Enable Access to Logging Analytics and Its Resources
Set up your Oracle Cloud Infrastructure tenancy to use Oracle Logging Analytics by performing these prerequisite configuration tasks.
Oracle Logging Analytics is a regional service. Before you get started, select a region that you want to use. You can follow these steps for each region that you want to set up, but each region will be a different instance. Select your region by using the region selector in the upper right corner of the console.
Topics:
For policies to perform specific tasks and a complete reference of the policy requirements in Logging Analytics, see IAM Policies Catalog for Logging Analytics.
You can use the readily available templates to create a policy for a user group or dynamic group to perform a specific operation or a collection of operations. See Oracle-defined Policy Templates for Common Use Cases.
If you enabled Oracle Logging Analytics using the onboarding UI which is available when you navigate to the service for the first time, then some policies are already created. See Policies Created While Onboarding Logging Analytics.
Enable Access from Logging Analytics to Its Features Family
A service-level IAM policy must be created to enable the Oracle Logging Analytics service to operate. Create policies by using standard Oracle Cloud Infrastructure IAM Policies and add the following policy statement to it.
Policy Statement | Description |
---|---|
allow service loganalytics to READ
loganalytics-features-family in tenancy |
Allow the Oracle Logging Analytics service READ access rights of the family loganalytics-features-family across the tenancy. |
Some of the above policy statements are included in the readily available Oracle-defined policy templates. You may want to consider using the template for your use case. See Oracle-defined Policy Templates for Common Use Cases.
For policies to perform specific tasks and a complete reference of the policy requirements in Logging Analytics, see IAM Policies Catalog for Logging Analytics.
If you enabled Oracle Logging Analytics using the onboarding UI which is available when you navigate to the service for the first time, then some policies are already created. See Policies Created While Onboarding Logging Analytics.
Identify OCI Compartments to Place the Logging Analytics Resources
Use compartments to create resources of Oracle Logging Analytics like entities and log groups. Fine tune the access to the compartments for better user access control.
You can use existing compartments or you can create new ones specifically forOracle Logging Analytics. You can create multiple compartments to give different sets of users access to different parts of the product or log data. For more guidance on how compartments work, see Managing Compartments in Oracle Cloud Infrastructure Documentation.
Resources in Oracle Logging Analytics must reside in the compartments. When you create any of the following resources, you must select the compartment that they will be in:
Resource | Access Control Using Oracle IAM Policies |
---|---|
Entities |
You can control who can enable or disable log collection for a specific entity |
Log Groups |
You can control who can search the logs after they have been collected, enriched, and indexed. |
Purge Policies |
You can control who can stop or change the purge policy definition. |
Object Storage Collection Rules |
You can control who can stop or change the collection rule. |
For policies to perform specific tasks and a complete reference of the policy requirements in Logging Analytics, see IAM Policies Catalog for Logging Analytics.
If you enabled Oracle Logging Analytics using the onboarding UI which is available when you navigate to the service for the first time, then some policies are already created. See Policies Created While Onboarding Logging Analytics.
Create User Groups to Implement Access Control
Create one or more user groups to grant varying levels of access to the users depending on how you want to use Oracle Logging Analytics.
A user who is a member of Administrators group will have full access to all the features of Oracle Logging Analytics. See The Administrators Group, Policy, and Administrator Roles.
Recommended User Groups
It is recommended that you create the user groups similar to the following examples to get started:
- Logging-Analytics-Users: The users that you add to this group will be able to query the logs and see various configurations. However, they cannot enable or disable log collection, change configurations, or delete logs.
- Logging-Analytics-Admins: The users that you add to this group will have Logging-Analytics-Users privileges and additionally can create or edit sources, parsers, entities, and log groups. These users can also enable or disable log collection. However, they cannot purge logs.
- Logging-Analytics-SuperAdmins: The users in this group have the privileges of Logging-Analytics-Admins and can additionally perform lifecycle activities such as onboarding and offboarding from Oracle Logging Analytics, and purging logs.
Note that the above groups are shown as examples, and will be used for creating IAM policies in this documentation. However, you can create the user groups based on your needs.
Aggregate Resource-Types in Logging Analytics
The following two families allow you to grant bulk access without having to assign individual permissions to each user group. For most cases, you can use these to simplify the management of your Oracle Logging Analytics policies.
- loganalytics-features-family to control the features that a
user has access to, and the actions that the user can perform using Console,
REST API, CLI, or SDK.
loganalytics-features-family and the resources contained in it can be set only at the tenancy level, not per compartment.
- loganalytics-resources-family to control the access that the
user has for creating, reading, updating, and deleting the resources such as
entities, log groups, purge policies, and object store collection rules.
This family and the resources contained in it can be granted access for the whole tenancy or for a specific compartment.
For policies to perform specific tasks and a complete reference of the policy requirements in Logging Analytics, see IAM Policies Catalog for Logging Analytics.
If you enabled Oracle Logging Analytics using the onboarding UI which is available when you navigate to the service for the first time, then some policies are already created. See Policies Created While Onboarding Logging Analytics.
Grant Access to User Groups
Create policies by using standard Oracle Cloud Infrastructure IAM Policies to define how your user groups can use Oracle Logging Analytics.
If you want to quickly try out Oracle Logging Analytics without managing groups and policies, a user who is a member of the Administrators group will have full access to all features. See The Administrators Group, Policy, and Administrator Roles.
To set up the policy according to the example groups in Create User Groups to Implement Access Control, apply the following sets of policies in Oracle Cloud Infrastructure IAM Policies feature:
Policy | Description |
---|---|
For Logging-Analytics-SuperAdmins user group: |
|
|
Allow the group Logging-Analytics-SuperAdmins to have the MANAGE access rights of the family loganalytics-features-family across the tenancy. This policy will enable rights to perform every task in the service including offboarding, deleting logs, setting up archiving, etc. |
OR
|
Allow the group Logging-Analytics-SuperAdmins to have MANAGE access rights of the family loganalytics-resources-family across the tenancy or in specific compartment. This policy will enable rights to perform any task in the service on any resource-type that belongs to the family loganalytics-resources-family. |
|
Allow the group Logging-Analytics-SuperAdmins to have the all the access rights for the Management Dashboard family of resources in the tenancy. You could change from tenancy to specific compartments. |
|
Allow the group Logging-Analytics-SuperAdmins to get the list of available compartments for the log groups that the group may have access to. This is required for using the Log Explorer. |
For Logging-Analytics-Admins user group: |
|
|
Allow the group Logging-Analytics-Admins to have the USE access rights of the family loganalytics-features-family across the tenancy. |
OR
|
Allow the group Logging-Analytics-Admins to have USE access rights of the family loganalytics-resources-family across the tenancy or in specific compartment. Allow this group to view, create, edit, or delete the resources in the family loganalytics-resources-family. |
OR
|
Allow the group Logging-Analytics-Admins to have the all the access rights for the Management Dashboard family of resources in the tenancy. You could change from tenancy to specific compartments. |
|
Allow the group Logging-Analytics-Admins to get the list of available compartments for the log groups that the group may have access to. This is required for using the Log Explorer. |
For Logging-Analytics-Users user group: |
|
|
Allow the group Logging-Analytics-Users to have the READ access rights of the family loganalytics-features-family across the tenancy. |
OR
|
Allow the group Logging-Analytics-Users to have READ access rights of the family loganalytics-resources-family across the tenancy. You could change from tenancy to specific compartments. Allow this group to view details of the resources in the family loganalytics-resources-family. User cannot create, edit, or delete any of them. |
OR
|
Allow the group Logging-Analytics-Users to have the USE access rights for the Management Dashboard family of resources in the tenancy. You could change from tenancy to specific compartments. |
|
Allow the group Logging-Analytics-Users to get the list of available compartments for the log groups that the group may have access to. This is required for using the Log Explorer. |
You can add compartment-specific policy statements for any number of compartments that you want to create for organizing the resources like entities and log groups. These resources can also be in different compartments altogether. It is not necessary that all the resource instances of different types be in the same compartment. However, you may find it easier to manage if you can minimize the number of compartments used.
Instead of using the resources family, you can also specify a policy that is at the individual resource level. For example:
Policy | Description |
---|---|
|
Users in DBA group can create, edit, or delete entities and enable or disable log collection for entities in Databases compartment. |
|
Users in DBA group can create, edit, or delete log groups and query the logs that are stored in Databases compartment. |
Some of the above policy statements are included in the readily available Oracle-defined policy templates. You may want to consider using the template for your use case. See Oracle-defined Policy Templates for Common Use Cases.
For policies to perform specific tasks and a complete reference of the policy requirements in Logging Analytics, see IAM Policies Catalog for Logging Analytics.
If you enabled Oracle Logging Analytics using the onboarding UI which is available when you navigate to the service for the first time, then some policies are already created. See Policies Created While Onboarding Logging Analytics.
Enable Logging Analytics
After completing the prerequisite tasks such as creating user groups, creating compartments, and defining access policies for the user groups, you can access Oracle Logging Analytics and enable it for use.
To enable Oracle Logging Analytics, you must be a member of the Administrators group. See The Administrators Group, Policy, and Administrator Roles.
-
Open the navigation menu, click Observability & Management, and then click Logging Analytics.
-
If this is the first time that you are using the service in this region, you will land on an on-boarding page that will give you some high level details of the service and an option to start using Oracle Logging Analytics service. Click Start Using Logging Analytics.
The Enable Logging Analytics dialog box is displayed. Here, the minimum required policies and log group are created if they don't exist already.
-
Click Next. The OCI Audit Log collection is configured.
The check box Include _Audit in subcompartments is enabled by default. You can disable it, if required. Based on your preference, the policies are created and suitable actions performed.
Click Next.
-
After the on-boarding is complete, click Take me to Log Explorer.
You can now explore Oracle Logging Analytics.
To view the list of policies created in the above process, see Policies Created While Onboarding Logging Analytics.