Move OCI Logs to IBM QRadar


Introduction

Organizations using Oracle Cloud Infrastructure (OCI) often need centralized security monitoring across hybrid cloud environments. One common enterprise requirement is integrating OCI logs with IBM QRadar for Security Information and Event Management (SIEM).

Moving logs from Oracle Cloud Infrastructure into IBM QRadar enables organizations to centralize security monitoring, detect threats faster, meet compliance requirements, and correlate cloud activities with on-premise security events.

In current Oracle Cloud implementations (this article follows the 26A release conventions) built on OCI native logging services, security teams frequently forward OCI Audit Logs, VCN Flow Logs, Load Balancer Logs, and Object Storage access logs to external SIEM tools such as IBM QRadar.

This article explains the complete architecture, integration flow, implementation approach, configuration steps, testing procedures, troubleshooting techniques, and best practices for integrating OCI logs with IBM QRadar in real-world enterprise environments.


What is OCI Logging Integration with IBM QRadar?

OCI provides centralized logging services that collect operational and security-related logs from Oracle Cloud services. These logs help administrators monitor user activities, network traffic, infrastructure events, API calls, and system behavior.

IBM QRadar is an enterprise SIEM platform used to:

  • Monitor security events
  • Detect anomalies
  • Perform threat intelligence correlation
  • Generate compliance reports
  • Investigate incidents

The integration between OCI and QRadar allows OCI-generated logs to be pushed or forwarded into QRadar for centralized analysis.


Types of OCI Logs Commonly Sent to QRadar

The following OCI logs are typically integrated into IBM QRadar:

OCI Log Type         Purpose
Audit Logs           Tracks every OCI API call (enabled by default)
VCN Flow Logs        Monitors accepted and rejected network traffic
Load Balancer Logs   Captures LB access details
WAF Logs             Security event monitoring
Object Storage Logs  File access tracking
Functions Logs       Serverless execution logs
Database Logs        DB security and operations
Kubernetes Logs      OKE cluster monitoring

Real-World Integration Use Cases

Scenario 1 – Financial Institution Security Monitoring

A banking organization running Oracle Fusion workloads on OCI sends Audit Logs and VCN Flow Logs to IBM QRadar to monitor:

  • Unauthorized API access
  • Suspicious login attempts
  • Network scanning activity
  • Privileged account misuse

QRadar correlates OCI security events with Active Directory and firewall logs.


Scenario 2 – Healthcare Compliance Monitoring

A healthcare company hosting patient applications on OCI integrates Object Storage logs with QRadar to satisfy HIPAA compliance requirements.

The organization tracks:

  • Sensitive file downloads
  • Unauthorized access attempts
  • Cross-region data movement
  • Admin changes

Scenario 3 – Enterprise SOC Centralization

A global enterprise operating multi-cloud environments centralizes logs from:

  • OCI
  • AWS
  • Azure
  • On-premises servers

All events are analyzed through QRadar dashboards for enterprise-wide threat monitoring.


OCI to QRadar Integration Architecture

A typical OCI-to-QRadar architecture involves the following components:

  1. OCI Logging Service (Audit logs plus the service logs you enable)
  2. Service Connector Hub (labelled "Connector Hub" in newer versions of the console)
  3. OCI Streaming Service and/or OCI Functions (Connector Hub can target a function directly, so the Streaming hop is optional)
  4. IBM QRadar log source: a Syslog or TLS Syslog listener, or one of QRadar's pull-based collection protocols where a DSM supports it; QRadar has no general-purpose REST endpoint that accepts arbitrary pushed events
  5. QRadar rules, offenses, and dashboards for security monitoring

High-Level Flow

 
OCI Services → OCI Logging → Service Connector Hub → OCI Streaming / Functions → Syslog over TLS (or a REST collection protocol) → IBM QRadar
 

OCI Services Used in the Integration

OCI Service            Role
OCI Logging            Captures logs
Service Connector Hub  Routes logs
OCI Streaming          Real-time log streaming
OCI Functions          Custom transformation and forwarding
IAM Policies           Permissions
Notifications          Alerting
Object Storage         Optional archival

Prerequisites

Before implementing the integration, ensure the following are available.

OCI Requirements

  • OCI tenancy access
  • Logging enabled
  • IAM administrator privileges
  • Service Connector Hub permissions
  • OCI Streaming configured (optional)

IBM QRadar Requirements

  • QRadar console access
  • Syslog listener configured
  • Log source setup
  • Firewall ports opened
  • DSM support for the chosen event format (Universal LEEF for LEEF-formatted events, or a Universal DSM with custom JSON properties for raw JSON)

Network Requirements

Ensure connectivity between:

  • OCI environment
  • QRadar SIEM server

Required ports may include:

Protocol            Port   Note
Syslog UDP          514    Unencrypted and lossy; lab use only
Syslog TCP          514    Unencrypted; reliable delivery
Secure Syslog TLS   6514   Recommended for production
HTTPS REST API      443    Only if a pull-based REST collection protocol is used

Whichever listener you choose, restrict the allowed source on QRadar to the OCI egress addresses (the NAT gateway public IP, or the FastConnect/VPN range) rather than opening the port broadly.

Understanding OCI Logging Architecture

OCI Logging distinguishes three log categories: Audit logs, Service logs, and Custom logs. The first two are what a SIEM integration normally consumes.

1. Audit Logs

Enabled automatically for every tenancy and retained by OCI for 365 days. They record:

  • Console sign-ins
  • API calls (every create, update, delete, and read request, with the caller identity and source IP)
  • Resource creation
  • IAM policy changes

Audit logs are the single most important feed for security monitoring. They cannot be switched off by a tenancy user, which is exactly the property a SIEM relies on.


2. Service Logs

Logs emitted by individual OCI services and enabled per resource (for example, per subnet for VCN Flow Logs). Custom logs, which your own applications or the Unified Monitoring Agent write into Logging, form the third category and are handled the same way once they sit in a log group.

Examples:

  • Load Balancer access logs
  • API Gateway logs
  • OKE logs
  • Functions logs

Step-by-Step OCI to QRadar Integration

Step 1 – Enable OCI Logging

Navigate to:

 
OCI Console → Observability & Management → Logging
 

Verify logging is enabled.

For service logs:

 
OCI Console → Resource → Logs → Enable Log
 

Example:

Enable VCN Flow Logs for a subnet.


Step 2 – Create a Log Group

Navigation:

 
OCI Console → Logging → Log Groups
 

Create a log group.

Example:

Field         Value
Name          Security-Logs
Compartment   Security
Description   OCI Security Logs

Save the configuration.


Step 3 – Configure Service Logs

Example for enabling VCN Flow Logs:

Navigation:

 
Networking → Virtual Cloud Networks
 

Select subnet.

Choose:

 
Resources → Logs → Enable Log
 

Example values:

Field          Value
Log Name       VCN-Flow-Logs
Log Category   Flow Logs
Retention      30 Days

Save the setup.


Step 4 – Create OCI Streaming Stream

OCI Streaming enables real-time event processing.

Navigation:

 
Analytics & AI → Streaming
 

Create a stream.

Example:

Field          Value
Stream Name    QRadar-Stream
Partitions     1
Retention      24 Hours

Size the partition count for your log volume: each partition accepts roughly 1 MB/s of writes, so a single partition is only adequate for a small tenancy. The retention window is the buffer you have for replaying events if the forwarder or QRadar is down.

Step 5 – Configure Service Connector Hub

Service Connector Hub routes logs from OCI Logging to the target you choose; here the target is the Streaming stream, but a Functions target works the same way and removes the Streaming hop. When you save the connector, accept the console's offer to create the default IAM policy for the target; without it the connector sits in an error state and delivers nothing.

Navigation:

 
Observability & Management → Service Connector Hub
 

Create connector.

Source

Setting          Value
Source Service   Logging
Log Group        Security-Logs

Target

Setting          Value
Target Service   Streaming
Stream           QRadar-Stream

Save configuration.


Step 6 – Configure OCI Functions for Log Forwarding

In many implementations, OCI Functions are used to:

  • Parse logs
  • Transform JSON into syslog, LEEF, or CEF
  • Send syslog messages over TLS
  • Push REST payloads where a collector accepts them

Typical OCI Function Flow

OCI Functions are not triggered by a stream on their own. A second connector with Streaming as the source and Functions as the target invokes the function with a batch of messages:

 
Service Connector Hub (source: QRadar-Stream, target: Function)

OCI Function (receives a JSON batch)

Transform Log

Send to QRadar
 

Step 7 – Create OCI Function Application

Navigation:

 
Developer Services → Functions
 

Create application.

Example:

Field     Value
Name      QRadar-Log-Forwarder
VCN       Security-VCN
Subnet    Private-Subnet

The private subnet needs a route to QRadar (a NAT gateway for a public QRadar address, or the FastConnect/VPN route for an on-premises one) and an egress security rule for the syslog port; without both, every invocation runs until it hits the function timeout.

Step 8 – Deploy Function Code

Most integrations use Python-based OCI Functions.

Sample pseudo logic:

 
Receive batch from Connector Hub
Parse each JSON log entry
Convert to syslog (JSON, LEEF, or CEF payload)
Send to QRadar over TLS
 

Common Python libraries:

  • requests
  • socket
  • json
  • logging
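The forwarder below is an added worked example, not code from the original article or from Oracle; it turns the pseudo logic above into a function with the fdk handler signature. It assumes a QRadar TLS Syslog listener at the placeholder host qradar.example.internal on port 6514 whose CA certificate has been staged at /tmp/qradar-ca.pem (fetch it from OCI Vault at cold start in a real deployment), and that the batch arrives in one of the two shapes Connector Hub produces: an array of Logging records (Logging source) or an array of stream messages carrying a base64 value (Streaming source). The sample batches at the bottom are constructed. It also applies the filtering recommended later in this article, dropping successful Get/List calls before they cost EPS.

```python
import base64
import io
import json
import socket
import ssl

# Assumed settings: a deployed function should read these from ctx.Config()
# and fetch the CA bundle from OCI Vault. The host is a placeholder.
QRADAR_HOST = "qradar.example.internal"
QRADAR_PORT = 6514              # QRadar TLS Syslog listener
CA_FILE = "/tmp/qradar-ca.pem"  # CA that issued the listener certificate

# Successful read-only Audit calls are dropped to save EPS; failures and writes are kept.
READ_ONLY_PREFIXES = ("Get", "List")
FACILITY_LOCAL0 = 16
SEV_INFO, SEV_WARN = 6, 4


def iter_log_entries(payload: bytes):
    """Yield Logging records from a Connector Hub batch (a JSON array). Elements are
    either Logging envelopes (event under `logContent`) or stream messages whose
    `value` is a base64-encoded Logging record (assumed shape for a Streaming source)."""
    def unwrap(rec):
        if isinstance(rec, dict) and "value" in rec and "offset" in rec:
            rec = json.loads(base64.b64decode(rec["value"]))
        if isinstance(rec, list):
            for inner in rec:
                yield from unwrap(inner)
        elif isinstance(rec, dict):
            yield rec.get("logContent", rec)
    yield from unwrap(json.loads(payload))

def audit_fields(entry: dict) -> dict:
    """The few Audit fields the filter and the syslog header need."""
    data = entry.get("data") or {}
    identity = data.get("identity") or {}
    response = data.get("response") or {}
    return {"event_name": data.get("eventName", ""),
            "principal": identity.get("principalName", ""),
            "status": str(response.get("status", "")),
            "time": entry.get("time") or entry.get("eventTime") or "-"}

def should_forward(fields: dict) -> bool:
    if fields["status"] and not fields["status"].startswith("2"):
        return True  # any denied or failed call is security-relevant
    return not fields["event_name"].startswith(READ_ONLY_PREFIXES)

def syslog_message(entry: dict, hostname: str = "oci-audit") -> str:
    """RFC 5424 message; MSG is the compact JSON record so QRadar can extract
    fields with JSON custom properties ('-' is the RFC nil value)."""
    fields = audit_fields(entry)
    severity = SEV_INFO if fields["status"].startswith("2") else SEV_WARN
    pri = FACILITY_LOCAL0 * 8 + severity
    msgid = fields["event_name"] or "-"
    body = json.dumps(entry, separators=(",", ":"))
    return f"<{pri}>1 {fields['time']} {hostname} oci-forwarder - {msgid} - {body}"

def frame(message: str) -> bytes:
    """RFC 6587 octet-counting: the length prefix keeps one event per frame."""
    data = message.encode("utf-8")
    return f"{len(data)} ".encode("ascii") + data

def build_frames(payload: bytes) -> list:
    return [frame(syslog_message(e)) for e in iter_log_entries(payload)
            if should_forward(audit_fields(e))]

def send_frames(frames, host=QRADAR_HOST, port=QRADAR_PORT, cafile=CA_FILE) -> int:
    """One TLS session per invocation; certificate and hostname are verified.
    Never disable that to 'make it work': fix the certificate instead."""
    context = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=10) as raw:
        with context.wrap_socket(raw, server_hostname=host) as tls:
            for f in frames:
                tls.sendall(f)
    return len(frames)

def handler(ctx, data: io.BytesIO = None):
    """Entry point with the fdk signature used by OCI Functions."""
    frames = build_frames(data.getvalue() if data else b"[]")
    return {"sent": send_frames(frames) if frames else 0}

def _record(event_type, event_name, status, principal="admin.user"):
    """Constructed Logging record, in the shape a Logging-source connector sends."""
    return {"logContent": {"type": event_type, "time": "2026-05-20T10:00:00Z",
            "data": {"eventName": event_name, "resourceName": "Prod-Compute",
                     "identity": {"principalName": principal, "ipAddress": "203.0.113.10"},
                     "response": {"status": status}}}}

# Constructed sample: a write (kept), a successful read (dropped), a failed read (kept).
SAMPLE_BATCH = json.dumps([
    _record("com.oraclecloud.computeapi.launchinstance", "LaunchInstance", "200"),
    _record("com.oraclecloud.computeapi.listinstances", "ListInstances", "200"),
    _record("com.oraclecloud.identitycontrolplane.getuser", "GetUser", "404", "svc-scan"),
]).encode()

# The first record again, as a Streaming-source connector would hand it over.
SAMPLE_STREAM_BATCH = json.dumps([{
    "stream": "QRadar-Stream", "partition": "0", "offset": 7,
    "value": base64.b64encode(json.dumps(json.loads(SAMPLE_BATCH)[0]).encode()).decode()}]).encode()
```

Run build_frames(SAMPLE_BATCH) locally to see the two frames that would be sent; only handler and send_frames touch the network. Octet-counting framing is what makes a TCP/TLS syslog feed survive JSON that contains newlines, so configure the QRadar TLS Syslog log source to expect it.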

Step 9 – Configure QRadar Log Source

In QRadar:

Navigation:

 
Admin → Log Sources
 

Add new log source.

Example configuration:

Field                  Value
Log Source Type        Universal DSM (or Universal LEEF if the forwarder emits LEEF)
Protocol               Syslog (TLS Syslog for production)
Log Source Identifier  the hostname the forwarder writes into the syslog header
Listening Port         514 (6514 for TLS Syslog)

The Log Source Identifier must match the HOSTNAME field of the incoming syslog messages (or the sender IP when that field is the nil value); otherwise QRadar autodetects a generic log source and your DSM and custom properties are not applied.

Save configuration.


Step 10 – Validate Connectivity

Verify QRadar receives messages.

Check:

 
Log Activity → Real Time Events
 

Look for OCI log entries.


Sample OCI Audit Log Event

Example JSON payload as returned by the Audit API (the fields a SIEM cares about sit under data; the IP address is a constructed placeholder):

 
{
  "eventType": "com.oraclecloud.computeapi.launchinstance",
  "cloudEventsVersion": "0.1",
  "eventTypeVersion": "2.0",
  "source": "ComputeApi",
  "eventTime": "2026-05-20T10:00:00Z",
  "data": {
    "eventName": "LaunchInstance",
    "compartmentName": "Security",
    "resourceName": "Prod-Compute",
    "identity": {
      "principalName": "admin.user",
      "ipAddress": "203.0.113.10",
      "authType": "natv"
    },
    "response": {
      "status": "200",
      "responseTime": "2026-05-20T10:00:01Z"
    }
  }
}
 

When the same event is delivered through OCI Logging it arrives wrapped in a Logging record: the event body sits under logContent.data, eventType becomes logContent.type, and eventTime becomes logContent.time. Write parsers against that envelope, not against the raw Audit API shape.
 

Transforming OCI Logs for QRadar

OCI logs are JSON. QRadar can parse JSON directly (custom event properties with JSON expressions), but parsing and correlation are simpler when the forwarder emits a format QRadar understands natively:

  • Syslog (RFC 5424) carrying the JSON record as the message
  • CEF conversion
  • LEEF conversion (QRadar's own format, parsed by the Universal LEEF log source type)

Many enterprises use OCI Functions to convert OCI JSON events into CEF. A CEF header has seven pipe-separated fields (version, vendor, product, device version, signature ID, name, severity) followed by the key=value extension. Truncating the header after the signature ID, as in CEF:0|Oracle|OCI|26A|Audit|, produces a line QRadar will not parse. A complete line for the event above looks like:

 
CEF:0|Oracle|OCI|26A|com.oraclecloud.computeapi.launchinstance|LaunchInstance|3|suser=admin.user src=203.0.113.10 outcome=200 cs1Label=resourceName cs1=Prod-Compute
 

This improves QRadar parsing and correlation.
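The converter below is an added example, not code from the article, Oracle, or IBM. It produces the full CEF line and its LEEF 1.0 equivalent from an Audit record in the envelope OCI Logging wraps each event in (event under data, type and time at the top level); the escaping rules follow the CEF and LEEF specifications, while the severity mapping and the device version string 26A are choices made here, and the sample event is constructed.

```python
from datetime import datetime, timezone

VENDOR, PRODUCT, DEVICE_VERSION = "Oracle", "OCI", "26A"  # header fields; version is yours to set


def _fields(entry: dict) -> dict:
    """Extract the Audit fields worth mapping; tolerates the raw Audit API shape too."""
    data = entry.get("data") or {}
    identity = data.get("identity") or {}
    response = data.get("response") or {}
    return {"event_type": entry.get("type") or entry.get("eventType", ""),
            "event_name": data.get("eventName", ""),
            "principal": identity.get("principalName", ""),
            "src_ip": identity.get("ipAddress", ""),
            "status": str(response.get("status", "")),
            "resource": data.get("resourceName", ""),
            "time": entry.get("time") or entry.get("eventTime", "")}

def severity(fields: dict) -> int:
    """0-10 scale shared by the CEF header and the LEEF `sev` attribute."""
    status = fields["status"]
    if status.startswith(("401", "403")):
        return 7  # denied: credential failure or permission probe
    if status.startswith("4"):
        return 5
    if status.startswith("5"):
        return 4
    if fields["event_type"].startswith("com.oraclecloud.identitycontrolplane."):
        return 6  # a successful IAM change still deserves attention
    return 3

def _cef_header(value) -> str:
    # Header fields escape only backslash and the pipe separator.
    return str(value).replace("\\", "\\\\").replace("|", "\\|")

def _cef_ext(value) -> str:
    # Extension values escape backslash, '=' and line breaks; '|' is legal here.
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))

def _leef_value(value) -> str:
    # LEEF 1.0 attributes are tab-delimited key=value pairs.
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\t", "\\t").replace("\n", "\\n"))

def epoch_ms(iso_time: str) -> int:
    """CEF `rt` wants milliseconds since the epoch."""
    return int(datetime.fromisoformat(iso_time.replace("Z", "+00:00")).timestamp() * 1000)

def utc_seconds(iso_time: str) -> str:
    """Normalise to whole seconds in UTC so the LEEF devTimeFormat stays fixed
    even when OCI emits fractional seconds or a zone offset."""
    moment = datetime.fromisoformat(iso_time.replace("Z", "+00:00")).astimezone(timezone.utc)
    return moment.strftime("%Y-%m-%dT%H:%M:%SZ")

def to_cef(entry: dict) -> str:
    f = _fields(entry)
    header = "|".join(_cef_header(x) for x in (
        "CEF:0", VENDOR, PRODUCT, DEVICE_VERSION, f["event_type"], f["event_name"], severity(f)))
    ext = [("rt", epoch_ms(f["time"]) if f["time"] else ""),
           ("suser", f["principal"]), ("src", f["src_ip"]),
           ("act", f["event_name"]), ("outcome", f["status"]),
           ("cs1Label", "resourceName" if f["resource"] else ""), ("cs1", f["resource"])]
    return header + "|" + " ".join(f"{k}={_cef_ext(v)}" for k, v in ext if v != "")

def to_leef(entry: dict) -> str:
    f = _fields(entry)
    header = "|".join(_cef_header(x) for x in (
        "LEEF:1.0", VENDOR, PRODUCT, DEVICE_VERSION, f["event_name"] or f["event_type"]))
    attrs = [("devTime", utc_seconds(f["time"]) if f["time"] else ""),
             ("devTimeFormat", "yyyy-MM-dd'T'HH:mm:ss'Z'" if f["time"] else ""),
             ("usrName", f["principal"]), ("src", f["src_ip"]),
             ("cat", f["event_type"]), ("sev", severity(f)),
             ("status", f["status"]), ("resourceName", f["resource"])]
    return header + "|" + "\t".join(f"{k}={_leef_value(v)}" for k, v in attrs if v != "")

# Constructed Audit record in the Logging logContent shape.
SAMPLE_EVENT = {
    "type": "com.oraclecloud.computeapi.launchinstance",
    "time": "2026-05-20T10:00:00Z",
    "data": {"eventName": "LaunchInstance", "resourceName": "Prod-Compute",
             "identity": {"principalName": "admin.user", "ipAddress": "203.0.113.10"},
             "response": {"status": "200"}},
}

if __name__ == "__main__":
    print(to_cef(SAMPLE_EVENT))
    print(to_leef(SAMPLE_EVENT))
```

usrName, src, devTime, devTimeFormat, cat and sev are LEEF attribute names QRadar maps to its normalised fields without a custom DSM; anything else (status, resourceName) lands as a custom property you can index yourself. The escaping matters for security as much as for parsing: a principal name containing "=" or a resource name containing "|" must not be able to inject extra fields into the event QRadar stores.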


Testing the Integration

After completing the configuration, perform end-to-end testing.


Test Scenario 1 – IAM Login Event

Perform:

 
OCI Console Login
 

Expected Result:

  • Audit event generated
  • Log appears in OCI Logging
  • Event forwarded to QRadar

Test Scenario 2 – VCN Traffic Test

Generate traffic between instances.

Expected Result:

  • Flow logs generated
  • QRadar displays network event

Test Scenario 3 – Failed Authentication Attempt

Attempt a console login with an invalid password, or call an API with a credential that lacks the required policy.

Expected Result:

  • Audit event captured with a non-2xx response status
  • QRadar offense triggered, provided a rule for repeated OCI authentication failures exists (no offense is raised for a single event by default)
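The rules behind these offenses are built in QRadar's rule editor rather than in code, but it is worth running the same logic over a handful of OCI Audit records first to confirm that the forwarded fields support it. The script below is an added example, not part of the original article: it implements a sliding-window count of denied calls per principal and a per-event alert on IAM policy writes over constructed records in the Logging logContent shape (the IAM event type strings are illustrative).

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILURE_THRESHOLD = 5           # denied calls by one subject ...
WINDOW = timedelta(minutes=10)  # ... inside this window raise the offense
DENIED = ("401", "403", "404")  # 404 covers enumeration of OCIDs the caller cannot see
POLICY_EVENTS = {"CreatePolicy", "UpdatePolicy", "DeletePolicy"}


def _ts(iso: str) -> datetime:
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))

def detect(records) -> list:
    """Run both rules over Logging records and return (rule, subject, detail)
    tuples in the order they fire."""
    findings = []
    recent = defaultdict(deque)   # subject -> timestamps of denied calls in WINDOW
    already_fired = set()
    for rec in sorted(records, key=lambda r: r["logContent"]["time"]):
        event = rec["logContent"]
        data = event.get("data") or {}
        identity = data.get("identity") or {}
        status = str((data.get("response") or {}).get("status", ""))
        name = data.get("eventName", "")
        when = _ts(event["time"])
        subject = identity.get("principalName") or identity.get("ipAddress") or "unknown"

        # Rule 1: every IAM policy write is reported on its own.
        if name in POLICY_EVENTS:
            findings.append(("iam_policy_change", subject,
                             f"{name} on {data.get('resourceName', '?')} at {event['time']}"))

        # Rule 2: N denied calls by one subject inside a sliding window.
        if status.startswith(DENIED):
            q = recent[subject]
            q.append(when)
            while q and when - q[0] > WINDOW:
                q.popleft()  # expire failures older than WINDOW
            if len(q) >= FAILURE_THRESHOLD and subject not in already_fired:
                already_fired.add(subject)
                findings.append(("auth_failure_burst", subject,
                                 f"{len(q)} denied calls within {WINDOW}"))
    return findings

def _rec(time, event_name, status, principal,
         event_type="com.oraclecloud.identitycontrolplane.getuser"):
    """Constructed Logging record; event_type values are illustrative."""
    return {"logContent": {"type": event_type, "time": time,
            "data": {"eventName": event_name, "resourceName": "Security",
                     "identity": {"principalName": principal, "ipAddress": "198.51.100.7"},
                     "response": {"status": status}}}}

# Constructed sample: one stale failure, one isolated failure, a burst, and a policy write.
SAMPLE_RECORDS = [
    _rec("2026-05-20T09:30:00Z", "GetUser", "401", "svc-scan"),      # too old to count
    _rec("2026-05-20T09:55:00Z", "GetUser", "401", "admin.user"),    # single failure, no alert
    _rec("2026-05-20T10:07:00Z", "CreatePolicy", "200", "admin.user",
         "com.oraclecloud.identitycontrolplane.createpolicy"),
] + [_rec(f"2026-05-20T10:0{i}:00Z", "GetUser", "401", "svc-scan") for i in range(6)]

if __name__ == "__main__":
    for finding in detect(SAMPLE_RECORDS):
        print(finding)
```

In QRadar the second rule becomes "when the event(s) match Log Source Type is OCI and outcome is 401/403/404, and at least 5 events are seen with the same username in 10 minutes"; the first is a simple single-event rule on the event name. Keying on the principal rather than the source IP is deliberate, since OCI API calls from a NAT gateway or a CI runner all share one address.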

Validation Checklist

Validation Item           Expected Result
OCI Logs Generated        Yes
Service Connector Active  Yes
Stream Receiving Events   Yes
Function Executed         Yes
QRadar Receiving Logs     Yes
Events Parsed Correctly   Yes

Common Errors and Troubleshooting

1. Logs Not Reaching QRadar

Possible Causes

  • Firewall blocked (on-premises firewall, OCI security list, or NSG)
  • Wrong QRadar IP or hostname
  • Incorrect syslog port or protocol (UDP listener but TCP/TLS sender, or the reverse)
  • TLS handshake failure (QRadar certificate not trusted by the forwarder)
  • IAM permissions missing for the connector or the function

Solution

Verify, in order:

 
OCI Security Lists and Network Security Groups (egress to the QRadar port)
Subnet route table (NAT gateway or FastConnect/VPN route to QRadar)
Function logs for connection or certificate errors
A packet capture on the QRadar listener (tcpdump port 6514) to confirm traffic arrives
 

2. Service Connector Failure

Cause

Incorrect target configuration.

Solution

Check connector health status:

 
OCI Console → Service Connector Hub
 

3. Function Execution Errors

Cause

Improper parsing logic.

Solution

Check logs:

 
Functions → Metrics and Logs
 

4. QRadar Parsing Issues

Cause

Unsupported JSON structure.

Solution

Use:

  • DSM customization
  • CEF conversion
  • LEEF formatting

Security Considerations

When integrating OCI with QRadar, security should be carefully planned.

Recommended Security Controls

Security Control    Recommendation
TLS Encryption      Use Secure Syslog (TLS on 6514) and verify the QRadar certificate in the forwarder
IAM Policies        Least privilege: scope the connector to its stream or function, and the function to its secrets
Network Access      Restrict inbound traffic on QRadar to the OCI egress addresses
Secrets             Use OCI Vault for certificates and credentials; never bake them into the function image
Logging Retention   Define a retention policy and archive to Object Storage

OCI IAM Policies Required

Example policies (replace the placeholders with your OCIDs; the console offers to generate the connector statements when you create the connector, and those generated statements should be preferred over hand-written ones):

 
Allow any-user to use stream-push in compartment id <security_compartment_ocid> where all {request.principal.type='serviceconnector', target.stream.id='<qradar_stream_ocid>', request.principal.compartment.id='<security_compartment_ocid>'}
Allow any-user to use fn-function in compartment id <security_compartment_ocid> where all {request.principal.type='serviceconnector', request.principal.compartment.id='<security_compartment_ocid>'}
Allow any-user to use fn-invocation in compartment id <security_compartment_ocid> where all {request.principal.type='serviceconnector', request.principal.compartment.id='<security_compartment_ocid>'}
Allow dynamic-group FunctionsDG to read secret-family in compartment Security
 

The first statement lets the connector write into QRadar-Stream; the next two let a connector with a Functions target invoke the forwarder; the last lets the function read the QRadar CA certificate or client credentials from OCI Vault. A statement such as "Allow service loganalytics to read log-groups" belongs to Logging Analytics and plays no part in this flow, and a function invoked by a connector does not need stream-pull rights, because the connector hands it the batch.

Best Practices for OCI to QRadar Integration

1. Use OCI Service Connector Hub

Avoid building custom polling solutions whenever possible.

OCI Service Connector Hub provides:

  • Native scalability
  • Better reliability
  • Lower operational effort

2. Use Secure Syslog (TLS)

Do not use plain UDP syslog for enterprise production systems.

Recommended:

 
TCP + TLS (6514)
 

3. Archive Logs to Object Storage

Maintain long-term retention.

Typical retention strategy:

Environment      Retention
Production       1 Year
Non-Production   90 Days

4. Separate Security Compartments

Use dedicated OCI compartments for:

  • Logging
  • Security monitoring
  • SIEM integrations

5. Monitor Function Performance

OCI Functions processing high log volumes should be monitored for:

  • Timeout issues
  • Memory consumption
  • Stream lag

6. Implement Log Filtering

Avoid forwarding unnecessary logs.

Benefits:

  • Reduced QRadar licensing cost
  • Better performance
  • Easier investigations

Advanced Architecture Enhancements

Large enterprises often implement:

Multi-Region Logging

Forward logs from multiple OCI regions into centralized QRadar.


Event Correlation

Combine OCI logs with:

  • Active Directory
  • Firewalls
  • Endpoint Security
  • Kubernetes Security Events

Threat Intelligence Integration

QRadar can enrich OCI events with:

  • IP reputation feeds
  • Geo-location analysis
  • Threat intelligence services

FAQ

1. Can OCI logs be directly integrated with IBM QRadar?

Yes. OCI logs can be integrated using Service Connector Hub, OCI Streaming, OCI Functions, and Syslog or REST APIs.


2. Which OCI logs are most important for security monitoring?

Audit Logs, VCN Flow Logs, WAF Logs, and IAM-related events are the most critical for enterprise security monitoring.


3. Is OCI Streaming mandatory for QRadar integration?

No. Service Connector Hub can target an OCI Function directly, so the function can forward logs without a stream in between. OCI Streaming adds a durable buffer with replay, which is why it is recommended for high-volume enterprise integrations where the QRadar side may be briefly unavailable.


Summary

Integrating Oracle Cloud Infrastructure logs into IBM QRadar is a critical requirement for organizations implementing enterprise-grade cloud security monitoring and SIEM operations.

Using OCI Logging, Service Connector Hub, OCI Streaming, and OCI Functions, organizations can build scalable and secure integrations that provide centralized visibility across OCI environments.

A properly designed integration helps organizations:

  • Improve threat detection
  • Meet compliance standards
  • Monitor cloud activities centrally
  • Reduce incident response time
  • Enhance enterprise SOC operations

Modern OCI 26A implementations strongly favor native OCI logging services combined with secure event forwarding patterns using OCI Functions and Streaming services.

For additional implementation guidance, refer to the official Oracle documentation:

Oracle Cloud Infrastructure Documentation

OCI Logging Documentation

OCI Service Connector Hub Documentation

