C Oracle Fusion Middleware Audit Framework Reference

This appendix provides reference information for audit repors in the Oracle Fusion Middleware Audit Framework.

Use the information in this chapter for audit record administration and to develop audit reports for system components.

This chapter contains these topics:

Note:

This appendix covers reports based on the report template model with Oracle Business Intelligence Publisher 10g. A different approach is used for audit based on the dynamic metadata model; see Chapter 15 for details.

C.1 Audit Events

This section describes the components that are audited and the types of events that can be audited.

C.1.1 What Components Can be Audited?

The Oracle Fusion Middleware Audit Framework provides the foundation for auditing by Oracle Fusion Middleware components and applications. In 12c (12.1.2), a number of Java and system components can generate audit records; they are known as audit-aware components.

Some examples of Java components that utilize the Fusion Middleware Audit Framework are:

  • Directory Integration Platform Server

  • Oracle Platform Security Services

  • Oracle Web Services Manager

  • Oracle Web Services

  • Reports Server

Some system components that utilize the Fusion Middleware Audit Framework are:

  • Oracle HTTP Server

  • Oracle Internet Directory

This appendix provides audit information only for events generated by Oracle Platform Security Services. For details about auditing in other components and applications, refer to the respective administration guides.

C.1.2 What Events can be Audited?

The set of tables in this section shows what event types can be audited:

C.1.2.1 Oracle Platform Security Services Events and their Attributes

This section contains the following tables:

Table C-1 System Categories and Events

Category Event Description

UserSession

This set of events is for creating and using user sessions on the system.

Common attribute for these events: AuthenticationMethod

UserLogin

User Logins

In multi-tier applications, inner tiers often use some special user id (an end user or an administrator) to log in to the next tier. To make audit reports more meaningful, logins by these special users are considered in a separate category - Internal Logins. The User Logins/Logouts events only records actions by regular users (including administrators).

 

UserLogout

User Logouts

An end user or administrator logs out.

 

Authentication

Authentication is very similar to UserLogin/InternalLogin, except that no session is created, so there is no corresponding UserLogout/InternalLogout. This event is usually generated by lower layers, while login is generated by higher layers.

 

InternalLogin

Internal Login

This is an internal login between two tiers.

 

InternalLogout

Internal Logout

This is an internal logout between two tiers.

 

QuerySession

Query Session

Query the attributes within a session object for a logged-in user.

 

ModifySession

Modify the attributes within a session object for a logged-in user.

     

Authorization

This set of events is for authorization.

CheckAuthorization

Check Authorization

 
     

Data Access

This set of events is for data access.

CreateDataItem

Create a data item

Create a data item, for example a file.

 

DeleteDataItem

Delete a data item.

 

QueryDataItemAttributes

Query the attributes associated with a data item.

 

ModifyDataItemAttributes

Modify the attributes associated with a data item, for example access.

     

AccountManagement

This set of events is for the management of principal accounts.

ChangePassword

Change a user's password.

 

CreateAccount

Create a user, or group, or any other principal account.

 

DeleteAccount

Delete an account for a user, or group, or any other principal.

 

EnableAccount

Enable an account for a user, or group, or any other principal

 

DisableAccount

Disable an account for a user, or group, or any other principal.

 

QueryAccount

Query the user's account.

 

ModifyAccount

Modify the account attributes.

     

ServiceManagement

This set of events relate to management of system services and applications.

InstallService

Install or upgrade a service or an application.

 

RemoveService

De-install a service or an application.

 

QueryServiceConfig

Query the configuration of a service or application.

 

ModifyServiceConfig

Modify the configuration of a service or application.

 

DisableService

Shut down or disable a service or application.

 

EnableService

Start up or enable a service or application.

     

ServiceUtilize

These events relate to the use of a service or application. They typically map to the execution of a program or procedure, and manipulation of the processing environment.

InvokeService

Invoke a service or an application. For example, execute a command-line script.

 

TerminateService

Terminate a service or an application, either at the request of the application itself or by intervention of the domain in response to user or administrative action.

 

QueryProcessContext

Query the attributes associated with the current processing context.

 

ModifyProcessContext

Modify the attributes associated with the current processing context.

     

PeerAssocManagement

This set of events creates and works with communication channels between system components.

CreatePeerAssoc

Creates a communication channel between system components.

 

TerminatePeerAssoc

Terminates a communication channel between system components.

 

QueryAssocContext

Query attributes associated with a communication channel between system components.

 

ModifyAssocContext

Modify attributes associated with a communication channel between system components

   

a communication channel between system components

 

ReceiveDataViaAssoc

Receive data from an associated peer.

 

SendDataViaAssoc

Send data to an associated peer.

     

DataItemContentAccess

This set of events is to form an association between a service or application and a data item or resource element to use its content or services; for example a file or directory, a device special file, a memory segment, communication port, and so on.

CreateDataItemAssoc

Open a data item, for example a file.

 

TerminateDataItemAssoc

Close a data item, for example a file.

 

QueryDataItemAssocContext

Query attributes of a data item, for example mode of access, size limits, access paths, and so on.

 

ModifyDataItemAssocContext

Modify attributes of a data item.

 

QueryDataItemContents

Read the data item.

 

ModifyDataItemContent

Write or append to the data item.

     

Exceptional

These events are considered to be outside the generalized events.

StartSystem

Boot a system host.

 

ShutdownSystem

Shut down the system.

 

ResourceExhausted

Resources like data storage or communication endpoints have been exhausted.

 

ResourceCorrupted

Resources like data storage have integrity failures.

 

BackupDatastore

Make a backup copy of a data store.

 

RecoverDatastore

Recover a data store from a backup copy.

     

AuditService

This set of events applies to audit service configuration.

Common attribute for these events:

TransactionId

ConfigureAuditPolicy

Modify parameters that control auditing, for example the audit event filtering.

 

ConfigureAuditRepository

Configure the audit repository, for example to change from a file-based repository to a database repository.


See Also:

Section 13.4.3 for background about system categories and events.

Table C-2 Core Oracle Platform Security Services Events

Event Category Event Type Attributes used by Event

Authorization

CheckPermission

ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, CodeSource, Principals, InitiatorGUID, Subject, PermissionAction, PermissionTarget, PermissionClass

 

CheckSubject

ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, CodeSource, Principals, InitiatorGUID, Subject

     

CredentialManagement

CreateCredential

ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, mapName, key, CodeSource, Principals, InitiatorGUID

 

DeleteCredential

ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, mapName, key, CodeSource, Principals, InitiatorGUID

 

AccessCredential

ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, mapName, key, CodeSource, Principals, InitiatorGUID

 

ModifyCredential

ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, mapName, key, CodeSource, Principals, InitiatorGUID

     

PolicyManagement

PolicyGrant

ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, CodeSource, Principals, InitiatorGUID, PermissionAction, PermissionTarget, PermissionClass, PermissionScope

 

PolicyRevoke

ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, CodeSource, Principals, InitiatorGUID, PermissionAction, PermissionTarget, PermissionClass, PermissionScope

     

RoleManagement

RoleMembershipAdd

ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, CodeSource, Principals, InitiatorGUID, ApplicationRole, EnterpriseRoles, PermissionScope

 

RoleMembershipRemove

ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, CodeSource, Principals, InitiatorGUID, ApplicationRole, EnterpriseRoles, PermissionScope


Table C-3 Identity Directory Service Events

Event Category Event Type Attributes used by Event

UserSession

Authentication

Initiator, EventType, EventStatus, MessageText, ApplicationName, AuditService:TransactionId, ContextFields, ECID, EventCategory, FailureCode, MajorVersion, MinorVersion, RID, RemoteIP, Resource, Roles, SessionId, Target, ThreadId, AuthenticationMethod

     

DataAccess

CreateDataItem

Initiator, EventType, EventStatus, MessageText, ApplicationName, AuditService:TransactionId, ContextFields, ECID, EventCategory, FailureCode, MajorVersion, MinorVersion, RID, RemoteIP, Resource, Roles, SessionId, Target, ThreadId, AuthenticationMethod

 

DeleteDataItem

Initiator, EventType, EventStatus, MessageText, ApplicationName, AuditService:TransactionId, ContextFields, ECID, EventCategory, FailureCode, MajorVersion, MinorVersion, RID, RemoteIP, Resource, Roles, SessionId, Target, ThreadId, AuthenticationMethod

 

ModifyDataItemAttributes

Initiator, EventType, EventStatus, MessageText, ApplicationName, AuditService:TransactionId, ContextFields, ECID, EventCategory, FailureCode, MajorVersion, MinorVersion, RID, RemoteIP, Resource, Roles, SessionId, Target, ThreadId, AuthenticationMethod


Table C-4 Identity Virtualization Library Events

Event Category Eventy Type Attributes used by Event

LDAPEntryAccess

Add

Initiator, EventType, EventStatus, MessageText, ApplicationName, AuditService:TransactionId, ContextFields, ECID, EventCategory, FailureCode, MajorVersion, MinorVersion, RID, RemoteIP, Resource Roles, SessionId, Target, ThreadId, AuthenticationMethod

 

Delete

Initiator, EventType, EventStatus, MessageText, ApplicationName, AuditService:TransactionId, ContextFields, ECID, EventCategory, FailureCode, MajorVersion, MinorVersion, RID, RemoteIP, Resource, Roles, SessionId, Target, ThreadId, AuthenticationMethod

 

Modify

Initiator, EventType, EventStatus, MessageText, ApplicationName, AuditService:TransactionId, ContextFields, ECID, EventCategory, FailureCode, MajorVersion, MinorVersion, RID, RemoteIP, Resource, Roles, SessionId, Target, ThreadId, AuthenticationMethod

 

Rename

Initiator, EventType, EventStatus, MessageText, ApplicationName, AuditService:TransactionId, ContextFields, ECID, EventCategory, FailureCode, MajorVersion, MinorVersion, RID, RemoteIP, Resource, Roles, SessionId, Target, ThreadId, AuthenticationMethod

     

UserSession

UserLogin.FAILURESONLY

Initiator, EventType, EventStatus, MessageText, ApplicationName, AuditService:TransactionId, ContextFields, ECID, EventCategory, FailureCode, MajorVersion, MinorVersion, RID, RemoteIP, Resource, Roles, SessionId, Target, ThreadId, AuthenticationMethod

     

DataAccess

QueryDataItemAttributes

Initiator, EventType, EventStatus, MessageText, ApplicationName, AuditService:TransactionId, ContextFields, ECID, EventCategory, FailureCode, MajorVersion, MinorVersion, RID, RemoteIP, Resourc,e Roles, SessionId, Target, ThreadId, AuthenticationMethod

 

ModifyDataItemAttributes

Initiator, EventType, EventStatus, MessageText, ApplicationName, AuditService:TransactionId, ContextFields, ECID, EventCategory, FailureCode, MajorVersion, MinorVersion, RID, RemoteIP, Resource, Roles, SessionId, Target, ThreadId, AuthenticationMethod


C.1.3 OPSS Event Attribute Descriptions

Table C-5 lists all attributes for OPSS audited events. Use this table to learn about the attributes used in the event of interest.

Table C-5 Attributes of OPSS Audit Events

Namespace Attribute Name Description

common

ApplicationName

The Java EE application name.

 

AuditUser

Identifies the user name of the user who is running the application.

 

ComponentData

Where component-specific data are stored when there is no component-specific table in the schema.

 

ComponentName

The name of this component.

 

ComponentType

Type of the component.

 

ContextFields

This attribute contains the context fields extracted from the dms context.

 

DomainName

The WebLogic Server or IBM WebSphere Domain.

 

EventCategory

The category of the audit event.

 

EventStatus

The outcome of the audit event - success or failure.

 

EventType

The type of the audit event. Use the wlst listAuditEvents command to list out all the events.

 

FailureCode

The error code in case EventStatus = failure

 

HomeInstance

The ORACLE_INSTANCE directory of the component.

 

HostId

DNS hostname of originating host.

 

HostNwaddr

The IP or other network address of originating host.

 

Initiator

Identifies the UID of the user who is doing the operation.

 

InstanceId

The name of the Oracle instance to which this component belongs.

 

MajorVersion

The major version of a component.

 

MessageText

Description of the audit event.

 

MinorVersion

The minor version of a component.

 

ModuleId

The ID of the module that originated the message. Interpretation is unique within Component ID.

 

OracleHome

The ORACLE_HOME directory of the component.

 

ProcessId

The ID of the process that originated the message.

 

RemoteIP

The IP address of the client initiating this event.

 

Resource

Identifies a resource that is being accessed. A resource can be many things - web page, file, directory share, web service, XML document, a portlet. The resource can be named as a combination of a host name, and a URI.

 

RID

This is the relationship identifier; it is used to provide the full and correct calling relationships between threads and processes.

 

Roles

The roles that the user was granted at the time of login.

 

SessionId

The ID of the login session.

 

Target

Identifies the UID of the user on whom the operation is being done. For example, if Alice changes Bob's password, then Alice is the initiator and Bob is the target.

 

TargetComponentType

The target component type.

 

TstzOriginating

Date and time when the audit event was generated.

 

ThreadId

The ID of the thread that generated this event.

 

TenantId

The tenant ID.

 

TransactionId

The transaction ID.

 

UserTenantId

The user tenant ID.

     

AuditService

TransactionId

The transaction ID.

     

UserSession

AuthenticationMethod

The Authentication method, namely password, SSL, Kerberos and so on.


See Also:

Section 13.4.2 for details about attribute groups and attributes.

C.2 Pre-built Audit Reports

Oracle Fusion Middleware Audit Framework provides a range of out-of-the-box reports for system components that are accessible through Oracle Business Intelligence Publisher. This section describes how to configure audit reporting with Oracle Business Intelligence Publisher and how to view audit reports:

C.2.1 Setting up Oracle Business Intelligence Publisher for Audit Reports

When your audit data resides in a database, you can run pre-defined Oracle Business Intelligence Publisher reports and create your own reports on the data. This section contains these topics about configuring your environment for audit reports:

See Also:

Oracle Business Intelligence Publisher Enterprise documentation at:

http://www.oracle.com/technology/documentation/bi_pub.html

C.2.1.1 About Oracle Business Intelligence Publisher

Reports help auditors determine whether there are any violations with respect to various industry regulations such as HIPPA, SOX, and other regulatory compliance demands. Oracle Fusion Middleware Audit Framework is integrated with Oracle Business Intelligence Publisher for out-of-the box reports.

Pre-defined reports are available as part of the Oracle Fusion Middleware Audit Framework. These reports are integrated with Oracle Business Intelligence Publisher to work in conjunction with the audit data in the audit store.

Oracle Fusion Middleware Audit Framework ships with over twenty pre-built reports in 12c (12.1.2). For convenience, the reports are grouped in Oracle Business Intelligence Publisher according to functional areas and by component.

The functional areas consists of the following:

  • Error and Exception reports like authentication and authorization failures

  • User Activities including transaction history and authorization history

  • Operational reports including created, deleted, and locked-out users

  • Audit Service Events

As the name implies, the component-specific reports are grouped based on the components themselves, for example, Oracle HTTP Server reports.

Other features of Oracle Business Intelligence Publisher include:

  • Flexible Report Displays

    You can view reports online, change report parameters, change output types (pdf, html, rtf, excel and others), modify the appearance of reports, export to the desired format, and send to an E-mail address, fax or other destination.

  • Report Filters

    You can filter audit records to be included in the report using a range of options including the ability to modify the SQL used to extract records from the audit repository.

  • Scheduling Reports

    You can schedule reports to be run based on a range of criteria such as filters, templates, formats, locale, viewing restrictions and so on.

    See Also:

    For more information about scheduling features, see the Oracle Business Intelligence Publisher Enterprise documentation at:

    http://www.oracle.com/technology/documentation/bi_pub.html

  • Custom Reporting

    You can design your own reports and specify the data model, layout, parameters, bursting (for example, you can enable delivery based on delivery preference).

See Also:

All the auditing reports available in Oracle Business Intelligence Publisher provide these report filtering and formatting options:

  • View - View the report using the current parameters.

  • Schedule - Set up a schedule for the report along with job parameters and data filters.

  • History - View history.

  • Edit - Modify the query and parameter display formats.

  • Configure - Set up runtime configuration controls.

  • Export - Export to a file.

C.2.1.2 Install Oracle Business Intelligence Publisher

If you already have Oracle Business Intelligence Publisher 10.1.3.4 or later installed at your site, you can skip this section and go to Section C.2.1.3.

If you need to install Oracle Business Intelligence Publisher, follow the instructions provided with the Oracle Business Intelligence Publisher Companion CD.

See Also:

Oracle Business Intelligence Publisher Enterprise documentation at:

http://www.oracle.com/technology/documentation/bi_pub.html

C.2.1.3 Set Up Oracle Reports in Oracle Business Intelligence Publisher

In this section you configure Oracle Business Intelligence Publisher to work with the audit datasource.

Note:

11g Release 1 (11.1.1.4.0) PS3 reports can work only with an 11g Release 1 (11.1.1.4.0) PS3 schema; they cannot work with an earlier schema such as 12c (12.1.2).

Details about upgrading schemas with the Patch Set Assistant are available in the Oracle Fusion Middleware Patching Guide.

Take these steps to set up Oracle Business Intelligence Publisher for use with audit reports:

  1. Navigate to the Reports folder in your Oracle Business Intelligence Publisher installation. By default, the Reports folder is at %BIP_HOME%\XMLP\Reports.

  2. Unjar the AuditReportTemplates.jar into your Reports folder. You should see a new folder called Oracle_Fusion_Middleware_Audit. You can find AuditReportTemplates.jar at:

    $MW_ORA_HOME/oracle_common/modules/oracle.iau_12.1.2/reports/
    AuditReportTemplates.jar
    
    
  3. Set up the data source for audit repository as follows:

    • Navigate to the Admin tab.

    • If you deployed on Oracle WebLogic Server in Step 1, set up JNDI as follows:

      • Click JNDI Connection.

      • Click Add DataSource.

      • Specify the DataSource details:

        Name the Data Source Audit.

        Note:

        The reports refer to the audit data source, so the naming convention is important.

        JNDI Name - 'jdbc/AuditDB'

      • Test for a successful connection. If the connection is not successful, check the values you entered.

      • Press Apply to save your changes.

    • If you deployed on Oracle Containers for Java EE in Step 1, set up JNDI as follows:

      • Click JDBC Connection.

      • Click Add DataSource.

      • Specify the DataSource details:

        Name the Data Source Audit.

        Note:

        The reports refer to the audit data source, so the naming convention is important.

        Enter the details for the URL, username, and password for the audit schema. (Note: The username and password consist of a prefix plus the audit schema name, which is IAU_VIEWER. For example, dev_iau_viewer or test_iau_viewer.)

      • Test for a successful connection. If the connection is not successful, check the values you entered.

      • Press Apply to save your changes.

C.2.1.4 Set Up Audit Report Templates

You can use the standard audit reports in their default formats out-of-the-box. However, if you wish to customize the appearance and other related aspects of the reports, you do so by setting up audit report templates.

From a report's Edit dialog, you can click the Layout option in the left panel to control layouts and output formats. Using this feature, you can:

  • Customize the report template and design your own layout; for example you can rearrange fields and highlight selected field labels.

  • Restrict the formats to which the report output is generated - by default, a large number of output formats are available including HTML, PDF, Excel spreadsheet, RTF, and others.

See Also:

Oracle Business Intelligence Publisher User's Guide.

C.2.1.5 Set Up Audit Report Filters

You can use the standard audit reports in their default formats out-of-the-box. However, if you wish to customize the scope of data and other related aspects of the reports, you do so by setting up audit report filters.

Oracle Business Intelligence Publisher provides both basic and advanced filtering options for your audit reports.

See Also:

Oracle Business Intelligence Publisher User's Guide.

Basic Filters

Clicking on the report's Schedule button brings up a page which you can use to schedule and administer the report.

In the Report Parameters area you can provide high-level filters to restrict the report:

  • Date Filters

    • show only recent audit records such as last hour or last week.

    • show records generated within a specified starting and ending dates.

    • limit number of records returned.

  • Selected Report Fields

    For example, the Authentication Failures report can be filtered by:

    • Username

    • Component Type

    • Component Name

    • Application Name

    • Domain Name

Advanced Filters

Clicking on the report's Edit button brings up a page at which you can specify more detailed report filters and properties. This page consists of two panels. The left panel lets you select what element of the report is to be modified through these options. For each element you select, the right panel displays the corresponding information.

  • Data Model - This contains the SQL query that fetches the raw data for the report. The query can be modified according to your needs.

  • List of Values - Shows all the report columns. Selecting on a column displays the underlying SQL query that filters data for the attribute. You can modify the query as needed; for example you can specify more restrictive filter values.

  • Parameters - Shows all the report columns, and lets you select any column to modify display settings for that column. For example, you can specify a date display format for timestamp fields.

  • Layouts and output formats - This feature is described in Section C.2.1.6.

C.2.1.6 Configure Scheduler in Oracle Business Intelligence Publisher

Clicking on the report's Schedule button brings up a page which you can use to schedule and administer the report. Information you can specify on this page includes:

Note:

This feature assumes that the Oracle Business Intelligence Publisher repository is already configured.

  • Report Parameters - filters to restrict the data included in the report, for example records for the last hour only.

    See Also:

    Section C.2.1.5

  • Job Properties - the job name, formatting locale and time zone, and so on.

  • Notification - one or more users to be notified by E-mail when the job completes or fails.

  • Time - report scheduling options; the report can be scheduled to run periodically or on a one-time basis.

  • Delivery - deliver the report to one or more users.

C.2.2 Organization of Audit Reports

Oracle Fusion Middleware Audit Framework ships with a set of pre-defined reports that are designed to work, out-of-the-box, with Oracle Fusion Middleware components. These reports are organized into two main categories:

  • Common Reports

    These reports capture common events such as authentication success and failures, account-related status (lockout, disabled, and so on). Many components have implemented audit capability for these common events. The common reports are located under the Common Reports subfolder of the Audit Reports, and all audit-enabled events from across the components are captured in these reports.

    For example, "Authentication History" displays authentication history across all the components where authentication events are being captured.

    You can use these reports to examine audit records for a specific area across components or to examine the audit records of a single user across multiple components for that specific area.

  • Component-specific Reports

    These reports focus on individual components. They are needed because not all audit events may be relevant to each component. The Component Specific folder serves two purposes. First, it identifies the valid reports among the Common Reports that are relevant to the component and show only the audit records for that component. Secondly, for some components, component-specific reports have been defined to suit the specific needs of that component. While audit records themselves are generic for all the components, the representation of an audit record may have component-specific requirements. For example, an access policy may need to be shown in a format to be useful.

    For example, you can locate the Authentication History report in the Common folder, where it displays authentication events for all components. You can also find the same report under a component-specific folder, where it displays authentication events for that component only.

  • There is also a generic report at the top level called "All Events", which shows all the events across all audit-enabled components. The "All Events" report is also available in each component-specific folder, to show all the events for individual components.

    This report can be used to query audit data.

C.2.3 View Audit Reports

This section explains how to view audit reports using Oracle Business Intelligence Publisher.

Take these steps to view an audit report:

  1. Log in to Oracle Business Intelligence Publisher using a URL of the form:

    http://host.domain.com:port/xmlpserver/

  2. On the main page, click Oracle Fusion Middleware Audit under Shared Folders.

  3. The audit reports are organized into:

    • reports that are common to multiple components; these are further organized by report types.

    • reports that are specific to a component; these are further organized by component.

    See Also:

    Table C-6 for a description of the standard reports.

  4. Navigate to the report of interest; for example, you can click on the Common Reports folder, then Errors and Exceptions, then click on All Errors and Exceptions.

    The report is displayed.

  5. The report display page contains these major areas:

    • Filters at the top of the page enable you to determine the type, scope, and number of records to include in the report. These filters include:

      • User

      • Start and End Dates

      • Last n time period

      • Component type and name

      • Application Name

      • Domain Name

      Use relevant filters to limit the report to the desired records.

      Note:

      Initially, the report is displayed with default filter values that you can modify.

    • Format control buttons enable you to determine:

      • the template type, which can be:

           HTML - This is the default display format.

           PDF - Displays a printable PDF view.

           Data - Displays an unformatted XML data set.

        To change the template type while viewing a report, select the type from the drop-down list and click View.

      • output format

      • delivery options

    • The report record display area. The appearance and number of columns depend on previously selected options and filters.

      Each column header also acts as a sort option.

  6. View, save or export the report as desired.

C.2.4 Example of Oracle Business Intelligence Publisher Reports

This section uses a common scenario to demonstrate how Oracle Business Intelligence Publisher reports are used to view audit data generated by Oracle Platform Security Services events.

In this example, some activity is generated on the credential store for an Oracle WebLogic Server domain. We then use Oracle Business Intelligence Publisher to take a look at the relevant report to see the audit records. Subsequently, a few other reports are examined.

  1. As the system administrator, locate the domain whose credentials are to be managed.

  2. Use the relevant commands to generate some credential management records; for example, create and delete some user credentials.

    See Also:

    Chapter 11, "Managing the Credential Store" for details about credential management.

  3. Log in to Oracle Business Intelligence Publisher using a URL of the form:

    http://host.domain.com:port/xmlpserver/

  4. Under the Reports tab, click on Shared Folders, and select Fusion Middleware Audit.

  5. On the main page, click Fusion Middleware Audit under Shared Folders.

  6. The audit report menu appears. Audit reports are organized in various folders by type.

  7. To view audit records for Oracle Platform Security Services, for example, navigate to the Component Specific folder, then Oracle Platform Security Services.

  8. The Oracle Platform Security Services folder contains several reports. Click All Events.

    The report shows activity in a default time range. Modify the time range to show only the day's events.

    The activity performed on that day appears on the page.

    Surrounding text describes audjpsrpt1.gif.

    Observe the different regions of the report and their functions: report filters, format control, scheduling, and the data display itself.

  9. In each report, the last data column is a Detail column. Click on a detail to view all the attributes of the specific audit record.

    Surrounding text describes audjpsrpt2.gif.
  10. Return to the main folder to view some other reports of interest. For example, in the Common Reports folder, navigate to the Account Management folder, and click Account Profile History.

    The Account Profile History report appears.

    Surrounding text describes audjpsrpt3.gif.
  11. Click on the Event Details for an event of interest:

    Surrounding text describes audjpsrpt4.gif.
  12. Finally, return to the Common Reports folder and select Errors and Exceptions. Select the All Errors and Exceptions report.

  13. A number of records are displayed. To narrow the report to records of interest, use the Event drop-down to select checkPermission events.

    One row is returned showing an authorization check failure:

    Surrounding text describes audcmnrpt1.gif.
  14. Click Details to obtain more information:

    Surrounding text describes audcmnrpt2.gif.

C.2.5 Audit Report Details

This section provides detailed reference information about the standard (pre-built) audit report.

The standard audit reports are grouped as follows:

  1. The All Events report

    This report contains all audit records generated in a pre-defined interval.

  2. Common Reports

    These are reports that contain audit records across multiple components.

  3. Component-Specific Reports

    Each report is dedicated to a specific component.

Common Reports

Common reports are organized as follows:

  • Account Management

    • Account Profile History

    • Accounts Deleted

    • Accounts Enabled

    • Accounts Disabled

    • Accounts Created

    • Accounts Locked Out

    • Password Changes

    • dashboard

  • User Activities

    • Authentication History

    • Multiple Logins from Same IP

    • Authorization History

    • Event Details

    • Related Audit Events

    • Dashboard

  • Errors and Exceptions

    • All Errors and Exceptions

    • Authorization Failures

    • Authentication Failures

    • Dashboard

Important:

Run the Event Details report only against an 11g Release 1 (11.1.1.4.0) PS3 (patch set 3) schema.

C.2.5.1 List of Audit Reports in Oracle Business Intelligence Publisher

Table C-6 provides a brief description of each audit report in Oracle Business Intelligence Publisher.

Note:

The folder path shown in the column titled "Located in Folder" is relative to the Oracle Fusion Middleware Audit folder. To get to this folder, log in to Oracle Business Intelligence Publisher, and navigate to Shared Folders, then Oracle Fusion Middleware Audit.

Table C-6 List of Audit Reports

Report Description Located in Folder

Accounts Created

shows accounts created in various components.

Common Reports, then Account Management. Also in Component Specific folders.

Accounts Deleted

shows accounts deleted in various components.

Common Reports, then Account Management. Also in Component Specific folders.

Accounts Disabled

shows accounts disabled in various components.

Common Reports, then Account Management. Also in Component Specific folders.

Accounts Enabled

shows accounts enabled in various components.

Common Reports, then Account Management. Also in Component Specific folders.

Accounts Locked Out

shows accounts locked out due to excessive authentication failures.

Common Reports, then Account Management. Also in Component Specific folders.

Account Profile History

shows profile changes in accounts, such as change in address and password changes.

Common Reports, then Account Management. Also in Component Specific folders.

All Errors and Exceptions

captures all errors and exceptions across components.

Common Reports, then Errors and Exceptions. Also in Component Specific folders.

All Events

displays all audit events.

Oracle Fusion Middleware Audit. Also in Component Specific folders.

Application Policy Management

displays application level policy management.

Component Specific, then Oracle Platform Security Services.

Application Role Management

shows application role to enterprise role mappings.

Component Specific, then Oracle Platform Security Services.

Assertion Activity

shows assertion activity in Oracle Identity Federation.

Component Specific, then Oracle Identity Federation.

Assertion Template Management

lists assertion template management operations in Oracle Web Services Manager.

Component Specific, then Oracle Web Services Manager, then Policy Management.

Authentication Failures

shows authentication errors and exceptions; can be cross-component or specific to a component.

Common Reports, then Errors and Exceptions. Also in Component Specific folders.

Authentication History

lists authentications across all components.

Common Reports, then User Activities. Also in Component Specific folders.

Authorization Failures

captures authorization failures.

Common Reports, then Errors and Exceptions. Also in Component Specific folders.

Authorization History

shows authorizations across all components.

Common Reports, then User Activities. Also in Component Specific folders.

Confidentiality Enforcements

lists enforcements related to confidentiality in Oracle Web Services Manager.

Component Specific, then Oracle Web Services Manager, then Policy Enforcements.

Configuration Changes

lists configuration changes made in Fusion Middleware Audit Framework.

Component Specific, then Oracle Fusion Middleware Audit Framework.

Credential Access

displays credential accesses by users and applications in Oracle Platform Security Services.

Component Specific, then Oracle Platform Security Services.

Credential Management

displays credential management operations performed in Oracle Platform Security Services.

Component Specific, then Oracle Platform Security Services.

Federation User Activity

lists federation user activities in Oracle Identity Federation.

Component Specific, then Oracle Identity Federation.

Message Integrity Enforcements

shows enforcements related to message integrity in Oracle Web Services Manager.

Component Specific, then Oracle Web Services Manager, then Policy Enforcements.

Multiple Logins from Same IP

lists machines from where successful logins are made into different user accounts.

Common Reports, then User Activities.

Password Changes

shows password changes done in various accounts.

Common Reports, then Account Management. Also in Component Specific folders.

Policy Attachments

shows policy to web service endpoint attachments.

Component Specific, then Oracle Web Services Manager.

Policy Enforcements

lists general policy enforcements for Oracle Web Services Manager.

Component Specific, then Oracle Web Services Manager, then Policy Enforcements.

Profile Management Events

shows changes to Directory Integration Platform's profiles.

Component Specific, then Directory Integration Platform.

Request Response

shows requests sent and responses received from web services.

Component Specific, then Oracle Web Services Manager.

System Policy Management

displays system level policy management operations

Component Specific, then Oracle Platform Security Services.

Violations

shows enforcement violations.

Component Specific, then Oracle Web Services Manager, then Policy Enforcements.

Web Services Policy Management

shows policy management operations.

Component Specific, then Oracle Web Services Manager, then Policy Management.


C.2.5.2 Attributes of Audit Reports in Oracle Business Intelligence Publisher

Table C-7 lists the attributes that appear in the various audit reports. When viewing a report, you can use this table to learn more about the attributes that appear in the report.

Note the following:

  • Not all attributes appear in each report.

  • The user or users attribute, which appears in each report, can mean different things in different reports; see Table C-6 for an explanation of this attribute.

  • Not all the attributes are displayed in Oracle Business Intelligence Publisher audit reports. If you wish to include some additional attributes in your custom reports, see Appendix C, "Oracle Fusion Middleware Audit Framework Reference".

Table C-7 Attributes of Audit Reports

Attribute Description

Activity

The type of action, either user- or system-initiated.

Application Name

The complete application path and name.

Application Server Instance

The instance of the application server in use.

Attempted

The action that was attempted, for example, a single sign-on attempted by the user.

Component Name

The name of the component instance.

Component Type

The type of component, for example Oracle Identity Federation.

Domain Name

Oracle WebLogic Server domain name.

ECID

The execution context ID.

Event Type

The type of event that occurred, for example, account creation.

Initiator

The user who initiated the event.

Internet Protocol Address, IP Address

The IP address of the user's machine from which the action was initiated.

Message Text

The text of the message; a description of the event.

Policy Name

The name of the policy involved in the action.

Time Range

The time range which allows you to limit your data set to a specific time interval, for example, the last 24 hours.

Timestamp

The date and time of the event.

Transaction ID

The transaction identifier.


C.3 Customizing Audit Reports

This section discusses advanced report generation and creation options:

C.3.1 Using Advanced Filters on Pre-built Reports

Clicking on the report's Edit button brings up a page at which you can specify more detailed report filters and properties. This page consists of two panels. The left panel lets you select what element of the report is to be modified through these options. For each element you select, the right panel displays the corresponding information.

  • Data Model - This contains the SQL query that fetches the raw data for the report. The query can be modified according to your needs.

  • List of Values - Shows all the report columns. Selecting on a column displays the underlying SQL query that filters data for the attribute. You can modify the query as needed; for example you can specify more restrictive filter values.

  • Parameters - Shows all the report columns, and lets you select any column to modify display settings for that column. For example, you can specify a date display format for timestamp fields.

  • Layouts and output formats - This feature is described in the following section.

C.3.2 Creating Custom Reports

Oracle Business Intelligence Publisher provides a complete set of capabilities for designing and creating custom reports.

See Also:

Here is a simple example illustrating the basic steps to customize an existing audit report with Oracle Business Intelligence Publisher.

  1. Log in to Oracle Business Intelligence Publisher as administrator.

    Surrounding text describes biplogin.gif.
  2. Navigate to the Oracle Fusion Middleware Audit folder.

    Surrounding text describes bipnav.gif.
  3. Create a folder to maintain your custom reports. Under Folder and Event Tasks, click New Folder.

    Enter a folder name.

    Surrounding text describes bipnewfolder.gif.
  4. The new folder, Custom BI Reports, appears on the main audit reports folder.

    Surrounding text describes bipnewmenu.gif.
  5. Select an existing report that will be a starting point to create a custom report, by clicking the icon to the left of the report. In this example the All Events report is selected:

    Surrounding text describes bipcopyreq.gif.

    Click Copy this report.

  6. This action copies the report to the clipboard. To send it to the new folder:

    • Select the Custom BI Reports folder.

    • Under Folder and Report Tasks, click Paste from clipboard.

    • A dialog box appears requesting confirmation. Click Yes.

      Surrounding text describes bipconfcopy.gif.

      The report is now moved from the clipboard to the custom folder:

      Surrounding text describes biprptpasted.gif.
    • Provide a descriptive name for the new report by selecting the icon to the left of the report, and clicking Rename this report.

      Surrounding text describes biprename.gif.
  7. Now you are ready to customize the report. Click Edit from the menu choices under the report title.

  8. The Edit page appears.

    Surrounding text describes bipeditpage.gif.

    Two panels are displayed; on the main panel titled General Settings, you can control basic features like the report title and runtime controls. To the left of the main panel, a second panel displays two sets of information that you can use to create relevant content for your report:

    • List of Values shows the fields that are being used currently in the report. When you click on a field, the main panel automatically displays the name and the SQL query used to select the values to include for that field.

    • Parameters shows the available parameters from which you can choose the ones to include in the report. Notice that a subset of the parameters is already in the report; for example, userid (which is the initiator of the audit event) provides the Users data, while timeRange provides the Time Range data.

    The palette of choices on the left panel is context-sensitive and provides information to help you build the report.

  9. You can use the Query Builder to customize the data to include in your report. For example, to include only login events for a component, you can:

    • Select ComponentName from the list of values and click Query Builder.

      Surrounding text describes bipcname.gif.
    • A table appears listing the available components. Select the component, say JPS. A second table appears showing the component event fields:

      Surrounding text describes bipqb1.gif.
    • In the JPS table select IAU_EVENTTYPE.

      Surrounding text describes bipqb2.gif.
    • Click Conditions, enter the condition login and click Save.

      Surrounding text describes bipqb3.gif.
  10. The condition is now included in the report. Be sure to click Save again on the upper left corner to commit your changes to the report definition.

    Surrounding text describes bipqb4.gif.
  11. You can now return to the report in the Custom BI Reports folder and view the data.

C.4 The Audit Schema

If you have additional audit reporting requirements beyond the pre-built reports described in Section C.2, "Pre-built Audit Reports", you can create custom reports using your choice of reporting tools. For example, while the pre-built reports use a subset of the event attributes, you can make use of the entire audit attribute set for an event in creating custom reports.

Table C-8 and Table C-9 describe the audit schema, which is useful when building custom reports.

Table C-8 The Audit Schema

Table Name Column Name Data Type Nullable Column ID

BASE TABLE

IAU_ID

NUMBER

Yes

1

 

IAU_ORGID

VARCHAR2(255 Bytes)

Yes

2

 

IAU_COMPONENTID

VARCHAR2(255 Bytes)

Yes

3

 

IAU_COMPONENTTYPE

VARCHAR2(255 Bytes)

Yes

4

 

IAU_INSTANCEID

VARCHAR2(255 Bytes)

Yes

5

 

IAU_HOSTINGCLIENTID

VARCHAR2(255 Bytes)

Yes

6

 

IAU_HOSTID

VARCHAR2(255 Bytes)

Yes

7

 

IAU_HOSTNWADDR

VARCHAR2(255 Bytes)

Yes

8

 

IAU_MODULEID

VARCHAR2(255 Bytes)

Yes

9

 

IAU_PROCESSID

VARCHAR2(255 Bytes)

Yes

10

 

IAU_ORACLEHOME

VARCHAR2(255 Bytes)

Yes

11

 

IAU_HOMEINSTANCE

VARCHAR2(255 Bytes)

Yes

12

 

IAU_UPSTREAMCOMPONENTID

VARCHAR2(255 Bytes)

Yes

13

 

IAU_DOWNSTREAMCOMPONENTID

VARCHAR2(255 Bytes)

Yes

14

 

IAU_ECID

VARCHAR2(255 Bytes)

Yes

15

 

IAU_RID

VARCHAR2(255 Bytes)

Yes

16

 

IAU_CONTEXTFIELDS

VARCHAR2(2000 Bytes)

Yes

17

 

IAU_SESSIONID

VARCHAR2(255 Bytes)

Yes

18

 

IAU_SECONDARYSESSIONID

VARCHAR2(255 Bytes)

Yes

19

 

IAU_APPLICATIONNAME

VARCHAR2(255 Bytes)

Yes

20

 

IAU_TARGETCOMPONENTTYPE

VARCHAR2(255 Bytes)

Yes

21

 

IAU_EVENTTYPE

VARCHAR2(255 Bytes)

Yes

22

 

IAU_EVENTCATEGORY

VARCHAR2(255 Bytes)

Yes

23

 

IAU_EVENTSTATUS

NUMBER

Yes

24

 

IAU_TSTZORIGINATING

TIMESTAMP(6)

Yes

25

 

IAU_THREADID

VARCHAR2(255 Bytes)

Yes

26

 

IAU_COMPONENTNAME

VARCHAR2(255 Bytes)

Yes

27

 

IAU_INITIATOR

VARCHAR2(255 Bytes)

Yes

28

 

IAU_MESSAGETEXT

VARCHAR2(255 Bytes)

Yes

29

 

IAU_FAILURECODE

VARCHAR2(255 Bytes)

Yes

30

 

IAU_REMOTEIP

VARCHAR2(255 Bytes)

Yes

31

 

IAU_TARGET

VARCHAR2(255 Bytes)

Yes

32

 

IAU_RESOURCE

VARCHAR2(255 Bytes)

Yes

33

 

IAU_ROLES

VARCHAR2(255 Bytes)

Yes

34

 

IAU_AUTHENTICATIONMETHOD

VARCHAR2(255 Bytes)

Yes

35

 

IAU_TRANSACTIONID

VARCHAR2(255 Bytes)

Yes

36

 

IAU_DOMAINNAME

VARCHAR2(255 Bytes)

Yes

37

 

IAU_COMPONENTDATA

clob

yes

38

         

DIP

IAU_ID

NUMBER

Yes

1

 

IAU_TSTZORIGINATING

TIMESTAMP(6)

Yes

2

 

IAU_EVENTTYPE

VARCHAR2(255 Bytes)

Yes

3

 

IAU_EVENTCATEGORY

VARCHAR2(255 Bytes)

Yes

4

 

IAU_ASSOCIATEPROFILENAME

VARCHAR2(512 Bytes)

Yes

5

 

IAU_PROFILENAME

VARCHAR2(512 Bytes)

Yes

6

 

IAU_ENTRYDN

VARCHAR2(1024 Bytes)

Yes

7

 

IAU_PROVEVENT

VARCHAR2(2048 Bytes)

Yes

8

 

IAU_JOBNAME

VARCHAR2(128 Bytes)

Yes

9

 

IAU_JOBTYPE

VARCHAR2(128 Bytes)

Yes

10

         

IAU_DISP_NAME_TL

IAU_LOCALE_STR

VARCHAR2(7 Bytes)

 

1

 

IAU_DISP_NAME_KEY

VARCHAR2(255 Bytes)

 

2

 

IAU_COMPONENT_TYPE

VARCHAR2(255 Bytes)

 

3

 

IAU_DISP_NAME_KEY_TYPE

VARCHAR2(255 Bytes)

 

4

 

IAU_DISP_NAME_TRANS

VARCHAR2(4000 Bytes)

Yes

5

         

IAU_LOCALE_MAP_TL

IAU_LOC_LANG

VARCHAR2(2 Bytes)

Yes

1

 

IAU_LOC_CNTRY

VARCHAR2(3 Bytes)

Yes

2

 

IAU_LOC_STR

VARCHAR2(7 Bytes)

Yes

3


Table C-9 shows additional tables in the audit schema; these tables support the dynamic metadata model.

Table C-9 Additional Audit Schema Tables

Table Name Column Name Data Type

IAU_COMMON

IAU_ID

NUMBER

 

IAU_OrgId

VARCHAR(255)

 

IAU_ComponentId

VARCHAR(255)

 

IAU_ComponentType

VARCHAR(255)

 

IAU_MajorVersion

VARCHAR(255)

 

IAU_MinorVersion

VARCHAR(255)

 

IAU_InstanceId

VARCHAR(255)

 

IAU_HostingClientId

VARCHAR(255)

 

IAU_HostId

VARCHAR(255)

 

IAU_HostNwaddr

VARCHAR(255)

 

IAU_ModuleId

VARCHAR(255)

 

IAU_ProcessId

VARCHAR(255)

 

IAU_OracleHome

VARCHAR(255)

 

IAU_HomeInstance

VARCHAR(255)

 

IAU_UpstreamComponentId

VARCHAR(255)

 

IAU_DownstreamComponentId

VARCHAR(255)

 

IAU_ECID

VARCHAR(255)

 

IAU_RID

VARCHAR(255

 

IAU_ContextFields

VARCHAR(2000)

 

IAU_SessionId

VARCHAR(255)

 

IAU_SecondarySessionId

VARCHAR(255)

 

IAU_ApplicationName

VARCHAR(255)

 

IAU_TargetComponentType

VARCHAR(255)

 

IAU_EventType

VARCHAR(255)

 

IAU_EventCategory

VARCHAR(255)

 

IAU_EventStatus

NUMBER

 

IAU_TstzOriginating

TIMESTAMP

 

IAU_ThreadId

VARCHAR(255)

 

IAU_ComponentName

VARCHAR(255)

 

IAU_Initiator

VARCHAR(255)

 

IAU_MessageText

VARCHAR(2000)

 

IAU_FailureCode

VARCHAR(255)

 

IAU_RemoteIP

VARCHAR(255)

 

IAU_Target

VARCHAR(255)

 

IAU_Resource

VARCHAR(255)

 

IAU_Roles

VARCHAR(255)

 

IAU_AuthenticationMethod

VARCHAR(255)

 

IAU_TransactionId

VARCHAR(255)

 

IAU_DomainName

VARCHAR(255)

 

IAU_ComponentVersion

VARCHAR(255)

 

IAU_ComponentData

CLOB

     

IAU_CUSTOM

IAU_ID

NUMBER

 

IAU_BOOLEAN_001
through
IAU_BOOLEAN_050

NUMBER

 

IAU_INT_001
through
IAU_INT_050

NUMBER

 

IAU_LONG_001
through
IAU_LONG_050

NUMBER

 

IAU_FLOAT_001
through
IAU_FLOAT_050

NUMBER

 

IAU_DOUBLE_001
through
IAU_DOUBLE_050

NUMBER

 

IAU_STRING_001
through
IAU_STRING_100

VARCHAR(2048)

 

IAU_DATETIME_001
through
IAU_DATETIME_050

TIMESTAMP

 

IAU_LONGSTRING_001
through
IAU_LONGSTRING_050

CLOB

 

IAU_BINARY_001
through
IAU_BINARY_050

BLOB

     

IAU_AuditService

IAU_ID

NUMBER

 

IAU_TransactionId

VARCHAR(255)

     

IAU_USERSESSION

IAU_ID

NUMBER

 

IAU_AuthenticationMethod

VARCHAR(255)


C.5 WLST Commands for Auditing

Oracle WebLogic Server scripts are used at the command line to administer various features. WLST is the command-line utility for administration of Oracle Fusion Middleware components and applications in the Oracle WebLogic Server environment. It provides another option for administration in addition to Oracle Enterprise Manager Fusion Middleware Control.

For details about the WLST commands to view and manage audit policies and the audit store configuration, see "Audit Configuration Commands" in the Oracle Fusion Middleware Infrastructure Security WLST Command Reference.

Note:

When running audit commands, you must invoke the WLST script from the Oracle Common home. See "Using Custom WLST Commands" in the Oracle Fusion Middleware Administrator's Guide for more information.

C.6 Audit Filter Expression Syntax

When you select a custom audit policy, you have the option of specifying a filter expression along with an event.

For example, you can use the following expression:

Host Id -eq "myhost123"

to enable the audit event for a particular host only.


You enter this expression either through the Fusion Middleware Control Edit Filter Dialog or through the setAuditPolicy command.

There are some syntax rules you should follow when creating a filter expression.

The expression can either be a Boolean expression or a literal.

<Expr> ::= <BooleanExpression> | <BooleanLiteral>

A boolean expression can use combinations of RelationalExpression with –and, -or, -not and parenthesis. For example, (Host Id -eq "stadl17" -or ").

<BooleanExpression> ::=  <RelationalExpression>
   | ”(” <BooleanExpression> ”)”
   | <BooleanExpression> ”-and” <BooleanExpression>
   | <BooleanExpression> ”-or” <BooleanExpression>
   | ”-not” <BooleanExpression>

A relational expression compares an attribute name (on the left hand side) with a literal (on the right-hand side). The literal and the operator must be of the correct data type for the attribute.

<RelationalExpression> ::= <AttributeName> <RelationalOperator> <Literal>

Relational operators are particular to data types:

  • -eq, -ne can be used with all data types

  • -contains, -startswith, -endswith can be only used with strings

  • -contains_case, -startswith_case and -endswith_case are case sensitive versions of the above three functions

  • -lt, -le, -gt, -ge can be used with numeric and datetime

<RelationalOperator> : = "-eq" | "-ne" | "-lt" | "-le" | "-gt" | "-ge"
   | "-contains" | "-contains_case"
   | "-startswith" | "-startswith_case"
   | "-endswith" | "-endswith_case"

Rules for literals are as follows:

  • Boolean literals are true or false, without quotes.

  • Date time literals have to be in double quotes and can be in many different formats; "June 25, 2006", "06/26/2006 2:00 pm" are all valid.

  • String literals have to be quotes, back-slash can be used to escape an embedded double quote.

  • Numeric literals are in their usual format.

For example:

<Literal> ::=  <NumericLiteral> | <BooleanLiteral> | <DateTimeLiteral> | <StringLiteral><BooleanLiteral> ::= "true” | "false”

C.7 Naming and Logging Format of Audit Files

This section explains the rules that are used to maintain audit files.

For Java components (both Java EE and Java SE) the audit.log file contains audit records and comprises the bus-stop file.

When that file fills up (it reaches the configured maximum audit file size which is 100MB), it is renamed to audit1.log and records written to a new audit.log. When this file fills up, the audit.log file is renamed to "audit2.log" and the cycle starts with a new audit.log.

This process continues until it reaches configured maximum audit directory size (default is 0, which means unlimited size). Upon reaching the maximum directory size, the system deletes the oldest auditn.log file.

When you configure a database audit store, the audit loader reads these files and transfers the records to the database in batches. After reading a complete audit<n>.log file, it deletes the file.

Note:

The audit loader never deletes the "current" file, that is, audit.log; it only deletes archive files audit<n>.log.

System components follow the same model, except the file name is slightly different. The process ID is embedded in the file name; thus, if the process id is 11925 the current file is called audit-pid11925.log, and after rotation it is called audit-pid11925-1.log.

For applications with audit definitions in the dynamic model, the file name format is audit_major version number_minor version number.log; for example, audit_1_2.log.

Here is a sample audit.log file:

#Fields:Date Time Initiator EventType EventStatus MessageText HomeInstance ECID RID ContextFields SessionId TargetComponentType ApplicationName EventCategory ThreadId InitiatorDN TargetDN FailureCode RemoteIP Target Resource Roles CodeSource InitiatorGUID Principals PermissionAction PermissionClass mapName key
#Remark Values:ComponentType="JPS"
2008-12-08 10:46:05.492 - "CheckAuthorization" true "Oracle Platform Security Authorization Check Permission SUCCEEDED." - - - - - - - "Authorization" "48" - - "true" - - "(oracle.security.jps.service.policystore.PolicyStoreAccessPermission context=APPLICATION,name=SimpleServlet getApplicationPolicy)" - "file:/oracle/work/middleware/oracle_common/modules/oracle.jps_11.1.1/jps-internal.jar" - "[]" - - - - 

This file follows the W3C extended logging format, which is a very common log format that is used by many Web Servers e.g. Apache and IIS:

  • The first line is a "#Fields" line; it specifies all the fields in the rest of the file.

  • The second line is a comment like "#Remark" which has a comment indicating some common attributes like the ComponentType.

  • All subsequent lines are data lines; they follow the exact format defined in the "#Fields" line. All attributes are separated by spaces, mussing attributes are indicated by a dash.