There are two tables in the Identity Manager repository that are used to store audit data:
waveset.log – Stores most of the event details.
waveset.logattr – Stores the IDs of the organizations to which each event belongs.
These tables are discussed first in this section.
When audit log data exceeds the column length limits specified for the above tables, Identity Manager truncates the data to fit. Audit log truncation is discussed in Audit Log Truncation.
A few columns in the audit log have configurable column length limits. To find out about these columns and learn how to change their length limits, see Audit Log Configuration.
This section describes the column names and data types found in the waveset.log table. The data types are taken from the Oracle database definition and vary slightly from database to database. For a list of data schema values for all supported databases, see Appendix B, Audit Log Database Schema.
A few of the column values are stored as keys in the database for space optimization. For key definitions, see the section titled Audit Log Database Mappings.
objectType CHAR(2) – A two-character key that represents the object type that is being audited.
action CHAR(2) – A two-character key that represents the action that was performed.
actionStatus CHAR(1) – A one-character key that represents the result of the action that was performed.
reason CHAR(2) – A two-character database key that describes a ReasonDenied object if there was a failure. ReasonDenied is a class that wraps a message catalog entry and is used for common failures such as invalid credentials and insufficient privileges.
actionDateTime VARCHAR(21) – The date and time at which the above action took place. This value is stored in GMT.
objectName VARCHAR(128) – The name of the object that was acted on during an operation.
resourceName VARCHAR(128) – The resource name that was used during an operation, if applicable. Some events do not reference resources; however, in many situations logging the resource where an operation was performed gives greater detail.
accountName VARCHAR(255) – The account ID being acted on, if applicable.
server VARCHAR(128) – The server where the action was performed (automatically assigned by the event logger).
message VARCHAR(255*) or CLOB – Any localized messages associated with an action, including things like error messages. The text is stored localized so it will not be internationalized. The column length limit for this column is configurable. The default data type is VARCHAR and the default size limit is 255. See Audit Log Configuration for information on how to adjust the size limit.
interface VARCHAR(50) – The Identity Manager interface (such as the Administrator, User, IVR, or SOAP interface) from which the operation was performed.
acctAttrChanges VARCHAR(4000) to CLOB – Stores the account attributes that have changed during a create or update. The attribute changes field is always populated during a create or update for a resource account or Identity Manager account object. All of the attributes changed during an action are stored in this field as a string. The data is in NAME=VALUE NAME2=VALUE2 format. This field can be queried by executing “contains” SQL statements against the name or value.
The following code example illustrates a value in the acctAttrChanges column.
COMPANY="COMPANY" DEPARTMENT="DEPT" DESCRIPTION="DSMITH DESCRIPTION" FAX NUMBER="5122222222" HOME ADDRESS="12282 MOCKINGBIRD LANE" HOME CITY="AUSTIN" HOME PHONE="5122495555" HOME STATE="TX" HOME ZIP="78729" JOB TITLE="DEVELOPER" MOBILE PHONE="5125551212" WORK PHONE="5126855555" EMAIL="someone@somecompany.COM" EXPIREPASSWORD="TRUE" FIRSTNAME="DANIEL" FULLNAME="DANIEL SMITH" LASTNAME="SMITH"
If your Identity Manager installation uses an Oracle repository, and you notice truncation errors in the audit log, you can convert the acctAttrChanges field in the audit log table from VARCHAR(4000) to CLOB. Identity Manager provides a sample DDL script in the /web/sample directory that converts log.acctAttrChanges from VARCHAR(4000) to CLOB. The convert_log_acctAttrChangesCHAR2CLOB.oracle.sql script preserves existing data and allows more than 4000 characters in the acctAttrChanges field.
This conversion is optional and should be performed only if you notice truncation errors. Also, be sure to back up the affected tables before running the conversion script.
After running the conversion script, stop and restart your web application server. When you run a new report, it should display correctly.
acctAttr01label-acctAttr05label VARCHAR(50) – These five additional NAME slots are columns that can promote up to five attribute names to be stored in their own column instead of in the big blob. You can promote an attribute from the Resource Schema Configuration page using the "audit?" setting, and the attribute will be available for data mining.
acctAttr01value-acctAttr05value VARCHAR(128) – Five additional VALUE slots that can promote up to five attribute values to be stored in a separate column instead of in the blob column.
parm01label-parm05label VARCHAR(50) – Five slots used to store parameters associated with an event. Examples of these are Client IP and Session ID names.
parm01value-parm05value VARCHAR(128*) or CLOB – Five slots used to store parameters associated with an event. Examples of these are Client IP and Session ID values. The column length limit for these columns is configurable. The default data type is VARCHAR and the default size limit is 128. See Audit Log Configuration for information on how to adjust the size limit.
id VARCHAR(50) – Unique ID assigned to each record by the repository. This ID is referenced in the waveset.logattr table.
name VARCHAR(128) – Generated name assigned to each record.
xml BLOB – Used internally by Identity Manager.
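The acctAttrChanges format described above has attribute names that contain spaces (FAX NUMBER, HOME ADDRESS), so splitting on whitespace does not work. The following parser is an added example, not Identity Manager code; it assumes values are double-quoted as in the sample and contain no embedded quotes, and the function names and the shortened sample strings are constructed for illustration.

```python
import re

# One NAME="VALUE" pair. A name is any run of characters other than '=' and '"',
# which allows embedded spaces such as HOME ADDRESS.
_PAIR = re.compile(r'\s*([^="]+?)\s*="([^"]*)"')

# Constructed samples, shortened from the value shown on the page.
SAMPLE = ('COMPANY="COMPANY" FAX NUMBER="5122222222" '
          'HOME ADDRESS="12282 MOCKINGBIRD LANE" '
          'EMAIL="someone@somecompany.COM" EXPIREPASSWORD="TRUE"')
CUT_SAMPLE = 'FIRSTNAME="DANIEL" FULLNAME="DANIEL SM...'


def parse_acct_attr_changes(raw):
    """Return (attrs, remainder) for an acctAttrChanges string.

    remainder is the tail that is not a complete pair. A non-empty remainder
    (typically ending in '...') means the column value was cut off.
    """
    attrs = {}
    pos = 0
    while True:
        match = _PAIR.match(raw, pos)
        if match is None:
            break
        attrs[match.group(1)] = match.group(2)
        pos = match.end()
    return attrs, raw[pos:].strip()


def find_changes(raw, wanted):
    """Return (changed attributes named in wanted, value_was_cut_off)."""
    attrs, remainder = parse_acct_attr_changes(raw)
    hits = {name: value for name, value in attrs.items() if name in wanted}
    return hits, bool(remainder)


if __name__ == "__main__":
    print(find_changes(SAMPLE, {"EMAIL", "EXPIREPASSWORD"}))
    print(parse_acct_attr_changes(CUT_SAMPLE))
```

When the second return value of find_changes is true, the record may have lost attribute changes past the cut, so an empty result is not proof that an attribute was unchanged.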
The waveset.logattr table is used to store IDs of the organizational membership for each event, which is used to scope the audit log by organization.
id VARCHAR(50) – ID of the waveset.log record.
attrname VARCHAR(50) – Currently, always MEMBEROBJECTGROUPS.
attrval VARCHAR(255) – ID of the MemberObject group where the event belongs.
When one or more columns of audit log data exceed the specified column length limits, the column data is truncated to fit. Specifically, the data is truncated to the specified limit, less three characters. An ellipsis (...) is then appended to the column data to indicate truncation has occurred.
In addition, the NAME column of that audit record is prepended with the string #TRUNCATED# to facilitate querying of truncated records.
Identity Manager assumes UTF-8 encoding when it computes where to truncate messages. If your configuration uses encoding other than UTF-8, there is a chance that truncated data may still exceed the actual column size in your database. If this happens, the truncated message does not appear in the audit log and an error is written in the system log.
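The truncation rule and the encoding caveat above can be modelled as follows. This is an added example, not Identity Manager's implementation: it assumes the limit is counted in UTF-8 bytes and that a multi-byte character is never split, and the function names and the record name LOG0001 are constructed for illustration.

```python
MARKER = "#TRUNCATED#"   # prefix the page says is added to the NAME column
ELLIPSIS = "..."


def truncate_utf8(value, limit):
    """Cut value to (limit - 3) and append '...', as the text describes.

    Assumption: the limit is counted in UTF-8 bytes and a multi-byte
    character is never split. Returns (text, was_truncated).
    """
    if len(value.encode("utf-8")) <= limit:
        return value, False
    budget = limit - len(ELLIPSIS)
    kept, used = [], 0
    for ch in value:
        size = len(ch.encode("utf-8"))
        if used + size > budget:
            break
        kept.append(ch)
        used += size
    return "".join(kept) + ELLIPSIS, True


def build_record(name, message, limit=255):
    """Return (name, message) as they would be written under this model."""
    message, cut = truncate_utf8(message, limit)
    return (MARKER + name if cut else name), message


def fits_column(text, limit, db_encoding):
    """True if text still fits a limit-byte column in the database encoding."""
    return len(text.encode(db_encoding)) <= limit


if __name__ == "__main__":
    # Constructed sample: a 400-character ASCII message, default limit 255.
    name, msg = build_record("LOG0001", "x" * 400)
    print(name, len(msg))
    for enc in ("utf-8", "utf-16-le"):
        print(enc, fits_column(msg, 255, enc))
```

Under this model the truncated message is exactly 255 bytes in UTF-8 but 510 bytes in UTF-16, which is the situation in which the page says the record is dropped from the audit log and an error goes to the system log instead.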