15 Using Audit Analysis and Reporting
This chapter includes the following topics:
About Audit Reporting
The Oracle Fusion Middleware Audit Framework offers two approaches to audit reporting. The approach you adopt is determined by the audit model that components use at your site:
-
Dynamic Metadata Model
This model was introduced in 11g Release 1 (11.1.1.6.0). Oracle Fusion Middleware installations starting with 12c (12.1.2) use this mode. For information about this model, see Audit Reporting with the Dynamic Metadata Model.
-
Report Template Model
This earlier model is used by system components. When you upgrade, the Oracle Fusion Middleware Audit Framework continues to use this model.
Parent topic: Using Audit Analysis and Reporting
Audit Reporting with the Dynamic Metadata Model
Audit events are saved into the iau_common
common attribute table and the iau_custom_nnn
custom attribute tables. Oracle Platform Security Services Common Audit Framework generates SQL scripts to create Oracle Database views. Component reporting applications can use these views to query audit event data from audit database tables.
To set up audit reporting with the Dynamic Metadata Model:
See also:
createAuditDBView in WLST Command Reference for Infrastructure Security
Parent topic: Using Audit Analysis and Reporting
Audit Views Created at Registration
Starting with Release 12c (12.2.1), database views of your audit data can be created at registration. The views supported are:
-
Simple view - This view is based on the runtime database mappings of the component attributes against the columns in
IAU_COMMON
andIAU_CUSTOM_*
tables.A Simple database view is created in the
IAU VIEWER
schema when a component registers with audit. This view type is available for all supported databases. Note that a simple view is automatically generated for the component when you create the schema with Oracle Fusion Middleware Repository Creation Utility. -
Indexable view - A simple view that is indexable. This view leverages Oracle materialized views for improved performance of reporting queries. These views are supported ready-to-use for Oracle Databases only.
Use indexable views with care, as they can impact the audit loader performance. A component can switch to an indexable view with the
createIAUView
WebLogic Scripting Tool (WLST) command. Qualified event attributes must be present in the component audit definitions. For information about indexes, see Creating Indexes on Custom Table Attributes Using Materialized Views.
File audit repositories do not support views.
Parent topic: Audit Reporting with the Dynamic Metadata Model
Manually Created Audit Views
To create audit views manually, use the createAuditDBView
command. Here is the output that this command generated when it was called to create a view for the ApplicationAudit
component:
-- Audit View for Component CREATE VIEW ApplicationAudit_AUDITVIEW AS SELECT IAU_AUDITSERVICE.IAU_TRANSACTIONID AS AUDITSERVICE_TRANSACTIONID, IAU_COMMON.IAU_COMPONENTTYPE AS ComponentType, IAU_COMMON.IAU_MAJORVERSION AS MajorVersion, IAU_COMMON.IAU_MINORVERSION AS MinorVersion, IAU_COMMON.IAU_INSTANCEID AS InstanceId, IAU_COMMON.IAU_HOSTID AS HostId, IAU_COMMON.IAU_HOSTNWADDR AS HostNwaddr, IAU_COMMON.IAU_MODULEID AS ModuleId, IAU_COMMON.IAU_PROCESSID AS ProcessId, IAU_COMMON.IAU_ORACLEHOME AS OracleHome, IAU_COMMON.IAU_HOMEINSTANCE AS HomeInstance, IAU_COMMON.IAU_ECID AS ECID, IAU_COMMON.IAU_RID AS RID, IAU_COMMON.IAU_CONTEXTFIELDS AS ContextFields, IAU_COMMON.IAU_SESSIONID AS SessionId, IAU_COMMON.IAU_TARGETCOMPONENTTYPE AS TargetComponentType, IAU_COMMON.IAU_APPLICATIONNAME AS ApplicationName, IAU_COMMON.IAU_EVENTTYPE AS EventType, IAU_COMMON.IAU_EVENTCATEGORY AS EventCategory, IAU_COMMON.IAU_EVENTSTATUS AS EventStatus, IAU_COMMON.IAU_TSTZORIGINATING AS TstzOriginating, IAU_COMMON.IAU_THREADID AS ThreadId, IAU_COMMON.IAU_COMPONENTNAME AS ComponentName, IAU_COMMON.IAU_INITIATOR AS Initiator, IAU_COMMON.IAU_MESSAGETEXT AS MessageText, IAU_COMMON.IAU_FAILURECODE AS FailureCode, IAU_COMMON.IAU_REMOTEIP AS RemoteIP, IAU_COMMON.IAU_TARGET AS Target, IAU_COMMON.IAU_RESOURCE AS IAU_RESOURCE, IAU_COMMON.IAU_ROLES AS Roles, IAU_COMMON.IAU_DOMAINNAME AS DomainName, IAU_COMMON.IAU_COMPONENTDATA AS ComponentData, IAU_COMMON.IAU_AUDITUSER AS AuditUser, IAU_COMMON.IAU_TENANTID AS TenantId, IAU_COMMON.IAU_TRANSACTIONID AS TransactionId, IAU_COMMON.IAU_USERTENANTID AS UserTenantId, IAU_CUSTOM.IAU_INT_001 AS AccountNumber, IAU_CUSTOM.IAU_DATETIME_001 AS Date, IAU_CUSTOM.IAU_FLOAT_001 AS Amount, IAU_CUSTOM.IAU_STRING_002 AS Status, IAU_CUSTOM.IAU_FLOAT_002 AS Balance, IAU_USERSESSION.IAU_AUTHENTICATIONMETHOD AS AuthenticationMethod FROM IAU_AUDITSERVICE, IAU_COMMON, IAU_CUSTOM, IAU_USERSESSION WHERE IAU_COMMON.IAU_ID = IAU_AUDITSERVICE.IAU_ID AND IAU_COMMON.IAU_ID = IAU_CUSTOM.IAU_ID AND IAU_COMMON.IAU_ID = IAU_USERSESSION.IAU_ID AND IAU_COMMON.IAU_ComponentType = 'ApplicationAudit';
Parent topic: Audit Reporting with the Dynamic Metadata Model