What is the difference between audit logs, service logs, and custom logs?

Audit logs are automatically generated by OCI and record all API calls made to OCI services — they cannot be disabled and are retained for 365 days. Service logs are generated by OCI services like VCN flow logs, load balancer access logs, and Object Storage access logs — they must be explicitly enabled per resource. Custom logs are application logs you send to OCI Logging via the API, agents, or the unified monitoring agent running on your instances.

How does the OCI Logging Query Language differ from SQL?

The OCI Logging Query Language uses a filter-chain syntax rather than SQL's SELECT/FROM/WHERE structure. You chain predicates with the search() function for full-text search and field-level filters with dot-notation paths like data.identity.principalId. Time ranges are specified with datetime functions rather than WHERE clauses. The language supports regex matching with =~ but does not support aggregations, joins, or GROUP BY — for those analytics, export logs to OCI Logging Analytics.

OCI Logging Query Builder

About This Tool

OCI Logging provides a centralized log management service that collects logs from OCI services, custom applications, and audit events. Searching these logs requires writing queries using the OCI Logging Query Language, which supports filtering by compartment, log group, log type, time range, and field-level predicates with operators like =, !=, =~, and search(). This builder helps you construct syntactically correct logging queries with proper field paths, time range specifications, and logical operators. It supports building queries for audit logs, service logs, and custom logs.

Real-World Scenario

Your security team needs to investigate who deleted a critical Object Storage bucket yesterday. Without the builder, you'd hunt through OCI Logging docs to figure out the audit log field paths. With it, you select audit log type, set time range to yesterday, filter eventName = 'DeleteBucket', and the query fires in seconds returning the user OCID, source IP, and exact timestamp. Investigation closed in 5 minutes; the audit log query becomes a saved search for future incidents.

When to Use This Tool

•Building queries to find all IAM policy changes across compartments in the last 24 hours from audit logs
•Constructing search queries that filter VCN flow logs by source IP, destination port, and action (ACCEPT/REJECT)
•Creating queries that correlate load balancer access logs with backend health check failures within specific time windows
•Generating queries for custom application logs that search for error patterns using regular expression matching

Pro Tips

TIP

Always tighten the time range BEFORE adding field filters. OCI Logging charges per GB scanned, and a 7-day query against busy logs can scan TB. Start with 'last 1 hour', narrow with field filters, then expand the time range only if needed. The cost difference between 1-hour and 7-day queries is enormous.

TIP

Audit log queries should filter on `data.eventName` first, NOT free-text `search()`. Field-level filters use the column index and are dramatically faster. Free-text search is for when you genuinely don't know which field contains the value you're looking for.

TIP

Save common queries as Saved Searches in the OCI console. The query language is verbose enough that team members will rewrite the same query weekly otherwise. Building a library of standard 'find IAM changes in compartment X' queries saves hours of repeated typing.

How It Works Under the Hood

The builder generates OCI Logging queries with the correct syntax: filter chains using equality (=), inequality (!=), regex (=~), and search() for full-text. It supports field paths into nested JSON (data.identity.principalName), time range specifications (datetime > '...'), boolean operators (and, or, not), and sorting. Output is a query string ready to paste into the OCI Logging Search console or use with `oci logging-search search-logs`.

Frequently Asked Questions

What is the difference between audit logs, service logs, and custom logs?: Audit logs are automatically generated by OCI and record all API calls made to OCI services — they cannot be disabled and are retained for 365 days. Service logs are generated by OCI services like VCN flow logs, load balancer access logs, and Object Storage access logs — they must be explicitly enabled per resource. Custom logs are application logs you send to OCI Logging via the API, agents, or the unified monitoring agent running on your instances.
How does the OCI Logging Query Language differ from SQL?: The OCI Logging Query Language uses a filter-chain syntax rather than SQL's SELECT/FROM/WHERE structure. You chain predicates with the search() function for full-text search and field-level filters with dot-notation paths like data.identity.principalId. Time ranges are specified with datetime functions rather than WHERE clauses. The language supports regex matching with =~ but does not support aggregations, joins, or GROUP BY — for those analytics, export logs to OCI Logging Analytics.

Related Learning Guides

OCI Security Best Practices24 min read

OCI Logging Query Builder