Contents of an Audit Log Event

Describes the contents of an Audit log event.

The following explains the contents of an Audit log event. Every Audit log event includes two main parts:

Envelopes that act as a container for all event messages
Payloads that contain data from the resource emitting the event message

Resource Identifiers

Most types of Oracle Cloud Infrastructure resources have a unique, Oracle-assigned identifier called an Oracle Cloud ID (OCID). For information about the OCID format and other ways to identify your resources, see Resource Identifiers.

Event Envelope

These attributes for an event envelope are the same for all events. The structure of the envelope follows the CloudEvents industry standard format hosted by the Cloud Native Computing Foundation ( CNCF).


Property	Description
`cloudEventsVersion`	The version of the CloudEvents specification. Note: Audit uses version 0.1 specification of the CloudEvents event envelope.
`contentType`	Set to `application/json`. The content type of the data contained in the `data` attribute.
`data`	The payload of the event. Information within `data` comes from the resource emitting the event.
`eventID`	The UUID of the event. This identifier is not an OCID, but just a unique ID for the event.
`eventTime`	The time of the event, expressed in RFC 3339 timestamp format.
`eventType`	The type of event that happened. Note: The service that produces the event can also add, remove, or change the meaning of a field. A service implementing these type changes would publish a new version of an `eventType` and revise the `eventTypeVersion` field.
`eventTypeVersion`	The version of the event type. This version applies to the payload of the event, not the envelope. Use `cloudEventsVersion` to determine the version of the envelope.
`source`	The resource that produced the event. For example, an Autonomous Database or an Object Storage bucket.

Payload

The data in these fields depends on which service produced the event log and the event type it defines.

Data

The data object contains the following attributes.


Property	Description
`data.additionalDetails`	A container object for attributes unique to the resource emitting the event.
`data.availabilityDomain`	The availability domain where the resource resides.
`data.compartmentId`	The OCID of the compartment of the resource emitting the event.
`data.compartmentName`	The name of the compartment of the resource emitting the event.
`data.definedTags`	Defined tags added to the resource emitting the event.
`data.eventGroupingId`	This value links multiple audit events that are part of the same API operation. For example, a long running API operation that emits an event at the start and the end of the operation.
`data.eventName`	Name of the API operation that generated this event. Example: `LaunchInstance`
`data.freeformTags`	Free-form tags added to the resource emitting the event.
`data.identity`	A container object for identity attributes. See Identity.
`data.request`	A container object for request attributes. See Request.
`data.resourceId`	An OCID or an ID for the resource emitting the event.
`data.resourceName`	The name of the resource emitting the event.
`data.response`	A container object for response attributes. See Response.
`data.stateChange`	A container object for state change attributes. See State Change.

Identity

The identity object contains the following attributes.


Property	Description
`data.identity.authType`	The type of authentication used.
`data.identity.callerId`	The OCID of the caller. The caller that made a request on behalf of the principal.
`data.identity.callerName`	The name of the user or service issuing the request. This value is the friendly name associated with `callerId`.
`data.identity.consoleSessionId`	This value identifies any Console session associated with this request.
`data.identity.credentials`	The credential ID of the user.
`data.identity.ipAddress`	The IP address of the source of the request.
`data.identity.principalId`	The OCID of the principal.
`data.identity.principalName`	The name of the user or service. This value is the friendly name associated with `principalId`.
`data.identity.tenantId`	The OCID of the tenant.
`data.identity.userAgent`	The user agent of the client that made the request.

Request

The request object contains the following attributes.


Property	Description
`data.request.action`	The HTTP method of the request. Example: `GET`
`data.request.headers`	The HTTP header fields and values in the request.
`data.request.id`	The unique identifier of a request.
`data.request.parameters`	All the parameters supplied by the caller during this operation.
`data.request.path`	The full path of the API request. Example: `/20160918/instances/ocid1.instance.oc1.phx.<unique_ID>`

Response

The response object contains the following attributes.


Property	Description
`data.response.headers`	The headers of the response.
`data.response.message`	A friendly description of what happened during the operation.
`data.response.payload`	This value is included for backward compatibility with the Audit version 1 schema, where it contained metadata of interest from the response payload.
`data.response.responseTime`	The time of the response to the audited request, expressed in RFC 3339 timestamp format.
`data.response.status`	The status code of the response.

State Change

The state change object contains the following attributes.


Property	Description
`data.stateChange.current`	Provides the current state of fields that may have changed during an operation. To determine how the current operation changed a resource, compare the information in this attribute to `data.stateChange.previous`.
`data.stateChange.previous`	Provides the previous state of fields that may have changed during an operation. To determine how the current operation changed a resource, compare the information in this attribute to `data.stateChange.current`.

An Example Audit Log

The following is an example of an event recorded by the Audit service.

{
	"eventType": "com.oraclecloud.ComputeApi.GetInstance",
	"cloudEventsVersion": "0.1",
	"eventTypeVersion": "2.0",
	"source": "ComputeApi",
	"eventId": "<unique_ID>",
	"eventTime": "2019-09-18T00:10:59.252Z",
	"contentType": "application/json",
	"data": {
		"eventGroupingId": null,
		"eventName": "GetInstance",
		"compartmentId": "ocid1.tenancy.oc1..<unique_ID>",
		"compartmentName": "compartmentA",
		"resourceName": "my_instance",
		"resourceId": "ocid1.instance.oc1.phx.<unique_ID>",
		"availabilityDomain": "<availability_domain>",
		"freeformTags": null,
		"definedTags": null,
		"identity": {
			"principalName": "ExampleName",
			"principalId": "ocid1.user.oc1..<unique_ID>",
			"authType": "natv",
			"callerName": null,
			"callerId": null,
			"tenantId": "ocid1.tenancy.oc1..<unique_ID>",
			"ipAddress": "172.24.80.88",
			"credentials": null,
			"userAgent": "Jersey/2.23 (HttpUrlConnection 1.8.0_212)",
			"consoleSessionId": null
		},
		"request": {
			"id": "<unique_ID>",
			"path": "/20160918/instances/ocid1.instance.oc1.phx.<unique_ID>",
			"action": "GET",
			"parameters": {},
			"headers": {
				"opc-principal": [
					"{\"tenantId\":\"ocid1.tenancy.oc1..<unique_ID>\",\"subjectId\":\"ocid1.user.oc1..<unique_ID>\",\"claims\":[{\"key\":\"pstype\",\"value\":\"natv\",\"issuer\":\"authService.oracle.com\"},{\"key\":\"h_host\",\"value\":\"iaas.r2.oracleiaas.com\",\"issuer\":\"h\"},{\"key\":\"h_opc-request-id\",\"value\":\"<unique_ID>\",\"issuer\":\"h\"},{\"key\":\"ptype\",\"value\":\"user\",\"issuer\":\"authService.oracle.com\"},{\"key\":\"h_date\",\"value\":\"Wed, 18 Sep 2019 00:10:58 UTC\",\"issuer\":\"h\"},{\"key\":\"h_accept\",\"value\":\"application/json\",\"issuer\":\"h\"},{\"key\":\"authorization\",\"value\":\"Signature headers=\\\"date (request-target) host accept opc-request-id\\\",keyId=\\\"ocid1.tenancy.oc1..<unique_ID>/ocid1.user.oc1..<unique_ID>/8c:b4:5f:18:e7:ec:db:08:b8:fa:d2:2a:7d:11:76:ac\\\",algorithm=\\\"rsa-pss-sha256\\\",signature=\\\"<unique_ID>\\\",version=\\\"1\\\"\",\"issuer\":\"h\"},{\"key\":\"h_(request-target)\",\"value\":\"get /20160918/instances/ocid1.instance.oc1.phx.<unique_ID>\",\"issuer\":\"h\"}]}"
				],
				"Accept": [
					"application/json"
				],
				"X-Oracle-Auth-Client-CN": [
					"splat-proxy-se-02302.node.ad2.r2"
				],
				"X-Forwarded-Host": [
					"compute-api.svc.ad1.r2"
				],
				"Connection": [
					"close"
				],
				"User-Agent": [
					"Jersey/2.23 (HttpUrlConnection 1.8.0_212)"
				],
				"X-Forwarded-For": [
					"172.24.80.88"
				],
				"X-Real-IP": [
					"172.24.80.88"
				],
				"oci-original-url": [
					"https://iaas.r2.oracleiaas.com/20160918/instances/ocid1.instance.oc1.phx.<unique_ID>"
				],
				"opc-request-id": [
					"<unique_ID>"
				],
				"Date": [
					"Wed, 18 Sep 2019 00:10:58 UTC"
				]
			}
		},
		"response": {
			"status": "200",
			"responseTime": "2019-09-18T00:10:59.278Z",
			"headers": {
				"ETag": [
					"<unique_ID>"
				],
				"Connection": [
					"close"
				],
				"Content-Length": [
					"1828"
				],
				"opc-request-id": [
					"<unique_ID>"
				],
				"Date": [
					"Wed, 18 Sep 2019 00:10:59 GMT"
				],
				"Content-Type": [
					"application/json"
				]
			},
			"payload": {
				"resourceName": "my_instance",
				"id": "ocid1.instance.oc1.phx.<unique_ID>"
			},
			"message": null
		},
		"stateChange": {
			"previous": null,
			"current": null
		},
		"additionalDetails": {
			"imageId": "ocid1.image.oc1.phx.<unique_ID>",
			"shape": "VM.Standard1.1",
			"type": "CustomerVmi"
		}
	}
}

Oracle Cloud Infrastructure Documentation