Oracle Announcing General Availability of Audit Service Enhancements

By Vimal Kocherla

We're pleased to announce the general availability release of enhancements to the Oracle Cloud Infrastructure Audit Service. 

About the Audit Service

The Audit Service automatically records calls to all supported public API endpoints made via the Console, CLI or SDK. Customers can access audit logs via the Console, CLI or SDK, or by bulk exporting them to their Object Storage from where they can route them to a preferred Security Incident Management system for further analysis. Audit Service is a critical tool for IT and Security Administrators for troubleshooting day-to-day operational and security issues, and for Compliance teams for enabling governance and compliance auditing of OCI tenancies. 

Audit Service Enhancements

Following are the top Audit Service enhancements that will be generally available starting today:

1. State Change Summaries: IT/Security admins need the ability to back trace resource states to investigate issues more effectively. Audit logs will therefore now provide information about the previous and current state of a resource after it has been mutated by a public facing API.

Example -
//"previous" property captures state of a resource before it was mutated. "current" property captures state of a resource after it was mutated "stateChange": { "previous": null, "current": null }

2. Begin and End Audit events for long-running APIs: To provide more visibility into when execution for long-running APIs starts and completes, such APIs e.g. Compute LaunchInstance, will now emit a .Begin event when the API is invoked, and a .End event when the operation completes execution. Example -

// .Begin event emitted when the API is invoked "eventType": "com.oraclecloud.Compute.LaunchInstance.Begin" // .End event emitted when the API completes execution "eventType": "com.oraclecloud.Compute.LaunchInstance.End" 

 3. Error messages for failed API invocations: To provide more insights into 'why' an API call failed, Audit logs will now have a message property that provides information around why an API call failed. Example - 

//"message" property provides insights into "why" an API invocation failed "message": "My_First_Compute_Instance LaunchInstance failed with response 'Unauthorized'" 

Introducing the Audit v2 Schema

Since these enhancements require updates to the Audit schema based on which audit events are logged, we are now introducing a new Audit v2 schema that captures this additional information. Technical documentation for this schema is available here. 

Getting started with Audit Service enhancements

Audit logs with the aforementioned enhancements can be accessed in one of the following ways: 

Console: The Audit Service UX in the console will display audit logs in the Audit v2 schema format. 

ListEventsV2 API: We are also introducing a new ListEventsV2 API for retrieving logs in the new Audit v2 schema format. Technical documentation for this API is available here. 

Please note that the console and the ListEventsV2 API will return logs in both Audit v1 (older format that doesn't support these new enhancements) and Audit v2 schema formats depending on which format a service is emitting audit logs in. For example, audit logs for a service will adhere to the Audit v2 schema if that service supports the Audit v2 schema. If not, audit logs will be returned in the Audit v1 schema. 

Please note that there are no changes to the existing ListEvents API and bulk audit log export functionality - they will continue to return audit logs in the Audit v1 schema for all services, independent of the schema the services are emitting logs in. 

Starting today, Audit v2 schema based logs will be available for Compute, Block Storage, Object Storage, Key Management, Service Gateway, Notifications and Orchestration services in all regions that the Audit Service is available currently. Technical documentation for Audit Service enhancements is available here.