded-For": [
"192.0.2.254,198.51.100.254"
],
"X-OCI-LB-NetworkMetadata": [
"{\"originalConnection\":{\"sourceIp\":\"192.0.2.84\",\"sourcePort\":57470,\"destinationIp\":\"192.0.2.12\",\"destinationPort\":443,\"protocol\":\"https\"},\"paResourceConnection\":{\"sourceIp\":\"192.0.2.19\",\"sourcePort\":57470,\"destinationIp\":\"192.0.2.12\",\"destinationPort\":443},\"paResource\":{\"ocid\":\"\",\"vcnOcid\":\"ocid1.vcn.oc1.iad.aaaaaaamdyb6aq\"}}"
],
"X-OCI-LB-PrivateAccessMetadata": [
"eyJvcmlnaW5hbENvbm5lAAAAAAAAAAAAAAAAAAAAAA="
],
"X-Real-IP": [
"203.0.113.84"
],
"X-Real-Port": [
"57470"
],
"oci-original-host": [
"identity.us-ashburn-1.oci.oraclecloud.com"
],
"oci-original-url": [
"https://identity.us-ashburn-1.oci.oraclecloud.com/20160918/compartments"
],
"oci-splat-audited": [
"true"
],
"oci-splat-service-operation-id": [
"compartments.ListCompartments"
],
"opc-client-info": [
"Oracle-JavaSDK/2.66.0"
],
"opc-obo-principal": [
"{\"tenantId\":\"ocid1.tenancy.oc1..aaaaaaaaa\",\"subjectId\":\"ocid1.user.oc1..aaaaaaaaea\",\"claims\":[{\"key\":\"pstype\",\"value\":\"natv\",\"issuer\":\"authService.oracle.com\"},{\"key\":\"chain\",\"value\":\"\",\"issuer\":\"authService.oracle.com\"},{\"key\":\"tgt\",\"value\":\"ocid1.tenancy.oc1..aaaaaaaaa\",\"issuer\":\"authService.oracle.com\"},{\"key\":\"tgts\",\"value\":\"[\\\"ocid1.tenancy.oc1..aaaaaaaaa\\\"]\",\"issuer\":\"authService.oracle.com\"},{\"key\":\"name-chain\",\"value\":\"\",\"issuer\":\"authService.oracle.com\"},{\"key\":\"mfa_verified\",\"value\":\"true\",\"issuer\":\"authService.oracle.com\"},{\"key\":\"ptype\",\"value\":\"user\",\"issuer\":\"authService.oracle.com\"},{\"key\":\"ttype\",\"value\":\"obo\",\"issuer\":\"authService.oracle.com\"},{\"key\":\"tgt_name\",\"value\":\"identity\",\"issuer\":\"authService.oracle.com\"},{\"key\":\"own\",\"value\":\"ocid1.tenancy.oc1..aaaaaaaaa\",\"issuer\":\"authService.oracle.com\"},{\"key\":\"tgt_names\",\"value\":\"[\\\"identity\\\"]\",\"issuer\":\"authService.oracle.com\"}]}"
],
"opc-principal": [
"{\"tenantId\":\"ocid1.tenancy.oc1..aaaaaaaaa\",\"subjectId\":\"loganalytics/C5C0E55526AAAA\",\"claims\":[{\"key\":\"opc-instance\",\"value\":\"ocid1.instance.oc1.iad.aaaaaaaa\",\"issuer\":\"authService.oracle.com\"},{\"key\":\"h_date\",\"value\":\"Thu, 26 Oct 2023 20:57:00 GMT\",\"issuer\":\"h\"},{\"key\":\"h_host\",\"value\":\"identity.us-ashburn-1.oci.oraclecloud.com\",\"issuer\":\"h\"},{\"key\":\"svcHostingTenantId\",\"value\":\"ocid1.tenancy.oc1..aaaaaaaaa\",\"issuer\":\"authService.oracle.com\"},{\"key\":\"ttype\",\"value\":\"x509\",\"issuer\":\"authService.oracle.com\"},{\"key\":\"ptype\",\"value\":\"service\",\"issuer\":\"authService.oracle.com\"},{\"key\":\"h_opc-obo-token\",\"value\":\"DUMMY\",\"issuer\":\"h\"},{\"key\":\"authorization\",\"value\":\"Signature ***\",keyId=\\\"DUMMY\\\",algorithm=\\\"rsa-sha256\\\",signature=\\\"*****\\\",version=\\\"1\\\"\",\"issuer\":\"h\"},{\"key\":\"svc\",\"value\":\"loganalytics\",\"issuer\":\"authService.oracle.com\"},{\"key\":\"is_svc\",\"value\":\"true\",\"issuer\":\"authService.oracle.com\"},{\"key\":\"opc-tenant\",\"value\":\"ocid1.tenancy.oc1..aaaaaaaaa\",\"issuer\":\"authService.oracle.com\"},{\"key\":\"opc-compartment\",\"value\":\"ocid1.compartment.oc1..aaaaaaaa\",\"issuer\":\"authService.oracle.com\"},{\"key\":\"h_(request-target)\",\"value\":\"get /20160918/compartments?compartmentId=ocid1.tenancy.oc1..aaaaaaaaa;page=AFUWCLJTAAAAAAAA&limit=1000&accessLevel=ACCESSIBLE&compartmentIdInSubtree=true\",\"issuer\":\"h\"},{\"key\":\"opc-certtype\",\"value\":\"instance\",\"issuer\":\"authService.oracle.com\"},{\"key\":\"fprint\",\"value\":\"C5:C0:77\",\"issuer\":\"authService.oracle.com\"}]}"
],
"opc-request-id": [
"74298AAAAAAAAAAAAAAA"
]
},
"id": "74298AAAAAAAAAAAAAAAAA",
"parameters": {
"accessLevel": [
"ACCESSIBLE"
],
"compartmentId": [
"ocid1.tenancy.oc1..aaaaaaaaa"
],
"compartmentIdInSubtree": [
"true"
],
"limit": [
"1"
],
"page": [
"AAAAAAAAAAJleUpyYVdRaU9pSXpOek13SWtiMzJVR0E="
]
},
"path": "/20160918/compartments"
},
"resourceId": null,
"response": {
"headers": {
"Cache-Control": [
"no-cache, no-store, must-revalidate"
],
"Content-Length": [
"784"
],
"Content-Type": [
"application/json"
],
"Date": [
"Thu, 26 Oct 2023 20:57:00 GMT"
],
"Pragma": [
"no-cache"
],
"opc-limit": [
"1"
],
"opc-next-page": [
"AAAAAAAAAAJleUpyYVdRaU9pSXpOek13SWl3aVpXNWpJam9pUVRJhZnc="
],
"opc-request-id": [
"742986C36DC6/7A39F697849/87DC14D30B3055B7"
]
},
"message": null,
"payload": null,
"responseTime": "2023-10-26T20:57:00.394Z",
"status": "200"
},
"stateChange": {
"current": null,
"previous": null
}
},
"dataschema": "2.0",
"id": "f132bf7a-c3d5-4cdb-b3e4-42344b73d48a",
"oracle": {
"compartmentid": "ocid1.tenancy.oc1..aaaaaaaaa",
"ingestedtime": "2023-10-26T20:57:09.668Z",
"loggroupid": "_Audit",
"tenantid": "ocid1.tenancy.oc1..aaaaaaaaa"
},
"source": "",
"specversion": "1.0",
"time": "2023-10-26T20:57:00.379Z",
"type": "com.oraclecloud.Compartments.ListCompartments"
}
{
"data": {
"additionalDetails": {
"bucketName": "testBucket",
"namespace": "NAMESPACE"
},
"availabilityDomain": "PHX-AD-2",
"compartmentId": "ocid1.tenancy.oc1..aaaaaaaaa",
"compartmentName": "logantest1",
"definedTags": {},
"eventGroupingId": "phx-1:WRk50BSDAZ",
"eventName": "GetBucket",
"freeformTags": {},
"identity": {
"authType": "natv",
"callerId": null,
"callerName": null,
"consoleSessionId": null,
"credentials": "***",
"ipAddress": "192.0.2.16",
"principalId": "ocid1.user.oc1..aaaaaaaa",
"principalName": "manageUser",
"tenantId": "ocid1.tenancy.oc1..aaaaaaaaa",
"userAgent": "Apache-HttpClient/4.5.8 (Java/1.8.0_381)"
},
"message": "Bucket details retrieved.",
"request": {
"action": "GET",
"headers": {
"Accept": [
"application/json"
],
"Accept-Encoding": [
"gzip,deflate"
],
"Authorization": [
"Signature ***"
],
"Connection": [
"Keep-Alive"
],
"User-Agent": [
"Apache-HttpClient/4.5.8 (Java/1.8.0_381)"
],
"date": [
"Thu, 14 Dec 2023 17:59:28 GMT"
],
"host": [
"objectstorage.us-phoenix-1.oraclecloud.com"
]
},
"id": "phx-1:WRk50BSDAZ",
"parameters": {
"fields": [
"approximateCount,approximateSize"
],
"param0": [
"NAMESPACE"
],
"param1": [
"testBucket"
]
},
"path": "/n/NAMESPACE/b/testBucket/?fields=approximateCount%2CapproximateSize"
},
"resourceId": "/n/NAMESPACE/b/testBucket/?fields=approximateCount%2CapproximateSize",
"response": {
"headers": {
"Content-Length": [
"827"
],
"Content-Type": [
"application/json"
],
"access-control-allow-credentials": [
"true"
],
"access-control-allow-methods": [
"POST,PUT,GET,HEAD,DELETE,OPTIONS"
],
"access-control-allow-origin": [
"*"
],
"access-control-expose-headers": [
"access-control-allow-credentials,access-control-allow-methods,access-control-allow-origin,cache-control,content-length,content-type,date,etag,opc-client-info,opc-request-id,x-api-id"
],
"cache-control": [
"no-store"
],
"date": [
"Thu, 14 Dec 2023 17:59:28 GMT"
],
"etag": [
"b863c403-7b12-4e49-94ca-5555555555AAAA"
],
"opc-request-id": [
"phx-1:WRk50BSDAZ"
],
"x-api-id": [
"native"
]
},
"message": null,
"payload": {
"id": "/n/NAMESPACE/b/testBucket/?fields=approximateCount%2CapproximateSize",
"resourceName": "/n/NAMESPACE/b/testBucket/?fields=approximateCount%2CapproximateSize"
},
"responseTime": "2023-12-14T17:59:28.169Z",
"status": "200"
},
"stateChange": null
},
"dataschema": "2.0",
"id": "b60d4c03-3d70-2e32-f9cf-13b9d87d0a24",
"oracle": {
"compartmentid": "ocid1.tenancy.oc1..aaaaaaaaa",
"ingestedtime": "2023-12-14T17:59:32.486Z",
"loggroupid": "_Audit",
"tenantid": "ocid1.tenancy.oc1..aaaaaaaaa"
},
"source": "testBucket",
"specversion": "1.0",
"time": "2023-12-14T17:59:28.169Z",
"type": "com.oraclecloud.objectstorage.getbucket"
}
{
"data": {
"additionalDetails": {
"actorDisplayName": "Test User6",
"actorOcid": "bbbbbbbbbbbbbbbbbbbbbbbbbb",
"actorType": "User",
"resourceType": "AppRole",
"adminRefResourceName": "G",
"adminRefResourceType": "User",
"adminResourceType": "User",
"test": "test",
"adminAppRoleAppName": "AUTOANALYTICS",
"adminResourceName": "AUTONOMOUS_ANALYTICS_ServiceAdministrator",
"clientIp": "192.0.2.2",
"domainId": "ocid1.domain.oc1..aaa",
"domainName": "idcs-123",
"auditEventMapValue": "{\"schemas\"}",
"domainDisplayName": "Default",
"eventId": "sso.session.create.success",
"hostIp": "198.51.100.18",
"hostName": "idcs-sso-56d",
"message": "Session create success",
"rId": "0:1:6:14",
"ecId": "vm4Cr1w^j00000000",
"reasonValue": "",
"ssoApplicationId": "LoginClient_APPID",
"ssoApplicationName": "IAM LoginClient",
"ssoApplicationType": "APP",
"ssoBrowser": "Firefox",
"ssoCSR": "false",
"ssoComments": "Session create success",
"ssoCompletedFactors": "{USERNAME_PASSWORD=AUTH_SUCCESS}",
"ssoIdentityProvider": "UserNamePassword",
"ssoIdentityProviderType": "LOCAL",
"ssoLocalIp": "192.0.2.1",
"ssoMatchedSignOnPolicy": "DefaultSignOnPolicy",
"ssoMatchedSignOnPolicyName": "Default Sign-On Policy",
"ssoMatchedSignOnRule": "DefaultSignOnRule",
"ssoMatchedSignOnRuleName": "Default Sign-On Rule",
"ssoPlatform": "Mac OS X",
"ssoPolicyObligations": "effect:ALLOW,authenticationFactor:IDP,allowUserToSkip2FAEnrolment:false,2FAFrequency:SESSION,reAuthenticate:false,trustedDevice2FAFrequency:",
"ssoProtectedResource": "https://cloud.oracle.com",
"ssoRp": "LoginClient_APPID",
"ssoSessionCreateTime": "2022-03-09T17:18:33Z",
"ssoSessionExpiryTime": "2022-03-10T01:18:33Z",
"ssoSessionId": "61142895dd5b4d",
"ssoUserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:97.0) Gecko/20100101 Firefox/97.0",
"idcsCreatedBy": {
"value": "0f7f60294be042b"
},
"idcsLastModifiedBy": {
"value": "0f7f60294be"
},
"adminValuesAdded": {
"authenticationFactors": [
{
"status": "ENROLLED",
"type": "TOTP"
},
{
"publicKey": "DUMMY",
"status": "INPROGRESS",
"type": "PUSH"
}
]
}
},
"availabilityDomain": "AD3",
"compartmentId": "ocid1.tenancy.oc1..aaaaa",
"compartmentName": "cc",
"definedTags": null,
"eventGroupingId": null,
"eventName": "InteractiveLogin",
"freeformTags": null,
"identity": {
"authType": null,
"callerId": null,
"callerName": null,
"consoleSessionId": null,
"credentials": null,
"ipAddress": "192.0.2.64",
"principalId": null,
"principalName": "gstest6",
"tenantId": "ocid1.tenancy.oc1..aa",
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:97.0) Gecko/20100101 Firefox/97.0"
},
"message": " InteractiveLogin succeeded",
"request": {
"action": null,
"headers": null,
"id": "DWsez1ESf10000000",
"parameters": null,
"path": null
},
"resourceId": null,
"response": {
"headers": null,
"message": null,
"payload": null,
"responseTime": "2022-03-09T17:18:33.983Z",
"status": null
},
"stateChange": {
"current": null,
"previous": null
}
},
"dataschema": "2.0",
"id": "fd380a65-c887-4d48-8a52-c405c0c96bc4",
"oracle": {
"compartmentid": "ocid1.tenancy.oc1..aaaaa",
"ingestedtime": "2022-03-09T17:18:38.743Z",
"loggroupid": "_Audit",
"tenantid": "ocid1.tenancy.oc1..aaaa"
},
"source": "",
"specversion": "1.0",
"time": "2022-03-09T17:18:33.983Z",
"type": "com.oraclecloud.IdentitySignOn.InteractiveLogin"
}
OCI Audit Log Format
Parser name: omc_oci_audit_logtype
Example Content:
{
"tenantId":"ocid1.tenancy.oc1..aaaaaaaagABCDEFGHKUYGASDGADDGADAGADGDAGJDAGGDjiujvy2hjgxvabc",
"compartmentId":"ocid1.tenancy.oc1..aaaaaaaauAADBCISHGDKUHAFFFFFFFFFDDDDDDDDDDDDxjlcnunxo2hbsixyz",
"compartmentName":"mycompname",
"eventId":"762d978e-f995-4208-93cf-af0e97bca529",
"eventName":"GetCapabilities",
"eventSource":"Compartments",
"eventType":"ServiceAPI",
"eventTime":"2019-09-25T15:38:48.784Z",
"principalId":"ocid1.user.oc1..aaaaaaaaabcdefghiklm6hh2fv4szofhnz62nkzdvtalajs3nzvrmcdxyza",
"credentialId":"ST$ABCDEFGHIJKLM3dfb2MxXzIwMTktMDRABCDEFGHIJKLMOiJSUzI1NiJ9eyJzd-p-9SFwuT86c-M5QC8gDZfMJ6u2Wwuu6eb91U7J3xVZdxRIHiloz20wm3JoGww7Q0YwpwV4Zyrub0c0UrW_xyzKLJYBAADYLBD",
"requestAction":"GET",
"requestId":"34d8ed99-e62c-4425-96d3-118ea684/1232AD2DD02E066E005B4A35F8B931E8/17BB11E992A4D540996942C24175C3A1",
"requestAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36",
"requestHeaders":{
"Origin":[
"https://console.us-ashburn-1.oraclecloud.com"
],
"Accept":[
"*/*"
],
"X-Forwarded-Proto":[
"http"
],
"X-Forwarded-Host":[
"identity.us-phoenix-1.oraclecloud.com:80"
],
"User-Agent":[
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36"
],
"Referer":[
"https://console.us-ashburn-1.oraclecloud.com/a/identity/users/ocid1.user.oc1..aaaaaaaabfABCDEFGHIJKLMN123456789nz62nkzdvtalajs3nzvrmcdqhvq"
],
"Sec-Fetch-Site":[
"same-site"
],
"Accept-Encoding":[
"gzip, deflate, br"
],
"X-Forwarded-Port":[
"80"
],
"x-date":[
"Wed, 25 Sep 2019 15:38:48 GMT"
],
"Sec-Fetch-Mode":[
"cors"
],
"Authorization":[
"Signature keyId=\"ST$eyJraWQiOiJhABNCDEFILUYADLBDUYDADjciLCJhbGciOiJIj.E-p-EE0FzMWBsv_sixzmzbxuasdKJFYKVBLjkPLzH-9SFwuT86c-M5QC8gDZfMJ6u2WwuuasdklhdanaABCDEFGHloz20wm3JoGww7Q0YwpwV4ajsfdkavkdgkbjdVVVVVVVaasdadw\",version=\"1\",algorithm=\"rsa-sha256\",headers=\"(request-target) host x-date\",signature=\"*****\""
],
"Opc-Request-Id":[
"34d8ed99-e62c-4425-96d3-118ea6844100"
],
"X-Forwarded-For":[
"192.0.2.19, 192.0.2.1"
],
"Accept-Language":[
"en-US,en;q=0.9,fr;q=0.8"
],
"Opc-Client-Info":[
"Oracle-HgConsole/0.0.1"
],
"X-Real-IP":[
"192.0.2.1"
],
"oci-original-url":[
"http://identity.us-phoenix-1.oraclecloud.com/20160918/compartments/ocid1.tenancy.oc1..aaaaaaaauj75yrhgABCJKFKALBSDYADTVKDA6e5c7nxlxjlcnAJDGDJAHGDA/capabilities"
]
},
"requestOrigin":"192.0.2.11",
"requestResource":"/20160918/compartments/ocid1.tenancy.oc1..aaaaaaaauj7JAHGDVKADUGashgajssJHGJKDKVSJYTDSVKUDTKSYTSKbs6ca/capabilities",
"responseHeaders":{
"Access-Control-Expose-Headers":[
"opc-previous-page,opc-next-page,opc-client-info,ETag,opc-total-items,opc-request-id,Location"
],
"Cache-Control":[
"no-cache, no-store, must-revalidate"
],
"Access-Control-Allow-Origin":[
"https://console.us-ashburn-1.oraclecloud.com"
],
"Access-Control-Allow-Credentials":[
"true"
],
"Vary":[
"Origin"
],
"Pragma":[
"no-cache"
],
"opc-request-id":[
"34d8ed99-e62c-4425-96d3-118ea684/1232ADABCJASHSDGAS234523234231E8/JADFVADTDATDAD40996942C24175C3A1"
],
"Date":[
"Wed, 25 Sep 2019 15:38:48 GMT"
],
"Content-Type":[
"application/json"
]
},
"responseStatus":"200",
"responseTime":"2019-09-25T15:38:48.851Z",
"responsePayload":{
"resourceName":"logandev",
"id":"ocid1.tenancy.oc1..aaaaaaaauj7RABCDEFGHxktbikwiqtywqdqbbbbbbaaaaaaaaanxo2hbs6ca"
},
"userName":"user100"
}
OCI Audit Log Format v2
Parser name: omc_oci_audit_logtype_v2
Example Content:
{
"eventType":"com.oraclecloud.virtualNetwork.CreateVcn",
"cloudEventsVersion":"0.1",
"eventTypeVersion":"2.0",
"source":"virtualNetwork",
"eventId":"1fd6329b-6e11-40a5-bb48-b4db04cce956",
"eventTime":"2019-12-08T03:08:53.799Z",
"contentType":"application/json",
"data":{
"eventGroupingId":"csid0234d20c41bcafe8ae4426aa5e56/6c9d69d339e8464598b2d7",
"eventName":"CreateVcn",
"compartmentId":"ocid1.compartment.oc1..aaaaaaaa2bhu3kzsu5jhmsstbf4olwmd",
"compartmentName":"storage",
"availabilityDomain":"AD",
"identity":{
"principalName":"user1",
"principalId":"ocid1.user.oc1..aaaaaaaa36xdrbtaqilj7zqdkfotn2u53kq5a",
"authType":"natf",
"tenantId":"ocid1.tenancy.oc1..aaaaaaaagkbzgg6lpzrf47xzy4rjoxg4de6n",
"credentials":"ABCDEF0123456789",
"userAgent":"Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Firefox/68.0",
"consoleSessionId":"ABCDEF34d20c41bcafe8ae4426aa5e56",
"ipAddress":"192.0.2.1"
},
"request":{
"id":"39e8464598b2d76e3dc9f256/E60985C6435ECBF85AAAABBBCCCCD020",
"path":"/20160918/vcns",
"action":"POST",
"parameters":{
},
"headers":{
"Origin":[
"https://compute.plugins.oci.dummy.com"
],
"Accept":[
"*/*"
],
"User-Agent":[
"Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Firefox/68.0"
],
"Referer":[
"https://compute.plugins.oci.dummy.com/compute/instances/create"
],
"Connection":[
"keep-alive"
],
"Accept-Encoding":[
"gzip, deflate, br"
],
"x-date":[
"Sun, 08 Dec 2019 03:08:53 GMT"
],
"Authorization":[
"Signature keyId=\"ABCDEF0123456789-SZOT-By3-kG5Jgfbu2Zyw4Xq8va6TymkuoPw\",version=\"1\",headers=\"(request-target) host content-length content-type opc-request-id x-date\",signature=\"*****\""
],
"Accept-Language":[
"en-US,en;q=0.5"
],
"Content-Length":[
"231"
],
"opc-request-id":[
"ABCDEF0123456789339e8464598b2d76e3dc9f256"
],
"Content-Type":[
"application/json"
]
}
},
"response":{
"status":"404",
"responseTime":"2019-12-08T03:08:53.799Z",
"headers":{
"Access-Control-Expose-Headers":[
"opc-previous-page,opc-next-page,opc-client-info,ETag,opc-work-request-id,opc-total-items,opc-request-id,Location"
],
"Access-Control-Allow-Origin":[
"https://compute.plugins.oci.oraclecloud.com"
],
"Access-Control-Allow-Credentials":[
"true"
],
"X-Content-Type-Options":[
"nosniff"
],
"Connection":[
"keep-alive"
],
"Content-Length":[
"111"
],
"opc-request-id":[
"ABCDEF0123456789b2d76e3dc9f256/E60985C64112233333B2BA2CB7A8D020"
],
"Date":[
"Sun, 08 Dec 2019 03:08:53 GMT"
],
"Content-Type":[
"application/json"
]
},
"message":"CreateVcn failed with response 'NotAuthorizedOrNotFound'"
},
"stateChange":{
"previous": "previous state",
"current": "current state"
},
"additionalDetails":{
},
"internalDetails":{
}
}
}
OCI DevOps Log Format
Parser name: oci_devopslog_logtype
Example Content:
{
"specversion": "1.0",
"type": "com.oraclecloud.devops.deployment",
"source": "Project name",
"subject": "ocid1.instance.oc1.region.uniqueID",
"id": "e3002eaa-d717-472e-8474-d024943a0f27",
"time": "2020-10-18T21:02:40.58Z",
"oracle": {
"logid": "ocid1.log.oc1.region.uniqueID",
"loggroupid": "ocid1.loggroup.oc1.region.uniqueID",
"tenantid": "ocid1.tenant.oc1.region.uniqueID",
"compartmentid": "ocid1.compartment.oc1.region.uniqueID",
"ingestedtime": "2020-10-18T21:02:40.58Z"
},
"data": {
"deploymentId": "ocid1.devopsdeployment.oc1.region.uniqueID",
"deployPipelineId": "ocid1.devopsdeploypipeline.oc1.region.uniqueID",
"deployStageId": "ocid1.devopsdeploystage.oc1.region.uniqueID",
"message": "Manual Approval stage: Waiting for required approvals",
"producer": "DEVOPS_SERVICE"
}
}
OCI DevOps Build Log Format
Parser name: oci_devopsbuild_logtype
Example Content:
{
"specversion": "1.0",
"type": "com.oraclecloud.devops.build",
"source": "project name",
"subject": "ocid1.devopsbuildrun.oc1.region.uniqueID",
"id": "27868e6f-b91d-4318-868e-6fb91d9318e9",
"time": "2020-10-18T21:02:40.58Z",
"oracle": {
"logid": "ocid1.log.oc1.region.uniqueID",
"loggroupid": "ocid1.loggroup.oc1.region.uniqueID",
"tenantid": "ocid1.tenancy.oc1.uniqueID",
"compartmentid": "ocid1.compartment.oc1.uniqueID",
"ingestedtime": "2020-10-18T21:02:40.58Z"
},
"data": {
"buildPipelineId": "ocid1.devopsbuildpipeline.oc1.region.uniqueID",
"buildRunId": "ocid1.devopsbuildrun.oc1.region.uniqueID",
"buildStageId": "ocid1.devopsbuildpipelinestage.oc1.region.uniqueID",
"message": "Starting BUILD_SPEC_EXECUTION",
"producer": "DEVOPS_SERVICE"
}
}
OCI Email Delivery Log Format
Parser name: oci_emaildelivery_logtype
Example Content:
{
"specversion": "1.0",
"type": "com.oraclecloud.emaildelivery.emaildomain.outboundrelayed",
"source": "example.com",
"time": "2021-02-20T09:01:40.000Z",
"id": "2eefd817-0a53-4be0-990c-224708aff337",
"oracle": {
"logid": "ocid1.log.oc1.region.uniqueID"
},
"data": {
"action": "relay",
"messageId": "12345",
"sender": "support@example.com",
"senderCompartmentId": "ocid1.compartment.oc1.region.uniqueID",
"senderId": "ocid1.emailsender.oc1.region.uniqueID",
"recipient": "user@example.com",
"receivingDomain": "example.com",
"sourceAddress": "192.0.2.10",
"dkimSelector": "selector1",
"messageSizeInKiB": 2,
"recipientMailServer": "bmta.email.region.oraclecloud.com (198.51.100.1)",
"internalProcessingDurationInMs": 20,
"tlsCipher": "TLS_AES_128_GCM_SHA256",
"sendingPoolName": "REGOCIVMTAs",
"bounceCategory": "bad-mailbox",
"bounceCode": "5.1.1",
"reportGeneratedTime": "2021-02-24T22:50:22.123Z",
"originalMessageAcceptedTime": "2021-02-23T22:50:22.123Z",
"headers": {
"X-Campaign-ID": "campaign1",
"Recipient-Group-ID": "group1",
"Sub-Account-ID": "account1"
},
"errorType": "Authorization failure",
"smtpStatus": "550 5.1.1 unknown or illegal alias: 974-4710-b440-52e9e1a70cb8-user@example.com",
"message": "Email approved Body From address: support@example.com is not authorized or not found"
}
}
OCI Site-to-Site VPN Log Format
Parser name: oci_site2sitevpn_logtype
Example Content:
{
"data":
{
"message":" \"2062988354_1\": terminating SAs using this connection",
"tunnelId":"ocid1.ipsectunnel.oc1.region.uniqueID"
},
"id":"e3002eaa-d717-472e-8474-d024943a0f27",
"oracle":
{
"compartmentid":"ocid1.compartment.oc1.region.uniqueID",
"ingestedtime":"2021-02-18T18:22:01.453Z",
"loggroupid":"ocid1.loggroup.oc1.region.uniqueID",
"logid":"ocid1.log.oc1.region.uniqueID",
"tenantid":"ocid1.tenancy.oc1.region..uniqueID"
},
"source":"ocid1.ipsecconnection.oc1.region.uniqueID",
"specversion":"1.0",
"time":"2021-02-18T18:21:52.024Z",
"type":"com.oraclecloud.vpn.ipseclog.read"
}
OCI WAF Log Format
Parser name: oci_waf_logtype
Example Content:
{
"data": {
"backendStatusCode": "200",
"clientAddr": "192.0.2.150",
"countryCode": "us",
"host": "hostnamefoo",
"listenerPort": "80",
"request": {
"httpVersion": "HTTP/1.1",
"id": "685e4e2015eb0ebeea93123456789",
"method": "GET",
"path": "/?tst=KztAAU"
},
"requestAccessControl": {
"matchedRules": "block_test_host_url"
},
"requestProtection": {
"matchedData": "Matched Data: KztAAU found within ARGS:tst",
"matchedIds": "944210_v001",
"matchedRules": "Java_Code_Injection"
},
"response": {
"code": "401",
"size": "303"
},
"responseAccessControl": {
"matchedRules": "1st_rule"
},
"responseProtection": {},
"responseProvider": "requestProtection/Java_Code_Injection",
"timestamp": "2021-09-29T15:52:47Z"
},
"id": "5c328018-f7d1-45ac-8d66-af0ad919bd85-waf-342734",
"oracle": {
"compartmentid": "ocid1.compartment.oc1.region.uniqueId",
"ingestedtime": "2021-09-29T15:52:53.764Z",
"loggroupid": "ocid1.loggroup.oc1.region.uniqueId",
"logid": "ocid1.log.oc1.region.uniqueId",
"resourceid": "ocid1.webappfirewall.oc1.region.uniqueId",
"tenantid": "ocid1.tenancy.oc1.region.uniqueId"
},
"source": "lbwaf_source",
"specversion": "1.0",
"subject": "",
"time": "2021-09-29T15:52:47.875Z",
"type": "com.oraclecloud.loadbalancer.waf"
}
OCI Web Application Acceleration Log Format
Parser name: oci_waa_logtype
Example Content:
{
"data":{
"request":{
"id":"727b8fabcc23662a8ad3754d4a3573f2"
},
"response":{
"code":"200",
"size":"73805"
},
"timestamp":"2023-08-14T05:40:24+00:00"
},
"id":"6cf12c5a-846f-4394-b882-861c5b698032-waa-192433",
"oracle":{
"compartmentid":"ocid1.compartment.oc1.uniqueId",
"ingestedtime":"2023-08-14T05:40:33.086Z",
"loggroupid":"ocid1.loggroup.oc1.uniqueId",
"logid":"ocid1.log.oc1.uniqueId",
"resourceid":"ocid1.loadbalancer.oc1.uniqueId",
"tenantid":"ocid1.tenancy.oc1.uniqueId"
},
"source":"fortLB",
"specversion":"1.0",
"subject":"",
"time":"2023-08-14T05:40:24.526Z",
"type":"com.oraclecloud.loadbalancer.waa"
}
OCI Integration Activity Stream Log Format
Parser name: oci_integration_actstream_logtype
Example Content:
{
"data": {
"actionName": "log2",
"actionType": "Logger",
"operationName": "execute",
"endpointName": "helloWorld",
"instanceId": "65202025",
"executionTimeInMillis":"1",
"integrationFlowIdentifier": "HELLO_WORLD!01.02.0000",
"message": "Length of parameter is 4",
"userId": "user@domain.com"
},
"id": "38c5cc58-f9f6-11eb-bee4-0200170046fa",
"oracle": {
"compartmentid": "ocid1.compartment.oc1.region.uniqueID",
"ingestedtime": "2021-07-10T16:16:01.527Z",
"loggroupid": "ocid1.loggroup.oc1.region.uniqueID",
"logid": "ocid1.log.oc1.region.uniqueID",
"tenantid": "ocid1.tenancy.oc1.region.uniqueID"
},
"source": "HelloWorld Integration Instance",
"specversion": "1.0",
"time": "2021-07-10T16:15:59.469Z",
"type": "com.oraclecloud.integration.integrationinstance.activitystream"
}
OCI Network Firewall Threat Log Format
Parser name: oci_network_firewall_threat_logtype
Example Content:
{
"data": {
"action": "alert",
"device_name": "PA-VM",
"direction": "server-to-client",
"dst": "192.0.2.250",
"dstloc": "192.0.2.1-192.0.2.254",
"dstuser": "no-value",
"firewall-id": "ocid1.networkfirewall.oc1.region.uniqueID",
"proto": "udp",
"receive_time": "2022/10/18 14:27:15",
"rule": "AllowAll",
"sessionid": "613924",
"severity": "informational",
"src": "203.0.113.1",
"srcloc": "United States",
"srcuser": "no-value",
"subtype": "vulnerability",
"thr_category": "protocol-anomaly",
"threatid": "Non-RFC Compliant DNS Traffic on Port 53/5353"
},
"id": "ab991b1b-286a-4968-b1a2-77b31bf0fa12",
"oracle": {
"compartmentid": "ocid1.tenancy.oc1.region.uniqueID",
"ingestedtime": "2022-10-18T14:27:37.295Z",
"loggroupid": "ocid1.loggroup.oc1.region.uniqueID",
"logid": "ocid1.log.oc1.region.uniqueID",
"tenantid": "ocid1.tenancy.oc1.region.uniqueID"
},
"source": "ocid1.networkfirewall.oc1.region.uniqueID",
"specversion": "1.0",
"time": "2022-10-18T14:27:15.000Z",
"type": "com.oraclecloud.networkfirewall.threat"
}
OCI Network Firewall Traffic Log Format
Parser name: oci_network_firewall_traffic_logtype
Example Content:
{
"data": {
"action": "allow",
"bytes": "588",
"bytes_received": "0",
"bytes_sent": "588",
"chunks": "0",
"chunks_received": "0",
"chunks_sent": "0",
"config_ver": "2561",
"device_name": "PA-VM",
"dport": "0",
"dst": "192.0.2.2",
"dstloc": "India",
"firewall-id": "ocid1.networkfirewall.oc1.region.uniqueID",
"packets": "6",
"pkts_received": "0",
"pkts_sent": "6",
"proto": "icmp",
"receive_time": "2022/08/27 08:00:52",
"rule": "AllowAll",
"rule_uuid": "ce6bc5b0-3ea8-4592-85f6-b470c4702e1f",
"serial": "192743405F7D70D",
"sessionid": "32114",
"sport": "0",
"src": "198.51.100.10",
"srcloc": "198.51.100.1-198.51.100.254",
"time_received": "2022/08/27 08:00:52"
},
"id": "5e905ffe-a528-420d-a9df-7b1b2c221cdf",
"oracle": {
"compartmentid": "ocid1.tenancy.oc1.region.uniqueID",
"ingestedtime": "2022-08-27T08:00:56.004Z",
"loggroupid": "ocid1.loggroup.oc1.region.uniqueID",
"logid": "ocid1.log.oc1.region.uniqueID",
"tenantid": "ocid1.tenancy.oc1.region.uniqueID"
},
"source": "ocid1.networkfirewall.oc1.region.uniqueID",
"specversion": "1.0",
"time": "2022-08-27T08:00:52.000Z",
"type": "com.oraclecloud.networkfirewall.traffic"
}