Oracle Cloud Infrastructure (OCI) Logging Analytics is a powerful service that helps organizations aggregate, analyze, and act on log data from across their OCI resources. In this guide, we’ll walk through setting up Logging Analytics to detect and alert on suspicious activities, using Terraform for automation and a real-world example for context.
Step 1: Enable OCI Logging Analytics
1. Navigate to the OCI Console:
Go to Observability & Management > Logging Analytics.
2. Create a Log Group:
```bash
# The CLI service name is "log-analytics"; the Logging Analytics namespace
# (usually your tenancy name) is a required parameter of the create call.
oci log-analytics log-group create \
  --namespace-name <your-logging-analytics-namespace> \
  --compartment-id <your-compartment-ocid> \
  --display-name "Security-Logs" \
  --description "Logs for security monitoring"
```
Step 2: Ingest Logs from OCI Audit Service
Configure the OCI Audit service to forward logs to Logging Analytics:
Create a Service Connector:
```hcl
resource "oci_sch_service_connector" "audit_to_la" {
  compartment_id = var.compartment_ocid
  display_name   = "Audit-to-Logging-Analytics"

  # Source: the OCI Audit service exposes its events through the
  # built-in "_Audit" log group of each compartment; read it from the
  # tenancy (root compartment) to capture audit events tenancy-wide.
  source {
    kind = "logging"
    log_sources {
      compartment_id = var.tenant_ocid
      log_group_id   = "_Audit"
    }
  }

  # Target: the Logging Analytics log group created in Step 1.
  target {
    kind         = "loggingAnalytics"
    log_group_id = oci_logging_analytics_log_group.security_logs.id
  }
}
```
Step 3: Create Custom Detection Rules
Example: Detect repeated failed login attempts (brute-force attacks).
- Use OCI Query Language (OCIQL):
```
SELECT *
FROM AuditLogs
WHERE eventName = 'Login' AND action = 'FAIL'
GROUP BY actorName
HAVING COUNT(*) > 5
```
- Set Up Alerts:
Configure an OCI Notification topic to trigger emails or PagerDuty alerts when the rule matches.
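The same brute-force rule, expressed as detection logic you can run offline against exported audit events before wiring it into Logging Analytics. This is an added example, not code from the post; the sample events are constructed and use the field names from the query above (eventName, action, actorName). Real OCI Audit v2 records nest these under a "data" object with different names, so the extractor would need adapting for a live export.

```python
import json
from collections import Counter, defaultdict

# Constructed sample events (not real audit data): six failed logins for
# "alice" from one IP, one success, one failure for "bob", and a non-login
# failure for "carol" that the rule must ignore.
SAMPLE_EVENTS = [
    json.dumps({"eventName": "Login", "action": "FAIL",
                "actorName": "alice", "ipAddress": "203.0.113.7"})
    for _ in range(6)
] + [
    json.dumps({"eventName": "Login", "action": "SUCCESS",
                "actorName": "alice", "ipAddress": "203.0.113.7"}),
    json.dumps({"eventName": "Login", "action": "FAIL",
                "actorName": "bob", "ipAddress": "198.51.100.2"}),
    json.dumps({"eventName": "ListBuckets", "action": "FAIL",
                "actorName": "carol", "ipAddress": "198.51.100.9"}),
]

THRESHOLD = 5  # the "> 5" cut-off from the query above


def failed_logins_by_actor(lines):
    """Mirror the WHERE/GROUP BY: keep Login/FAIL events, count per actorName,
    and remember the source IPs so the alert carries them."""
    counts = Counter()
    ips = defaultdict(set)
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip a malformed line instead of aborting the batch
        if ev.get("eventName") == "Login" and ev.get("action") == "FAIL":
            actor = ev.get("actorName", "<unknown>")
            counts[actor] += 1
            ips[actor].add(ev.get("ipAddress", "?"))
    return counts, ips


def brute_force_alerts(lines, threshold=THRESHOLD):
    """Apply the HAVING clause: one alert per actor with more than
    `threshold` failed logins, most frequent first."""
    counts, ips = failed_logins_by_actor(lines)
    return [{"actor": a, "failures": n, "source_ips": sorted(ips[a])}
            for a, n in counts.most_common() if n > threshold]


if __name__ == "__main__":
    for alert in brute_force_alerts(SAMPLE_EVENTS):
        print(f"ALERT brute-force: {alert['actor']} had {alert['failures']} "
              f"failed logins from {alert['source_ips']}")
```

Feeding the same records through the Logging Analytics rule should produce the same single hit for "alice"; if the counts differ, the ingestion mapping (Step 2) rather than the rule is the first place to look.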
Step 4: Visualize with Dashboards
Create a dashboard to monitor security events:
- Metrics: Failed logins, API calls from unusual IPs.
Enjoy
Osama