This chapter describes how to configure audit reporting with Oracle Business Intelligence Publisher and how to view audit reports. It contains these topics:
Note:
If you are using a different report application for audit reporting, see Section 28.7.
When your audit data resides in a database, you can run pre-defined Oracle Business Intelligence Publisher reports and create your own reports on the data. This section contains these topics about configuring your environment for audit reports:
Set Up Oracle Reports in Oracle Business Intelligence Publisher
Configure Scheduler in Oracle Business Intelligence Publisher
See Also:
Oracle Business Intelligence Publisher Enterprise documentation at:
Reports help auditors determine whether there are any violations with respect to various industry regulations such as HIPPA, SOX, and other regulatory compliance demands. Oracle Fusion Middleware Audit Framework is integrated with Oracle Business Intelligence Publisher for out-of-the box reports.
Pre-defined reports are available as part of the Oracle Fusion Middleware Audit Framework. These reports are integrated with Oracle Business Intelligence Publisher to work in conjunction with the audit data in the audit store.
Oracle Fusion Middleware Audit Framework ships with over twenty pre-built reports in 11g Release 1 (11.1.1). For convenience, the reports are grouped in Oracle Business Intelligence Publisher according to functional areas and by component.
The functional areas consists of the following:
Error and Exception reports like authentication and authorization failures
User Activities including transaction history and authorization history
Operational reports including created, deleted, and locked-out users
Audit Service Events
The component-specific reports, as the name implies, are grouped based on the components themselves, for example, Oracle HTTP Server reports and Oracle Identity Federation reports.
Other features of Oracle Business Intelligence Publisher include:
Flexible Report Displays
You can view reports online, change report parameters, change output types (pdf, html, rtf, excel and others), modify the appearance of reports, export to the desired format, and send to an E-mail address, fax or other destination.
Report Filters
You can filter audit records to be included in the report using a range of options including the ability to modify the SQL used to extract records from the audit repository.
Scheduling Reports
You can schedule reports to be run based on a range of criteria such as filters, templates, formats, locale, viewing restrictions and so on.
See Also:
For more information about scheduling features, see the Oracle Business Intelligence Publisher Enterprise documentation at:
Custom Reporting
You can design your own reports and specify the data model, layout, parameters, bursting (for example, you can enable delivery based on delivery preference).
See Also:
Section L.19, "Troubleshooting Oracle Business Intelligence Reporting" for troubleshooting tips and other useful information about Oracle Business Intelligence
Oracle Business Intelligence Publisher Enterprise documentation at:
All the auditing reports available in Oracle Business Intelligence Publisher provide these report filtering and formatting options:
View - View the report using the current parameters.
Schedule - Set up a schedule for the report along with job parameters and data filters.
History
Edit - Modify the query and parameter display formats.
Configure - Set up runtime configuration controls.
Export
If you already have Oracle Business Intelligence Publisher 10.1.3.4 or later installed at your site, you can skip this section and go to Section 14.1.3, "Set Up Oracle Reports in Oracle Business Intelligence Publisher".
If you need to install Oracle Business Intelligence Publisher, follow the instructions provided with the Oracle Business Intelligence Publisher Companion CD.
See Also:
Oracle Business Intelligence Publisher Enterprise documentation at:
In this section you configure Oracle Business Intelligence Publisher to work with the audit datasource.
Note:
11g Release 1 (11.1.1.4.0) PS3 reports can work only with an 11g Release 1 (11.1.1.4.0) PS3 schema; they cannot work with an earlier schema such as 11g Release 1 (11.1.1).
Details about upgrading schemas with the Patch Set Assistant are available in the Oracle Fusion Middleware Patching Guide.
Take these steps to set up Oracle Business Intelligence Publisher for use with audit reports:
Navigate to the Reports folder in your Oracle Business Intelligence Publisher installation. By default, the Reports folder is at %BIP_HOME%\XMLP\Report
s.
Unjar the AuditReportTemplates.jar
into your Reports
folder. You should see a new folder called Oracle_Fusion_Middleware_Audit. You can find AuditReportTemplates.jar
at:
$MW_ORA_HOME/oracle_common/modules/oracle.iau_11.1.1/reports/ AuditReportTemplates.jar
Set up the data source for audit repository as follows:
Navigate to the Admin tab.
If you deployed on Oracle WebLogic Server in Step 1, set up JNDI as follows:
Click JNDI Connection.
Click Add DataSource.
Specify the DataSource details:
Name the Data Source Audit
.
Note:
The reports refer to the audit data source, so the naming convention is important.
JNDI Name - 'jdbc/AuditDB'
Test for a successful connection. If the connection is not successful, check the values you entered.
Press Apply to save your changes.
If you deployed on Oracle Containers for Java EE in Step 1, set up JNDI as follows:
Click JDBC Connection.
Click Add DataSource.
Specify the DataSource details:
Name the Data Source Audit
.
Note:
The reports refer to the audit data source, so the naming convention is important.
Enter the details for the URL, username, and password for the audit schema. (Note: The username and password consist of a prefix plus the audit schema name, which is IAU_VIEWER. For example, dev_iau_viewer or test_iau_viewer.)
Test for a successful connection. If the connection is not successful, check the values you entered.
Press Apply to save your changes.
You can use the standard audit reports in their default formats out-of-the-box. However, if you wish to customize the appearance and other related aspects of the reports, you do so by setting up audit report templates.
From a report's Edit dialog, you can click the Layout option in the left panel to control layouts and output formats. Using this feature, you can:
Customize the report template and design your own layout; for example you can rearrange fields and highlight selected field labels.
Restrict the formats to which the report output is generated - by default, a large number of output formats are available including HTML, PDF, Excel spreadsheet, RTF, and others.
See Also:
Oracle Business Intelligence Publisher User's Guide.
You can use the standard audit reports in their default formats out-of-the-box. However, if you wish to customize the scope of data and other related aspects of the reports, you do so by setting up audit report filters.
Oracle Business Intelligence Publisher provides both basic and advanced filtering options for your audit reports.
See Also:
Oracle Business Intelligence Publisher User's Guide.
Clicking on the report's Schedule button brings up a page which you can use to schedule and administer the report.
In the Report Parameters area you can provide high-level filters to restrict the report:
Date Filters
show only recent audit records such as last hour or last week
show records generated within a specified starting and ending dates
limit number of records returned
Selected Report Fields
For example, the Authentication Failures report can be filtered by:
Username
Component Type
Component Name
Application Name
Domain Name
Clicking on the report's Edit button brings up a page at which you can specify more detailed report filters and properties. This page consists of two panels. The left panel lets you select what element of the report is to be modified through these options. For each element you select, the right panel displays the corresponding information.
Data Model - This contains the SQL query that fetches the raw data for the report. The query can be modified according to your needs.
List of Values - Shows all the report columns. Selecting on a column displays the underlying SQL query that filters data for the attribute. You can modify the query as needed; for example you can specify more restrictive filter values.
Parameters - Shows all the report columns, and lets you select any column to modify display settings for that column. For example, you can specify a date display format for timestamp fields.
Layouts and output formats - This feature is described in Section 14.1.6, "Configure Scheduler in Oracle Business Intelligence Publisher".
Clicking on the report's Schedule button brings up a page which you can use to schedule and administer the report. Information you can specify on this page includes:
Note:
This feature assumes that the Oracle Business Intelligence Publisher repository is already configured.
Report Parameters - filters to restrict the data included in the report, for example records for the last hour only.
Job Properties - the job name, formatting locale and time zone, and so on.
Notification - one or more users to be notified by E-mail when the job completes or fails.
Time - report scheduling options; the report can be scheduled to run periodically or on a one-time basis.
Delivery - deliver the report to one or more users
Oracle Fusion Middleware Audit Framework ships with a set of pre-defined reports that are designed to work, out-of-the-box, with Oracle Fusion Middleware components. These reports are organized into two main categories:
Common Reports
These reports capture common events such as authentication success and failures, account-related status (lockout, disabled, and so on). Many components have implemented audit capability for these common events. The common reports are located under the Common Reports subfolder of the Audit Reports, and all audit-enabled events from across the components are captured in these reports.
For example, "Authentication History" displays authentication history across all the components where authentication events are being captured.
You can use these reports to examine audit records for a specific area across components or to examine the audit records of a single user across multiple components for that specific area.
Component-specific Reports
These reports focus on individual components. They are needed because not all audit events may be relevant to each component. The Component Specific folder serves two purposes. First, it identifies the valid reports among the Common Reports that are relevant to the component and show only the audit records for that component. Secondly, for some components, component-specific reports have been defined to suit the specific needs of that component. While audit records themselves are generic for all the components, the representation of an audit record may have component-specific requirements. For example, an access policy may need to be shown in a format to be useful.
For example, you can locate the Authentication History report in the Common folder, where it displays authentication events for all components. You can also find the same report under a component-specific folder, where it displays authentication events for that component only.
There is also a generic report at the top level called "All Events", which shows all the events across all audit-enabled components. The "All Events" report is also available in each component-specific folder, to show all the events for individual components.
This report can be used to query audit data.
This section explains how to view audit reports using Oracle Business Intelligence Publisher.
Take these steps to view an audit report:
Log in to Oracle Business Intelligence Publisher using a URL of the form:
http://
host.domain.com:port/
xmlpserver/
On the main page, click Oracle Fusion Middleware Audit under Shared Folders.
The audit reports are organized into:
reports that are common to multiple components; these are further organized by report types
reports that are specific to a component; these are further organized by component
See Also:
Table 14-1 for a description of the standard reports.
Navigate to the report of interest; for example, you can click on the Common Reports folder, then Errors and Exceptions, then click on All Errors and Exceptions.
The report is displayed.
The report display page contains these major areas:
Filters at the top of the page enable you to determine the type, scope, and number of records to include in the report. These filters include:
User
Start and End Dates
Last n time period
Component type and name
Application Name
Domain Name
Use relevant filters to limit the report to the desired records.
Note:
Initially, the report is displayed with default filter values that you can modify.
Format control buttons enable you to determine:
the template type, which can be:
HTML - This is the default display format.
PDF - Displays a printable PDF view.
Data - Displays an unformatted XML data set.
To change the template type while viewing a report, select the type from the drop-down list and click View.
output format
delivery options
The report record display area. The appearance and number of columns depend on previously selected options and filters.
Each column header also acts as a sort option.
View, save or export the report as desired.
This section uses a common scenario to demonstrate how Oracle Business Intelligence Publisher reports are used to view audit data generated by Oracle Platform Security Services events.
In this example, some activity is generated on the credential store for an Oracle WebLogic Server domain. We then use Oracle Business Intelligence Publisher to take a look at the relevant report to see the audit records. Subsequently, a few other reports are examined.
As the system administrator, locate the domain whose credentials are to be managed.
Use the relevant commands to generate some credential management records; for example, create and delete some user credentials.
See Also:
Section 10.3, "Managing the Credential Store" for details about credential management.
Log in to Oracle Business Intelligence Publisher using a URL of the form:
http://
host.domain.com:port/
xmlpserver/
Under the Reports tab, click on Shared Folders, and select Fusion Middleware Audit.
On the main page, click Fusion Middleware Audit under Shared Folders.
The audit report menu appears. Audit reports are organized in various folders by type.
To view audit records for Oracle Platform Security Services, for example, navigate to the Component Specific folder, then Oracle Platform Security Services.
The Oracle Platform Security Services folder contains several reports. Click All Events.
The report shows activity in a default time range. Modify the time range to show only the day's events.
The activity performed on that day appears on the page.
Observe the different regions of the report and their functions: report filters, format control, scheduling, and the data display itself.
In each report, the last data column is a Detail column. Click on a detail to view all the attributes of the specific audit record.
Return to the main folder to view some other reports of interest. For example, in the Common Reports folder, navigate to the Account Management folder, and click Account Profile History.
The Account Profile History report appears.
Click on the Event Details for an event of interest:
Finally, return to the Common Reports folder and select Errors and Exceptions. Select the All Errors and Exceptions report.
A number of records are displayed. To narrow the report to records of interest, use the Event drop-down to select checkPermission events.
One row is returned showing an authorization check failure:
Click Details to obtain more information:
This section provides detailed reference information about the standard (pre-built) audit report.
The standard audit reports are grouped as follows:
The All Events report
This report contains all audit records generated in a pre-defined interval.
Common Reports
These are reports that contain audit records across multiple components.
Component-Specific Reports
Each report is dedicated to a specific component.
Common reports are organized as follows:
Account Management
Account Profile History
Accounts Deleted
Accounts Enabled
Accounts Disabled
Accounts Created
Accounts Locked Out
Password Changes
dashboard
User Activities
Authentication History
Multiple Logins from Same IP
Authorization History
Event Details
Related Audit Events
Dashboard
Errors and Exceptions
All Errors and Exceptions
Authorization Failures
Authentication Failures
Dashboard
Important:
Run the Event Details report only against an 11g Release 1 (11.1.1.4.0) PS3 (patch set 3) schema.
For a list of reports, see Section C.2.2, "Component-Specific Audit Reports".
Table 14-1 provides a brief description of each audit report in Oracle Business Intelligence Publisher.
Note:
The folder path shown in the column titled "Located in Folder" is relative to the Oracle Fusion Middleware Audit folder. To get to this folder, log in to Oracle Business Intelligence Publisher, and navigate to Shared Folders, then Oracle Fusion Middleware Audit.
Table 14-1 List of Audit Reports
Report | Description | Located in Folder |
---|---|---|
Accounts Created |
shows accounts created in various components |
Common Reports, then Account Management. Also in Component Specific folders. |
Accounts Deleted |
shows accounts deleted in various components |
Common Reports, then Account Management. Also in Component Specific folders. |
Accounts Disabled |
shows accounts disabled in various components |
Common Reports, then Account Management. Also in Component Specific folders. |
Accounts Enabled |
shows accounts enabled in various components |
Common Reports, then Account Management. Also in Component Specific folders. |
Accounts Locked Out |
shows accounts locked out due to excessive authentication failures |
Common Reports, then Account Management. Also in Component Specific folders. |
Account Profile History |
shows profile changes in accounts, such as change in address and password changes |
Common Reports, then Account Management. Also in Component Specific folders. |
All Errors and Exceptions |
captures all errors and exceptions across components |
Common Reports, then Errors and Exceptions. Also in Component Specific folders. |
All Events |
displays all audit events |
Oracle Fusion Middleware Audit. Also in Component Specific folders. |
Application Policy Management |
displays application level policy management |
Component Specific, then Oracle Platform Security Services. |
Application Role Management |
shows application role to enterprise role mappings |
Component Specific, then Oracle Platform Security Services. |
Assertion Activity |
Assertion Activity in Oracle Identity Federation |
Component Specific, then Oracle Identity Federation. |
Assertion Template Management |
lists assertion Template management operations in Oracle Web Services Manager |
Component Specific, then Oracle Web Services Manager, then Policy Management |
Authentication Failures |
authentication errors and exceptions; can be cross-component or specific to a component. |
Common Reports, then Errors and Exceptions. Also in Component Specific folders. |
Authentication History |
Authentications across all components |
Common Reports, then User Activities. Also in Component Specific folders. |
Authorization Failures |
captures authorization failures |
Common Reports, then Errors and Exceptions. Also in Component Specific folders. |
Authorization History |
Authorizations across all components |
Common Reports, then User Activities. Also in Component Specific folders. |
Confidentiality Enforcements |
lists enforcements related to confidentiality in Oracle Web Services Manager |
Component Specific, then Oracle Web Services Manager, then Policy Enforcements |
Configuration Changes |
configuration changes made in Fusion Middleware Audit Framework. |
Component Specific, then Oracle Fusion Middleware Audit Framework |
Credential Access |
displays credential accesses by users and applications in Oracle Platform Security Services |
Component Specific, then Oracle Platform Security Services. |
Credential Management |
displays credential management operations performed in Oracle Platform Security Services. |
Component Specific, then Oracle Platform Security Services. |
Federation User Activity |
lists federation user activities in Oracle Identity Federation |
Component Specific, then Oracle Identity Federation. |
Message Integrity Enforcements |
shows enforcements related to message integrity in Oracle Web Services Manager |
Component Specific, then Oracle Web Services Manager, then Policy Enforcements |
Multiple Logins from Same IP |
lists machines from where successful logins are made into different user accounts. |
Common Reports, then User Activities. |
Password Changes |
shows password changes done in various accounts. |
Common Reports, then Account Management. Also in Component Specific folders. |
Policy Attachments |
shows Policy to web service endpoint attachments |
Component Specific, then Oracle Web Services Manager |
Policy Enforcements |
general policy enforcements for Oracle Web Services Manager |
Component Specific, then Oracle Web Services Manager, then Policy Enforcements |
Profile Management Events |
shows changes to Directory Integration Platform's profiles. |
Component Specific, then Directory Integration Platform. |
Request Response |
shows requests sent and responses received from web services |
Component Specific, then Oracle Web Services Manager |
System Policy Management |
displays system level policy management operations |
Component Specific, then Oracle Platform Security Services. |
Violations |
Enforcement violations. |
Component Specific, then Oracle Web Services Manager, then Policy Enforcements |
Web Services Policy Management |
shows policy management operations. |
Component Specific, then Oracle Web Services Manager, then Policy Management |
Table 14-2 lists the attributes that appear in the various audit reports. When viewing a report, you can use this table to learn more about the attributes that appear in the report.
Note the following:
Not all attributes appear in each report.
The user or users attribute, which appears in each report, can mean different things in different reports; see Table 14-1 for an explanation of this attribute.
Not all the attributes are displayed in Oracle Business Intelligence Publisher audit reports. If you wish to include some additional attributes in your custom reports, see Appendix C, "Oracle Fusion Middleware Audit Framework Reference".
Table 14-2 Attributes of Audit Reports
Attribute | Description |
---|---|
Activity |
The type of action, either user- or system-initiated. |
Application Name |
The complete application path and name. |
Application Server Instance |
The instance of the application server in use. |
Attempted |
The action that was attempted, for example, a single sign-on attempted by the user. |
Component Name |
The name of the component instance. |
Component Type |
The type of component, for example Oracle Identity Federation. |
Domain Name |
Oracle WebLogic Server domain name. |
ECID |
The execution context ID. |
Event Type |
The type of event that occurred, for example, account creation. |
Initiator |
The user who initiated the event. |
Internet Protocol Address, IP Address |
The IP address of the user's machine from which the action was initiated. |
Message Text |
The text of the message; a description of the event. |
Policy Name |
The name of the policy involved in the action. |
Time Range |
The time range which allows you to limit your data set to a specific time interval, for example, the last 24 hours. |
Timestamp |
The date and time of the event. |
Transaction ID |
The transaction identifier. |
This section discusses advanced report generation and creation options:
Clicking on the report's Edit button brings up a page at which you can specify more detailed report filters and properties. This page consists of two panels. The left panel lets you select what element of the report is to be modified through these options. For each element you select, the right panel displays the corresponding information.
Data Model - This contains the SQL query that fetches the raw data for the report. The query can be modified according to your needs.
List of Values - Shows all the report columns. Selecting on a column displays the underlying SQL query that filters data for the attribute. You can modify the query as needed; for example you can specify more restrictive filter values.
Parameters - Shows all the report columns, and lets you select any column to modify display settings for that column. For example, you can specify a date display format for timestamp fields.
Layouts and output formats - This feature is described in the following section.
Oracle Business Intelligence Publisher provides a complete set of capabilities for designing and creating custom reports.
See Also:
Oracle Business Intelligence Publisher User's Guide.
Here is a simple example illustrating the basic steps to customize an existing audit report with Oracle Business Intelligence Publisher.
Log in to Oracle Business Intelligence Publisher as administrator.
Navigate to the Oracle Fusion Middleware Audit folder.
Create a folder to maintain your custom reports. Under Folder and Event Tasks, click New Folder.
Enter a folder name.
The new folder, Custom BI Reports, appears on the main audit reports folder.
Select an existing report that will be a starting point to create a custom report, by clicking the icon to the left of the report. In this example the All Events report is selected:
Click Copy this report.
This action copies the report to the clipboard. To send it to the new folder:
Select the Custom BI Reports folder.
Under Folder and Report Tasks, click Paste from clipboard.
A dialog box appears requesting confirmation. Click Yes.
The report is now moved from the clipboard to the custom folder:
Provide a descriptive name for the new report by selecting the icon to the left of the report, and clicking Rename this report.
Now you are ready to customize the report. Click Edit from the menu choices under the report title.
The Edit page appears.
Two panels are displayed; on the main panel titled General Settings, you can control basic features like the report title and runtime controls. To the left of the main panel, a second panel displays two sets of information that you can use to create relevant content for your report:
List of Values shows the fields that are being used currently in the report. When you click on a field, the main panel automatically displays the name and the SQL query used to select the values to include for that field.
Parameters shows the available parameters from which you can choose the ones to include in the report. Notice that a subset of the parameters is already in the report; for example, userid (which is the initiator of the audit event) provides the Users data, while timeRange provides the Time Range data.
The palette of choices on the left panel is context-sensitive and provides information to help you build the report.
You can use the Query Builder to customize the data to include in your report. For example, to include only login events for a component, you can:
Select ComponentName
from the list of values and click Query Builder.
A table appears listing the available components. Select the component, say JPS
. A second table appears showing the component event fields:
In the JPS table select IAU_EVENTTYPE
.
Click Conditions, enter the condition login
and click Save.
The condition is now included in the report. Be sure to click Save again on the upper left corner to commit your changes to the report definition.
You can now return to the report in the Custom BI Reports folder and view the data.