Oracle - Cloud Log Collection Configuration

Overview

Snare Central is offering a convenient way to collect Oracle Cloud Infrastructure (OCI) audit logs and store them in the Snare Central Archive for reporting, analysis and compliance.

Oracle Identity Cloud Service (IDCS), the Identity and Access Management platform is the central point of control for all activities happening in the system. It generates Audit data in response to all administrator and end-user operations such as User Login, Application Access, Password Reset, User Profile Update, CRUD operations on Users, Groups, Applications, etc.

image-20240310-231419.png

Registering a Client Application

To allow Snare Central to access the IDCS API, Snare Central must be registered as integrated application in the Oracle Identity Cloud Service.
This step is required to obtain the credentials (Client ID and Client Secret) used for authentication in REST API calls. The credentials are equivalent to service credentials (ID and password) that the REST API uses to communicate with Oracle Identity Cloud Service.

  1. In the Oracle Identity Cloud Service administration console, expand the Navigation Menu, go to Identity -> Domains -> Default domain -> Integrated applications

    and then click Add Application.

image-20240208-203419.png

 

  1. In the Add Application dialog box, select Confidential Application. then Launch Workflow.

 

  1. In the Add application details section, enter the Name and Description for your Snare Central and click Next.

 

  1. Select Configure this application as a client now, and then, in the Authorization section that appears, select only Client Credentials as the Allowed Grant Type

 

  1. Scroll down, and click the Add button below Grant the client access to Identity Cloud Service Admin APIs.

  2. In the Add App Role dialog window, select Identity Domain Administrator in the list and click Add.

 

  1. Click Next then Finish.

  2. In the General Information, copy the Client ID and the Client Secret, and then click Close.

 

  1. Click Activate, and then click Activate Application.

 

Setting up Snare Central - Oracle Cloud Log Collection

Starting from Snare Central v8.6.0, Snare Central can be configured to collect Oracle Cloud Infrastructure audit logs

This capability requires a license with either Oracle Cloud Log Collection(IA_CLOUD_ORACLE) or Cloud Logs Collection (IA_CLOUD) license features.

For more information about the supported Oracle Cloud log types, see: Log Types: Oracle Cloud Infrastructure.

Follow these steps to easily configure Oracle Cloud Infrastructure logs collection via Snare Central UI.

  1. In Snare Central go to System → Administrative Tools → Cloud Log Collection Configuration, and in the list of Cloud Log Providers click Oracle Cloud Infrastructure

  1. Click ADD CLOUD COLLECTION and fill in the configuration details in the popup dialog.

Please prepare the following details that can be obtained from the Oracle Identity Cloud Service (IDCS) administration console:

  • Domain URL

  • OCID

  • Client ID of the application registered in the previous step

  • Client Secret of the application registered in the previous step

  • Name - friendly name to easily identify this Oracle Cloud Infrastructure (OCI) logs collector

  • Enabled - toggle this selector to start/stop log collection from Oracle Cloud. This can also be toggled ON/OFF later, after the setup.

  • OCI Account Domain URI - copy this value from the Oracle Identity Cloud Service (IDCS) administration console > Domain overview > Domain URL

  • Friendly OCID Name - the OCID of an Oracle Cloud tenancy is not easily identifiable by its name, this field gives an easily recognizable name. The value of this field will be user-defined e.g. ProphecyAccount1, EmpDB10. This will appear in the System field of the collected logs.

  • OCI Tenant Instance OCID - copy this value from the Oracle Identity Cloud Service (IDCS) administration console > Domain overview > OCID

  • Tenant Client ID - copy the Client ID generated in the IDCS console during the Registering a Client Application step

  • Tenant Client Secret Key - copy the Client Secret generated in the IDCS console during the Registering a Client Application step

  • Pagination Count - limit the number of logs requested from OCID API in each request, aiding in the efficient management of large datasets. Enter a value between 1 and 1000, recommended default value: 50.

  • Note - optional field that you may use to note any related information to this OCI Cloud Log Collector.

  1. Optional: Click Test Connection to check if the configuration details you entered are correct.

  2. Toggle Enable to start cloud logs collection

  3. Click Add to save this collector.

Created collector will be listed by name under Oracle Cloud Infrastructure section.
Color-coded health indicator (red-orange-green) shows collection status.
Click on the collector name to see the collector details and status:

Viewing Collected OCI Logs

You can do a quick verification of log collection by doing a quick event search using the filter

  1. In Snare Central, go to Event Search, and use the filter TABLE = 'OCIAuditLog' and SYSTEM = '<Friendly OCID Name>' on the search field.

Updating/Deleting - Oracle Cloud Log Collection Configuration

If you want to update or delete an existing Oracle Cloud - Log Collector that was previously configured, you can simply use Snare Central’s Cloud Log Collection Configuration Web UI and follow the simple steps below.

Step 1. Go to Snare Central and navigate to System > Administrative Tools > Cloud Log Collection Configuration.

 

Step 2. Select Oracle Cloud Infrastructure and Click the Oracle Cloud Log Collector that you want to update.
The collector details panel will open on the right-hand side.
Click the Edit icon on the top right of the details panel.

 

Step 3. In the Edit screen, you can update the configuration and optionally do a Test Connection to check if the updated configuration can successfully connect to the Log Analytics API, then simply click the SAVE button to save the updated configuration.

 

Step 1. Go to Snare Central and navigate to System > Administrative Tools > Cloud Log Collection Configuration.

Step 2. Select Oracle Cloud Infrastructure and Click the Oracle Cloud Collector that you want to delete.
The collector details panel will open on the right-hand side.

Click the Delete icon on the top right of the details panel.

Troubleshooting Guide

This guide will be your resource for resolving common issues and challenges that you may encounter with Oracle Cloud Infrastructure - Cloud Log Collection.

  1. Oracle Cloud Infrastructure icon is gray in System > Administrative Tools > Cloud Log Collection Configuration Web UI.

When the Oracle Cloud Infrastructure icon in the Cloud Log Providers list is gray, it is possible that the Snare Central license does not have Oracle Cloud Log Collection(IA_CLOUD_ORACLE) or Cloud Logs Collection (IA_CLOUD) license features.

 

You can check it via navigating to Status > Snare Health Checker or click the heart icon in the lower left corner of Snare Central scroll down to Snare Central License and select Show Details to view the License Information.

 

If there is no IA_CLOUD or IA_CLOUD_ORACLE in the License Information, you need the correct license with IA_CLOUD or IA_CLOUD_ORACLE. Once you have the correct license, click the License Page button.

 

In the License Update page, click the Browse button, navigate to the correct license, and click the Load License button.

 

Wait for a while then navigate to System > Administrative Tools > Cloud Log Collection Configuration and you should be able to see the Oracle Cloud Infrastructure icon is now green and you should be able to Add Oracle Cloud Collection.

 

  1. Oracle Cloud Log Collector icon is gray and the Status is Not Running (Disabled by configuration)

When your configured Oracle Cloud Log Collector icon is gray, it is possible that the log collector is disabled during configuration or toggled off.

 

Select the Oracle Cloud Log Collector and check if Status: Not Running (Disabled by configuration)

 

To enable Oracle Cloud Log Collector, toggle the Enable button beside its name in Cloud Log Providers or the one in the upper right corner beside the Edit icon. Then click Confirm in the pop-up dialog box.

 

Once toggled on, the configured Oracle Cloud Log Collector icon should be green and enabled.

Snare Central will now start collecting ORACLE CLOUD Logs.

 

  1. Oracle Cloud Infrastructure icon is Enabled in System > Administrative Tools > Cloud Log Collection Configuration Web UI but not collecting logs.

The possible cause is invalid credentials(expired/incorrect). You can go to Edit and run a Test Connection

.

If “connection failed”(or any type of error) is encountered, check the correctness of your credentials in your cloud setup. You can refer to the user guide above for (re)generating credentials.

References

https://www.ateam-oracle.com/post/identity-cloud-services-audit-event-rest-api

System for Cross-domain Identity Management: Protocol

https://www.oracle.com/webfolder/technetwork/tutorials/obe/cloud/idcs/idcs_rest_postman_obe/rest_postman.html