This appendix provides reference information for audit repors in the Oracle Fusion Middleware Audit Framework.
Use the information in this chapter for audit record administration and to develop audit reports for system components.
This chapter contains these topics:
Note:
This appendix covers reports based on the report template model with Oracle Business Intelligence Publisher 10g. A different approach is used for audit based on the dynamic metadata model; see Chapter 15 for details.This section describes the components that are audited and the types of events that can be audited.
The Oracle Fusion Middleware Audit Framework provides the foundation for auditing by Oracle Fusion Middleware components and applications. In 12c (12.1.2), a number of Java and system components can generate audit records; they are known as audit-aware components.
Some examples of Java components that utilize the Fusion Middleware Audit Framework are:
Directory Integration Platform Server
Oracle Platform Security Services
Oracle Web Services Manager
Oracle Web Services
Reports Server
Some system components that utilize the Fusion Middleware Audit Framework are:
Oracle HTTP Server
Oracle Internet Directory
This appendix provides audit information only for events generated by Oracle Platform Security Services. For details about auditing in other components and applications, refer to the respective administration guides.
The set of tables in this section shows what event types can be audited:
This section contains the following tables:
Table C-1 System Categories and Events
Category | Event | Description |
---|---|---|
UserSession This set of events is for creating and using user sessions on the system. Common attribute for these events: AuthenticationMethod |
UserLogin User Logins |
In multi-tier applications, inner tiers often use some special user id (an end user or an administrator) to log in to the next tier. To make audit reports more meaningful, logins by these special users are considered in a separate category - Internal Logins. The User Logins/Logouts events only records actions by regular users (including administrators). |
UserLogout User Logouts |
An end user or administrator logs out. |
|
Authentication |
Authentication is very similar to UserLogin/InternalLogin, except that no session is created, so there is no corresponding UserLogout/InternalLogout. This event is usually generated by lower layers, while login is generated by higher layers. |
|
InternalLogin Internal Login |
This is an internal login between two tiers. |
|
InternalLogout Internal Logout |
This is an internal logout between two tiers. |
|
QuerySession Query Session |
Query the attributes within a session object for a logged-in user. |
|
ModifySession |
Modify the attributes within a session object for a logged-in user. |
|
Authorization This set of events is for authorization. |
CheckAuthorization Check Authorization |
|
Data Access This set of events is for data access. |
CreateDataItem Create a data item |
Create a data item, for example a file. |
DeleteDataItem |
Delete a data item. |
|
QueryDataItemAttributes |
Query the attributes associated with a data item. |
|
ModifyDataItemAttributes |
Modify the attributes associated with a data item, for example access. |
|
AccountManagement This set of events is for the management of principal accounts. |
ChangePassword |
Change a user's password. |
CreateAccount |
Create a user, or group, or any other principal account. |
|
DeleteAccount |
Delete an account for a user, or group, or any other principal. |
|
EnableAccount |
Enable an account for a user, or group, or any other principal |
|
DisableAccount |
Disable an account for a user, or group, or any other principal. |
|
QueryAccount |
Query the user's account. |
|
ModifyAccount |
Modify the account attributes. |
|
ServiceManagement This set of events relate to management of system services and applications. |
InstallService |
Install or upgrade a service or an application. |
RemoveService |
De-install a service or an application. |
|
QueryServiceConfig |
Query the configuration of a service or application. |
|
ModifyServiceConfig |
Modify the configuration of a service or application. |
|
DisableService |
Shut down or disable a service or application. |
|
EnableService |
Start up or enable a service or application. |
|
ServiceUtilize These events relate to the use of a service or application. They typically map to the execution of a program or procedure, and manipulation of the processing environment. |
InvokeService |
Invoke a service or an application. For example, execute a command-line script. |
TerminateService |
Terminate a service or an application, either at the request of the application itself or by intervention of the domain in response to user or administrative action. |
|
QueryProcessContext |
Query the attributes associated with the current processing context. |
|
ModifyProcessContext |
Modify the attributes associated with the current processing context. |
|
PeerAssocManagement This set of events creates and works with communication channels between system components. |
CreatePeerAssoc |
Creates a communication channel between system components. |
TerminatePeerAssoc |
Terminates a communication channel between system components. |
|
QueryAssocContext |
Query attributes associated with a communication channel between system components. |
|
ModifyAssocContext |
Modify attributes associated with a communication channel between system components |
|
a communication channel between system components |
||
ReceiveDataViaAssoc |
Receive data from an associated peer. |
|
SendDataViaAssoc |
Send data to an associated peer. |
|
DataItemContentAccess This set of events is to form an association between a service or application and a data item or resource element to use its content or services; for example a file or directory, a device special file, a memory segment, communication port, and so on. |
CreateDataItemAssoc |
Open a data item, for example a file. |
TerminateDataItemAssoc |
Close a data item, for example a file. |
|
QueryDataItemAssocContext |
Query attributes of a data item, for example mode of access, size limits, access paths, and so on. |
|
ModifyDataItemAssocContext |
Modify attributes of a data item. |
|
QueryDataItemContents |
Read the data item. |
|
ModifyDataItemContent |
Write or append to the data item. |
|
Exceptional These events are considered to be outside the generalized events. |
StartSystem |
Boot a system host. |
ShutdownSystem |
Shut down the system. |
|
ResourceExhausted |
Resources like data storage or communication endpoints have been exhausted. |
|
ResourceCorrupted |
Resources like data storage have integrity failures. |
|
BackupDatastore |
Make a backup copy of a data store. |
|
RecoverDatastore |
Recover a data store from a backup copy. |
|
AuditService This set of events applies to audit service configuration. Common attribute for these events: TransactionId |
ConfigureAuditPolicy |
Modify parameters that control auditing, for example the audit event filtering. |
ConfigureAuditRepository |
Configure the audit repository, for example to change from a file-based repository to a database repository. |
See Also:
Section 13.4.3 for background about system categories and events.Table C-2 Core Oracle Platform Security Services Events
Event Category | Event Type | Attributes used by Event |
---|---|---|
Authorization |
CheckPermission |
ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, CodeSource, Principals, InitiatorGUID, Subject, PermissionAction, PermissionTarget, PermissionClass |
CheckSubject |
ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, CodeSource, Principals, InitiatorGUID, Subject |
|
CredentialManagement |
CreateCredential |
ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, mapName, key, CodeSource, Principals, InitiatorGUID |
DeleteCredential |
ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, mapName, key, CodeSource, Principals, InitiatorGUID |
|
AccessCredential |
ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, mapName, key, CodeSource, Principals, InitiatorGUID |
|
ModifyCredential |
ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, mapName, key, CodeSource, Principals, InitiatorGUID |
|
PolicyManagement |
PolicyGrant |
ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, CodeSource, Principals, InitiatorGUID, PermissionAction, PermissionTarget, PermissionClass, PermissionScope |
PolicyRevoke |
ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, CodeSource, Principals, InitiatorGUID, PermissionAction, PermissionTarget, PermissionClass, PermissionScope |
|
RoleManagement |
RoleMembershipAdd |
ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, CodeSource, Principals, InitiatorGUID, ApplicationRole, EnterpriseRoles, PermissionScope |
RoleMembershipRemove |
ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, CodeSource, Principals, InitiatorGUID, ApplicationRole, EnterpriseRoles, PermissionScope |
Table C-3 Identity Directory Service Events
Event Category | Event Type | Attributes used by Event |
---|---|---|
UserSession |
Authentication |
Initiator, EventType, EventStatus, MessageText, ApplicationName, AuditService:TransactionId, ContextFields, ECID, EventCategory, FailureCode, MajorVersion, MinorVersion, RID, RemoteIP, Resource, Roles, SessionId, Target, ThreadId, AuthenticationMethod |
DataAccess |
CreateDataItem |
Initiator, EventType, EventStatus, MessageText, ApplicationName, AuditService:TransactionId, ContextFields, ECID, EventCategory, FailureCode, MajorVersion, MinorVersion, RID, RemoteIP, Resource, Roles, SessionId, Target, ThreadId, AuthenticationMethod |
DeleteDataItem |
Initiator, EventType, EventStatus, MessageText, ApplicationName, AuditService:TransactionId, ContextFields, ECID, EventCategory, FailureCode, MajorVersion, MinorVersion, RID, RemoteIP, Resource, Roles, SessionId, Target, ThreadId, AuthenticationMethod |
|
ModifyDataItemAttributes |
Initiator, EventType, EventStatus, MessageText, ApplicationName, AuditService:TransactionId, ContextFields, ECID, EventCategory, FailureCode, MajorVersion, MinorVersion, RID, RemoteIP, Resource, Roles, SessionId, Target, ThreadId, AuthenticationMethod |
Table C-4 Identity Virtualization Library Events
Event Category | Eventy Type | Attributes used by Event |
---|---|---|
LDAPEntryAccess |
Add |
Initiator, EventType, EventStatus, MessageText, ApplicationName, AuditService:TransactionId, ContextFields, ECID, EventCategory, FailureCode, MajorVersion, MinorVersion, RID, RemoteIP, Resource Roles, SessionId, Target, ThreadId, AuthenticationMethod |
Delete |
Initiator, EventType, EventStatus, MessageText, ApplicationName, AuditService:TransactionId, ContextFields, ECID, EventCategory, FailureCode, MajorVersion, MinorVersion, RID, RemoteIP, Resource, Roles, SessionId, Target, ThreadId, AuthenticationMethod |
|
Modify |
Initiator, EventType, EventStatus, MessageText, ApplicationName, AuditService:TransactionId, ContextFields, ECID, EventCategory, FailureCode, MajorVersion, MinorVersion, RID, RemoteIP, Resource, Roles, SessionId, Target, ThreadId, AuthenticationMethod |
|
Rename |
Initiator, EventType, EventStatus, MessageText, ApplicationName, AuditService:TransactionId, ContextFields, ECID, EventCategory, FailureCode, MajorVersion, MinorVersion, RID, RemoteIP, Resource, Roles, SessionId, Target, ThreadId, AuthenticationMethod |
|
UserSession |
UserLogin.FAILURESONLY |
Initiator, EventType, EventStatus, MessageText, ApplicationName, AuditService:TransactionId, ContextFields, ECID, EventCategory, FailureCode, MajorVersion, MinorVersion, RID, RemoteIP, Resource, Roles, SessionId, Target, ThreadId, AuthenticationMethod |
DataAccess |
QueryDataItemAttributes |
Initiator, EventType, EventStatus, MessageText, ApplicationName, AuditService:TransactionId, ContextFields, ECID, EventCategory, FailureCode, MajorVersion, MinorVersion, RID, RemoteIP, Resourc,e Roles, SessionId, Target, ThreadId, AuthenticationMethod |
ModifyDataItemAttributes |
Initiator, EventType, EventStatus, MessageText, ApplicationName, AuditService:TransactionId, ContextFields, ECID, EventCategory, FailureCode, MajorVersion, MinorVersion, RID, RemoteIP, Resource, Roles, SessionId, Target, ThreadId, AuthenticationMethod |
Table C-5 lists all attributes for OPSS audited events. Use this table to learn about the attributes used in the event of interest.
Table C-5 Attributes of OPSS Audit Events
Namespace | Attribute Name | Description |
---|---|---|
common |
ApplicationName |
The Java EE application name. |
AuditUser |
Identifies the user name of the user who is running the application. |
|
ComponentData |
Where component-specific data are stored when there is no component-specific table in the schema. |
|
ComponentName |
The name of this component. |
|
ComponentType |
Type of the component. |
|
ContextFields |
This attribute contains the context fields extracted from the dms context. |
|
DomainName |
The WebLogic Server or IBM WebSphere Domain. |
|
EventCategory |
The category of the audit event. |
|
EventStatus |
The outcome of the audit event - success or failure. |
|
EventType |
The type of the audit event. Use the wlst listAuditEvents command to list out all the events. |
|
FailureCode |
The error code in case EventStatus = failure |
|
HomeInstance |
The ORACLE_INSTANCE directory of the component. |
|
HostId |
DNS hostname of originating host. |
|
HostNwaddr |
The IP or other network address of originating host. |
|
Initiator |
Identifies the UID of the user who is doing the operation. |
|
InstanceId |
The name of the Oracle instance to which this component belongs. |
|
MajorVersion |
The major version of a component. |
|
MessageText |
Description of the audit event. |
|
MinorVersion |
The minor version of a component. |
|
ModuleId |
The ID of the module that originated the message. Interpretation is unique within Component ID. |
|
OracleHome |
The ORACLE_HOME directory of the component. |
|
ProcessId |
The ID of the process that originated the message. |
|
RemoteIP |
The IP address of the client initiating this event. |
|
Resource |
Identifies a resource that is being accessed. A resource can be many things - web page, file, directory share, web service, XML document, a portlet. The resource can be named as a combination of a host name, and a URI. |
|
RID |
This is the relationship identifier; it is used to provide the full and correct calling relationships between threads and processes. |
|
Roles |
The roles that the user was granted at the time of login. |
|
SessionId |
The ID of the login session. |
|
Target |
Identifies the UID of the user on whom the operation is being done. For example, if Alice changes Bob's password, then Alice is the initiator and Bob is the target. |
|
TargetComponentType |
The target component type. |
|
TstzOriginating |
Date and time when the audit event was generated. |
|
ThreadId |
The ID of the thread that generated this event. |
|
TenantId |
The tenant ID. |
|
TransactionId |
The transaction ID. |
|
UserTenantId |
The user tenant ID. |
|
AuditService |
TransactionId |
The transaction ID. |
UserSession |
AuthenticationMethod |
The Authentication method, namely password, SSL, Kerberos and so on. |
See Also:
Section 13.4.2 for details about attribute groups and attributes.Oracle Fusion Middleware Audit Framework provides a range of out-of-the-box reports for system components that are accessible through Oracle Business Intelligence Publisher. This section describes how to configure audit reporting with Oracle Business Intelligence Publisher and how to view audit reports:
When your audit data resides in a database, you can run pre-defined Oracle Business Intelligence Publisher reports and create your own reports on the data. This section contains these topics about configuring your environment for audit reports:
Set Up Oracle Reports in Oracle Business Intelligence Publisher
Configure Scheduler in Oracle Business Intelligence Publisher
See Also:
Oracle Business Intelligence Publisher Enterprise documentation at:Reports help auditors determine whether there are any violations with respect to various industry regulations such as HIPPA, SOX, and other regulatory compliance demands. Oracle Fusion Middleware Audit Framework is integrated with Oracle Business Intelligence Publisher for out-of-the box reports.
Pre-defined reports are available as part of the Oracle Fusion Middleware Audit Framework. These reports are integrated with Oracle Business Intelligence Publisher to work in conjunction with the audit data in the audit store.
Oracle Fusion Middleware Audit Framework ships with over twenty pre-built reports in 12c (12.1.2). For convenience, the reports are grouped in Oracle Business Intelligence Publisher according to functional areas and by component.
The functional areas consists of the following:
Error and Exception reports like authentication and authorization failures
User Activities including transaction history and authorization history
Operational reports including created, deleted, and locked-out users
Audit Service Events
As the name implies, the component-specific reports are grouped based on the components themselves, for example, Oracle HTTP Server reports.
Other features of Oracle Business Intelligence Publisher include:
Flexible Report Displays
You can view reports online, change report parameters, change output types (pdf, html, rtf, excel and others), modify the appearance of reports, export to the desired format, and send to an E-mail address, fax or other destination.
Report Filters
You can filter audit records to be included in the report using a range of options including the ability to modify the SQL used to extract records from the audit repository.
Scheduling Reports
You can schedule reports to be run based on a range of criteria such as filters, templates, formats, locale, viewing restrictions and so on.
See Also:
For more information about scheduling features, see the Oracle Business Intelligence Publisher Enterprise documentation at:Custom Reporting
You can design your own reports and specify the data model, layout, parameters, bursting (for example, you can enable delivery based on delivery preference).
See Also:
Section J.6, "Troubleshooting Oracle Business Intelligence Reporting" for troubleshooting tips and other useful information about Oracle Business Intelligence
Oracle Business Intelligence Publisher Enterprise documentation at:
All the auditing reports available in Oracle Business Intelligence Publisher provide these report filtering and formatting options:
View - View the report using the current parameters.
Schedule - Set up a schedule for the report along with job parameters and data filters.
History - View history.
Edit - Modify the query and parameter display formats.
Configure - Set up runtime configuration controls.
Export - Export to a file.
If you already have Oracle Business Intelligence Publisher 10.1.3.4 or later installed at your site, you can skip this section and go to Section C.2.1.3.
If you need to install Oracle Business Intelligence Publisher, follow the instructions provided with the Oracle Business Intelligence Publisher Companion CD.
See Also:
Oracle Business Intelligence Publisher Enterprise documentation at:In this section you configure Oracle Business Intelligence Publisher to work with the audit datasource.
Note:
11g Release 1 (11.1.1.4.0) PS3 reports can work only with an 11g Release 1 (11.1.1.4.0) PS3 schema; they cannot work with an earlier schema such as 12c (12.1.2).Details about upgrading schemas with the Patch Set Assistant are available in the Oracle Fusion Middleware Patching Guide.
Take these steps to set up Oracle Business Intelligence Publisher for use with audit reports:
Navigate to the Reports folder in your Oracle Business Intelligence Publisher installation. By default, the Reports folder is at %BIP_HOME%\XMLP\Report
s.
Unjar the AuditReportTemplates.jar
into your Reports
folder. You should see a new folder called Oracle_Fusion_Middleware_Audit. You can find AuditReportTemplates.jar
at:
$MW_ORA_HOME/oracle_common/modules/oracle.iau_12.1.2/reports/ AuditReportTemplates.jar
Set up the data source for audit repository as follows:
Navigate to the Admin tab.
If you deployed on Oracle WebLogic Server in Step 1, set up JNDI as follows:
Click JNDI Connection.
Click Add DataSource.
Specify the DataSource details:
Name the Data Source Audit
.
Note:
The reports refer to the audit data source, so the naming convention is important.JNDI Name - 'jdbc/AuditDB'
Test for a successful connection. If the connection is not successful, check the values you entered.
Press Apply to save your changes.
If you deployed on Oracle Containers for Java EE in Step 1, set up JNDI as follows:
Click JDBC Connection.
Click Add DataSource.
Specify the DataSource details:
Name the Data Source Audit
.
Note:
The reports refer to the audit data source, so the naming convention is important.Enter the details for the URL, username, and password for the audit schema. (Note: The username and password consist of a prefix plus the audit schema name, which is IAU_VIEWER. For example, dev_iau_viewer or test_iau_viewer.)
Test for a successful connection. If the connection is not successful, check the values you entered.
Press Apply to save your changes.
You can use the standard audit reports in their default formats out-of-the-box. However, if you wish to customize the appearance and other related aspects of the reports, you do so by setting up audit report templates.
From a report's Edit dialog, you can click the Layout option in the left panel to control layouts and output formats. Using this feature, you can:
Customize the report template and design your own layout; for example you can rearrange fields and highlight selected field labels.
Restrict the formats to which the report output is generated - by default, a large number of output formats are available including HTML, PDF, Excel spreadsheet, RTF, and others.
See Also:
Oracle Business Intelligence Publisher User's Guide.You can use the standard audit reports in their default formats out-of-the-box. However, if you wish to customize the scope of data and other related aspects of the reports, you do so by setting up audit report filters.
Oracle Business Intelligence Publisher provides both basic and advanced filtering options for your audit reports.
See Also:
Oracle Business Intelligence Publisher User's Guide.Clicking on the report's Schedule button brings up a page which you can use to schedule and administer the report.
In the Report Parameters area you can provide high-level filters to restrict the report:
Date Filters
show only recent audit records such as last hour or last week.
show records generated within a specified starting and ending dates.
limit number of records returned.
Selected Report Fields
For example, the Authentication Failures report can be filtered by:
Username
Component Type
Component Name
Application Name
Domain Name
Clicking on the report's Edit button brings up a page at which you can specify more detailed report filters and properties. This page consists of two panels. The left panel lets you select what element of the report is to be modified through these options. For each element you select, the right panel displays the corresponding information.
Data Model - This contains the SQL query that fetches the raw data for the report. The query can be modified according to your needs.
List of Values - Shows all the report columns. Selecting on a column displays the underlying SQL query that filters data for the attribute. You can modify the query as needed; for example you can specify more restrictive filter values.
Parameters - Shows all the report columns, and lets you select any column to modify display settings for that column. For example, you can specify a date display format for timestamp fields.
Layouts and output formats - This feature is described in Section C.2.1.6.
Clicking on the report's Schedule button brings up a page which you can use to schedule and administer the report. Information you can specify on this page includes:
Note:
This feature assumes that the Oracle Business Intelligence Publisher repository is already configured.Report Parameters - filters to restrict the data included in the report, for example records for the last hour only.
See Also:
Section C.2.1.5Job Properties - the job name, formatting locale and time zone, and so on.
Notification - one or more users to be notified by E-mail when the job completes or fails.
Time - report scheduling options; the report can be scheduled to run periodically or on a one-time basis.
Delivery - deliver the report to one or more users.
Oracle Fusion Middleware Audit Framework ships with a set of pre-defined reports that are designed to work, out-of-the-box, with Oracle Fusion Middleware components. These reports are organized into two main categories:
Common Reports
These reports capture common events such as authentication success and failures, account-related status (lockout, disabled, and so on). Many components have implemented audit capability for these common events. The common reports are located under the Common Reports subfolder of the Audit Reports, and all audit-enabled events from across the components are captured in these reports.
For example, "Authentication History" displays authentication history across all the components where authentication events are being captured.
You can use these reports to examine audit records for a specific area across components or to examine the audit records of a single user across multiple components for that specific area.
Component-specific Reports
These reports focus on individual components. They are needed because not all audit events may be relevant to each component. The Component Specific folder serves two purposes. First, it identifies the valid reports among the Common Reports that are relevant to the component and show only the audit records for that component. Secondly, for some components, component-specific reports have been defined to suit the specific needs of that component. While audit records themselves are generic for all the components, the representation of an audit record may have component-specific requirements. For example, an access policy may need to be shown in a format to be useful.
For example, you can locate the Authentication History report in the Common folder, where it displays authentication events for all components. You can also find the same report under a component-specific folder, where it displays authentication events for that component only.
There is also a generic report at the top level called "All Events", which shows all the events across all audit-enabled components. The "All Events" report is also available in each component-specific folder, to show all the events for individual components.
This report can be used to query audit data.
This section explains how to view audit reports using Oracle Business Intelligence Publisher.
Take these steps to view an audit report:
Log in to Oracle Business Intelligence Publisher using a URL of the form:
http://
host.domain.com:port/
xmlpserver/
On the main page, click Oracle Fusion Middleware Audit under Shared Folders.
The audit reports are organized into:
reports that are common to multiple components; these are further organized by report types.
reports that are specific to a component; these are further organized by component.
See Also:
Table C-6 for a description of the standard reports.Navigate to the report of interest; for example, you can click on the Common Reports folder, then Errors and Exceptions, then click on All Errors and Exceptions.
The report is displayed.
The report display page contains these major areas:
Filters at the top of the page enable you to determine the type, scope, and number of records to include in the report. These filters include:
User
Start and End Dates
Last n time period
Component type and name
Application Name
Domain Name
Use relevant filters to limit the report to the desired records.
Note:
Initially, the report is displayed with default filter values that you can modify.Format control buttons enable you to determine:
the template type, which can be:
HTML - This is the default display format.
PDF - Displays a printable PDF view.
Data - Displays an unformatted XML data set.
To change the template type while viewing a report, select the type from the drop-down list and click View.
output format
delivery options
The report record display area. The appearance and number of columns depend on previously selected options and filters.
Each column header also acts as a sort option.
View, save or export the report as desired.
This section uses a common scenario to demonstrate how Oracle Business Intelligence Publisher reports are used to view audit data generated by Oracle Platform Security Services events.
In this example, some activity is generated on the credential store for an Oracle WebLogic Server domain. We then use Oracle Business Intelligence Publisher to take a look at the relevant report to see the audit records. Subsequently, a few other reports are examined.
As the system administrator, locate the domain whose credentials are to be managed.
Use the relevant commands to generate some credential management records; for example, create and delete some user credentials.
See Also:
Chapter 11, "Managing the Credential Store" for details about credential management.Log in to Oracle Business Intelligence Publisher using a URL of the form:
http://
host.domain.com:port/
xmlpserver/
Under the Reports tab, click on Shared Folders, and select Fusion Middleware Audit.
On the main page, click Fusion Middleware Audit under Shared Folders.
The audit report menu appears. Audit reports are organized in various folders by type.
To view audit records for Oracle Platform Security Services, for example, navigate to the Component Specific folder, then Oracle Platform Security Services.
The Oracle Platform Security Services folder contains several reports. Click All Events.
The report shows activity in a default time range. Modify the time range to show only the day's events.
The activity performed on that day appears on the page.
Observe the different regions of the report and their functions: report filters, format control, scheduling, and the data display itself.
In each report, the last data column is a Detail column. Click on a detail to view all the attributes of the specific audit record.
Return to the main folder to view some other reports of interest. For example, in the Common Reports folder, navigate to the Account Management folder, and click Account Profile History.
The Account Profile History report appears.
Click on the Event Details for an event of interest:
Finally, return to the Common Reports folder and select Errors and Exceptions. Select the All Errors and Exceptions report.
A number of records are displayed. To narrow the report to records of interest, use the Event drop-down to select checkPermission events.
One row is returned showing an authorization check failure:
Click Details to obtain more information:
This section provides detailed reference information about the standard (pre-built) audit report.
The standard audit reports are grouped as follows:
The All Events report
This report contains all audit records generated in a pre-defined interval.
Common Reports
These are reports that contain audit records across multiple components.
Component-Specific Reports
Each report is dedicated to a specific component.
Common reports are organized as follows:
Account Management
Account Profile History
Accounts Deleted
Accounts Enabled
Accounts Disabled
Accounts Created
Accounts Locked Out
Password Changes
dashboard
User Activities
Authentication History
Multiple Logins from Same IP
Authorization History
Event Details
Related Audit Events
Dashboard
Errors and Exceptions
All Errors and Exceptions
Authorization Failures
Authentication Failures
Dashboard
Important:
Run the Event Details report only against an 11g Release 1 (11.1.1.4.0) PS3 (patch set 3) schema.Table C-6 provides a brief description of each audit report in Oracle Business Intelligence Publisher.
Note:
The folder path shown in the column titled "Located in Folder" is relative to the Oracle Fusion Middleware Audit folder. To get to this folder, log in to Oracle Business Intelligence Publisher, and navigate to Shared Folders, then Oracle Fusion Middleware Audit.Table C-6 List of Audit Reports
Report | Description | Located in Folder |
---|---|---|
Accounts Created |
shows accounts created in various components. |
Common Reports, then Account Management. Also in Component Specific folders. |
Accounts Deleted |
shows accounts deleted in various components. |
Common Reports, then Account Management. Also in Component Specific folders. |
Accounts Disabled |
shows accounts disabled in various components. |
Common Reports, then Account Management. Also in Component Specific folders. |
Accounts Enabled |
shows accounts enabled in various components. |
Common Reports, then Account Management. Also in Component Specific folders. |
Accounts Locked Out |
shows accounts locked out due to excessive authentication failures. |
Common Reports, then Account Management. Also in Component Specific folders. |
Account Profile History |
shows profile changes in accounts, such as change in address and password changes. |
Common Reports, then Account Management. Also in Component Specific folders. |
All Errors and Exceptions |
captures all errors and exceptions across components. |
Common Reports, then Errors and Exceptions. Also in Component Specific folders. |
All Events |
displays all audit events. |
Oracle Fusion Middleware Audit. Also in Component Specific folders. |
Application Policy Management |
displays application level policy management. |
Component Specific, then Oracle Platform Security Services. |
Application Role Management |
shows application role to enterprise role mappings. |
Component Specific, then Oracle Platform Security Services. |
Assertion Activity |
shows assertion activity in Oracle Identity Federation. |
Component Specific, then Oracle Identity Federation. |
Assertion Template Management |
lists assertion template management operations in Oracle Web Services Manager. |
Component Specific, then Oracle Web Services Manager, then Policy Management. |
Authentication Failures |
shows authentication errors and exceptions; can be cross-component or specific to a component. |
Common Reports, then Errors and Exceptions. Also in Component Specific folders. |
Authentication History |
lists authentications across all components. |
Common Reports, then User Activities. Also in Component Specific folders. |
Authorization Failures |
captures authorization failures. |
Common Reports, then Errors and Exceptions. Also in Component Specific folders. |
Authorization History |
shows authorizations across all components. |
Common Reports, then User Activities. Also in Component Specific folders. |
Confidentiality Enforcements |
lists enforcements related to confidentiality in Oracle Web Services Manager. |
Component Specific, then Oracle Web Services Manager, then Policy Enforcements. |
Configuration Changes |
lists configuration changes made in Fusion Middleware Audit Framework. |
Component Specific, then Oracle Fusion Middleware Audit Framework. |
Credential Access |
displays credential accesses by users and applications in Oracle Platform Security Services. |
Component Specific, then Oracle Platform Security Services. |
Credential Management |
displays credential management operations performed in Oracle Platform Security Services. |
Component Specific, then Oracle Platform Security Services. |
Federation User Activity |
lists federation user activities in Oracle Identity Federation. |
Component Specific, then Oracle Identity Federation. |
Message Integrity Enforcements |
shows enforcements related to message integrity in Oracle Web Services Manager. |
Component Specific, then Oracle Web Services Manager, then Policy Enforcements. |
Multiple Logins from Same IP |
lists machines from where successful logins are made into different user accounts. |
Common Reports, then User Activities. |
Password Changes |
shows password changes done in various accounts. |
Common Reports, then Account Management. Also in Component Specific folders. |
Policy Attachments |
shows policy to web service endpoint attachments. |
Component Specific, then Oracle Web Services Manager. |
Policy Enforcements |
lists general policy enforcements for Oracle Web Services Manager. |
Component Specific, then Oracle Web Services Manager, then Policy Enforcements. |
Profile Management Events |
shows changes to Directory Integration Platform's profiles. |
Component Specific, then Directory Integration Platform. |
Request Response |
shows requests sent and responses received from web services. |
Component Specific, then Oracle Web Services Manager. |
System Policy Management |
displays system level policy management operations |
Component Specific, then Oracle Platform Security Services. |
Violations |
shows enforcement violations. |
Component Specific, then Oracle Web Services Manager, then Policy Enforcements. |
Web Services Policy Management |
shows policy management operations. |
Component Specific, then Oracle Web Services Manager, then Policy Management. |
Table C-7 lists the attributes that appear in the various audit reports. When viewing a report, you can use this table to learn more about the attributes that appear in the report.
Note the following:
Not all attributes appear in each report.
The user or users attribute, which appears in each report, can mean different things in different reports; see Table C-6 for an explanation of this attribute.
Not all the attributes are displayed in Oracle Business Intelligence Publisher audit reports. If you wish to include some additional attributes in your custom reports, see Appendix C, "Oracle Fusion Middleware Audit Framework Reference".
Table C-7 Attributes of Audit Reports
Attribute | Description |
---|---|
Activity |
The type of action, either user- or system-initiated. |
Application Name |
The complete application path and name. |
Application Server Instance |
The instance of the application server in use. |
Attempted |
The action that was attempted, for example, a single sign-on attempted by the user. |
Component Name |
The name of the component instance. |
Component Type |
The type of component, for example Oracle Identity Federation. |
Domain Name |
Oracle WebLogic Server domain name. |
ECID |
The execution context ID. |
Event Type |
The type of event that occurred, for example, account creation. |
Initiator |
The user who initiated the event. |
Internet Protocol Address, IP Address |
The IP address of the user's machine from which the action was initiated. |
Message Text |
The text of the message; a description of the event. |
Policy Name |
The name of the policy involved in the action. |
Time Range |
The time range which allows you to limit your data set to a specific time interval, for example, the last 24 hours. |
Timestamp |
The date and time of the event. |
Transaction ID |
The transaction identifier. |
This section discusses advanced report generation and creation options:
Clicking on the report's Edit button brings up a page at which you can specify more detailed report filters and properties. This page consists of two panels. The left panel lets you select what element of the report is to be modified through these options. For each element you select, the right panel displays the corresponding information.
Data Model - This contains the SQL query that fetches the raw data for the report. The query can be modified according to your needs.
List of Values - Shows all the report columns. Selecting on a column displays the underlying SQL query that filters data for the attribute. You can modify the query as needed; for example you can specify more restrictive filter values.
Parameters - Shows all the report columns, and lets you select any column to modify display settings for that column. For example, you can specify a date display format for timestamp fields.
Layouts and output formats - This feature is described in the following section.
Oracle Business Intelligence Publisher provides a complete set of capabilities for designing and creating custom reports.
See Also:
Oracle Business Intelligence Publisher User's Guide.
Here is a simple example illustrating the basic steps to customize an existing audit report with Oracle Business Intelligence Publisher.
Log in to Oracle Business Intelligence Publisher as administrator.
Navigate to the Oracle Fusion Middleware Audit folder.
Create a folder to maintain your custom reports. Under Folder and Event Tasks, click New Folder.
Enter a folder name.
The new folder, Custom BI Reports, appears on the main audit reports folder.
Select an existing report that will be a starting point to create a custom report, by clicking the icon to the left of the report. In this example the All Events report is selected:
Click Copy this report.
This action copies the report to the clipboard. To send it to the new folder:
Select the Custom BI Reports folder.
Under Folder and Report Tasks, click Paste from clipboard.
A dialog box appears requesting confirmation. Click Yes.
The report is now moved from the clipboard to the custom folder:
Provide a descriptive name for the new report by selecting the icon to the left of the report, and clicking Rename this report.
Now you are ready to customize the report. Click Edit from the menu choices under the report title.
The Edit page appears.
Two panels are displayed; on the main panel titled General Settings, you can control basic features like the report title and runtime controls. To the left of the main panel, a second panel displays two sets of information that you can use to create relevant content for your report:
List of Values shows the fields that are being used currently in the report. When you click on a field, the main panel automatically displays the name and the SQL query used to select the values to include for that field.
Parameters shows the available parameters from which you can choose the ones to include in the report. Notice that a subset of the parameters is already in the report; for example, userid (which is the initiator of the audit event) provides the Users data, while timeRange provides the Time Range data.
The palette of choices on the left panel is context-sensitive and provides information to help you build the report.
You can use the Query Builder to customize the data to include in your report. For example, to include only login events for a component, you can:
Select ComponentName
from the list of values and click Query Builder.
A table appears listing the available components. Select the component, say JPS
. A second table appears showing the component event fields:
In the JPS table select IAU_EVENTTYPE
.
Click Conditions, enter the condition login
and click Save.
The condition is now included in the report. Be sure to click Save again on the upper left corner to commit your changes to the report definition.
You can now return to the report in the Custom BI Reports folder and view the data.
If you have additional audit reporting requirements beyond the pre-built reports described in Section C.2, "Pre-built Audit Reports", you can create custom reports using your choice of reporting tools. For example, while the pre-built reports use a subset of the event attributes, you can make use of the entire audit attribute set for an event in creating custom reports.
Table C-8 and Table C-9 describe the audit schema, which is useful when building custom reports.
Table Name | Column Name | Data Type | Nullable | Column ID |
---|---|---|---|---|
BASE TABLE |
IAU_ID |
NUMBER |
Yes |
1 |
IAU_ORGID |
VARCHAR2(255 Bytes) |
Yes |
2 |
|
IAU_COMPONENTID |
VARCHAR2(255 Bytes) |
Yes |
3 |
|
IAU_COMPONENTTYPE |
VARCHAR2(255 Bytes) |
Yes |
4 |
|
IAU_INSTANCEID |
VARCHAR2(255 Bytes) |
Yes |
5 |
|
IAU_HOSTINGCLIENTID |
VARCHAR2(255 Bytes) |
Yes |
6 |
|
IAU_HOSTID |
VARCHAR2(255 Bytes) |
Yes |
7 |
|
IAU_HOSTNWADDR |
VARCHAR2(255 Bytes) |
Yes |
8 |
|
IAU_MODULEID |
VARCHAR2(255 Bytes) |
Yes |
9 |
|
IAU_PROCESSID |
VARCHAR2(255 Bytes) |
Yes |
10 |
|
IAU_ORACLEHOME |
VARCHAR2(255 Bytes) |
Yes |
11 |
|
IAU_HOMEINSTANCE |
VARCHAR2(255 Bytes) |
Yes |
12 |
|
IAU_UPSTREAMCOMPONENTID |
VARCHAR2(255 Bytes) |
Yes |
13 |
|
IAU_DOWNSTREAMCOMPONENTID |
VARCHAR2(255 Bytes) |
Yes |
14 |
|
IAU_ECID |
VARCHAR2(255 Bytes) |
Yes |
15 |
|
IAU_RID |
VARCHAR2(255 Bytes) |
Yes |
16 |
|
IAU_CONTEXTFIELDS |
VARCHAR2(2000 Bytes) |
Yes |
17 |
|
IAU_SESSIONID |
VARCHAR2(255 Bytes) |
Yes |
18 |
|
IAU_SECONDARYSESSIONID |
VARCHAR2(255 Bytes) |
Yes |
19 |
|
IAU_APPLICATIONNAME |
VARCHAR2(255 Bytes) |
Yes |
20 |
|
IAU_TARGETCOMPONENTTYPE |
VARCHAR2(255 Bytes) |
Yes |
21 |
|
IAU_EVENTTYPE |
VARCHAR2(255 Bytes) |
Yes |
22 |
|
IAU_EVENTCATEGORY |
VARCHAR2(255 Bytes) |
Yes |
23 |
|
IAU_EVENTSTATUS |
NUMBER |
Yes |
24 |
|
IAU_TSTZORIGINATING |
TIMESTAMP(6) |
Yes |
25 |
|
IAU_THREADID |
VARCHAR2(255 Bytes) |
Yes |
26 |
|
IAU_COMPONENTNAME |
VARCHAR2(255 Bytes) |
Yes |
27 |
|
IAU_INITIATOR |
VARCHAR2(255 Bytes) |
Yes |
28 |
|
IAU_MESSAGETEXT |
VARCHAR2(255 Bytes) |
Yes |
29 |
|
IAU_FAILURECODE |
VARCHAR2(255 Bytes) |
Yes |
30 |
|
IAU_REMOTEIP |
VARCHAR2(255 Bytes) |
Yes |
31 |
|
IAU_TARGET |
VARCHAR2(255 Bytes) |
Yes |
32 |
|
IAU_RESOURCE |
VARCHAR2(255 Bytes) |
Yes |
33 |
|
IAU_ROLES |
VARCHAR2(255 Bytes) |
Yes |
34 |
|
IAU_AUTHENTICATIONMETHOD |
VARCHAR2(255 Bytes) |
Yes |
35 |
|
IAU_TRANSACTIONID |
VARCHAR2(255 Bytes) |
Yes |
36 |
|
IAU_DOMAINNAME |
VARCHAR2(255 Bytes) |
Yes |
37 |
|
IAU_COMPONENTDATA |
clob |
yes |
38 |
|
DIP |
IAU_ID |
NUMBER |
Yes |
1 |
IAU_TSTZORIGINATING |
TIMESTAMP(6) |
Yes |
2 |
|
IAU_EVENTTYPE |
VARCHAR2(255 Bytes) |
Yes |
3 |
|
IAU_EVENTCATEGORY |
VARCHAR2(255 Bytes) |
Yes |
4 |
|
IAU_ASSOCIATEPROFILENAME |
VARCHAR2(512 Bytes) |
Yes |
5 |
|
IAU_PROFILENAME |
VARCHAR2(512 Bytes) |
Yes |
6 |
|
IAU_ENTRYDN |
VARCHAR2(1024 Bytes) |
Yes |
7 |
|
IAU_PROVEVENT |
VARCHAR2(2048 Bytes) |
Yes |
8 |
|
IAU_JOBNAME |
VARCHAR2(128 Bytes) |
Yes |
9 |
|
IAU_JOBTYPE |
VARCHAR2(128 Bytes) |
Yes |
10 |
|
IAU_DISP_NAME_TL |
IAU_LOCALE_STR |
VARCHAR2(7 Bytes) |
1 |
|
IAU_DISP_NAME_KEY |
VARCHAR2(255 Bytes) |
2 |
||
IAU_COMPONENT_TYPE |
VARCHAR2(255 Bytes) |
3 |
||
IAU_DISP_NAME_KEY_TYPE |
VARCHAR2(255 Bytes) |
4 |
||
IAU_DISP_NAME_TRANS |
VARCHAR2(4000 Bytes) |
Yes |
5 |
|
IAU_LOCALE_MAP_TL |
IAU_LOC_LANG |
VARCHAR2(2 Bytes) |
Yes |
1 |
IAU_LOC_CNTRY |
VARCHAR2(3 Bytes) |
Yes |
2 |
|
IAU_LOC_STR |
VARCHAR2(7 Bytes) |
Yes |
3 |
Table C-9 shows additional tables in the audit schema; these tables support the dynamic metadata model.
Table C-9 Additional Audit Schema Tables
Table Name | Column Name | Data Type |
---|---|---|
IAU_COMMON |
IAU_ID |
NUMBER |
IAU_OrgId |
VARCHAR(255) |
|
IAU_ComponentId |
VARCHAR(255) |
|
IAU_ComponentType |
VARCHAR(255) |
|
IAU_MajorVersion |
VARCHAR(255) |
|
IAU_MinorVersion |
VARCHAR(255) |
|
IAU_InstanceId |
VARCHAR(255) |
|
IAU_HostingClientId |
VARCHAR(255) |
|
IAU_HostId |
VARCHAR(255) |
|
IAU_HostNwaddr |
VARCHAR(255) |
|
IAU_ModuleId |
VARCHAR(255) |
|
IAU_ProcessId |
VARCHAR(255) |
|
IAU_OracleHome |
VARCHAR(255) |
|
IAU_HomeInstance |
VARCHAR(255) |
|
IAU_UpstreamComponentId |
VARCHAR(255) |
|
IAU_DownstreamComponentId |
VARCHAR(255) |
|
IAU_ECID |
VARCHAR(255) |
|
IAU_RID |
VARCHAR(255 |
|
IAU_ContextFields |
VARCHAR(2000) |
|
IAU_SessionId |
VARCHAR(255) |
|
IAU_SecondarySessionId |
VARCHAR(255) |
|
IAU_ApplicationName |
VARCHAR(255) |
|
IAU_TargetComponentType |
VARCHAR(255) |
|
IAU_EventType |
VARCHAR(255) |
|
IAU_EventCategory |
VARCHAR(255) |
|
IAU_EventStatus |
NUMBER |
|
IAU_TstzOriginating |
TIMESTAMP |
|
IAU_ThreadId |
VARCHAR(255) |
|
IAU_ComponentName |
VARCHAR(255) |
|
IAU_Initiator |
VARCHAR(255) |
|
IAU_MessageText |
VARCHAR(2000) |
|
IAU_FailureCode |
VARCHAR(255) |
|
IAU_RemoteIP |
VARCHAR(255) |
|
IAU_Target |
VARCHAR(255) |
|
IAU_Resource |
VARCHAR(255) |
|
IAU_Roles |
VARCHAR(255) |
|
IAU_AuthenticationMethod |
VARCHAR(255) |
|
IAU_TransactionId |
VARCHAR(255) |
|
IAU_DomainName |
VARCHAR(255) |
|
IAU_ComponentVersion |
VARCHAR(255) |
|
IAU_ComponentData |
CLOB |
|
IAU_CUSTOM |
IAU_ID |
NUMBER |
IAU_BOOLEAN_001 |
NUMBER |
|
IAU_INT_001 |
NUMBER |
|
IAU_LONG_001 |
NUMBER |
|
IAU_FLOAT_001 |
NUMBER |
|
IAU_DOUBLE_001 |
NUMBER |
|
IAU_STRING_001 |
VARCHAR(2048) |
|
IAU_DATETIME_001 |
TIMESTAMP |
|
IAU_LONGSTRING_001 |
CLOB |
|
IAU_BINARY_001 |
BLOB |
|
IAU_AuditService |
IAU_ID |
NUMBER |
IAU_TransactionId |
VARCHAR(255) |
|
IAU_USERSESSION |
IAU_ID |
NUMBER |
IAU_AuthenticationMethod |
VARCHAR(255) |
Oracle WebLogic Server scripts are used at the command line to administer various features. WLST
is the command-line utility for administration of Oracle Fusion Middleware components and applications in the Oracle WebLogic Server environment. It provides another option for administration in addition to Oracle Enterprise Manager Fusion Middleware Control.
For details about the WLST commands to view and manage audit policies and the audit store configuration, see "Audit Configuration Commands" in the Oracle Fusion Middleware Infrastructure Security WLST Command Reference.
Note:
When running audit commands, you must invoke theWLST
script from the Oracle Common home. See "Using Custom WLST Commands" in the Oracle Fusion Middleware Administrator's Guide for more information.When you select a custom audit policy, you have the option of specifying a filter expression along with an event.
For example, you can use the following expression:
Host Id -eq "myhost123"
to enable the audit event for a particular host only.
You enter this expression either through the Fusion Middleware Control Edit Filter Dialog or through the setAuditPolicy
command.
See Also:
There are some syntax rules you should follow when creating a filter expression.
The expression can either be a Boolean expression or a literal.
<Expr> ::= <BooleanExpression> | <BooleanLiteral>
A boolean expression can use combinations of RelationalExpression with –and, -or, -not and parenthesis. For example, (Host Id -eq "stadl17" -or "
).
<BooleanExpression> ::= <RelationalExpression> | ”(” <BooleanExpression> ”)” | <BooleanExpression> ”-and” <BooleanExpression> | <BooleanExpression> ”-or” <BooleanExpression> | ”-not” <BooleanExpression>
A relational expression compares an attribute name (on the left hand side) with a literal (on the right-hand side). The literal and the operator must be of the correct data type for the attribute.
<RelationalExpression> ::= <AttributeName> <RelationalOperator> <Literal>
Relational operators are particular to data types:
-eq, -ne can be used with all data types
-contains, -startswith, -endswith can be only used with strings
-contains_case, -startswith_case and -endswith_case are case sensitive versions of the above three functions
-lt, -le, -gt, -ge can be used with numeric and datetime
<RelationalOperator> : = "-eq" | "-ne" | "-lt" | "-le" | "-gt" | "-ge" | "-contains" | "-contains_case" | "-startswith" | "-startswith_case" | "-endswith" | "-endswith_case"
Rules for literals are as follows:
Boolean literals are true or false, without quotes.
Date time literals have to be in double quotes and can be in many different formats; "June 25, 2006", "06/26/2006 2:00 pm" are all valid.
String literals have to be quotes, back-slash can be used to escape an embedded double quote.
Numeric literals are in their usual format.
For example:
<Literal> ::= <NumericLiteral> | <BooleanLiteral> | <DateTimeLiteral> | <StringLiteral><BooleanLiteral> ::= "true” | "false”
This section explains the rules that are used to maintain audit files.
For Java components (both Java EE and Java SE) the audit.log
file contains audit records and comprises the bus-stop file.
When that file fills up (it reaches the configured maximum audit file size which is 100MB), it is renamed to audit1.log
and records written to a new audit.log. When this file fills up, the audit.log file is renamed to "audit2.log" and the cycle starts with a new audit.log.
This process continues until it reaches configured maximum audit directory size (default is 0, which means unlimited size). Upon reaching the maximum directory size, the system deletes the oldest auditn.log
file.
When you configure a database audit store, the audit loader reads these files and transfers the records to the database in batches. After reading a complete audit<n>.log file, it deletes the file.
Note:
The audit loader never deletes the "current" file, that is, audit.log; it only deletes archive files audit<n>.log.System components follow the same model, except the file name is slightly different. The process ID is embedded in the file name; thus, if the process id is 11925 the current file is called audit-pid11925.log
, and after rotation it is called audit-pid11925-1.log
.
For applications with audit definitions in the dynamic model, the file name format is audit_major version number_minor version number.log; for example, audit_1_2.log
.
Here is a sample audit.log file:
#Fields:Date Time Initiator EventType EventStatus MessageText HomeInstance ECID RID ContextFields SessionId TargetComponentType ApplicationName EventCategory ThreadId InitiatorDN TargetDN FailureCode RemoteIP Target Resource Roles CodeSource InitiatorGUID Principals PermissionAction PermissionClass mapName key #Remark Values:ComponentType="JPS" 2008-12-08 10:46:05.492 - "CheckAuthorization" true "Oracle Platform Security Authorization Check Permission SUCCEEDED." - - - - - - - "Authorization" "48" - - "true" - - "(oracle.security.jps.service.policystore.PolicyStoreAccessPermission context=APPLICATION,name=SimpleServlet getApplicationPolicy)" - "file:/oracle/work/middleware/oracle_common/modules/oracle.jps_11.1.1/jps-internal.jar" - "[]" - - - -
This file follows the W3C extended logging format, which is a very common log format that is used by many Web Servers e.g. Apache and IIS:
The first line is a "#Fields" line; it specifies all the fields in the rest of the file.
The second line is a comment like "#Remark" which has a comment indicating some common attributes like the ComponentType.
All subsequent lines are data lines; they follow the exact format defined in the "#Fields" line. All attributes are separated by spaces, mussing attributes are indicated by a dash.