Real-time Monitoring Facets

The real-time monitoring rule definition includes facets that are used to determine what is important to monitor for a given target type, target properties, and entity type. A facet is a collection of patterns that make up one attribute of a target type.

The following sections explain real-time monitoring facets in detail:

About Real-time Monitoring Facets

A target type has several facets to it. A target type will have a facet of which files are critical configuration files, which files are log files, which files are executables, which database tables have sensitive configuration data, and so on. The sum of all of these facets for a given target type makes up everything that is important to monitor for the given target type in terms of compliance.

For a given target type, you can create any number of facets. A facet is not only for a specific target type, but for a specific target type plus a combination of some number of target type properties. For instance, creating a facet for a Host Target Type on Windows is different than creating a facet for a Host Target type on Linux. A facet can have several target type properties or can be open to any target without specifying any properties.

Facets are reusable in many rules. The benefit is that you can add or remove entries from a facet without having to modify every rule. For instance, if today there are 5 log files you want to monitor, you can set up your rules to monitor a facet listing those 5 files. When a new log file should be added tomorrow, you only need to change the facet, not each rule.

Facets can be created on their own, or created inline with a Real-time Monitoring rule creation. No matter how they are created, they can be used again at a later time in any number of rules.

Real-time Monitoring facets based on target types are used to specify the entities to monitor in real-time monitoring rules. As an example, if monitoring a host for file changes, a facet can be a list of distinct single files, patterns with wildcards that would include many files, or simply an entire directory. These patterns can also include parameters that have a default, but can be overridden as needed for each target. Built-in parameters, such as ORACLE_HOME, will be dynamically filled in for each target. If you wanted to specify monitoring the database configuration file tnsnames.ora, your pattern may be {ORACLE_HOME}/network/admin/tnsnames.ora.

Facets can be used in two totally distinct ways. Primarily, facets describe what to monitor. In the rule creation wizard, these facets are selected on the wizard step "Entities to Monitor". Facets also can be used to filter your monitoring results. These filtering facets are specified on the Filters step of the rule creation wizard. When monitoring an OS file entity type for instance, you can filter your results based on the user that made a file change, the time the file change happened, or the process used to make the file change.

When performing continuous real-time monitoring, it is important to scope your monitoring only to critical entities. Monitoring more activity than is important to the organization will result in higher CPU loads on the Management Agent as well as a very large amount of data to be processed/stored by the Oracle Enterprise Manager servers.

Facet Entity Types

Each facet has an entity type which defines what kind of entities the facet describes. For example, for OS level monitoring, there are OS File, OS Process, OS User, Windows Registry, and several Active Directory entity types. For database monitoring, the entity types include Table, View, Index, Procedure among others. The possible entity types are fixed by the continuous real-time configuration change monitoring capabilities available from the Management Agent.

Creation of facets is possible through the Facet Library screen. In this screen, you can add/edit patterns for facets, and see which facets are being consumed by rules.

Given below are the entity types Cloud Control supports for real-time monitoring:

  • OS File

  • OS Process

  • OS User

  • Microsoft Windows Registry

  • Microsoft Active Directory User

  • Microsoft Active Directory Computer

  • Microsoft Active Directory Group

  • Oracle Database Dimension

  • Oracle Database Synonym

  • Oracle Database Type

  • Oracle Database Table

  • Oracle Database View

  • Oracle Database Procedure

  • Oracle Database User

  • Oracle Database Index

  • Oracle Database Sequence

  • Oracle Database Function

  • Oracle Database Profile

  • Oracle Database Public Synonym

  • Oracle Database Role

  • Oracle Database Package

  • Oracle Database Library

  • Oracle Database Trigger

  • Oracle Database Tablespace

  • Oracle Database Materialized View

  • Oracle Database Cluster

  • Oracle Database Link

  • Oracle Database Public DB Link

  • Oracle Database Segment

  • Oracle Database SQL Query Statement

Facet Patterns

A facet contains one or more patterns. These patterns can express inclusion or exclusion filters. For instance, you may define a facet for critical configuration files that looks like the following:

Include c:\myapp1\config

Exclude c:\myapp1\config\dummy.cfg

In this case, everything under c:\myapp1\config will be considered to be a member of this facet except for the individual file c:\myapp1\config\dummy.cfg. In general, patterns follow the rules listed below, which cover the most common use cases. Each entity type might have special cases or special pattern formats.

  • When two patterns of the same specificity conflict, one an include and one an exclude, the include wins.

  • More specific patterns override less specific ones (as in the previous example, where exclude dummy.cfg overrides the include inherited from the first pattern).

  • If there are no patterns at all, exclude * is assumed (that is, no entities are in the facet).
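The three rules above can be checked against a list of candidate paths before a facet is put into a rule. The following Python sketch is an added example, not Oracle code and not the Management Agent's matching logic; it assumes that "specificity" means the number of path components in a pattern, with literal components ranking above wildcard ones, and that Windows paths compare case-insensitively.

```python
from fnmatch import fnmatchcase
from pathlib import PureWindowsPath

WILDCARDS = "*?["

def _parts(path):
    # Split a Windows path into lower-cased components (assumed case-insensitive).
    return tuple(p.lower() for p in PureWindowsPath(path).parts)

def _specificity(pattern, path):
    """Return (depth, literal_components) if pattern covers path, else None.

    A pattern covers the entity it names and everything beneath it, so
    c:\\myapp1\\config covers every file under that directory.
    """
    pat, ent = _parts(pattern), _parts(path)
    if len(pat) > len(ent):
        return None
    if not all(fnmatchcase(e, p) for p, e in zip(pat, ent)):
        return None
    literal = sum(1 for p in pat if not any(c in p for c in WILDCARDS))
    return (len(pat), literal)

def in_facet(patterns, path):
    """Decide facet membership for one path.

    patterns is a list of ("include" | "exclude", pattern) pairs.
    Rule 1: on equal specificity the include wins.
    Rule 2: the most specific matching pattern decides.
    Rule 3: with no patterns (or no match) the path is excluded.
    """
    best = None
    for action, pattern in patterns:
        spec = _specificity(pattern, path)
        if spec is None:
            continue
        # True sorts above False, so an include beats an exclude on a tie.
        candidate = (spec, action == "include")
        if best is None or candidate > best:
            best = candidate
    return best is not None and best[1]

# The facet from the text above.
CRITICAL_CONFIG = [
    ("include", r"c:\myapp1\config"),
    ("exclude", r"c:\myapp1\config\dummy.cfg"),
]

if __name__ == "__main__":
    # Constructed sample paths.
    for sample in (r"c:\myapp1\config\main.cfg",
                   r"C:\myapp1\config\dummy.cfg",
                   r"c:\myapp1\logs\app.log"):
        print(sample, "->", "monitored" if in_facet(CRITICAL_CONFIG, sample) else "ignored")
```

Running a list of the files you consider critical through such a check shows which ones an exclude pattern would silently drop from monitoring.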

For each pattern that you add to a facet, an optional description field is available to let you document the pattern.

Operations on Facets

The following sections explain the operations you can perform on facets:

Ensure you have the privileges to create, delete, and modify facets as these configurations relate to the compliance monitoring. See Roles and Privileges Needed for Compliance Features for information.

Viewing the Facet Library

Any user who can view observation data is able to also view the facet library and see the facet history for any facet.

There are two ways to view the facet library, search mode and browse mode. In search mode, all facets meeting the search criteria are shown in a flat list. In browse mode, facets are shown along with a folder hierarchy that the facets belong to. This folder structure can help users manage a very large number of facets in Cloud Control.

To view the facet library in search mode, follow these steps:

  1. From the Enterprise menu, select Compliance, then select Library.

  2. Choose the Real-time Monitoring Facets Library tab.

    Cloud Control displays the Facet Library page that lists all existing facets along with their target type, entity type, and other details about the facet. From this page you can perform administrative tasks such as create, create like, view, delete, import, and export if you have the audit author role.

  3. Click the Search Facets tab.

    The Facet Library page displays the Facet Name, Author, Target Type, Entity Type, Rules Using the facet, Description, and the Last Updated time of the facet. You can see the details of any facet by selecting it from the table and clicking Show Details.

  4. You can choose which columns to display in the table by clicking View and then choosing Columns. You can either choose to Show All columns or you can select individually the columns you want to appear in the table. You can reorder the columns by clicking Reorder after you click View and then changing the order in which the columns appear by moving them up or down using the arrow keys.

  5. You can expand the area of the page titled "Search" to choose the search criteria to apply to the view of facets.

  6. You can view a history of a selected facet by choosing it from the table and then clicking History. The View History page appears.

To view the facet library in browse mode, follow these steps:

  1. From the Enterprise menu, select Compliance, then select Library.
  2. Choose the Real-time Monitoring Facets Library tab.

    Cloud Control displays the Facet Library page that lists all existing facets along with their target type, entity type, and other details about the facet. From this page you can perform administrative tasks such as create, create like, view, delete, import, and export if you have the audit author role.

  3. Click the Browse Facets tab.

    The Facet Library page that is shown is split into two views. The left side shows the facet folder hierarchy. The right side lists facets in the folder that is selected on the left. The table on the left displays the Facet Name, Author, Target Type, Entity Type, Rules Using the facet, Description, and the Last Updated time of the facet. You can see the details of any facet by selecting it from the table and clicking Show Details.

  4. You can choose which columns to display in the table by clicking View and then choosing Columns. You can either choose to Show All columns or you can select individually the columns you want to appear in the table. You can reorder the columns by clicking Reorder after you click View and then changing the order in which the columns appear by moving them up or down using the arrow keys.
  5. The only filtering allowed on this screen is by selecting a different folder. You will always see the facets that are in the selected folder only.
  6. You can view a history of a selected facet by choosing it from the table and then clicking History. The View History page displays.

Creating and Editing Facets

When you create a facet and subsequently use a facet in a Real-time Monitoring Compliance Standard Rule, the compliance rule only references the facet. If the content changes, then the rule will use the new content automatically.

The content of the facet only begins being used when it is added to a rule that is part of a compliance standard that is associated to one or more targets.

Each facet is assigned a description that allows you to document the facet. Each pattern also has an optional description field.

To create or edit a facet, follow these steps:

  1. From the Enterprise menu, select Compliance, then select Library.
  2. Choose the Real-time Monitoring Facets Library tab.

    Cloud Control displays the Facet Library page that lists all existing facets along with their target type, entity type, and other details about the facet. From this page you can perform administrative tasks such as create, create like, view, delete, import, and export. There are two views when looking at this page, search or browse. In the search view, all facets are listed in a flat list. In the browse view, facets are grouped in folders to make it easier to find facets.

  3. Click Create to create a new facet.
  4. Choose which facet folder this facet should belong to. If you have not yet created the folder for it, you can add it to the Unfiled folder. This folder always exists and cannot be removed. Later you can move the facet to a new folder you create using drag-and-drop in the UI from the Unfiled folder to the new folder.
  5. Enter the name you want to assign to the facet in the Facet Name field, then choose the target type for the facet you are creating from the drop-down list in the Target Type field. Once you choose the Target Type, you can enter values in the Target Property Filter fields.

    The target properties you add here limit which targets to which this facet can ultimately be assigned. For instance, you could define a facet to work only for Linux version 5 on 64-bit servers.

  6. Choose the Entity Type from the drop-down. This list will be limited depending on the target type chosen previously.
  7. Enter a description for the facet in the Description field.
  8. The Create Facet page contains two tabs you can use to enter the patterns and parameters for the facet you create. Use the Patterns tab to add patterns to be either Included or Excluded. Use the Add or Delete buttons to add additional patterns or to remove a selected pattern from the facet definition. There is a bulk add button which will bring up a popup window where you can paste text listing patterns rather than entering each in the UI manually.
  9. If you are defining a facet for the OS File entity type, there is an optional ability to browse a host to find the files you want to monitor. The right side of the page has an area where you can choose the host to use as the basis for looking for files. In the pattern area, you can click the Browse button to interactively browse the files on the selected host and select the files to include in the pattern. After selecting patterns from a host, you can continue to manually add more or edit existing ones.
  10. Use the Parameters tab to view parameters that are part of the new facet. Oracle provides a set of predefined parameters based on target parameters (such as ORACLE_HOME) that are defined out of the box. These parameters do not require a default value and are always set according to the target's value. Parameters will appear under this tab when they are used in a pattern. To start using a new parameter, simply add the parameter to the pattern by enclosing it in curly brackets {}. For instance, a pattern of {INSTALL_DIR}\config\main.conf would result in a parameter of INSTALL_DIR being listed under this tab. All parameters must have a default value that will be automatically used for all targets against which this facet is used. This value can be overridden when associating a compliance standard containing a real-time monitoring rule to one or more targets. The Parameters tab displays the Parameter Name, Default Value, Used in Pattern, and Description. Used in Pattern indicates that the parameter is currently in use. This parameter may have been defined at some point in a pattern and then removed. The pattern will still be available for use again at a later time even if the pattern is not currently in use. If the entity for which you are adding a pattern includes a "{" or "}", you can escape these characters by using "{{}" and "{}}" in the pattern respectively. These will not be counted as parameters.
  11. A third tab, Time Window, is only available if the facet being created or edited is of entity type Time Window. A facet of this entity type is only usable as a filter in a Real-time monitoring rule. For instance, you can specify in the rule that you only want to monitor a facet during a specific time, for example, "Production Hours". In the Duration section, choose either a 24 Hour Interval or Limit Hours to, which allows you to enter a Start time and an Interval in Hours and Minutes. In the Repeating section, you can choose either All the time or you can select Repeat and then choose which days of the week to repeat the operation.
  12. Choose OK to create the facet.
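The parameter syntax described in step 10, and used in the {ORACLE_HOME}/network/admin/tnsnames.ora pattern earlier, can be illustrated with a small resolver. This Python sketch is an added example, not Oracle code; the function names, the allowed characters in a parameter name, and the sample directory values are assumptions made for the illustration.

```python
import re

# "{{}" is a literal "{", "{}}" is a literal "}", "{NAME}" is a parameter.
# Assumption: parameter names use letters, digits and underscores.
_TOKEN = re.compile(r"(\{\{\})|(\{\}\})|\{([A-Za-z_][A-Za-z0-9_]*)\}")

def parameters(pattern):
    """Names of the parameters used in a pattern, in order of first use.

    Escaped braces are skipped, so they are not counted as parameters.
    """
    names = []
    for match in _TOKEN.finditer(pattern):
        name = match.group(3)
        if name and name not in names:
            names.append(name)
    return names

def expand(pattern, defaults, overrides=None, builtins=None):
    """Resolve a pattern for one target.

    defaults  - facet-level default values
    overrides - values supplied when the compliance standard is
                associated with the target
    builtins  - target-provided values such as ORACLE_HOME, which are
                always taken from the target
    """
    values = {**defaults, **(overrides or {}), **(builtins or {})}

    def substitute(match):
        if match.group(1):
            return "{"
        if match.group(2):
            return "}"
        name = match.group(3)
        if name not in values:
            raise KeyError(f"parameter {name} has no default or target value")
        return values[name]

    return _TOKEN.sub(substitute, pattern)

if __name__ == "__main__":
    pattern = r"{INSTALL_DIR}\config\main.conf"
    print(parameters(pattern))
    # Constructed values: a facet default and a per-target override.
    print(expand(pattern, {"INSTALL_DIR": r"c:\myapp1"}))
    print(expand(pattern, {"INSTALL_DIR": r"c:\myapp1"},
                 overrides={"INSTALL_DIR": r"d:\apps\myapp1"}))
```

Expanding each pattern with the values of a specific target shows the concrete paths that target would be monitored for, which is the quickest way to catch a default that does not fit a non-standard installation.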

Creating and Editing Facet Folders

When viewing the facets in Browse Facets mode, you will see two regions on the page. The left side will show the facet folders which exist. The right side will show the facets that exist in the currently selected folder. On the left side showing the folders, there are three actions available for folders.

  • Create: Allows you to create a new folder. A popup will display asking for the folder name to create. You will also have the choice of making this new folder a top level folder or adding it as a child to the currently selected folder.

  • Rename: Allows you to rename an existing user-defined folder.

  • Delete: Allows you to delete a user-defined folder. You cannot delete a folder that has facets or other folders inside of it.

You cannot delete, rename or move out-of-the-box folders that are populated by Oracle.

There is a default folder that exists called Unfiled. Anytime a facet is created or imported without specifying a folder, it will go into this Unfiled folder.

You can move facets into folders by simply finding the facet you want to move in the right side, selecting it and dragging it to the folder on the left where you want to place it. The facet will move to that folder. A facet can only belong to one folder at a time and it always must belong to a folder (even if it is just the Unfiled folder). You can also click on the facet and click on the MOVE button. A popup window will appear letting you choose which folder to move the facet to.

Folders have no impact on observation analysis or compliance score. They are only used in the Real-Time Monitoring Facets library screen to make it easier to manage a very large number of facets that exist.

Deleting a Facet

Deleting a facet is not possible as long as the facet is in use either as a monitoring facet in a rule or as a filter facet in a rule. If this facet is not in use in any rules, then the facet can be deleted. If a facet is in use, the user is alerted to the current use and not allowed to delete the facet until the rules using it are modified to no longer include it.

When deleting a facet, any historic observation data will no longer be referenced to the facet and instead it will show "(Deleted Facet)" as the name of the facet to which it is related. This observation data will only be available through the Search Observations page, not the Browse pages.

Compliance-focused customers typically want to keep the unused facet available so the compliance data is not lost. You can also remove the patterns as long as you keep the actual facet to maintain collected observations. Then only after the compliance data related to this old facet is no longer available, you can delete the facet without any data loss.

To delete a facet, follow these steps:

  1. From the Enterprise menu, select Compliance, then select Library.
  2. Choose the Real-time Monitoring Facets Library tab.

    Cloud Control displays the Facet Library page that lists all existing facets along with their target type, entity type, and other details about the facet. From this page you can perform administrative tasks such as create, create like, view, delete, import, and export.

  3. Select the facet from the list of facets in the table on the page.
  4. Click Delete to delete the facet. You will be prompted to confirm that you want to delete the facet.

Using Create Like to Create a New Facet

Facets that ship with the product or with a plug-in cannot be changed. If you want to enhance or modify the Oracle provided content, you must use the create-like functionality to make your own copy of the facet which can then subsequently be edited.

An important limitation to the Create Like function is that you cannot change the target type or entity type. The patterns contained in the facet may be dependent on target type or entity type. If you want to use Create Like and change these attributes, you should use Export to export the original facet, edit the name, target type, entity type in the XML, and then import as a new facet.

To use create like to create a new facet, follow these steps:

  1. From the Enterprise menu, select Compliance, then select Library.
  2. Choose the Real-time Monitoring Facets Library tab.

    Cloud Control displays the Facet Library page that lists all existing facets along with their target type, entity type, and other details about the facet. From this page you can perform administrative tasks such as create, create like, view, delete, import and export.

  3. Choose the facet from the facet table that you want to use as the basis for the new facet you want to create.
  4. Click Create Like.

    Cloud Control displays the Create Facet page. All the values that were applicable to the facet you want to clone are entered. Use the page to edit the values for the new facet and click OK.

    It is important to understand that if the original base facet you used in the create like activity is changed, that change will not be reflected in the newly created facet. There is no relationship maintained when using Create Like.

  5. For more information about using the Create Facet page, see Creating and Editing Facets.

Importing and Exporting Facets

You can select facets and export or import them. All selected facets will be exported into one output file.

On import, if a facet of the same name/target type/entity type combination already exists, the import fails with an error that the facet already exists. The user must change the import file to remove the duplicate name and retry the import.

The combination of name, target type, and entity type defines a unique facet. You can have facets with the same name across different target types and entity types.

To export a facet, follow these steps:

  1. From the Enterprise menu, select Compliance, then select Library.

  2. Choose the Real-time Monitoring Facets Library tab.

    Cloud Control displays the Facet Library page that lists all existing facets along with their target type, entity type, and other details about the facet. From this page you can perform administrative tasks such as create, create like, view, delete, import, and export.

  3. Select one or more facets from the list of facets on the Facet Library page that you want to export and then click Export.

  4. On the Open dialog box, you can choose to open or save the facet XML file using an XML editor of your choice and then either edit or save the file to another location.

To import a facet, follow these steps:

  1. From the Enterprise menu, select Compliance, then select Library.
  2. Choose the Real-time Monitoring Facets Library tab.

    Cloud Control displays the Facet Library page that lists all existing facets along with their target type, entity type, and other details about the facet. From this page you can perform administrative tasks such as create, create like, view, delete, import, and export.

  3. Click Import and choose the facet XML file you want to import into the Facet Library.
  4. Cloud Control imports all facets specified in the imported XML file. You can then edit the facet or use any other action on it as you would any other facet in the library.

Changing Base Facet Attributes Not Yet Used In a Rule

After a facet is in use in at least one rule (either as a monitoring facet or as a filter facet), you cannot change the facet name, target type, entity type, or target criteria of the facet since the rules that have been created are already bound to these attributes. The only attributes that can be changed are the facet patterns, parameters and description fields. Although the rule is not dependent on the facet name, users have used them in their rules based on the name of the facet. Allowing the name of the facet to change after consumption will only lead to confusion among rule authors when analyzing compliance results and observations.

If a facet is not currently in use but has been in use in the past, then it is treated the same as an in-use facet since the historic observation data will still be tied to the past facet.

You cannot make changes to the Oracle provided facets that ship with the Cloud Control product. If you want to use an Oracle provided facet with changes, you can perform a "Create Like" operation and then modify the newly created facet as needed.

To change base facet attributes, follow these steps:

  1. From the Enterprise menu, select Compliance, then select Library.
  2. Choose the Real-time Monitoring Facets Library tab.

    Cloud Control displays the Facet Library page that lists all existing facets along with their target type, entity type, and other details about the facet. From this page you can perform administrative tasks such as create, create like, view, delete, import and export.

  3. Choose the facet from which you want to create a new facet with modified attributes. Click Create Like.
  4. Enter a new Facet Name and change whatever attributes you need to create a new facet based on the previous facet.