Oracle Cloud Infrastructure (OCI) has introduced a fully managed Logging service (Limited Availability for Selected Customers on Request) which is a highly scalable log management and search platform that simplifies collecting, managing, and exploring your logs.
In this Blog, we go over all the necessary steps to use the OCI logging service & Log Search Console Viewer to ingest and manage the logs generated by Object Storage Service (OSS).
When access to end users are provided on the OCI OSS buckets to read and write objects, one of the key requirement is to monitor the usage pattern and also conduct a routine check on who all are accessing the objects or data stored inside a bucket. This might be required for audit purpose or for security reason to ensure that only the authorized resources are accessing the object or data stored inside an OSS bucket.
For the demonstration purpose, i am creating an OSS bucket named a-demo-bucket, enable OCI Logging Service on this bucket and then upload and download few objects to create some traffic and logging data.
Once the OSS bucket is created successfully, follow the steps mentioned below to enable the Logging for the OSS Bucket a-demo-bucket created in the previous step.
Log Groups are used to Organize and Control access to the logs.
Login to the OCI console and click on the Navigation Menu on the Top Left hand Corner and Then Select the Logging--> Log Management under Solution and Platform section.
Select the Log Groups Tab and Click on the Create Log Group Button and provide a name for the Log Group to be created.
Once the Log Group is created successfully, next step is to enable the logging on the OSS bucket created for this demo. Both Read and Write Log will be enabled to ensure that Both Upload and Download activities will be logged.
Click on the Logs tab and click on the Enable Log.
After the Read and Write logs are successfully enabled, next step is to upload and download objects to the OSS Bucket a-demo-bucket. For this demo, i created a bucket level Pre-authenticated request (PAR) and use the PAR url to upload and download the objects.
How to View and Search OSS Logs from Logging Console Viewer?
Navigate to the Logging--> Log Search under Solution and Platform section to launch the Log Search Console Viewer.
Select the Compartment, Log Groups (Optional), Logs (Read/Write Logs created on the OSS Bucket during the previous step) and select the specific time period to view the logs.
The output from the Log Search Console Viewer can be customized to suit the with the end user requirement using the Modify Filters & Columns option.
In this Example, i am retrieving the information of all the users who has accessed the OSS bucket a-demo-bucket and successfully downloaded the objects using the Pre-authenticated request.
Logs generated for the Logging enabled OCI services are stored in an OSS bucket created inside the compartment selected during the Log Group Creation. The same logs can be downloaded or can be ingested using a third party log analytic tools if required.
Also it is always a best practise to delete the PAR's created on bucket or object level once the use of the PAR url is completed.