Managing and Searching Logs with Operator Access Control
Learn how to enable logs so that you can view the list of Operator Controls created and in use in a compartment, and monitor operator activities in a cage.
- Enabling Logs and Creating Log Groups with Operator Access Control
  To track Oracle operator activities on your system, learn how to enable logs, and how to create log groups to manage logs.
- Viewing the Enabled Logs in Active State
  Learn how to view the enabled logs in active state.
- Disabling the Enabled Logs
  Learn how to disable the enabled logs.
- Deleting the Enabled Logs
  Learn how to delete the enabled logs.
- Log Format for Operator Access Control
  Learn about the fields that an audit log published in the logging service contains.
- Searching Logs
  To perform a search on logs, use this procedure to specify the fields, time range, and text strings for logs that you want to search.
Enabling Logs and Creating Log Groups with Operator Access Control
To track Oracle operator activities on your system, learn how to enable logs, and how to create log groups to manage logs.
- Log in to your Oracle Cloud Infrastructure tenancy.
- Open the navigation menu. Under Oracle AI Database, click Operator Access Control.
- Click Operator Controls.
- From the list of Operator Controls, click the name of the Operator Control for which you want to enable logs.
- Click the Logs tab.
  You can enable Access Logs and Hypervisor Logs.
  For example, to enable Access Logs, do the following:
  - Click the Actions menu (three dots), and select the Enable log option.
  - Compartment: Select the compartment where you want to create the log.
  - Log Group: Select a log group to which you want to add the log. A log group is a logical container for logs that helps streamline log management, such as applying policies or analyzing related logs.
    If you want to create a new log group, then click Create new group, and provide information for the following fields:
    - Compartment: Select the compartment where you want to place the log group.
    - Name: Provide a name for the log group.
    - Description: Provide a description for the purpose of the log group.
    - Tags: Optionally, add tags to the log group.
  - Log Name: Provide a name for the log that you want to create.
  - Enable legacy archival logs: Enable this option to retain and manage archival logs.
  - (Optional) Click Show Advanced options. Set the Log retention period. Default: 30 days.
  - When you have completed and reviewed your selections, click Enable Log. The log pertaining to the operator control is enabled.
Viewing the Enabled Logs in Active State
Learn how to view the enabled logs in active state.
- Log in to your Oracle Cloud Infrastructure tenancy.
- Open the navigation menu. Under Oracle AI Database, click Operator Access Control.
- Click Operator Controls.
- From the list of Operator Controls, click the name of the Operator Control for which logs are enabled.
- Click the Logs tab.
Disabling the Enabled Logs
Learn how to disable the enabled logs.
- Log in to your Oracle Cloud Infrastructure tenancy.
- Open the navigation menu. Under Oracle AI Database, click Operator Access Control.
- Click Operator Controls.
- From the list of Operator Controls, click the name of the Operator Control for which logs are enabled.
- Click the Logs tab.
You can disable Access Logs and Hypervisor Logs.
For example, to disable Access Logs, click the Actions menu (three dots), and select the Disable log option.
Deleting the Enabled Logs
Learn how to delete the enabled logs.
- Log in to your Oracle Cloud Infrastructure tenancy.
- Open the navigation menu. Under Oracle AI Database, click Operator Access Control.
- Click Operator Controls.
- From the list of Operator Controls, click the name of the Operator Control for which logs are enabled.
- Click the Logs tab.
You can delete Access Logs and Hypervisor Logs.
For example, to delete Access Logs, click the Actions menu (three dots), and select the Delete option.
Log Format for Operator Access Control
Learn about the fields that an audit log published in the logging service contains.
Table 6-1 Audit Log Fields
| Field | Description |
|---|---|
| data | Contains all the data obtained from the Exadata audit logs. |
| data.accessRequestId | Contains the Oracle Cloud Identifier (OCID) of the access request. This identifier is obtained from the access request listing page in the Console. |
| data.message | Contains audit log in the raw format. The audit log format follows the audit logging format as output by the For more information, see the |
| data.systemOcid | The Oracle Cloud Identifier (OCID) of the Exadata system from which the log was collected. |
| data.timestamp | The time stamp, usually in Coordinated Universal Time (UTC), at which the action that the log represents was performed. |
| source | The service that is publishing the log. The source of the log is the |
There are a few additional fields, which are primarily for accounting purposes of the service.
Example 6-1 Operator Access Control Audit Log
{
  "logContent": {
    "data": {
      "accessRequestId": "ocid1.opctlaccessrequest.oc1.ap-chuncheon-1.aaaaaaaaqk67mpzb74nsssg4ppwk7cyg46dwoxegtvhopdp7lxbktpymk4kq",
      "message": "type=PROCTITLE msg=audit(09/08/2021 09:01:24.335:34495595) : proctitle=ps -ef \ntype=PATH msg=audit(09/08/2021 09:01:24.335:34495595) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=2546207 dev=fc:00 mode=file,755 ouid=root ogid=root rdev=00:00 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 \ntype=PATH msg=audit(09/08/2021 09:01:24.335:34495595) : item=0 name=/usr/bin/ps inode=33619160 dev=fc:00 mode=file,755 ouid=root ogid=root rdev=00:00 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 \ntype=CWD msg=audit(09/08/2021 09:01:24.335:34495595) : cwd=/home/b9dc42d68f6e4e26a1d843a4c5e70187 \ntype=EXECVE msg=audit(09/08/2021 09:01:24.335:34495595) : argc=2 a0=ps a1=-ef \ntype=SYSCALL msg=audit(09/08/2021 09:01:24.335:34495595) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x1848d50 a1=0x184c360 a2=0x184c040 a3=0x7ffeec95b760 items=2 ppid=94699 pid=95635 auid=b9dc42d68f6e4e26a1d843a4c5e70187 uid=b9dc42d68f6e4e26a1d843a4c5e70187 gid=opctl_facc1 euid=b9dc42d68f6e4e26a1d843a4c5e70187 suid=b9dc42d68f6e4e26a1d843a4c5e70187 fsuid=b9dc42d68f6e4e26a1d843a4c5e70187 egid=opctl_facc1 sgid=opctl_facc1 fsgid=opctl_facc1 tty=pts0 ses=813000 comm=ps exe=/usr/bin/ps key=(null) \n",
      "status": "",
      "systemOcid": "ocid1.exadatainfrastructure.oc1.ap-chuncheon-1.ab4w4ljr46tyytihmindrbshch3jjhrxxpctq4eiaksakp4kqamluuwkzdga",
      "target": "",
      "timestamp": "2021-09-08T09:01:24.000Z"
    },
    "id": "b3b102aa-daee-4861-8e2c-9014faac9de2",
    "oracle": {
      "compartmentid": "ocid1.tenancy.oc1..aaaaaaaazxdmffivtoe32kvio5e2dcgz24re5rqbkis3452yi2e7tc3x2erq",
      "ingestedtime": "2021-09-08T16:02:26.182Z",
      "loggroupid": "ocid1.loggroup.oc1.ap-chuncheon-1.amaaaaaajobtc3ia3iypuri32bhvrgmosztobwi72wgdofkpfdbyfg4yxlrq",
      "logid": "ocid1.log.oc1.ap-chuncheon-1.amaaaaaajobtc3iahnkkwizgpoakdafmrttikohparjl7icmcfjzkechekfq",
      "tenantid": "ocid1.tenancy.oc1..aaaaaaaazxdmffivtoe32kvio5e2dcgz24re5rqbkis3452yi2e7tc3x2erq"
    },
    "source": "OperatorAccessControl",
    "specversion": "1.0",
    "time": "2021-09-08T16:01:52.989Z",
    "type": "com.oraclecloud.opctl.audit"
  },
  "datetime": 1631116912989
}
Searching Logs
To perform a search on logs, use this procedure to specify the fields, time range, and text strings for logs that you want to search.
Logs are enabled for specific Operator Controls, so the Operator Control is the top-level filter for log searches. You can also search logs by Access Request ID, by the Exadata system where the operator action occurred, or by the time when the action occurred.
The following examples help you understand how to search for specific fields.
- Log in to the Observability & Management console.
- On the left navigation menu, select Logging, and then select Logs.
- Choose the compartment where the logs are stored.
  This provides a list of the logs that were enabled.
- Click the log that you are interested in.
  The log detail page is displayed.
  These logs are always related to a single operator control.
- Click the Explore log tab.
- Click Explore with log search to search for specific logs.
  - Case 1: Searching for actions performed using the approval for a specific access request, ocid.opctlaccessrequest.x, during a period T-start to T-end pertaining to an Operator Control, ocid.opctl.x.
    - Choose Custom from the Filter By Time field.
    - Select Start Date and End Date.
    - Click Search.
      After you search, a set of logs is displayed.
    - Now, for example, add the following search criteria into the Custom filters field.
      data.accessRequestId='ocid.opctlaccessrequest.x'
      This will list the logs matching the search criteria.
  - Case 2: Searching for actions on an Exadata system, ocid.exadata.x, during a period T-start to T-end pertaining to an Operator Control, ocid.opctl.x.
    - Choose Custom from the Filter By Time field.
    - Click Search.
      After you search, a set of logs is displayed.
    - Now, for example, add the following search criteria into the Custom filters field.
      data.systemOcid='ocid.exadata.x'
      This will list the logs matching the search criteria.
  - You can also search the logs by the content. Use the log-content field. For more information, see Searching Logs.
  - To search for specific Linux commands executed, use the Advanced Mode.
    - Create a basic search using the examples given above (case 1 or case 2), and then switch to Advanced Mode.
      For example, to search for all the logs with the action vi, add the following criteria:
      and text_contains(data.message, 'proctitle=vi ', true)
  - When performing a search on the Logging Search page, you can click Show Advanced Mode to enter your own custom log search queries.
    For example:
    search "ocid1.compartment.oc1..x/ocid1.loggroup.oc1.iad.loggroup_x/ocid1.log.oc1.iad.log_x" | data.systemOcid='ocid1.exadata.x' and text_contains(data.message, 'proctitle=vi ', true) | sort by datetime desc
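The same filters can be applied offline to entries exported from the Logging service, and parsing data.message into its audit records gives an exact match on the executed command instead of a substring match on proctitle. The following Python is an added example, not Oracle's code; the names parse_entry and matches, and the sample entry with its placeholder identifiers, are assumptions made for illustration.

```python
import json
import re

# Constructed entry in the format of Example 6-1; OCIDs and auid are placeholders.
SAMPLE_ENTRY = json.dumps({"logContent": {"data": {
    "accessRequestId": "ocid.opctlaccessrequest.x",
    "systemOcid": "ocid.exadata.x",
    "timestamp": "2021-09-08T09:01:24.000Z",
    "message": (
        "type=PROCTITLE msg=audit(09/08/2021 09:01:24.335:34495595) : proctitle=vi /etc/hosts \n"
        "type=EXECVE msg=audit(09/08/2021 09:01:24.335:34495595) : argc=2 a0=vi a1=/etc/hosts \n"
        "type=SYSCALL msg=audit(09/08/2021 09:01:24.335:34495595) : arch=x86_64 syscall=execve "
        "success=yes exit=0 a0=0x1848d50 auid=operator-placeholder tty=pts0 comm=vi "
        "exe=/usr/bin/vi key=(null) \n"),
}, "source": "OperatorAccessControl"}})

# type=<TYPE> msg=audit(<date time>:<serial>) : <key=value body>
RECORD = re.compile(r"type=(\w+) msg=audit\((.*?):(\d+)\) : (.*)")


def parse_entry(raw_json):
    """Flatten one exported log entry into the fields a reviewer filters on."""
    data = json.loads(raw_json)["logContent"]["data"]
    event = {k: data.get(k) for k in ("accessRequestId", "systemOcid", "timestamp")}
    for line in data.get("message", "").splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue  # not an audit record line
        rtype, _when, event["serial"], body = m.groups()
        if rtype == "PROCTITLE":
            event["proctitle"] = body.split("proctitle=", 1)[-1].strip()
        elif rtype == "EXECVE":
            # a0, a1, ... hold argv; arguments containing spaces are not recoverable here
            event["argv"] = re.findall(r"\ba\d+=(\S+)", body)
        elif rtype == "SYSCALL":
            kv = dict(p.split("=", 1) for p in body.split() if "=" in p)
            event.update(exe=kv.get("exe"), auid=kv.get("auid"), success=kv.get("success"))
    return event


def matches(event, system_ocid=None, access_request_id=None, command=None):
    """Offline equivalent of the data.systemOcid, data.accessRequestId and proctitle filters."""
    if system_ocid and event.get("systemOcid") != system_ocid:
        return False
    if access_request_id and event.get("accessRequestId") != access_request_id:
        return False
    argv = event.get("argv") or event.get("proctitle", "").split()
    return command is None or (bool(argv) and argv[0].rsplit("/", 1)[-1] == command)
```

Comparing against argv[0] avoids the false positives and misses of a text match, for example a command invoked by full path such as /usr/bin/vi.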