Oracle OCI Infrastructure Audit/Logs
Captures Oracle OCI infrastructure logs and audit logs
Oracle OCI infrastructure event logs can be captured and ingested into the Ascent platform. The steps are outlined below:
Configure log capture in OCI by creating a log group and including the desired logs.
Create the OCI capture function using the example Python code and the OCI function interface.
Create an OCI connector service connecting the log group to the function.
Activate the process by invoking the function.
Create the Log Group and Configure Log Inclusion
In the OCI portal, go to Logging -> Log Groups.
Create a log group.
Configure the logs into the log group from Resources.
Activate the logs by enabling the log with the enable-log button.
Create OCI Function
Create the custom OCI function starting from the OCI portal function UI.
Follow the Getting Started menu on the right-hand side.
Select Python and create the OCI boilerplate code.
Replace the files in the function directory with the files (func.py, func.yaml, requirements.txt) from the GitHub directory: https://github.com/logiqai/Oracle-OCI-Infrastructure-Log-Capture/tree/main
Update the following fields inside the file func.yaml:
The endpoint address, for example https://loadtest.apica.io:443/v1/json_batch
Namespace and Appname, which are needed for labeling the logs. These labels are used for retrieving the logs in the Ascent platform.
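To show what the capture function does with these fields, here is an added example (not the repository's func.py) that validates the configuration, labels a Service Connector batch, and builds the HTTPS POST. The config key names (ENDPOINT, NAMESPACE, APPNAME) and the record field names sent to the json_batch endpoint are assumptions.

```python
import json
import urllib.request
from urllib.parse import urlparse

# Assumed configuration key names; the real ones are set in the repository's func.yaml.
REQUIRED_KEYS = ("ENDPOINT", "NAMESPACE", "APPNAME")
# Constructed sample of a connector batch (not real log data).
SAMPLE = b'[{"time": "2024-01-01T00:00:00Z", "type": "constructed.example"}, "junk"]'

def load_config(cfg):
    """Validate function configuration and refuse a non-TLS endpoint."""
    missing = [k for k in REQUIRED_KEYS if not cfg.get(k)]
    if missing:
        raise ValueError("missing config: " + ", ".join(missing))
    url = urlparse(cfg["ENDPOINT"])
    if url.scheme != "https" or not url.hostname:
        raise ValueError("ENDPOINT must be an https:// URL")
    return cfg["ENDPOINT"], cfg["NAMESPACE"], cfg["APPNAME"]

def label_batch(raw, namespace, appname):
    """Turn a connector payload (one log entry or a JSON array) into labeled records."""
    entries = json.loads(raw)
    if isinstance(entries, dict):
        entries = [entries]
    records = []
    for entry in entries:
        if not isinstance(entry, dict):
            continue  # skip malformed items instead of failing the whole batch
        records.append({
            "namespace": namespace,       # assumed field names for the
            "application_name": appname,  # receiving json_batch endpoint
            "timestamp": entry.get("time"),
            "message": json.dumps(entry, sort_keys=True),
        })
    return records

def build_request(endpoint, records):
    """Build (not send) the HTTPS POST carrying the labeled batch."""
    body = json.dumps(records).encode("utf-8")
    return urllib.request.Request(endpoint, data=body, method="POST",
                                  headers={"Content-Type": "application/json"})

def handler(ctx, data=None):
    """OCI Functions entry point; ctx.Config() carries the function's config values."""
    endpoint, namespace, appname = load_config(dict(ctx.Config()))
    records = label_batch(data.getvalue(), namespace, appname)
    if records:
        urllib.request.urlopen(build_request(endpoint, records), timeout=10).close()
    return json.dumps({"forwarded": len(records)})
```

Rejecting a plain-http endpoint at startup keeps audit records from leaving the tenancy unencrypted because of a typo in func.yaml.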
Create OCI Connector Service
Go to Logging -> Service Connector inside the OCI portal.
On the Service Connector page, configure the Compartment name, Log Group, and Logs created earlier.
For sending Audit Logs, click +Another Log while using the same Compartment, and replace the Log Group with the text _Audit.
For the target configuration, select the Compartment, Function application, and Function.
It is necessary to create the policy at the bottom of the Connector service page; everything can be set to default.
At the end, click Create at the bottom of the page to finish creating the connector service.
References
OCI Infrastructure Service Connector Hub - https://blogs.oracle.com/cloud-infrastructure/post/oracle-cloud-infrastructure-service-connector-hub-now-generally-available
Available OCI infrastructure logs - https://docs.oracle.com/en-us/iaas/Content/Logging/Reference/service_log_reference.htm#service_log_reference
OCI logging in general - https://docs.oracle.com/en-us/iaas/Content/Logging/home.htm