Introduction:
Observability & Management has recently added a new feature, Logging Analytics, which brings a whole lot of features to explore. This is basically Oracle Management Cloud (OMC) brought into OCI. OMC used to be a separate entity, but it is about to reach its end of life (31st Jan 2024) and has been added to OCI as a service, which is actually a good thing: it allows seamless integration with various other services in OCI. Oracle Logging Analytics is a cloud solution in Oracle Cloud Infrastructure that lets us index, enrich, aggregate, explore, search, analyse, correlate, visualise and monitor all log data from our applications and system infrastructure, on cloud or on-premises.
Business Case & Advantage:
In this paper we discuss how to:
Set up policies for enabling Logging Analytics and its features.
Set up users, groups and policies to enable or use various Logging Analytics features.
Audit actions performed on Object Storage using Logging Analytics and present them as a dashboard that can be used for any audit purpose.
The solution discussed in this article brings fine-grained auditing of individuals who change data stored in Oracle Cloud Object Storage. It not only makes the audit log review process easy but also provides a hawk-eye view through a custom-designed dashboard. Consolidated log data can be viewed through the dashboard in a single location, with custom filters as per the customer's requirements. This makes the data-change audit process easy and accessible on demand, which in turn reduces manual effort and saves cost in terms of effort and man-hours.
Assumptions:
We assume root-level access on the tenancy, to enable Logging Analytics and to create the domains, users, groups and policies needed to use Logging Analytics and its features.
Business Case Architecture – Auditing an Object Storage using Logging Analytics:

Creation of Compartment & Domain:
Let's start by creating a compartment named LE-OnM for our exercise. Please note that the activities below are performed by a user with root-level access until explicitly mentioned otherwise.

Let's create a domain named OnM-LE to hold all the groups, users and policies pertaining to this demo. We use the Free domain type in this exercise.

We'll see the domain as active once it is created. We have to make sure to create the groups, users and policies in this compartment.

Creation of Groups, Users & Policies:
Our aim is to create 3 groups, SuperAdmins, Admins and Users, each with a different level of access to Logging Analytics.
Users: The users that you add to this group will be able to query the logs and see various configurations. However, they cannot enable or disable log collection, change configurations, or delete logs.
Admins: The users that you add to this group will have Logging-Analytics-Users privileges and additionally can create or edit sources, parsers, entities, and log groups. These users can also enable or disable log collection. However, they cannot purge logs.
SuperAdmins: The users in this group have the privileges of Logging-Analytics-Admins and can additionally perform lifecycle activities such as onboarding and offboarding from Oracle Logging Analytics, and purging logs.
Below is the creation of the SuperAdmins group:

Similarly, the other two groups were also created.

Moving on to policies, two policies need to be created: one at the tenancy level and one at the compartment level. A few statements need to be granted at the tenancy level for SuperAdmins access; the rest can be granted at the compartment level. Please note that policies granted at the tenancy level need root-level access.
Tenancy level Policies:
The below policies need to be granted under the root compartment.
allow group OnM-LE/LE-OnM-SuperAdmins to MANAGE loganalytics-features-family in tenancy
allow group OnM-LE/LE-OnM-SuperAdmins to MANAGE loganalytics-resources-family in tenancy
allow group OnM-LE/LE-OnM-SuperAdmins to read compartments in tenancy
Compartment level Policies:
The below policies need to be granted under our LE-OnM compartment.
allow group OnM-LE/LE-OnM-SuperAdmins to MANAGE loganalytics-features-family in compartment LE-OnM
allow group OnM-LE/LE-OnM-SuperAdmins to MANAGE loganalytics-resources-family in compartment LE-OnM
allow group OnM-LE/LE-OnM-SuperAdmins to MANAGE management-dashboard-family in compartment LE-OnM
allow group OnM-LE/LE-OnM-SuperAdmins to manage all-resources in compartment LE-OnM
allow group OnM-LE/LE-OnM-SuperAdmins to read compartments in compartment LE-OnM
allow group OnM-LE/LE-OnM-Admins to use loganalytics-features-family in compartment LE-OnM
allow group OnM-LE/LE-OnM-Admins to use loganalytics-resources-family in compartment LE-OnM
allow group OnM-LE/LE-OnM-Admins to manage management-dashboard-family in compartment LE-OnM
allow group OnM-LE/LE-OnM-Admins to read compartments in compartment LE-OnM
allow group OnM-LE/LE-OnM-Users to read loganalytics-features-family in compartment LE-OnM
allow group OnM-LE/LE-OnM-Users to read loganalytics-resources-family in compartment LE-OnM
allow group OnM-LE/LE-OnM-Users to use management-dashboard-family in compartment LE-OnM
allow group OnM-LE/LE-OnM-Users to read compartments in compartment LE-OnM
allow group OnM-LE/LE-OnM-SuperAdmins to manage all-resources in compartment LE-OnM
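Before pasting a statement list like the one above into the console, it is worth reviewing it for redundant or overly broad grants. The following is an added example, not code from this article or from Oracle: a small Python check over the compartment-level statements that flags exact duplicates and grants already covered by a `manage all-resources` statement, and reports the strongest verb each group holds. The function names are hypothetical, and the regular expression assumes only the simple "allow group ... to ... in ..." form used on this page.

```python
import re

VERBS = ["inspect", "read", "use", "manage"]  # OCI verbs, least to most privileged
STMT = re.compile(r"allow\s+group\s+(\S+)\s+to\s+(\w+)\s+([\w-]+)\s+in\s+(tenancy|compartment\s+\S+)", re.I)
# Compartment-level statements exactly as listed on this page.
POLICY = """
allow group OnM-LE/LE-OnM-SuperAdmins to MANAGE loganalytics-features-family in compartment LE-OnM
allow group OnM-LE/LE-OnM-SuperAdmins to MANAGE loganalytics-resources-family in compartment LE-OnM
allow group OnM-LE/LE-OnM-SuperAdmins to MANAGE management-dashboard-family in compartment LE-OnM
allow group OnM-LE/LE-OnM-SuperAdmins to manage all-resources in compartment LE-OnM
allow group OnM-LE/LE-OnM-SuperAdmins to read compartments in compartment LE-OnM
allow group OnM-LE/LE-OnM-Admins to use loganalytics-features-family in compartment LE-OnM
allow group OnM-LE/LE-OnM-Admins to use loganalytics-resources-family in compartment LE-OnM
allow group OnM-LE/LE-OnM-Admins to manage management-dashboard-family in compartment LE-OnM
allow group OnM-LE/LE-OnM-Admins to read compartments in compartment LE-OnM
allow group OnM-LE/LE-OnM-Users to read loganalytics-features-family in compartment LE-OnM
allow group OnM-LE/LE-OnM-Users to read loganalytics-resources-family in compartment LE-OnM
allow group OnM-LE/LE-OnM-Users to use management-dashboard-family in compartment LE-OnM
allow group OnM-LE/LE-OnM-Users to read compartments in compartment LE-OnM
allow group OnM-LE/LE-OnM-SuperAdmins to manage all-resources in compartment LE-OnM
"""

def parse(text):
    """Return (group, verb, resource, scope) tuples; reject lines outside this simple grammar."""
    stmts = []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = STMT.fullmatch(line)
        if m is None:
            raise ValueError(f"unsupported statement: {line}")
        group, verb, resource, scope = m.groups()
        stmts.append((group, verb.lower(), resource.lower(), " ".join(scope.split())))
    return stmts

def lint(stmts):
    """Flag exact duplicates and grants already covered by 'manage all-resources' (same group and scope)."""
    broad = {(g, s) for g, v, r, s in stmts if (v, r) == ("manage", "all-resources")}
    seen, findings = set(), []
    for st in stmts:
        if st in seen:
            findings.append(("duplicate", st))
        elif st[2] != "all-resources" and (st[0], st[3]) in broad:
            findings.append(("covered-by-all-resources", st))
        seen.add(st)
    return findings

def highest_verb(stmts, group, resource):
    """Strongest verb a group holds on a resource family (all-resources counts), or None."""
    held = [VERBS.index(v) for g, v, r, _ in stmts if g == group and r in (resource, "all-resources")]
    return VERBS[max(held)] if held else None
```

Calling `lint(parse(POLICY))` returns the findings in statement order, and `highest_verb` confirms the intended ladder for the Logging Analytics families: Users hold `read`, Admins `use`, SuperAdmins `manage`.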
User Creation:
In this demo we use only a user created under the SuperAdmins group to perform the audit of Object Storage. Let's go ahead and create a user under this SuperAdmins group.

Part 2 is the continuation of this article, where we continue with the creation of the actual resources and the exercise itself.
Here's the URL for Part 2 -