Oracle Cloud Infrastructure Logging Analytics Quick Start Guide


2024-11-26


Before You Begin

Oracle Logging Analytics service is a highly scalable, reliable, and real-time log analysis solution. Logging Analytics automates the collection of historic and real-time logs from any on-premises or cloud resource. For more information on this service, see About Logging Analytics.

This guide provides a very simple walk-through to get started with Logging Analytics service. In about 10 minutes, you will set up Logging Analytics, ingest OCI Audit Logs by automatically creating a service connector, review aggregated data in a dashboard and explore the available logs in the Log Explorer.

For a quick start guide to get started with Logging Analytics and set up continuous log collection by installing Management Agent on your host, see Tutorial – OCI Logging Analytics: Set Up Continuous Log Collection.

Background

    A log source is the built-in definition of where log files are located and how to collect, mask, parse, extract and enrich the collected log data.

    An entity refers to a real asset on your on-premises host where a Management Agent is installed. Each entity has an entity type, of over 100 pre-defined or any custom-created types.

    Each log is assigned to a log group and this property is used to define who has access to query the logs.

    A user of Logging Analytics associates a log source to an entity to initiate the continuous log collection process through the OCI Management Agents. The concept of source-entity association only applies to continuous log collection through the agent.

    For more information on these concepts, see Logging Analytics Terms and Concepts.

What Do You Need?

    Log in to an Oracle Cloud account where Logging Analytics is not yet enabled. This user will be set up with the default access to the OCI Audit Logs in your environment.

Dashboards Overview

Take a look at the example dashboard, which is based on the data automatically collected from the OCI Audit Logs during the Logging Analytics enabling process. Depending on the cloud account you used, this data will vary.

Note that this environment has 58 active users and over 3 million OCI Audit Logs collected in the last 14 days. You can see the data by compartments, examine the Trend, and Active Users Per Hour.

Lower on the same page, note some further analysis of the data: correlation and grouping of information to make it easy to identify issues.


Visualize and Explore Log Data

Learn About Logging Analytics User Interface

The interactive data visualizations in Oracle Cloud Logging Analytics enable you to get deeper insights into your log data. Depending on the data you want to filter, group, and compare, you can choose various visualization types, from a rich set of options. This section is an introduction to log exploring and data visualization.

Navigate to Logging Analytics and click Log Explorer. The following image presents the main parts of the Log Explorer user interface:

  1. Query bar, with Clear, Search Help, and Run buttons at the right end of the bar.

  2. Time range menu, and Actions menu where you can find actions such as Open, Save, and Save as.

  3. Fields panel, where you can select sources and fields to filter your data.

  4. Visualization panel, where you can select the way to present search data in a form that helps you.

  5. Main panel, where the visualization outputs appear above the results of the query.

Tip:

Use the browser Back button to return to a previous page. Do not use the Refresh button.

Explore Logs

  1. In Log Explorer, click the Filter icon to open the Scope Filter.


    If the filter is not set with the Log Group Compartment that was created earlier while setting up ingestion, then select logging_analytics_ociaudit.

    The Compartment selector lets you choose which log groups will be included in the search based on which compartment those log groups are in. When you select a compartment here, this compartment plus all child compartments are all automatically included. By using the root compartment, you will be searching across all logs that your user has access to, based on your user’s compartment access policy and the log groups in those compartments.

    After a minute, you should start seeing logs come in for your source.

    Set the Time range to Last 14 days.

    Click OCI Audit Logs, then click Drill Down, as shown in the image below:

    By default, your log data is displayed as Records with histogram to help reduce the size of the data set:

    You can further click a specific segment in the histogram to drill down to the corresponding set of log records and to view the original log content.

  2. Clustering uses machine learning to identify a pattern of log records and then groups the logs that have similar patterns. You can see in the search screen above that 6,501 log entries (the number of logs can vary) were collected for the last 14 days. This is a very large number of logs to inspect manually. In large production environments, you may have billions of log entries in a 14 day period.

    Change the Visualization option to Cluster to take a look at the Cluster Analysis options.

    The screen changes to show clusters of log entries. Here, you can see that 6k log entries are reduced to only 14 clusters, and we have identified 1 of those clusters that indicate a potential problem and 2 clusters that appear to be outliers. With a larger data set over a longer period of time, the cluster capabilities get better as there is a recurring pattern of data to compare against.

  3. Save a Search.

    Saving a search is important for a couple of reasons. First, you may want to regularly use a search without having to rewrite it. You may also create searches that multiple people across your organization use. This provides a consistent view of important data. Second, a saved search can be used as a widget for a dashboard as you will see later in this walk-through.

    Change your visualization to Horizontal Bar Chart.

    1. Select the compartment to save the search.
    2. Give a name and description to the search.
    3. Click the Add to Dashboard checkbox.
    4. To add the saved search as a widget to a new dashboard, select New Dashboard. Alternatively, you can add it to an Existing Dashboard.
    5. Select the compartment to save the dashboard.
    6. In case of a new dashboard, specify a name and description for the new dashboard. Otherwise, select the existing dashboard name.
    7. Give a name and description to the new dashboard.
    8. Click Save.

    You will now see that the Log Explorer title has changed to include the name of the saved search you are working with. If you make changes here, navigate to Action and click Save to update the saved search.
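The clustering step above groups records by their pattern and surfaces potential problems and outliers. The following added example (not Oracle's code, and not the service's machine-learning implementation) shows the underlying idea with a simplified stand-in: mask the variable fields, group by the remaining shape, then flag shapes that contain issue words or occur only once. The sample lines, the masked fields and the issue-word list are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines (not real OCI Audit Log records).
LINES = [
    "GetInstance user=alice ip=10.0.0.5 status=200",
    "GetInstance user=bob ip=10.0.0.9 status=200",
    "GetInstance user=carol ip=10.0.1.7 status=200",
    "ListBuckets user=alice ip=10.0.0.5 status=200",
    "ListBuckets user=dave ip=10.0.2.1 status=200",
    "UpdatePolicy user=bob ip=10.0.0.9 status=403 error=NotAuthorized",
    "UpdatePolicy user=eve ip=10.0.3.3 status=403 error=NotAuthorized",
    "DeleteVault user=mallory ip=203.0.113.7 status=200",
]

# Variable fields to mask so records with the same structure share one shape.
MASKS = [
    (re.compile(r"user=\S+"), "user=<USER>"),
    (re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"), "<IP>"),
]

def shape(line):
    """Return the record with its variable fields replaced by placeholders."""
    for rx, tag in MASKS:
        line = rx.sub(tag, line)
    return line

def cluster(lines):
    """Group records that share the same shape."""
    groups = defaultdict(list)
    for line in lines:
        groups[shape(line)].append(line)
    return dict(groups)

def summarize(lines, issue_words=("error", "fail", "denied")):
    """Count clusters; list shapes that look like problems or occur only once."""
    groups = cluster(lines)
    issues = sorted(s for s in groups if any(w in s.lower() for w in issue_words))
    outliers = sorted(s for s, members in groups.items() if len(members) == 1)
    return {"records": len(lines), "clusters": len(groups),
            "potential_issues": issues, "outliers": outliers}
```

On the eight constructed records, `summarize(LINES)` reports four clusters, with the single `DeleteVault` call as the only outlier and the `UpdatePolicy` 403 shape as the potential issue.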

Get Started with Queries

Using queries and searches is a more advanced way of searching and analyzing your logs. A search is a series of commands delimited by a pipe ( | ) character. The result from the prior command is used as input for the next command. Some commands search for data and other commands aggregate the results. The first command in a query is the search command containing:

  • keyword or phrase
  • boolean expressions
  • wildcards
  • field name / value pair

Here is an example query with a search and aggregate command that would search your logs and show how many distinct load balancers are monitored. A command like this can be broken into four separate sections as follows:

  1. Search all logs from the source OCI Load Balancer Access Logs
  2. Aggregate results from the previous subquery
  3. Count distinct occurrences of a field
  4. Save the aggregate results in a new temporary field

Tip:

Click Search Help, at the right side of the search bar, to open a panel with more information about search queries. The help wizard provides the format and syntax of the queries you can compose. Run the example queries starting from the very basic search to advanced analysis and familiarize yourself with the query reference. The wizard gives you some tips and shortcuts to make your search efficient. A view of the typical use cases of the common command results is available.

In this section, you can try a few simple search commands to get an idea of how the query search works.

Navigate to Logging Analytics and click Log Explorer.

Copy the following queries and paste them in the query bar, then press Run.

  • fail

    This simple query shows you all log records containing the keyword fail.


  • (error or failure) NOT success

    Simple queries can be combined with logical operators to build more complex ones. This query shows you all the log records containing the keyword fail or error.

  • fail*

    Wildcard characters ( * ) can be used in queries to substitute one or more characters in a string. This query shows you all logs containing the wildcard expression (a string that begins with fail).

  • * | stats count

    This simple query calculates the total number of log records.

  • * | timestats count by 'Log Source'

    This query shows the trend of the number of log records for different log sources.


  • * | cluster

    This query clusters log events by the shape of the log records and analyzes large data sets in a structured way.

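To make the search-then-aggregate flow of these queries concrete, here is an added Python model (not Oracle's code and not the service's query engine) in which a search stage filters records and its result is piped into an aggregate stage. The records are constructed, and treating a bare keyword as a whole-word match and the last token as the load balancer name are assumptions of this model.

```python
import fnmatch
import re
from collections import Counter

# Constructed sample records (not real OCI output): (log source, message).
RECORDS = [
    ("OCI Audit Logs", "LaunchInstance success for user alice"),
    ("OCI Audit Logs", "UpdateUser failure: authorization error for user bob"),
    ("OCI Audit Logs", "CreateBucket failed after retry, then success"),
    ("OCI Load Balancer Access Logs", "GET /health 200 backend lb-a"),
    ("OCI Load Balancer Access Logs", "GET /login 502 backend error lb-b"),
    ("OCI Load Balancer Access Logs", "POST /api 200 backend lb-a"),
]

def has(term):
    """Keyword predicate; a '*' in term makes it a wildcard (whole-word match assumed)."""
    def pred(rec):
        words = re.findall(r"[a-z0-9_/-]+", rec[1].lower())
        return any(fnmatch.fnmatchcase(w, term.lower()) for w in words)
    return pred

def source_is(name):
    """Field name/value pair on the record's log source."""
    return lambda rec: rec[0] == name

def search(records, pred):
    """First command of a query: keep only the matching records."""
    return [rec for rec in records if pred(rec)]

def count_by_source(records):
    """Aggregate stage: number of records per log source."""
    return dict(Counter(rec[0] for rec in records))

def distinct_count(records, field, as_name):
    """Aggregate stage: distinct values of field(rec), saved under a new name."""
    return {as_name: len({field(rec) for rec in records})}

def run_examples():
    err, failure, ok = has("error"), has("failure"), has("success")
    lb = search(RECORDS, source_is("OCI Load Balancer Access Logs"))
    bad = search(RECORDS, lambda r: (err(r) or failure(r)) and not ok(r))
    return {
        "load_balancers": distinct_count(lb, lambda r: r[1].split()[-1], "Load Balancers"),
        "bad_by_source": count_by_source(bad),
        "fail": len(search(RECORDS, has("fail"))),
        "fail*": len(search(RECORDS, has("fail*"))),
    }
```

In this model the bare keyword `fail` matches none of the constructed records while `fail*` matches the two containing `failure` and `failed`, which is why the wildcard form is the safer choice when hunting for failed operations.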

OCI Logging Analytics Quick Start Guide

F35570-09

September 2024

Copyright © 2024, Oracle and/or its affiliates. 

Get started with the Oracle Cloud Infrastructure Logging Analytics service using these simple step-by-step instructions.
