The following paragraphs show the commands to enable and disable logging messages, and provide examples of the resulting messages.
In the examples below, user mapping is enabled: uid=#(username) and gid=#(groupname). If user mapping is disabled, all instances of uid=# and gid=# are replaced with uid=0 and gid=0.
Any combination of the following three categories can be enabled or disabled.
Outbound Network Connectivity
To enable or disable this type of message forwarding:
firewall enable
firewall disable
These messages are generated by iptables and represent all outbound network traffic with the exception of traffic to known addresses used for Oracle monitoring.
The following example shows messages as they are seen on the system that receives the forwarded syslog messages.
Result from an nslookup command:
Jul 31 15:10:01 Jul-31 15: 10:01 GMT+00:00 0:0:0:0:0:0:0:1 NA: sample-host kernel: iptables: IN= OUT=eth0 SRC=nn.nn.nn.nn DST=nn.nn.nn.nn LEN=59 TOS=0x00 PREC=0x00 TTL=64 ID=33101 DF PROTO=UDP SPT=30849 DPT=53 LEN=39 UID=jsmith GID=admin
Result from an ssh command:
Jul 31 15:13:22 Jul-31 15: 13:22 GMT+00:00 0:0:0:0:0:0:0:1 NA: sample-host kernel: iptables: IN= OUT=eth0 SRC=nn.nn.nn.nn DST=nn.nn.nn.nn LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=46937 DF PROTO=TCP SPT=54842 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0 UID=jsmith GID=admin
Outbound Login Activity
To enable or disable this type of message forwarding:
ssh enable
ssh disable
The following example shows a message as it is seen on the system that receives the forwarded syslog messages.
Result from an ssh command:
Jul 31 15:22:15 Jul-31 15: 22:14 GMT+00:00 0:0:0:0:0:0:0:1 NA: sample-host audispd: node=sample-host type=SYSCALL msg=audit(1437567767.027:17839321): arch=c000003e syscall=59 success=yes exit=0 a0=124e030 a1=123d7f0 a2=1246d90 a3=10 items=2 ppid=22614 pid=25252 auid=54373 uid=jsmith gid=admin euid=54373 suid=54373 fsuid=54373 egid=501 sgid=501 fsgid=501 tty=pts4 ses=90594 comm="ssh" exe="/usr/bin/ssh" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="gateway_audit"
Oracle Advanced Support Gateway User Login Activity
To enable or disable this type of message forwarding:
session enable
session disable
The following examples show messages as they are seen on the system that receives the forwarded syslog messages.
Example of ssh being invoked on Oracle Advanced Support Gateway:
Aug 1 21:37:02 Aug-01 17: 37:02 GMT-04:00 0:0:0:0:0:0:0:1 NA: sample-host audispd: node=sample-host type=SYSCALL msg=audit(1375393022.626:187186): arch=c000003e syscall=59 success=yes exit=0 a0=7fa860e69380 a1=7fa860e697e0 a2=7fa860e69ca0 a3=0 items=2 ppid=1428 pid=12967 auid=4294967295 uid=jsmith gid=admin euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key="SESSION"
Result from an su command on Oracle Advanced Support Gateway:
Aug 1 21:42:49 Aug-01 17: 42:49 GMT-04:00 0:0:0:0:0:0:0:1 NA: sample-host audispd: node=sample-host type=SYSCALL msg=audit(1437567906.700:17840209): arch=c000003e syscall=2 success=yes exit=3 a0=7f691418c518 a1=2 a2=7f691418c760 a3=fffffffffffffff0 items=1 ppid=22614 pid=25811 auid=54373 uid=54373 gid=501 euid=0 suid=0 fsuid=0 egid=501 sgid=501 fsgid=501 tty=pts4 ses=90594 comm="su" exe="/bin/su" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="SESSION"
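On the receiving system, the three message types above can be told apart by their source tag and audit key. The following parser is an added example, not Oracle code: the sample lines are constructed in the shape of the messages shown above with placeholder addresses, and the mapping of the key values "gateway_audit" and "SESSION" to categories is an assumption taken from those samples only.

```python
import shlex

# Constructed sample lines modelled on the message formats shown above
# (addresses are documentation-range placeholders, prefixes are shortened).
SAMPLES = [
    'Jul 31 15:10:01 sample-host kernel: iptables: IN= OUT=eth0 SRC=192.0.2.10 '
    'DST=198.51.100.53 LEN=59 TTL=64 DF PROTO=UDP SPT=30849 DPT=53 LEN=39 '
    'UID=jsmith GID=admin',
    'Jul 31 15:22:15 sample-host audispd: node=sample-host type=SYSCALL '
    'msg=audit(1437567767.027:17839321): syscall=59 success=yes uid=jsmith '
    'gid=admin tty=pts4 comm="ssh" exe="/usr/bin/ssh" key="gateway_audit"',
    # uid=0/gid=0 is what the page says appears when user mapping is disabled.
    'Aug 1 21:42:49 sample-host audispd: node=sample-host type=SYSCALL '
    'msg=audit(1437567906.700:17840209): syscall=2 success=yes uid=0 gid=0 '
    'euid=0 tty=pts4 comm="su" exe="/bin/su" key="SESSION"',
]

# Assumption: audit key values are taken from the sample messages on this page.
AUDIT_KEY_TO_CATEGORY = {"gateway_audit": "ssh", "SESSION": "session"}

def parse_forwarded(line):
    """Return (category, fields, flags) for one forwarded syslog line."""
    for marker, source in ((" kernel: iptables: ", "iptables"), (" audispd: ", "audit")):
        if marker in line:
            body = line.split(marker, 1)[1]
            break
    else:
        return "unknown", {}, []
    fields, flags = {}, []
    for token in shlex.split(body):          # shlex strips quotes around comm/exe/key
        if "=" in token:
            name, value = token.split("=", 1)
            fields.setdefault(name, value)   # keep first LEN (IP length), not the UDP LEN
        else:
            flags.append(token)              # bare flags such as DF or SYN
    if source == "iptables":
        return "firewall", fields, flags
    return AUDIT_KEY_TO_CATEGORY.get(fields.get("key"), "unknown"), fields, flags

def user_of(fields):
    """uid/gid as logged; iptables uses upper-case names, audit lower-case."""
    return fields.get("UID", fields.get("uid")), fields.get("GID", fields.get("gid"))

if __name__ == "__main__":
    for sample in SAMPLES:
        category, fields, _ = parse_forwarded(sample)
        print(category, user_of(fields), fields.get("DPT") or fields.get("exe"))
```

A uid and gid of 0 on every message indicates that user mapping is disabled, so those values should not be read as root activity without checking the mapping setting first.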