What is the difference between audit logs, service logs, and custom logs?

Audit logs are automatically generated by OCI and record all API calls made to OCI services — they cannot be disabled and are retained for 365 days. Service logs are generated by OCI services like VCN flow logs, load balancer access logs, and Object Storage access logs — they must be explicitly enabled per resource. Custom logs are application logs you send to OCI Logging via the API, agents, or the unified monitoring agent running on your instances.

How does the OCI Logging Query Language differ from SQL?

The OCI Logging Query Language uses a filter-chain syntax rather than SQL's SELECT/FROM/WHERE structure. You chain predicates with the search() function for full-text search and field-level filters with dot-notation paths like data.identity.principalId. Time ranges are specified with datetime functions rather than WHERE clauses. The language supports regex matching with =~ but does not support aggregations, joins, or GROUP BY — for those analytics, export logs to OCI Logging Analytics.

OCI Logging Query Builder

About This Tool

OCI Logging provides a centralized log management service that collects logs from OCI services, custom applications, and audit events. Searching these logs requires writing queries using the OCI Logging Query Language, which supports filtering by compartment, log group, log type, time range, and field-level predicates with operators like =, !=, =~, and search(). This builder helps you construct syntactically correct logging queries with proper field paths, time range specifications, and logical operators. It supports building queries for audit logs, service logs, and custom logs.

When to Use This Tool

•Building queries to find all IAM policy changes across compartments in the last 24 hours from audit logs
•Constructing search queries that filter VCN flow logs by source IP, destination port, and action (ACCEPT/REJECT)
•Creating queries that correlate load balancer access logs with backend health check failures within specific time windows
•Generating queries for custom application logs that search for error patterns using regular expression matching

Frequently Asked Questions

What is the difference between audit logs, service logs, and custom logs?: Audit logs are automatically generated by OCI and record all API calls made to OCI services — they cannot be disabled and are retained for 365 days. Service logs are generated by OCI services like VCN flow logs, load balancer access logs, and Object Storage access logs — they must be explicitly enabled per resource. Custom logs are application logs you send to OCI Logging via the API, agents, or the unified monitoring agent running on your instances.
How does the OCI Logging Query Language differ from SQL?: The OCI Logging Query Language uses a filter-chain syntax rather than SQL's SELECT/FROM/WHERE structure. You chain predicates with the search() function for full-text search and field-level filters with dot-notation paths like data.identity.principalId. Time ranges are specified with datetime functions rather than WHERE clauses. The language supports regex matching with =~ but does not support aggregations, joins, or GROUP BY — for those analytics, export logs to OCI Logging Analytics.

Related Learning Guides

OCI Security Best Practices24 min read

OCI Logging Query Builder