Saturday, August 2, 2025

OCI Audit Log Analysis for Oracle Database Events Using CLI

 

🔹 Introduction

Every action in Oracle Cloud Infrastructure (OCI)—from creating a database to stopping a compute instance—is logged in the Audit service. For Oracle DBAs, this is a hidden gem: a way to track who did what, when, and from where.

In this blog, I’ll show you how to extract and analyze audit logs specifically for Oracle Database-related events, using the OCI CLI. You don’t need to set up any logging service—Audit is enabled by default for all OCI tenancies.

🔹 Why DBAs Should Care About Audit Logs

Audit logs help you:

  • 🧾 Track DB system creation, deletion, and restarts

  • 🔐 Identify who accessed or modified DB-related resources

  • 🧯 Investigate incidents or unauthorized changes

  • 💼 Meet compliance and internal audit requirements

🔹 What You’ll Learn

  • Understand what the Audit service records (it is on by default; nothing to enable)

  • Fetch logs using OCI CLI

  • Filter logs for Oracle Database events

  • Decode and interpret log details

  • Optional: Export to CSV or file

🔹 Step 1: Prerequisites

  • OCI CLI installed and configured

  • Know your:

    • Compartment OCID

    • Region

🔹 Step 2: Basic Command to Fetch Audit Logs

oci audit event list \
  --compartment-id <your_compartment_ocid> \
  --start-time 2025-07-25T00:00:00Z \
  --end-time 2025-08-02T23:59:59Z \
  --all

This returns every audit event recorded for the named compartment in that window. Both time parameters are required: --start-time is inclusive and --end-time exclusive, in RFC 3339 format. Events are listed for that compartment only, not for its child compartments, so run the command once per compartment that holds database resources. --all follows the pagination instead of returning only the first page.

🔹 Step 3: Filter for Oracle Database Events Only

Use --query (a JMESPath expression applied to the CLI's JSON output) to keep only database-service events. The CLI renders keys in kebab-case and nests the operation name under each event's data object, so the field is data."event-name", not eventName (the camelCase names appear in the raw audit JSON, for example when logs are exported to Object Storage):

oci audit event list \
  --compartment-id <your_compartment_ocid> \
  --start-time 2025-07-25T00:00:00Z \
  --end-time 2025-08-02T23:59:59Z \
  --all \
  --query 'data[?contains(data."event-name", `Db`) || contains(data."event-name", `Database`)]'

The second clause is needed because Autonomous Database operations (CreateAutonomousDatabase, StopAutonomousDatabase) do not contain the string Db. The match is case-sensitive, and `Db` also catches MySQL HeatWave DB system events (CreateDbSystem, DeleteDbSystem); if both services live in the same compartment, look at the source and event-type fields, which identify the service that emitted the event.

Audit event names are the API operation names, so you can also filter on exact values. Oracle Database service operations a DBA will want to watch:

  • LaunchDbSystem (DB system creation; the Oracle Database API calls this Launch, not Create)

  • UpdateDbSystem

  • TerminateDbSystem

  • DbNodeAction (start, stop, softreset or reset of a DB node; the requested action is in request.parameters, so a stop and a start look identical until you read it)

  • DeleteDbHome

  • CreateAutonomousDatabase, StopAutonomousDatabase, DeleteAutonomousDatabase

🔹 Step 4: Understand Key Fields in Output

Each event the CLI prints has a few top-level fields (event-id, event-time, event-type, source) and a data object holding the detail:

  • data."event-name": the API operation (e.g., DbNodeAction)

  • data.identity."principal-name" and "principal-id": who performed the action; "auth-type" shows how they authenticated

  • data.identity."ip-address": the address the request came from

  • data.request: HTTP action, path, headers and parameters of the request (for DbNodeAction, parameters.action holds STOP, START, RESET or SOFTRESET)

  • data.response: HTTP status, headers and "response-time" (the timestamp at which the response was sent, not an execution duration)

  • event-time: when the event occurred

  • data."resource-id" and data."compartment-name": what was touched and where

🔍 Example (one event as the CLI prints it, trimmed to the fields above; values are illustrative):

{
  "data": {
    "compartment-name": "prod-db",
    "event-name": "DbNodeAction",
    "identity": {
      "ip-address": "103.23.42.11",
      "principal-name": "vignesh.dba@example.com"
    },
    "request": {
      "action": "POST",
      "parameters": { "action": ["STOP"] }
    },
    "response": { "status": "200" }
  },
  "event-time": "2025-08-01T14:02:13Z"
}

🔹 Step 5: Save Audit Logs to File

oci audit event list \
  --compartment-id <your_compartment_ocid> \
  --start-time 2025-07-25T00:00:00Z \
  --end-time 2025-08-02T23:59:59Z \
  --all > db_audit_logs.json

The file has the same structure the CLI prints (a top-level data list), so jq or a short Python script can flatten it to CSV. Keep the raw JSON as well: a flattened row loses the request and response detail you will want during an investigation.

🔹 Advanced: Filter Specific Action (e.g., DB Node Stop Events Only)

A DB system shutdown is recorded as DbNodeAction with the requested action in the request parameters, so filter on the event name and then on the parameter (--start-time and --end-time are still required):

oci audit event list \
  --compartment-id <your_compartment_ocid> \
  --start-time 2025-07-25T00:00:00Z \
  --end-time 2025-08-02T23:59:59Z \
  --all \
  --query 'data[?data."event-name"==`DbNodeAction` && contains(data.request.parameters.action, `STOP`)]'

For Autonomous Database, filter on data."event-name"==`StopAutonomousDatabase` instead. This gives you a focused view of unplanned or unauthorized shutdowns; pair each hit with identity."principal-name" and response.status, since a failed (non-2xx) attempt is as interesting as a successful one.
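The following script ties Steps 3 to 5 and the stop-event filter above together: it loads the JSON that the Step 5 command saves, keeps the database-service events using the same name test as the --query, flattens them to CSV, and flags successful disruptive actions (deletions, terminations, DB node STOP/RESET) performed by anyone outside an allow-list. It is an added example, not code from the original post; the SAMPLE_JSON events are constructed to mimic the CLI's output shape, and ALLOWED_OPERATORS and the "disruptive" classification are this example's own assumptions, not OCI concepts.

```python
"""Flatten saved OCI audit events to CSV and flag disruptive DB actions.

Added example (not from the original post). Reads the JSON written by
`oci audit event list ... --all > db_audit_logs.json`: a top-level "data"
list whose entries use the CLI's kebab-case keys.
"""
import csv
import io
import json
import sys


def _event(time, name, principal, ip, method, params, status, resource=None):
    """Build one event in the CLI's shape (helper for the constructed sample)."""
    return {"event-time": time,
            "data": {"event-name": name, "compartment-name": "prod-db",
                     "resource-id": resource,
                     "identity": {"principal-name": principal, "ip-address": ip,
                                  "auth-type": "natv"},
                     "request": {"action": method, "parameters": params},
                     "response": {"status": status}}}


# Constructed sample input; names, IPs and OCIDs are illustrative.
SAMPLE_JSON = json.dumps({"data": [
    _event("2025-08-01T14:02:13Z", "DbNodeAction", "vignesh.dba@example.com",
           "103.23.42.11", "POST", {"action": ["STOP"]}, "200", "ocid1.dbnode.oc1..ex1"),
    _event("2025-08-01T14:05:40Z", "ListInstances", "ops.user@example.com",
           "103.23.42.12", "GET", {}, "200"),
    _event("2025-08-01T23:41:07Z", "DeleteDbHome", "contractor@example.com",
           "198.51.100.7", "DELETE", {}, "204", "ocid1.dbhome.oc1..ex2"),
    _event("2025-08-02T08:10:00Z", "CreateAutonomousDatabase", "vignesh.dba@example.com",
           "103.23.42.11", "POST", {}, "200", "ocid1.autonomousdatabase.oc1..ex3"),
    _event("2025-08-02T09:00:00Z", "DbNodeAction", "contractor@example.com",
           "198.51.100.7", "POST", {"action": ["START"]}, "200", "ocid1.dbnode.oc1..ex1"),
]})

DB_NAME_MARKERS = ("Db", "AutonomousDatabase")  # same test as the CLI --query
DESTRUCTIVE = {"TerminateDbSystem", "DeleteDbHome", "DeleteAutonomousDatabase",
               "StopAutonomousDatabase"}
DISRUPTIVE_NODE_ACTIONS = {"STOP", "RESET", "SOFTRESET"}
# Assumption for this example: principals expected to stop or delete prod DBs.
ALLOWED_OPERATORS = {"vignesh.dba@example.com"}
FIELDS = ["event_time", "event_name", "principal", "auth_type", "ip",
          "http_action", "node_action", "status", "resource_id", "compartment"]


def load_events(raw_json):
    """Return the event list from saved `oci audit event list` output."""
    return json.loads(raw_json)["data"]


def is_database_event(event):
    """True when the event name mentions Db or AutonomousDatabase."""
    name = event.get("data", {}).get("event-name") or ""
    return any(marker in name for marker in DB_NAME_MARKERS)


def flatten(event):
    """Pull the investigation-relevant fields out of one nested event."""
    d = event.get("data", {})
    ident = d.get("identity") or {}
    req = d.get("request") or {}
    params = req.get("parameters") or {}
    return {"event_time": event.get("event-time", ""),
            "event_name": d.get("event-name", ""),
            "principal": ident.get("principal-name", ""),
            "auth_type": ident.get("auth-type", ""),
            "ip": ident.get("ip-address", ""),
            "http_action": req.get("action", ""),
            "node_action": ",".join(params.get("action") or []),  # DbNodeAction only
            "status": str((d.get("response") or {}).get("status", "")),
            "resource_id": d.get("resource-id") or "",
            "compartment": d.get("compartment-name", "")}


def db_events_to_csv(events):
    """CSV text: header plus one row per database-service event."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    for event in events:
        if is_database_event(event):
            writer.writerow(flatten(event))
    return buf.getvalue()


def is_disruptive(row):
    """Deletion/termination, or a DB node power action other than START."""
    if row["event_name"] in DESTRUCTIVE:
        return True
    return row["event_name"] == "DbNodeAction" and row["node_action"] in DISRUPTIVE_NODE_ACTIONS


def flag_unexpected(events, allowed_principals):
    """Successful (2xx) disruptive DB actions by principals not on the allow-list."""
    return [row for row in map(flatten, filter(is_database_event, events))
            if is_disruptive(row) and row["status"].startswith("2")
            and row["principal"] not in allowed_principals]


if __name__ == "__main__":
    # Usage: python audit_db_events.py [db_audit_logs.json]; default is the sample.
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_JSON
    evts = load_events(raw)
    sys.stdout.write(db_events_to_csv(evts))
    for hit in flag_unexpected(evts, ALLOWED_OPERATORS):
        print(f"ALERT {hit['event_time']} {hit['event_name']} {hit['node_action']} "
              f"by {hit['principal']} from {hit['ip']} on {hit['resource_id']}")
```

Run against the sample, it emits four CSV rows (the compute ListInstances event is dropped) and one ALERT for the DeleteDbHome by contractor@example.com; the contractor's DbNodeAction is not flagged because its parameter is START, and the DBA's STOP is not flagged because the principal is on the allow-list. Point it at your own db_audit_logs.json and the same logic applies; failed (non-2xx) attempts are deliberately left out of the alert list here, so add a second pass for them if you want to see probing as well as damage.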

🔹 Bonus: Combine with Logging Analytics (Optional)

If you’re using OCI Logging Analytics, you can send audit logs to it (they already appear in the Logging service under the _Audit log group, and a Connector Hub connector forwards them) and build custom dashboards. An illustrative query and chart (field names depend on the parser that ingests the audit logs):

  • Query:
    eventName = "LaunchDbSystem" | count by principalName

  • Visualization:
    Top users who created DB systems in the last 30 days

💡 Vignesh’s Tip

Audit retention in OCI is finite (the current OCI Audit documentation states 365 days; older tenancies could set it between 90 and 365), so confirm your tenancy's value with oci audit config get --compartment-id <tenancy_ocid>. If your security policy requires longer retention, archive the logs to Object Storage. The native way is a Connector Hub connector with the _Audit log group as source and a bucket as target; it needs no scheduling. A scheduled CLI job (cron or an OCI Function) that runs the Step 5 command and uploads the file with oci os object put also works.

Whichever route you take, put a retention rule on the bucket so the archived logs cannot be deleted by the same accounts whose actions they record.

🔹 Conclusion

OCI Audit logs are an underrated but powerful tool for DBAs. With a few CLI commands, you gain deep visibility into who’s touching your Oracle Database systems and can track events for auditing, security, and troubleshooting.
