Audit Logs

The Oracle Enterprise Communications Broker (OECB) can record user actions in audit logs by way of the Web GUI. The audit logs record the creation, modification, and deletion of all user-accessible configuration elements, as well as attempted access to critical security data such as public keys. For each logged event, the system provides the associated user-id, date, time, event type, and success or failure data.

You can configure the system to record audit log information in either verbose mode or brief mode. Verbose mode captures the system configuration after every change, and displays both the previous settings and the new settings in addition to the event details. Brief mode displays only the event details. Although you can specify the recording mode, you cannot specify which actions the system records. The following list describes the actions that the system records.

Global	Log on and log off. Save a template configuration. Click Complete in a System Operation dialog.
Home tab	Add, reset, and save. Change Widget settings.
Configuration tab	Save and activate a configuration. Discard a configuration. Add, edit, delete, and copy configuration changes. Run the generate and import certificate commands.
System tab	Add audit entries to the system file management actions, such as upload, download, restore, backup, add, edit, and delete. Force an HA switch over. Run the Show Support Information command. Run the Upgrade Software System Operation. Download and view an audit log.
Monitoring tab	Export the summary. Export the session detail. Export from a Widget. Add a Widget to favorites. Clear, clear all on alarm, add, and delete license.

The system writes audit log events in Comma Separated Values (CSV) lists in the following format:

{TimeStamp,
src-user@address:port,Category,EventType,Result,Resource,Prev,
Detail}

The following list describes each value written to an audit log event.

TimeStamp	Shows the time when the system wrote the event to the audit log.
src-user@address:port	Identifies the system that wrote the audit log line.
Category	Classifies the event as: Configuration Security System
EventType	Identifies the action that caused the event as: Activate-config Acquire-config Create Data-access Delete Halt Login Logout Modify Reboot Save-config
Result	Identifies the outcome of the event as: Failure Success
Resource	Describes the action within the event. Some of the numerous actions that the system can log include: Authentication Banner (Means that someone edited the log on banner text.) Download <filename> Generate public key Reboot Upload <filename>
Prev—(verbose mode)	Displays the setting prior to this change.
Details—(verbose mode)	Displays additional information about the change, depending on the following event types: Create—displays “New = element added." Data-access—displays “Element = accessed element.” Delete—displays “Element = deleted element.” Modify—displays “Previous = oldValue New = newValue.”

As the OECB records audit log data, users with admin privileges can read, copy, and download that information from the Web GUI. No one can delete or edit the original log. You can View, Refresh, and Download audit logs by way of the System tab. Go to Audit Log under File Management.

You can configure the system to transfer audit log files to an SFTP server by way of secure FTP push, when conditions satisfy one of the following specifications.

• The specified amount of time since the last transfer elapsed.
• The size of the audit log reached the specified threshold. (Measured in Megabytes)
• The size of the audit log reached the specified percentage of the allocated storage space.

The OECB transfers the audit logs to a designated directory on the target SFTP server. The audit log file is stored on the target SFTP server with a filename in the following format: audit<timestamp>. The timestamp is a 12-digit string the YYYYMMDDHHMM format.

Use the following process to configure transferring audit logs to an SFTP server.

1. Configure secure FTP push. See "Secure FTP Push Configuration."
2. Configure audit logging. See "Configure Audit Logging."

Secure FTP Push Configuration

You can configure the Oracle Enterprise Communications Broker (OECB) to securely send audit log files to an SFTP push receiver for storage. Configure secure FTP push before you configure audit logging.

You can configure the Oracle Enterprise Communications Broker (OECB) to log on to a push receiver using one of the following authentication methods to create a secure connection.

Password

Configure a username and password, and leave the public-key parameter blank. Note that you must also import the host key from the SFTP server to the OECB for this type of authentication.

Public key

Set the public-key parameter to a configured public key record name including an account username, and configure the SFTP server with the public key pair from the OECB.

It is also common for the SFTP server to run the Linux operating system. For Linux, the command ssh-keygen-e creates the public key that you need to import to the OECB. The ssh-keygen-e command sequence requires you to specify the file export type, as follows.

[linux-vpn-1 ~]# ssh-keygen -e
Enter file in which the key is (/root/.ssh/id_rsa/): /etc/ssh/ssh_host_rsa_key.pub

If you cannot access the SFTP server directly, but you can access it from another Linux host, use the ssh-keyscan command to get the key. An example command line follows.

root@server:~$ssh-keyscan -t dsa sftp.server.com

Configure Secure FTP Push with Public Key Authentication

For increased security when sending files from the Oracle Enterprise Communications Broker (OECB) to an SFTP server, you can choose authentication by public key exchange rather than by password. To use a public key exchange, you must configure public key profiles on both devices and import the key from each device into the other.

The following list of tasks shows the process for configuring authentication by public key between the OECB and an SFTP server. For each step in the process, see the corresponding topic for detailed instructions.

1. Generate an RSA public key on the OECB. See "Generate an RSA Public Key."
2. Create a DSA public key on the SFTP server. See "Generate a DSA Public Key."
3. Import the DSA public key from the SFTP server into the OECB using the known-host option in the Import Key dialog. See "Import a DSA Public Key."
4. Add the RSA public key to the authorized_keys file in the .ssh directory on the SFTP server. See "Copy the RSA Public Key to the SFTP Server."

Generate an RSA Public Key

Add a public key profile on the Oracle Enterprise Communications Broker (OECB) and generate an RSA key. You will later import the RSA key into the SFTP server to enable authentication by way of public key exchange with the OECB.

1. Access the Public Key configuration object: Configuration tab, Security, Public key.
2. On the Public Key page, click Add.
3. In the Add Public Key dialog, do the following:

   Name	Enter the name of this profile.
   Type	Select RSA.
   Size	Enter one of the following: 512 1024 2048 4096

4. Click OK to create the public key profile.
   The system displays the Public Key list box including the new profile.
5. Save and activate the configuration.
6. Select the newly created profile, and in the Action column, click Generate.
   The OECB displays the key in the Generate Key text box for you to copy to the SFTP server.
7. Save the configuration.

• Generate a DSA public key.

Generate a DSA Public Key

Generate and save a DSA public key on the SFTP server. You will later import the DSA key into the Oracle Enterprise Communications Broker (OECB) to enable authentication by way of public key exchange with the SFTP server.

1. Run the following command on the SFTP server:

   ssh-keygen -e -f /etc/ssh/ssh_host_dsa_key.pub | tee sftp_host_dsa_key.pub

2. Save the key to the authorized_keys file in the .ssh directory on the SFTP server.

• Import the DSA key into the OECB.

Import a DSA Public Key

Import a DSA public key from the SFTP server into the Oracle Enterprise Communications Broker (OECB).

• Generate and save a DSA public key on the SFTP server.

Perform the following procedure on the OECB and select "known-host" for type.

1. Access the SSH file system on the SFTP server by way of a terminal emulation program.
2. On the SFTP server, copy the base64 encoded public file. Be sure to include the Begin and End markers, as specified by RFC 4716 The Secure Shell (SSH) Public Key File Format.

   For OpenSSH implementations host files are generally found at /etc/ssh/ssh_host_dsa_key.pub, or /etc/ssh/sss_host_rsa.pub. Other SSH implementations can differ.

3. On the OECB, click the Configuration tab, Security, Public Key.
4. On the Public key page, click the Import key button, and do the following.

   Type	Select known-host.
   Name	Enter a name for your profile, which the OECB displays in public key drop-down lists.
   SSH Public Key	Paste the DSA public key from the SFTP server into the text box. Ensure that the text of the key ends with a semi-colon.

5. Click Import.
   The OECB imports the key and makes it available for configuration as the public key on an external device.

Copy the RSA public key to the SFTP server.

Copy the RSA Public Key to the SFTP Server

Copy the RSA public key from the from the Oracle Enterprise Communications Broker (OECB) to the authorized_keys file in the .ssh directory on the SFTP server.

• Confirm that the .ssh directory exists on the SFTP server.
• Confirm the following permissions: Chmod 700 for .ssh and Chmod 600 for authorized_keys.

When adding the RSA key to the authorized_keys file, ensure that no spaces occur inside the key. Insert one space between the ssh-rsa prefix and the key. Insert one space between the key and the suffix. For example, ssh-rsa <key> root@1.1.1.1.

1. Access the SSH file system on a configured SFTP server with a terminal emulation program.
2. Copy the RSA key to the SFTP server, using a text editor such as vi or emacs, and paste the RSA key to the end of the authorized_keys file.

Configure Audit Logging

The Oracle Enterprise Communications Broker (OECB) provides a means of tracking user actions through Audit Logs. You can specify how the system records audit log information, and where to send the logs for archiving. You can configure the system to record in either brief or verbose mode. Verbose mode captures the system configuration after every change, and displays both the previous and new settings in addition to the event details. Brief mode displays only the event details.

• Configure one or more push receivers to receive the audit logs. See the documentation for the receiver.
• If you want to use public keys for authentication between the OECB and the push receiver, configure public key profiles on both devices before configuring audit logging. See "Configure Secure File Transfer with Public Keys."

1. Access the Audit Logging configuration object: Configuration tab, System Adminstration section, Security, Audit Logging.
2. On the Audit Logging page, do the following:

   State	Select to enable event recording in the audit log.
   Detail Level	Select brief (default) or verbose output.
   Audit Trail	Enables logging every command that is processed by the OECB. enabled: Logs all commands that the OECB can process. disabled: Logs only relevant information. Default: disabled
   Audit Record Output	Indicates how the OECB logs audit records. syslog: The OECB logs audit records over syslog. file: The OECB logs audit records to a file. both: The OECB logs audit records over both syslog and to a file. Default: file
   File Transfer Time	Specify the amount of time, in hours, from the completion of the last transfer to the beginning of the next transfer. This determines when a file transfer occurs unless the Max storage space or Max file size triggers the transfer first. Default: 720. Range: 0-65535. Note: 0 disables this parameter.
   Max Storage Space	Specify the maximum amount of space that the audit log can consume on the OECB in MB. Default: 32. Range: 0-32.
   Percentage Full	Use in conjunction with Max storage space to specify the percent of the Max storage space that triggers file transfer. This determines when a file transfer occurs unless the File transfer time or Max file size triggers the transfer first. Default: 75. Range: 0-99. Note: 0 disables this parameter.
   Max File Size	Set the maximum size in Mega Bytes that the audit log can be before the system transfers the file. This determines when a file transfer occurs unless the Max storage space or Max file size triggers the transfer first. Default: 5. Range 0-10. Note: 0 disables this parameter.
   Storage Path	Specifies the directory that houses the audit log. Default: /code/audit .
   Push Receiver	Add a push receiver and configure the following parameters for sending audit log files from the OECB to the receiver: Server—Enter the IP address of the FTP/SFTP server to which you want the OECB to push audit log files. Default: 0.0.0.0. Port—Enter the port number on the FTP/SFTP server to which the OECB will send audit log files. Default: 22 Range: 1-65535. Remote Path—Enter the pathname to send the audit log files to the push receiver. Files are placed in this location on the FTP/SFTP server. Value: <string> remote pathname. Filename Prefix—Enter the filename prefix to prepend to the audit log files that the OECB sends to the push receiver. The OECB does not rename local files. Values: <string> prefix for filenames. Username—Enter the username the OECB uses to connect to this push receiver. Auth Type—Select the authentication methodology. Password (default) or public key. Do one of the following: Password—When you set the Auth type to password, click Set to enter and confirm the password used to access this push receiver. Public Key—When you set the Auth type to public key, select the public key profile that you want from the drop-down list.

3. Click OK.
4. Save the configuration.