Audit Service Enhancements Are Now Available

Vimal Kocherla
Product Manager

We are pleased to announce the general availability of enhancements to the Oracle Cloud Infrastructure Audit service.

About Oracle Audit Service

The Audit service automatically records calls to all supported public API endpoints made from the Oracle Cloud Infrastructure Console, CLI, or SDK. Customers can access audit logs through the Console, CLI, or SDK, or by bulk exporting them to an Object Storage bucket, from which they can route them to a preferred Security Incident Management system for further analysis. The Audit service is a critical tool for IT and Security administrators for troubleshooting day-to-day operational and security issues, and for Compliance teams for enabling governance and compliance auditing of Oracle Cloud Infrastructure tenancies.

Audit Service Enhancements

The following top Audit service enhancements are available starting today.

State Change Summaries

IT and Security admins need the ability to back-trace resource states to investigate issues more effectively. Audit logs now provide information about the previous and current state of a resource after it has been mutated by a public-facing API. For example:

// The "previous" property captures the state of a resource before it was mutated. The "current" property captures the state of the resource after it was mutated. In this example, a Compute instance is moved between compartments, so "previous" and "current" hold the old and new compartment for the resource.

  "stateChange": {
      "previous": {
        "Instance": {
          "availabilityDomain": "NfHZ:PHX-AD-1",
          "compartmentId": "ocid1.compartment.oc1..aaaaaaaax2brdepqmzkurnwpjh5pz7diffwtl2nw4kfycz7vcesomi6",
          "definedTags": {},
          "displayName": "instance-20191001-1615",
          "extendedMetadata": {},
          "faultDomain": "FAULT-DOMAIN-1",
          "freeformTags": {
            "instanceowner": "finance",
            "instancegroup": "analytics"
          }
        }
      },
      "current": {
        "Instance": {
          "availabilityDomain": "NfHZ:PHX-AD-1",
          "compartmentId": "ocid1.compartment.oc1..aaaaaaaadb3r2mgpaiwvrkcxnpzxn7v5ngfafwlrh5w6cs66jv3nm4s",
          "definedTags": {},
          "displayName": "instance-20191001-1615",
          "extendedMetadata": {},
          "faultDomain": "FAULT-DOMAIN-1",
          "freeformTags": {
            "instanceowner": "finance",
            "instancegroup": "analytics"
          }
        }
      }
  },
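
The following is an added example, not Oracle's code: one way to reduce a stateChange object to the fields that actually changed, so a reviewer does not have to compare the two snapshots by eye. The function names are assumptions; the sample is trimmed from the example above, with one freeform tag removed from "current" (constructed) to show a key that exists on only one side.

```python
ABSENT = "<absent>"  # marks a key that exists on only one side

def diff_state(previous, current, path=""):
    """Return (path, before, after) for every leaf value that differs."""
    if isinstance(previous, dict) and isinstance(current, dict):
        changes = []
        for key in sorted(set(previous) | set(current)):
            child = f"{path}.{key}" if path else key
            changes += diff_state(previous.get(key, ABSENT),
                                  current.get(key, ABSENT), child)
        return changes
    return [] if previous == current else [(path, previous, current)]

def summarize_state_change(state_change):
    """Diff the "previous" and "current" halves of one stateChange object."""
    return diff_state(state_change.get("previous") or {},
                      state_change.get("current") or {})

# Constructed sample: the page's example, trimmed, with the
# "instancegroup" tag dropped from "current" for illustration.
SAMPLE = {
    "previous": {"Instance": {
        "compartmentId": "ocid1.compartment.oc1..aaaaaaaax2brdepqmzkurnwpjh5pz7diffwtl2nw4kfycz7vcesomi6",
        "displayName": "instance-20191001-1615",
        "freeformTags": {"instanceowner": "finance", "instancegroup": "analytics"},
    }},
    "current": {"Instance": {
        "compartmentId": "ocid1.compartment.oc1..aaaaaaaadb3r2mgpaiwvrkcxnpzxn7v5ngfafwlrh5w6cs66jv3nm4s",
        "displayName": "instance-20191001-1615",
        "freeformTags": {"instanceowner": "finance"},
    }},
}

if __name__ == "__main__":
    for path, before, after in summarize_state_change(SAMPLE):
        print(f"{path}: {before} -> {after}")
```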

Begin and End Audit Events for Long-Running API Operations

Some API operations require a few minutes for the end-to-end operation to complete from the time they are invoked. For example, it takes a few minutes for a Compute instance to be available after the LaunchInstance API operation is invoked. To provide more visibility into when such long-running API operations begin and end, the Audit service now provides a .Begin event when the API operation is invoked, and an .End event when the operation ends. You can identify the Begin and End events for an API operation by using the eventGroupingId property, which has the same value for both events. For example:

// .Begin event emitted when the API is invoked
  "eventType": "com.oraclecloud.ComputeApi.LaunchInstance.begin",
  "cloudEventsVersion": "0.1",
  "eventTypeVersion": "2.0",
  "source": "ComputeApi",
  "eventId": "1b353b0e-1910-4646-99e7-b3c84dcfa6ff",
  "eventTime": "2019-09-27T21:01:29.853Z",
  "contentType": "application/json",
  "data": {
    "eventGroupingId": "b92cf903-ad5c-45c6-8043-6a4ac58cfe23",


// .End event emitted when the API completes execution. Note that the Begin and End events have the same eventGroupingId, which indicates that both events are related and were triggered by the same API invocation.
  "eventType": "com.oraclecloud.ComputeApi.LaunchInstance.end",
  "cloudEventsVersion": "0.1",
  "eventTypeVersion": "2.0",
  "source": "ComputeApi",
  "eventId": "6183a87b-d56b-4656-a336-6d56fd7f3b16",
  "eventTime": "2019-09-27T21:03:16.699Z",
  "contentType": "application/json",
  "data": {
    "eventGroupingId": "b92cf903-ad5c-45c6-8043-6a4ac58cfe23",
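
The following is an added example, not Oracle's code: one way to pair .begin and .end events on data.eventGroupingId, compute how long each operation took, and list operations that began but have no matching end in the batch. The function names are assumptions; the first two sample events use the values shown above, and the third is constructed.

```python
from datetime import datetime, timezone

def _ts(value):
    # eventTime format as shown on the page: 2019-09-27T21:01:29.853Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def correlate(events):
    """Pair .begin/.end events by data.eventGroupingId.

    Returns (completed, unfinished). completed holds
    (grouping_id, operation, seconds); unfinished holds
    (grouping_id, operation, begin_time) for begins with no end."""
    begins, ends = {}, {}
    for ev in events:
        gid = ev.get("data", {}).get("eventGroupingId")
        etype = ev.get("eventType", "")
        if gid is None:
            continue  # event carries no grouping id, nothing to pair
        if etype.endswith(".begin"):
            begins[gid] = ev
        elif etype.endswith(".end"):
            ends[gid] = ev
    completed, unfinished = [], []
    for gid, begin in begins.items():
        operation = begin["eventType"][: -len(".begin")]
        end = ends.get(gid)
        if end is None:
            unfinished.append((gid, operation, begin["eventTime"]))
        else:
            delta = _ts(end["eventTime"]) - _ts(begin["eventTime"])
            completed.append((gid, operation, round(delta.total_seconds(), 3)))
    return completed, unfinished

LAUNCH = "com.oraclecloud.ComputeApi.LaunchInstance"
EVENTS = [  # first two from the page's example; third is constructed
    {"eventType": LAUNCH + ".begin", "eventTime": "2019-09-27T21:01:29.853Z",
     "data": {"eventGroupingId": "b92cf903-ad5c-45c6-8043-6a4ac58cfe23"}},
    {"eventType": LAUNCH + ".end", "eventTime": "2019-09-27T21:03:16.699Z",
     "data": {"eventGroupingId": "b92cf903-ad5c-45c6-8043-6a4ac58cfe23"}},
    {"eventType": LAUNCH + ".begin", "eventTime": "2019-09-27T21:05:00.000Z",
     "data": {"eventGroupingId": "00000000-0000-0000-0000-000000000001"}},
]

if __name__ == "__main__":
    done, pending = correlate(EVENTS)
    print("completed:", done)
    print("no end event seen:", pending)
```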

Error Messages for Failed API Invocations

Audit logs now have a message property that provides information about why an API call failed. For example:

//"message" property provides insights into "why" an API invocation failed
"message": "The following tag namespaces / keys are not authorized or not found: TagNamespace Finance does not exists.\n"

Introducing the Audit v2 Schema

Because these enhancements require updates to the Audit schema for logging audit events, we are introducing a new Audit v2 schema that captures this additional information. For more information, see the documentation.  

Getting Started with Audit Service Enhancements

Customers who use the Audit service can access audit logs with the new enhancements in one of the following ways:

  • Console: You can access Audit v2 schema-based logs by querying for audit logs in the Audit Service UI under Governance (Governance > Audit). Access the logs by clicking the down arrow to the right of each audit event.
  • CLI, SDK, and Terraform: Customers who use the CLI, SDK, and Terraform can access Audit v2 schema-based logs by invoking version 20190901 of the ListEvents API operation. This new version of the operation returns all audit logs in the Audit v2 schema format. For more information, see the API documentation.

Starting today, the following services are emitting logs in the Audit v2 schema format: Compute, Block Volumes, Object Storage, Key Management, NAT Gateway, Service Gateway, Streaming, Notifications and Resource Manager. Audit logs for the remaining services will be converted from the Audit v1 format to the Audit v2 format, leaving blank any Audit v2 schema attributes for which there is no information from the Audit v1 event.

Note: There are no changes to the previous version of the ListEvents API operation (API version 20160918) or the bulk audit log export functionality. Both will continue to return all logs in the Audit v1 schema format. Customers can continue to use Audit v1 logs while they update their automation to process Audit v2 schema-based logs.

Audit service enhancements are now available in all regions. To learn more about the Audit service, see the documentation.
