Contents of an Audit Log Event
Describes the contents of an Audit log event.
The following explains the contents of an Audit log event. Every Audit log event includes two main parts:
- Envelopes that act as a container for all event messages
- Payloads that contain data from the resource emitting the event message
Resource Identifiers
Most types of Oracle Cloud Infrastructure resources have a unique, Oracle-assigned identifier called an Oracle Cloud ID (OCID). For information about the OCID format and other ways to identify your resources, see Resource Identifiers.
Event Envelope
These attributes for an event envelope are the same for all events. The structure of the envelope follows the CloudEvents industry standard format hosted by the Cloud Native Computing Foundation ( CNCF).
Property | Description |
---|---|
cloudEventsVersion
|
The version of the CloudEvents specification. Note: Audit uses version 0.1 specification of the CloudEvents event envelope. |
contentType
|
Set to application/json . The content type of the data contained in the data attribute. |
data
|
The payload of the event. Information within data comes from the resource emitting the event. |
eventID
|
The UUID of the event. This identifier is not an OCID, but just a unique ID for the event. |
eventTime
|
The time of the event, expressed in RFC 3339 timestamp format. |
eventType
|
The type of event that happened. Note: The service that produces the event can also add, remove, or change the meaning of a field. A service implementing these type changes would publish a new version of an |
eventTypeVersion
|
The version of the event type. This version applies to the payload of the event, not the envelope. Use |
source
|
The resource that produced the event. For example, an Autonomous Database or an Object Storage bucket. |
Payload
The data in these fields depends on which service produced the event log and the event type it defines.
Data
The data object contains the following attributes.
Property | Description |
---|---|
data.additionalDetails
|
A container object for attributes unique to the resource emitting the event. |
data.availabilityDomain
|
The availability domain where the resource resides. |
data.compartmentId
|
The OCID of the compartment of the resource emitting the event. |
data.compartmentName
|
The name of the compartment of the resource emitting the event. |
data.definedTags
|
Defined tags added to the resource emitting the event. |
data.eventGroupingId
|
This value links multiple audit events that are part of the same API operation. For example, a long running API operation that emits an event at the start and the end of the operation. |
data.eventName
|
Name of the API operation that generated this event. Example: |
data.freeformTags
|
Free-form tags added to the resource emitting the event. |
data.identity
|
A container object for identity attributes. See Identity. |
data.request
|
A container object for request attributes. See Request. |
data.resourceId
|
An OCID or an ID for the resource emitting the event. |
data.resourceName
|
The name of the resource emitting the event. |
data.response
|
A container object for response attributes. See Response. |
data.stateChange
|
A container object for state change attributes. See State Change. |
Identity
The identity object contains the following attributes.
Property | Description |
---|---|
data.identity.authType
|
The type of authentication used. |
data.identity.callerId
|
The OCID of the caller. The caller that made a request on behalf of the principal. |
data.identity.callerName
|
The name of the user or service issuing the request. This value
is the friendly name associated with
callerId . |
data.identity.consoleSessionId
|
This value identifies any Console session associated with this request. |
data.identity.credentials
|
The credential ID of the user. |
data.identity.ipAddress
|
The IP address of the source of the request. |
data.identity.principalId
|
The OCID of the principal. |
data.identity.principalName
|
The name of the user or service. This value is the friendly name
associated with principalId . |
data.identity.tenantId
|
The OCID of the tenant. |
data.identity.userAgent
|
The user agent of the client that made the request. |
Request
The request object contains the following attributes.
Property | Description |
---|---|
data.request.action
|
The HTTP method of the request. Example: |
data.request.headers
|
The HTTP header fields and values in the request. |
data.request.id
|
The unique identifier of a request. |
data.request.parameters
|
All the parameters supplied by the caller during this operation. |
data.request.path
|
The full path of the API request. Example: |
Response
The response object contains the following attributes.
Property | Description |
---|---|
data.response.headers
|
The headers of the response. |
data.response.message
|
A friendly description of what happened during the operation. |
data.response.payload
|
This value is included for backward compatibility with the Audit version 1 schema, where it contained metadata of interest from the response payload. |
data.response.responseTime
|
The time of the response to the audited request, expressed in RFC 3339 timestamp format. |
data.response.status
|
The status code of the response. |
State Change
The state change object contains the following attributes.
Property | Description |
---|---|
data.stateChange.current
|
Provides the current state of fields that may have changed during
an operation. To determine how the current operation changed a
resource, compare the information in this attribute to
data.stateChange.previous . |
data.stateChange.previous
|
Provides the previous state of fields that may have changed
during an operation. To determine how the current operation changed
a resource, compare the information in this attribute to
data.stateChange.current . |
An Example Audit Log
The following is an example of an event recorded by the Audit service.
{
"eventType": "com.oraclecloud.ComputeApi.GetInstance",
"cloudEventsVersion": "0.1",
"eventTypeVersion": "2.0",
"source": "ComputeApi",
"eventId": "<unique_ID>",
"eventTime": "2019-09-18T00:10:59.252Z",
"contentType": "application/json",
"data": {
"eventGroupingId": null,
"eventName": "GetInstance",
"compartmentId": "ocid1.tenancy.oc1..<unique_ID>",
"compartmentName": "compartmentA",
"resourceName": "my_instance",
"resourceId": "ocid1.instance.oc1.phx.<unique_ID>",
"availabilityDomain": "<availability_domain>",
"freeformTags": null,
"definedTags": null,
"identity": {
"principalName": "ExampleName",
"principalId": "ocid1.user.oc1..<unique_ID>",
"authType": "natv",
"callerName": null,
"callerId": null,
"tenantId": "ocid1.tenancy.oc1..<unique_ID>",
"ipAddress": "172.24.80.88",
"credentials": null,
"userAgent": "Jersey/2.23 (HttpUrlConnection 1.8.0_212)",
"consoleSessionId": null
},
"request": {
"id": "<unique_ID>",
"path": "/20160918/instances/ocid1.instance.oc1.phx.<unique_ID>",
"action": "GET",
"parameters": {},
"headers": {
"opc-principal": [
"{\"tenantId\":\"ocid1.tenancy.oc1..<unique_ID>\",\"subjectId\":\"ocid1.user.oc1..<unique_ID>\",\"claims\":[{\"key\":\"pstype\",\"value\":\"natv\",\"issuer\":\"authService.oracle.com\"},{\"key\":\"h_host\",\"value\":\"iaas.r2.oracleiaas.com\",\"issuer\":\"h\"},{\"key\":\"h_opc-request-id\",\"value\":\"<unique_ID>\",\"issuer\":\"h\"},{\"key\":\"ptype\",\"value\":\"user\",\"issuer\":\"authService.oracle.com\"},{\"key\":\"h_date\",\"value\":\"Wed, 18 Sep 2019 00:10:58 UTC\",\"issuer\":\"h\"},{\"key\":\"h_accept\",\"value\":\"application/json\",\"issuer\":\"h\"},{\"key\":\"authorization\",\"value\":\"Signature headers=\\\"date (request-target) host accept opc-request-id\\\",keyId=\\\"ocid1.tenancy.oc1..<unique_ID>/ocid1.user.oc1..<unique_ID>/8c:b4:5f:18:e7:ec:db:08:b8:fa:d2:2a:7d:11:76:ac\\\",algorithm=\\\"rsa-pss-sha256\\\",signature=\\\"<unique_ID>\\\",version=\\\"1\\\"\",\"issuer\":\"h\"},{\"key\":\"h_(request-target)\",\"value\":\"get /20160918/instances/ocid1.instance.oc1.phx.<unique_ID>\",\"issuer\":\"h\"}]}"
],
"Accept": [
"application/json"
],
"X-Oracle-Auth-Client-CN": [
"splat-proxy-se-02302.node.ad2.r2"
],
"X-Forwarded-Host": [
"compute-api.svc.ad1.r2"
],
"Connection": [
"close"
],
"User-Agent": [
"Jersey/2.23 (HttpUrlConnection 1.8.0_212)"
],
"X-Forwarded-For": [
"172.24.80.88"
],
"X-Real-IP": [
"172.24.80.88"
],
"oci-original-url": [
"https://iaas.r2.oracleiaas.com/20160918/instances/ocid1.instance.oc1.phx.<unique_ID>"
],
"opc-request-id": [
"<unique_ID>"
],
"Date": [
"Wed, 18 Sep 2019 00:10:58 UTC"
]
}
},
"response": {
"status": "200",
"responseTime": "2019-09-18T00:10:59.278Z",
"headers": {
"ETag": [
"<unique_ID>"
],
"Connection": [
"close"
],
"Content-Length": [
"1828"
],
"opc-request-id": [
"<unique_ID>"
],
"Date": [
"Wed, 18 Sep 2019 00:10:59 GMT"
],
"Content-Type": [
"application/json"
]
},
"payload": {
"resourceName": "my_instance",
"id": "ocid1.instance.oc1.phx.<unique_ID>"
},
"message": null
},
"stateChange": {
"previous": null,
"current": null
},
"additionalDetails": {
"imageId": "ocid1.image.oc1.phx.<unique_ID>",
"shape": "VM.Standard1.1",
"type": "CustomerVmi"
}
}
}