Saturday, January 17, 2026

OCI Logging – Enable Flow logging for VCN

Oracle Cloud Infrastructure (OCI) provides built-in observability features to help you monitor cloud activity. For networking, VCN Flow Logs capture traffic flow metadata (source/destination IP, ports, protocol, direction, bytes/packets, and accept/reject status). This is very useful for troubleshooting connectivity, validating security posture, and supporting audits or penetration testing evidence.

In this article, we will enable Flow Logs at the subnet level and control the captured traffic using a Capture Filter.

To enable logging for a VCN, go to the Network -> VCN -> Subnets page.

Click the Monitoring tab; the Monitoring page has a Logs section.

We need to enable Flow Logs there. Click the three dots on the right side and choose the Enable Log option.

Specify the compartment, log location, log group and log name.

We also need to specify a Capture filter; it is a required parameter for enabling the log, and it is given as the OCID of the desired Capture filter.

Network activity generates a huge volume of logs, so OCI provides a way to state which traffic is included in or excluded from the flow logs. The Capture Filter can be created under Networking -> Network Command center -> Capture Filters.

Specify a name and compartment for the Capture filter. A capture filter can be created either as a Flow log capture filter or for VTAP; for this activity we need one for Flow logs. The sampling rate defines the percentage of network flows to be examined; we can pick one of the predefined percentages (1%, 5%, 10%, 20%, 25%, 50%, 100%).

The next section defines the rules for which traffic is included in or excluded from the flow logs. We can define up to 10 rules in a capture filter, and they are examined in order. If the first rule matches, the remaining rules are not evaluated, so we need to be careful with the ordering of the rules.

The rules can also be defined later in the capture filter. If we are not yet sure which traffic to exclude or include, we can leave Traffic disposition as All (Accept and Reject) and Include/Exclude as Include; that way we include all traffic without any condition.
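As an added illustration (not code from the article or from OCI), here is a small Python model of the ordered, first-match-wins rule evaluation described above, with the catch-all "All + Include" filter beside a trimmed one and the same trimmed rules in the wrong order. The rule fields are a simplification of the console form, not the OCI API schema, and the sample flows are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

MAX_RULES = 10  # the article: at most 10 rules per capture filter

@dataclass
class Rule:
    action: str                       # "INCLUDE" or "EXCLUDE"
    disposition: str = "ALL"          # traffic disposition: "ALL", "ACCEPT", "REJECT"
    source_cidr: Optional[str] = None
    destination_cidr: Optional[str] = None
    protocol: Optional[str] = None    # e.g. "tcp"; None matches any protocol

@dataclass
class Flow:
    src: str
    dst: str
    protocol: str
    status: str                       # "ACCEPT" or "REJECT" from the log record

def _in_cidr(ip: str, cidr: Optional[str]) -> bool:
    return cidr is None or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

def _matches(rule: Rule, flow: Flow) -> bool:
    return (rule.disposition in ("ALL", flow.status)
            and rule.protocol in (None, flow.protocol)
            and _in_cidr(flow.src, rule.source_cidr)
            and _in_cidr(flow.dst, rule.destination_cidr))

def is_logged(rules: List[Rule], flow: Flow) -> bool:
    """Rules are tried in order and the first match decides. A flow matching no
    rule is treated as not logged (this model's assumption, not from the article)."""
    if len(rules) > MAX_RULES:
        raise ValueError(f"a capture filter allows at most {MAX_RULES} rules")
    for rule in rules:
        if _matches(rule, flow):
            return rule.action == "INCLUDE"
    return False

# Constructed sample flows (not real log data).
ACCEPTED_INTERNAL = Flow("10.0.1.5", "10.0.2.9", "tcp", "ACCEPT")
REJECTED_INTERNAL = Flow("10.0.1.5", "10.0.2.9", "tcp", "REJECT")
ACCEPTED_EGRESS = Flow("10.0.1.5", "203.0.113.7", "tcp", "ACCEPT")

CATCH_ALL = [Rule("INCLUDE")]  # the article's "All + Include" starting point
# Drop accepted intra-VCN traffic but keep rejects and everything else.
TRIMMED = [Rule("EXCLUDE", "ACCEPT", destination_cidr="10.0.0.0/16"), Rule("INCLUDE")]
# Same rules reversed: the catch-all matches first, so the exclude rule is dead.
MISORDERED = list(reversed(TRIMMED))
```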

Once the capture filter is created, copy its OCID.

Paste the OCID into the subnet's Enable resource log page that we discussed earlier.

It also gives the option to specify the retention period of captured logs. It is available under Advanced options.

The default and minimum log retention is 1 month and the maximum is 6 months.

Click the Log name and, in the Log details page, choose Explore log. We can see all the flow traffic captured in the log.
