
Audit the actions performed on Object Storage using OCI: Observability & Management – Logging Analytics : Part 2


This is the continuation of part 1, where we discussed the use case and the creation of the pre-requisites.


Here's the link to access -



In this part we will discuss the actual resource creation and the exercise itself.


Audit actions performed on Object Storage using Logging Analytics:


This exercise has a series of steps which need to be followed -


  • Creation of Log Group

  • Creation of Object Storage.

  • Enable Read, Write logs for Object Storage.

  • Creation of Log Group in Logging Analytics.

  • Creation of Service Connector.

  • Creation of Entities in Logging Analytics.

  • Use Logging Explorer to explore the logs ingested into Logging Analytics – Log Groups.

  • Creation of Dashboards.


Please note that all the activities from now on are performed by the user under the SuperAdmins group.


Creation of Log Group:


A Log Group under Logging needs to be created to ingest the logs enabled for Object Storage. It needs to be created under the LE-OnM compartment.



Creation of Object Storage:


Let’s create an Object Storage bucket as below, with the Emit Object Events feature enabled.



Enable Read, Write logs for Object Storage:


Enable the Read Access Events and Write Access Events logs available under Resources -> Logs.



Hit the Not enabled toggle to enable the logs.

Select the Log Group created in the previous step for storing the access event logs.



Once enabled, it would look as below –



Creation of Log Group in Logging Analytics:


Steer to Logging Analytics -> Administration to create Log Groups. A Log Group under Logging Analytics is required to ingest the logs received from the Log Groups under the Logging service.


Create a Log Group as below -




Creation of Service Connector:


A Service Connector needs to be created to push the logs from Logging -> Log Groups to Logging Analytics -> Log Groups.



Under the Configure Service Connector section, the source would be Logging and the target would be Logging Analytics.




The logs configured for the Read & Write access events of the Object Storage bucket need to be selected as the source under the Configure Source section, as shown above.




The target would be the Log Group under Logging Analytics -> Log Group -> LE-Bucket-Audit.

A policy is required for this Service Connector to be allowed to upload to that Log Group; it can be created as part of the Service Connector creation, as you see in the image above.



Proceed with the Service Connector creation.

Following is the policy created as part of the Service Connector creation. Note that although it grants any-user, the where clause restricts it to requests whose principal is a service connector in the named compartment, and only for the one Logging Analytics Log Group –



allow any-user to {LOG_ANALYTICS_LOG_GROUP_UPLOAD_LOGS} in compartment id ocid1.compartment.oc1..****** where all {request.principal.type='serviceconnector', target.loganalytics-log-group.id='ocid1.loganalyticsloggroup.oc1.ap-hyderabad-1.******', request.principal.compartment.id='ocid1.compartment.oc1..*******'}



Creation of Entities in Logging Analytics:


An Entity of type Object Storage needs to be created under Logging Analytics. Only once the entity is created will it be available under Log Explorer for exploring the logs.



Use Logging Explorer to explore the logs ingested into Logging Analytics – Log Groups:



Select the appropriate Log Group compartment, Region & the Entity created to get the logs.

Edit the Log Explorer query to suit our needs. In our case, I just want to display the insert or delete operations performed on the Object Storage bucket we created.


* and Action = PUT or DELETE | fields -Label, -'Problem Priority', -'Host Name (Server)', 'Host IP Address (Client)', Principal, Action
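The same filter and field projection as the Log Explorer query above, applied locally to a few constructed records. This is an added example, not code from the original post or from OCI; the record shape and field names (data.action, data.principal, data.clientIp, data.object) are assumptions made for the example and do not claim to match the real Object Storage log schema.

```python
import json
from collections import Counter

# Constructed sample lines in the general shape of OCI Object Storage
# read/write access logs. Field names are assumptions for this example,
# not the real log schema. One line is deliberately malformed.
SAMPLE_LOG_LINES = """
{"data": {"action": "GET", "principal": "ocid1.user.oc1..alice", "clientIp": "10.0.1.5", "object": "report.csv"}}
{"data": {"action": "PUT", "principal": "ocid1.user.oc1..alice", "clientIp": "10.0.1.5", "object": "report.csv"}}
{"data": {"action": "DELETE", "principal": "ocid1.user.oc1..bob", "clientIp": "203.0.113.9", "object": "backup.tar"}}
{"data": {"action": "HEAD", "principal": "ocid1.user.oc1..bob", "clientIp": "203.0.113.9", "object": "backup.tar"}}
this line is not JSON and must not abort the audit
{"data": {"action": "DELETE", "principal": "ocid1.user.oc1..bob", "clientIp": "203.0.113.9", "object": "old.log"}}
""".strip()

# Mirrors "Action = PUT or DELETE" in the Log Explorer query.
AUDITED_ACTIONS = frozenset({"PUT", "DELETE"})


def parse_records(text):
    """Yield one parsed record per line, skipping blank or malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue  # skip, rather than lose the rest of the audit


def audit_write_actions(text, actions=AUDITED_ACTIONS):
    """Return (principal, client_ip, action, object) for PUT/DELETE records,
    i.e. the filter plus the 'fields' projection of the query."""
    rows = []
    for rec in parse_records(text):
        data = rec.get("data", {})
        if data.get("action") in actions:
            rows.append((data.get("principal"), data.get("clientIp"),
                         data["action"], data.get("object")))
    return rows


def actions_per_principal(rows):
    """Count audited actions per (principal, action): a dashboard-style summary."""
    return Counter((principal, action) for principal, _ip, action, _obj in rows)


if __name__ == "__main__":
    rows = audit_write_actions(SAMPLE_LOG_LINES)
    for row in rows:
        print(row)
    print(actions_per_principal(rows))
```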


Select the appropriate display options for the results.



Creation of Dashboards:



Click on Actions as shown above, hit Save As, use the Create New Dashboard option and save it as in the image below –



Steer to Dashboards and select the dashboard just created.



Filter the date parameters as per our requirement to project the data, and use the options available under Actions to download the data in CSV or any other format required.






Thanks for going through this; please leave a comment if you have any queries or if you want me to test any new scenario.


