Managing and Searching Logs with Operator Access Control
Learn how to enable logs to view the list of Operator Controls created and in use in a compartment, and how to monitor operator activities in a cage.
- Enabling Logs and Creating Log Groups with Operator Access Control: To track Oracle operator activities on your system, learn how to enable logs and how to create log groups to manage logs.
- Log Format for Operator Access Control: Learn about the fields that an audit log published in the logging service contains.
- Searching Logs: To perform a search on logs, use this procedure to specify the fields, time range, and text strings for the logs that you want to search.
Enabling Logs and Creating Log Groups with Operator Access Control
To track Oracle operator activities on your system, learn how to enable logs and how to create log groups to manage logs.
- On the left navigation menu, select Logging, and then select Logs.
- Click Enable Service Log. The Enable Resource Log window opens.
- In the Select Resource section, provide information for each of the fields:
- Resource Compartment: Select the compartment where you want to create the log.
- Service: Select the Operator Access Control service for which you want to enable the log.
- Resource: Select the Operator Control for which you want to enable the log.
- In the Configure Log section, provide information for the following fields:
- Log Category: Select Access Logs.
- Log Name: Provide a name for the log that you want to create.
- (Optional) Click Show Advanced Options.
- (Optional) In the Log Location section, provide information for the following fields:
- Compartment: Select a compartment if you want the log files to be placed in a different compartment from the one for which you are creating the audit log.
- Log Group: Select the log group to which you want to add the log. A log group is a logical container for logs. Use log groups to streamline log management, including applying policy or analyzing groups of logs. If you want to create a new log group, click Create New Group and provide information for the following fields:
- Compartment: Select the compartment where you want to place the log group.
- Name: Provide a name for the log group.
- Description: Provide a description of the purpose of the log group.
- In the Tag Namespace field, consider adding a tag namespace (an identifying text string applied to a set of compartments), or tagging the control with an existing tag namespace.
- In the Log Retention section, select a log retention period.
- When you have completed and reviewed your selections, click Enable Log. The log pertaining to the operator control is enabled.
Log Format for Operator Access Control
Learn about the fields that an audit log published in the logging service contains.
Table 6-1 Audit Log Fields (field names taken from Example 6-1 below)

Field | Description
---|---
data | Contains all the data obtained from the Exadata audit logs.
data.accessRequestId | Contains the Oracle Cloud Identifier (OCID) of the access request. This identifier is obtained from the access request listing page in the Console.
data.message | Contains the audit log in raw format. The audit log format follows the audit logging format as output by the (reference missing in source). For more information, see the (link missing in source).
data.systemOcid | The Oracle Cloud Identifier (OCID) of the Exadata system from which the log was collected.
data.timestamp | The time stamp, usually in the Coordinated Universal Time (UTC) time zone, at which the action that the log represents was performed.
source | The service that is publishing the log. The source of the log is the (value missing in source; Example 6-1 shows "OperatorAccessControl").
There are a few additional fields, which are primarily for accounting purposes of the service.
Example 6-1 Operator Access Control Audit Log
{
"logContent": {
"data": {
"accessRequestId": "ocid1.opctlaccessrequest.oc1.ap-chuncheon-1.aaaaaaaaqk67mpzb74nsssg4ppwk7cyg46dwoxegtvhopdp7lxbktpymk4kq",
"message": "type=PROCTITLE msg=audit(09/08/2021 09:01:24.335:34495595) : proctitle=ps -ef \ntype=PATH msg=audit(09/08/2021 09:01:24.335:34495595) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=2546207 dev=fc:00 mode=file,755 ouid=root ogid=root rdev=00:00 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 \ntype=PATH msg=audit(09/08/2021 09:01:24.335:34495595) : item=0 name=/usr/bin/ps inode=33619160 dev=fc:00 mode=file,755 ouid=root ogid=root rdev=00:00 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 \ntype=CWD msg=audit(09/08/2021 09:01:24.335:34495595) : cwd=/home/b9dc42d68f6e4e26a1d843a4c5e70187 \ntype=EXECVE msg=audit(09/08/2021 09:01:24.335:34495595) : argc=2 a0=ps a1=-ef \ntype=SYSCALL msg=audit(09/08/2021 09:01:24.335:34495595) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x1848d50 a1=0x184c360 a2=0x184c040 a3=0x7ffeec95b760 items=2 ppid=94699 pid=95635 auid=b9dc42d68f6e4e26a1d843a4c5e70187 uid=b9dc42d68f6e4e26a1d843a4c5e70187 gid=opctl_facc1 euid=b9dc42d68f6e4e26a1d843a4c5e70187 suid=b9dc42d68f6e4e26a1d843a4c5e70187 fsuid=b9dc42d68f6e4e26a1d843a4c5e70187 egid=opctl_facc1 sgid=opctl_facc1 fsgid=opctl_facc1 tty=pts0 ses=813000 comm=ps exe=/usr/bin/ps key=(null) \n",
"status": "",
"systemOcid": "ocid1.exadatainfrastructure.oc1.ap-chuncheon-1.ab4w4ljr46tyytihmindrbshch3jjhrxxpctq4eiaksakp4kqamluuwkzdga",
"target": "",
"timestamp": "2021-09-08T09:01:24.000Z"
},
"id": "b3b102aa-daee-4861-8e2c-9014faac9de2",
"oracle": {
"compartmentid": "ocid1.tenancy.oc1..aaaaaaaazxdmffivtoe32kvio5e2dcgz24re5rqbkis3452yi2e7tc3x2erq",
"ingestedtime": "2021-09-08T16:02:26.182Z",
"loggroupid": "ocid1.loggroup.oc1.ap-chuncheon-1.amaaaaaajobtc3ia3iypuri32bhvrgmosztobwi72wgdofkpfdbyfg4yxlrq",
"logid": "ocid1.log.oc1.ap-chuncheon-1.amaaaaaajobtc3iahnkkwizgpoakdafmrttikohparjl7icmcfjzkechekfq",
"tenantid": "ocid1.tenancy.oc1..aaaaaaaazxdmffivtoe32kvio5e2dcgz24re5rqbkis3452yi2e7tc3x2erq"
},
"source": "OperatorAccessControl",
"specversion": "1.0",
"time": "2021-09-08T16:01:52.989Z",
"type": "com.oraclecloud.opctl.audit"
},
"datetime": 1631116912989
}
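The data.message field above embeds several newline-separated auditd-style records (PROCTITLE, CWD, EXECVE, SYSCALL) in one string. The following Python is an added example, not code from the Oracle documentation: it splits that string back into per-record key/value maps and reduces one Operator Access Control audit event to the who/what/where/when a reviewer wants. The sample record is a trimmed copy of Example 6-1 with placeholder OCIDs, and the helper names are hypothetical.

```python
import json
import re

# Constructed sample: a trimmed copy of the page's Example 6-1 with the long
# OCIDs replaced by obvious placeholders; data.message keeps the same layout.
SAMPLE_RECORD = json.dumps({"logContent": {"data": {
    "accessRequestId": "ocid1.opctlaccessrequest.oc1..EXAMPLE",
    "message": (
        "type=PROCTITLE msg=audit(09/08/2021 09:01:24.335:34495595) : proctitle=ps -ef \n"
        "type=CWD msg=audit(09/08/2021 09:01:24.335:34495595) : cwd=/home/op1 \n"
        "type=EXECVE msg=audit(09/08/2021 09:01:24.335:34495595) : argc=2 a0=ps a1=-ef \n"
        "type=SYSCALL msg=audit(09/08/2021 09:01:24.335:34495595) : arch=x86_64 "
        "syscall=execve success=yes exit=0 ppid=94699 pid=95635 auid=op1 uid=op1 "
        "tty=pts0 ses=813000 comm=ps exe=/usr/bin/ps key=(null) \n"),
    "systemOcid": "ocid1.exadatainfrastructure.oc1..EXAMPLE",
    "timestamp": "2021-09-08T09:01:24.000Z"}}})

KV_RE = re.compile(r"(\w+)=(\S+)")  # plain key=value tokens of an audit record


def parse_audit_message(message):
    """Split the raw auditd-style text into {record type: {key: value}}."""
    records = {}
    for line in message.split("\n"):
        line = line.strip()
        if not line:
            continue
        header, _, body = line.partition(" : ")  # "type=X msg=audit(...)" : fields
        rtype = dict(KV_RE.findall(header)).get("type", "UNKNOWN")
        if rtype == "PROCTITLE":  # full command line, so it may contain spaces
            records[rtype] = {"proctitle": body.split("proctitle=", 1)[-1].strip()}
        else:
            records[rtype] = dict(KV_RE.findall(body))
    return records


def summarize_event(raw_json):
    """Reduce one Operator Access Control audit record to who/what/where/when."""
    data = json.loads(raw_json)["logContent"]["data"]
    rec = parse_audit_message(data["message"])
    syscall, execve = rec.get("SYSCALL", {}), rec.get("EXECVE", {})
    argv = [execve.get("a%d" % i, "") for i in range(int(execve.get("argc", 0)))]
    return {
        "accessRequestId": data["accessRequestId"],  # ties the action to its approval
        "systemOcid": data["systemOcid"],
        "timestamp": data["timestamp"],
        "auid": syscall.get("auid", ""),  # login identity that ran the command
        "exe": syscall.get("exe", ""),
        "argv": " ".join(argv),
        "cwd": rec.get("CWD", {}).get("cwd", ""),
        "proctitle": rec.get("PROCTITLE", {}).get("proctitle", ""),
    }
```

The same parse can be run over every record returned by a log search to build a per-access-request command timeline instead of reading data.message by eye.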
Searching Logs
To perform a search on logs, use this procedure to specify the fields, time range, and text strings for logs that you want to search.
The log is enabled based on specific Operator Controls. Hence these form the top level filter for the log searches. Additionally, you can also search logs for the Access Request IDs, Exadata systems where the operator action occurred, or the time when the action occurred.
The following examples help you understand how to search for specific fields.
- On the left navigation menu, select Logging, and then select Logs.
- Choose the compartment where the logs are stored. This provides a list of the logs that were enabled.
- Click the log that you are interested in. The log detail page is displayed. These logs are always related to a single operator control.
- Click the Explore with Log Search link to search for specific logs.
- Case 1: Searching for actions performed using the approval for a specific access request, ocid.opctlaccessrequest.x, during a period T-start to T-end pertaining to an Operator Control, ocid.opctl.x.
- Choose Custom from the Filter By Time field.
- Select Start Date and End Date.
- Click Search. After you click Search, a set of logs is displayed.
- Now, for example, add the following search criteria in the Filter By Field or Text Search field:
data.accessRequestId='ocid.opctlaccessrequest.x'
This lists the logs matching the search criteria.
- Case 2: Searching for actions on an Exadata system, ocid.exadata.x, during a period T-start to T-end pertaining to an Operator Control, ocid.opctl.x.
- Choose Custom from the Filter By Time field.
- Click Search. After you click Search, a set of logs is displayed.
- Now, for example, add the following search criteria in the Filter By Field or Text Search field:
data.systemOcid='ocid.exadata.x'
This lists the logs matching the search criteria.
- You can also search the logs by the content. Use the log-content field. For more information, see Searching Logs.
- To search for specific Linux commands that were executed, use the Advanced Mode.
- Create a basic search using the examples given above (case 1 or case 2), and then switch to Advanced Mode. For example, to search for all the logs with the action vi, add the following criteria:
and text_contains(data.message, 'proctitle=vi ', true)
- When performing a search on the Logging Search page, you can click Show Advanced Mode to enter your own custom log search queries. For example:
search "ocid1.compartment.oc1..x/ocid1.loggroup.oc1.iad.loggroup_x/ocid1.log.oc1.iad.log_x" | data.systemOcid='ocid1.exadata.x' and text_contains(data.message, 'proctitle=vi ', true) | sort by datetime desc