Leveraging Logging Analytics for Oracle Integration Cloud Logging and Monitoring - Part 2

February 15, 2024 | 12 minute read
Royce Fu
Principal Database and O&M Solution Architect
Nolan Trouve
Senior Cloud Engineer

Oracle Integration Cloud is a fully managed, preconfigured environment that gives you the power to integrate your Oracle Cloud Infrastructure applications and services and on-premises applications. As more customers are onboarded to Oracle Cloud Infrastructure (OCI) and run their critical integrations between OCI cloud services, having a robust observability and monitoring solution for Oracle Integration Cloud (OIC) is pivotal for ensuring the efficiency, reliability, and security of Oracle Integration solutions. It enables organizations to maintain oversight over their integrations, diagnose issues promptly, and optimize performance.

In part 1 of this blog, Leveraging Logging Analytics for Oracle Integration Cloud Logging and Monitoring, we talked about the observability and monitoring features for Oracle Integration Cloud (OIC). We can use the OIC metrics data and activity stream log data, and ingest the OIC Design Time Audit Log data into Logging Analytics, to transform raw OIC telemetry data into actionable insights and maximize the operational intelligence and security posture of cloud integration environments.

In this blog, we take a deep dive into the push method, which uses an OIC custom integration to ingest OIC Audit Logs into Logging Analytics.

Architecture Diagram

Figure 1. OIC Audit Log Ingestion Push Method Architecture Diagram

 

Integration connection details

  • Get OIC Audit Logs using OIC REST API endpoint (/ic/api/integration/v1/monitoring/auditRecords) and OAuth2.0 Client Credentials
  • Stage the content of the OIC Audit Log into a stage file
  • (Optional) Push OIC Audit Log stage file into Object Storage bucket using OCI API key
  • Push OIC stage file to Logging Analytics via LA Log Upload REST API /20200601/namespaces/{namespaceName}/actions/uploadLogFile

Step 1. Setup OAuth 2.0 Client Credentials for Oracle Integration Cloud instance

Note: Beginning in March 2023, Oracle began a region-by-region migration of all tenancies to use identity domains. Tenancy owners will be notified two weeks prior to the migration of their tenancy. All IDCS instances in the tenancy will be converted at the same time regardless of the IDCS home region.

Configure the OAuth Client Credentials (required in OIC Gen3; basic authentication is no longer supported for Oracle-defined REST API endpoints in Gen3)

Determine Whether a Cloud Account Uses Identity Domains

To determine whether your cloud account uses identity domains, open the Oracle Cloud Infrastructure navigation menu, and click Identity & Security. Under Identity, check for Domains:

Figure 2. Determine Whether a Cloud Account Uses Identity Domains

 

My cloud account uses IDCS, so the steps below follow the IDCS procedure:

Authentication and authorization in Oracle Integration is managed by Oracle Identity Cloud Service. Oracle Integration REST APIs as well as REST endpoints exposed in integrations are protected using OAuth token-based authentication.

Oracle Integration supports various OAuth authentication grant types. We will use the Client Credentials grant type to authenticate and get authorization to the Oracle Integration Cloud service. This grant type is used by applications that need to access their own resources rather than act on behalf of a particular user. It is suitable for machine-to-machine communication where an application needs to access services or data without human interaction. You don't need to share usernames and passwords with clients or manage user passwords that expire.

OAuth Client Credentials Flow

Figure 3. OAuth 2.0 Client Credentials Flow Diagram

 

Note: Oracle Integration Cloud also supports other OAuth authentication grant types, such as Authorization Code and JWT User Assertion.

Oracle Integration REST APIs, integrations with REST adapters, and integrations with application adapters exposing REST endpoints are protected using OAuth.

  • The trusted application provides access to REST endpoints in Oracle Integration. You register a trusted application with Oracle Identity Cloud Service for each Oracle Integration instance. This trusted application provides access to the OAuth protected REST endpoints in Oracle Integration.
  • Clients use the trusted application client ID and secret. You provide clients with the client ID and client secret of your trusted application along with the Oracle Identity Cloud Service URL, and the Oracle Integration instance scope. The scope represents all the resources the trusted application can access. In the case of Oracle Integration, the scope provides access to all REST APIs and REST APIs exposed in integrations.
  • Clients get an access token. With the information you provide clients, each client can request an authorization code and access token from Oracle Identity Cloud Service. The authorization code is short-lived. Once the client receives the authorization code, it exchanges the code for an access token. Each user has a different access token. The access token contains information about the client application and who the end user is.
  • Clients use the access token to access Oracle Integration REST APIs. The client application uses the access token it received from Oracle Identity Cloud Service to call Oracle Integration REST APIs or REST endpoints exposed in integrations.
  • Clients can refresh expired access tokens. If an access token expires, the client can refresh it. Access tokens expire after one hour by default, but you can change this in the trusted application configuration.
  • Identity Domain Administrators can revoke access tokens for users. If security issues arise, you can revoke the access token for a specific user.

The OAuth Client Configuration in IDCS Trusted Application:

Figure 4. IDCS Trusted Application for OAuth Client Credentials

 

Test the OIC REST API endpoint using Postman

Once you have the Trusted Application created and configured with OAuth, you can start to test the REST API endpoint via Postman.

  • URL: https://<oicgen2-instance-name>.integration.ocp.oraclecloud.com/ic/api/integration/v1/monitoring/auditRecords
  • Grant type: Client Credentials
  • Auth URL: https://<IDCS_URL>.identity.oraclecloud.com/oauth2/v1/authorize
  • Access Token URL: https://<IDCS_URL>.identity.oraclecloud.com/oauth2/v1/token
  • Client ID: Retrieve from the trusted application page
  • Client Secret: Retrieve from the trusted application page
  • Scope: https://<OIC_INSTANCE_ID>.integration.ocp.oraclecloud.com:443urn:opc:resource:consumer::all
  • Client Authentication: Send client credentials in body
Figure 5. OIC AuditRecords REST API testing using Postman

 

Postman test result:

Figure 6. Postman OIC AuditRecords API test result

 
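The same two requests Postman sends with the settings above, written out as an added Python example (not code from the original post). The function names and the OIC_CLIENT_ID / OIC_CLIENT_SECRET environment variable names are assumptions; the host arguments are the full host names from the list above.

```python
import json
import os
import urllib.parse
import urllib.request

TOKEN_PATH = "/oauth2/v1/token"  # Access Token URL path from the list above
AUDIT_PATH = "/ic/api/integration/v1/monitoring/auditRecords"

def oic_scope(instance_id):
    # Scope as written on the page: instance URL with :443, then the URN, no separator.
    return (f"https://{instance_id}.integration.ocp.oraclecloud.com:443"
            "urn:opc:resource:consumer::all")

def build_token_request(idcs_host, client_id, client_secret, scope):
    # Client Credentials grant with the credentials in the form body
    # ("Send client credentials in body"), so no Authorization header is set.
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials", "scope": scope,
        "client_id": client_id, "client_secret": client_secret}).encode()
    return urllib.request.Request(
        f"https://{idcs_host}{TOKEN_PATH}", data=form, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})

def parse_token_response(raw):
    # Fail closed on an OAuth error document or a non-Bearer token.
    doc = json.loads(raw)
    if "access_token" not in doc or doc.get("token_type", "").lower() != "bearer":
        raise ValueError("token request failed: " + str(doc.get("error", "unexpected response")))
    return doc["access_token"], int(doc.get("expires_in", 0))

def build_audit_request(oic_host, access_token):
    # The access token goes in the Authorization header of the auditRecords call.
    return urllib.request.Request(
        f"https://{oic_host}{AUDIT_PATH}", method="GET",
        headers={"Authorization": f"Bearer {access_token}",
                 "Accept": "application/json"})

def fetch_audit_records(idcs_host, oic_host, instance_id):
    # Assumed env var names; keeps the client secret out of source and shell history.
    req = build_token_request(idcs_host, os.environ["OIC_CLIENT_ID"],
                              os.environ["OIC_CLIENT_SECRET"], oic_scope(instance_id))
    with urllib.request.urlopen(req, timeout=30) as resp:
        token, _expires_in = parse_token_response(resp.read())
    with urllib.request.urlopen(build_audit_request(oic_host, token), timeout=30) as resp:
        return json.loads(resp.read())
```

Only fetch_audit_records touches the network; the request builders can be inspected offline to confirm what is sent before real credentials are used.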

Step 2. Create Connections in Oracle Integration Cloud

  • Log in to the OIC Gen2 service console
  • Create OIC connection to interact with Oracle Integration Cloud API – OAuth Client Credentials
    • Select Integrations within Oracle Integration
    • Select Connections
    • Create a Connection using the REST Adapter
    • Connection Type: REST API Base URL
    • Connection URL: https://<oicgen2-instance-name>.integration.ocp.oraclecloud.com
    • Security: OAuth Client Credentials
    • Access Token URI: https://<IDCS_URL>.identity.oraclecloud.com/oauth2/v1/token
    • Client Id
    • Client Secret
    • Scope: https://<OIC_INST_ID>.integration.ocp.oraclecloud.com:443urn:opc:resource:consumer::all
    • Client Authentication: Send client credentials in body
    • Click Test and Save
Figure 7. OIC OAuth Client Credentials Connection Configuration

 

  • Create OIC connection to interact with OCI Logging Analytics API – OCI API Signature
Figure 8. OCI Logging Analytics UploadLogFile REST API Connection via OCI API Key

 

Step 3. Create Oracle Integration Cloud Audit Log Source in OCI Logging Analytics

Logging Analytics GitHub community Repo for OIC

  • Download the OIC AuditLog log source from log-sources
  • Import the OIC Audit Log log source in OCI Logging Analytics
  • Select Import Configuration Content from Logging Analytics Administration
Figure 9. Logging Analytics Import Configuration Content Item

 

  • Select the downloaded Oracle Integration Cloud log source zip file and import
Figure 10. Select the downloaded Oracle Integration Audit Log Source zip file

 

  • Select Sources and search for “Integration”; you will find the imported OCI Integration Audit Logs source
Figure 11. OCI Integration Audit Logs Source

 

Step 4. Create Custom Integration in Oracle Integration Cloud

With all the ingredients ready, you can start to create the custom integration flow.

Figure 12. OIC Custom Integration to Push Audit Logs to Logging Analytics

 

  • Retrieve OIC Audit Log records from the Oracle Integration Cloud via REST API endpoint
    • Configure REST connection endpoint to Fetch Audit Logs
    • Configure Query Parameter
    • Configure REST response
    • Verify the configuration summary
Figure 13. OIC REST Endpoint response

 

Figure 14. OIC REST Endpoint Verify Configuration Summary

 

  • Save the OIC Audit Log records in JSON format
    • Add and configure Stage File Action
    • Specify the Filename
    • Configure Schema options
    • Specify the JSON Format
    • Configuration Summary for Stage File
Figure 15. Stage File Action Specify the Filename

 

Figure 16. Stage File Action Summary

 

  • Send the OIC Audit Log records JSON file to OCI Logging Analytics
    • Logging Analytics REST Endpoint Configuration
    • Provide Query Parameter
    • Configure the Payload
    • Configure the Logging Analytics log group id in the request header
    • REST Endpoint Configuration Summary
Figure 17. Logging Analytics UploadLogFile REST API Endpoint Configuration

 

Figure 18. Logging Analytics UploadLogFile REST API Summary

 

Step 5. Explore Oracle Integration Cloud Audit Log in Logging Analytics

  • Kick off the Custom Integration to Push the OIC Audit Records to Logging Analytics
Figure 19. Kick off the OIC Custom Integration to Push Audit Log to Logging Analytics

 

  • Check the details of the custom integration
  • Check the result of the invocation of Fetching Audit Records from OIC
  • Expand each step for more details
  • Verify the Audit Records from OIC REST API
Figure 20. Check the Custom Integration Invocation Details

 

  • Verify the OIC Audit Log records are successfully ingested and parsed within OCI Logging Analytics
Figure 21. Use Logging Analytics Log Explore Query OIC Audit Logs

 

  • Visualize the OIC Audit Logs in Dashboard
Figure 22. Oracle Integration Audit Log Analysis Sample Dashboard

 

Reference

Acknowledgements

  • Contributor: Nolan Trouvé

 

Royce Fu

Principal Database and O&M Solution Architect

Royce Fu is the Principal Database Solution Architect of the North America Cloud Technology and Engineering Team. Royce's area of specialty is core Database Technology and OCI O&M, especially in Database Platform Engineering, Architecture, and Integration. He started his career as a Java software engineer and spent over a decade in database engineering and architecture.

Nolan Trouve

Senior Cloud Engineer

Nolan is a Cloud Engineer in the North America Cloud Adoption Engineering team. He has been with Oracle since 2019 and held several different roles within the Cloud Engineering organization, including two years as an Oracle Integration product specialist. Today he helps accelerate some of OCI’s most strategic clients’ journey to the cloud by driving customer adoption and utilization.

