
Add OCI Logging and KMS Support (oci.logging, oci.kms resources) #6553

@syrull

Description

Summary

Add support for Oracle Cloud Infrastructure Logging and Key Management services so that logging configurations and encryption key management can be audited.

OCI API Reference

  • Logging Service
  • Key Management Service (KMS)

Proposed MQL Resources

oci.logging

| Field | Type | Description |
|---|---|---|
| logGroups | []oci.logging.logGroup | Log groups in the tenancy |

oci.logging.logGroup

| Field | Type | Description |
|---|---|---|
| id | string | Log group OCID |
| name | string | Display name |
| description | string | Log group description |
| compartmentID | string | Compartment OCID |
| state | string | Lifecycle state |
| logs | []oci.logging.log | Logs in the group |
| created | time | Creation time |

oci.logging.log

| Field | Type | Description |
|---|---|---|
| id | string | Log OCID |
| name | string | Display name |
| logType | string | Log type (SERVICE, CUSTOM) |
| logGroupId | string | Parent log group OCID |
| isEnabled | bool | Whether the log is enabled |
| state | string | Lifecycle state |
| retentionDuration | int | Retention duration in days |
| configuration | dict | Log configuration (source type, category, resource) |

oci.kms

| Field | Type | Description |
|---|---|---|
| vaults | []oci.kms.vault | Key vaults in the tenancy |

oci.kms.vault

| Field | Type | Description |
|---|---|---|
| id | string | Vault OCID |
| name | string | Display name |
| compartmentID | string | Compartment OCID |
| vaultType | string | Vault type (DEFAULT, VIRTUAL_PRIVATE) |
| state | string | Lifecycle state |
| managementEndpoint | string | Vault management endpoint |
| keys | []oci.kms.key | Keys in the vault |
| created | time | Creation time |

oci.kms.key

| Field | Type | Description |
|---|---|---|
| id | string | Key OCID |
| name | string | Display name |
| compartmentID | string | Compartment OCID |
| vaultId | string | Parent vault OCID |
| algorithm | string | Key algorithm (AES, RSA, ECDSA) |
| length | int | Key length in bits |
| protectionMode | string | Protection mode (HSM, SOFTWARE) |
| state | string | Lifecycle state |
| currentKeyVersion | string | Current key version OCID |
| created | time | Creation time |
| timeOfDeletion | time | Scheduled deletion time (if pending) |

Example MQL Queries

# Check VCN flow logging is enabled
oci.logging.logGroups.any(
  logs.any(
    configuration["source"]["service"] == "flowlogs" &&
    isEnabled == true
  )
)

# Check Object Storage write logging is enabled
oci.logging.logGroups.any(
  logs.any(
    configuration["source"]["service"] == "objectstorage" &&
    configuration["source"]["category"] == "write" &&
    isEnabled == true
  )
)

# Check customer-managed keys exist and are active
oci.kms.vaults.any(
  keys.any(state == "ENABLED")
)

# Check key rotation (keys created within last year)
oci.kms.vaults.all(
  keys.all(time.now - created < time.day * 365)
)

Use Cases

  • Verify VCN flow logging is enabled for subnets
  • Audit Object Storage write-level logging configuration
  • Ensure customer-managed encryption keys are properly configured
  • Monitor key rotation compliance
  • Validate logging retention policies
