29 Managing Oracle WebCenter Portal Audit Logs

This chapter provides an introduction to managing audit logging for WebCenter Portal.

This chapter includes the following sections:

Permissions:

To perform the tasks in this chapter, you must be granted the WebLogic Server Admin role through the Oracle WebLogic Server Administration Console. Users with the Monitor or Operator roles can view security information but cannot make changes.

See also, Section 1.8, "Understanding Administrative Operations, Roles, and Tools."

29.1 Introduction to Managing Audit Logs

When enabled, audit logging tracks Portal-related events as part of the Fusion Middleware Audit Service. Audit log events are stored in a file (the Audit Bus-stop) by default, but can also be uploaded to a database for persistency (for more information, see Section 29.2.2, "Configuring the Audit Store Database"). The Audit Bus-stop file has a limited capacity so storing log information in a database where events can be queried long after their occurrence is recommended.

Note:

If you enable WebCenter Portal Impersonation, it is highly recommended that you also enable audit logging. When Impersonation is enabled, audit logging tracks the impersonator, impersonatee, and the context surrounding an event.

Audit logging provides the following key benefits:

  • Events that alter the security settings of Portal, Portal Server, and major Portal Server artifacts are traceable

  • Definable logging levels

  • Events logged are available in perpetuity when uploaded to a database

  • Reports on audit events are available through the Audit Service

For more information about the Audit Service and configuring the Audit Service, see "Introduction to Oracle Fusion Middleware Audit Framework" in the Oracle Fusion Middleware Application Security Guide. For information about configuring the Audit Service to use a database, see "Configuring and Managing Auditing" in the Oracle Fusion Middleware Application Security Guide. For information about out-of-the-box Audit Service reports, see "Pre-built Audit Reports" in the Oracle Fusion Middleware Application Security Guide.

29.2 Configuring Audit Logging

This section describes how to turn logging on and off for WebCenter Portal, how to set the log level, and how to set up the Audit Store Database.

This section contains the following subsections:

29.2.1 Setting the Logging Level

By default, audit logging for WebCenter Portal is turned off (that is, set to None). To turn it on, set the logging level to a value other than None (for example, Low) as shown in the examples below. For the details of which logging categories are included for each logging level, see Section 29.3.1, "Using WebCenter Portal Audit Logs."

Use the following WLST commands to modify the audit logging level for WebCenter Portal audit events:

To set the logging level to Low:

setAuditPolicy(componentType="webcenter#11.1.1.4.0",filterPreset="Low")

Set the logging level to Medium:

setAuditPolicy(componentType="webcenter#11.1.1.4.0",filterPreset="Medium")

To turn logging off for WebCenter Portal:

setAuditPolicy(componentType="webcenter#11.1.1.4.0",filterPreset="None") 

Successful execution does not throw any error and completes silently. Restart the WC_Spaces server to complete the logging level change.

For information about additional WLST commands you can use to manage and configure audit logging, see "WLST Commands for Auditing" in the Oracle Fusion Middleware Application Security Guide.

29.2.2 Configuring the Audit Store Database

The audit store is a database that contains a pre-defined Oracle Fusion Middleware Audit Framework schema created by the Repository Creation Utility (RCU). By default, audit logs are stored as files in the auditlogs directory as shown in the following example:

DOMAIN_HOME/servers/WC_Spaces/logs/auditlogs/webcenter#11.1.1.4.0/audit_1_0.log

Once database persistence has been configured, the Audit loader picks up data from this file and puts it in the Audit Framework schema. For information about configuring the Audit Service to use a database, see "Configuring and Managing Auditing" in the Oracle Fusion Middleware Application Security Guide.

You will need to know the name of the audit schema (the suffix is always IAU). You will also need to set the audit repository to the database as shown below:

setAuditRepository(switchToDB='true',dataSourceName='jdbc/AuditDB',interval='15') 

Note:

The audit data in the store is expected to be cumulative and will grow over time. Ideally, the database should not be an operational database used by any other applications, and should be a standalone RDBMS used for audit purposes only.

29.3 Viewing WebCenter Portal Audit Events

This section describes the WebCenter Portal Impersonation events that are available in the audit log, and shows a simple SQL statement that you can use to query the audit schema for impersonation events.

This section includes the following subsections:

29.3.1 Using WebCenter Portal Audit Logs

Table 29-1 lists the WebCenter Portal audit events that appear in the audit log depending on the log level that is set. The various WebCenter Portal tools (such as documents, announcements, discussions, wiki and blog, forum, forum message, forum topic, forum category) are identified in the log by their corresponding ToolArtifactID and ToolType.

When the log level is set to Low, events in the following categories will be logged:

  • PortalLifeCycle

  • PortalRoleManagement

  • PortalRoleMemberManagement

  • PortalToolAccessManagement

  • ImpersonationSessionMgmt

When the log level is set to Medium, events in the following additional categories will be logged:

  • PortalToolsManagement

  • PortalPagesManagement

Table 29-1 WebCenter Portal Audit Events

Event Category Event Name Event Payload

PortalLifeCycle

LoginPortalServer,
CreatePortal, DeletePortal,
ImportPortal, ExportPortal, DeployPortal, PropagatePortal

InitiatorUID, InitiatorMail, InitiatorDisplayName, ImpersonatorUID, PortalID, PortalName, PotalDisplayName, PortalURL, PortalTemplate, PortalOldState, PortalNewState, TargetPortalConnection

PortalRoleManagement

CreateRole
DeleteRole
PermissionUpdate

InitiatorUID, InitiatorMail, InitiatorDisplayName, ImpersonatorUID, PortalID, PortalName, RoleName, RoleTemplate, PermissionClass, PermissionName, PermissionActionsGranted, PermissionActionsRevoked

PortalRoleMemberManagement

AddMemberToRole
RemoveMemberFromRole

InitiatorUID, InitiatorMail, InitiatorDisplayName, ImpersonatorUID, PortalID, PortalName, RoleName, MemberType, MemberUID, ServiceID

ImpersonationSessionMgmt

GrantImpersonationAccess
RevokeImpersonationAccess
BeginImpersonation
EndImpersonation

InitiatorUID, InitiatorMail, InitiatorDisplayName, ImpersonatorUID, ImpersonateeUID, PortalID, PortalName, ImpersonationStartTime, ImpersonationEndTime, ImpersonationGrantStartTime, ImpersonationEndTime, ImpersonationRightRevokeTime

PortalToolsManagement

CreateTool, DeleteTool
ModifyTool

InitiatorUID, InitiatorMail, InitiatorDisplayName, ImpersonatorUID, PortalID, PortalName, ToolArtifactID, ToolName, ToolType

PortalToolAccessManagement

ToolAccessPermissionUpdate
GrantToolAccess
RevokeToolAccess

InitiatorUID, InitiatorMail, InitiatorDisplayName, ImpersonatorUID, PortalID, PortalName, ToolName, ToolType, ToolArtifactID, MemberUID, MemberType, PermissionActionsGranted, PermissionActionsRevoked, PermissionClass, PermissionName

PortalPagesManagement

CreatePage
DeletePage

InitiatorUID, InitiatorMail, InitiatorDisplayName, ImpersonatorUID, PortalID, PortalName, PageID, PageName


29.3.2 Querying the Audit Schema

Once you've configured the audit schema and the audit repository is set to database, you can create reports based on this generated audit data. Follow the steps below to create a report:

  1. Generate a view based on audit tables by running the following command to generate a SQL file that can then be used to create a view for the WebCenter Portal component-specific data from audit DB tables:

    createAuditDBView(fileName="/tmp/WCPortalAuditView.sql", componentType="webcenter#11.1.1.4.0")
    

    The IAU schema owner (for example, TEST_IAU) will need to have 'create view' privileges. To create the view, run the WCPortalAuditView.sql file or run the following SQL command as a system DBA:

    grant create view to TEST_IAU
    

    The created view will have name like 'webcenter#11_1_1_4_0_AUDITVIEW'.

  2. Use the view to query the audit database using WebCenter Portal tool audit attribute names as table column name as shown in the following examples. Open the WCPortalAuditView.sql file to see the mapping of table column names with WebCenter Portal attributes.

    • The following SQL statement returns all the attributes of WebCenter Portal tools that are logged with the event types BeginImpersonation and EndImpersonation:

      select * from webcenter#11_1_1_4_0_AUDITVIEW where EventType like '%Impersonation';
      
    • The following SQL statement lists all users who have deleted any portal along with the deleted portal information:

      select InitiatorUID,InitiatorMail,PortalID,PortalName,PortalURL from webcenter#11_1_1_4_0_AUDITVIEW where EventType = 'DeletePortal';
      
    • The following SQL statement returns all audit data for WebCenter Portal:

       select * from webcenter#11_1_1_4_0_AUDITVIEW;
      

If you want to regularly monitor WebCenter Portal activities you can create a SQL data control using SQL queries and drop the data control as a table or other visualization onto a portal page. For more information about SQL data controls, see "Working with Data Presenter" in the Oracle Fusion Middleware Building Portals with Oracle WebCenter Portal.