C Oracle Fusion Middleware Audit Framework Reference

This appendix provides reference information for audit reports in the Oracle Fusion Middleware Audit Framework.

Use the information in this chapter for audit record administration and to develop audit reports for system components.

Note:

This appendix covers reports based on the report template model with Oracle Business Intelligence Publisher 10g. A different approach is used for audit based on the dynamic metadata model; see Chapter 15 for details.

C.1 Audit Events

This section describes the components that are audited and the types of events that can be audited.

C.1.1 What Components Can be Audited?

The Oracle Fusion Middleware Audit Framework provides the foundation for auditing by Oracle Fusion Middleware components and applications. In 12c (12.1.2), a number of Java and system components can generate audit records; they are known as audit-aware components.

Some examples of Java components that utilize the Fusion Middleware Audit Framework are:

  • Directory Integration Platform Server

  • Oracle Platform Security Services

  • Oracle Web Services Manager

  • Oracle Web Services

  • Reports Server

Some system components that utilize the Fusion Middleware Audit Framework are:

  • Oracle HTTP Server

  • Oracle Internet Directory

This appendix provides audit information only for events generated by Oracle Platform Security Services. For details about auditing in other components and applications, refer to the respective administration guides.

C.1.2 What Events can be Audited?

The set of tables in this section shows what event types can be audited:

C.1.2.1 Oracle Platform Security Services Events and their Attributes

Table C-1 System Categories and Events

Category Event Description

UserSession

This set of events is for creating and using user sessions on the system.

Common attribute for these events: AuthenticationMethod

UserLogin

User Logins

In multi-tier applications, inner tiers often use a special user ID (an end user or an administrator) to log in to the next tier. To make audit reports more meaningful, logins by these special users are placed in a separate category, Internal Logins. The User Logins/Logouts events record only actions by regular users (including administrators).

 

UserLogout

User Logouts

An end user or administrator logs out.

 

Authentication

Authentication is very similar to UserLogin/InternalLogin, except that no session is created, so there is no corresponding UserLogout/InternalLogout. This event is usually generated by lower layers, while login is generated by higher layers.

 

InternalLogin

Internal Login

This is an internal login between two tiers.

 

InternalLogout

Internal Logout

This is an internal logout between two tiers.

 

QuerySession

Query Session

Query the attributes within a session object for a logged-in user.

 

ModifySession

Modify the attributes within a session object for a logged-in user.

     

Authorization

This set of events is for authorization.

CheckAuthorization

Check Authorization

 
     

DataAccess

This set of events is for data access.

CreateDataItem

Create a data item

Create a data item, for example a file.

 

DeleteDataItem

Delete a data item.

 

QueryDataItemAttributes

Query the attributes associated with a data item.

 

ModifyDataItemAttributes

Modify the attributes associated with a data item, for example access.

     

AccountManagement

This set of events is for the management of principal accounts.

ChangePassword

Change a user's password.

 

CreateAccount

Create a user, or group, or any other principal account.

 

DeleteAccount

Delete an account for a user, or group, or any other principal.

 

EnableAccount

Enable an account for a user, or group, or any other principal.

 

DisableAccount

Disable an account for a user, or group, or any other principal.

 

QueryAccount

Query the user's account.

 

ModifyAccount

Modify the account attributes.

     

ServiceManagement

This set of events relates to the management of system services and applications.

InstallService

Install or upgrade a service or an application.

 

RemoveService

De-install a service or an application.

 

QueryServiceConfig

Query the configuration of a service or application.

 

ModifyServiceConfig

Modify the configuration of a service or application.

 

DisableService

Shut down or disable a service or application.

 

EnableService

Start up or enable a service or application.

     

ServiceUtilize

These events relate to the use of a service or application. They typically map to the execution of a program or procedure, and manipulation of the processing environment.

InvokeService

Invoke a service or an application. For example, execute a command-line script.

 

TerminateService

Terminate a service or an application, either at the request of the application itself or by intervention of the domain in response to user or administrative action.

 

QueryProcessContext

Query the attributes associated with the current processing context.

 

ModifyProcessContext

Modify the attributes associated with the current processing context.

     

PeerAssocManagement

This set of events creates and works with communication channels between system components.

CreatePeerAssoc

Creates a communication channel between system components.

 

TerminatePeerAssoc

Terminates a communication channel between system components.

 

QueryAssocContext

Query attributes associated with a communication channel between system components.

 

ModifyAssocContext

Modify attributes associated with a communication channel between system components.

 

ReceiveDataViaAssoc

Receive data from an associated peer.

 

SendDataViaAssoc

Send data to an associated peer.

     

DataItemContentAccess

These events form an association between a service or application and a data item or resource element in order to use its content or services; for example, a file or directory, a device special file, a memory segment, a communication port, and so on.

CreateDataItemAssoc

Open a data item, for example a file.

 

TerminateDataItemAssoc

Close a data item, for example a file.

 

QueryDataItemAssocContext

Query attributes of a data item, for example mode of access, size limits, access paths, and so on.

 

ModifyDataItemAssocContext

Modify attributes of a data item.

 

QueryDataItemContents

Read the data item.

 

ModifyDataItemContent

Write or append to the data item.

     

Exceptional

These events are considered to be outside the generalized events.

StartSystem

Boot a system host.

 

ShutdownSystem

Shut down the system.

 

ResourceExhausted

Resources like data storage or communication endpoints have been exhausted.

 

ResourceCorrupted

Resources like data storage have integrity failures.

 

BackupDatastore

Make a backup copy of a data store.

 

RecoverDatastore

Recover a data store from a backup copy.

     

AuditService

This set of events applies to audit service configuration.

Common attribute for these events: TransactionId

ConfigureAuditPolicy

Modify parameters that control auditing, for example the audit event filtering.

 

ConfigureAuditRepository

Configure the audit repository, for example to change from a file-based repository to a database repository.


See Also:

Section 13.4.3 for background about system categories and events.

Table C-2 Core Oracle Platform Security Services Events

Event Category Event Type Attributes used by Event

Authorization

CheckPermission

ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, CodeSource, Principals, InitiatorGUID, Subject, PermissionAction, PermissionTarget, PermissionClass

 

CheckSubject

ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, CodeSource, Principals, InitiatorGUID, Subject

     

CredentialManagement

CreateCredential

ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, mapName, key, CodeSource, Principals, InitiatorGUID

 

DeleteCredential

ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, mapName, key, CodeSource, Principals, InitiatorGUID

 

AccessCredential

ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, mapName, key, CodeSource, Principals, InitiatorGUID

 

ModifyCredential

ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, mapName, key, CodeSource, Principals, InitiatorGUID

     

PolicyManagement

PolicyGrant

ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, CodeSource, Principals, InitiatorGUID, PermissionAction, PermissionTarget, PermissionClass, PermissionScope

 

PolicyRevoke

ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, CodeSource, Principals, InitiatorGUID, PermissionAction, PermissionTarget, PermissionClass, PermissionScope

     

RoleManagement

RoleMembershipAdd

ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, CodeSource, Principals, InitiatorGUID, ApplicationRole, EnterpriseRoles, PermissionScope

 

RoleMembershipRemove

ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, CodeSource, Principals, InitiatorGUID, ApplicationRole, EnterpriseRoles, PermissionScope


Table C-3 Identity Directory Service Events

Event Category Event Type Attributes used by Event

UserSession

Authentication

Initiator, EventType, EventStatus, MessageText, ApplicationName, AuditService:TransactionId, ContextFields, ECID, EventCategory, FailureCode, MajorVersion, MinorVersion, RID, RemoteIP, Resource, Roles, SessionId, Target, ThreadId, AuthenticationMethod

     

DataAccess

CreateDataItem

Initiator, EventType, EventStatus, MessageText, ApplicationName, AuditService:TransactionId, ContextFields, ECID, EventCategory, FailureCode, MajorVersion, MinorVersion, RID, RemoteIP, Resource, Roles, SessionId, Target, ThreadId, AuthenticationMethod

 

DeleteDataItem

Initiator, EventType, EventStatus, MessageText, ApplicationName, AuditService:TransactionId, ContextFields, ECID, EventCategory, FailureCode, MajorVersion, MinorVersion, RID, RemoteIP, Resource, Roles, SessionId, Target, ThreadId, AuthenticationMethod

 

ModifyDataItemAttributes

Initiator, EventType, EventStatus, MessageText, ApplicationName, AuditService:TransactionId, ContextFields, ECID, EventCategory, FailureCode, MajorVersion, MinorVersion, RID, RemoteIP, Resource, Roles, SessionId, Target, ThreadId, AuthenticationMethod


Table C-4 Identity Virtualization Library Events

Event Category Event Type Attributes used by Event

LDAPEntryAccess

Add

Initiator, EventType, EventStatus, MessageText, ApplicationName, AuditService:TransactionId, ContextFields, ECID, EventCategory, FailureCode, MajorVersion, MinorVersion, RID, RemoteIP, Resource, Roles, SessionId, Target, ThreadId, AuthenticationMethod

 

Delete

Initiator, EventType, EventStatus, MessageText, ApplicationName, AuditService:TransactionId, ContextFields, ECID, EventCategory, FailureCode, MajorVersion, MinorVersion, RID, RemoteIP, Resource, Roles, SessionId, Target, ThreadId, AuthenticationMethod

 

Modify

Initiator, EventType, EventStatus, MessageText, ApplicationName, AuditService:TransactionId, ContextFields, ECID, EventCategory, FailureCode, MajorVersion, MinorVersion, RID, RemoteIP, Resource, Roles, SessionId, Target, ThreadId, AuthenticationMethod

 

Rename

Initiator, EventType, EventStatus, MessageText, ApplicationName, AuditService:TransactionId, ContextFields, ECID, EventCategory, FailureCode, MajorVersion, MinorVersion, RID, RemoteIP, Resource, Roles, SessionId, Target, ThreadId, AuthenticationMethod

     

UserSession

UserLogin.FAILURESONLY

Initiator, EventType, EventStatus, MessageText, ApplicationName, AuditService:TransactionId, ContextFields, ECID, EventCategory, FailureCode, MajorVersion, MinorVersion, RID, RemoteIP, Resource, Roles, SessionId, Target, ThreadId, AuthenticationMethod

     

DataAccess

QueryDataItemAttributes

Initiator, EventType, EventStatus, MessageText, ApplicationName, AuditService:TransactionId, ContextFields, ECID, EventCategory, FailureCode, MajorVersion, MinorVersion, RID, RemoteIP, Resource, Roles, SessionId, Target, ThreadId, AuthenticationMethod

 

ModifyDataItemAttributes

Initiator, EventType, EventStatus, MessageText, ApplicationName, AuditService:TransactionId, ContextFields, ECID, EventCategory, FailureCode, MajorVersion, MinorVersion, RID, RemoteIP, Resource, Roles, SessionId, Target, ThreadId, AuthenticationMethod


C.1.3 OPSS Event Attribute Descriptions

Table C-5 lists all attributes for OPSS audited events. Use this table to learn about the attributes used in the event of interest.

Table C-5 Attributes of OPSS Audit Events

Namespace Attribute Name Description

common

ApplicationName

The Java EE application name.

 

AuditUser

Identifies the user name of the user who is running the application.

 

ComponentData

Where component-specific data are stored when there is no component-specific table in the schema.

 

ComponentName

The name of this component.

 

ComponentType

Type of the component.

 

ContextFields

This attribute contains the context fields extracted from the DMS context.

 

DomainName

The WebLogic Server or IBM WebSphere Domain.

 

EventCategory

The category of the audit event.

 

EventStatus

The outcome of the audit event - success or failure.

 

EventType

The type of the audit event. Use the WLST listAuditEvents command to list all the events.

 

FailureCode

The error code when EventStatus = failure.

 

HomeInstance

The ORACLE_INSTANCE directory of the component.

 

HostId

DNS hostname of originating host.

 

HostNwaddr

The IP or other network address of originating host.

 

Initiator

Identifies the UID of the user who is doing the operation.

 

InstanceId

The name of the Oracle instance to which this component belongs.

 

MajorVersion

The major version of a component.

 

MessageText

Description of the audit event.

 

MinorVersion

The minor version of a component.

 

ModuleId

The ID of the module that originated the message. Interpretation is unique within Component ID.

 

OracleHome

The ORACLE_HOME directory of the component.

 

ProcessId

The ID of the process that originated the message.

 

RemoteIP

The IP address of the client initiating this event.

 

Resource

Identifies a resource that is being accessed. A resource can be many things - web page, file, directory share, web service, XML document, a portlet. The resource can be named as a combination of a host name, and a URI.

 

RID

This is the relationship identifier; it is used to provide the full and correct calling relationships between threads and processes.

 

Roles

The roles that the user was granted at the time of login.

 

SessionId

The ID of the login session.

 

Target

Identifies the UID of the user on whom the operation is being done. For example, if Alice changes Bob's password, then Alice is the initiator and Bob is the target.

 

TargetComponentType

The target component type.

 

TstzOriginating

Date and time when the audit event was generated.

 

ThreadId

The ID of the thread that generated this event.

 

TenantId

The tenant ID.

 

TransactionId

The transaction ID.

 

UserTenantId

The user tenant ID.

     

AuditService

TransactionId

The transaction ID.

     

UserSession

AuthenticationMethod

The authentication method, for example password, SSL, Kerberos, and so on.


See Also:

Section 13.4.2 for details about attribute groups and attributes.
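
Added example (not part of the Oracle documentation): a triage pass over exported audit records that uses event types from Tables C-1 and C-2 and attributes from Table C-5. It assumes records are available as dictionaries keyed by attribute name, that EventStatus is the text success or failure, and that TstzOriginating is an ISO 8601 string; the function names, thresholds, and sample records are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Event types from Tables C-1 and C-2. InternalLogin is deliberately left out:
# tier-to-tier logins are a separate category from regular user logins.
LOGIN_EVENTS = {"UserLogin", "Authentication"}
PRIVILEGE_EVENTS = {"PolicyGrant", "RoleMembershipAdd"}


def _succeeded(rec):
    # Assumption: EventStatus is exported as the text "success" or "failure".
    return rec.get("EventStatus", "").strip().lower() == "success"


def _when(rec):
    # Assumption: TstzOriginating is exported as an ISO 8601 timestamp.
    return datetime.fromisoformat(rec["TstzOriginating"])


def triage(records, threshold=3, window=timedelta(minutes=5)):
    """Return (rule, detail) findings for a batch of audit records (dicts)."""
    findings = []
    failures = defaultdict(deque)  # (Initiator, RemoteIP) -> recent failure times
    reported = set()               # report each bursting pair only once
    for rec in sorted(records, key=_when):
        etype = rec.get("EventType", "")
        who, target = rec.get("Initiator", ""), rec.get("Target", "")
        if etype in LOGIN_EVENTS and not _succeeded(rec):
            key, now = (who, rec.get("RemoteIP", "")), _when(rec)
            times = failures[key]
            times.append(now)
            while now - times[0] > window:   # drop failures outside the window
                times.popleft()
            if len(times) >= threshold and key not in reported:
                reported.add(key)
                findings.append(("failure-burst", {
                    "Initiator": who, "RemoteIP": key[1], "count": len(times)}))
        elif etype in PRIVILEGE_EVENTS and _succeeded(rec):
            # Successful grants and role additions change who can do what.
            findings.append(("privilege-change", {
                "EventType": etype, "Initiator": who,
                "Principals": rec.get("Principals", ""),
                "ApplicationRole": rec.get("ApplicationRole", ""),
                "PermissionTarget": rec.get("PermissionTarget", "")}))
        elif (etype == "ChangePassword" and _succeeded(rec)
              and target and who != target):
            # Initiator is who acted; Target is whose account was changed.
            findings.append(("password-change-by-other", {
                "Initiator": who, "Target": target}))
    return findings


def _rec(ts, etype, status, who, **extra):
    """Build one constructed audit record keyed by Table C-5 attribute names."""
    return {"TstzOriginating": ts, "EventType": etype, "EventStatus": status,
            "Initiator": who, **extra}


# Constructed sample records, not real audit data.
SAMPLE = [
    _rec("2024-05-01T09:00:00", "UserLogin", "failure", "mallory", RemoteIP="198.51.100.7"),
    _rec("2024-05-01T09:01:10", "UserLogin", "failure", "mallory", RemoteIP="198.51.100.7"),
    _rec("2024-05-01T09:02:30", "Authentication", "failure", "mallory", RemoteIP="198.51.100.7"),
    # Internal (tier-to-tier) failures are not counted as user login failures.
    _rec("2024-05-01T09:03:00", "InternalLogin", "failure", "svc_tier2", RemoteIP="10.0.0.5"),
    _rec("2024-05-01T09:03:05", "InternalLogin", "failure", "svc_tier2", RemoteIP="10.0.0.5"),
    _rec("2024-05-01T09:03:10", "InternalLogin", "failure", "svc_tier2", RemoteIP="10.0.0.5"),
    # Three failures spread over 20 minutes never fall inside one 5-minute window.
    _rec("2024-05-01T09:10:00", "UserLogin", "failure", "carol", RemoteIP="203.0.113.9"),
    _rec("2024-05-01T09:20:00", "UserLogin", "failure", "carol", RemoteIP="203.0.113.9"),
    _rec("2024-05-01T09:30:00", "UserLogin", "failure", "carol", RemoteIP="203.0.113.9"),
    _rec("2024-05-01T09:40:00", "RoleMembershipAdd", "success", "alice",
         ApplicationRole="AppAdmin", Principals="mallory"),
    _rec("2024-05-01T09:41:00", "PolicyGrant", "failure", "alice",
         PermissionTarget="context=APPLICATION,name=demo"),
    _rec("2024-05-01T09:45:00", "ChangePassword", "success", "alice", Target="bob"),
    _rec("2024-05-01T09:46:00", "ChangePassword", "success", "bob", Target="bob"),
]

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE):
        print(rule, detail)
```
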

C.2 Pre-built Audit Reports

Oracle Fusion Middleware Audit Framework provides a range of out-of-the-box reports for system components that are accessible through Oracle Business Intelligence Publisher. This section describes how to configure audit reporting with Oracle Business Intelligence Publisher and how to view audit reports.

C.2.1 Setting up Oracle Business Intelligence Publisher for Audit Reports

When your audit data resides in a database, you can run pre-defined Oracle Business Intelligence Publisher reports and create your own reports on the data. This section describes how to configure your environment for audit reports.

See Also:

Oracle Business Intelligence Publisher Enterprise documentation at:

http://www.oracle.com/technology/documentation/bi_pub.html

C.2.1.1 About Oracle Business Intelligence Publisher

Reports help auditors determine whether there are any violations with respect to industry regulations such as HIPAA and SOX, and other regulatory compliance demands. Oracle Fusion Middleware Audit Framework is integrated with Oracle Business Intelligence Publisher for out-of-the-box reports.

Pre-defined reports are available as part of the Oracle Fusion Middleware Audit Framework. These reports are integrated with Oracle Business Intelligence Publisher to work in conjunction with the audit data in the audit store.

Oracle Fusion Middleware Audit Framework ships with over twenty pre-built reports in 12c (12.1.2). For convenience, the reports are grouped in Oracle Business Intelligence Publisher according to functional areas and by component.

The functional areas consist of the following:

  • Error and Exception reports like authentication and authorization failures

  • User Activities including transaction history and authorization history

  • Operational reports including created, deleted, and locked-out users

  • Audit Service Events

As the name implies, the component-specific reports are grouped based on the components themselves, for example, Oracle HTTP Server reports.

Other features of Oracle Business Intelligence Publisher include:

  • Flexible Report Displays

    You can view reports online, change report parameters, change output types (pdf, html, rtf, excel and others), modify the appearance of reports, export to the desired format, and send to an E-mail address, fax or other destination.

  • Report Filters

    You can filter audit records to be included in the report using a range of options including the ability to modify the SQL used to extract records from the audit repository.

  • Scheduling Reports

    You can schedule reports to be run based on a range of criteria such as filters, templates, formats, locale, viewing restrictions and so on.

    See Also:

    For more information about scheduling features, see the Oracle Business Intelligence Publisher Enterprise documentation at:

    http://www.oracle.com/technology/documentation/bi_pub.html

  • Custom Reporting

    You can design your own reports and specify the data model, layout, parameters, and bursting (for example, you can enable delivery based on delivery preference).

All the auditing reports available in Oracle Business Intelligence Publisher provide these report filtering and formatting options:

  • View - View the report using the current parameters.

  • Schedule - Set up a schedule for the report along with job parameters and data filters.

  • History - View history.

  • Edit - Modify the query and parameter display formats.

  • Configure - Set up runtime configuration controls.

  • Export - Export to a file.

C.2.1.2 Install Oracle Business Intelligence Publisher

If you already have Oracle Business Intelligence Publisher 10.1.3.4 or later installed at your site, you can skip this section and go to Section C.2.1.3.

If you need to install Oracle Business Intelligence Publisher, follow the instructions provided with the Oracle Business Intelligence Publisher Companion CD.

See Also:

Oracle Business Intelligence Publisher Enterprise documentation at:

http://www.oracle.com/technology/documentation/bi_pub.html

C.2.1.3 Set Up Oracle Reports in Oracle Business Intelligence Publisher

In this section you configure Oracle Business Intelligence Publisher to work with the audit datasource.

Note:

11g Release 1 (11.1.1.4.0) PS3 reports can work only with an 11g Release 1 (11.1.1.4.0) PS3 schema; they cannot work with an earlier schema such as 12c (12.1.2).

Details about upgrading schemas with the Patch Set Assistant are available in the Oracle Fusion Middleware Patching Guide.

Take these steps to set up Oracle Business Intelligence Publisher for use with audit reports:

  1. Navigate to the Reports folder in your Oracle Business Intelligence Publisher installation. By default, the Reports folder is at %BIP_HOME%\XMLP\Reports.

  2. Unjar the AuditReportTemplates.jar into your Reports folder. You should see a new folder called Oracle_Fusion_Middleware_Audit. You can find AuditReportTemplates.jar at:

    $MW_ORA_HOME/oracle_common/modules/oracle.iau_12.1.2/reports/AuditReportTemplates.jar

  3. Set up the data source for audit repository as follows:

    • Navigate to the Admin tab.

    • If you deployed on Oracle WebLogic Server in Step 1, set up JNDI as follows:

      • Click JNDI Connection.

      • Click Add DataSource.

      • Specify the DataSource details:

        Name the Data Source Audit.

        Note:

        The reports refer to the audit data source, so the naming convention is important.

        JNDI Name - 'jdbc/AuditDB'

      • Test for a successful connection. If the connection is not successful, check the values you entered.

      • Press Apply to save your changes.

    • If you deployed on Oracle Containers for Java EE in Step 1, set up JNDI as follows:

      • Click JDBC Connection.

      • Click Add DataSource.

      • Specify the DataSource details:

        Name the Data Source Audit.

        Note:

        The reports refer to the audit data source, so the naming convention is important.

        Enter the details for the URL, username, and password for the audit schema. (Note: The username and password consist of a prefix plus the audit schema name, which is IAU_VIEWER. For example, dev_iau_viewer or test_iau_viewer.)

      • Test for a successful connection. If the connection is not successful, check the values you entered.

      • Press Apply to save your changes.

C.2.1.4 Set Up Audit Report Templates

You can use the standard audit reports in their default formats out-of-the-box. However, if you wish to customize the appearance and other related aspects of the reports, you do so by setting up audit report templates.

From a report's Edit dialog, you can click the Layout option in the left panel to control layouts and output formats. Using this feature, you can:

  • Customize the report template and design your own layout; for example you can rearrange fields and highlight selected field labels.

  • Restrict the formats to which the report output is generated - by default, a large number of output formats are available including HTML, PDF, Excel spreadsheet, RTF, and others.

See Also:

Oracle Business Intelligence Publisher User's Guide.

C.2.1.5 Set Up Audit Report Filters

You can use the standard audit reports in their default formats out-of-the-box. However, if you wish to customize the scope of data and other related aspects of the reports, you do so by setting up audit report filters.

Oracle Business Intelligence Publisher provides both basic and advanced filtering options for your audit reports.

See Also:

Oracle Business Intelligence Publisher User's Guide.

Basic Filters

Clicking on the report's Schedule button brings up a page which you can use to schedule and administer the report.

In the Report Parameters area you can provide high-level filters to restrict the report:

  • Date Filters

    • show only recent audit records such as last hour or last week.

    • show records generated between specified start and end dates.

    • limit number of records returned.

  • Selected Report Fields

    For example, the Authentication Failures report can be filtered by:

    • Username

    • Component Type

    • Component Name

    • Application Name

    • Domain Name

Advanced Filters

Clicking on the report's Edit button brings up a page at which you can specify more detailed report filters and properties. This page consists of two panels. The left panel lets you select what element of the report is to be modified through these options. For each element you select, the right panel displays the corresponding information.

  • Data Model - This contains the SQL query that fetches the raw data for the report. The query can be modified according to your needs.

  • List of Values - Shows all the report columns. Selecting a column displays the underlying SQL query that filters data for the attribute. You can modify the query as needed; for example, you can specify more restrictive filter values.

  • Parameters - Shows all the report columns, and lets you select any column to modify display settings for that column. For example, you can specify a date display format for timestamp fields.

  • Layouts and output formats - This feature is described in Section C.2.1.6.

C.2.1.6 Configure Scheduler in Oracle Business Intelligence Publisher

Clicking on the report's Schedule button brings up a page which you can use to schedule and administer the report. Information you can specify on this page includes:

Note:

This feature assumes that the Oracle Business Intelligence Publisher repository is already configured.

  • Report Parameters - filters to restrict the data included in the report, for example records for the last hour only.

    See Also:

    Section C.2.1.5

  • Job Properties - the job name, formatting locale and time zone, and so on.

  • Notification - one or more users to be notified by E-mail when the job completes or fails.

  • Time - report scheduling options; the report can be scheduled to run periodically or on a one-time basis.

  • Delivery - deliver the report to one or more users.

C.2.2 Organization of Audit Reports

Oracle Fusion Middleware Audit Framework ships with a set of pre-defined reports that are designed to work, out-of-the-box, with Oracle Fusion Middleware components. These reports are organized into two main categories:

  • Common Reports

    These reports capture common events such as authentication success and failures, account-related status (lockout, disabled, and so on). Many components have implemented audit capability for these common events. The common reports are located under the Common Reports subfolder of the Audit Reports, and all audit-enabled events from across the components are captured in these reports.

    For example, "Authentication History" displays authentication history across all the components where authentication events are being captured.

    You can use these reports to examine audit records for a specific area across components or to examine the audit records of a single user across multiple components for that specific area.

  • Component-specific Reports

    These reports focus on individual components. They are needed because not all audit events may be relevant to each component. The Component Specific folder serves two purposes. First, it identifies the reports among the Common Reports that are relevant to the component and shows only the audit records for that component. Second, for some components, component-specific reports have been defined to suit the specific needs of that component. While audit records themselves are generic for all the components, the representation of an audit record may have component-specific requirements. For example, an access policy may need to be shown in a specific format to be useful.

    For example, you can locate the Authentication History report in the Common folder, where it displays authentication events for all components. You can also find the same report under a component-specific folder, where it displays authentication events for that component only.

  • There is also a generic report at the top level called "All Events", which shows all the events across all audit-enabled components. The "All Events" report is also available in each component-specific folder, to show all the events for individual components.

    This report can be used to query audit data.

C.2.3 View Audit Reports

This section explains how to view audit reports using Oracle Business Intelligence Publisher.

Take these steps to view an audit report:

  1. Log in to Oracle Business Intelligence Publisher using a URL of the form:

    http://host.domain.com:port/xmlpserver/

  2. On the main page, click Oracle Fusion Middleware Audit under Shared Folders.

  3. The audit reports are organized into:

    • reports that are common to multiple components; these are further organized by report types.

    • reports that are specific to a component; these are further organized by component.

    See Also:

    Table C-6 for a description of the standard reports.

  4. Navigate to the report of interest; for example, you can click on the Common Reports folder, then Errors and Exceptions, then click on All Errors and Exceptions.

    The report is displayed.

  5. The report display page contains these major areas:

    • Filters at the top of the page enable you to determine the type, scope, and number of records to include in the report. These filters include:

      • User

      • Start and End Dates

      • Last n time period

      • Component type and name

      • Application Name

      • Domain Name

      Use relevant filters to limit the report to the desired records.

      Note:

      Initially, the report is displayed with default filter values that you can modify.
    • Format control buttons enable you to determine:

      • the template type, which can be:

           HTML - This is the default display format.

           PDF - Displays a printable PDF view.

           Data - Displays an unformatted XML data set.

        To change the template type while viewing a report, select the type from the drop-down list and click View.

      • output format

      • delivery options

    • The report record display area. The appearance and number of columns depend on previously selected options and filters.

      Each column header also acts as a sort option.

  6. View, save or export the report as desired.

C.2.4 Example of Oracle Business Intelligence Publisher Reports

This section uses a common scenario to demonstrate how Oracle Business Intelligence Publisher reports are used to view audit data generated by Oracle Platform Security Services events.

In this example, some activity is generated on the credential store for an Oracle WebLogic Server domain. We then use Oracle Business Intelligence Publisher to take a look at the relevant report to see the audit records. Subsequently, a few other reports are examined.

  1. As the system administrator, locate the domain whose credentials are to be managed.

  2. Use the relevant commands to generate some credential management records; for example, create and delete some user credentials.

    See Also:

    Chapter 11, "Managing the Credential Store" for details about credential management.
  3. Log in to Oracle Business Intelligence Publisher using a URL of the form:

    http://host.domain.com:port/xmlpserver/

  4. Under the Reports tab, click on Shared Folders, and select Fusion Middleware Audit.

  5. On the main page, click Fusion Middleware Audit under Shared Folders.

  6. The audit report menu appears. Audit reports are organized in various folders by type.

  7. To view audit records for Oracle Platform Security Services, for example, navigate to the Component Specific folder, then Oracle Platform Security Services.

  8. The Oracle Platform Security Services folder contains several reports. Click All Events.

    The report shows activity in a default time range. Modify the time range to show only the day's events.

    The activity performed on that day appears on the page.

    Observe the different regions of the report and their functions: report filters, format control, scheduling, and the data display itself.

  9. In each report, the last data column is a Detail column. Click on a detail to view all the attributes of the specific audit record.

  10. Return to the main folder to view some other reports of interest. For example, in the Common Reports folder, navigate to the Account Management folder, and click Account Profile History.

    The Account Profile History report appears.

  11. Click on the Event Details for an event of interest:

  12. Finally, return to the Common Reports folder and select Errors and Exceptions. Select the All Errors and Exceptions report.

  13. A number of records are displayed. To narrow the report to records of interest, use the Event drop-down to select checkPermission events.

    One row is returned showing an authorization check failure:

  14. Click Details to obtain more information:

C.2.5 Audit Report Details

This section provides detailed reference information about the standard (pre-built) audit reports.

The standard audit reports are grouped as follows:

  1. The All Events report

    This report contains all audit records generated in a pre-defined interval.

  2. Common Reports

    These are reports that contain audit records across multiple components.

  3. Component-Specific Reports

    Each report is dedicated to a specific component.

Common Reports

Common reports are organized as follows:

  • Account Management

    • Account Profile History

    • Accounts Deleted

    • Accounts Enabled

    • Accounts Disabled

    • Accounts Created

    • Accounts Locked Out

    • Password Changes

    • Dashboard

  • User Activities

    • Authentication History

    • Multiple Logins from Same IP

    • Authorization History

    • Event Details

    • Related Audit Events

    • Dashboard

  • Errors and Exceptions

    • All Errors and Exceptions

    • Authorization Failures

    • Authentication Failures

    • Dashboard

Important:

Run the Event Details report only against an 11g Release 1 (11.1.1.4.0) PS3 (patch set 3) schema.

C.2.5.1 List of Audit Reports in Oracle Business Intelligence Publisher

Table C-6 provides a brief description of each audit report in Oracle Business Intelligence Publisher.

Note:

The folder path shown in the column titled "Located in Folder" is relative to the Oracle Fusion Middleware Audit folder. To get to this folder, log in to Oracle Business Intelligence Publisher, and navigate to Shared Folders, then Oracle Fusion Middleware Audit.

Table C-6 List of Audit Reports

| Report | Description | Located in Folder |
|---|---|---|
| Accounts Created | shows accounts created in various components. | Common Reports, then Account Management. Also in Component Specific folders. |
| Accounts Deleted | shows accounts deleted in various components. | Common Reports, then Account Management. Also in Component Specific folders. |
| Accounts Disabled | shows accounts disabled in various components. | Common Reports, then Account Management. Also in Component Specific folders. |
| Accounts Enabled | shows accounts enabled in various components. | Common Reports, then Account Management. Also in Component Specific folders. |
| Accounts Locked Out | shows accounts locked out due to excessive authentication failures. | Common Reports, then Account Management. Also in Component Specific folders. |
| Account Profile History | shows profile changes in accounts, such as change in address and password changes. | Common Reports, then Account Management. Also in Component Specific folders. |
| All Errors and Exceptions | captures all errors and exceptions across components. | Common Reports, then Errors and Exceptions. Also in Component Specific folders. |
| All Events | displays all audit events. | Oracle Fusion Middleware Audit. Also in Component Specific folders. |
| Application Policy Management | displays application level policy management. | Component Specific, then Oracle Platform Security Services. |
| Application Role Management | shows application role to enterprise role mappings. | Component Specific, then Oracle Platform Security Services. |
| Assertion Activity | shows assertion activity in Oracle Identity Federation. | Component Specific, then Oracle Identity Federation. |
| Assertion Template Management | lists assertion template management operations in Oracle Web Services Manager. | Component Specific, then Oracle Web Services Manager, then Policy Management. |
| Authentication Failures | shows authentication errors and exceptions; can be cross-component or specific to a component. | Common Reports, then Errors and Exceptions. Also in Component Specific folders. |
| Authentication History | lists authentications across all components. | Common Reports, then User Activities. Also in Component Specific folders. |
| Authorization Failures | captures authorization failures. | Common Reports, then Errors and Exceptions. Also in Component Specific folders. |
| Authorization History | shows authorizations across all components. | Common Reports, then User Activities. Also in Component Specific folders. |
| Confidentiality Enforcements | lists enforcements related to confidentiality in Oracle Web Services Manager. | Component Specific, then Oracle Web Services Manager, then Policy Enforcements. |
| Configuration Changes | lists configuration changes made in Fusion Middleware Audit Framework. | Component Specific, then Oracle Fusion Middleware Audit Framework. |
| Credential Access | displays credential accesses by users and applications in Oracle Platform Security Services. | Component Specific, then Oracle Platform Security Services. |
| Credential Management | displays credential management operations performed in Oracle Platform Security Services. | Component Specific, then Oracle Platform Security Services. |
| Federation User Activity | lists federation user activities in Oracle Identity Federation. | Component Specific, then Oracle Identity Federation. |
| Message Integrity Enforcements | shows enforcements related to message integrity in Oracle Web Services Manager. | Component Specific, then Oracle Web Services Manager, then Policy Enforcements. |
| Multiple Logins from Same IP | lists machines from where successful logins are made into different user accounts. | Common Reports, then User Activities. |
| Password Changes | shows password changes done in various accounts. | Common Reports, then Account Management. Also in Component Specific folders. |
| Policy Attachments | shows policy to web service endpoint attachments. | Component Specific, then Oracle Web Services Manager. |
| Policy Enforcements | lists general policy enforcements for Oracle Web Services Manager. | Component Specific, then Oracle Web Services Manager, then Policy Enforcements. |
| Profile Management Events | shows changes to Directory Integration Platform's profiles. | Component Specific, then Directory Integration Platform. |
| Request Response | shows requests sent and responses received from web services. | Component Specific, then Oracle Web Services Manager. |
| System Policy Management | displays system level policy management operations. | Component Specific, then Oracle Platform Security Services. |
| Violations | shows enforcement violations. | Component Specific, then Oracle Web Services Manager, then Policy Enforcements. |
| Web Services Policy Management | shows policy management operations. | Component Specific, then Oracle Web Services Manager, then Policy Management. |


C.2.5.2 Attributes of Audit Reports in Oracle Business Intelligence Publisher

Table C-7 lists the attributes that appear in the various audit reports. When viewing a report, you can use this table to learn more about the attributes that appear in the report.

Note the following:

  • Not all attributes appear in each report.

  • The user or users attribute, which appears in each report, can mean different things in different reports; see Table C-6 for an explanation of this attribute.

  • Not all the attributes are displayed in Oracle Business Intelligence Publisher audit reports. If you wish to include some additional attributes in your custom reports, see Appendix C, "Oracle Fusion Middleware Audit Framework Reference".

Table C-7 Attributes of Audit Reports

| Attribute | Description |
|---|---|
| Activity | The type of action, either user- or system-initiated. |
| Application Name | The complete application path and name. |
| Application Server Instance | The instance of the application server in use. |
| Attempted | The action that was attempted, for example, a single sign-on attempted by the user. |
| Component Name | The name of the component instance. |
| Component Type | The type of component, for example Oracle Identity Federation. |
| Domain Name | Oracle WebLogic Server domain name. |
| ECID | The execution context ID. |
| Event Type | The type of event that occurred, for example, account creation. |
| Initiator | The user who initiated the event. |
| Internet Protocol Address, IP Address | The IP address of the user's machine from which the action was initiated. |
| Message Text | The text of the message; a description of the event. |
| Policy Name | The name of the policy involved in the action. |
| Time Range | The time range which allows you to limit your data set to a specific time interval, for example, the last 24 hours. |
| Timestamp | The date and time of the event. |
| Transaction ID | The transaction identifier. |


C.3 Customizing Audit Reports

This section discusses advanced report generation and creation options:

C.3.1 Using Advanced Filters on Pre-built Reports

Clicking on the report's Edit button brings up a page at which you can specify more detailed report filters and properties. This page consists of two panels. The left panel lets you select what element of the report is to be modified through these options. For each element you select, the right panel displays the corresponding information.

  • Data Model - This contains the SQL query that fetches the raw data for the report. The query can be modified according to your needs.

  • List of Values - Shows all the report columns. Selecting a column displays the underlying SQL query that filters data for the attribute. You can modify the query as needed; for example, you can specify more restrictive filter values.

  • Parameters - Shows all the report columns, and lets you select any column to modify display settings for that column. For example, you can specify a date display format for timestamp fields.

  • Layouts and output formats - This feature is described in the following section.

C.3.2 Creating Custom Reports

Oracle Business Intelligence Publisher provides a complete set of capabilities for designing and creating custom reports.

Here is a simple example illustrating the basic steps to customize an existing audit report with Oracle Business Intelligence Publisher.

  1. Log in to Oracle Business Intelligence Publisher as administrator.

  2. Navigate to the Oracle Fusion Middleware Audit folder.

  3. Create a folder to maintain your custom reports. Under Folder and Event Tasks, click New Folder.

    Enter a folder name.

  4. The new folder, Custom BI Reports, appears on the main audit reports folder.

  5. Select an existing report that will be a starting point to create a custom report, by clicking the icon to the left of the report. In this example the All Events report is selected:

    Click Copy this report.

  6. This action copies the report to the clipboard. To send it to the new folder:

    • Select the Custom BI Reports folder.

    • Under Folder and Report Tasks, click Paste from clipboard.

    • A dialog box appears requesting confirmation. Click Yes.

      The report is now moved from the clipboard to the custom folder:

    • Provide a descriptive name for the new report by selecting the icon to the left of the report, and clicking Rename this report.

  7. Now you are ready to customize the report. Click Edit from the menu choices under the report title.

  8. The Edit page appears.

    Two panels are displayed; on the main panel titled General Settings, you can control basic features like the report title and runtime controls. To the left of the main panel, a second panel displays two sets of information that you can use to create relevant content for your report:

    • List of Values shows the fields that are being used currently in the report. When you click on a field, the main panel automatically displays the name and the SQL query used to select the values to include for that field.

    • Parameters shows the available parameters from which you can choose the ones to include in the report. Notice that a subset of the parameters is already in the report; for example, userid (which is the initiator of the audit event) provides the Users data, while timeRange provides the Time Range data.

    The palette of choices on the left panel is context-sensitive and provides information to help you build the report.

  9. You can use the Query Builder to customize the data to include in your report. For example, to include only login events for a component, you can:

    • Select ComponentName from the list of values and click Query Builder.

    • A table appears listing the available components. Select the component, say JPS. A second table appears showing the component event fields:

    • In the JPS table select IAU_EVENTTYPE.

    • Click Conditions, enter the condition login and click Save.

  10. The condition is now included in the report. Be sure to click Save again on the upper left corner to commit your changes to the report definition.

  11. You can now return to the report in the Custom BI Reports folder and view the data.

C.4 The Audit Schema

If you have additional audit reporting requirements beyond the pre-built reports described in Section C.2, "Pre-built Audit Reports", you can create custom reports using your choice of reporting tools. For example, while the pre-built reports use a subset of the event attributes, you can make use of the entire audit attribute set for an event in creating custom reports.

Table C-8 and Table C-9 describe the audit schema, which is useful when building custom reports.

Table C-8 The Audit Schema

| Table Name | Column Name | Data Type | Nullable | Column ID |
|---|---|---|---|---|
| BASE TABLE | IAU_ID | NUMBER | Yes | 1 |
| | IAU_ORGID | VARCHAR2(255 Bytes) | Yes | 2 |
| | IAU_COMPONENTID | VARCHAR2(255 Bytes) | Yes | 3 |
| | IAU_COMPONENTTYPE | VARCHAR2(255 Bytes) | Yes | 4 |
| | IAU_INSTANCEID | VARCHAR2(255 Bytes) | Yes | 5 |
| | IAU_HOSTINGCLIENTID | VARCHAR2(255 Bytes) | Yes | 6 |
| | IAU_HOSTID | VARCHAR2(255 Bytes) | Yes | 7 |
| | IAU_HOSTNWADDR | VARCHAR2(255 Bytes) | Yes | 8 |
| | IAU_MODULEID | VARCHAR2(255 Bytes) | Yes | 9 |
| | IAU_PROCESSID | VARCHAR2(255 Bytes) | Yes | 10 |
| | IAU_ORACLEHOME | VARCHAR2(255 Bytes) | Yes | 11 |
| | IAU_HOMEINSTANCE | VARCHAR2(255 Bytes) | Yes | 12 |
| | IAU_UPSTREAMCOMPONENTID | VARCHAR2(255 Bytes) | Yes | 13 |
| | IAU_DOWNSTREAMCOMPONENTID | VARCHAR2(255 Bytes) | Yes | 14 |
| | IAU_ECID | VARCHAR2(255 Bytes) | Yes | 15 |
| | IAU_RID | VARCHAR2(255 Bytes) | Yes | 16 |
| | IAU_CONTEXTFIELDS | VARCHAR2(2000 Bytes) | Yes | 17 |
| | IAU_SESSIONID | VARCHAR2(255 Bytes) | Yes | 18 |
| | IAU_SECONDARYSESSIONID | VARCHAR2(255 Bytes) | Yes | 19 |
| | IAU_APPLICATIONNAME | VARCHAR2(255 Bytes) | Yes | 20 |
| | IAU_TARGETCOMPONENTTYPE | VARCHAR2(255 Bytes) | Yes | 21 |
| | IAU_EVENTTYPE | VARCHAR2(255 Bytes) | Yes | 22 |
| | IAU_EVENTCATEGORY | VARCHAR2(255 Bytes) | Yes | 23 |
| | IAU_EVENTSTATUS | NUMBER | Yes | 24 |
| | IAU_TSTZORIGINATING | TIMESTAMP(6) | Yes | 25 |
| | IAU_THREADID | VARCHAR2(255 Bytes) | Yes | 26 |
| | IAU_COMPONENTNAME | VARCHAR2(255 Bytes) | Yes | 27 |
| | IAU_INITIATOR | VARCHAR2(255 Bytes) | Yes | 28 |
| | IAU_MESSAGETEXT | VARCHAR2(255 Bytes) | Yes | 29 |
| | IAU_FAILURECODE | VARCHAR2(255 Bytes) | Yes | 30 |
| | IAU_REMOTEIP | VARCHAR2(255 Bytes) | Yes | 31 |
| | IAU_TARGET | VARCHAR2(255 Bytes) | Yes | 32 |
| | IAU_RESOURCE | VARCHAR2(255 Bytes) | Yes | 33 |
| | IAU_ROLES | VARCHAR2(255 Bytes) | Yes | 34 |
| | IAU_AUTHENTICATIONMETHOD | VARCHAR2(255 Bytes) | Yes | 35 |
| | IAU_TRANSACTIONID | VARCHAR2(255 Bytes) | Yes | 36 |
| | IAU_DOMAINNAME | VARCHAR2(255 Bytes) | Yes | 37 |
| | IAU_COMPONENTDATA | CLOB | Yes | 38 |
| DIP | IAU_ID | NUMBER | Yes | 1 |
| | IAU_TSTZORIGINATING | TIMESTAMP(6) | Yes | 2 |
| | IAU_EVENTTYPE | VARCHAR2(255 Bytes) | Yes | 3 |
| | IAU_EVENTCATEGORY | VARCHAR2(255 Bytes) | Yes | 4 |
| | IAU_ASSOCIATEPROFILENAME | VARCHAR2(512 Bytes) | Yes | 5 |
| | IAU_PROFILENAME | VARCHAR2(512 Bytes) | Yes | 6 |
| | IAU_ENTRYDN | VARCHAR2(1024 Bytes) | Yes | 7 |
| | IAU_PROVEVENT | VARCHAR2(2048 Bytes) | Yes | 8 |
| | IAU_JOBNAME | VARCHAR2(128 Bytes) | Yes | 9 |
| | IAU_JOBTYPE | VARCHAR2(128 Bytes) | Yes | 10 |
| IAU_DISP_NAME_TL | IAU_LOCALE_STR | VARCHAR2(7 Bytes) | | 1 |
| | IAU_DISP_NAME_KEY | VARCHAR2(255 Bytes) | | 2 |
| | IAU_COMPONENT_TYPE | VARCHAR2(255 Bytes) | | 3 |
| | IAU_DISP_NAME_KEY_TYPE | VARCHAR2(255 Bytes) | | 4 |
| | IAU_DISP_NAME_TRANS | VARCHAR2(4000 Bytes) | Yes | 5 |
| IAU_LOCALE_MAP_TL | IAU_LOC_LANG | VARCHAR2(2 Bytes) | Yes | 1 |
| | IAU_LOC_CNTRY | VARCHAR2(3 Bytes) | Yes | 2 |
| | IAU_LOC_STR | VARCHAR2(7 Bytes) | Yes | 3 |


Table C-9 shows additional tables in the audit schema; these tables support the dynamic metadata model.

Table C-9 Additional Audit Schema Tables

| Table Name | Column Name | Data Type |
|---|---|---|
| IAU_COMMON | IAU_ID | NUMBER |
| | IAU_OrgId | VARCHAR(255) |
| | IAU_ComponentId | VARCHAR(255) |
| | IAU_ComponentType | VARCHAR(255) |
| | IAU_MajorVersion | VARCHAR(255) |
| | IAU_MinorVersion | VARCHAR(255) |
| | IAU_InstanceId | VARCHAR(255) |
| | IAU_HostingClientId | VARCHAR(255) |
| | IAU_HostId | VARCHAR(255) |
| | IAU_HostNwaddr | VARCHAR(255) |
| | IAU_ModuleId | VARCHAR(255) |
| | IAU_ProcessId | VARCHAR(255) |
| | IAU_OracleHome | VARCHAR(255) |
| | IAU_HomeInstance | VARCHAR(255) |
| | IAU_UpstreamComponentId | VARCHAR(255) |
| | IAU_DownstreamComponentId | VARCHAR(255) |
| | IAU_ECID | VARCHAR(255) |
| | IAU_RID | VARCHAR(255) |
| | IAU_ContextFields | VARCHAR(2000) |
| | IAU_SessionId | VARCHAR(255) |
| | IAU_SecondarySessionId | VARCHAR(255) |
| | IAU_ApplicationName | VARCHAR(255) |
| | IAU_TargetComponentType | VARCHAR(255) |
| | IAU_EventType | VARCHAR(255) |
| | IAU_EventCategory | VARCHAR(255) |
| | IAU_EventStatus | NUMBER |
| | IAU_TstzOriginating | TIMESTAMP |
| | IAU_ThreadId | VARCHAR(255) |
| | IAU_ComponentName | VARCHAR(255) |
| | IAU_Initiator | VARCHAR(255) |
| | IAU_MessageText | VARCHAR(2000) |
| | IAU_FailureCode | VARCHAR(255) |
| | IAU_RemoteIP | VARCHAR(255) |
| | IAU_Target | VARCHAR(255) |
| | IAU_Resource | VARCHAR(255) |
| | IAU_Roles | VARCHAR(255) |
| | IAU_AuthenticationMethod | VARCHAR(255) |
| | IAU_TransactionId | VARCHAR(255) |
| | IAU_DomainName | VARCHAR(255) |
| | IAU_ComponentVersion | VARCHAR(255) |
| | IAU_ComponentData | CLOB |
| IAU_CUSTOM | IAU_ID | NUMBER |
| | IAU_BOOLEAN_001 through IAU_BOOLEAN_050 | NUMBER |
| | IAU_INT_001 through IAU_INT_050 | NUMBER |
| | IAU_LONG_001 through IAU_LONG_050 | NUMBER |
| | IAU_FLOAT_001 through IAU_FLOAT_050 | NUMBER |
| | IAU_DOUBLE_001 through IAU_DOUBLE_050 | NUMBER |
| | IAU_STRING_001 through IAU_STRING_100 | VARCHAR(2048) |
| | IAU_DATETIME_001 through IAU_DATETIME_050 | TIMESTAMP |
| | IAU_LONGSTRING_001 through IAU_LONGSTRING_050 | CLOB |
| | IAU_BINARY_001 through IAU_BINARY_050 | BLOB |
| IAU_AuditService | IAU_ID | NUMBER |
| | IAU_TransactionId | VARCHAR(255) |
| IAU_USERSESSION | IAU_ID | NUMBER |
| | IAU_AuthenticationMethod | VARCHAR(255) |


C.5 WLST Commands for Auditing

Oracle WebLogic Server scripts are used at the command line to administer various features. WLST is the command-line utility for administration of Oracle Fusion Middleware components and applications in the Oracle WebLogic Server environment. It provides another option for administration in addition to Oracle Enterprise Manager Fusion Middleware Control.

For details about the WLST commands to view and manage audit policies and the audit store configuration, see "Audit Configuration Commands" in the Oracle Fusion Middleware Infrastructure Security WLST Command Reference.

Note:

When running audit commands, you must invoke the WLST script from the Oracle Common home. See "Using Custom WLST Commands" in the Oracle Fusion Middleware Administrator's Guide for more information.

C.6 Audit Filter Expression Syntax

When you select a custom audit policy, you have the option of specifying a filter expression along with an event.

For example, you can use the following expression:

Host Id -eq "myhost123"

to enable the audit event for a particular host only.


You enter this expression either through the Fusion Middleware Control Edit Filter Dialog or through the setAuditPolicy command.

There are some syntax rules you should follow when creating a filter expression.

The expression can either be a Boolean expression or a literal.

<Expr> ::= <BooleanExpression> | <BooleanLiteral>

A Boolean expression can use combinations of RelationalExpression with -and, -or, -not and parentheses. For example, (Host Id -eq "stadl17" -or ").

<BooleanExpression> ::=  <RelationalExpression>
   | "(" <BooleanExpression> ")"
   | <BooleanExpression> "-and" <BooleanExpression>
   | <BooleanExpression> "-or" <BooleanExpression>
   | "-not" <BooleanExpression>

A relational expression compares an attribute name (on the left-hand side) with a literal (on the right-hand side). The literal and the operator must be of the correct data type for the attribute.

<RelationalExpression> ::= <AttributeName> <RelationalOperator> <Literal>

Relational operators are particular to data types:

  • -eq, -ne can be used with all data types

  • -contains, -startswith, -endswith can be used only with strings

  • -contains_case, -startswith_case and -endswith_case are case sensitive versions of the above three functions

  • -lt, -le, -gt, -ge can be used with numeric and datetime

<RelationalOperator> ::= "-eq" | "-ne" | "-lt" | "-le" | "-gt" | "-ge"
   | "-contains" | "-contains_case"
   | "-startswith" | "-startswith_case"
   | "-endswith" | "-endswith_case"

Rules for literals are as follows:

  • Boolean literals are true or false, without quotes.

  • Date time literals have to be in double quotes and can be in many different formats; "June 25, 2006", "06/26/2006 2:00 pm" are all valid.

  • String literals have to be in quotes; a backslash can be used to escape an embedded double quote.

  • Numeric literals are in their usual format.

For example:

<Literal> ::=  <NumericLiteral> | <BooleanLiteral> | <DateTimeLiteral> | <StringLiteral>
<BooleanLiteral> ::= "true" | "false"
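
The grammar and operator rules in this section can be checked mechanically before an expression is entered in the Edit Filter dialog or passed to setAuditPolicy. The following Python code is an added example, not Oracle code: it parses a filter into a nested tuple and rejects operator and literal combinations that the rules above disallow. Assumptions of this example: -not binds tighter than -and, which binds tighter than -or (the section does not state precedence); attribute names may contain spaces, as in Host Id; any quoted literal is accepted where a datetime is allowed.

```python
import re

# Tokens: parentheses, -operators, quoted strings, numbers, bare words.
TOKEN = re.compile(r'''(?P<lp>\()|(?P<rp>\))|(?P<op>-[a-z_]+)|(?P<str>"(?:[^"\\]|\\.)*")
    |(?P<num>-?\d+(?:\.\d+)?)|(?P<word>[A-Za-z_]\w*)|(?P<ws>\s+)|(?P<bad>.)''', re.X)
STRING_OPS = {'-contains', '-startswith', '-endswith',
              '-contains_case', '-startswith_case', '-endswith_case'}
ORDER_OPS = {'-lt', '-le', '-gt', '-ge'}
REL_OPS = STRING_OPS | ORDER_OPS | {'-eq', '-ne'}


def tokenize(text):
    toks = []
    for m in TOKEN.finditer(text):
        if m.lastgroup == 'bad':  # e.g. a typographic dash or an unterminated quote
            raise ValueError(f'unexpected character {m.group()!r} at offset {m.start()}')
        if m.lastgroup != 'ws':
            toks.append((m.lastgroup, m.group()))
    return toks


def parse(text):
    """Parse a filter expression into a nested tuple; raise ValueError if invalid."""
    toks, pos = tokenize(text), 0

    def peek():
        return toks[pos] if pos < len(toks) else ('end', '')

    def take(kind=None):
        nonlocal pos
        k, v = peek()
        if kind and k != kind:
            found = v or 'end of input'
            raise ValueError(f'expected {kind}, found {found!r}')
        pos += 1
        return v

    def literal():
        k, v = peek()
        if k == 'str':
            take()
            return re.sub(r'\\(.)', r'\1', v[1:-1])  # drop quotes, unescape \"
        if k == 'num':
            take()
            return float(v)
        if k == 'word' and v in ('true', 'false'):
            take()
            return v == 'true'
        raise ValueError(f'expected a literal, found {v!r}')

    def relational():
        words = []
        while peek()[0] == 'word':
            words.append(take())
        op = take('op')
        if not words or op not in REL_OPS:
            raise ValueError(f'bad relational expression near {op!r}')
        lit = literal()
        if op in STRING_OPS and not isinstance(lit, str):
            raise ValueError(f'{op} needs a quoted string literal')
        if op in ORDER_OPS and isinstance(lit, bool):
            raise ValueError(f'{op} needs a numeric or datetime literal')
        return (op, ' '.join(words), lit)

    def unary():
        if peek() == ('op', '-not'):
            take()
            return ('-not', unary())
        if peek()[0] == 'lp':
            take()
            node = either()
            take('rp')
            return node
        return relational()

    def both():
        node = unary()
        while peek() == ('op', '-and'):
            take()
            node = ('-and', node, unary())
        return node

    def either():
        node = both()
        while peek() == ('op', '-or'):
            take()
            node = ('-or', node, both())
        return node

    if toks in ([('word', 'true')], [('word', 'false')]):
        return toks[0][1] == 'true'  # <Expr> may be a bare Boolean literal
    tree = either()
    take('end')
    return tree


def validate(expr):
    """Return None if expr is a well-formed filter, else the reason it was rejected."""
    try:
        parse(expr)
    except ValueError as err:
        return str(err)
    return None
```

A filter that fails validation here is worth correcting before it is deployed, since a policy filter that does not match as intended means the corresponding events are not audited.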

C.7 Naming and Logging Format of Audit Files

This section explains the rules that are used to maintain audit files.

For Java components (both Java EE and Java SE) the audit.log file contains audit records and comprises the bus-stop file.

When that file fills up (it reaches the configured maximum audit file size which is 100MB), it is renamed to audit1.log and records are written to a new audit.log. When this file fills up, the audit.log file is renamed to audit2.log and the cycle starts with a new audit.log.

This process continues until the configured maximum audit directory size is reached (the default is 0, which means unlimited size). Upon reaching the maximum directory size, the system deletes the oldest audit<n>.log file.

When you configure a database audit store, the audit loader reads these files and transfers the records to the database in batches. After reading a complete audit<n>.log file, it deletes the file.

Note:

The audit loader never deletes the "current" file, that is, audit.log; it only deletes archive files audit<n>.log.

System components follow the same model, except the file name is slightly different. The process ID is embedded in the file name; thus, if the process ID is 11925 the current file is called audit-pid11925.log, and after rotation it is called audit-pid11925-1.log.

For applications with audit definitions in the dynamic model, the file name format is audit_<major version number>_<minor version number>.log; for example, audit_1_2.log.

Here is a sample audit.log file:

#Fields:Date Time Initiator EventType EventStatus MessageText HomeInstance ECID RID ContextFields SessionId TargetComponentType ApplicationName EventCategory ThreadId InitiatorDN TargetDN FailureCode RemoteIP Target Resource Roles CodeSource InitiatorGUID Principals PermissionAction PermissionClass mapName key
#Remark Values:ComponentType="JPS"
2008-12-08 10:46:05.492 - "CheckAuthorization" true "Oracle Platform Security Authorization Check Permission SUCCEEDED." - - - - - - - "Authorization" "48" - - "true" - - "(oracle.security.jps.service.policystore.PolicyStoreAccessPermission context=APPLICATION,name=SimpleServlet getApplicationPolicy)" - "file:/oracle/work/middleware/oracle_common/modules/oracle.jps_11.1.1/jps-internal.jar" - "[]" - - - - 

This file follows the W3C extended logging format, which is a very common log format that is used by many web servers, for example Apache and IIS:

  • The first line is a "#Fields" line; it specifies all the fields in the rest of the file.

  • The second line is a comment such as "#Remark", which indicates some common attributes like the ComponentType.

  • All subsequent lines are data lines; they follow the exact format defined in the "#Fields" line. All attributes are separated by spaces; missing attributes are indicated by a dash.
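
The format rules above are enough to read bus-stop files directly, for example when the records have not yet been loaded into a database audit store. The following Python code is an added example, not Oracle code: it parses the sample audit.log from this section into dictionaries, treats an unquoted dash as a missing value, sets aside lines whose field count does not match the #Fields line, and orders file names oldest first according to the rotation scheme described in this section. Assumptions of this example: quoted values contain no embedded double quote, and the truncated second record is constructed to show the rejection path.

```python
import re

# Header and first record copied from the sample audit.log on this page.
SAMPLE_LOG = (
    '#Fields:Date Time Initiator EventType EventStatus MessageText HomeInstance '
    'ECID RID ContextFields SessionId TargetComponentType ApplicationName '
    'EventCategory ThreadId InitiatorDN TargetDN FailureCode RemoteIP Target '
    'Resource Roles CodeSource InitiatorGUID Principals PermissionAction '
    'PermissionClass mapName key\n'
    '#Remark Values:ComponentType="JPS"\n'
    '2008-12-08 10:46:05.492 - "CheckAuthorization" true "Oracle Platform '
    'Security Authorization Check Permission SUCCEEDED." - - - - - - - '
    '"Authorization" "48" - - "true" - - '
    '"(oracle.security.jps.service.policystore.PolicyStoreAccessPermission '
    'context=APPLICATION,name=SimpleServlet getApplicationPolicy)" - '
    '"file:/oracle/work/middleware/oracle_common/modules/oracle.jps_11.1.1/'
    'jps-internal.jar" - "[]" - - - - \n'
    # Constructed line: a record cut short, as a partially written line would be.
    '2008-12-08 10:46:06.001 - "CheckAuthorization" false\n'
)

# A field is either a double-quoted value (may contain spaces) or a bare token.
TOKEN = re.compile(r'"([^"]*)"|(\S+)')
# audit.log, audit<n>.log, audit-pid<pid>.log, audit-pid<pid>-<n>.log
NAME = re.compile(r'^audit(-pid\d+)?(?:-?(\d+))?\.log$')


def parse_audit_log(text):
    """Return (records, rejects); each record is a dict keyed by #Fields names."""
    fields, common, records, rejects = [], {}, [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.startswith('#Fields:'):
            fields = line[len('#Fields:'):].split()
            continue
        if line.startswith('#Remark'):
            # Attributes shared by every record in the file, e.g. ComponentType.
            common = dict(re.findall(r'(\w+)="([^"]*)"', line))
            continue
        if line.startswith('#'):
            continue
        values = []
        for m in TOKEN.finditer(line):
            if m.group(1) is not None:
                values.append(m.group(1))          # quoted value, kept verbatim
            else:
                raw = m.group(2)
                values.append(None if raw == '-' else raw)  # bare dash = missing
        if not fields or len(values) != len(fields):
            rejects.append((lineno, line))         # do not guess at misaligned data
            continue
        record = dict(common)
        record.update(zip(fields, values))
        records.append(record)
    return records, rejects


def chronological(names):
    """Order bus-stop files oldest first: archives by ascending n, current file last.

    Names that do not follow the audit[-pid<pid>][<n>].log pattern are skipped.
    """
    keyed = []
    for name in names:
        m = NAME.match(name)
        if m:
            n = int(m.group(2)) if m.group(2) else float('inf')
            keyed.append((m.group(1) or '', n, name))
    return [name for _, _, name in sorted(keyed)]
```

Because the audit loader deletes each audit<n>.log after reading it, a reader like this only sees records that have not yet been transferred to the database.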