What is Oracle Cloud Infrastructure Audit?
Oracle Audit is a web service that automatically records calls to public application programming interface (API) endpoints for your Oracle Cloud Infrastructure tenancy. The service creates audit log events for each of these calls that can be viewed, retrieved, stored, and analyzed. These log events include information such as the ID of the caller, the target resource, the time of the recorded event, request parameters, and response parameters. You can access log events using the API, the Console, and the Java Software Development Kit (SDK).
What are the benefits of Oracle Cloud Infrastructure Audit?
The main benefit of Oracle Audit is to provide visibility into activities related to your Oracle Cloud Infrastructure resources and tenancy. Audit log events can be used for security audits, to track usage of and changes to Oracle Cloud Infrastructure resources, and to help ensure compliance with standards or regulations.
Is Oracle Cloud Infrastructure Audit available by default?
Yes. By default, Oracle Audit is turned on for every tenant. You cannot turn it off. Every tenant administrator has access to read audit log events in every compartment in the tenancy. To allow other groups of users to view and manage audit logs, you must configure a policy using Oracle Identity and Access Management (IAM).
How do I consume log events created by the Oracle Cloud Infrastructure Audit service?
Who should have access to the audit logs?
By default, the tenant administrator has full access to the audit logs for the tenancy. Oracle Audit integrates with IAM to support a rich policy language that gives the administrator the flexibility to grant READ access to other groups. Typically, you would create, for each compartment, a group of users that you allow to access the audit log events for that compartment.
What is the retention period for Oracle Audit logs? Can I change the default retention period?
Oracle Audit stores logs for 365 days. The 365-day period starts from the time an event is processed and logged. If you want to store logs beyond 365 days, you can use the Java SDK to make a copy and archive the logs independently. However, you cannot change the default retention period.
How do I aggregate log files across compartments?
You can download audit log events from each compartment by using the Java SDK. The current API can only be used to filter log events and cannot be used for bulk transfer of log events or streaming log events.
What is the cost of Oracle Cloud Infrastructure Audit?
Oracle Cloud Infrastructure customers are entitled to Oracle Audit at no additional charge.
Audit Event Processing
What information is available in Oracle Audit log events?
A log file consists of a list of log events. Each log event reflects API activity on public API endpoints. Log events contain information about what happened, when it happened, and who did it.
A log event provides information to identify: the user who called the API, the time the activity occurred, the source IP, the region, and the request and response. For more information about the log event schema, see the documentation.
How long does it take to process and deliver an audit event into the log file?
It typically requires 15 minutes from the occurrence of the event to delivery of the log event to the Oracle Audit log file.
How often does Oracle Cloud Infrastructure Audit deliver audit events?
Oracle Audit typically delivers events every five minutes.
Service and Region Support
What services are supported by Oracle Cloud Infrastructure Audit?
At release, Oracle Block Volumes, Compute, Database, Identity and Access Management, Load Balancing, and Networking use Oracle Audit to log events.
Are Oracle Audit events recorded for all regions?
Yes, Oracle Audit records events across all regions.
Oracle Audit Library
What is the Oracle Audit Processing SDK?
The Oracle Audit Processing SDK is a Java library that helps simplify building an application to enumerate and download audit log events. For more information, see the Oracle Audit SDK file.
What functionality does the Oracle Audit Processing SDK provide?
The Oracle Audit Processing SDK enables you to write an application that accesses the audit log events in all the compartments to which you have access. You can then use the SDK to enumerate events processed for a compartment during a specific time range.
We recommend you retrieve a maximum of one week of log events at a time. Using the SDK to perform a transfer of log events over an extended period of time is not recommended due to the size of the download.
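The archiving procedure described above (copy logs out before the 365-day retention ends, at most one week per retrieval, allowing for the typical 15-minute delivery delay) can be planned as follows. This is an added example, not Oracle code and not part of the SDK; it is written in Python for illustration, and fetch_events, store, and the compartment names are hypothetical stand-ins for your own SDK wrapper and storage.

```python
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=365)       # page: logs are kept for 365 days
MAX_WINDOW = timedelta(days=7)        # page: retrieve at most one week at a time
DELIVERY_LAG = timedelta(minutes=15)  # page: typical delay before an event is logged

def plan_windows(last_archived_end, now):
    """Return (windows, lost): half-open [start, end) pulls and the span already expired."""
    oldest = now - RETENTION          # anything older has aged out of the service
    newest = now - DELIVERY_LAG       # anything newer may not be delivered yet
    lost = max(oldest - last_archived_end, timedelta(0))
    start = max(last_archived_end, oldest)
    windows = []
    while start < newest:
        end = min(start + MAX_WINDOW, newest)
        windows.append((start, end))
        start = end
    return windows, lost

def archive(compartments, last_archived_end, now, fetch_events, store):
    """Pull every window for every compartment; return the new checkpoint.

    fetch_events(compartment, start, end) and store(compartment, start, end, events)
    are hypothetical callables supplied by the caller (e.g. wrapping the SDK and
    an object store); they are not part of any Oracle API.
    """
    windows, lost = plan_windows(last_archived_end, now)
    if lost:
        print(f"WARNING: {lost} of audit history expired before it was archived")
    for compartment in compartments:
        for start, end in windows:
            store(compartment, start, end, fetch_events(compartment, start, end))
    # Advance the checkpoint only after every compartment succeeded.
    return windows[-1][1] if windows else last_archived_end

if __name__ == "__main__":
    now = datetime(2024, 1, 31, 12, 0, tzinfo=timezone.utc)   # constructed clock
    fake_fetch = lambda c, s, e: [{"compartment": c, "eventTime": s.isoformat()}]
    archived = []
    checkpoint = archive(["compartment-a", "compartment-b"],  # constructed names
                         now - timedelta(days=20), now, fake_fetch,
                         lambda c, s, e, ev: archived.append((c, s, e, len(ev))))
    print(len(archived), "pulls; next run starts at", checkpoint)
```

Persist the returned checkpoint and pass it as last_archived_end on the next run; a non-zero "lost" value means the archive job was idle longer than the retention period and part of the audit trail can no longer be recovered from the service.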