
Oracle® Advanced Support Gateway Security Guide for Private Cloud at Customer


Updated: September 2020
 
 

Oracle Advanced Support Gateway Audit Logging Feature

The Audit Logging Feature of Oracle Advanced Support Gateway provides audit information for three different categories of system events. The three categories are:

  • Outbound network connections: The Linux firewall service (iptables) triggers notifications for all outbound network traffic with the exception of traffic to Oracle managed hosts used for monitoring and management (for example, Oracle VPN end points, dts.oracle.com, support.oracle.com).

  • Outbound login activity: The Linux auditing service (auditd) triggers notifications for all outbound login attempts initiated from Oracle Advanced Support Gateway. This is done by monitoring usage of the ssh and telnet system binaries. Oracle Advanced Support Gateway sends a message stating that ssh or telnet has been used, by which user, and when. The message does not include the destination; that information is recorded in the auditd logs, which are not directly accessible by the customer on Oracle Advanced Support Gateway.

  • Inbound Oracle Advanced Support Gateway user login activity: The Linux auditing service (auditd) triggers notifications each time any of the system logs used for tracking logins is updated. This includes failed logins and successful login attempts. It also triggers a notification each time a user logs in from a remote system. These activities are monitored using auditd and forwarded to the customer's central logging system.

All audit notifications are delivered using standard syslog protocol. A central logging system must be provided to accept and process these messages.

The format of most of these messages is based on auditd. They can be managed using various auditd and related utilities.
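
On the central logging system, the outbound login notifications described above can be picked out of the forwarded stream with a short parser. This is an added example, not Oracle code: it assumes each forwarded message is a syslog line wrapping a standard auditd SYSCALL record, and the sample lines, host name and user names are constructed.

```python
import os
import re
import shlex
from datetime import datetime, timezone

# auditd record header: type=NAME msg=audit(EPOCH.MILLIS:SERIAL): key=value ...
AUDIT_RE = re.compile(r"type=(?P<type>\w+) msg=audit\((?P<ts>\d+(?:\.\d+)?):\d+\):\s*(?P<body>.*)")
MONITORED = {"ssh", "telnet"}  # the binaries the page says are watched

def parse_audit(line):
    """Parse a syslog line carrying an auditd-format record; None if it has none."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    rec = {"type": m["type"], "time": datetime.fromtimestamp(float(m["ts"]), tz=timezone.utc)}
    try:
        tokens = shlex.split(m["body"])  # also strips the quotes in exe="..."
    except ValueError:  # unbalanced quote in the body: keep the header fields only
        return rec
    for tok in tokens:
        key, sep, value = tok.partition("=")
        if sep:
            rec.setdefault(key, value)  # never overwrite the parsed header fields
    return rec

def outbound_logins(lines):
    """Yield (time, user, binary, uid_is_name) for each ssh or telnet execution."""
    for line in lines:
        rec = parse_audit(line)
        if not rec or rec["type"] != "SYSCALL":
            continue
        binary = os.path.basename(rec.get("exe", ""))
        user = rec.get("uid")
        if binary in MONITORED and user is not None:
            # A non-numeric uid means names were sent, as with "mapping enable".
            yield rec["time"], user, binary, not user.isdigit()

# Constructed sample lines; the layout (syslog prefix + auditd record) is assumed.
SAMPLE = [
    '<86>Sep 14 10:02:11 gateway audit: type=SYSCALL msg=audit(1600077731.412:901): '
    'arch=c000003e syscall=59 success=yes exit=0 uid=1001 gid=1001 comm="ssh" exe="/usr/bin/ssh"',
    '<86>Sep 14 10:05:40 gateway audit: type=SYSCALL msg=audit(1600077940.007:915): '
    'arch=c000003e syscall=59 success=yes exit=0 uid=custadmin gid=users comm="telnet" exe="/usr/bin/telnet"',
    '<86>Sep 14 10:06:02 gateway audit: type=SYSCALL msg=audit(1600077962.120:917): '
    'arch=c000003e syscall=59 success=yes exit=0 uid=0 gid=0 comm="ls" exe="/usr/bin/ls"',
    '<4>Sep 14 10:06:30 gateway kernel: not an audit record',
]
for event in outbound_logins(SAMPLE):
    print(*event)
```

Because the forwarded message carries no destination, an alert built on this output can only say who ran ssh or telnet and when.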

The audit logging feature is disabled by default, and must be explicitly enabled through the Oracle Advanced Support Gateway command line interface (CLI). The details of how to configure this feature are explained in the following section:

Implement Log Forwarding: Oracle Setup Task:

  1. Use ssh to connect to Oracle Advanced Support Gateway.

    Use the customer administrator account configured at installation time or any other user with the customer administrator role.

  2. At the first (CLI or CLISH) prompt, enter the password.

  3. At the next prompt enter configure terminal.

  4. At the next prompt enter syslog.

    You are now in the syslog-specific section of the Oracle Advanced Support Gateway CLI where you can configure forwarding.

Available Commands:

Command
    Description

help
    To display a list of available commands.

?
    To display a brief explanation of how to enter commands in the CLI.

stat
    To display the current configuration.
    This produces a display similar to the following:

    ------------- SyslogBroadcaster Configuration ------------
    Message Forward Status = enabled
    Host IP Address = 1.2.3.4
    Host Port Number = 514
    Host Time Zone = GMT
    firewall Message Forward = enabled
    ssh Message Forward = enabled
    session Message Forward = enabled
    UID/GUID MapICMP Type 0 and 8 = enabled
    -----------------------------------------------------------

forward enable
    To enable syslog forwarding.

forward disable
    To disable syslog forwarding.

ip <ip address>
    To enter the IP address of the remote syslog server (the one receiving the forwarded messages).
    You must enter a valid IP address, not a host name.

port <port #>
    To change the port used for forwarding syslog messages.

timezone <value>
    To set the time zone used in the forwarded syslog messages.
    Value must be -12 to +12 which is the offset from GMT.

mapping enable
mapping disable
    To convert the uid and guid contained in each message to the corresponding Unix user and group name.