This chapter describes how to configure audit reporting and view audit reports.
This chapter includes the following topics:
The Oracle Fusion Middleware Audit Framework offers two approaches to audit reporting. The approach you adopt is determined by the audit model that components use at your site:
Dynamic Metadata Model
This model was introduced in 11g Release 1 (11.1.1.6.0). Oracle Fusion Middleware installations starting with 12c (12.1.2) use this mode. For information about this model, see Audit Reporting with the Dynamic Metadata Model.
Report Template Model
This earlier model is used by system components. When you upgrade, the Oracle Fusion Middleware Audit Framework continues to use this model.
Audit events are saved into the iau_common common attribute table and the iau_custom_nnn custom attribute tables. Oracle Platform Security Services Common Audit Framework generates SQL scripts to create Oracle Database views. Component reporting applications can use these views to query audit event data from audit database tables.
To set up audit reporting with the Dynamic Metadata Model:
Register your application with audit. Audit registration creates audit views that lets you run queries on audit data. For information about generating audit views manually, see Registering the Application with the Service.
Configure audit policies so that audit logs events to generate audit data. For information about audit logging, see Logging Audit Events Programmatically.
Configure the audit loader to ensure bus-stop files are migrated to the database. For information about bus-stop files, see Managing Bus-Stop Files.
If audit views were not created at registration, then:
Use createAuditDBView to generate a SQL script of audit definitions.
Log in to the database as the IAU schema user to create a view using the SQL script.
Configure your reporting application to query the view.
See also:
createAuditDBView in WLST Command Reference for Infrastructure Security
Starting with Release 12c (12.2.1), database views of your audit data can be created at registration. The views supported are:
Simple view - This view is based on the runtime database mappings of the component attributes against the columns in IAU_COMMON and IAU_CUSTOM_* tables.
A Simple database view is created in the IAU VIEWER schema when a component registers with audit. This view type is available for all supported databases. Note that a simple view is automatically generated for the component when you create the schema with Oracle Fusion Middleware Repository Creation Utility.
Indexable view - A simple view that is indexable. This view leverages Oracle materialized views for improved performance of reporting queries. These views are supported ready-to-use for Oracle Databases only.
Use indexable views with care, as they can impact the audit loader performance. A component can switch to an indexable view with the createIAUView WebLogic Scripting Tool (WLST) command. Qualified event attributes must be present in the component audit definitions. For information about indexes, see Creating Indexes on Custom Table Attributes Using Materialized Views.
File audit repositories do not support views.
To create audit views manually, use the createAuditDBView command. Here is the output that this command generated when it was called to create a view for the ApplicationAudit component:
-- Audit View for Component CREATE VIEW ApplicationAudit_AUDITVIEW AS SELECT IAU_AUDITSERVICE.IAU_TRANSACTIONID AS AUDITSERVICE_TRANSACTIONID, IAU_COMMON.IAU_COMPONENTTYPE AS ComponentType, IAU_COMMON.IAU_MAJORVERSION AS MajorVersion, IAU_COMMON.IAU_MINORVERSION AS MinorVersion, IAU_COMMON.IAU_INSTANCEID AS InstanceId, IAU_COMMON.IAU_HOSTID AS HostId, IAU_COMMON.IAU_HOSTNWADDR AS HostNwaddr, IAU_COMMON.IAU_MODULEID AS ModuleId, IAU_COMMON.IAU_PROCESSID AS ProcessId, IAU_COMMON.IAU_ORACLEHOME AS OracleHome, IAU_COMMON.IAU_HOMEINSTANCE AS HomeInstance, IAU_COMMON.IAU_ECID AS ECID, IAU_COMMON.IAU_RID AS RID, IAU_COMMON.IAU_CONTEXTFIELDS AS ContextFields, IAU_COMMON.IAU_SESSIONID AS SessionId, IAU_COMMON.IAU_TARGETCOMPONENTTYPE AS TargetComponentType, IAU_COMMON.IAU_APPLICATIONNAME AS ApplicationName, IAU_COMMON.IAU_EVENTTYPE AS EventType, IAU_COMMON.IAU_EVENTCATEGORY AS EventCategory, IAU_COMMON.IAU_EVENTSTATUS AS EventStatus, IAU_COMMON.IAU_TSTZORIGINATING AS TstzOriginating, IAU_COMMON.IAU_THREADID AS ThreadId, IAU_COMMON.IAU_COMPONENTNAME AS ComponentName, IAU_COMMON.IAU_INITIATOR AS Initiator, IAU_COMMON.IAU_MESSAGETEXT AS MessageText, IAU_COMMON.IAU_FAILURECODE AS FailureCode, IAU_COMMON.IAU_REMOTEIP AS RemoteIP, IAU_COMMON.IAU_TARGET AS Target, IAU_COMMON.IAU_RESOURCE AS IAU_RESOURCE, IAU_COMMON.IAU_ROLES AS Roles, IAU_COMMON.IAU_DOMAINNAME AS DomainName, IAU_COMMON.IAU_COMPONENTDATA AS ComponentData, IAU_COMMON.IAU_AUDITUSER AS AuditUser, IAU_COMMON.IAU_TENANTID AS TenantId, IAU_COMMON.IAU_TRANSACTIONID AS TransactionId, IAU_COMMON.IAU_USERTENANTID AS UserTenantId, IAU_CUSTOM.IAU_INT_001 AS AccountNumber, IAU_CUSTOM.IAU_DATETIME_001 AS Date, IAU_CUSTOM.IAU_FLOAT_001 AS Amount, IAU_CUSTOM.IAU_STRING_002 AS Status, IAU_CUSTOM.IAU_FLOAT_002 AS Balance, IAU_USERSESSION.IAU_AUTHENTICATIONMETHOD AS AuthenticationMethod FROM IAU_AUDITSERVICE, IAU_COMMON, IAU_CUSTOM, IAU_USERSESSION WHERE IAU_COMMON.IAU_ID = IAU_AUDITSERVICE.IAU_ID AND IAU_COMMON.IAU_ID = IAU_CUSTOM.IAU_ID AND IAU_COMMON.IAU_ID = IAU_USERSESSION.IAU_ID AND IAU_COMMON.IAU_ComponentType = 'ApplicationAudit';