0

Has anyone integrated OCI(Oracle cloud infrastructure) audit logs & OCI service logs to a Security Information and Event Management tool (SIEM,Arcsight). If yes , Where are these logs stored and from where these logs can be instantly accessed.

user2750212
  • 11
  • 2
  • 6

3 Answers3

0

There are a couple of ways you can approach the problem. Audit logs are available via Rest API and SDKs. You can call ListEvents documented here , to retrieve the audit logs. The call will return AuditEvent object as the body. This can be then parsed and ingested in the SIEM.

Alternatively you can raise a bulk export request for Audit log events and you can have them in Object Store bucket, from where the raw files can be pulled and ingested in SIEM.

Similarly you can export the service logs of your choice to an Object Store bucket and retrieve them ingest in SIEM.

Disclosure: I currently work for Oracle, though not directly on Audit/Logging service. Thoughts my own.

Shiva
  • 6,677
  • 4
  • 36
  • 61
0

its a bit late answer but I will leave it here for the benefit of everyone.

There is an architecture pattern that has been created on how to push different types of logs to external sources (one of them is SIEM).

Over the architecture center you can find the details of the pattern mentioned for QRadar but it is valid for any kafka compatible SIEMs.

https://docs.oracle.com/en/learn/oci_ibm_qradar/index.html#configure-ibm-qradar

ahmed sadek
  • 1
  • While this link may answer the question, it is better to include the essential parts of the answer here and provide the link for reference. Link-only answers can become invalid if the linked page changes. - [From Review](/review/late-answers/29892354) – reijerh Sep 23 '21 at 10:36
0

There are multiple ways you can access the logs.

  1. Service Connector >> Object storage >> OCI CLI - to read.
  2. Service Connector >> Streams (public) >> Kafka consumer - write to a file .
  3. Log analytics - List audit events on OCI Cli commands .

Eventually they need to be parsed. ArcSight has a JSON folder parser (Flex connector) which can be used for parsing this log.

einpoklum
  • 118,144
  • 57
  • 340
  • 684
Guna Ranganathan
  • 1
  • Your answer was difficult to read. I'm still not sure I got it right with this edit. Does the last paragraph "eventually they need to etc." belong in the third option? Or is it relevant to all options? I'd try rephrasing and clarifying further. – einpoklum Oct 16 '21 at 17:52