This appendix provides reference information for audit reports in the Oracle Fusion Middleware Audit Framework.
Use the information in this chapter for audit record administration and to develop reports from your audit data.
This chapter contains these topics:
Note:
This appendix covers reports based on the report template model with Oracle Business Intelligence Publisher 10g. A different approach is used for audit based on the dynamic metadata model; see Chapter 15 for details.This section describes the components that are audited and the types of events that can be audited.
The Oracle Fusion Middleware Audit Framework provides the foundation for auditing by Oracle Fusion Middleware components and applications. In 12c (12.1.2), a number of Java and system components can generate audit records; they are known as audit-aware components.
Some examples of Java components that utilize the Fusion Middleware Audit Framework are:
Directory Integration Platform Server
Oracle Platform Security Services
Oracle Web Services Manager
Oracle Web Services
Reports Server
Some system components that utilize the Fusion Middleware Audit Framework are:
Oracle HTTP Server
Oracle Internet Directory
This appendix provides audit information only for events generated by Oracle Platform Security Services. For details about auditing in other components and applications, refer to the respective administration guides.
The set of tables in this section shows what event types can be audited:
This section contains the following tables:
Table C-1 System Categories and Events
| Category | Event | Description |
|---|---|---|
|
UserSession This set of events is for creating and using user sessions on the system. Common attribute for these events: AuthenticationMethod |
UserLogin User Logins |
In multi-tier applications, inner tiers often use some special user id (an end user or an administrator) to log in to the next tier. To make audit reports more meaningful, logins by these special users are considered in a separate category - Internal Logins. The User Logins/Logouts events only records actions by regular users (including administrators). |
|
UserLogout User Logouts |
An end user or administrator logs out. |
|
|
Authentication |
Authentication is very similar to UserLogin/InternalLogin, except that no session is created, so there is no corresponding UserLogout/InternalLogout. This event is usually generated by lower layers, while login is generated by higher layers. |
|
|
InternalLogin Internal Login |
This is an internal login between two tiers. |
|
|
InternalLogout Internal Logout |
This is an internal logout between two tiers. |
|
|
QuerySession Query Session |
Query the attributes within a session object for a logged-in user. |
|
|
ModifySession |
Modify the attributes within a session object for a logged-in user. |
|
|
Authorization This set of events is for authorization. |
CheckAuthorization Check Authorization |
|
|
Data Access This set of events is for data access. |
CreateDataItem Create a data item |
Create a data item, for example a file. |
|
DeleteDataItem |
Delete a data item. |
|
|
QueryDataItemAttributes |
Query the attributes associated with a data item. |
|
|
ModifyDataItemAttributes |
Modify the attributes associated with a data item, for example access. |
|
|
AccountManagement This set of events is for the management of principal accounts. |
ChangePassword |
Change a user's password. |
|
CreateAccount |
Create a user, or group, or any other principal account. |
|
|
DeleteAccount |
Delete an account for a user, or group, or any other principal. |
|
|
EnableAccount |
Enable an account for a user, or group, or any other principal |
|
|
DisableAccount |
Disable an account for a user, or group, or any other principal. |
|
|
QueryAccount |
Query the user's account. |
|
|
ModifyAccount |
Modify the account attributes. |
|
|
ServiceManagement This set of events relate to management of system services and applications. |
InstallService |
Install or upgrade a service or an application. |
|
RemoveService |
De-install a service or an application. |
|
|
QueryServiceConfig |
Query the configuration of a service or application. |
|
|
ModifyServiceConfig |
Modify the configuration of a service or application. |
|
|
DisableService |
Shut down or disable a service or application. |
|
|
EnableService |
Start up or enable a service or application. |
|
|
ServiceUtilize These events relate to the use of a service or application. They typically map to the execution of a program or procedure, and manipulation of the processing environment. |
InvokeService |
Invoke a service or an application. For example, execute a command-line script. |
|
TerminateService |
Terminate a service or an application, either at the request of the application itself or by intervention of the domain in response to user or administrative action. |
|
|
QueryProcessContext |
Query the attributes associated with the current processing context. |
|
|
ModifyProcessContext |
Modify the attributes associated with the current processing context. |
|
|
PeerAssocManagement This set of events creates and works with communication channels between system components. |
CreatePeerAssoc |
Creates a communication channel between system components. |
|
TerminatePeerAssoc |
Terminates a communication channel between system components. |
|
|
QueryAssocContext |
Query attributes associated with a communication channel between system components. |
|
|
ModifyAssocContext |
Modify attributes associated with a communication channel between system components |
|
|
a communication channel between system components |
||
|
ReceiveDataViaAssoc |
Receive data from an associated peer. |
|
|
SendDataViaAssoc |
Send data to an associated peer. |
|
|
DataItemContentAccess This set of events is to form an association between a service or application and a data item or resource element to use its content or services; for example a file or directory, a device special file, a memory segment, communication port, and so on. |
CreateDataItemAssoc |
Open a data item, for example a file. |
|
TerminateDataItemAssoc |
Close a data item, for example a file. |
|
|
QueryDataItemAssocContext |
Query attributes of a data item, for example mode of access, size limits, access paths, and so on. |
|
|
ModifyDataItemAssocContext |
Modify attributes of a data item. |
|
|
QueryDataItemContents |
Read the data item. |
|
|
ModifyDataItemContent |
Write or append to the data item. |
|
|
Exceptional These events are considered to be outside the generalized events. |
StartSystem |
Boot a system host. |
|
ShutdownSystem |
Shut down the system. |
|
|
ResourceExhausted |
Resources like data storage or communication endpoints have been exhausted. |
|
|
ResourceCorrupted |
Resources like data storage have integrity failures. |
|
|
BackupDatastore |
Make a backup copy of a data store. |
|
|
RecoverDatastore |
Recover a data store from a backup copy. |
|
|
AuditService This set of events applies to audit service configuration. Common attribute for these events: TransactionId |
ConfigureAuditPolicy |
Modify parameters that control auditing, for example the audit event filtering. |
|
ConfigureAuditRepository |
Configure the audit storage type, for example to change from file-based storage to a database. |
See Also:
Section 13.4.3 for background about system categories and events.Table C-2 Core Oracle Platform Security Services Events
| Event Category | Event Type | Attributes used by Event |
|---|---|---|
|
Authorization |
CheckPermission |
ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, CodeSource, Principals, InitiatorGUID, Subject, PermissionAction, PermissionTarget, PermissionClass |
|
CheckSubject |
ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, CodeSource, Principals, InitiatorGUID, Subject |
|
|
IsAccessAllowed |
||
|
CredentialManagement |
CreateCredential |
ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, mapName, key, CodeSource, Principals, InitiatorGUID |
|
DeleteCredential |
ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, mapName, key, CodeSource, Principals, InitiatorGUID |
|
|
AccessCredential |
ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, mapName, key, CodeSource, Principals, InitiatorGUID |
|
|
ModifyCredential |
ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, mapName, key, CodeSource, Principals, InitiatorGUID |
|
|
PolicyManagement |
PolicyGrant |
ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, CodeSource, Principals, InitiatorGUID, PermissionAction, PermissionTarget, PermissionClass, PermissionScope |
|
PolicyRevoke |
ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, CodeSource, Principals, InitiatorGUID, PermissionAction, PermissionTarget, PermissionClass, PermissionScope |
|
|
RoleManagement |
RoleMembershipAdd |
ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, CodeSource, Principals, InitiatorGUID, ApplicationRole, EnterpriseRoles, PermissionScope |
|
RoleMembershipRemove |
ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, CodeSource, Principals, InitiatorGUID, ApplicationRole, EnterpriseRoles, PermissionScope |
|
|
,RolePolicy |
RolePolicyCreation |
CodeSource, Principals, InitiatorGUID, InitiatorDN, ManagedApplication, PolicyName, PolicyApplicationRolePrincipals, RoleMembers, PolicyRules, ResourceNames, ResourceNameExpressions, PolicyApplicationRolePrincipalsOld, RoleMembersOld, PolicyRulesOld, ResourceNamesOld, ResourceNameExpressionsOld |
|
,RolePolicyModification |
CodeSource, Principals, InitiatorGUID, InitiatorDN, ManagedApplication, PolicyName, PolicyApplicationRolePrincipals, RoleMembers, PolicyRules, ResourceNames, ResourceNameExpressions, PolicyApplicationRolePrincipalsOld, RoleMembersOld, PolicyRulesOld, ResourceNamesOld, ResourceNameExpressionsOld |
|
|
RolePolicyDeletion |
CodeSource, Principals, InitiatorGUID, InitiatorDN, ManagedApplication, PolicyName, PolicyApplicationRolePrincipals, RoleMembers, PolicyRules, ResourceNames, ResourceNameExpressions, PolicyApplicationRolePrincipalsOld, RoleMembersOld, PolicyRulesOld, ResourceNamesOld, ResourceNameExpressionsOld |
|
|
ResourceManagement |
ResourceCreation |
InitiatorDN, GUID, CodeSource, Principals, Permission, PermissionClass, ManagedApplication, ResName, ResTypeName, PolicyDomainName, ResourceAttributes, Cascade, ModifiedAttributeName, ModifiedAttributeValue, ModifiedAttributeValueOld, ResourceAttributesOld, SqlPredicate, SqlPredicateOld, XmlExpression, XmlExpressionOld, |
|
ResourceDeletion |
InitiatorDN, GUID, CodeSource, Principals, Permission, PermissionClass, ManagedApplication, ResName, ResTypeName, PolicyDomainName, ResourceAttributes, Cascade, ModifiedAttributeName, ModifiedAttributeValue, ModifiedAttributeValueOld, ResourceAttributesOld, SqlPredicate, SqlPredicateOld, XmlExpression, XmlExpressionOld, |
|
|
ResourceModification |
InitiatorDN, GUID, CodeSource, Principals, Permission, PermissionClass, ManagedApplication, ResName, ResTypeName, PolicyDomainName, ResourceAttributes, Cascade, ModifiedAttributeName, ModifiedAttributeValue, ModifiedAttributeValueOld, ResourceAttributesOld, SqlPredicate, SqlPredicateOld, XmlExpression, XmlExpressionOld, |
|
|
,KeyStoreManagement |
CreateKeyStore |
stripeName, keystoreName, alias, operation, CodeSource, Principals, InitiatorGUID |
|
DeleteKeyStore |
stripeName, keystoreName, alias, operation, CodeSource, Principals, InitiatorGUID |
|
|
ModifyKeyStore |
stripeName, keystoreName, alias, operation, CodeSource, Principals, InitiatorGUID |
|
|
,PermissionSet |
PermissionSetCreation |
InitiatorDN, GUID, CodeSource, Principals, Permission, PermissionClass, ManagedApplication, PermissionSetName, PolicyDomainName, ResourceActions, Cascade, ModifiedAttributeName, ModifiedAttributeValue, ModifiedAttributeValueOld, ResourceActionsOld |
|
PermissionSetDeletion |
InitiatorDN, GUID, CodeSource, Principals, Permission, PermissionClass, ManagedApplication, PermissionSetName, PolicyDomainName, ResourceActions, Cascade, ModifiedAttributeName, ModifiedAttributeValue, ModifiedAttributeValueOld, ResourceActionsOld |
|
|
PermissionSetModification |
InitiatorDN, GUID, CodeSource, Principals, Permission, PermissionClass, ManagedApplication, PermissionSetName, PolicyDomainName, ResourceActions, Cascade, ModifiedAttributeName, ModifiedAttributeValue, ModifiedAttributeValueOld, ResourceActionsOld |
Table C-3 Identity Directory Service Events
| Event Category | Event Type | Attributes used by Event |
|---|---|---|
|
UserSession |
Authentication |
Initiator, EventType, EventStatus, MessageText, ApplicationName, AuditService:TransactionId, ContextFields, ECID, EventCategory, FailureCode, MajorVersion, MinorVersion, RID, RemoteIP, Resource, Roles, SessionId, Target, ThreadId, AuthenticationMethod |
|
DataAccess |
CreateDataItem |
Initiator, EventType, EventStatus, MessageText, ApplicationName, AuditService:TransactionId, ContextFields, ECID, EventCategory, FailureCode, MajorVersion, MinorVersion, RID, RemoteIP, Resource, Roles, SessionId, Target, ThreadId, AuthenticationMethod |
|
DeleteDataItem |
Initiator, EventType, EventStatus, MessageText, ApplicationName, AuditService:TransactionId, ContextFields, ECID, EventCategory, FailureCode, MajorVersion, MinorVersion, RID, RemoteIP, Resource, Roles, SessionId, Target, ThreadId, AuthenticationMethod |
|
|
ModifyDataItemAttributes |
Initiator, EventType, EventStatus, MessageText, ApplicationName, AuditService:TransactionId, ContextFields, ECID, EventCategory, FailureCode, MajorVersion, MinorVersion, RID, RemoteIP, Resource, Roles, SessionId, Target, ThreadId, AuthenticationMethod |
Table C-4 Identity Virtualization Library Events
| Event Category | Eventy Type | Attributes used by Event |
|---|---|---|
|
LDAPEntryAccess |
Add |
Initiator, EventType, EventStatus, MessageText, ApplicationName, AuditService:TransactionId, ContextFields, ECID, EventCategory, FailureCode, MajorVersion, MinorVersion, RID, RemoteIP, Resource Roles, SessionId, Target, ThreadId, AuthenticationMethod |
|
Delete |
Initiator, EventType, EventStatus, MessageText, ApplicationName, AuditService:TransactionId, ContextFields, ECID, EventCategory, FailureCode, MajorVersion, MinorVersion, RID, RemoteIP, Resource, Roles, SessionId, Target, ThreadId, AuthenticationMethod |
|
|
Modify |
Initiator, EventType, EventStatus, MessageText, ApplicationName, AuditService:TransactionId, ContextFields, ECID, EventCategory, FailureCode, MajorVersion, MinorVersion, RID, RemoteIP, Resource, Roles, SessionId, Target, ThreadId, AuthenticationMethod |
|
|
Rename |
Initiator, EventType, EventStatus, MessageText, ApplicationName, AuditService:TransactionId, ContextFields, ECID, EventCategory, FailureCode, MajorVersion, MinorVersion, RID, RemoteIP, Resource, Roles, SessionId, Target, ThreadId, AuthenticationMethod |
|
|
UserSession |
UserLogin.FAILURESONLY |
Initiator, EventType, EventStatus, MessageText, ApplicationName, AuditService:TransactionId, ContextFields, ECID, EventCategory, FailureCode, MajorVersion, MinorVersion, RID, RemoteIP, Resource, Roles, SessionId, Target, ThreadId, AuthenticationMethod |
|
DataAccess |
QueryDataItemAttributes |
Initiator, EventType, EventStatus, MessageText, ApplicationName, AuditService:TransactionId, ContextFields, ECID, EventCategory, FailureCode, MajorVersion, MinorVersion, RID, RemoteIP, Resourc,e Roles, SessionId, Target, ThreadId, AuthenticationMethod |
|
ModifyDataItemAttributes |
Initiator, EventType, EventStatus, MessageText, ApplicationName, AuditService:TransactionId, ContextFields, ECID, EventCategory, FailureCode, MajorVersion, MinorVersion, RID, RemoteIP, Resource, Roles, SessionId, Target, ThreadId, AuthenticationMethod |
Table C-5 lists all attributes for OPSS audited events. Use this table to learn about the attributes used in the event of interest.
Table C-5 Attributes of OPSS Audit Events
| Namespace | Attribute Name | Description |
|---|---|---|
|
common |
ApplicationName |
The Java EE application name. |
|
AuditUser |
Identifies the user name of the user who is running the application. |
|
|
ComponentData |
Where component-specific data are stored when there is no component-specific table in the schema. |
|
|
ComponentName |
The name of this component. |
|
|
ComponentType |
Type of the component. |
|
|
ContextFields |
This attribute contains the context fields extracted from the dms context. |
|
|
DomainName |
The WebLogic Server or IBM WebSphere Domain. |
|
|
ECID |
Identifies the thread of execution in which the originating component participates. |
|
|
EventCategory |
The category of the audit event. |
|
|
EventStatus |
The outcome of the audit event - success or failure. |
|
|
EventType |
The type of the audit event. Use the wlst listAuditEvents command to list out all the events. |
|
|
FailureCode |
The error code in case EventStatus = failure |
|
|
HomeInstance |
The ORACLE_INSTANCE directory of the component. |
|
|
HostId |
DNS hostname of originating host. |
|
|
HostNwaddr |
The IP or other network address of originating host. |
|
|
Initiator |
Identifies the UID of the user who is doing the operation. |
|
|
InstanceId |
The name of the Oracle instance to which this component belongs. |
|
|
MajorVersion |
The major version of a component. |
|
|
MessageText |
Description of the audit event. |
|
|
MinorVersion |
The minor version of a component. |
|
|
ModuleId |
The ID of the module that originated the message. Interpretation is unique within Component ID. |
|
|
OracleHome |
The ORACLE_HOME directory of the component. |
|
|
ProcessId |
The ID of the process that originated the message. |
|
|
RemoteIP |
The IP address of the client initiating this event. |
|
|
Resource |
Identifies a resource that is being accessed. A resource can be many things - web page, file, directory share, web service, XML document, a portlet. The resource can be named as a combination of a host name, and a URI. |
|
|
RID |
This is the relationship identifier; it is used to provide the full and correct calling relationships between threads and processes. |
|
|
Roles |
The roles that the user was granted at the time of login. |
|
|
ServerName |
The name of the server. |
|
|
SessionId |
The ID of the login session. |
|
|
Target |
Identifies the UID of the user on whom the operation is being done. For example, if Alice changes Bob's password, then Alice is the initiator and Bob is the target. |
|
|
TargetComponentType |
The target component type. |
|
|
TstzOriginating |
Date and time when the audit event was generated. |
|
|
ThreadId |
The ID of the thread that generated this event. |
|
|
TenantId |
The tenant ID. |
|
|
TransactionId |
The transaction ID. |
|
|
UserTenantId |
The user tenant ID. |
|
|
AuditService |
TransactionId |
The transaction ID. |
|
UserSession |
AuthenticationMethod |
The Authentication method, namely password, SSL, Kerberos and so on. |
See Also:
Section 13.4.2 for details about attribute groups and attributes.You can create custom reports using your choice of reporting tools. For example, while the pre-built reports use a subset of the event attributes, you can make use of the entire audit attribute set for an event in creating custom reports.
Table C-6 and Table C-7 describe the audit schema, which is useful when building custom reports. The IAU_ID column in the schema is indexed to enhance query performance.
| Table Name | Column Name | Data Type | Nullable | Column ID |
|---|---|---|---|---|
|
BASE TABLE |
IAU_ID |
NUMBER |
Yes |
1 |
|
IAU_ORGID |
VARCHAR2(255 Bytes) |
Yes |
2 |
|
|
IAU_COMPONENTID |
VARCHAR2(255 Bytes) |
Yes |
3 |
|
|
IAU_COMPONENTTYPE |
VARCHAR2(255 Bytes) |
Yes |
4 |
|
|
IAU_INSTANCEID |
VARCHAR2(255 Bytes) |
Yes |
5 |
|
|
IAU_HOSTINGCLIENTID |
VARCHAR2(255 Bytes) |
Yes |
6 |
|
|
IAU_HOSTID |
VARCHAR2(255 Bytes) |
Yes |
7 |
|
|
IAU_HOSTNWADDR |
VARCHAR2(255 Bytes) |
Yes |
8 |
|
|
IAU_MODULEID |
VARCHAR2(255 Bytes) |
Yes |
9 |
|
|
IAU_PROCESSID |
VARCHAR2(255 Bytes) |
Yes |
10 |
|
|
IAU_ORACLEHOME |
VARCHAR2(255 Bytes) |
Yes |
11 |
|
|
IAU_HOMEINSTANCE |
VARCHAR2(255 Bytes) |
Yes |
12 |
|
|
IAU_UPSTREAMCOMPONENTID |
VARCHAR2(255 Bytes) |
Yes |
13 |
|
|
IAU_DOWNSTREAMCOMPONENTID |
VARCHAR2(255 Bytes) |
Yes |
14 |
|
|
IAU_ECID |
VARCHAR2(255 Bytes) |
Yes |
15 |
|
|
IAU_RID |
VARCHAR2(255 Bytes) |
Yes |
16 |
|
|
IAU_CONTEXTFIELDS |
VARCHAR2(2000 Bytes) |
Yes |
17 |
|
|
IAU_SESSIONID |
VARCHAR2(255 Bytes) |
Yes |
18 |
|
|
IAU_SECONDARYSESSIONID |
VARCHAR2(255 Bytes) |
Yes |
19 |
|
|
IAU_APPLICATIONNAME |
VARCHAR2(255 Bytes) |
Yes |
20 |
|
|
IAU_TARGETCOMPONENTTYPE |
VARCHAR2(255 Bytes) |
Yes |
21 |
|
|
IAU_EVENTTYPE |
VARCHAR2(255 Bytes) |
Yes |
22 |
|
|
IAU_EVENTCATEGORY |
VARCHAR2(255 Bytes) |
Yes |
23 |
|
|
IAU_EVENTSTATUS |
NUMBER |
Yes |
24 |
|
|
IAU_TSTZORIGINATING |
TIMESTAMP(6) |
Yes |
25 |
|
|
IAU_THREADID |
VARCHAR2(255 Bytes) |
Yes |
26 |
|
|
IAU_COMPONENTNAME |
VARCHAR2(255 Bytes) |
Yes |
27 |
|
|
IAU_INITIATOR |
VARCHAR2(255 Bytes) |
Yes |
28 |
|
|
IAU_MESSAGETEXT |
VARCHAR2(255 Bytes) |
Yes |
29 |
|
|
IAU_FAILURECODE |
VARCHAR2(255 Bytes) |
Yes |
30 |
|
|
IAU_REMOTEIP |
VARCHAR2(255 Bytes) |
Yes |
31 |
|
|
IAU_TARGET |
VARCHAR2(255 Bytes) |
Yes |
32 |
|
|
IAU_RESOURCE |
VARCHAR2(255 Bytes) |
Yes |
33 |
|
|
IAU_ROLES |
VARCHAR2(255 Bytes) |
Yes |
34 |
|
|
IAU_AUTHENTICATIONMETHOD |
VARCHAR2(255 Bytes) |
Yes |
35 |
|
|
IAU_TRANSACTIONID |
VARCHAR2(255 Bytes) |
Yes |
36 |
|
|
IAU_DOMAINNAME |
VARCHAR2(255 Bytes) |
Yes |
37 |
|
|
IAU_COMPONENTDATA |
clob |
yes |
38 |
|
|
DIP |
IAU_ID |
NUMBER |
Yes |
1 |
|
IAU_TSTZORIGINATING |
TIMESTAMP(6) |
Yes |
2 |
|
|
IAU_EVENTTYPE |
VARCHAR2(255 Bytes) |
Yes |
3 |
|
|
IAU_EVENTCATEGORY |
VARCHAR2(255 Bytes) |
Yes |
4 |
|
|
IAU_ASSOCIATEPROFILENAME |
VARCHAR2(512 Bytes) |
Yes |
5 |
|
|
IAU_PROFILENAME |
VARCHAR2(512 Bytes) |
Yes |
6 |
|
|
IAU_ENTRYDN |
VARCHAR2(1024 Bytes) |
Yes |
7 |
|
|
IAU_PROVEVENT |
VARCHAR2(2048 Bytes) |
Yes |
8 |
|
|
IAU_JOBNAME |
VARCHAR2(128 Bytes) |
Yes |
9 |
|
|
IAU_JOBTYPE |
VARCHAR2(128 Bytes) |
Yes |
10 |
|
|
IAU_DISP_NAME_TL |
IAU_LOCALE_STR |
VARCHAR2(7 Bytes) |
1 |
|
|
IAU_DISP_NAME_KEY |
VARCHAR2(255 Bytes) |
2 |
||
|
IAU_COMPONENT_TYPE |
VARCHAR2(255 Bytes) |
3 |
||
|
IAU_DISP_NAME_KEY_TYPE |
VARCHAR2(255 Bytes) |
4 |
||
|
IAU_DISP_NAME_TRANS |
VARCHAR2(4000 Bytes) |
Yes |
5 |
|
|
IAU_LOCALE_MAP_TL |
IAU_LOC_LANG |
VARCHAR2(2 Bytes) |
Yes |
1 |
|
IAU_LOC_CNTRY |
VARCHAR2(3 Bytes) |
Yes |
2 |
|
|
IAU_LOC_STR |
VARCHAR2(7 Bytes) |
Yes |
3 |
Table C-7 shows additional tables in the audit schema; these tables support the dynamic metadata model.
Table C-7 Additional Audit Schema Tables
| Table Name | Column Name | Data Type |
|---|---|---|
|
IAU_COMMON |
IAU_ID |
NUMBER |
|
IAU_OrgId |
VARCHAR(255) |
|
|
IAU_ComponentId |
VARCHAR(255) |
|
|
IAU_ComponentType |
VARCHAR(255) |
|
|
IAU_MajorVersion |
VARCHAR(255) |
|
|
IAU_MinorVersion |
VARCHAR(255) |
|
|
IAU_InstanceId |
VARCHAR(255) |
|
|
IAU_HostingClientId |
VARCHAR(255) |
|
|
IAU_HostId |
VARCHAR(255) |
|
|
IAU_HostNwaddr |
VARCHAR(255) |
|
|
IAU_ModuleId |
VARCHAR(255) |
|
|
IAU_ProcessId |
VARCHAR(255) |
|
|
IAU_OracleHome |
VARCHAR(255) |
|
|
IAU_HomeInstance |
VARCHAR(255) |
|
|
IAU_UpstreamComponentId |
VARCHAR(255) |
|
|
IAU_DownstreamComponentId |
VARCHAR(255) |
|
|
IAU_ECID |
VARCHAR(255) |
|
|
IAU_RID |
VARCHAR(255 |
|
|
IAU_ContextFields |
VARCHAR(2000) |
|
|
IAU_SessionId |
VARCHAR(255) |
|
|
IAU_SecondarySessionId |
VARCHAR(255) |
|
|
IAU_ApplicationName |
VARCHAR(255) |
|
|
IAU_TargetComponentType |
VARCHAR(255) |
|
|
IAU_EventType |
VARCHAR(255) |
|
|
IAU_EventCategory |
VARCHAR(255) |
|
|
IAU_EventStatus |
NUMBER |
|
|
IAU_TstzOriginating |
TIMESTAMP |
|
|
IAU_ThreadId |
VARCHAR(255) |
|
|
IAU_ComponentName |
VARCHAR(255) |
|
|
IAU_Initiator |
VARCHAR(255) |
|
|
IAU_MessageText |
VARCHAR(2000) |
|
|
IAU_FailureCode |
VARCHAR(255) |
|
|
IAU_RemoteIP |
VARCHAR(255) |
|
|
IAU_Target |
VARCHAR(255) |
|
|
IAU_Resource |
VARCHAR(255) |
|
|
IAU_Roles |
VARCHAR(255) |
|
|
IAU_AuthenticationMethod |
VARCHAR(255) |
|
|
IAU_TransactionId |
VARCHAR(255) |
|
|
IAU_DomainName |
VARCHAR(255) |
|
|
IAU_ComponentVersion |
VARCHAR(255) |
|
|
IAU_ComponentData |
CLOB |
|
|
IAU_CUSTOM |
IAU_ID |
NUMBER |
|
IAU_BOOLEAN_001 |
NUMBER |
|
|
IAU_INT_001 |
NUMBER |
|
|
IAU_LONG_001 |
NUMBER |
|
|
IAU_FLOAT_001 |
NUMBER |
|
|
IAU_DOUBLE_001 |
NUMBER |
|
|
IAU_STRING_001 |
VARCHAR(2048) |
|
|
IAU_DATETIME_001 |
TIMESTAMP |
|
|
IAU_LONGSTRING_001 |
CLOB |
|
|
IAU_BINARY_001 |
BLOB |
|
|
IAU_AuditService |
IAU_ID |
NUMBER |
|
IAU_TransactionId |
VARCHAR(255) |
|
|
IAU_USERSESSION |
IAU_ID |
NUMBER |
|
IAU_AuthenticationMethod |
VARCHAR(255) |
Oracle WebLogic Server scripts are used at the command line to administer various features. WLST is the command-line utility for administration of Oracle Fusion Middleware components and applications in the Oracle WebLogic Server environment. It provides another option for administration in addition to Oracle Enterprise Manager Fusion Middleware Control.
For details about the WLST commands to view and manage audit policies and the audit store configuration, see "Audit Configuration Commands" in the Oracle Fusion Middleware Infrastructure Security WLST Command Reference.
Note:
When running audit commands, you must invoke theWLST script from the Oracle Common home. See "Using Custom WLST Commands" in the Oracle Fusion Middleware Administrator's Guide for more information.When you select a custom audit policy, you have the option of specifying a filter expression along with an event.
For example, you can use the following expression:
Host Id -eq "myhost123"
to enable the audit event for a particular host only.
You enter this expression either through the Fusion Middleware Control Edit Filter Dialog or through the setAuditPolicy command.
See Also:
There are some syntax rules you should follow when creating a filter expression.
The expression can either be a Boolean expression or a literal.
<Expr> ::= <BooleanExpression> | <BooleanLiteral>
A boolean expression can use combinations of RelationalExpression with –and, -or, -not and parenthesis. For example, (Host Id -eq "stadl17" -or ").
<BooleanExpression> ::= <RelationalExpression> | ”(” <BooleanExpression> ”)” | <BooleanExpression> ”-and” <BooleanExpression> | <BooleanExpression> ”-or” <BooleanExpression> | ”-not” <BooleanExpression>
A relational expression compares an attribute name (on the left hand side) with a literal (on the right-hand side). The literal and the operator must be of the correct data type for the attribute.
<RelationalExpression> ::= <AttributeName> <RelationalOperator> <Literal>
Relational operators are particular to data types:
-eq, -ne can be used with all data types
-contains, -startswith, -endswith can be only used with strings
-contains_case, -startswith_case and -endswith_case are case sensitive versions of the above three functions
-lt, -le, -gt, -ge can be used with numeric and datetime
<RelationalOperator> : = "-eq" | "-ne" | "-lt" | "-le" | "-gt" | "-ge" | "-contains" | "-contains_case" | "-startswith" | "-startswith_case" | "-endswith" | "-endswith_case"
Rules for literals are as follows:
Boolean literals are true or false, without quotes.
Date time literals have to be in double quotes and can be in many different formats; "June 25, 2006", "06/26/2006 2:00 pm" are all valid.
String literals have to be quotes, back-slash can be used to escape an embedded double quote.
Numeric literals are in their usual format.
For example:
<Literal> ::= <NumericLiteral> | <BooleanLiteral> | <DateTimeLiteral> | <StringLiteral><BooleanLiteral> ::= "true” | "false”
This section explains the rules that are used to maintain audit files.
For Java components (both Java EE and Java SE) the audit.log file contains audit records and comprises the bus-stop file.
When that file fills up (it reaches the configured maximum audit file size which is 100MB), it is renamed to audit1.log and records written to a new audit.log. When this file fills up, the audit.log file is renamed to "audit2.log" and the cycle starts with a new audit.log.
When you configure a database audit store, the audit loader reads these files and transfers the records to the database in batches. After reading a complete audit<n>.log file, it deletes the file.
Note:
The audit loader never deletes the "current" file, that is, audit.log; it only deletes archive files audit<n>.log.System components follow the same model, except the file name is slightly different. The process ID is embedded in the file name; thus, if the process id is 11925 the current file is called audit-pid11925.log, and after rotation it is called audit-pid11925-1.log.
For applications with audit definitions in the dynamic model, the file name format is audit_major version number_minor version number.log; for example, audit_1_2.log.
Here is a sample audit.log file:
#Fields:Date Time Initiator EventType EventStatus MessageText AuditUser ApplicationName AuditService:TransactionId ContextFields DomainName ECID EventCategory FailureCode HomeInstance HostId HostNwaddr JPS:AccessResult JPS:AclParameters JPS:AclParametersOld JPS:ActionCollName JPS:ActionCollRefs JPS:ActionCollRefsOld JPS:ActionConstraint JPS:ActionConstraintOld JPS:AdminRoleName JPS:Advices JPS:AdvicesOld JPS:AnonymousRole JPS:AnonymousUser JPS:AppContext JPS:ApplicableDBRes JPS:ApplicableDBResOld JPS:ApplicationRole JPS:AttrCollName JPS:AuthenticatedRole JPS:Cascade JPS:CodeSource JPS:CodeSourceTarget JPS:CodeSourceTargetOld JPS:CombiningAlgorithmID JPS:Condition JPS:ConditionOld JPS:ConfigurationId JPS:Direction JPS:Efect JPS:EfectOld JPS:EnterpriseRoles JPS:EnvironmentConstraint JPS:EnvironmentConstraintOld JPS:Flush JPS:GUID JPS:HandlerFunction JPS:HandlerFunctionOld JPS:ImpliedActions JPS:ImpliedActionsOld JPS:InitiatorDN JPS:InitiatorGUID JPS:ManagedApplication JPS:ModifiedAttributeName JPS:ModifiedAttributeValue JPS:ModifiedAttributeValueOld JPS:Obligations JPS:ObligationsOld JPS:PdpAddress JPS:PermSets JPS:PermSetsOld JPS:Permission JPS:PermissionAction JPS:PermissionCheckResult JPS:PermissionClass JPS:PermissionScope JPS:PermissionSetName JPS:PermissionTarget JPS:PoliciesAndPolicySets JPS:PoliciesAndPolicySetsOld JPS:PolicyApplicationRolePrincipals JPS:PolicyApplicationRolePrincipalsOld JPS:PolicyCategory JPS:PolicyCodeSource JPS:PolicyCodeSourceOld JPS:PolicyCombiningAlgorithmID JPS:PolicyCombiningAlgorithmIDOld JPS:PolicyDefaults JPS:PolicyDefaultsOld JPS:PolicyDomainName JPS:PolicyIssuer JPS:PolicyIssuerOld JPS:PolicyName JPS:PolicyPrincipals JPS:PolicyPrincipalsOld JPS:PolicyRuleName JPS:PolicyRules JPS:PolicyRulesOld JPS:PolicySemantic JPS:PolicySetDefaults JPS:PolicySetName JPS:PolicySetRef JPS:PolicyType JPS:PrincipalConstraint JPS:PrincipalConstraintOld JPS:Principals JPS:PrincipalsTarget JPS:PrincipalsTargetOld JPS:PurgeTime JPS:ResName JPS:ResTypeName JPS:ResourceActions JPS:ResourceActionsOld JPS:ResourceAttributes JPS:ResourceAttributesOld JPS:ResourceConstraint JPS:ResourceConstraintOld JPS:ResourceNameExpressions JPS:ResourceNameExpressionsOld JPS:ResourceNames JPS:ResourceNamesOld JPS:ResourceType JPS:RoleMembers JPS:RoleMembersOld JPS:RuleCombiningAlgorithmID JPS:RuleCombiningAlgorithmIDOld JPS:RuntimeAction JPS:RuntimeResource JPS:SqlPredicate JPS:SqlPredicateOld JPS:Subject JPS:Version JPS:VersionOld JPS:XmlExpression JPS:XmlExpressionOld JPS:alias JPS:credStoreContext JPS:key JPS:keystoreName JPS:mapName JPS:operation JPS:stripeName MajorVersion MinorVersion RID RemoteIP Resource Roles ServerName SessionId Target TargetComponentType TenantId ThreadId TransactionId UserSession:AuthenticationMethod UserTenantId #Remark Values:ComponentType="JPS" ReleaseVersion="MAIN" 2014-04-11 19:17:04.450 "biauthoruser1" "CreateKeyStore" true "Created keystore kk in stripe ss" "biauthoruser1" "opsscactus" - - "jrfServer_domain" "824656f5-097d-4d78-a29d-30c16132a56e-00000065,0" "KeyStoreManagement" - - "testnd01" "10.240.97.183" - - - - - - - - - - - - - - - - - - - - "file:/scratch/example/view_storage/example_e51/work/utp/testout/functional/jps/wls-jrfServer/servers/jrfServer_admin/tmp/_WL_user/opsscactus/tfuchd/war/WEB-INF/lib/_wl_cls_gen.jar" - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - "" - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - "kk" - - "ss" "1" "2" - - - - "jrfServer_admin" - - - "cisco" "88" - - - 2014-04-11 19:17:04.470 "biauthoruser1" "AccessKeyStore" true "Successfully got the handle to keystore castore in stripe system" "biauthoruser1" "opsscactus" - - "jrfServer_domain" "824656f5-097d-4d78-a29d-30c16132a56e-00000065,0" "KeyStoreManagement" - - "testnd01" "10.240.97.183" - - - - - - - - - - - - - - - - - - - - "file:/scratch/example/view_storage/example_e51/work/utp/testout/functional/jps/wls-jrfServer/servers/jrfServer_admin/tmp/_WL_user/opsscactus/tfuchd/war/WEB-INF/lib/_wl_cls_gen.jar" - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - "" - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - "castore" - - "system" "1" "2" - - - - "jrfServer_admin" - - - "cisco" "88" - -
This file follows the W3C extended logging format, which is a very common log format that is used by many Web Servers including Apache and IIS:
The first line is a "#Fields" line; it specifies all the fields in the rest of the file.
The second line is a comment like "#Remark" which has a comment indicating some common attributes like the ComponentType.
All subsequent lines are data lines; they follow the exact format defined in the "#Fields" line. All attributes are separated by spaces, mussing attributes are indicated by a dash.