Oracle® Internet Directory Administrator's Guide
10g (9.0.4)

Part Number B12118-01

Logging, Auditing, and Monitoring the Directory, 3 of 4


Using the Audit Log

The audit log records critical events on the Oracle directory server that are important from both a security and an operational point of view. Because the log generation depends on events on the directory server, you cannot create audit log entries. Only the directory server itself can create them.

The audit log is made up of regular directory entries, one entry for each event. You can query the audit log by using ldapsearch, and you can view the audit log entries by using Oracle Directory Manager.

By default, audit logging is disabled. To enable it, modify the directory-specific entry (DSE) attribute orclauditlevel to the level you want. You can configure audit levels to audit only selected events.

Structure of Audit Log Entries

Each audit log entry contains the orclAuditoc object class. Like all other structural object classes, orclAuditoc inherits from top. Its attributes include:

Table 10-4  Attributes of the orclAuditoc Object Class

Attribute         Description

orclsequence      Used to create the name of the entry. The name is generated using a database sequence.

orcleventtype     Specifies the type of event that occurred. This is a cataloged attribute.

orcleventtime     Specifies the time at which the event occurred. This is formatted in UTC (Coordinated Universal Time). UTC is indicated by a z at the end of the value. For example: orcleventtime: 199811281010z

orcluserdn        Specifies the identity of the user who logged into the Oracle directory server to perform the operation. This attribute is cataloged.

orclopresult      Specifies the outcome of the operation. It states either SUCCESS if the operation succeeds, or the reason why the operation failed.

orclauditmessage  Specifies the textual message. This attribute is not cataloged.

objectclass       Contains the preset values top and orclauditoc.

Note that the audit log entries do not become part of a regular search result set even though the search filter can satisfy the query criteria. For example, a search with the condition objectclass=top does not yield results from the auditlog entries. Only a search with cn=auditlog as the base of the search can find audit log entries.


Note:

By default, the attributes orcleventtype and orcluserdn are indexed at installation of Oracle Internet Directory. If you drop the indexes from these attributes, you cannot search for them. To re-create the index for these attributes, use the Catalog Management tool. See "Indexing an Attribute by Using Command-Line Tools".
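An added example, not from the Oracle documentation, that reads the LDIF an ldapsearch under cn=auditlog returns and counts the entries whose orclopresult is not SUCCESS per orcluserdn, using the attribute names and the orcleventtime format from Table 10-4. The sample records are constructed; the DN form of the entries and the orcleventtype and orclopresult values are assumptions.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed sample output of an ldapsearch with base cn=auditlog. The DN form
# and the orcleventtype/orclopresult values are assumptions, not documented ones.
SAMPLE_LDIF = """\
dn: orclsequence=1001,cn=auditlog
orcleventtype: Bind
orcleventtime: 199811281010z
orcluserdn: cn=orcladmin
orclopresult: SUCCESS

dn: orclsequence=1002,cn=auditlog
orcleventtype: Bind
orcleventtime: 199811281012z
orcluserdn: cn=jdoe,cn=users,dc=example,dc=com
orclopresult: Invalid credentials

dn: orclsequence=1003,cn=auditlog
orcleventtype: Access violation
orcleventtime: 199811281015z
orcluserdn: cn=jdoe,cn=users,dc=example,dc=com
orclopresult: Insufficient access rights
"""

def parse_ldif_entries(text):
    """Split simple LDIF (no folded lines, no base64 values) into dicts of lists."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            entry.setdefault(name.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def parse_event_time(value):
    """orcleventtime is YYYYMMDDHHMM followed by 'z' for UTC (Table 10-4)."""
    if not value.endswith("z"):
        raise ValueError(f"orcleventtime is not in UTC form: {value!r}")
    return datetime.strptime(value[:-1], "%Y%m%d%H%M").replace(tzinfo=timezone.utc)

def failures_by_user(text):
    """Count entries whose orclopresult is not SUCCESS, keyed by orcluserdn."""
    counts = Counter()
    for entry in parse_ldif_entries(text):
        if entry.get("orclopresult", [""])[0] != "SUCCESS":
            counts[entry.get("orcluserdn", ["<unknown>"])[0]] += 1
    return dict(counts)
```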


Position of Audit Log Entries in the DIT

The audit log container is part of the DSE. It holds its entries as children, organized according to the orclsequence attribute. See Figure 10-1.

Figure 10-1 Sample Audit Log in DSE


Auditable Events

Table 10-5 shows the auditable events and their audit levels. The third column, Audit Levels, contains hexadecimal values. You can audit more than one event by adding their corresponding values found in this column.

Table 10-5  Auditable Events

Event                                        Description                                                 Audit Level

Super user login                             Super user bind to the server (successes or failures)       0x0001
Schema element add/replace                   Addition of a new schema element (successes or failures)    0x0002
Schema element delete                        Deletion of a schema (successes or failures)                0x0004
Bind                                         Unsuccessful bind cases                                     0x0008
Access violation                             Access denied by access control policy point                0x0010
directory-specific entry (DSE) modification  Changes to a DSE (successes or failures)                    0x0020
Replication login                            Replication server authentication (successes or failures)   0x0040
ACL modification                             Changes to an access control list (ACL)                     0x0080
User password modification                   Modification of user password attribute                     0x0100
Add                                          ldapadd operation (successes or failures)                   0x0200
Delete                                       ldapdelete operation (successes or failures)                0x0400
Modify                                       ldapmodify operation (successes or failures)                0x0800
ModifyDN                                     ldapModifyDN operation (successes or failures)              0x1000

Setting the Audit Level

The setting for the DSE attribute orclauditlevel indicates the current audit level. You can enable or disable the events described in the previous section. A value of 0 for this attribute, which is the default, disables auditing.

You can set the audit level by using either Oracle Directory Manager or ldapmodify. This section describes both methods.

Setting the Audit Level by Using Oracle Directory Manager

To set the audit level by using Oracle Directory Manager:

  1. In the navigator pane, expand Oracle Internet Directory Servers and select the directory server instance.

  2. In the right pane, select the Audit Mask Levels tab page. This tab page lists the auditable events described in this table:

    Table 10-6  Audit Mask Levels

    Audit Level                   Description

    Super user login              Super user bind to the server (successes or failures)
    Schema element add/replace    Addition of a new schema element (successes or failures)
    Schema element delete         Deletion of a schema (successes or failures)
    Bind                          Unsuccessful bind cases
    Access violation              Access denied by ACP
    DSE modification              Changes to DSE entry (successes or failures)
    Replication login             Replication server authentication (successes or failures)
    ACL modification              Changes to ACPs
    User password modification    Modification of user password attribute
    Add                           ldapadd operation (successes or failures)
    Delete                        ldapdelete operation (successes or failures)
    Modify                        ldapmodify operation (successes or failures)
    ModifyDN                      ldapModifyDN operation (successes or failures)

  3. Select the audit level you want to use.

  4. Choose Apply.

Both successful and unsuccessful events are entered into the audit log if they are selected, except:

Restart the directory server instance for the changes to take effect.

See Also:

"Restarting Oracle Internet Directory Server Instances" for instructions on how to restart the directory server

Setting the Audit Level by Using ldapmodify

To audit more than one event, add the values of their audit masks. For example, suppose you want to audit the events in Table 10-7.

Table 10-7  Example: Setting the Audit Level

Event                     Audit Level   Value

Schema element delete     0x0004        4
DSE modification          0x0020        32
Add                       0x0200        512
Total                                   548

The total value of the audit levels is 548. The ldapmodify command would therefore look something like this:

ldapmodify -p port -h host << EOF
dn:
changetype:modify
replace: orclauditlevel
orclauditlevel: 548
EOF

Restart the directory server instance after any changes are made to orclauditlevel for the changes to take effect.

See Also:

"Restarting Oracle Internet Directory Server Instances" for instructions on how to restart the directory server
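An added example, not Oracle's own code, that turns the audit levels of Table 10-5 into the decimal orclauditlevel value (reproducing the 548 of Table 10-7), decodes an existing value back into event names so you can check that the events you care about are actually audited, and emits the LDIF change record used with ldapmodify above. The event names are the Table 10-5 labels; the helper names are assumptions.

```python
# Audit levels from Table 10-5 (added example, not Oracle's own code).
AUDIT_LEVELS = {
    "Super user login": 0x0001,
    "Schema element add/replace": 0x0002,
    "Schema element delete": 0x0004,
    "Bind": 0x0008,
    "Access violation": 0x0010,
    "DSE modification": 0x0020,
    "Replication login": 0x0040,
    "ACL modification": 0x0080,
    "User password modification": 0x0100,
    "Add": 0x0200,
    "Delete": 0x0400,
    "Modify": 0x0800,
    "ModifyDN": 0x1000,
}
ALL_EVENTS_MASK = sum(AUDIT_LEVELS.values())   # 0x1FFF

def audit_level(events):
    """Decimal orclauditlevel value that audits the named events."""
    mask = 0
    for name in events:
        mask |= AUDIT_LEVELS[name]       # KeyError on an unknown event name
    return mask

def decode_audit_level(value):
    """Event names enabled in an orclauditlevel value; rejects undocumented bits."""
    if value < 0 or value & ~ALL_EVENTS_MASK:
        raise ValueError(f"undocumented audit bits in {value:#x}")
    return sorted(name for name, bit in AUDIT_LEVELS.items() if value & bit)

def missing_events(value, required):
    """Required events that the current orclauditlevel does not audit."""
    return sorted(set(required) - set(decode_audit_level(value)))

def ldif_for_audit_level(value):
    """LDIF change record for ldapmodify (empty dn: is the DSE, as on this page)."""
    return f"dn:\nchangetype: modify\nreplace: orclauditlevel\norclauditlevel: {value}\n"

if __name__ == "__main__":
    level = audit_level(["Schema element delete", "DSE modification", "Add"])
    print(level, decode_audit_level(level))   # 548, as in Table 10-7
    print(missing_events(level, ["Access violation", "Bind"]))
    print(ldif_for_audit_level(level), end="")
```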

Searching for Audit Log Entries

You can search for audit log entries by using either Oracle Directory Manager or ldapsearch.

Searching for Audit Log Entries by Using Oracle Directory Manager

To use Oracle Directory Manager to view audit log entries:

  1. In the navigator pane, expand successively Oracle Internet Directory Servers and directory server instance, and select Audit Log Management. The corresponding right pane appears.

  2. In the Max Results (entries) field, type the maximum number of entries you want your search to retrieve. The default is 200. The directory server retrieves the number you specify, up to 1000.

  3. In the Max Search Time (seconds) box, type the maximum number of seconds for the duration of your search. The value you enter here must be at least that of the default, namely, 25. The directory server searches for the amount of time you specify, up to one hour.

  4. In the Search Criteria box, use the lists and text fields on the search criteria bar to focus your search.

    1. From the list at the left end of the search criteria bar, select an attribute of the entry you want to search for. Because not all attributes are used in every entry, be sure that the attribute you specify actually corresponds to one in the entry that you are searching for. Otherwise, the search fails.

    2. From the list in the middle of the search criteria bar, select a filter. These are described in Table C-37.

    3. In the text box at the right end of the search criteria bar, type the value for the attribute you just selected. For example, if the attribute you selected was cn, you could type the particular common name you want to find.

  5. To further refine your search, use the buttons in the Search Criteria box to enhance the search criteria bar. These are described in Table C-38.

  6. Choose Search. The results of your search appear in the Distinguished Name box.

  7. To view the properties of a particular audit log entry, select it in the Distinguished Name box and open it. The Audit Log Entry dialog box displays the properties for the audit log entry you selected.

    See Also:

    "Configuring the Display and Duration of Searches in Oracle Directory Manager" for instructions on setting the number of entries to display in searches, and to set the time limit for searches

Searching for Audit Log Entries by Using ldapsearch

The DN for the audit log container is cn=auditlog. To search for audit log entries, perform a subtree or one-level search, with the container object cn=auditlog as the base of the search.

See:

"ldapsearch Syntax"

Purging the Audit Log

You can use bulkdelete to purge audit log objects under the container cn=auditlog. Run the following command:

bulkdelete.sh -connect connect_string -base "cn=auditlog"

Copyright © 1999, 2003 Oracle Corporation.

All Rights Reserved.