Audit Data, Security, Artifact Changes, and LCM Events

17 Audit Data, Security, Artifact Changes, and LCM Events

Essbase auditing tracks changes to cube data, server-level security, LCM events, artifact changes, and MaxL statements that are run on the server, including imports.

Use cube-level data auditing to track updates made to data values, including changes to Linked Reporting Objects (LROs), such as adding notes, attaching files, and referencing URLs. You can export the audit log to an Excel spreadsheet.

Use server-level auditing to track security, LCM events, artifact changes, and executed MaxL statements including imports of data or dimensions. The tracking information is saved to a security audit log file. You configure what events to track by defining an auditing policy file.

Track Data Changes

Use an audit trail to track updates made to data values, including changes to Linked Reporting Objects (LROs), such as adding notes, attaching files, and referencing URLs. You can export the log to an Excel spreadsheet.

To view data audit trail records, you must be at least a power user with Database Update permission on the application. You can only view those records where your user name matches the user name registered in the audit records. To delete data audit trail records, you must be at least a power user with Application Manager permission on the application. See Understand Your Access Permissions in Essbase.

Turn on Data Audit Trail and View the Data Audit Trail

You turn on data audit trail by adding AUDITTRAIL DATA as an application level configuration setting.

See Set Application-Level Configuration Properties.

To turn on Data Audit Trail, add the following to the application configuration parameters: AUDITTRAIL DATA.
Perform ad hoc analysis through Smart View, make data changes through Smart View and click on Submit - this results in an audit record being stored.
When doing ad hoc analysis, there are many ways of getting a particular Point of View (POV) onto the grid. One of them is by using the POV toolbar, which allows you to zoom in on certain members in one or more dimensions. See these topics in Working with Oracle Smart View for Office
- Selecting Members from the POV Toolbar
- Displaying the POV Toolbar
- Selecting Members Using the Cell-Based POV
With Data Audit Trail enabled, you can view the audit trail in the connection Panel in Smart View. Under the connection information, click on the menu of operations under More and you will see a menu option titled Audit Trail. Click on Audit Trail to view the data audit trail records for a cube.
The audit trail record shows the date and time of the change in the first column, the new value or the linked reporting object in the second column, and the POV in the third column. The time corresponds to your time zone. Click on an item in the audit trail and you will see a description of the change at the bottom of the pane.
You can display a sheet with the new POV and refreshed data value by clicking Ad hoc below the Audit Trail pane. When you click on subsequent audit records and click this icon, you see a different sheet with the POV for that audit record and refreshed data for that POV. This way, you can do further analysis on targeted data.

Link a Reporting Object to a Cell

You can link a reporting object to a cell. When you do, this change displays in the data audit trail. You can add a note to a cell, attach a file, or reference a URL. When you make these changes, the cells are highlighted in your cube. See these topics in the Working with Oracle Smart View for Office on how to link reporting objects to cells:

Linked Reporting Objects
Attaching a Linked Reporting Object to a Data Cell
Launching a Linked Reporting Object from a Data Cell

Export Logs to a Sheet

You can easily export your logs to a new Excel sheet just by clicking an icon.

Export your log onto a new sheet using Export . Click this icon to export the logs with all the details for each entry onto a new sheet that looks like this:

Image of a log file exported to an Excel sheet.

Once exported, you can re-sort columns or remove them to show the information you want to analyze.

Refresh the Audit Log

You can refresh the audit log to see your latest changes at any time.

When you make more changes to your data, you can refresh the log view any time. Click Refresh .
Image of an Excel sheet showing the refreshed audit trail log.

View and Manage Audit Trail Data in the Essbase Web Interface

You can view audit trail data in the Essbase web interface. You can also export the data to an Excel sheet (in .csv format), purge the data before a specific date, or purge all of the audit trail data.

To view and manage audit trail data:

On the Applications page, expand the application.
Click the Actions menu to the right of the cube name and select Inspect.
On the Audit Trail tab, you can:
- View audit trail data.
- Export the data to a CSV file.
- Purge the audit trail data until a specific date.
- Purge all of the audit trail data.

To purge data audit trail records, you must be a power user with Application Manager permission on the application.

Audit Security, Artifact Changes, and LCM Events

Service administrators can enable security auditing to track changes made to the Essbase server.

Based on parameters you specify in an auditing policy file, Essbase gathers information about changes to system-level security, artifacts, LCM events, and executed MaxL statements (including imports). Essbase consolidates the tracked information into an audit log file. Tracked information about each event includes time, client, user, artifacts affected, and a description.

You enable server-level auditing of these events using the AUDITTRAIL SECURITY Essbase configuration setting.

Workflow for Auditing Security, Artifact Changes, and LCM Events

Use the following workflow to audit changes to security, artifacts, LCM events, and executed MaxL statements (including imports) for the Essbase server.

Set AUDITTRAIL SECURITY as a server-level configuration property.
Restart Essbase. See Start, Stop, and Check Servers.
The auditing policy file is created when Essbase restarts.
Open the file in a text editor.
Edit the auditing policy file to indicate what events you want to capture, the maximum file size, and how many audit log files you want to retain.
SSH to the security audit log on the Essbase server to view the recorded events.

Enable Security, Artifact Changes, and LCM Events Auditing

If you have the Service Administrator role, you can enable auditing of security, artifact changes, LCM events, and executed MaxL statements (including imports), by setting AUDITTRAIL SECURITY as a server-level Essbase configuration property.

See Set Server-Level Configuration Properties.

About the Auditing Policy File

The auditing policy is defined in an XML file that you can edit to suit your needs. In this file, you can specify which Essbase server events to track, as well as maximum file size and the number of security audit log files to keep.

Essbase creates EssbaseSecurityAuditLogPolicy.xml when you restart Essbase after enabling security auditing. You can then edit the file as needed to refine the auditing policy. The file is located in the application directory specified during the configuration phase of Essbase deployment. If you do not know where <Application Directory> is in your environment, refer to Environment Locations in the Essbase Platform for an explanation.

To edit the auditing policy file,

Navigate to EssbaseSecurityAuditLogPolicy.xml. The file is located in the application directory specified during the configuration phase of Essbase deployment.
Open it in a text editor.
Add the items that you want.
1. Optionally change the maximum file size using <max-file-size>n</max-file-size>, where n = the number of bytes . The default is 50000000 bytes.
2. Indicate how many security audit log CSV files to save using <roll-nos>n</roll-nos>, where n = the number of files.
3. Indicate which audit events you want to capture, using <audit_events_to_capture>events_list</audit_events_to_capture>.

The events that you indicate in the auditing policy file are tracked in a security audit log file.

You can indicate the following events to capture in the auditing policy file:

Event	Description
LOGIN	User [x] logged in successfully
LOGIN_AS	User [x] logged in as [y]
LOGOUT	User [x] logged out
LOGIN_FAIL	User [x] login failed
SERVICE_ROLE_ASSIGN	Assigned Essbase service role [x] to [y]
SERVICE_ROLE_REVOKE	Revoked Essbase service role [x] from [y]
APPLICATION_ROLE_ASSIGN	User/Group [x] has been provisioned the role [y] on the application [z]
APPLICATION_ROLE_REVOKE	User/Group [x] has been revoked from the role [y] on the application [z]
ARTIFACT_CREATE	Artifact [x] of type [y] created
ARTIFACT_UPLOADED	Artifact upload request called for application [a] database [b] object name [c] and object type [d]
ARTIFACT_MODIFIED	Artifact [x] of type [y] modified
ARTIFACT_DELETED	Artifact [x] of type [y] deleted
ARTIFACT_RENAMED	Artifact [x] of type [y] renamed to [z]
APPLICATION_DELETED	Application [x] deleted
APPLICATION_CREATE	Application [x] created
APPLICATION_RENAMED	Application [x] renamed to [y]
DATABASE_DELETED	Database [x] deleted in application [y]
DATABASE_CREATE	Database [x] created in application [y]
DATABASE_RENAMED	Database [x] renamed to [y] in application [z]
LCM_EXPORT_START	LCM export job started with file name [x]
LCM_EXPORT_END	LCM export job completed with file name [x] and job status [y]
LCM_IMPORT_START	LCM import started for application [x] with file name [y]
LCM_IMPORT_END	LCM import completed for application [x] with file name [y]
LCM_IMPORT_FAIL	LCM import failed for application [x] with file name [y]
DATA_LOAD_MAXL	The MaxL import data statement executed for application [x] and database [y] by user [z]
EXECUTE_MAXL	MaxL statement [x] executed from user [y]
LOAD_DATA_JOB_START	Data load job started using data file [x] and rule file [y]
LOAD_DATA_JOB_END	Data load job for data file [x] and rule file [y] completed with status [z]
LOAD_DATA_JOB_FAILED	Data load job failed due to [x]
DELETE_SESSION	Session [x] deleted

Example Auditing Policy File

<security-audit-policy>
   <audit_events_to_capture>SERVICE_ROLE_ASSIGN,LOGIN,LOGIN_FAIL,LOGOUT,SERVICE_ROLE_REVOKE,APPLICATION_ROLE_ASSIGN,APPLICATION_ROLE_REVOKE,ARTIFACT_UPLOADED,ARTIFACT_MODIFIED,ARTIFACT_DELETED,ARTIFACT_CREATE,ARTIFACT_RENAMED,LCM_EXPORT_START,LCM_EXPORT_END,LCM_IMPORT_START,LCM_IMPORT_END,LCM_IMPORT_FAIL,DATA_LOAD_MAXL,EXECUTE_MAXL</audit_events_to_capture>
   <audit_sinks>
      <audit_sink>
         <audit_sink_type>CSV</audit_sink_type>
         <max-file-size>50000000</max-file-size>
         <roll-nos>100</roll-nos>
      </audit_sink>

Review the Security Audit Log

The security audit log tracks information about each event defined in the auditing policy file.

To open the security audit log,

SSH to the Essbase server.
Navigate to <DOMAIN_HOME>/servers/serverName/logs/essbase/. If you do not know where <DOMAIN_HOME> is, see Environment Locations in the Essbase Platform.
Open and review the file, SecurityAuditLog_n.csv.

The security audit log includes the following information about each event:

Time - when the event occurred
Client - client IP address or hostname
Username - the user initiating the action
Session ID – the Essbase session ID
Event Type - the event type
Artifact Type - the type of artifact involved in the event
Artifact type examples:
- Artifact Type partition_file for Event Type ARTIFACT_UPLOADED
- Artifact Type Application for Event Type LCM_EXPORT_START
- Artifact Type User for Event Type APPLICATION_ROLE_ASSIGN
Artifact Name – the name of the artifact involved in the event. For example, a file name, username, or application name
Additional Info - additional information associated with the event
Description - description of the event
The description field is localized.