11 Viewing the Healthcare User Audit Trail

This chapter describes how to enable and configure an audit trail of user activity for healthcare integration components and applications. Oracle SOA Suite for healthcare integration uses Oracle's Common Audit Framework to log user activity against healthcare integration components.

This chapter contains the following topics:

11.1 Introduction to the Audit Trail

The Oracle auditing framework collects and stores information about events affecting configured components, providing an audit log of activity for those components to help support your compliance requirements. Auditing for each SOA Suite component is defined by an audit policy that defines which components and which activities are captured in the audit log.

You can configure the audit policy to only capture the information you require and ignore the rest. This is done on the Audit Policy page of Oracle Enterprise Manager. See "Managing Audit Policies" in the Oracle Fusion Middleware Application Security Guide for more information.

The set of auditable events for each application and component is defined by the audit policy and differs between each application. When you expand the list of events for a component, only those events that can be audited for that component appear in the list. For each event, you can further specify whether to only log successful attempts or failed attempts (currently Oracle SOA Suite for healthcare integration only logs successful attempts).

When you configure auditing, you can select from the following audit levels:

  • Low: This option selects a subset of events from all auditable components in the audit policy list, including a subset of Oracle SOA Suite for healthcare integration events. It does not allow custom filters to be created.

  • Medium: This option selects a larger subset of events from all auditable components in the audit policy list, including all Oracle SOA Suite for healthcare integration events. It does not allow custom filters to be created.

  • Custom: This options lets you select only those components, events, and conditions that you want to audit. This is the recommended level for Oracle SOA Suite for healthcare integration. You must select this level in the Oracle Enterprise Manager console to enable Oracle Healthcare auditing.

You can also specify a list of users whose activity is audited regardless of the actions performed or the component used. Auditing occurs for these users no matter what audit level or filters are defined.

For more information about audit policies, see Configuring and Managing Auditing in the Oracle Fusion Middleware Application Security Guide.

11.1.1 Oracle SOA Suite for Healthcare Integration Auditing Options

The components and events available for auditing are listed on the Audit Policy page of Oracle Enterprise Manager (Weblogic domain > Security > Audit Policy). To view or configure the these options, select Oracle SOA Suite for healthcare integration from the Audit Component Name list, Custom from the Audit Level list, and click the check boxes adjacent to the events.

Figure 11-1 Healthcare Integration Components on the Audit Policy Page

Description of Figure 11-1 follows
Description of "Figure 11-1 Healthcare Integration Components on the Audit Policy Page"

Note:

Currently only the SUCCESS events are audited. You should not select FAILURE events.

Currently, the following components and events are supported for audit in Oracle SOA Suite for healthcare integration (note that additional events appear in the list, but they are not currently logged):

  • User Session

    • User Login

    • User Logout

  • Endpoint Management

    • Enable Endpoint

    • Disable Endpoint

  • Document Management

    • Resubmit Message

    • Purge Message

    • Read Payload

  • Configuration

    • Import

    • Export

11.1.2 Using Filter Conditions for Auditing

For each event, you can define filters for the success condition. Filters use rule-based expressions that are based on the attributes of the event. For most Oracle SOA Suite for healthcare integration user access auditing, you can use the following attributes in your filter expressions:

  • Host ID

  • Host Network Address

  • Initiator

  • Client IP Address

  • Resource

  • Domain Name

  • Target User

  • Roles

  • Audit User

Expressions can include AND and OR operators, as well as a variety of comparison functions, such as equals, starts with, contains, does not equal, and so on.

11.2 Configuring the Healthcare Integration Audit Trail

You configure audit policies in Oracle Enterprise Manager by selecting the events or components to include in the audit log. Currently, Oracle B2B components and events are not included in the audit trail.

There are two default configurations, Low and Medium audit levels, that select a predefined subset of components or events. These are not recommended for Oracle SOA Suite for healthcare integration because they affect all auditable components, not just the components of Oracle SOA Suite for healthcare integration. Selecting either of these options can result in extraneous audit entries and unnecessarily large audit logs. Additionally, these two options do not allow you to define any filters.

The following instructions apply to custom-level audit policy configuration.

To configure auditing for healthcare integration

  1. Login to Oracle Enterprise Manager.
  2. In the navigation panel on the left, expand WebLogic Domain and then right-click the name of the domain for which you want to enable user auditing.
  3. In the context menu that appears, point to Security and then select Audit Policy.

    Figure 11-2 Security Context Menu for a WebLogic Domain

    Description of Figure 11-2 follows
    Description of "Figure 11-2 Security Context Menu for a WebLogic Domain"
  4. In the Audit Component Name list, select Oracle SOA Suite for Healthcare.
  5. In the Audit Level list, select Custom.

    Check boxes appear in the Select for Audit column so you can select which healthcare integration components and events to audit.

  6. Click event categories such as User Session to display the list of events pertaining to that category below.
  7. Do any of the following:

    • To enable auditing for all Oracle SOA Suite for healthcare integration components and events, click the Audit All Events button.

    • To enable auditing for all events for a specific component, select the check box in the Select for Audit column next to the component name.

      For example, to audit all actions taken against endpoints, select the check box for Endpoint Management.

      Figure 11-3 Endpoint Management Component With All Events Selected

      Description of Figure 11-3 follows
      Description of "Figure 11-3 Endpoint Management Component With All Events Selected"

    • To enable auditing of a specific event for a component, expand the component and select the check box in the Enable Audit column next to the event name under that component.

  8. To define a filter for a success condition, select Enable Audit for the success condition, and then click its Edit Filter button. Define the filter on the dialog that appears, and then click OK.

    For more information about filters, see Using Filter Conditions for Auditing and the online help available from the Edit Filter dialog. Note that filters can only be defined for success conditions at this time.

  9. To specify a list of users whose activity is always audited regardless of the component configuration, enter a list of user accounts in the Users to Always Audit section. Separate the account names with commas.
  10. When you are done configuring auditing, click Apply.
  11. Restart the server in order for the changes to take effect.

11.3 Viewing User Audit Logs

When an event triggers an audit log entry, the event information is written to the audit log file.

The audit log captures the following information. Depending on the type of event that triggered the entry, several of these fields might be empty.

  • Date and time

  • Initiator of the event

  • Event type

  • Event status

  • Message text (indicating what occurred)

  • ECID

  • RID

  • Context fields

  • Session ID

  • Target component type

  • Application name

  • Event category

  • Thread ID

  • Failure code

  • Remote IP address

  • Target

  • Resource

  • Roles

  • Authentication method

  • Reason

You can view the audit log file directly. It is written to the following location:

fmw_home/user_projects/domains/domain_name/servers/managed_server_name/logs/auditlogs/SOA-HCFP/audit.log