oracle / oci-python-sdk

Oracle Cloud Infrastructure SDK for Python
https://cloud.oracle.com/cloud-infrastructure

OCI _Audit logs exceeding 8K bytes, lots of non actionable data in logs #402

Open SimSama opened 2 years ago

SimSama commented 2 years ago

Hi Team,

I know this isn't directly an SDK problem, but can you route this to the cloud audit service team? I'm not sure who designs the audit logs at Oracle, but I have a problem.

Many external systems truncate logs larger than 8K bytes. Several _Audit enriched events, particularly CreateUser, are larger and get truncated. Fields under identity such as credentials and the signature keyId are excessively large, and provide no tangible actionable data for an analyst looking at the logs.

Can you ask those team members to do a KISS review on some of the audit logs generated by OCI? Or, more specifically, can we ensure that log sizes are minimized by showing just what happened and what the key points of interest are?

For example, this part of my create user log (I sanitized a bit):

"credentials":"ST$…_zoIXFpD9xxxxxxxxG6X-"

This thing is huge! Why can't we just have a short name for a key or credential used? "credential_used" : "credential1" , etc?

You can close this afterwards; I have a mitigation for now on my end.
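
One way a log forwarder can keep these events under the 8K limit before shipping them is to fingerprint the oversized credential identifier and drop bulky, low-value sections in a fixed order until the event fits. The code below is an added example; it is not the poster's mitigation and not code from the oci-python-sdk. It assumes the real `data.identity.credentials` field of an OCI Audit event, and the sample event, the `Authorization` request header and the prune order are constructed assumptions that only approximate the real event layout.

```python
"""Shrink an OCI _Audit event to fit an 8 KiB forwarding limit.

Added example, not part of the oci-python-sdk. SAMPLE_EVENT is a constructed
sample that only approximates the OCI Audit event layout; the header names and
the prune order are assumptions, not a documented schema.
"""
import copy
import hashlib
import json

MAX_BYTES = 8 * 1024

# Bulky, low-value sections dropped in this order until the event fits.
# Dotted paths are relative to the top-level event. (Assumed order.)
PRUNE_ORDER = [
    "data.response.headers",
    "data.request.headers",
    "data.response.payload",
    "data.stateChange.previous",
    "data.stateChange.current",
    "data.additionalDetails",
]

# Constructed sample: the token and header values are filler of realistic
# length (an ST$ security token is a long JWT), not real credentials.
FAKE_TOKEN = "ST$" + ("eyJhbGciOiJSUzI1NiJ9." * 350)
SAMPLE_EVENT = {
    "eventType": "com.oraclecloud.identitycontrolplane.createuser",
    "cloudEventsVersion": "0.1",
    "eventTypeVersion": "2.0",
    "source": "IdentityControlPlane",
    "eventId": "constructed-event-id",
    "eventTime": "2022-01-01T00:00:00Z",
    "data": {
        "eventName": "CreateUser",
        "compartmentId": "ocid1.tenancy.oc1..example",
        "resourceName": "svc-user",
        "identity": {
            "principalName": "admin@example.com",
            "authType": "natv",
            "ipAddress": "203.0.113.10",
            "credentials": FAKE_TOKEN,
        },
        "request": {
            "path": "/20160918/users",
            "action": "POST",
            "headers": {
                "Authorization": [f'Signature keyId="{FAKE_TOKEN}",algorithm="rsa-sha256"'],
                "Content-Type": ["application/json"],
            },
        },
        "response": {
            "status": "200",
            "headers": {"opc-request-id": ["constructed"]},
            "payload": {"name": "svc-user"},
        },
    },
}


def _get(event, path):
    """Walk a dotted path through nested dicts; None if any step is missing."""
    node = event
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def _pop(event, path):
    """Delete the value at a dotted path; True if something was removed."""
    parts = path.split(".")
    node = event
    for key in parts[:-1]:
        node = node.get(key) if isinstance(node, dict) else None
        if node is None:
            return False
    if isinstance(node, dict) and parts[-1] in node:
        del node[parts[-1]]
        return True
    return False


def credential_fingerprint(credential):
    """Replace a long credential identifier with a short, stable fingerprint.

    Analysts can still group events by signer, but the multi-KB token is gone
    and the fingerprint cannot be replayed as a credential."""
    if not credential:
        return credential
    digest = hashlib.sha256(credential.encode("utf-8")).hexdigest()[:16]
    label = "security-token" if credential.startswith("ST$") else "api-key"
    return f"{label}:{digest}"


def encoded_size(event):
    """Size in bytes of the compact JSON encoding a forwarder would send."""
    return len(json.dumps(event, separators=(",", ":")).encode("utf-8"))


def compact_audit_event(event, max_bytes=MAX_BYTES):
    """Return (compacted copy, fits) where fits says the copy is within max_bytes.

    The copy records which paths were pruned in data.prunedFields so the
    reduction is visible to whoever reads the log later."""
    ev = copy.deepcopy(event)
    pruned = []
    ev.setdefault("data", {})["prunedFields"] = pruned  # same list, grows below

    identity = _get(ev, "data.identity")
    if isinstance(identity, dict) and identity.get("credentials"):
        identity["credentials"] = credential_fingerprint(identity["credentials"])

    # A signature header repeats the same keyId; drop it regardless of case.
    for hdr_path in ("data.request.headers", "data.response.headers"):
        headers = _get(ev, hdr_path)
        if isinstance(headers, dict):
            for name in [n for n in headers if n.lower() == "authorization"]:
                del headers[name]
                pruned.append(f"{hdr_path}.{name}")

    for path in PRUNE_ORDER:
        if encoded_size(ev) <= max_bytes:
            break
        if _pop(ev, path):
            pruned.append(path)

    return ev, encoded_size(ev) <= max_bytes


if __name__ == "__main__":
    before = encoded_size(SAMPLE_EVENT)
    compact, fits = compact_audit_event(SAMPLE_EVENT)
    print(f"{before} -> {encoded_size(compact)} bytes, fits={fits}")
    print(json.dumps(compact["data"]["identity"], indent=2))
```

The fingerprint keeps the `ST$` versus API-key distinction visible, and the pruned-path list means a consumer can tell a deliberately trimmed event from one a downstream system silently truncated at 8K.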

jodoglevy commented 2 years ago

@SimSama yes, I will ask Audit team to take a look

SimSama commented 2 years ago

Thanks, I appreciate it. The events directly from the Events service are nice and compact, but are missing a lot of surrounding detail. The _Audit event wrapper has all of the surrounding detail, but each event is massive. Some of the fields could be minimized or pruned.

vaibhavumd commented 1 year ago

I guess the createUser and other API calls that you mentioned come from a source called Identity, so if some format change in Audit logs is needed, then it should go to the Identity team, as they send these logs and can help mitigate this issue.