Oracle Cloud Infrastructure (OCI) audit logs record the events emitted by the OCI Audit service. These logs are available from the Oracle Cloud Console Logging Audit page and are searchable on the Search page with the rest of your logs. From the Console, you can export audit logs in JSON format for a custom time range of at most 14 days.

To export audit logs from OCI, go to the Observability & Management option on the main menu of Console home page and click Audit, choose the filter criteria, choose the time range (14 days at a time), click Apply, and click Export Log data (JSON). The filtered audit logs download in JSON format from there.

Now, what if you need the exported logs in CSV format and need data for more than 14 days? We explore those options in this blog post. Keep in mind that audit logs have a maximum retention period of 365 days.

Prerequisites

We deploy a custom Python script for exporting logs in CSV format for a custom time range, so we need the following prerequisites:

About the script

The script uses the following CLI command for logging-search:

oci logging-search search-logs --search-query 'search "<COMPARTMENT_ID>/_Audit" | sort by datetime desc' --time-start "<START-TIME>" --time-end "<END-TIME>"

This command searches the audit logs in the compartment for the given time range. However, the difference between the start date and end date can’t be more than 14 days.

In the script, the command runs in a loop, once for each day from the start date to the end date. Because there is no limit on how many times you can run the command, the loop can cover the whole range.

The script also uses the pandas library for Python to convert the JSON output of the command into CSV format. Currently, the following fields are part of the output CSV file:

  • Date-Time

  • CompartmentID

  • CompartmentName

  • Message

  • TenantId

  • UserAgent

  • Path

  • Ingested-Time

  • Type

  • ID

You can change these columns by adding more fields to the script.
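The per-day loop and the JSON-to-CSV step described above, as an added example that is not the script from this post or its tutorial. It uses the standard csv module in place of pandas so it runs without dependencies; the JSON field paths in COLUMNS, the timestamp format, and the helper names are assumptions, and the sample response is constructed.

```python
import csv, io, json
from datetime import datetime, timedelta

# CSV column -> dotted path inside one search result (paths are assumptions, not from the post).
COLUMNS = {
    "Date-Time": "datetime", "CompartmentID": "logContent.data.compartmentId",
    "CompartmentName": "logContent.data.compartmentName", "Message": "logContent.data.message",
    "TenantId": "logContent.oracle.tenantid", "UserAgent": "logContent.data.identity.userAgent",
    "Path": "logContent.data.request.path", "Ingested-Time": "logContent.oracle.ingestedtime",
    "Type": "logContent.type", "ID": "logContent.id",
}

def day_windows(start, end):
    """Yield (window_start, window_end) pairs of at most one day covering start..end."""
    while start < end:
        yield start, min(start + timedelta(days=1), end)
        start += timedelta(days=1)

def build_command(compartment_id, start, end):
    """Return the CLI argv for one window; run it with subprocess.run(..., capture_output=True)."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"  # assumed UTC timestamp format
    query = f'search "{compartment_id}/_Audit" | sort by datetime desc'
    return ["oci", "logging-search", "search-logs", "--search-query", query,
            "--time-start", start.strftime(fmt), "--time-end", end.strftime(fmt)]

def dig(obj, path):
    """Follow a dotted path; a missing key or a null parent yields an empty cell."""
    for key in path.split("."):
        obj = obj.get(key) if isinstance(obj, dict) else None
    return "" if obj is None else obj

def to_csv(cli_output):
    """Flatten one search-logs JSON response into CSV text with the columns listed above."""
    results = json.loads(cli_output).get("data", {}).get("results") or []
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(COLUMNS))
    writer.writeheader()
    for item in results:
        writer.writerow({col: dig(item.get("data"), p) for col, p in COLUMNS.items()})
    return buf.getvalue()

# Constructed sample response, not real tenancy data; the second event has a null identity.
SAMPLE = json.dumps({"data": {"results": [
    {"data": {"datetime": 1656633600000, "logContent": {
        "id": "id-1", "type": "constructed.type",
        "oracle": {"tenantid": "constructed-tenant", "ingestedtime": "2022-07-01T00:00:05Z"},
        "data": {"compartmentId": "constructed-cid", "compartmentName": "demo", "message": "ok",
                 "identity": {"userAgent": "agent/1.0"}, "request": {"path": "/constructed"}}}}},
    {"data": {"datetime": 1656637200000, "logContent": {"id": "id-2", "data": {"identity": None}}}},
]}})
```

To add a column, add one entry to COLUMNS; events that lack the field produce an empty cell instead of an error.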

Solution overview

The solution in this use case involves a custom script deployed in Cloud Shell or on an OCI Compute instance with the OCI CLI software developer kit (SDK) installed. Run the custom script deployed on the VM and provide the necessary details as prompted, including the compartment ID and the start and end dates. The script then uses the CLI to get the data from the Audit service and converts that data into CSV format. This process repeats in a loop to gather data for the whole duration, and the result is stored in a file on the VM. For detailed steps about implementing this solution on OCI, see our tutorial.

A graphic depicting the architecture for the solution.

About the services used in this solution

OCI CLI is a small-footprint tool that you can use on its own or with the Console to complete tasks. The CLI provides the same core functionality as the Console with more commands. Some of these commands, such as the ability to run scripts, extend the Console’s functionality. To learn more about the OCI CLI, see the documentation. You can also check the CLI commands of various OCI services in the documentation.

The Audit service automatically records calls to all supported OCI public API endpoints as log events. Currently, all services support logging by Audit. To learn more about OCI Audit service, see the documentation.

Cloud Shell is a web browser-based terminal accessible from the Oracle Cloud Console. Cloud Shell is free to use within monthly tenancy limits and provides access to a Linux shell with a preauthenticated CLI, a pre-authenticated Ansible installation, and many other useful tools. To learn more about Cloud Shell, see the documentation.

Conclusion

In this article, we saw how to use a custom script to export audit logs covering more than 14 days in CSV format. We also discussed how the script works and how the solution works on OCI.

Oracle Cloud Infrastructure provides enterprise features for developers to build modern cloud applications. If you want to try out the steps in this blog for free, I recommend the Oracle Cloud Free Tier with US$300 credits for a 30-day free trial. Free Tier also includes several Always Free services that are available for an unlimited time, even after your free credits expire.