Oracle® Advanced Support Gateway Security Guide

Updated: April 2024

Audit Logging


Note - Customers cannot configure audit logging themselves on Gateway 21.x. To set up audit logging, customers are asked to open an SR so that Oracle personnel can perform the required configuration.

The audit logging feature of the Gateway provides audit information for four different categories of system events. The four categories are:

  • Outbound network connections: The Linux firewall service (iptables) triggers notifications for all outbound network traffic with the exception of traffic to Oracle managed hosts used for monitoring and management (for example, Oracle VPN end points, dts.oracle.com, support.oracle.com).

  • Outbound login activity: The Linux auditing service (auditd) triggers notifications for all outbound login attempts initiated from the Gateway. This is done by monitoring usage of the SSH/SCP system binaries. The Gateway sends a message stating that SSH/SCP has been used, by which user, and when. The message does not include the destination; that information is recorded in the auditd logs, which are not directly accessible by the customer on the Gateway.

  • Inbound Gateway user login activity: The Linux auditing service (auditd) triggers notifications each time any of the system logs used for tracking logins is updated. This includes both failed and successful login attempts. It also triggers a notification each time a user logs in from a remote system. These activities are monitored using auditd and forwarded to the customer's central logging system.

  • Enterprise Manager activity: The Enterprise Manager application logs any activity performed within the application on any of the targets or their credentials. The activity in Enterprise Manager is then forwarded to the customer's central logging system.

All audit notifications are delivered using the standard syslog protocol. A central logging system must be provided to accept and process these messages.

The format of most of these messages is based on auditd. They can be managed using various auditd and related utilities.
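On the central logging system, auditd-format records arriving over syslog can be parsed and sorted into the login categories described above. The following is an added example, not Oracle code: the sample lines are constructed, and the syslog prefix, host name, account names and the `outbound_ssh` key are assumptions rather than the Gateway's actual output.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines (not captured from a Gateway): auditd records
# wrapped in a syslog prefix, as a central log server might receive them.
SAMPLE = [
    '<13>Apr  2 10:15:01 gw01 audispd: type=SYSCALL msg=audit(1712052901.512:8841): '
    'arch=c000003e syscall=59 success=yes exit=0 pid=2244 auid=1001 uid=1001 '
    'comm="ssh" exe="/usr/bin/ssh" key="outbound_ssh"',
    '<13>Apr  2 10:16:40 gw01 audispd: type=USER_LOGIN msg=audit(1712053000.101:8850): '
    'pid=2301 uid=0 auid=4294967295 msg=\'op=login acct="opsuser" '
    'exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=failed\'',
    '<13>Apr  2 10:17:02 gw01 crond[991]: (root) CMD (run-parts /etc/cron.hourly)',
]

# auditd header: type=<TYPE> msg=audit(<epoch>.<ms>:<serial>): <fields>
HEADER = re.compile(r"type=(\w+)\s+msg=audit\((\d+)\.\d+:(\d+)\):\s*(.*)")
# Values may be bare, double-quoted, or a single-quoted nested field list.
PAIR = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")

def parse_fields(text):
    """Parse key=value pairs; a single-quoted value is flattened into the result."""
    fields = {}
    for key, val in PAIR.findall(text):
        if val.startswith("'"):
            fields.update(parse_fields(val[1:-1]))
        else:
            fields[key] = val.strip('"')
    return fields

def parse_record(line):
    """Return a dict for an auditd record, or None for non-audit syslog lines."""
    m = HEADER.search(line)
    if not m:
        return None
    rtype, epoch, serial, body = m.groups()
    f = parse_fields(body)
    exe = f.get("exe", "")
    if rtype == "SYSCALL" and exe.rsplit("/", 1)[-1] in ("ssh", "scp"):
        category = "outbound_login"      # SSH/SCP binary executed on the host
    elif rtype in ("USER_LOGIN", "USER_AUTH"):
        category = "inbound_login"       # login attempt, failed or successful
    else:
        category = "other"
    return {"category": category, "serial": int(serial), "exe": exe,
            "time": datetime.fromtimestamp(int(epoch), tz=timezone.utc),
            "user": f.get("acct", f.get("auid")),
            "result": f.get("res", f.get("success"))}

def triage(lines):
    """Keep only the lines that carry an auditd record."""
    return [r for r in map(parse_record, lines) if r]
```
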