Configure the Audit Log

The single instance audit-logging configuration element enables, sizes, and locates the audit log within the local file structure. It also specifies the conditions that trigger transfer of the log to one or more SFTP servers.

  1. Access the audit-logging configuration element.
    ORACLE# configure terminal
    ORACLE(configure)# security
    ORACLE(security)# admin-security
    ORACLE(admin-security)# audit-logging
    ORACLE(audit-logging)#
    
  2. state—Enables or disables audit logging.

    Use enabled to enable audit logging. Retain the default value (disabled) to disable the log.

  3. detail-level—Specifies the level of detail associated with audit log entries.

    Retain the default value (brief) to write succinct log entries; use verbose to generate more detailed entries.

  4. audit-trail—Enables logging every command that is successfully processed by the OCSBC.
    Use enabled to enable audit logging of all successful commands. Retain the default value (disabled) to log only relevant information. The value of state must be set to enabled for audit-trail to work.

    Note:

    When enabled, the OCSBC logs only commands that the SBC is able to process. For example, if a command is entered incorrectly, it will not be logged.
  5. file-transfer-time—Specifies the maximum interval (in hours) between audit-log transfers to a previously-configured SFTP server or servers.

    Allowable values are integers within the range 0 through 65535.

    The value 0 disables time-based-transfer of the audit log. Consequently, upload to an SFTP server is triggered only by exceeding the percentage-based or absolute-size-based thresholds established by the percentage-full and max-file-size properties, or by manual SFTP file transfer performed by a properly privileged admin-level user.

    Retain the default value (720 hours/30 days), or provide an alternate value to trigger time-based-transfer. With time-based-transfer enabled, automatic upload of the audit file to an SFTP server or servers is triggered when the interval decrements to 0. At that time the audit log is transferred, an alarm alerting the recipient to the transfer is generated, and the timer resets to its configured value. Assuming the file transfer succeeds, the audit log is deleted. If the file transfer fails, the audit log is retained until it exceeds the value specified by max-storage-space.

    Note:

    The file-transfer-time interval is reset to its configured value with any audit log transfer regardless of cause.
  6. max-storage-space—Specifies the maximum disk space (measured in Megabytes) available for audit log storage.

    Allowable values are integers within the range 1 through 32.

    Allocate space for the audit log by retaining the default value, or by selecting a new value from within the allowable range.

  7. percentage-full—Specifies a file size threshold (expressed as a percentage of max-storage-space) that triggers audit file transfer to a previously-configured SFTP server or servers.

    Allowable values are integers within the range 0 through 99.

    The value 0 disables percentage-based-transfer of the audit log. Consequently, upload to an SFTP server is triggered only by exceeding the time-based and absolute-size-based thresholds established by the file-transfer-time and max-file-size properties, or by manual SFTP file transfer performed by a properly privileged admin-level user.

    Retain the default value (75 percent), or provide an alternate value to trigger percentage-based-transfer. With percentage-based-transfer enabled, automatic upload of the audit file to an SFTP server or servers is triggered when audit log size exceeds the value max-storage-space x (percentage-full/100). At that time the audit log is transferred, and an alarm alerting the recipient to the transfer is generated. Assuming the file transfer succeeds, the audit log is deleted. If the file transfer fails, the audit log is retained until it exceeds the value specified by max-storage-space.

  8. max-file-size—Specifies a file size threshold (expressed as an absolute file size measured in Megabytes) that triggers audit file transfer to a previously-configured SFTP server or servers.

    Allowable values are integers within the range 0 through 10.

    The value 0 disables absolute-size-based-transfer of the audit log. Consequently, upload to an SFTP server is triggered only by exceeding the time-based and percentage-based thresholds established by the file-transfer-time and percentage-full properties, or by manual SFTP file transfer performed by a properly privileged admin-level user.

    Retain the default value (5 Megabytes), or provide an alternate value to trigger absolute-size-based-transfer. With absolute-size-based-transfer enabled, automatic upload of the audit file to an SFTP server or servers is triggered when audit log size exceeds the value max-file-size. At that time the audit log is transferred and an alarm alerting the recipient to the transfer is generated. Assuming the file transfer succeeds, the audit log is deleted. If the file transfer fails, the audit log is retained until it exceeds the value specified by max-storage-space.

  9. storage-path—Specifies the directory that houses the audit log.

    Retain the default value (/code/audit), or identify another local directory.

  10. audit-trail—Enables logging every command that is processed by the OCSBC.
    Use enabled to enable audit logging of all commands. Retain the default value (disabled) to log only relevant information.

    Note:

    When enabled, the OCSBC logs only commands that the SBC is able to process. For example, if a command is entered incorrectly, it will not be logged.
  11. audit-record-output—Indicates how the OCSBC logs audit records.
    • syslog—The OCSBC logs audit records over syslog.
    • file—The OCSBC logs audit records to a file. This is the default value.
    • both—The OCSBC logs audit records over both syslog and to a file.
    A sample audit log configuration appears below:
    ORACLE(audit-logging)# state enabled
    ORACLE(audit-logging)# file-transfer-time 1
    ORACLE(audit-logging)# percentage-full 0
    ORACLE(audit-logging)# max-file-size 0

    This configuration allocates 32MB (the default value) for audit logging, which is enabled in brief mode. Audit log transfer to a configured SFTP server or servers occurs on an hourly schedule; other transfer triggers are disabled.

  12. Type done to save your configuration.
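
The following is an added example, not Oracle code: a small offline checker that applies the ranges, defaults and transfer-trigger rules described in the steps above to a set of audit-logging parameter lines. The function names are hypothetical, and the 32 MB default for max-storage-space is taken from the sample's description.

```python
import re
# Ranges and defaults as stated on this page (32 MB default per the sample's description).
RANGES = {"file-transfer-time": (0, 65535), "max-storage-space": (1, 32),
          "percentage-full": (0, 99), "max-file-size": (0, 10)}
DEFAULTS = {"state": "disabled", "detail-level": "brief", "audit-trail": "disabled",
            "file-transfer-time": 720, "max-storage-space": 32, "percentage-full": 75,
            "max-file-size": 5, "storage-path": "/code/audit", "audit-record-output": "file"}
PROMPT = re.compile(r"^\s*\S+\([\w-]+\)#\s*")  # e.g. "ORACLE(audit-logging)# "

def parse_acli(text):
    """Overlay 'parameter value' lines (ACLI prompt optional) on the defaults."""
    cfg = dict(DEFAULTS)
    for line in text.splitlines():
        parts = PROMPT.sub("", line).split()
        if len(parts) == 2 and parts[0] in DEFAULTS:
            key, value = parts
            numeric = key in RANGES and value.lstrip("-").isdigit()
            cfg[key] = int(value) if numeric else value
    return cfg

def size_trigger_mb(cfg):
    """Smallest enabled size threshold in MB, or None if both size triggers are 0."""
    pct = cfg["max-storage-space"] * cfg["percentage-full"] / 100
    enabled = [v for v in (pct, cfg["max-file-size"]) if v > 0]
    return min(enabled) if enabled else None

def review(cfg):
    """Return the findings a log-retention review would raise for this configuration."""
    findings = [f"{k}={cfg[k]!r} outside {lo}..{hi}" for k, (lo, hi) in RANGES.items()
                if not isinstance(cfg[k], int) or not lo <= cfg[k] <= hi]
    if findings:
        return findings  # thresholds are meaningless until the values are valid
    if cfg["state"] != "enabled":
        findings.append("state is not enabled: no audit log is written")
        if cfg["audit-trail"] == "enabled":
            findings.append("audit-trail has no effect while state is disabled")
    if cfg["file-transfer-time"] == 0 and size_trigger_mb(cfg) is None:
        findings.append("all automatic triggers are 0: only manual SFTP transfer remains")
    return findings

# Constructed input: this page's sample, using the state parameter from step 2.
SAMPLE = """ORACLE(audit-logging)# state enabled
ORACLE(audit-logging)# file-transfer-time 1
ORACLE(audit-logging)# percentage-full 0
ORACLE(audit-logging)# max-file-size 0"""

if __name__ == "__main__":
    print(review(parse_acli(SAMPLE)), size_trigger_mb(parse_acli("")))
```

With every parameter left at its default, the effective size trigger is max-file-size (5 MB), because the percentage-full threshold works out to 24 MB and is reached later.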