Real-time Monitoring Facets
The real-time monitoring rule definition includes facets that are used to determine what is important to monitor for a given target type, target properties, and entity type. A facet is a collection of patterns that make up one attribute of a target type.
The following sections explain real-time monitoring facets in detail:
About Real-time Monitoring Facets
A target type has several facets to it. A target type will have a facet of which files are critical configuration files, which files are log files, which files are executables, which database tables have sensitive configuration data, and so on. The sum of all of these facets for a given target type makes up everything that is important to monitor for the given target type in terms of compliance.
For a given target type, you can create any number of facets. A facet is not only for a specific target type, but for a specific target type plus a combination of some number of target type properties. For instance, creating a facet for a Host target type on Windows is different from creating a facet for a Host target type on Linux. A facet can have several target type properties or can be open to any target without specifying any properties.
Facets are reusable in many rules. The benefit is that you can add or remove entries from a facet without having to modify every rule. For instance, if today there are 5 log files you want to monitor, you can set up your rules to monitor a facet listing those 5 files. When a new log file should be added tomorrow, you only need to change the facet, not each rule.
Facets can be created on their own, or created inline with a Real-time Monitoring rule creation. No matter how they are created, they can be used again at a later time in any number of rules.
Real-time Monitoring facets based on target types are used to specify the entities to monitor in real-time monitoring rules. As an example, if monitoring a host for file changes, a facet can be a list of distinct single files, patterns with wildcards that would include many files, or simply an entire directory. These patterns can also include parameters that have a default, but can be overridden as needed for each target. Built-in parameters, such as ORACLE_HOME, will be dynamically filled in for each target. If you wanted to specify monitoring the database configuration file tnsnames.ora, your pattern may be {ORACLE_HOME}/network/admin/tnsnames.ora.
Facets can be used in two totally distinct ways. Primarily, facets describe what to monitor. In the rule creation wizard, these facets are selected on the wizard step "Entities to Monitor". Facets also can be used to filter your monitoring results. These filtering facets are specified on the Filters step of the rule creation wizard. When monitoring an OS file entity type for instance, you can filter your results based on the user that made a file change, the time the file change happened, or the process used to make the file change.
When performing continuous real-time monitoring, it is important to scope your monitoring only to critical entities. Monitoring more activity than is important to the organization will result in higher CPU loads on the Management Agent as well as a very large amount of data to be processed/stored by the Oracle Enterprise Manager servers.
Facet Entity Types
Each facet has an entity type which defines what kind of entities the facet describes. For example, for OS level monitoring, there are OS File, OS Process, OS User, Windows Registry, and several Active Directory entity types. For database monitoring, the entity types include Table, View, Index, Procedure among others. The possible entity types are fixed by the continuous real-time configuration change monitoring capabilities available from the Management Agent.
Creation of facets is possible through the Facet Library screen. In this screen, you can add/edit patterns for facets, and see which facets are being consumed by rules.
Given below are the entity types Cloud Control supports for real-time monitoring:
- OS File
- OS Process
- OS User
- Microsoft Windows Registry
- Microsoft Active Directory User
- Microsoft Active Directory Computer
- Microsoft Active Directory Group
- Oracle Database Dimension
- Oracle Database Synonym
- Oracle Database Type
- Oracle Database Table
- Oracle Database View
- Oracle Database Procedure
- Oracle Database User
- Oracle Database Index
- Oracle Database Sequence
- Oracle Database Function
- Oracle Database Profile
- Oracle Database Public Synonym
- Oracle Database Role
- Oracle Database Package
- Oracle Database Library
- Oracle Database Trigger
- Oracle Database Tablespace
- Oracle Database Materialized View
- Oracle Database Cluster
- Oracle Database Link
- Oracle Database Public DB Link
- Oracle Database Segment
- Oracle Database SQL Query Statement
Facet Patterns
A facet contains one or more patterns. These patterns can express inclusion or exclusion filters. For instance, you may define a facet for critical configuration files that looks like the following:
Include c:\myapp1\config
Exclude c:\myapp1\config\dummy.cfg
In this case, everything under c:\myapp1\config will be considered to be a member of this facet except for the individual file c:\myapp1\config\dummy.cfg. In general there are some rules to how patterns work given the most common use cases listed below. Each entity type might have special cases or special formats of patterns.
- When two patterns of the same specificity conflict, one being an include and the other an exclude, the include wins.
- Patterns that are more specific override less specific ones (in the previous example, exclude dummy.cfg overrides the include inherited from the first pattern).
- If there are no patterns at all, exclude * is assumed (that is, no entities are in the facet).
For each pattern that you add to a facet, an optional description field is available to let you document the pattern.
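The precedence rules above and the {ORACLE_HOME} parameter substitution described earlier, worked through as an added example (this is not Oracle's implementation and not part of the original documentation). It assumes that specificity is the number of path components in a pattern, that a pattern covers the named entity and everything beneath it, and that parameters come from a per-target dictionary; all function names, facets and the ORACLE_HOME value are constructed.

```python
import fnmatch
import re

def expand(pattern, params):
    """Fill {NAME} placeholders (for example {ORACLE_HOME}) from per-target values."""
    # A missing parameter raises KeyError instead of silently monitoring nothing.
    return re.sub(r"\{(\w+)\}", lambda m: params[m.group(1)], pattern)

def _parts(path, case_sensitive):
    # Treat \ and / alike so Windows and POSIX paths are split the same way.
    path = path.replace("\\", "/")
    if not case_sensitive:
        path = path.lower()
    return [p for p in path.split("/") if p]

def _covers(pat, ent):
    # Assumed semantics: a pattern covers the named entity and everything under it;
    # each component may contain shell-style wildcards (* ? []).
    return len(pat) <= len(ent) and all(
        fnmatch.fnmatchcase(e, p) for p, e in zip(pat, ent))

def in_facet(entity, patterns, params=None, case_sensitive=True):
    """patterns is a list of (action, pattern), action "include" or "exclude"."""
    ent = _parts(entity, case_sensitive)
    best = None
    for action, raw in patterns:
        pat = _parts(expand(raw, params or {}), case_sensitive)
        if _covers(pat, ent):
            # Rank by (specificity, is_include): the more specific pattern wins,
            # and on equal specificity True > False, so the include wins.
            rank = (len(pat), action == "include")
            best = rank if best is None else max(best, rank)
    # No matching pattern (or no patterns at all) means "exclude *".
    return best is not None and best[1]

# Constructed sample facets; the first is the example from the text.
CONFIG_FACET = [("include", r"c:\myapp1\config"),
                ("exclude", r"c:\myapp1\config\dummy.cfg")]
TNS_FACET = [("include", "{ORACLE_HOME}/network/admin/tnsnames.ora")]
ORACLE_PARAMS = {"ORACLE_HOME": "/u01/app/oracle/product/19c"}  # constructed value

if __name__ == "__main__":
    for f in (r"c:\myapp1\config\app.cfg", r"c:\MyApp1\Config\dummy.cfg"):
        print(f, in_facet(f, CONFIG_FACET, case_sensitive=False))
```

Running a candidate facet through a check like this before attaching it to a rule shows whether a broad include quietly pulls in files that only a more specific exclude would keep out of monitoring.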
Operations on Facets
The following sections explain the operations you can perform on facets:
- Viewing the Facet Library
- Creating and Editing Facets
- Creating and Editing Facet Folders
- Deleting a Facet
- Using Create Like to Create a New Facet
- Importing and Exporting Facets
- Changing Base Facet Attributes Not Yet Used In a Rule
Ensure you have the privileges to create, delete, and modify facets as these configurations relate to the compliance monitoring. See Roles and Privileges Needed for Compliance Features for information.
Viewing the Facet Library
Any user who can view observation data is able to also view the facet library and see the facet history for any facet.
There are two ways to view the facet library, search mode and browse mode. In search mode, all facets meeting the search criteria are shown in a flat list. In browse mode, facets are shown along with a folder hierarchy that the facets belong to. This folder structure can help users manage a very large number of facets in Cloud Control.
To view the facet library in search mode, follow these steps:
- From the Enterprise menu, select Compliance, then select Library.
- Choose the Real-time Monitoring Facets Library tab.
  Cloud Control displays the Facet Library page that lists all existing facets along with their target type, entity type, and other details about the facet. From this page you can perform administrative tasks such as create, create like, view, delete, import, and export if you have the audit author role.
- Click the Search Facets tab.
  The Facet Library page displays the Facet Name, Author, Target Type, Entity Type, Rules Using the facet, Description, and the Last Updated time of the facet. You can see the details of any facet by selecting it from the table and clicking Show Details.
- You can choose which columns to display in the table by clicking View and then choosing Columns. You can either choose to Show All columns or you can select individually the columns you want to appear in the table. You can reorder the columns by clicking Reorder after you click View and then changing the order in which the columns appear by moving them up or down using the arrow keys.
- You can expand the area of the page titled "Search" to choose the search criteria to apply to the view of facets.
- You can view a history of a selected facet by choosing it from the table and then clicking History. The View History page appears.
To view the facet library in browse mode, follow these steps:
Creating and Editing Facets
When you create a facet and subsequently use a facet in a Real-time Monitoring Compliance Standard Rule, the compliance rule only references the facet. If the content changes, then the rule will use the new content automatically.
The content of the facet only begins being used when it is added to a rule that is part of a compliance standard that is associated to one or more targets.
Each facet is assigned a description that allows you to document the facet. Each pattern also has an optional description field.
To create or edit a facet, follow these steps:
Creating and Editing Facet Folders
When viewing the facets in Browse Facets mode, you will see two regions on the page. The left side will show the facet folders which exist. The right side will show the facets that exist in the currently selected folder. On the left side showing the folders, there are three actions available for folders.
- Create: Allows you to create a new folder. A popup will display asking for the folder name to create. You will also have the choice of making this new folder a top level folder or adding it as a child to the currently selected folder.
- Rename: Allows you to rename an existing user-defined folder.
- Delete: Allows you to delete a user-defined folder. You cannot delete a folder that has facets or other folders inside of it.
You cannot delete, rename or move out-of-the-box folders that are populated by Oracle.
There is a default folder that exists called Unfiled. Anytime a facet is created or imported without specifying a folder, it will go into this Unfiled folder.
You can move facets into folders by simply finding the facet you want to move in the right side, selecting it and dragging it to the folder on the left where you want to place it. The facet will move to that folder. A facet can only belong to one folder at a time and it always must belong to a folder (even if it is just the Unfiled folder). You can also click on the facet and click on the MOVE button. A popup window will appear letting you choose which folder to move the facet to.
Folders have no impact on observation analysis or compliance score. They are only used in the Real-Time Monitoring Facets library screen to make it easier to manage a very large number of facets that exist.
Deleting a Facet
Deleting a facet is not possible as long as the facet is in use either as a monitoring facet in a rule or as a filter facet in a rule. If this facet is not in use in any rules, then the facet can be deleted. If a facet is in use, the user is alerted to the current use and not allowed to delete the facet until the rules using it are modified to no longer include it.
When deleting a facet, any historic observation data will no longer be referenced to the facet and instead it will show "(Deleted Facet)" as the name of the facet to which it is related. This observation data will only be available through the Search Observations page, not the Browse pages.
Compliance-focused customers typically want to keep an unused facet available so that the compliance data is not lost. You can also remove the patterns, as long as you keep the facet itself, to maintain collected observations. Only after the compliance data related to the old facet is no longer available can you delete the facet without any data loss.
To delete a facet, follow these steps:
Using Create Like to Create a New Facet
Facets that ship with the product or with a plug-in cannot be changed. If you want to enhance or modify the Oracle provided content, you must use the create-like functionality to make your own copy of the facet which can then subsequently be edited.
An important limitation to the Create Like function is that you cannot change the target type or entity type. The patterns contained in the facet may be dependent on target type or entity type. If you want to use Create Like and change these attributes, you should use Export to export the original facet, edit the name, target type, entity type in the XML, and then import as a new facet.
To use create like to create a new facet, follow these steps:
Importing and Exporting Facets
You can select facets and export or import them. All selected facets will be exported into one output file.
On import, if a facet of the same name/target type/entity type combination already exists, the import fails with an error that the facet already exists. The user must change the import file to remove the duplicate name and retry the import.
The combination of name, target type, and entity type defines a unique facet. You can have a facet with the same name across different target types and entity types.
To export a facet, follow these steps:
- From the Enterprise menu, select Compliance, then select Library.
- Choose the Real-time Monitoring Facets Library tab.
  Cloud Control displays the Facet Library page that lists all existing facets along with their target type, entity type, and other details about the facet. From this page you can perform administrative tasks such as create, create like, view, delete, import, and export.
- Select one or more facets from the list of facets on the Facet Library page that you want to export and then click Export.
- On the Open dialog box, you can choose to open or save the facet XML file using an XML editor of your choice and then either edit or save the file to another location.
To import a facet, follow these steps:
Changing Base Facet Attributes Not Yet Used In a Rule
After a facet is in use in at least one rule (either as a monitoring facet or as a filter facet), you cannot change the facet name, target type, entity type, or target criteria of the facet since the rules that have been created are already bound to these attributes. The only attributes that can be changed are the facet patterns, parameters and description fields. Although the rule is not dependent on the facet name, users have chosen facets for their rules based on the facet name. Allowing the name of the facet to change after consumption will only lead to confusion for the rule authors when analyzing compliance results and observations.
If a facet is not currently in use but has been in use in the past, then it is treated the same as an in-use facet since the historic observation data will still be tied to the past facet.
You cannot make changes to the Oracle provided facets that ship with the Cloud Control product. If you want to use an Oracle provided facet with changes, you can perform a "Create Like" operation and then modify the newly created facet as needed.
To change base facet attributes, follow these steps: