Oracle - Cloud Log Collection Configuration
Overview
Snare Central is offering a convenient way to collect Oracle Cloud Infrastructure (OCI) audit logs and store them in the Snare Central Archive for reporting, analysis and compliance.
Oracle Identity Cloud Service (IDCS), the Identity and Access Management platform is the central point of control for all activities happening in the system. It generates Audit data in response to all administrator and end-user operations such as User Login, Application Access, Password Reset, User Profile Update, CRUD operations on Users, Groups, Applications, etc.
Registering a Client Application
To allow Snare Central to access the IDCS API, Snare Central must be registered as integrated application in the Oracle Identity Cloud Service.
This step is required to obtain the credentials (Client ID and Client Secret) used for authentication in REST API calls. The credentials are equivalent to service credentials (ID and password) that the REST API uses to communicate with Oracle Identity Cloud Service.
In the Oracle Identity Cloud Service administration console, expand the Navigation Menu, go to Identity -> Domains -> Default domain -> Integrated applications
and then click Add Application.
In the Add Application dialog box, select Confidential Application. then Launch Workflow.
In the Add application details section, enter the Name and Description for your Snare Central and click Next.
Select Configure this application as a client now, and then, in the Authorization section that appears, select only Client Credentials as the Allowed Grant Type
Scroll down, and click the Add button below Grant the client access to Identity Cloud Service Admin APIs.
In the Add App Role dialog window, select Identity Domain Administrator in the list and click Add.
Click Next then Finish.
In the General Information, copy the Client ID and the Client Secret, and then click Close.
Click Activate, and then click Activate Application.
Setting up Snare Central - Oracle Cloud Log Collection
Starting from Snare Central v8.6.0, Snare Central can be configured to collect Oracle Cloud Infrastructure audit logs
This capability requires a license with either Oracle Cloud Log Collection(IA_CLOUD_ORACLE) or Cloud Logs Collection (IA_CLOUD) license features.
For more information about the supported Oracle Cloud log types, see: Log Types: Oracle Cloud Infrastructure.
Follow these steps to easily configure Oracle Cloud Infrastructure logs collection via Snare Central UI.
In Snare Central go to System → Administrative Tools → Cloud Log Collection Configuration, and in the list of Cloud Log Providers click Oracle Cloud Infrastructure
Click ADD CLOUD COLLECTION and fill in the configuration details in the popup dialog.
Please prepare the following details that can be obtained from the Oracle Identity Cloud Service (IDCS) administration console:
Domain URL
OCID
Client ID of the application registered in the previous step
Client Secret of the application registered in the previous step
Name - friendly name to easily identify this Oracle Cloud Infrastructure (OCI) logs collector
Enabled - toggle this selector to start/stop log collection from Oracle Cloud. This can also be toggled ON/OFF later, after the setup.
OCI Account Domain URI - copy this value from the Oracle Identity Cloud Service (IDCS) administration console > Domain overview > Domain URL
Friendly OCID Name - the OCID of an Oracle Cloud tenancy is not easily identifiable by its name, this field gives an easily recognizable name. The value of this field will be user-defined e.g. ProphecyAccount1, EmpDB10. This will appear in the System field of the collected logs.
OCI Tenant Instance OCID - copy this value from the Oracle Identity Cloud Service (IDCS) administration console > Domain overview > OCID
Tenant Client ID - copy the Client ID generated in the IDCS console during the Registering a Client Application step
Tenant Client Secret Key - copy the Client Secret generated in the IDCS console during the Registering a Client Application step
Pagination Count - limit the number of logs requested from OCID API in each request, aiding in the efficient management of large datasets. Enter a value between 1 and 1000, recommended default value: 50.
Note - optional field that you may use to note any related information to this OCI Cloud Log Collector.
Optional: Click Test Connection to check if the configuration details you entered are correct.
Toggle Enable to start cloud logs collection
Click Add to save this collector.
Created collector will be listed by name under Oracle Cloud Infrastructure section.
Color-coded health indicator (red-orange-green) shows collection status.
Click on the collector name to see the collector details and status:
Viewing Collected OCI Logs
You can do a quick verification of log collection by doing a quick event search using the filter
In Snare Central, go to Event Search, and use the filter TABLE = 'OCIAuditLog' and SYSTEM = '<Friendly OCID Name>' on the search field.
Updating/Deleting - Oracle Cloud Log Collection Configuration
If you want to update or delete an existing Oracle Cloud - Log Collector that was previously configured, you can simply use Snare Central’s Cloud Log Collection Configuration Web UI and follow the simple steps below.
Troubleshooting Guide
This guide will be your resource for resolving common issues and challenges that you may encounter with Oracle Cloud Infrastructure - Cloud Log Collection.
Oracle Cloud Infrastructure icon is gray in System > Administrative Tools > Cloud Log Collection Configuration Web UI.
Oracle Cloud Log Collector icon is gray and the Status is Not Running (Disabled by configuration)
Oracle Cloud Infrastructure icon is Enabled in System > Administrative Tools > Cloud Log Collection Configuration Web UI but not collecting logs.
References
https://www.ateam-oracle.com/post/identity-cloud-services-audit-event-rest-api