C Oracle Fusion Middleware Audit Framework Reference

This appendix provides reference information for the Oracle Fusion Middleware Audit Framework. It contains these topics:

Audit Events
Pre-built Audit Reports
The Audit Schema
WLST Commands for Auditing
Audit Filter Expression Syntax
Naming and Logging Format of Audit Files

C.1 Audit Events

This section describes the components that are audited and the types of events that can be audited.

C.1.1 What Components Can be Audited?

In 11g Release 1 (11.1.1), specific Java components and system components can generate audit records; they are known as audit-aware components.

Java Components that can be Audited

The following components can be audited with Fusion Middleware Audit Framework:

Directory Integration Platform Server
Oracle Platform Security Services
Oracle Web Services Manager
- Agent
- Policy Manager
- Policy Attachment
Oracle Web Services
Oracle Identity Federation
Reports Server

System Components that can be Audited

The following components can be audited with Fusion Middleware Audit Framework:

Oracle HTTP Server
Oracle Web Cache
Oracle Internet Directory
Oracle Virtual Directory

C.1.2 What Events can be Audited?

The set of tables in this section shows, for each audit-aware system components and subcomponent, what event types can be audited:

Oracle Directory Integration Platform Events and their Attributes
Oracle Platform Security Services Events and their Attributes
Oracle HTTP Server Events and their Attributes
Oracle Internet Directory Events and their Attributes
Oracle Identity Federation Events and their Attributes
Oracle Virtual Directory Events and their Attributes
OWSM-Agent Events and their Attributes
OWSM-PM-EJB Events and their Attributes
Reports Server Events and their Attributes
WS-Policy Attachment Events and their Attributes
Oracle Web Cache Events and their Attributes
Oracle Web Services Manager Events and their Attributes

C.1.2.1 Oracle Directory Integration Platform Events and their Attributes

Table C-1 Oracle Directory Integration Platform Events

Event Category	Event Type	Attributes used by Event
ServiceUtilize
	InvokeService	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles
	TerminateService	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles
SynchronizationEvents
	Add	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, AssociateProfileName, ProfileName, EntryDN
	Modify	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, AssociateProfileName, ProfileName, EntryDN
	Delete	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, AssociateProfileName, ProfileName, EntryDN
ProvisioningEvents	UserAdd	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, ProfileName, ProvEvent
	UserModify	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, ProfileName, ProvEvent
	UserDelete	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, ProfileName, ProvEvent
	GroupAdd	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, ProfileName, ProvEvent
	GroupModify	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, ProfileName, ProvEvent
	GroupDelete	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, ProfileName, ProvEven
	IdentityAdd	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, ProfileName, ProvEvent
	IdentityModify	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, ProfileName, ProvEvent
	IdentityDelete	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, ProfileName, ProvEvent
	SubscriptionAdd	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, ProfileName, ProvEvent
	SubscriptionModify	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, ProfileName, ProvEvent
	SubscriptionDelete	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, ProfileName, ProvEvent
ProfileManagementEvents	DeleteProvProfile	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode
	UpdateProvProfile	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode
	ActivateProvProfile	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode
	DeactivateProvProfile	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode
	CreateSyncProfile	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode
	DeleteSyncProfile	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode
	UpdateSyncProfile	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode
	ActivateSyncProfile	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode
	DeactivateSyncProfile	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode
	SyncProfileUpdateChgNum	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode
	ExpressSyncSetup	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode
	SyncProfileBootstrap	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode
	SyncProfileExtAuthPlugins	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode
	ProvProfileBulkProv	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode
SchedulerEvents
	AddJob	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, JobName, JobType
	RemoveJob	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, JobName, JobType

C.1.2.2 Oracle Platform Security Services Events and their Attributes

Table C-2 Oracle Platform Security Services Events

Event Category	Event Type	Attributes used by Event
Authorization
	CheckPermission	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, CodeSource, Principals, InitiatorGUID, Subject, PermissionAction, PermissionTarget, PermissionClass
	CheckSubject	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, CodeSource, Principals, InitiatorGUID, Subject

CredentialManagement	CreateCredential	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, mapName, key, CodeSource, Principals, InitiatorGUID
	DeleteCredential	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, mapName, key, CodeSource, Principals, InitiatorGUID
	AccessCredential	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, mapName, key, CodeSource, Principals, InitiatorGUID
	ModifyCredential	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, mapName, key, CodeSource, Principals, InitiatorGUID

PolicyManagement	PolicyGrant	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, CodeSource, Principals, InitiatorGUID, PermissionAction, PermissionTarget, PermissionClass, PermissionScope
	PolicyRevoke	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, CodeSource, Principals, InitiatorGUID, PermissionAction, PermissionTarget, PermissionClass, PermissionScope

RoleManagement	RoleMembershipAdd	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, CodeSource, Principals, InitiatorGUID, ApplicationRole, EnterpriseRoles, PermissionScope
	RoleMembershipRemove	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, CodeSource, Principals, InitiatorGUID, ApplicationRole, EnterpriseRoles, PermissionScope

C.1.2.3 Oracle HTTP Server Events and their Attributes

Table C-3 Oracle HTTP Server Events

Event Category	Event Type	Attributes used by Event
UserSession	UserLogin	ComponentType, InstanceId, HostId, HostNwaddr, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Resource, AuthenticationMethod, Reason
	UserLogout	ComponentType, InstanceId, HostId, HostNwaddr, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Resource, AuthenticationMethod, Reason
	Authentication	ComponentType, InstanceId, HostId, HostNwaddr, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Resource, AuthenticationMethod, Reason, SSLConnection

Authorization	CheckAuthorization	ComponentType, InstanceId, HostId, HostNwaddr, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Resource, Reason, AuthorizationType

C.1.2.4 Oracle Internet Directory Events and their Attributes

Table C-4 Oracle Directory Integration Platform Events

Event Category	Event Type	Attributes used by Event
UserSession	UserLogin	ComponentType, InstanceId, HostId, HostNwaddr, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Roles, custEventStatusDetail, custEventOp, AuthenticationMethod
	UserLogout	ComponentType, InstanceId, HostId, HostNwaddr, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Roles, custEventStatusDetail, custEventOp

Authorization	CheckAuthorization	ComponentType, InstanceId, HostId, HostNwaddr, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, custEventStatusDetail, custEventOp

DataAccess	ModifyDataItemAttributes	ComponentType, InstanceId, HostId, HostNwaddr, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Resource, custEventStatusDetail, custEventOp
	CompareDataItemAttributes	ComponentType, InstanceId, HostId, HostNwaddr, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Resource, custEventStatusDetail, custEventOp

AccountManagement	ChangePassword	ComponentType, InstanceId, HostId, HostNwaddr, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, custEventStatusDetail, custEventOp
	CreateAccount	ComponentType, InstanceId, HostId, HostNwaddr, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, custEventStatusDetail, custEventOp
	DeleteAccount	ComponentType, InstanceId, HostId, HostNwaddr, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, custEventStatusDetail, custEventOp
	DisableAccount	ComponentType, InstanceId, HostId, HostNwaddr, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, custEventStatusDetail, custEventOp
	EnableAccount	ComponentType, InstanceId, HostId, HostNwaddr, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, custEventStatusDetail, custEventOp
	ModifyAccount	ComponentType, InstanceId, HostId, HostNwaddr, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, custEventStatusDetail, custEventOp
	LockAccount	ComponentType, InstanceId, HostId, HostNwaddr, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, custEventStatusDetail, custEventOp

LDAPEntryAccess	custInternalOperation	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, custEventStatusDetail, custEventOp

C.1.2.5 Oracle Identity Federation Events and their Attributes

Table C-5 Oracle Identity Federation Events

Event Category	Event Type	Attributes used by Event
UserSession	LocalAuthentication	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, SessionID, AuthenticationMethod, UserID, AuthenticationMechanism, AuthenticationEngineID
	LocalLogout	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, SessionID, AuthenticationMethod, UserID
	CreateUserSession	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, SessionID, AuthenticationMethod, UserID, AuthenticationMechanism
	DeleteUserSession	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, SessionID, AuthenticationMethod, UserID
	CreateUserFederation	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, RemoteProviderID, ProtocolVersion, NameIDQualifier, NameIDValue, NameIDFormat, FederationID, UserID, FederationType
	DeleteUserFederation	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, RemoteProviderID, ProtocolVersion, NameIDQualifier, NameIDValue, NameIDFormat, FederationID, UserID, FederationType
	CreateActiveUserFederation	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, RemoteProviderID, ProtocolVersion, SessionID, FederationID, AuthenticationMethod, UserID, FederationType
	DeleteActiveUserFederation	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, RemoteProviderID, ProtocolVersion, SessionID, FederationID, AuthenticationMethod, UserID, FederationType
	UpdateUserFederation	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, RemoteProviderID, ProtocolVersion, NameIDQualifier, NameIDValue, NameIDFormat, FederationID, UserID, FederationType, OldNameIDQualifier, OldNameIDValue

ProtocolFlow	IncomingMessage	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, RemoteProviderID, ProtocolVersion, Binding, Role, UserID, MessageType, IncomingMessageString, IncomingMessageStringCLOB
	OutgoingMessage	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, RemoteProviderID, ProtocolVersion, Binding, Role, UserID, MessageType, OutgoingMessageString, OutgoingMessageStringCLOB
	AssertionCreation	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, RemoteProviderID, ProtocolVersion, NameIDQualifier, NameIDValue, NameIDFormat, SessionID, FederationID, UserID, AssertionVersion, IssueInstant, Issuer, AssertionID
	AssertionConsumption	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, RemoteProviderID, ProtocolVersion, NameIDQualifier, NameIDValue, NameIDFormat, SessionID, FederationID, UserID, AssertionVersion, IssueInstant, Issuer, AssertionID

Security	CreateSignature	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, RemoteProviderID, ProtocolVersion, NameIDQualifier, NameIDValue, NameIDFormat, SessionID, FederationID, Type
	VerifySignature	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, RemoteProviderID, ProtocolVersion, NameIDQualifier, NameIDValue, NameIDFormat, SessionID, FederationID, Type
	EncryptData	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, RemoteProviderID, ProtocolVersion, NameIDQualifier, NameIDValue, NameIDFormat, SessionID, FederationID, Type
	DecryptData	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, RemoteProviderID, ProtocolVersion, NameIDQualifier, NameIDValue, NameIDFormat, SessionID, FederationID, Type

ServerConfiguration	ChangeCOT	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, RemoteProviderID, NameIDQualifier, NameIDValue, NameIDFormat, SessionID, FederationID, COTBefore, COTAfter
	ChangeServerProperty	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, RemoteProviderID, NameIDQualifier, NameIDValue, NameIDFormat, SessionID, FederationID, ServerConfigBefore, ServerConfigAfter
	ChangeDataStore	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, RemoteProviderID, NameIDQualifier, NameIDValue, NameIDFormat, SessionID, FederationID, DataStoreBefore, DataStoreAfter
	CreateConfigProperty	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, RemoteProviderID, NameIDQualifier, NameIDValue, NameIDFormat, SessionID, FederationID, PropertyName, PropertyType, PeerProviderID, PropertyContext, NewValue
	ChangeConfigProperty	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, RemoteProviderID, NameIDQualifier, NameIDValue, NameIDFormat, SessionID, FederationID, PropertyName, PropertyType, PeerProviderID, PropertyContext, OldValue, NewValue
	DeleteConfigProperty	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, RemoteProviderID, ProtocolVersion, NameIDQualifier, NameIDValue, NameIDFormat, SessionID, FederationID, PropertyName, PropertyType, PeerProviderID, PropertyContext, Description, OldValue
	CreatePeerProvider	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, RemoteProviderID, ProtocolVersion, NameIDQualifier, NameIDValue, NameIDFormat, SessionID, FederationID, PeerProviderID, Description, ProviderType
	UpdatePeerProvider	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, RemoteProviderID, ProtocolVersion, NameIDQualifier, NameIDValue, NameIDFormat, SessionID, FederationID, PeerProviderID, Description, ProviderType
	DeletePeerProvider	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, RemoteProviderID, ProtocolVersion, NameIDQualifier, NameIDValue, NameIDFormat, SessionID, FederationID, PeerProviderID, Description, ProviderType
	LoadMetadata	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, RemoteProviderID, NameIDQualifier, NameIDValue, NameIDFormat, SessionID, FederationID, Description, Metadata
	SetDataStoreType	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, RemoteProviderID, NameIDQualifier, NameIDValue, NameIDFormat, SessionID, FederationID, OldValue, NewDataStoreType, DataStoreName

C.1.2.6 Oracle Virtual Directory Events and their Attributes

Table C-6 Oracle Virtual Directory Events

Event Category	Event Type	Attributes used by Event
UserSession	UserLogin	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, AuthenticationMethod
	UserLogout	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles

Authorization	CheckAuthorization	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles

DataAccess	QueryDataItemAttributes	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles
	ModifyDataItemAttributes	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles
	CompareDataItemAttributes	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles

ServiceManagement	RemoveService	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, ServiceOperation
	ModifyServiceConfig	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, ServiceOperation
	AddService	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, ServiceOperation

LDAPEntryAccess	Add	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles
	Delete	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles
	Modify	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles
	Rename	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles
	Compare	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles

C.1.2.7 OWSM-Agent Events and their Attributes

Table C-7 OWSM-Agent Events

Event Category	Event Type	Attributes used by Event
UserSession	Authentication	ComponentType, InstanceId, HostId, HostNwaddr, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Resource, AssertionName, CompositeName, Endpoint, AgentMode, ModelObjectName, Operation, ProcessingStage, Version, Protocol

Authorization	CheckAuthorization	ComponentType, InstanceId, HostId, HostNwaddr, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Resource, AssertionName, CompositeName, Endpoint, AgentMode, ModelObjectName, Operation, ProcessingStage, Version, Protocol

PolicyEnforcement	EnforceConfidentiality	ComponentType, InstanceId, HostId, HostNwaddr, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Resource, AssertionName, CompositeName, Endpoint, AgentMode, ModelObjectName, Operation, ProcessingStage, Version, Protocol
	EnforceIntegrity	ComponentType, InstanceId, HostId, HostNwaddr, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Resource, AssertionName, CompositeName, Endpoint, AgentMode, ModelObjectName, Operation, ProcessingStage, Version, Protocol
	EnforcePolicy	ComponentType, InstanceId, HostId, HostNwaddr, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Resource, AssertionName, CompositeName, Endpoint, AgentMode, ModelObjectName, Operation, ProcessingStage, Version, Protocol

C.1.2.8 OWSM-PM-EJB Events and their Attributes

Table C-8 OWSM-PM-EJB Events

Event Category	Event Type	Attributes used by Event
AssertionTemplateAuthoring	CreateAssertionTemplate	ComponentType, InstanceId, HostId, HostNwaddr, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, Resource, Version
	DeleteAssertionTemplate	ComponentType, InstanceId, HostId, HostNwaddr, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, Resource, Version, ToVersion
	ModifyAssertionTemplate	ComponentType, InstanceId, HostId, HostNwaddr, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, Resource, Version

PolicyAuthoring	CreatePolicy	ComponentType, InstanceId, HostId, HostNwaddr, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, Resource, Version
	DeletePolicy	ComponentType, InstanceId, HostId, HostNwaddr, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, Resource, Version, ToVersion,
	ModifyPolicy	ComponentType, InstanceId, HostId, HostNwaddr, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, Resource, Version

C.1.2.9 Reports Server Events and their Attributes

Table C-9 Reports Server Events

Event Category	Event Type	Attributes used by Event
UserSession	UserLogin	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles

Authorization	CheckAuthorization	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles

C.1.2.10 WS-Policy Attachment Events and their Attributes

Table C-10 WS-Policy Attachment Events

Event Category	Event Type	Attributes used by Event
PolicyAttachment	PolicyAttachmentEvent	ComponentType, InstanceId, HostId, HostNwaddr, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, PolicyChangeType, PolicyURI, PolicyCategory, PolicyStatus, ServiceEndPoint, PolicySubjRescPattern

C.1.2.11 Oracle Web Cache Events and their Attributes

Table C-11 Oracle Web Cache Events

Event Category	Event Type	Attributes used by Event
UserSession	UserLogin	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, AuthenticationMethod
	UserLogout	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, AuthenticationMethod

Authorization	CheckAuthorization	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles

DataAccess	FilterRequest	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles

ServiceManagement	ModifyServiceConfig	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles
	ConfigServicePermissions	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles

ServiceUtilize	InvokeService	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles
	TerminateService	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles

PeerAssocManagement	CreatePeerAssoc	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles
	TerminatePeerAssoc	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles
	ChallengePeerAssoc	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles

Authentication	ClientAuthentication	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles
	ServerAuthentication	ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles

C.1.2.12 Oracle Web Services Manager Events and their Attributes

Table C-12 Oracle Web Services Manager Events

Event Category	Event Type	Attributes used by Event
WS-Processing	RequestReceived	ComponentType, InstanceId, HostId, HostNwaddr, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Protocol, Endpoint, Operation, FaultUrl
	ResponseSent	ComponentType, InstanceId, HostId, HostNwaddr, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Protocol, Endpoint, Operation, FaultUri

WS-Fault	SoapFaultEvent	ComponentType, InstanceId, HostId, HostNwaddr, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, URI, Source, Protocol, Endpoint, Operation

C.1.3 Event Attribute Descriptions

lists all attributes for all audited events. Use this table to learn about the attributes used in the event of interest.

Table C-13 Attributes of Audited Events

Attribute Name	Description
AgentMode	Mode in which agent performed policy enforcement.
ApplicationName	The J2EE application name
ApplicationRole	This attribute used for application roles audit for role membership management
AssertionID	The value of the "AssertionID" attribute of the assertion
AssertionName	Name of the assertion that failed enforcement.
AssertionVersion	The version number of the assertion corresponding to this event (ex. 2.0)
AssociateProfileName	This attribute is used to audit the Associate Profile Name
AuthenticationEngineID	The identifier of the authentication engine used during local authentication
AuthenticationMechanism	The authentication mechanism used during local authentication
AuthenticationMethod	The Authentication method - password / SSL / Kerberos and so on.
AuthorizationType	Access/authorization configuration directive: Regular = 'Require' directive, SSL = 'SSLRequire' directive
Binding	The binding used to send the message (SOAP, POST, GET, Aritifact,...)
COTAfter	The contents of the federations configuration file after the change
COTBefore	The contents of the federations configuration file before the change
CodeSource	This attribute used for code source audit for rolemembershipmanagement
ComponentName	ComponentName
ComponentType	Type of the component.
CompositeName	Name of the composite (apply to SOA application only) against which the policy is being enforced.
ContextFields	This attribute contains the context fields extracted from dms context.
custEventOp	This attribute specifies the LDAP operation name associated with this event, e.g. ldapbind, ldapadd, ldapsearch and so on.
custEventStatusDetail	This attribute conveys event status detail info, e.g. error code and other details in case of failure of the associated LDAP operation.
DataStoreAfter	The data stores configuration after the change
DataStoreBefore	The data stores configuration before the change
DataStoreName	The name of the data store being modified (examples: user data store, federation datastore)
Description	Description of the trusted provider
ECID	Identifies the thread of execution that the originating component participates in.
Endpoint	The URI which identifies the endpoint for which the event was triggered. For example, an HTTP require will record the URL.
EnterpriseRoles	This attribute used for enterprise roles audit for rolemembershipmanagement
EntryDN	This attribute is used to audit the entry Distinguished Name
EventCategory	The category of the audit event.
EventStatus	The outcome of the audit event - success or failure
EventType	The type of the audit event. Use wlst listAuditEvents to list out all the events.
FailureCode	The error code in case EventStatus = failure
FaultUri	If processing yielded a fault, the URI of the fault that will be sent.
FederationID	The ID of the federation
FederationType	The type of the federation that is being created or deleted (SP/IdP)
HomeInstance	The ORACLE_INSTANCE directory of the component
HostId	DNS hostname of originating host
HostNwaddr	IP or other network address of originating host
IncomingMessageString	null
IncomingMessageStringCLOB	null
Initiator	Identifies the UID of the user who is doing the operation
InitiatorGUID	This attribute used for initiator guid audit for authorization
InstanceId	Name of the Oracle Instance to which this component belongs.
IssueInstant	The value of the "IssueInstant" attribute of the assertion
Issuer	The value of the "Issuer" attribute of the assertion
JobName	This attribute is used to audit the Scheduler Job Name
JobType	This attribute is used to audit the Scheduler Job Name
key	This is the credential key for the Credential Store
mapName	This is the map name (alias name) for the Credential Store
MessageText	Description of the audit event
MessageType	The type of the message (ex. SSOLoginRequest/SSOLoginResponse/SSOLogoutRequest/...)
Metadata	The provider metadata loaded
ModelObjectName	Name of the Web service or client name against which the policy is being enforced.
ModuleId	ID of the module that originated the message. Interpretation is specific to the Component ID.
NameIDFormat	The format of the NameID of the subject
NameIDQualifier	The qualifier of the nameID of the subject
NameIDValue	The value of the nameID of the subject
NewDataStoreType	The new type of the data store
NewValue	The value of the property after the configuration change
OldNameIDQualifier	The nameID qualifier before the update took place
OldNameIDValue	The nameID value before the update took place
OldValue	The value of the property before the configuration change
Operation	For SOAP requests, the operation for which the event was triggered.
OracleHome	The ORACLE_HOME directory of the component
OutgoingMessageString	null
OutgoingMessageStringCLOB	null
PeerProviderID	The ID of the trusted provider associated with the modified property (If the modified property does not correspond to a trusted provider, this attribute is empty.)
PermissionAction	This attribute used for permission action audit for authorization
PermissionClass	This attribute used for permission class audit for policy store
PermissionScope	This attribute used for permission scope audit for role membership management
PermissionTarget	This attribute used for permission target audit for policy store
PolicyCategory	The category of the policy for which the event was triggered.(comma-separated list)
PolicyChangeType	The type of change that occurred.
PolicyStatus	The status of the policy for which the event was triggered.(comma-separated list)
PolicySubjRescPattern	The policy subject resource pattern which identifies the policy subject for which the event was triggered.
PolicyURI	The URI which identifies the policy for which the event was triggered.(comma-separated list)
Principals	This attribute used for principals audit for role membership management
ProcessId	ID of the process that originated the message
ProcessingStage	Processing stage during which the policy enforcement occurred.
ProfileName	This attribute is used to audit the Sync Profile Name
PropertyContext	The location of the property in the configuration
PropertyName	The name of the configuration property
PropertyType	The type of the property (examples: PropertiesList, PropertiesMap, String, Boolean)
Protocol	The protocol of the request.
ProtocolVersion	The version of the protocol being used (examples: SAML2.0, Libv11)
ProvEvent	This attribute is used to audit the Prov Event
ProviderType	The type of the provider (examples: sp, idp, sp idp)
RID	This is the relationship identifier, it is used to provide the full and correct calling relationships between threads and processes.
Reason	The reason this event occurred
RemoteIP	IP address of the client initiating this event
RemoteProviderID	The provider ID of the remote server
Resource	Identifies a resource that is being accessed. A resource can be many things - web page, file, directory share, web service, XML document, a portlet. The resource can be named as a combination of a host name, and an URI.
Role	The role of Oracle Identity Federation during the protocol step performed (for example Service Provider/ Identity Provider/Attribute Authority/..)
Roles	The roles that the user was granted at the time of login.
SSLConnection	Was SSL connection used by client to transmit request?
ServerConfigAfter	The server configuration after the change
ServerConfigBefore	The server configuration before the change
ServiceEndPoint	The URI which identifies the service for which the event was triggered.
ServiceOperation	Name of the operation performed that changes the service configuration
SessionID	The ID of the current session
SessionId	ID of the login session.
Source	The source of the fault.
Subject	This attribute used for subject audit for authorization
Target	Identifies the UID of the user on whom the operation is being done. E.g. is Alice changes Bob's password, then Alice is the initiator and Bob is the target
TargetComponentType	This is the target component type.
ThreadId	ID of the thread that generated this event
ToVersion	Upper end when deleting a range of policy versions.
TstzOriginating	Date and time when the audit event was generated
Type	The type of cryptographic data being processed (XML, String)
URI	The URI of the fault.
UserID	The identifier of the user in this protocol step
Version	Version of policy that was modified.

C.2 Pre-built Audit Reports

Oracle Fusion Middleware Audit Framework provides a range of out-of-the-box reports that are accessible through Oracle Business Intelligence Publisher. The reports are grouped according to the type of audit data they contain:

Common Audit Reports
Component-Specific Audit Reports

C.2.1 Common Audit Reports

A list of common reports appears in Section 13.5, "Audit Report Details".

C.2.2 Component-Specific Audit Reports

Component-Specific reports are organized as follows:

Oracle Fusion Middleware Audit Framework
- Configuration Changes
Oracle HTTP Server
- Errors and Exceptions
- User Activities
- All Events
Oracle Internet Directory
- Account Management
  - Account Profile History
  - Accounts Deleted
  - Accounts Enabled
  - Password Changes
  - Accounts Created
  - Accounts Disabled
  - Accounts Locked Out
- User Activities
  - Authentication History
  - Authorization History
- Errors and Exceptions
  - All Errors and Exceptions
  - Authentication Failures
  - Authorization Failures
- All Events
Oracle Virtual Directory
- User Activities
  - Authentication History
  - Authorization History
- Errors and Exceptions
  - All Errors and Exceptions
  - Authentication Failures
  - Authorization Failures
- All Events
Reports Server
- User Activities
  - Authentication History
  - Authorization History
- Errors and Exceptions
  - All Errors and Exceptions
  - Authentication Failures
  - Authorization Failures
- All Events
Oracle Directory Integration Platform
- All Errors and Exceptions
- Profile Management Events
- All Events
Oracle Identity Federation
- Errors and Exceptions
  - All Errors and Exceptions
  - Authentication Failures
- All Events
- Federation user Activity
- Authentication History
- Assertion Activity
Oracle Platform Security Services
- Errors and Exceptions
  - All Errors and Exceptions
  - Authentication Failures
- All Events
- Application Role Management
- Credential Management
- Authorization History
- Application Policy Management
- Credential Access
- System Policy Management
Oracle Web Services Manager
- User Activities
  - Authentication History
  - Authorization History
- Errors and Exceptions
  - All Errors and Exceptions
  - Authentication Failures
  - Authorization Failures
- All Events
- Policy Management
  - Assertion Template Management
  - Web Services Policy Management
- Policy Enforcements
  - Confidentiality Enforcements
  - Policy Enforcements
  - Message Integrity Enforcements
  - Violations
- Request Response
- Policy Attachments
Oracle Web Cache
- User Activities
  - Authentication History
  - Authorization History
- Errors and Exceptions
  - All Errors and Exceptions
  - Authentication Failures
  - Authorization Failures
- All Events

C.3 The Audit Schema

If you have additional audit reporting requirements beyond the pre-built reports described in Section C.2, "Pre-built Audit Reports", you can create custom reports using your choice of reporting tools. For example, while the pre-built reports use a subset of the event attributes, you can make use of the entire audit attribute set for an event in creating custom reports.

Table C-14 describes the audit schema, which is useful when building custom reports.

Table C-14 The Audit Schema

Table Name	Column Name	Data Type	Nullable	Column ID
BASE TABLE	IAU_ID	NUMBER	Yes	1
	IAU_ORGID	VARCHAR2(255 Bytes)	Yes	2
	IAU_COMPONENTID	VARCHAR2(255 Bytes)	Yes	3
	IAU_COMPONENTTYPE	VARCHAR2(255 Bytes)	Yes	4
	IAU_INSTANCEID	VARCHAR2(255 Bytes)	Yes	5
	IAU_HOSTINGCLIENTID	VARCHAR2(255 Bytes)	Yes	6
	IAU_HOSTID	VARCHAR2(255 Bytes)	Yes	7
	IAU_HOSTNWADDR	VARCHAR2(255 Bytes)	Yes	8
	IAU_MODULEID	VARCHAR2(255 Bytes)	Yes	9
	IAU_PROCESSID	VARCHAR2(255 Bytes)	Yes	10
	IAU_ORACLEHOME	VARCHAR2(255 Bytes)	Yes	11
	IAU_HOMEINSTANCE	VARCHAR2(255 Bytes)	Yes	12
	IAU_UPSTREAMCOMPONENTID	VARCHAR2(255 Bytes)	Yes	13
	IAU_DOWNSTREAMCOMPONENTID	VARCHAR2(255 Bytes)	Yes	14
	IAU_ECID	VARCHAR2(255 Bytes)	Yes	15
	IAU_RID	VARCHAR2(255 Bytes)	Yes	16
	IAU_CONTEXTFIELDS	VARCHAR2(2000 Bytes)	Yes	17
	IAU_SESSIONID	VARCHAR2(255 Bytes)	Yes	18
	IAU_SECONDARYSESSIONID	VARCHAR2(255 Bytes)	Yes	19
	IAU_APPLICATIONNAME	VARCHAR2(255 Bytes)	Yes	20
	IAU_TARGETCOMPONENTTYPE	VARCHAR2(255 Bytes)	Yes	21
	IAU_EVENTTYPE	VARCHAR2(255 Bytes)	Yes	22
	IAU_EVENTCATEGORY	VARCHAR2(255 Bytes)	Yes	23
	IAU_EVENTSTATUS	NUMBER	Yes	24
	IAU_TSTZORIGINATING	TIMESTAMP(6)	Yes	25
	IAU_THREADID	VARCHAR2(255 Bytes)	Yes	26
	IAU_COMPONENTNAME	VARCHAR2(255 Bytes)	Yes	27
	IAU_INITIATOR	VARCHAR2(255 Bytes)	Yes	28
	IAU_MESSAGETEXT	VARCHAR2(255 Bytes)	Yes	29
	IAU_FAILURECODE	VARCHAR2(255 Bytes)	Yes	30
	IAU_REMOTEIP	VARCHAR2(255 Bytes)	Yes	31
	IAU_TARGET	VARCHAR2(255 Bytes)	Yes	32
	IAU_RESOURCE	VARCHAR2(255 Bytes)	Yes	33
	IAU_ROLES	VARCHAR2(255 Bytes)	Yes	34
	IAU_AUTHENTICATIONMETHOD	VARCHAR2(255 Bytes)	Yes	35
	IAU_TRANSACTIONID	VARCHAR2(255 Bytes)	Yes	36
	IAU_DOMAINNAME	VARCHAR2(255 Bytes)	Yes	37

DIP	IAU_ID	NUMBER	Yes	1
	IAU_TSTZORIGINATING	TIMESTAMP(6)	Yes	2
	IAU_EVENTTYPE	VARCHAR2(255 Bytes)	Yes	3
	IAU_EVENTCATEGORY	VARCHAR2(255 Bytes)	Yes	4
	IAU_ASSOCIATEPROFILENAME	VARCHAR2(512 Bytes)	Yes	5
	IAU_PROFILENAME	VARCHAR2(512 Bytes)	Yes	6
	IAU_ENTRYDN	VARCHAR2(1024 Bytes)	Yes	7
	IAU_PROVEVENT	VARCHAR2(2048 Bytes)	Yes	8
	IAU_JOBNAME	VARCHAR2(128 Bytes)	Yes	9
	IAU_JOBTYPE	VARCHAR2(128 Bytes)	Yes	10

IAU_DISP_NAME_TL	IAU_LOCALE_STR	VARCHAR2(7 Bytes)		1
	IAU_DISP_NAME_KEY	VARCHAR2(255 Bytes)		2
	IAU_COMPONENT_TYPE	VARCHAR2(255 Bytes)		3
	IAU_DISP_NAME_KEY_TYPE	VARCHAR2(255 Bytes)		4
	IAU_DISP_NAME_TRANS	VARCHAR2(4000 Bytes)	Yes	5

IAU_LOCALE_MAP_TL	IAU_LOC_LANG	VARCHAR2(2 Bytes)	Yes	1
	IAU_LOC_CNTRY	VARCHAR2(3 Bytes)	Yes	2
	IAU_LOC_STR	VARCHAR2(7 Bytes)	Yes	3

OPSS	IAU_ID	NUMBER	Yes	1
	IAU_TSTZORIGINATING	TIMESTAMP(6)	Yes	2
	IAU_EVENTTYPE	VARCHAR2(255 Bytes)	Yes	3
	IAU_EVENTCATEGORY	VARCHAR2(255 Bytes)	Yes	4
	IAU_CODESOURCE	VARCHAR2(1024 Bytes)	Yes	5
	IAU_PRINCIPALS	VARCHAR2(1024 Bytes)	Yes	6
	IAU_INITIATORGUID	VARCHAR2(1024 Bytes)	Yes	7
	IAU_SUBJECT	VARCHAR2(1024 Bytes)	Yes	8
	IAU_PERMISSIONACTION	VARCHAR2(1024 Bytes)	Yes	9
	IAU_PERMISSIONTARGET	VARCHAR2(1024 Bytes)	Yes	10
	IAU_PERMISSIONCLASS	VARCHAR2(1024 Bytes)	Yes	11
	IAU_MAPNAME	VARCHAR2(1024 Bytes)	Yes	12
	IAU_KEY	VARCHAR2(1024 Bytes)	Yes	13
	IAU_PERMISSIONSCOPE	VARCHAR2(1024 Bytes)	Yes	14
	IAU_APPLICATIONROLE	VARCHAR2(1024 Bytes)	Yes	15
	IAU_ENTERPRISEROLES	VARCHAR2(1024 Bytes)	Yes	16
	IAU_INITIATORDN	VARCHAR2(1024 Bytes)	Yes	17
	IAU_GUID	VARCHAR2(1024 Bytes)	Yes	18
	IAU_PERMISSION	VARCHAR2(1024 Bytes)	Yes	19
	IAU_MODIFIEDATTRIBUTENAME	VARCHAR2(1024 Bytes)	Yes	20
	IAU_MODIFIEDATTRIBUTEVALUE	VARCHAR2(2048 Bytes)	Yes	21
	IAU_PERMISSIONSETNAME	VARCHAR2(1024 Bytes)	Yes	22
	IAU_RESOURCEACTIONS	VARCHAR2(1024 Bytes)	Yes	23
	IAU_RESOURCETYPE	VARCHAR2(1024 Bytes)	Yes	24

OHS/OHS Component	IAU_ID	NUMBER	Yes	1
	IAU_TSTZORIGINATING	TIMESTAMP(6)	Yes	2
	IAU_EVENTTYPE	VARCHAR2(255 Bytes)	Yes	3
	IAU_EVENTCATEGORY	VARCHAR2(255 Bytes)	Yes	4
	IAU_REASON	CLOB	Yes	5
	IAU_SSLCONNECTION	VARCHAR2(255 Bytes)	Yes	6
	IAU_AUTHORIZATIONTYPE	VARCHAR2(255 Bytes)	Yes	7

OID/OID Component	IAU_ID	NUMBER	Yes	1
	IAU_TSTZORIGINATING	TIMESTAMP(6)	Yes	2
	IAU_EVENTTYPE	VARCHAR2(255 Bytes)	Yes	3
	IAU_EVENTCATEGORY	VARCHAR2(255 Bytes)	Yes	4
	IAU_CUSTEVENTSTATUSDETAIL	VARCHAR2(255 Bytes)	Yes	5
	IAU_CUSTEVENTOP	VARCHAR2(255 Bytes)	Yes	6

OIF	IAU_ID	NUMBER	Yes	1
	IAU_TSTZORIGINATING	TIMESTAMP(6)	Yes	2
	IAU_EVENTTYPE	VARCHAR2(255 Bytes)	Yes	3
	IAU_EVENTCATEGORY	VARCHAR2(255 Bytes)	Yes	4
	IAU_REMOTEPROVIDERID	VARCHAR2(255 Bytes)	Yes	5
	IAU_PROTOCOLVERSION	VARCHAR2(255 Bytes)	Yes	6
	IAU_NAMEIDQUALIFIER	VARCHAR2(255 Bytes)	Yes	7
	IAU_NAMEIDVALUE	VARCHAR2(255 Bytes)	Yes	8
	IAU_NAMEIDFORMAT	VARCHAR2(255 Bytes)	Yes	9
	IAU_SESSIONID	VARCHAR2(255 Bytes)	Yes	10
	IAU_FEDERATIONID	VARCHAR2(255 Bytes)	Yes	11
	IAU_USERID	VARCHAR2(255 Bytes)	Yes	12
	IAU_FEDERATIONTYPE	VARCHAR2(255 Bytes)	Yes	13
	IAU_AUTHENTICATIONMECHANISM	VARCHAR2(255 Bytes)	Yes	14
	IAU_AUTHENTICATIONENGINEID	VARCHAR2(255 Bytes)	Yes	15
	IAU_OLDNAMEIDQUALIFIER	VARCHAR2(255 Bytes)	Yes	16
	IAU_OLDNAMEIDVALUE	VARCHAR2(255 Bytes)	Yes	17
	IAU_BINDING	VARCHAR2(255 Bytes)	Yes	18
	IAU_ROLE	VARCHAR2(255 Bytes)	Yes	19
	IAU_MESSAGETYPE	VARCHAR2(255 Bytes)	Yes	20
	IAU_ASSERTIONVERSION	VARCHAR2(255 Bytes)	Yes	21
	IAU_ISSUEINSTANT	VARCHAR2(255 Bytes)	Yes	22
	IAU_ISSUER	VARCHAR2(255 Bytes)	Yes	23
	IAU_ASSERTIONID	VARCHAR2(255 Bytes)	Yes	24
	IAU_INCOMINGMESSAGESTRING	VARCHAR2(3999 Bytes)	Yes	25
	IAU_INCOMINGMESSAGESTRINGCLOB	CLOB	Yes	26
	IAU_OUTGOINGMESSAGESTRING	VARCHAR2(3999 Bytes)	Yes	27
	IAU_OUTGOINGMESSAGESTRINGCLOB	CLOB	Yes	28
	IAU_TYPE	VARCHAR2(255 Bytes)	Yes	29
	IAU_PROPERTYNAME	VARCHAR2(255 Bytes)	Yes	30
	IAU_PROPERTYTYPE	VARCHAR2(255 Bytes)	Yes	31
	IAU_PEERPROVIDERID	VARCHAR2(255 Bytes)	Yes	32
	IAU_PROPERTYCONTEXT	VARCHAR2(255 Bytes)	Yes	33
	IAU_DESCRIPTION	VARCHAR2(255 Bytes)	Yes	34
	IAU_OLDVALUE	VARCHAR2(255 Bytes)	Yes	35
	IAU_NEWVALUE	VARCHAR2(255 Bytes)	Yes	36
	IAU_PROVIDERTYPE	VARCHAR2(255 Bytes)	Yes	37
	IAU_COTBEFORE	CLOB	Yes	38
	IAU_COTAFTER	CLOB	Yes	39
	IAU_SERVERCONFIGBEFORE	CLOB	Yes	40
	IAU_SERVERCONFIGAFTER	CLOB	Yes	41
	IAU_DATASTOREBEFORE	CLOB	Yes	42
	IAU_DATASTOREAFTER	CLOB	Yes	43
	IAU_METADATA	VARCHAR2(255 Bytes)	Yes	44
	IAU_NEWDATASTORETYPE	VARCHAR2(255 Bytes)	Yes	45
	IAU_DATASTORENAME	VARCHAR2(255 Bytes)	Yes	46

OVD/OVD Component	IAU_ID	NUMBER	Yes	1
	IAU_TSTZORIGINATING	TIMESTAMP(6)	Yes	2
	IAU_EVENTTYPE	VARCHAR2(255 Bytes)	Yes	3
	IAU_EVENTCATEGORY	VARCHAR2(255 Bytes)	Yes	4
	IAU_SERVICEOPERATION	VARCHAR2(255 Bytes)	Yes	5

OWSM Agent	IAU_ID	NUMBER	Yes	1
	IAU_TSTZORIGINATING	TIMESTAMP(6)	Yes	2
	IAU_EVENTTYPE	VARCHAR2(255 Bytes)	Yes	3
	IAU_EVENTCATEGORY	VARCHAR2(255 Bytes)	Yes	4
	IAU_APPNAME	VARCHAR2(255 Bytes)	Yes	5
	IAU_ASSERTIONNAME	VARCHAR2(255 Bytes)	Yes	6
	IAU_COMPOSITENAME	VARCHAR2(255 Bytes)	Yes	7
	IAU_ENDPOINT	VARCHAR2(4000 Bytes)	Yes	8
	IAU_AGENTMODE	VARCHAR2(255 Bytes)	Yes	9
	IAU_MODELOBJECTNAME	VARCHAR2(255 Bytes)	Yes	10
	IAU_OPERATION	VARCHAR2(255 Bytes)	Yes	11
	IAU_PROCESSINGSTAGE	VARCHAR2(255 Bytes)	Yes	12
	IAU_VERSION	NUMBER	Yes	13
	IAU_PROTOCOL	VARCHAR2(255 Bytes)	Yes	14

OWSM_PM_EJB	IAU_ID	NUMBER	Yes	1
	IAU_TSTZORIGINATING	TIMESTAMP(6)	Yes	2
	IAU_EVENTTYPE	VARCHAR2(255 Bytes)	Yes	3
	IAU_EVENTCATEGORY	VARCHAR2(255 Bytes)	Yes	4
	IAU_VERSION	NUMBER	Yes	5
	IAU_TOVERSION	NUMBER	Yes	6

ReportsServer/ReportsServer Components	IAU_ID	NUMBER	Yes	1
	IAU_TSTZORIGINATING	TIMESTAMP(6)	Yes	2
	IAU_EVENTTYPE	VARCHAR2(255 Bytes)	Yes	3
	IAU_EVENTCATEGORY	VARCHAR2(255 Bytes)	Yes	4


WebCache/ WebCache Component	IAU_ID	NUMBER	Yes	1
	IAU_TSTZORIGINATING	TIMESTAMP(6)	Yes	2
	IAU_EVENTTYPE	VARCHAR2(255 Bytes)	Yes	3
	IAU_EVENTCATEGORY	VARCHAR2(255 Bytes)	Yes	4


WebServices	IAU_ID	NUMBER	Yes	1
	IAU_TSTZORIGINATING	TIMESTAMP(6)	Yes	2
	IAU_EVENTTYPE	VARCHAR2(255 Bytes)	Yes	3
	IAU_EVENTCATEGORY	VARCHAR2(255 Bytes)	Yes	4
	IAU_PROTOCOL	VARCHAR2(255 Bytes)	Yes	5
	IAU_ENDPOINT	VARCHAR2(4000 Bytes)	Yes	6
	IAU_OPERATION	VARCHAR2(255 Bytes)	Yes	7
	IAU_FAULTURI	VARCHAR2(4000 Bytes)	Yes	8
	IAU_URI	VARCHAR2(4000 Bytes)	Yes	9
	IAU_SOURCE	VARCHAR2(255 Bytes)	Yes	10

WS_Policy Attachment	IAU_ID	NUMBER	Yes	1
	IAU_TSTZORIGINATING	TIMESTAMP(6)	Yes	2
	IAU_EVENTTYPE	VARCHAR2(255 Bytes)	Yes	3
	IAU_EVENTCATEGORY	VARCHAR2(255 Bytes)	Yes	4
	IAU_PROTOCOL	VARCHAR2(255 Bytes)	Yes	5
	IAU_ENDPOINT	VARCHAR2(4000 Bytes)	Yes	6
	IAU_OPERATION	VARCHAR2(255 Bytes)	Yes	7
	IAU_FAULTURI	VARCHAR2(4000 Bytes)	Yes	8
	IAU_URI	VARCHAR2(4000 Bytes)	Yes	9
	IAU_SOURCE	VARCHAR2(255 Bytes)	Yes	10

OAM (Oracle Access Manager)	IAU_ID	NUMBER	Yes	1
	IAU_TSTZORIGINATING	TIMESTAMP(6)	Yes	2
	IAU_EVENTTYPE	VARCHAR2(255)	Yes	3
	IAU_EVENTCATEGORY	VARCHAR2(255)	Yes	4
	IAU_APPLICATIONDOMAINNAME	VARCHAR2(40)	Yes	5
	IAU_AUTHENTICATIONSCHEMEID	VARCHAR2(40)	Yes	6
	IAU_AGENTID	VARCHAR2(40)	Yes	7
	IAU_SSOSESSIONID	VARCHAR2(100)	Yes	8
	IAU_ADDITIONALINFO	VARCHAR2(1000)	Yes	9
	IAU_AUTHORIZATIONSCHEME	VARCHAR2(40)	Yes	10
	IAU_USERDN	VARCHAR2(255)	Yes	11
	IAU_RESOURCEID	VARCHAR2(40)	Yes	12
	IAU_AUTHORIZATIONPOLICYID	VARCHAR2(40)	Yes	13
	IAU_AUTHENTICATIONPOLICYID	VARCHAR2(255)	Yes	14
	IAU_USERID	VARCHAR2(40)	Yes	15
	IAU_RESOURCEHOST	VARCHAR2(255)	Yes	16
	IAU_REQUESTID	VARCHAR2(255)	Yes	17
	IAU_POLICYNAME	VARCHAR2(40)	Yes	18
	IAU_SCHEMENAME	VARCHAR2(40)	Yes	19
	IAU_RESOURCEHOSTNAME	VARCHAR2(100)	Yes	20
	IAU_OLDATTRIBUTES	VARCHAR2(1000)	Yes	21
	IAU_NEWATTRIBUTES	VARCHAR2(1000)	Yes	22
	IAU_SCHMETYPE	VARCHAR2(40)	Yes	23
	IAU_RESPONSETYPE	VARCHAR2(40)	Yes	24
	IAU_AGENTTYPE	VARCHAR2(40)	Yes	25
	IAU_CONSTRAINTTYPE	VARCHAR2(40)	Yes	26
	IAU_INSTANCENAME	VARCHAR2(40)	Yes	27
	IAU_DATASOURCENAME	VARCHAR2(100)	Yes	28
	IAU_DATASOURCETYPE	VARCHAR2(100)	Yes	29
	IAU_HOSTIDENTIFIERNAME	VARCHAR2(100)	Yes	30
	IAU_RESOURCEURI	VARCHAR2(255)	Yes	31
	IAU_RESOURCETEMPLATENAME	VARCHAR2(100)	Yes	32

OAAM (Oracle Adaptive Access Manager)	IAU_ID	NUMBER	Yes	1
	IAU_TSTZORIGINATING	TIMESTAMP(6)	Yes	2
	IAU_EVENTTYPE	VARCHAR2(255)	Yes	3
	IAU_EVENTCATEGORY	VARCHAR2(255)	Yes	4
	IAU_ACTIONNOTES	VARCHAR2(4000)	Yes	5
	IAU_CASEACTIONENUM	NUMBER(38)	Yes	6
	IAU_CASEACTIONRESULT	NUMBER	Yes	7
	IAU_CASECHALLENGEQUESTION	VARCHAR2(4000)	Yes	8
	IAU_CASECHALLENGERESULT	NUMBER(38)	Yes	9
	IAU_CASEDISPOSITION	NUMBER(38)	Yes	10
	IAU_CASEEXPRDURATIONINHRS	NUMBER(38)	Yes	11
	IAU_CASEID	NUMBER	Yes	12
	IAU_CASEIDS	VARCHAR2(4000)	Yes	13
	IAU_CASESEVERITY	NUMBER(38)	Yes	14
	IAU_CASESTATUS	NUMBER(38)	Yes	15
	IAU_CASESUBACTIONENUM	NUMBER(38)	Yes	16
	IAU_DESCRIPTION	VARCHAR2(4000)	Yes	17
	IAU_GROUPID	NUMBER	Yes	18
	IAU_GROUPIDS	VARCHAR2(4000)	Yes	19
	IAU_GROUPNAME	VARCHAR2(4000)	Yes	20
	IAU_GROUPDETAILS	VARCHAR2(4000)	Yes	21
	IAU_GROUPELEMENTID	NUMBER	Yes	22
	IAU_GROUPELEMENTIDS	NUMBER	Yes	23
	IAU_GROUPELEMENTVALUE	VARCHAR2(4000)	Yes	24
	IAU_GROUPELEMENTSDETAILS	VARCHAR2(4000)	Yes	25
	IAU_KBACATEGORYID	NUMBER	Yes	26
	IAU_KBACATEGORYIDS	VARCHAR2(4000)	Yes	27
	IAU_KBACATEGORYNAME	VARCHAR2(4000)	Yes	28
	IAU_KBACATEGORYDETAILS	VARCHAR2(4000)	Yes	29
	IAU_KBAQUESTIONID	NUMBER	Yes	30
	IAU_KBAQUESTIONIDS	VARCHAR2(4000)	Yes	31
	IAU_KBAQUESTION	VARCHAR2(4000)	Yes	32
	IAU_KBAQUESTIONTYPE	NUMBER(38)	Yes	33
	IAU_KBAQUESTIONDETAILS	VARCHAR2(4000)	Yes	34
	IAU_KBAVALIDATIONID	NUMBER	Yes	35
	IAU_KBAVALIDATIONIDS	VARCHAR2(4000)	Yes	36
	IAU_KBAVALIDATIONNAME	VARCHAR2(4000)	Yes	37
	IAU_KBAVALIDATIONDETAILS	VARCHAR2(4000)	Yes	38
	IAU_KBAREGLOGICDETAILS	VARCHAR2(4000)	Yes	39
	IAU_KBAANSWERLOGICDETAILS	VARCHAR2(4000)	Yes	40
	IAU_LOGINID	VARCHAR2(255)	Yes	41
	IAU_POLICYDETAILS	VARCHAR2(4000)	Yes	42
	IAU_POLICYID	NUMBER	Yes	43
	IAU_POLICYIDS	VARCHAR2(4000)	Yes	44
	IAU_POLICYNAME	NUMBER	Yes	45
	IAU_POLICYOVERRIDEDETAILS	VARCHAR2(4000)	Yes	46
	IAU_POLICYOVERRIDEID	NUMBER	Yes	47
	IAU_POLICYOVERRIDEIDS	VARCHAR2(4000)	Yes	48
	IAU_POLICYOVERRIDEROWID	NUMBER	Yes	49
	IAU_POLICYRULEMAPID	NUMBER	Yes	50
	IAU_POLICYRULEMAPIDS	VARCHAR2(4000)	Yes	51
	IAU_POLICYRULEMAPDETAILS	VARCHAR2(4000)	Yes	52
	IAU_RULEID	NUMBER	Yes	53
	IAU_RULECONDITIONID	NUMBER	Yes	54
	IAU_RULECONDITIONIDS	VARCHAR2(4000)	Yes	55
	IAU_RULENAME	VARCHAR2(4000)	Yes	56
	IAU_RULEDETAILS	VARCHAR2(4000)	Yes	57
	IAU_RULECONDITIONMAPID	NUMBER	Yes	58
	IAU_RULECONDITIONMAPIDS	VARCHAR2(4000)	Yes	59
	IAU_RULEPARAMVALUEDETAILS	VARCHAR2(4000)	Yes	60
	IAU_SOURCEPOLICYID	NUMBER	Yes	61
	IAU_USERGROUPNAME	VARCHAR2(255)	Yes	62
	IAU_USERID	NUMBER	Yes	63
	IAU_USERIDS	VARCHAR2(4000)	Yes	64

C.4 WLST Commands for Auditing

WLST is the command-line utility for administration of Oracle Fusion Middleware components and applications. It provides another option for administration in addition to Oracle Enterprise Manager Fusion Middleware Control.

Use the WLST commands listed in Table C-15 to view and manage audit policies and the audit store configuration.

Note:

When running audit WLST commands, you must invoke the WLST script from the Oracle Common home. See "Using Custom WLST Commands" in the Oracle Fusion Middleware Administrator's Guide for more information.

Table C-15 WLST Audit Commands

Use this command...	To...	Use with WLST...
getNonJavaEEAuditMBeanName	Display the mBean name for a system component.	Online
getAuditPolicy	Display audit policy settings.	Online
setAuditPolicy	Update audit policy settings.	Online
getAuditRepository	Display audit store settings.	Online
setAuditRepository	Update audit store settings.	Online
listAuditEvents	List audit events for one or all components.	Online
exportAuditConfig	Export a component's audit configuration.	Online
importAuditConfig	Import a component's audit configuration.	Online

C.4.1 getNonJavaEEAuditMBeanName

Online command that displays the mbean name for system components.

The MBean name must be provided when using WLST commands for system components; since the MBean name can have a complex composition, use this command to get the name.

C.4.1.1 Description

This command displays the mbean name for system components given the instance name, component name, component type, and the name of the Oracle WebLogic Server on which the component's audit mbean is running. The mbean name is a required parameter to other audit WLST commands when managing a system component.

C.4.1.2 Syntax

getNonJavaEEAuditMBeanName('instance-name', 'component-name', 'component-type')

Argument	Definition
instName	Specifies the name of the application server instance.
compName	Specifies the name of the component instance.
compType	Specifies the type of component. Valid values are ohs, oid, ovd, and WebCache.

C.4.1.3 Example

The following interactive command displays the mBean name for an Oracle Internet Directory component:

wls:/mydomain/serverConfig> getNonJavaEEAuditMBeanName(instName='inst1', compName='oid1', compType='oid')

C.4.2 getAuditPolicy

Online command that displays the audit policy settings.

C.4.2.1 Description

Online command that displays audit policy settings including the audit level, special users, custom events, maximum log file size, and maximum log directory size. The component mbean name is an optional parameter. If no parameter is provided, the domain audit policy is displayed.

C.4.2.2 Syntax

getAuditPolicy(['mbeanName'])

Argument	Definition
mbeanName	Specifies the name of the component audit MBean for system components.

C.4.2.3 Example

The following command displays the audit settings for all JavaEE components configured in the WebLogic Server domain:

wls:/mydomain/serverConfig> getAuditPolicy()

The following command displays the audit settings for MBean CSAuditProxyMBean:

wls:/mydomain/serverConfig> getAuditPolicy(on='oracle.security.audit.test:type=CSAuditMBean,
name=CSAuditProxyMBean')

C.4.3 setAuditPolicy

Online command that updates an audit policy.

C.4.3.1 Description

Online command that configures the audit policy settings. You can set the audit level, add or remove special users, and add or remove custom events. The component mbean name is required for system components like Oracle Internet Directory and Oracle Virtual Directory.

Remember to call save after issuing setAuditPolicy for system components. Otherwise, the new settings will not take effect.

C.4.3.2 Syntax

setAuditPolicy(['mbeanName'],['filterPreset'],['addSpecialUsers'],
['removeSpecialUsers'],['addCustomEvents'],['removeCustomEvents'])

Argument	Definition
mbeanName	Specifies the name of the component audit MBean for system components.
filterPreset	Specifies the audit level to be changed.
addSpecialUsers	Specifies the special users to be added.
removeSpecialUsers	Specifies the special users to be removed.
addCustomEvents	Specifies the custom events to be added.
removeCustomEvents	Specifies the custom events to be removed.

C.4.3.3 Example

The following interactive command a) sets the audit level to Low, and b) adds users user2 and user3 while removing user user1 from the policy:

wls:/mydomain/serverConfig> setAuditPolicy (filterPreset='Low',addSpecialUsers='user2,user3',removeSpecialUsers='user1')

The following interactive command adds login events while removing logout events from the policy:

wls:/mydomain/serverConfig> setAuditPolicy(filterPreset='Custom',addCustomEvents='UserLogin',removeCustomEvents='UserLogout')

C.4.4 getAuditRepository

Online command that displays audit store settings.

C.4.4.1 Description

Online command that displays audit store settings for Java components and applications (for system components like Oracle Internet Directory, the configuration resides in opmn.xml). Also displays database configuration if the data is stored in a database.

C.4.4.2 Syntax

getAuditRepository

C.4.4.3 Example

The following command displays audit store configuration:

wls:/mydomain/serverConfig> getAuditRepository()

C.4.5 setAuditRepository

Online command that updates audit store settings.

C.4.5.1 Description

Online command that sets the audit store settings for Java components and applications (for system components like Oracle Internet Directory, the store is configured by editing opmn.xml).

C.4.5.2 Syntax

setAuditRepository(['switchToDB'],['dataSourceName'],['interval'])

Argument	Definition
switchToDB	If `true`, switches the store from file to database.
dataSourceName	Specifies the name of the data source.
interval	Specifies intervals at which the audit loader moves file records to the database.

C.4.5.3 Example

The following interactive command changes audit store to a database defined by the data source jdbcAuditDB and sets the audit loader interval to 14 seconds:

wls:/mydomain/serverConfig> setAuditRepository(switchToDB='true',dataSourceName='jdbcAuditDB',interval='14')

Note:

The data source is created using the Oracle WebLogic Server administration console.

C.4.6 listAuditEvents

Online command that displays the definition of a component's audit events, including its attributes.

C.4.6.1 Description

This command displays a component's audit events and attributes. For system components, pass the component mbean name as a parameter. Java applications and services like Oracle Platform Security Services (OPSS) do not need the mbean parameter. Without a component type, all generic attributes applicable to all components are displayed.

C.4.6.2 Syntax

listAuditEvents(['mbeanName'],['componentType'])

Argument	Definition
mbeanName	Specifies the name of the component MBean.
componentType	Specifies the component type.

C.4.6.3 Example

The following command displays audit events for an Oracle Internet Directory instance:

wls:/mydomain/serverConfig> listAuditEvents(on='oracle.as.management.mbeans.register:
type=component.auditconfig,name=auditconfig1,instance=oid1,component=oid')

The following command displays audit events for Oracle Identity Federation:

wls:/mydomain/serverConfig> listAuditEvents(componentType='oif')

C.4.7 exportAuditConfig

Online command that exports a component's audit configuration.

C.4.7.1 Description

This command exports the audit configuration to a file. For system components, pass the component mbean name as a parameter. Java applications and services like Oracle Platform Security Services (OPSS) do not need the mbean parameter.

C.4.7.2 Syntax

exportAuditConfig(['mbeanName'],fileName')

Argument	Definition
mbeanName	Specifies the name of the system component MBean.
fileName	Specifies the path and file name to which the audit configuration should be exported.

C.4.7.3 Example

The following interactive command exports the audit configuration for a component:

wls:/mydomain/serverConfig> exportAuditConfig(on='oracle.security.audit.test:type=CSAuditMBean,name=CSAuditProxyMBean',fileName='/tmp/auditconfig')

The following interactive command exports the audit configuration for a component; no mBean is specified:

wls:/mydomain/serverConfig> exportAuditConfig(fileName='/tmp/auditconfig')

C.4.8 importAuditConfig

Online command that imports a component's audit configuration.

C.4.8.1 Description

This command imports the audit configuration from an external file. For system components, pass the component mbean name as a parameter. Java applications and services like Oracle Platform Security Services (OPSS) do not need the mbean parameter.

Remember to call save after issuing importAuditConfig for system components. Otherwise, the new settings will not take effect.

C.4.8.2 Syntax

importAuditConfig(['mbeanName'],'fileName')

Argument	Definition
mbeanName	Specifies the name of the system component MBean.
fileName	Specifies the path and file name from which the audit configuration should be imported.

C.4.8.3 Example

The following interactive command imports the audit configuration for a component:

wls:/mydomain/serverConfig> importAuditConfig(on='oracle.security.audit.test:type=CSAuditMBean,name=CSAuditProxyMBean',fileName='/tmp/auditconfig')

The following interactive command imports the audit configuration for a JavaEE application (no mBean is specified):

wls:/mydomain/serverConfig> importAuditConfig(fileName='/tmp/auditconfig')

C.5 Audit Filter Expression Syntax

When you select a custom audit policy, you have the option of specifying a filter expression along with an event.

For example, you can use the following expression:

Host Id -eq "myhost123"

to enable the audit event for a particular host only.

You enter this expression either through the Fusion Middleware Control Edit Filter Dialog or through the setAuditPolicy WLST command.

C.6 Naming and Logging Format of Audit Files

This section explains the rules that are used to maintain audit files.

For Java components (both JavaEE and JavaSE), the file containing audit records is named "audit.log".

When that file is full (it reaches the configured maximum audit file size which is 100MB), it is renamed to "audit1.log" and a new "audit.log" is created. If this file too gets full, the audit.log file is renamed to "audit2.log" and a new audit.log is created.

This continues until the configured maximum audit directory size is reached (default is 0, which means unlimited size). When the max directory size is reached, the oldest auditn.log file is deleted.

If you have configured a database audit store, then the audit loader reads these files and transfers the records to the database in batches. After reading a complete audit<n>.log file, it deletes the file.

Note:

The audit loader never deletes the "current" file, that is, audit.log; it only deletes archive files audit<n>.log.

OPMN-managed components follow the same model, except the file name is slightly different. It has the process ID embedded in the file name; thus, if the process id is 11925 the current file is called "audit-pid11925.log", and after rotation it will be called audit-pid11925-1.log

Here is a sample audit.log file:

#Fields:Date Time Initiator EventType EventStatus MessageText HomeInstance ECID RID ContextFields SessionId TargetComponentType ApplicationName EventCategory ThreadId InitiatorDN TargetDN FailureCode RemoteIP Target Resource Roles CodeSource InitiatorGUID Principals PermissionAction PermissionClass mapName key
#Remark Values:ComponentType="JPS"
2008-12-08 10:46:05.492 - "CheckAuthorization" true "Oracle Platform Security Authorization Check Permission SUCCEEDED." - - - - - - - "Authorization" "48" - - "true" - - "(oracle.security.jps.service.policystore.PolicyStoreAccessPermission context=APPLICATION,name=SimpleServlet getApplicationPolicy)" - "file:/oracle/work/middleware/oracle_common/modules/oracle.jps_11.1.1/jps-internal.jar" - "[]" - - - -

This file follows the W3C extended logging format, which is a very common log format that is used by many Web Servers e.g. Apache and IIS:

The first line is a "#Fields" line; it specifies all the fields in the rest of the file.
The second line is a comment like "#Remark" which has a comment indicating some common attributes like the ComponentType.
All subsequent lines are data lines; they follow the exact format defined in the "#Fields" line. All attributes are separated by spaces, mussing attributes are indicated by a dash.