3 Audit Logging Feature

The Audit Logging Feature of Oracle Advanced Services Gateway provides audit information for three different categories of system events. The three categories are:

  • Outbound Network Connections: The Linux firewall service (iptables) triggers notifications for all outbound network traffic with the exception of traffic to Oracle managed hosts used for monitoring and management (for example, Oracle VPN end points, dts.oracle.com, support.oracle.com).
  • Outbound Login Activity: The Linux auditing service (auditd) triggers notifications for all outbound login attempts initiated from Oracle Advanced Services Gateway. This is done by monitoring usage of the ssh and telnet system binaries. Oracle Advanced Services Gateway sends a message that ssh or telnet has been used, by which user, and when. The destination is not provided. auditd logs contain that information. auditd logs are not directly accessible by the customer on Oracle Advanced Services Gateway.
  • Inbound Oracle Advanced Services Gateway User Login Activity: The Linux auditing service (auditd) triggers notifications each time any of the system logs used for tracking logins is updated. This includes failed logins and successful login attempts. It also triggers a notification each time a user logs in from a remote system. These activities are monitored using auditd and forwarded to the customer's central logging system.

All audit notifications are delivered using standard syslog protocol. A central logging system must be provided to accept and process these messages.

The format of most of these messages is based on auditd. They can be managed using various auditd and related utilities.
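The central logging system has to recognise which of the three categories each forwarded message belongs to before it can route or alert on it. The following Python receiver-side parser is an added example, not code from Oracle or from the gateway: it splits an RFC 3164 style syslog line into facility, severity, host and body, extracts the key=value tokens that auditd records and iptables LOG lines share, and tags each event as firewall, ssh or session. The message shapes (the binaries auditd reports in `exe=`, the auditd record types treated as login activity, the iptables field names) and the sample lines are assumptions constructed for the example; adjust them to what your gateway actually emits.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# RFC 3164 style framing: <PRI>Mmm dd hh:mm:ss host message
_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)
# key=value tokens as emitted by auditd records and iptables LOG lines
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')

# Assumption: outbound login attempts show up as auditd records whose exe is one of these.
_OUTBOUND_LOGIN_BINARIES = {"/usr/bin/ssh", "/usr/bin/telnet"}
# Assumption: inbound login activity arrives as these auditd record types.
_SESSION_TYPES = {"LOGIN", "USER_LOGIN", "USER_AUTH", "USER_START", "USER_END"}


@dataclass
class AuditEvent:
    facility: int
    severity: int
    host: str
    category: str          # firewall | ssh | session | other
    fields: Dict[str, str]
    raw: str


def parse_kv(msg: str) -> Dict[str, str]:
    """Collect key=value tokens; a repeated key keeps its last value."""
    return {k: v.strip('"') for k, v in _KV_RE.findall(msg)}


def classify(fields: Dict[str, str]) -> str:
    """Map a parsed message to one of the three audit categories the gateway forwards."""
    if {"IN", "OUT", "DST"}.issubset(fields):
        return "firewall"      # iptables LOG record for an outbound connection
    if fields.get("exe") in _OUTBOUND_LOGIN_BINARIES:
        return "ssh"           # ssh or telnet was executed on the gateway
    if fields.get("type") in _SESSION_TYPES:
        return "session"       # login activity tracked through auditd
    return "other"


def parse_syslog_line(line: str) -> Optional[AuditEvent]:
    """Return an AuditEvent, or None when the line is not a syslog message."""
    m = _SYSLOG_RE.match(line)
    if m is None:
        return None
    pri = int(m.group("pri"))
    fields = parse_kv(m.group("msg"))
    return AuditEvent(
        facility=pri // 8, severity=pri % 8, host=m.group("host"),
        category=classify(fields), fields=fields, raw=line,
    )


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count events per category; lines that do not parse are skipped."""
    counts = {"firewall": 0, "ssh": 0, "session": 0, "other": 0}
    for line in lines:
        ev = parse_syslog_line(line)
        if ev is not None:
            counts[ev.category] += 1
    return counts


# Constructed sample messages, one per category (not captured from a real gateway).
SAMPLE_LINES = [
    "<4>Nov 12 10:15:01 asg-gw kernel: iptables-out: IN= OUT=eth0 SRC=10.0.0.5 "
    "DST=198.51.100.7 LEN=60 PROTO=TCP SPT=44321 DPT=443",
    "<14>Nov 12 10:16:30 asg-gw audispd: type=SYSCALL msg=audit(1699784190.101:77): "
    'syscall=59 success=yes uid=1001 auid=1001 exe="/usr/bin/ssh" key="outbound-login"',
    "<86>Nov 12 10:18:02 asg-gw audispd: type=USER_LOGIN msg=audit(1699784282.555:80): "
    "pid=2211 uid=0 auid=1001 ses=5 msg='op=login id=1001 exe=\"/usr/sbin/sshd\" "
    "addr=10.0.0.9 terminal=/dev/pts/0 res=success'",
]

if __name__ == "__main__":
    for ev in map(parse_syslog_line, SAMPLE_LINES):
        print(f"{ev.category:8} facility={ev.facility} severity={ev.severity} host={ev.host}")
    print(summarize(SAMPLE_LINES))
```

The facility and severity come straight from the PRI value (facility = PRI // 8, severity = PRI % 8), which is what a collector filters on before it ever looks at the body; the category tagging is what lets the three feeds be stored and alerted on separately even though they arrive over the same syslog channel.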

The audit logging feature is disabled by default, and must be explicitly enabled through the Oracle Advanced Services Gateway command line interface (CLI). The details of how to configure this feature are explained in the following section:

Initial Login.

  1. Use ssh to connect to Oracle Advanced Services Gateway.

    Use the customer administrator account configured at installation time or any other user with the customer administrator role.

  2. At the first (CLI or CLISH) prompt, enter the password.
  3. At the next prompt enter configure terminal.
  4. At the next prompt enter syslog.

You are now in the syslog-specific section of the Oracle Advanced Services Gateway CLI where you can configure forwarding.

Table 3-1 Available Commands

  help
      To display a list of available commands.

  ?
      To display a brief explanation of how to enter commands in the CLI.

  stat
      To display the current configuration. This produces a display similar to the following:

      ------------- SyslogBroadcaster Configuration------------
                      Message Forward Status = enabled
                      Host IP Address = 1.2.3.4
                      Host Port Number = 514
                      Host Time Zone = GMT
                      firewall Message Forward = enabled
                      ssh Message Forward = enabled
                      session Message Forward = enabled
                      UID/GUID Map = enabled
                      ICMP Type 0 and 8 = enabled
                      -----------------------------------------------------------

  forward enable
      To enable syslog forwarding.

  forward disable
      To disable syslog forwarding.

  ip <ip address>
      To enter the IP address of the remote syslog server (the one receiving the forwarded messages). You must enter a valid IP address, not a host name.

  port <port #>
      To change the port used for forwarding syslog messages.

  timezone <value>
      To set the time zone used in the forwarded syslog messages. The value must be -12 to +12, which is the offset from GMT.

  mapping enable
  mapping disable
      To enable or disable converting the uid and guid contained in each message to the corresponding Unix user and group name.
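Because forwarding is off by default and a silently wrong target address or a disabled category means audit events never reach the collector, it is worth checking the `stat` display against what you intended to configure. The following Python script is an added example, not Oracle's code: it validates the three CLI arguments the table constrains (`ip` must be an address literal, `port` a valid port number, `timezone` an offset from -12 to +12) and parses a pasted `stat` display into settings that are compared with the expected collector address, port and the three message categories. The sample display is the one shown in the table; the setting names are taken from it and the collector values are assumptions.

```python
import ipaddress
import re
from typing import Dict, List


def validate_ip(value: str) -> str:
    """'ip <ip address>': must be a literal IP address, never a host name."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        raise ValueError(f"not an IP address literal: {value!r}") from None


def validate_port(value: str) -> int:
    """'port <port #>': any valid port number; 514 is the usual syslog port."""
    port = int(value)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port


def validate_timezone(value: str) -> int:
    """'timezone <value>': offset from GMT, -12 to +12 inclusive."""
    tz = int(value)            # int() accepts "+5", "-12" and "0"
    if not -12 <= tz <= 12:
        raise ValueError(f"timezone offset out of range: {tz}")
    return tz


# One "Setting Name = value" line of the stat display; rule lines have no '=' and are skipped.
_STAT_LINE = re.compile(r"^\s*(?P<key>[^=]+?)\s*=\s*(?P<val>\S+)\s*$")


def parse_stat(output: str) -> Dict[str, str]:
    """Turn the text of the 'stat' display into a {setting: value} dict."""
    cfg: Dict[str, str] = {}
    for line in output.splitlines():
        m = _STAT_LINE.match(line)
        if m:
            cfg[m.group("key")] = m.group("val")
    return cfg


def check_forwarding(cfg: Dict[str, str], collector_ip: str, collector_port: int) -> List[str]:
    """Return a list of findings; an empty list means the display matches the intended setup."""
    findings = []
    if cfg.get("Message Forward Status") != "enabled":
        findings.append("syslog forwarding is disabled")
    if cfg.get("Host IP Address") != collector_ip:
        findings.append(f"forwarding to {cfg.get('Host IP Address')}, expected {collector_ip}")
    if cfg.get("Host Port Number") != str(collector_port):
        findings.append(f"forwarding to port {cfg.get('Host Port Number')}, expected {collector_port}")
    for category in ("firewall", "ssh", "session"):
        if cfg.get(f"{category} Message Forward") != "enabled":
            findings.append(f"{category} messages are not forwarded")
    return findings


# Sample display as shown in Table 3-1 (the collector address 1.2.3.4 is the table's example value).
SAMPLE_STAT = """\
------------- SyslogBroadcaster Configuration------------
                Message Forward Status = enabled
                Host IP Address = 1.2.3.4
                Host Port Number = 514
                Host Time Zone = GMT
                firewall Message Forward = enabled
                ssh Message Forward = enabled
                session Message Forward = enabled
                UID/GUID Map = enabled
                ICMP Type 0 and 8 = enabled
                -----------------------------------------------------------
"""

if __name__ == "__main__":
    # Assumed intended collector; change to your own central logging system.
    collector = validate_ip("1.2.3.4")
    port = validate_port("514")
    cfg = parse_stat(SAMPLE_STAT)
    problems = check_forwarding(cfg, collector, port)
    print("OK" if not problems else "\n".join(problems))
```

Run it after each `stat` by pasting the display into `SAMPLE_STAT` (or reading it from a file); a non-empty finding list is the signal to go back into the `syslog` section of the CLI before trusting the collector's view of the gateway.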