22 Managing WebCenter Portal Audit Logs

Configure, manage, and interpret audit logging for WebCenter Portal.

Note:

Oracle WebCenter Portal has deprecated support for Jive features (announcements and discussions). If you have upgraded from a prior release to Release 12c (12.2.1.4.0), Jive features remain available in your upgraded instance, but Oracle support is not provided for these features. In the next release, Jive features will not be available even in upgraded instances.

Permissions:

To perform the tasks in this chapter, you must be granted the WebLogic Server Admin role through the Oracle WebLogic Server Administration Console. Users with the Monitor or Operator roles can view security information but cannot make changes.

See also Understanding Administrative Operations, Roles, and Tools.

Introduction to Managing Audit Logs

When enabled, audit logging tracks portal-related events as part of the Fusion Middleware Audit Service. Audit log events are stored in a file (the Audit Bus-stop) by default, but can also be uploaded to a database for persistence (for more information, see Configuring the Audit Store Database). The Audit Bus-stop file has a limited capacity, so storing log information in a database, where events can be queried long after they occurred, is recommended.

Note:

If you enable WebCenter Portal Impersonation, it is highly recommended that you also enable audit logging. When Impersonation is enabled, audit logging tracks the impersonator, impersonatee, and the context surrounding an event.

Audit logging provides the following key benefits:

  • Events that alter the security settings of portal, portal server, and major portal server artifacts are traceable

  • Definable logging levels

  • Events logged are available in perpetuity when uploaded to a database

  • Reports on audit events are available through the Audit Service

For more information about the Audit Service and configuring the Audit Service, see Introduction to Oracle Fusion Middleware Audit Framework in Securing Applications with Oracle Platform Security Services. For information about configuring the Audit Service to use a database, see Configuring and Managing Auditing in Securing Applications with Oracle Platform Security Services.

Configuring Audit Logging

This section describes how to turn logging on and off for WebCenter Portal, how to set the log level, and how to set up the Audit Store Database.

Setting the Logging Level

By default, audit logging for WebCenter Portal is turned off (that is, set to None). To turn it on, set the logging level to a value other than None (for example, Low) as shown in the examples below. For the details of which logging categories are included for each logging level, see Using WebCenter Portal Audit Logs.

Use the following WLST commands to modify the audit logging level for WebCenter Portal audit events.

To set the logging level to Low:

setAuditPolicy(componentType="webcenter",filterPreset="Low")

To set the logging level to Medium:

setAuditPolicy(componentType="webcenter",filterPreset="Medium")

To turn logging off for WebCenter Portal:

setAuditPolicy(componentType="webcenter",filterPreset="None")

Successful execution does not throw any error and completes silently. Restart the WC_Portal server to complete the logging level change.

For information about additional WLST commands you can use to manage and configure audit logging, see WLST Commands for Auditing in Securing Applications with Oracle Platform Security Services.

Configuring the Audit Store Database

The audit store is a database that contains a pre-defined Oracle Fusion Middleware Audit Framework schema created by the Repository Creation Utility (RCU). By default, audit logs are stored as files in the auditlogs directory as shown in the following example:

DOMAIN_HOME/servers/WC_Portal/logs/auditlogs/webcenter#11.1.1.4.0/audit_1_0.log

Once database persistence has been configured, the Audit loader picks up data from this file and puts it in the Audit Framework schema. For information about configuring the Audit Service to use a database, see Configuring and Managing Auditing in Securing Applications with Oracle Platform Security Services.

You will need to know the name of the audit schema (the suffix is always IAU). You will also need to set the audit repository to the database, as shown below:

setAuditRepository(switchToDB='true',dataSourceName='jdbc/AuditDB',interval='15')

Note:

The audit data in the store is expected to be cumulative and will grow over time. Ideally, the database should not be an operational database used by any other applications, and should be a standalone RDBMS used for audit purposes only.

Viewing WebCenter Portal Audit Events

This section describes the WebCenter Portal audit events that are available in the audit log, and shows a simple SQL statement that you can use to query the audit schema for impersonation events.

Using WebCenter Portal Audit Logs

Table 22-1 lists the WebCenter Portal audit events that appear in the audit log depending on the log level that is set. The various WebCenter Portal tools (such as documents, announcements, discussions, wikis and blogs, forum, forum message, forum topic, forum category) are identified in the log by their corresponding ToolArtifactID and ToolType.

When the log level is set to Low, events in the following categories are logged:

  • PortalLifeCycle

  • PortalRoleManagement

  • PortalRoleMemberManagement

  • PortalToolAccessManagement

  • ImpersonationSessionMgmt

When the log level is set to Medium, events in the following additional categories are logged:

  • PortalToolsManagement

  • PortalPagesManagement

Table 22-1 WebCenter Portal Audit Events

Each entry lists the event category, the event names logged in that category, and the event payload attributes recorded with them.

PortalLifeCycle
  Event Names: LoginPortalServer, CreatePortal, DeletePortal, ImportPortal, ExportPortal, DeployPortal, PropagatePortal
  Event Payload: InitiatorUID, InitiatorMail, InitiatorDisplayName, ImpersonatorUID, PortalID, PortalName, PotalDisplayName, PortalURL, PortalTemplate, PortalOldState, PortalNewState, TargetPortalConnection

PortalRoleManagement
  Event Names: CreateRole, DeleteRole, PermissionUpdate
  Event Payload: InitiatorUID, InitiatorMail, InitiatorDisplayName, ImpersonatorUID, PortalID, PortalName, RoleName, RoleTemplate, PermissionClass, PermissionName, PermissionActionsGranted, PermissionActionsRevoked

PortalRoleMemberManagement
  Event Names: AddMemberToRole, RemoveMemberFromRole
  Event Payload: InitiatorUID, InitiatorMail, InitiatorDisplayName, ImpersonatorUID, PortalID, PortalName, RoleName, MemberType, MemberUID, ServiceID

ImpersonationSessionMgmt
  Event Names: GrantImpersonationAccess, RevokeImpersonationAccess, BeginImpersonation, EndImpersonation
  Event Payload: InitiatorUID, InitiatorMail, InitiatorDisplayName, ImpersonatorUID, ImpersonateeUID, PortalID, PortalName, ImpersonationStartTime, ImpersonationEndTime, ImpersonationGrantStartTime, ImpersonationEndTime, ImpersonationRightRevokeTime

PortalToolsManagement
  Event Names: CreateTool, DeleteTool, ModifyTool
  Event Payload: InitiatorUID, InitiatorMail, InitiatorDisplayName, ImpersonatorUID, PortalID, PortalName, ToolArtifactID, ToolName, ToolType

PortalToolAccessManagement
  Event Names: ToolAccessPermissionUpdate, GrantToolAccess, RevokeToolAccess
  Event Payload: InitiatorUID, InitiatorMail, InitiatorDisplayName, ImpersonatorUID, PortalID, PortalName, ToolName, ToolType, ToolArtifactID, MemberUID, MemberType, PermissionActionsGranted, PermissionActionsRevoked, PermissionClass, PermissionName

PortalPagesManagement
  Event Names: CreatePage, DeletePage
  Event Payload: InitiatorUID, InitiatorMail, InitiatorDisplayName, ImpersonatorUID, PortalID, PortalName, PageID, PageName

Querying the Audit Schema

Once you have configured the audit schema and set the audit repository to the database, you can create reports based on the generated audit data. Follow the steps below to create a report:

  1. Generate a view based on the audit tables. Run the following WLST command to generate a SQL file that creates a view of the WebCenter Portal component-specific data from the audit DB tables:

     createAuditDBView(fileName="/tmp/WCPortalAuditView.sql", componentType="webcenter")

     The IAU schema owner (for example, TEST_IAU) needs the 'create view' privilege. If it does not have it, grant the privilege by running the following SQL command as a system DBA, then create the view by running the generated WCPortalAuditView.sql file:

     grant create view to TEST_IAU;

     The created view will have a name like 'webcenter_AUDITVIEW'.

  2. Use the view to query the audit database, using the WebCenter Portal audit attribute names as table column names, as shown in the following examples. Open the WCPortalAuditView.sql file to see the mapping of table column names to WebCenter Portal attributes.

     • The following SQL statement returns all the attributes of WebCenter Portal tools that are logged with the event types BeginImpersonation and EndImpersonation:

       select * from webcenter_AUDITVIEW where EventType like '%Impersonation';

     • The following SQL statement lists all users who have deleted any portal, along with the deleted portal information:

       select InitiatorUID,InitiatorMail,PortalID,PortalName,PortalURL from webcenter_AUDITVIEW where EventType = 'DeletePortal';

     • The following SQL statement returns all audit data for WebCenter Portal:

       select * from webcenter_AUDITVIEW;

If you want to regularly monitor WebCenter Portal activities, you can create a SQL data source using these queries and drop the data source as a table or other visualization onto a portal page. For more information about SQL data sources, see Working with Data Sources in Building Portals with Oracle WebCenter Portal.
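The following added example (not part of the Oracle documentation or product) shows the kind of review query a security team would run against webcenter_AUDITVIEW once audit data is in the database: besides the two queries from the steps above, it pulls out every role or membership change that was recorded with an ImpersonatorUID, which is what you need to see what was actually done during an impersonation session. It models the view with an in-memory SQLite table whose columns are the attribute names from Table 22-1; the rows are constructed sample data, and it assumes the generated WCPortalAuditView.sql maps each attribute to a column of the same name.

```python
import sqlite3

# Constructed sample rows in the shape of the webcenter_AUDITVIEW view. Column
# names follow the attribute names in Table 22-1 (assumption: the generated
# WCPortalAuditView.sql maps each attribute to a column of the same name, and
# ImpersonatorUID is populated on events raised inside an impersonation session).
COLUMNS = ("EventType", "InitiatorUID", "ImpersonatorUID", "ImpersonateeUID",
           "PortalName", "RoleName", "MemberUID", "PermissionActionsGranted")
SAMPLE_EVENTS = [
    ("BeginImpersonation", "admin1", "admin1", "jdoe", None, None, None, None),
    ("PermissionUpdate", "jdoe", "admin1", None, "Sales", "Viewer", None, "manage"),
    ("AddMemberToRole", "jdoe", "admin1", None, "Sales", "Moderator", "jdoe", None),
    ("EndImpersonation", "admin1", "admin1", "jdoe", None, None, None, None),
    ("DeletePortal", "bob", None, None, "Marketing", None, None, None),
    ("CreateRole", "alice", None, None, "Sales", "Editor", None, None),
]


def load_view(rows=SAMPLE_EVENTS):
    """Build an in-memory stand-in for webcenter_AUDITVIEW from the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE webcenter_AUDITVIEW (%s)" % ", ".join(COLUMNS))
    conn.executemany("INSERT INTO webcenter_AUDITVIEW VALUES (%s)"
                     % ", ".join("?" * len(COLUMNS)), rows)
    return conn


def impersonation_sessions(conn):
    """The documentation's first query: every Begin/EndImpersonation event."""
    return conn.execute(
        "SELECT EventType, ImpersonatorUID, ImpersonateeUID FROM webcenter_AUDITVIEW "
        "WHERE EventType LIKE '%Impersonation' ORDER BY rowid").fetchall()


def changes_made_while_impersonating(conn):
    """Changes recorded with an impersonator set: the rows to review when
    checking what an administrator did while impersonating a user."""
    return conn.execute(
        "SELECT ImpersonatorUID, InitiatorUID, EventType, PortalName, RoleName, "
        "MemberUID, PermissionActionsGranted FROM webcenter_AUDITVIEW "
        "WHERE ImpersonatorUID IS NOT NULL AND EventType NOT LIKE '%Impersonation' "
        "ORDER BY rowid").fetchall()


def portal_deleters(conn):
    """The documentation's second query: who deleted which portal."""
    return conn.execute(
        "SELECT InitiatorUID, PortalName FROM webcenter_AUDITVIEW "
        "WHERE EventType = 'DeletePortal'").fetchall()
```

Against a real audit store, run the same SELECT statements through the SQL data source described above, substituting the column names you find in WCPortalAuditView.sql.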