Integration of Oracle Cloud Audit with Google SecOps

 

Hello Team,

I recently integrated Oracle Cloud Audit logs via an S3 bucket. The logs are in JSON format, and while SecOps is successfully pulling them, I'm encountering an issue with the log format. The logs are breaking incorrectly—either after each line, comma, or curly brace {}—resulting in improper ingestion.

I've already verified the basics but haven't been able to identify the root cause.

Could someone help me troubleshoot this issue, or suggest alternative methods to ingest Oracle Cloud Audit logs into SecOps?

Thanks in advance for your help!


Hi @manoj610, there are two log labels for the Oracle cloud audit logs. It could be using the wrong one. I would take one of the raw logs and confirm that it parses correctly. You can do this by creating a duplicate parser and pasting the raw log you have into the raw log section after clicking the edit button that looks like a pencil. Then you can preview the UDM. This will allow you to find out which parser (and log label) works for the logs you have. You don't save the duplicate parser. It's just for testing.

Hi @matthewnichols 

Thanks for your response.

I have tested both log labels for the Oracle Cloud audit logs, but the logs are not being parsed.

The primary issue seems to be with ingestion from S3 to SecOps—the logs are being ingested line by line. Could you confirm if there's an issue or suggest an alternative method for ingesting Oracle logs into SecOps?

Looking forward to your insights.

Thanks,





 

 

Hello,

I have looked over our internal guidelines on this topic. I concur with my colleagues that using a webhook will provide a method to get around the json formatting that is causing the problem when you ingest multiple logs from the S3 bucket. I researched the issue from the Oracle side to see what options there were with the json, but they don't have any specific configuration changes that can assist in this situation.
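
A local check for the framing problem discussed in this thread, as an added example that is not part of any post and is not Google or Oracle code. It assumes the feed treats each line of an S3 object as one log entry (as the thread describes) and that the objects hold pretty-printed or concatenated JSON; the function names, field names and sample events are constructed.

```python
import json

def split_json_events(text):
    """Yield each top-level JSON value in text, ignoring how it is split across lines."""
    decoder = json.JSONDecoder()
    pos, end = 0, len(text)
    while pos < end:
        # raw_decode does not skip leading whitespace; also tolerate commas between values
        while pos < end and text[pos] in " \t\r\n,":
            pos += 1
        if pos >= end:
            break
        value, pos = decoder.raw_decode(text, pos)
        # A top-level array is treated as a batch of events
        if isinstance(value, list):
            yield from value
        else:
            yield value

def line_framing_report(text):
    """Count lines that are a complete JSON object versus fragments of one."""
    report = {"complete": 0, "fragments": 0}
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            ok = isinstance(json.loads(line), dict)
        except json.JSONDecodeError:
            ok = False
        report["complete" if ok else "fragments"] += 1
    return report

def to_ndjson(text):
    """Re-serialise every event onto exactly one line (newlines in values stay escaped)."""
    return "".join(json.dumps(e, separators=(",", ":")) + "\n" for e in split_json_events(text))

# Constructed sample: two pretty-printed events, not Oracle's real audit schema
SAMPLE = '''{
  "eventType": "constructed.audit.event",
  "data": {"eventName": "ListBuckets", "principalName": "alice"}
}
{
  "eventType": "constructed.audit.event",
  "data": {"eventName": "GetObject", "message": "line one\\nline two"}
}
'''

if __name__ == "__main__":
    print("before:", line_framing_report(SAMPLE))
    print("after: ", line_framing_report(to_ndjson(SAMPLE)))
```

If the "before" report shows fragments, the object is not framed as one event per line, which matches the line-by-line breakage described above.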