Oracle® Internet Directory Administrator's Guide 10g (9.0.4) Part Number B12118-01
Logging, Auditing, and Monitoring the Directory, 3 of 4
The audit log records critical events on the Oracle directory server that matter from both a security and an operational point of view. Because entries are generated in response to events on the directory server, you cannot create audit log entries yourself; only the directory server can create them.
The audit log is made up of regular directory entries, one entry for each event. You can query the audit log by using ldapsearch, and you can view the audit log entries by using Oracle Directory Manager.
By default, audit logging is disabled. To enable it, modify the directory-specific entry (DSE) attribute orclauditlevel to the level you want. You can configure audit levels to audit only selected events.
Each audit log entry has the orclAuditoc object class. Like all other structural object classes, orclAuditoc inherits from top. Its attributes include:
Note that audit log entries do not appear in a regular search result set even when they satisfy the search filter. For example, a search with the filter objectclass=top from the root does not return audit log entries. Only a search with cn=auditlog as the base of the search finds them.
Note:
By default, the attributes
The audit log container is part of the DSE. It holds its entries as children, organized according to the orclsequence attribute. See Figure 10-1.
Table 10-5 shows the auditable events and their audit levels. The third column, Audit Levels, contains hexadecimal values. Each event corresponds to one bit of orclauditlevel, so you can audit more than one event by adding (that is, bitwise OR-ing) the values found in this column.
The setting of the DSE attribute orclauditlevel indicates the current audit level and enables or disables the events described in the previous section. A value of 0 for this attribute, which is the default, disables auditing.
You can set the audit level by using either Oracle Directory Manager or ldapmodify. This section describes both methods.
To set the audit level by using Oracle Directory Manager:
Both successful and unsuccessful events are entered into the audit log if they are selected, except:
Restart the directory server instance for the changes to take effect.
See Also:
"Restarting Oracle Internet Directory Server Instances" for instructions on how to restart the directory server
To audit more than one event, add the values of their audit masks. For example, suppose you want to audit the events in Table 10-7.

Event | Audit Level | Value
---|---|---
Schema element delete | 0x0004 | 4
DSE modification | 0x0020 | 32
Add | 0x0200 | 512
Total | | 548

The total of the audit levels is 548 (0x0224). The ldapmodify command therefore looks like this. Bind as a user with permission to modify the DSE; the empty dn: line designates the DSE itself:

ldapmodify -p port -h host -D binddn -w password << EOF
dn:
changetype: modify
replace: orclauditlevel
orclauditlevel: 548
EOF
Restart the directory server instance after any change to orclauditlevel for the change to take effect.
See Also:
"Restarting Oracle Internet Directory Server Instances" for instructions on how to restart the directory server
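The bit-mask arithmetic above, as an added example that is not part of Oracle's documentation or of the product: it builds orclauditlevel from named events, decodes a level you read back from a server into event names, and emits the LDIF that ldapmodify consumes. Only the three masks quoted in this section are listed; the short event names (schema-delete, dse-modify, add), the host, port and super-user bind DN in the usage comment are assumptions, and the remaining masks come from Table 10-5.

```sh
#!/bin/sh
# Added example, not Oracle's code. Build orclauditlevel from named events,
# decode a level back into events, and emit the LDIF fed to ldapmodify.
# Only the three masks quoted in this section are listed (Table 10-5 has the rest);
# the short event names are this script's own convention.

audit_mask_of() {
  case "$1" in
    schema-delete) echo 4 ;;     # 0x0004 Schema element delete
    dse-modify)    echo 32 ;;    # 0x0020 DSE modification
    add)           echo 512 ;;   # 0x0200 Add
    *) echo "unknown event: $1" >&2; return 1 ;;
  esac
}

# OR together the masks of all named events. Adding the decimal values gives the
# same result because every event owns exactly one bit, but OR does not
# double-count an event that is named twice.
audit_level() {
  level=0
  for ev in "$@"; do
    m=$(audit_mask_of "$ev") || return 1
    level=$(( level | m ))
  done
  echo "$level"
}

# List the known events enabled in a numeric level, one per line, and report
# any set bits this script does not know about.
audit_decode() {
  level=$1
  known=0
  for ev in schema-delete dse-modify add; do
    m=$(audit_mask_of "$ev")
    known=$(( known | m ))
    [ $(( level & m )) -ne 0 ] && echo "$ev"
  done
  rest=$(( level & ~known ))
  [ "$rest" -ne 0 ] && printf 'unlisted bits: 0x%04x\n' "$rest"
  return 0
}

# LDIF that replaces orclauditlevel on the DSE (the empty dn: line is the DSE).
audit_ldif() {
  printf 'dn:\nchangetype: modify\nreplace: orclauditlevel\norclauditlevel: %s\n' "$1"
}

# Usage against a live server (host, port, bind DN and password are placeholders):
#   audit_ldif "$(audit_level schema-delete dse-modify add)" |
#     ldapmodify -h oidhost -p 389 -D "cn=orcladmin" -w secret
# then restart the directory server instance so the new level takes effect.
```

To verify what a running server actually audits, read the attribute back with ldapsearch -b "" -s base "objectclass=*" orclauditlevel and pass the value to audit_decode; a reported "unlisted bits" line means the level enables events beyond the three this script knows, which you should look up in Table 10-5 rather than assume.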
You can search for audit log entries by using either Oracle Directory Manager or ldapsearch.
To use Oracle Directory Manager to view audit log entries:
cn, you could type the particular common name you want to find.
See Also:
"Configuring the Display and Duration of Searches in Oracle Directory Manager" for instructions on setting the number of entries to display in searches, and to set the time limit for searches
The DN for the audit log container is cn=auditlog. To search for audit log entries, perform a subtree or one-level search with the container object cn=auditlog as the base of the search.
You can use bulkdelete to purge audit log objects under the container cn=auditlog. Run the following command:

bulkdelete.sh -connect connect_string -base "cn=auditlog"
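The search and the purge above, as one added example that is not Oracle's code: it exports everything under cn=auditlog with ldapsearch (base cn=auditlog, one-level scope, since a search from the root with objectclass=top does not return these entries), summarises the export by orclsequence, and runs bulkdelete only after the export succeeded, because the purge is irreversible and the exported file is the only record that remains. The host, port, bind DN, password, connect string and archive path are placeholders, the LDIF used in the test is constructed, and the -L LDIF-output flag of OID's ldapsearch is assumed.

```sh
#!/bin/sh
# Added example, not Oracle's code: export the audit log with ldapsearch,
# summarise it, and only then purge it with bulkdelete. Purging is destructive,
# so the export is the evidence you keep. Host, port, bind DN, password, connect
# string and archive path are placeholders supplied by the operator.

# Summarise an LDIF export of cn=auditlog read on stdin: number of entries and
# the highest orclsequence seen (the container orders its children by it).
auditlog_summary() {
  awk '
    tolower($1) == "dn:"           { entries++ }
    tolower($1) == "orclsequence:" { if ($2 + 0 > max) max = $2 + 0 }
    END                            { printf "%d %d\n", entries, max }
  '
}

# Export everything one level below cn=auditlog (the container itself is not
# included) to the file named in $5. -L is assumed to request LDIF output.
# The base must be cn=auditlog: a search from the root does not return these entries.
auditlog_export() {
  host=$1 port=$2 binddn=$3 bindpw=$4 archive=$5
  ldapsearch -h "$host" -p "$port" -D "$binddn" -w "$bindpw" \
    -b "cn=auditlog" -s one -L "(objectclass=*)" > "$archive"
}

# Purge only after a successful, non-empty export; refuse otherwise.
auditlog_rotate() {
  host=$1 port=$2 binddn=$3 bindpw=$4 connect=$5 archive=$6
  auditlog_export "$host" "$port" "$binddn" "$bindpw" "$archive" || {
    echo "export failed, not purging" >&2
    return 1
  }
  set -- $(auditlog_summary < "$archive")
  if [ "$1" -eq 0 ]; then
    echo "audit log is empty, nothing to purge" >&2
    return 0
  fi
  echo "archived $1 entries (highest orclsequence $2) to $archive" >&2
  bulkdelete.sh -connect "$connect" -base "cn=auditlog"
}

# Usage against a live server (placeholders):
#   auditlog_rotate oidhost 389 "cn=orcladmin" secret oiddb \
#     "/var/audit/oid-$(date +%Y%m%d).ldif"
```

Store the archive outside the directory server host if you can: once bulkdelete has run, the exported LDIF is the only copy of those events, and an attacker who can modify the DSE can also set orclauditlevel back to 0, so compare the highest orclsequence across successive exports to spot a gap.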
Copyright © 1999, 2003 Oracle Corporation. All Rights Reserved.