Auditing Administrative and Run-time Events

8 Auditing Administrative and Run-time Events

In Oracle Fusion Middleware, auditing refers to the process of collecting review specific information related to administrative, authentication, and run-time events. Auditing can help you evaluate adherence to polices, user access controls, and risk management procedures, and provides a measure of accountability and answers to the "who has done what and when" types of questions.

Audit data can be used to create dashboards, compile historical data, and assess risks. Analyzing recorded audit data allows compliance officers to perform periodic reviews of compliance policies. (Analyzing and using audit data is outside the scope of this chapter.)

The following topics describe the administrative and run-time events that can be audited for Oracle Access Management services as well as information on configuring common auditing settings and validating your auditing configuration:

8.1 Introduction to Oracle Fusion Middleware Auditing

Auditing provides a measure of accountability and records the data of who has done what and when.

Review the following topics in the Securing Applications with Oracle Platform Security Services to gain an understanding of auditing and the Audit Framework in Oracle Fusion Middleware:

Introduction to Oracle Fusion Middleware Audit Framework
Oracle Business Intelligence Publisher
Customizing Audit Reports
Oracle Fusion Middleware Audit Framework Reference for details about how the Audit database is laid out

Note:

There is nothing specific or separate related to auditing Identity Context. Unless explicitly stated, information is the same for all Oracle Access Management services.

8.2 Oracle Access Management Auditing

Many businesses must now be able to audit identity information and user access on applications and devices.

Compliance audits help an enterprise conform with regulatory requirements—Sarbanes-Oxley or the Health Insurance Portability and Accountability Act (HIPAA) are two examples.

The following topics provide information about:

8.2.1 Understanding Oracle Access Management Auditing

Oracle Access Management uses the Oracle Fusion Middleware Common Audit Framework to support auditing for a large number of user authentication and authorization run-time events, and administrative events (changes to the system). The Oracle Fusion Middleware Common Audit Framework provides uniform logging and exception handling and diagnostics for all audit events.

Auditing is based on configuration parameters set using the Oracle Access Management Console which enables data capture for a user or set of users. While auditing can be enabled or disabled, it is normally enabled in production environments. Audit data can be written to either a single, centralized Oracle Database instance or to flat files known as bus-stop files.

Note:

The Oracle Fusion Middleware Common Audit Framework database audit store does not include Access Manager policy or session-data and is not configured through the Oracle Access Management Console.

Auditing has minimal performance impact, and the information captured by auditing can be useful (even mission-critical). The audit log file helps the audit Administrator track errors and diagnose problems if the audit framework is not working properly.

8.2.2 About Oracle Access Management Auditing Configuration

An Administrator controls certain auditing parameters using the Oracle Access Management Console.

Additional auditing configuration is required through the Common Audit Framework.

Note:

Oracle recommends that you use only the Oracle Access Management Console or WebLogic Scripting Tool (WLST) commands for changes. See Updating OAM Configuration

Event configuration (mapping events to levels) occurs in the component_events.xml file. An audit record contains a sequence of items that can be configured to meet particular requirements.

Within the Oracle Access Management Console, you can set the maximum log file and log directory size. Audit policies (known as Filter Presets declare the types of events to be captured by the audit framework for particular components.

Audit policies cannot be configured using Fusion Middleware Control. Oracle Access Management does not use JPS infrastructure to configure the audit configuration. There are no WebLogic Scripting Tool (WLST) commands for auditing.

See Also:

Access Manager Events You Can Audit.

8.2.3 About Audit Record Storage

Audit data can be written to either a single, centralized Oracle Database instance or to flat files known as bus-stop files. By default, audit data is recorded to the file but administrators can change the configuration to log audit data to a database. Although the formats differ, audit data content is identical in both the flat file and the database.

Audit Bus-stop: Local files containing audit data records before they are pushed to the audit data store. In the event that no audit data store is configured, audit data remains in these bus-stop files. The bus-stop files are simple text files that can be queried easily to look up specific audit events. When an audit data store is in place, the bus-stop acts as an intermediary between the component and the audit data store. The local files are periodically uploaded to the audit data store based on a configurable time interval.

Bus-stop files for Java components are located in:
```
$DOMAIN_HOME/servers/$SERVER_NAME/logs/auditlogs/OAM/audit.log 
```
Bus-stop files for system components are located in:
```
$ORACLE_INSTANCE/auditlogs/OAM/oam_server1/audit.log
```
Database Logging: Implements the Common Auditing Framework across a range of Oracle Fusion Middleware products. The benefit is audit-function commonality at the platform level.
Database Audit Store: In production environments, Oracle recommends using a database audit store to provide scalability and high-availability for the Common Audit Framework. A key advantage of the audit data store is that audit data from multiple components can be correlated and combined in reports; for example, authentication failures in all Middleware components and instances. Audit data is cumulative and grows over time so ideally this is a stand-alone RDBMS database for audit data only and not used by other applications.

Note:

The preferred mode in production environments is writing audit records to a stand-alone RDBMS database for audit data only.

To switch to a database as the permanent store for your audit records, you must first use the Repository Creation Utility (RCU) to create a database schema for audit data. The RCU seeds that database store with the schema required to store audit records in a database. After the schema is created, configuring a database audit store involves:
- Creating a data source that points to the audit schema you created
- Configuring the audit store to point to the data source
As previously documented, the Oracle Fusion Middleware Audit Framework schema is provided by the RCU.

Figure 8-1 provides a simplified view of the audit architecture with a supported database.

Figure 8-1 Audit to Database Architecture

Description of "Figure 8-1 Audit to Database Architecture"
See Also:
- See Managing Audit in the Securing Applications with Oracle Platform Security Services.
- See Setting Up the Audit Database Store.
An independent audit loader process reads the flat log file and inserts records in the log table of the Oracle database. The audit store allows Administrators to expose audit data with Oracle Business Intelligence Publisher using a variety of out-of-the-box reports.

8.2.4 About Audit Reports and Oracle Business Intelligence Publisher

Oracle Access Management integrates with Oracle Business Intelligence Publisher, which provides a pre-defined set of compliance reports through which the data in the database audit store is exposed. These reports allow you to drill down the audit data based on various criteria, such as user name, time range, application type, and execution context identifier (ECID).

Out-of-the-box, there are several sample audit reports available with Oracle Access Management and accessible with Oracle Business Intelligence Publisher. You can also use Oracle Business Intelligence Publisher to create your own custom audit reports.

8.2.5 Oracle BI Enterprise Edition (Oracle BI EE)

Oracle BI Enterprise Edition (Oracle BI EE) is a comprehensive set of enterprise business intelligence tools and infrastructure, including a scalable and efficient query and analysis server, an ad-hoc query and analysis tool, interactive dashboards, proactive intelligence and alerts, real-time predictive intelligence, and an enterprise reporting engine.

The components of Oracle BI EE share a common service-oriented architecture, data access services, analytic and calculation infrastructure, metadata management services, semantic business model, security model and user preferences, and administration tools. Oracle BI EE provides scalability and performance with data-source specific optimized analysis generation, optimized data access, advanced calculation, intelligent caching services, and clustering.

See Also:

Using Audit Analysis and Reporting in the Securing Applications with Oracle Platform Security Services.

You may need to prepare Oracle BI EE for use with auditing reports for Oracle Access Management.

See Preparing Oracle Business Intelligence Publisher EE.

Oracle BI EE reports contain enumerated fields, the data fields and labels of which are self-explanatory. Content of reports is described in Table 8-1 (taken from Knowledge Base Doc ID 1495333.1 on My Oracle Support.

Table 8-1 Oracle Business Intelligence Enterprise Edition Reports for OAM

Report Type	Description
Account Management	User ID \| Timestamp \| Component/ Application Name \| Event Details
Authentication_Statistics	Authentication_statistics Failure \| Userid \| Number of Events AuthenticationFromIPByUser IP Address \| Distinct User Count \| Total Attempts \| Users AuthenticationPerIP IP Address \| Distinct Users \| Total Number of Attempts AuthenticationStatisticsPerServer Server Instance Name \| Success Count \| Failure Count
Errors_and_Exceptions	All_Errors_and_Exceptions User ID \| Timestamp \| Component/Application Name \| Client IP Address \| Message Event \| Event Details Authentication_Failures User ID \| Timestamp \| Component/ Application Name \| Client IP Address \| Authentication Method \| Message Event Details \| Authorization_Failures Users_Activities Authentication_History User ID \| Timestamp \| Component/ Application Name \| Client IP Address \| Authentication Method \| Message Event Details \| Authorization_Failures Multiple_Logins_From_Same_IP IP Address \| Usernames Used

Report Type

Description

Account Management

User ID | Timestamp | Component/ Application Name | Event Details

Authentication_Statistics

Authentication_statistics

Failure | Userid | Number of Events

AuthenticationFromIPByUser

IP Address | Distinct User Count | Total Attempts | Users

AuthenticationPerIP

IP Address | Distinct Users | Total Number of Attempts

AuthenticationStatisticsPerServer

Server Instance Name | Success Count | Failure Count

Errors_and_Exceptions

All_Errors_and_Exceptions

Authentication_Failures

Users_Activities

Authentication_History

Multiple_Logins_From_Same_IP

IP Address | Usernames Used

See the following topics:

8.2.6 About the Audit Log and Data

An audit log file helps the audit administrator track errors and diagnose problems when the audit framework is not working properly. An audit log file records several fields including (but not limited to) Date, Time, Initiator, EventType, EventStatus, MessageText, ECID, RID ContextFields, SessionId, TargetComponentType, ApplicationName, and EventCategory.

See Also:

Managing Audit in the Securing Applications with Oracle Platform Security Services.

8.3 Access Manager Events You Can Audit

The following topics describe how to audit Access Manager events:

See Also:

Identity Federation Events You Can Audit

8.3.1 Access Manager Administrative Events You Can Audit

Administrative events are those generated when the Oracle Access Management Console is used.

The Access Manager-specific administrative events that can be audited and the details captured for them are listed in Table 8-2. These event definitions and configurations are implemented as part of the audit service in Oracle Platform Security Services.

Note:

The amount and type of information that is logged is controlled by choosing a filter preset from the Audit Configuration section. Auditable events for each filter preset are fixed in the read-only component_events.xml file. Editing or customizing this file is not supported.

Table 8-3lists the details that have been captured.

Table 8-2 Access Manager Administrative Audit Events

Administrative Event	Event Data Include
Oracle Access Management Console Login success/failure	User name Remote IP Roles
Authentication Policy Creation	Policy name Authentication scheme details Resource details Policy type (authentication or authorization)
Authentication Policy Modification	Policy name Authentication scheme details Resource details Policy type (authentication or authorization Old Policy name Old Authentication scheme details Old Resource details
Authentication Policy Removal	Policy name Authentication scheme details Resource details Policy type (authentication or authorization
Resource Creation	Resource name URI Operation Resource type
Resource Modification	Resource name URI Operation Resource type Old Resource name Old URI Old Operation
Resource Removal	Resource name URI Operation Resource type
Authentication Scheme Creation	Scheme name Authentication modules Level
Authentication Scheme Modification	Scheme name Authentication modules Level Old Scheme name Old Authentication modules Old Level
Authentication Scheme Removal (Delete)	Scheme name Authentication modules Level
Response Creation	Response name Response key Data source Response Type
Response Modification	Response name Response key Data source Response Type Old Response name Old Response key Old Data source
Response Removal (Delete)	Response name Response key Data source Response Type
Partner Addition	Partner name Partner ID Partner URL Logout URL
Partner Modification	Partner name Partner ID Partner URL Logout URL Old Partner name Old Partner URL Old Logout URL
Partner Removal	Partner name Partner ID Partner URL Logout URL
Conditions creation	Condition Name Condition type Condition data
Conditions Modification	Condition Name Condition type Condition data Old Condition name Old Condition type Old Condition data
Conditions Removal	Condition Name Condition type Condition data
Server Domain creation	Domain Name
Server Domain Modification	Domain Name Old Domain Name
Server Domain Removal	Domain Name
Server configuration change	New details Old details Instance Name Application Name User Name Remote ID Roles Date and time

8.3.2 Access Manager Run-time Events You Can Audit

Run-time events are those generated by some of the events the Access Manager component engines issue when interacting with one another. The run-time events that can be audited, when they are issued. These event definitions and configurations are implemented as part of the audit service in Oracle Platform Security Services.

Note:

The amount and type of information that is logged is controlled by choosing a filter preset in the Audit Configuration. Auditable events for each filter preset are fixed in the read-only component_events.xml file. Editing or customizing this file is not supported.

Table 8-3 Access Manager Run-time Audit Events

Run-time Event	Issued When	Event Details Include
Authentication Attempt	A user attempts to access a protected resource and the request arrives at the SSO server; this event might be followed by the events credential submit and authentication success or failure.	Remote IP Resource ID Partner ID Resource ID Authentication scheme ID Authentication Policy ID
Authentication Success	A client submits credentials and credential validation is successful.	Remote IP User Name User DN Resource ID Authentication scheme ID Authentication Policy ID Partner ID
Authentication Failure	A client submits credentials and credential validation fails.	Remote IP User Name User DN Resource ID Authentication Scheme ID Failure Error Code Retry count Authentication Policy ID Partner ID
Session Creation	Authentication succeeds.	SSO Session ID User Name User DN Remote IP Resource ID Authentication scheme ID Authentication Policy ID
Session Destroy	Authentication succeeds.	SSO Session ID User Name User DN Partner ID
Login success	A client finishes the login procedure and it is forwarded to the agent.	Remote IP User Name User DN Authentication level Resource ID Authentication scheme ID Authentication Policy ID Partner ID
Login failure	A client fails to login; this event is issued only when all the retry authentication attempts allowed have failed or when the account is locked.	Remote IP User Name Authentication level Resource ID Authentication scheme ID Authentication Policy ID Partner ID
Logout success	A client finishes the logout procedure and is forwarded to the agent.	Remote IP User DN Authentication level SSO Session ID Partner ID
Logout failure	A client fails to logout.	Remote IP User DN SSO Session ID Failure details Partner ID
Credential Collection	A client is redirected to the credential collection page.	Remote IP Resource Name Resource ID Authentication scheme ID Authentication Policy ID
Credential Submit	A client submits credentials.	Remote IP User Name Resource ID Authentication scheme ID Authentication Policy ID
Authorization Success	A client has been authorized to access a resource.	Remote IP User DN Resource ID Authorization Policy ID
Authorization Failure	A client has not been authorized to access a resource.	Remote IP User DN Resource ID Authorization Policy ID
Server Start Up	The server starts up.	Date and time Instance Name Application Name User Name
Server Shut Down	The server shuts down.	Date and time Instance Name Application Name User Name

8.3.3 Auditing Authentication Events

Auditing events during authentication can help Administrators scrutinize security weaknesses in their systems.

The events that an Administrator can configure for auditing during authentication are:

Authentication success
Authentication failure
Create, modify, delete, or view Authentication Policy data

Information related to the user being authenticated may include the following:

IP address
Browser type
User Login ID
Time of Access

Note:

Oracle recommends that you avoid auditing, logging, or tracing sensitive user attributes, such as user passwords.

Information about users requesting authentication or brute force attacks can be stored in the file system or in a back-end database.

8.4 Identity Federation Events You Can Audit

The Identity Federation service also uses the Fusion Middleware Audit Framework for auditing.

The following data is part of each audit record, regardless of the event or event type that is audited:

timestamp - Date and time the audit event occurred
initiator - the initiator of the audit event (for some events this attribute may be empty)
ECID - the execution context ID

The Fusion Middleware Audit Framework supports the following audit levels:

None
Low
Medium
Custom

Events can be audited in different categories and audit levels.

Table 8-4 lists the event categories.

Table 8-4 Categories of Audit Events for Identity Federation

Category	Described in ...
Session Management	Session Management Events for Identity Federation
Protocol Flow	Protocol Flow Events for Identity Federation
Server Configuration	Server Configuration Events for Identity Federation
Security	Security Events for Identity Federation

The following section contain more information.

8.4.1 Session Management Events for Identity Federation

Session Management events for this Identity Federation release, include a subset of auditable events for the previous release.

Table 8-5 Identity Federation Session Management Events

Auditable Events	Auditing Not Supported in This Release for ...
CreateUserSession – Creation of a session after a successful login	CreateUserFederation – Creation of a user federation between two remote servers
DeleteUserSession – Deletion of a session after logout	UpdateUserFederation - Updating the user federation between two remote servers
CreateActiveUserFederation – Creation of an active federation after successful login	DeleteUserFederation – Deletion of a user federation between two remote servers
CreateActiveUserFederation – Creation of an active federation after successful login
DeleteActiveUserFederation - Deletion of an active federation after logout
LocalAuthentication – Authentication of a user at OIF
LocalLogout - Logout of a user at Identity Federation

Auditable Events

Auditing Not Supported in This Release for ...

CreateUserSession –

Creation of a session after a successful login

CreateUserFederation –

Creation of a user federation between two remote servers

DeleteUserSession –

Deletion of a session after logout

UpdateUserFederation -

Updating the user federation between two remote servers

CreateActiveUserFederation –

Creation of an active federation after successful login

DeleteUserFederation –

Deletion of a user federation between two remote servers

CreateActiveUserFederation –

Creation of an active federation after successful login

DeleteActiveUserFederation -

Deletion of an active federation after logout

LocalAuthentication –

Authentication of a user at OIF

LocalLogout - Logout of a user at Identity Federation

8.4.2 Protocol Flow Events for Identity Federation

Protocol flow events for this Identity Federation release, include a subset of auditable events for the previous Identity Federation release.

Table 8-6 Protocol Flow Events for Identity Federation

Auditable Events	Auditing Not Supported in This Release for ...
IncomingMessage Message being received by Identity Federation	AssertionCreation Creation of an assertion by Identity Federation (Success only
OutgoingMessage Message being sent by Identity Federation (Success only)
AssertionConsumption Consumption of an assertion by Identity Federation (Success only)

Auditable Events

Auditing Not Supported in This Release for ...

IncomingMessage

Message being received by Identity Federation

AssertionCreation

Creation of an assertion by Identity Federation (Success only

OutgoingMessage

Message being sent by Identity Federation (Success only)

AssertionConsumption

Consumption of an assertion by Identity Federation (Success only)

8.4.3 Server Configuration Events for Identity Federation

Auditable Server configuration events for this Identity Federation release, include a subset of auditable events for the previous Identity Federation release.

Table 8-7 Server Configuration Identity Federation

Auditable Events	Auditing Not Supported in This Release for ...
CreateConfigProperty Adding a new configuration property (Success only)	SetDataStoreType Changing the type of a data store (Success only)
ChangeConfigProperty Changing the value of an existing configuration property (Success only)	ChangeDataStore Setting of the federation data store (Success only)
DeleteConfigProperty Deleting a configuration property (Success only)
CreatePeerProvider Adding a new provider to the list of trusted providers (Success only)
UpdatePeerProvider Updating the information on an existing provider in the list of trusted providers (Success only) PeerProviderID
DeletePeerProvider Deleting a provider from the list of trusted providers (Success only)
LoadMetadata Loading of metadata (Success only)
ChangeFederation Changing of the trusted providers (Success only)
ChangeServerProperty Changing of a server configuration property (Success only)

Auditable Events

Auditing Not Supported in This Release for ...

CreateConfigProperty

Adding a new configuration property (Success only)

SetDataStoreType

Changing the type of a data store (Success only)

ChangeConfigProperty

Changing the value of an existing configuration property (Success only)

ChangeDataStore

Setting of the federation data store (Success only)

DeleteConfigProperty

Deleting a configuration property (Success only)

CreatePeerProvider

Adding a new provider to the list of trusted providers (Success only)

UpdatePeerProvider

Updating the information on an existing provider in the list of trusted providers (Success only) PeerProviderID

DeletePeerProvider

Deleting a provider from the list of trusted providers (Success only)

LoadMetadata

Loading of metadata (Success only)

ChangeFederation

Changing of the trusted providers (Success only)

ChangeServerProperty

Changing of a server configuration property (Success only)

8.4.4 Security Events for Identity Federation

Auditable security events for this Identity Federation release, include all auditable events for the previous Identity Federation release.

Table 8-8 Security Events for Identity Federation

Auditable Events	Auditing Not Supported in This Release for ...
CreateSignature Creation of a digital signature by Identity Federation	n/a
VerifySignature Verification of a digital signature by Identity Federation
EncryptData Encryption of data by Identity Federation
DecryptData Decryption of data by Identity Federation

8.5 Setting Up Auditing for Oracle Access Management

Before you perform auditing for Oracle Access Management, ensure to set up the audit data store and set up publishing for audit reports.

The following overview provides a list of the tasks that must be performed before auditing:

Set up the audit data store.

See Setting Up the Audit Database Store.
Set up publishing for audit reports.

See Preparing Oracle Business Intelligence Publisher EE.
Edit the Audit Configuration in the Oracle Access Management Console, as described in:
- Using the Oracle Access Management Console for Audit Configuration
- Adding, Viewing, or Editing Audit Settings

See Validating Auditing and Reports for details on how to test and validate the audit configuration.

8.5.1 Setting Up the Audit Database Store

Here is an overview of the tasks required to create the audit database and extend the schema using the Repository Creation Utility (RCU).

This task is required before you can audit events for Oracle Access Management if you choose a database store for audit data.

See Also:

Managing the audit Store in the Securing Applications with Oracle Platform Security Services.
Oracle Fusion Middleware Repository Creation Utility User's Guide

To create an audit database store:

Create an audit database, version 11.1.0.7 or later.

See Audit Database Administration in the Securing Applications with Oracle Platform Security Services.
Run the RCU against the database.

See "Create the Audit Schema using RCU" in the Oracle Fusion Middleware Repository Creation Utility User's Guide.
Set up audit data sources for the audit loader and configure it for the OAM Server.
See About Audit Data Sources in the Securing Applications with Oracle Platform Security Services:
- Use the Java EE audit loader configuration for WebLogic Server.
- Use the JNDI name of the data source jdbc/AuditDB that points to the database that was set up in step 2 above.

In the service instance specified in the domain file ($DOMAIN_HOME/config/fmwconfig/jps-config.xml), enable database auditing by changing the value of the property audit.loader.repositoryType to DB_ORACLE. For example:

<serviceInstance name="audit.db" provider="audit.provider">
         <property name="audit.loader.repositoryType" value="DB_ORACLE"/>
         <property name="audit.timezone" value="utc"/>
         <property name="audit.loader.interval" value="15"/>
         <property name="audit.maxFileSize" value="104857600"/>
         <property name="audit.reports.jndi" value="jdbc/AuditViewDataSource"/>
         <property name="audit.filterPreset" value="None"/>
         <property name="audit.loader.jndi" value="jdbc/AuditAppendDataSource"/>
         <propertySetRef ref="props.db.1"/>
</serviceInstance>

Restart the WebLogic Server.
Ensure that the audit loader is configured for the OAM Server and that it points to the proper database, as described in Audit Terminology in the Securing Applications with Oracle Platform Security Services.
Maintain the bus-stop files, as described in Managing the bus-stop files in the Securing Applications with Oracle Platform Security Services.

8.5.2 Preparing Oracle Business Intelligence Publisher EE

You must prepare Oracle Business Intelligence Publisher Enterprise Edition (EE) for use with Oracle Access Management audit reports.

Here is an outline of the procedure to prepare Oracle Business Intelligence Publisher EE.

See Also:

Fusion Middleware Metadata Repository Builder's Guide for Oracle Business Intelligence Enterprise Edition
Oracle Fusion Middleware Developer's Guide for Oracle Business Intelligence Enterprise Edition
Securing Applications with Oracle Platform Security Services

To prepare Oracle Business Intelligence Publisher:

Install Oracle BI Publisher.

See the Oracle Business Intelligence Enterprise Edition Installation and Upgrade Guide.

Note:
While configuring BI domain in the Configuration Assistant, select only Business Intelligence Publisher to ensure OAM reports can be viewed by performing the following steps. If you integrate Business Intelligence Publisher with Business Intelligence Enterprise Edition, or select only Business Intelligence Enterprise Edition, you must upload the reports from the BI Publisher admin console only and the following steps are not applicable.
Perform the following tasks:
See Oracle Business Intelligence Publisher Time Zone in the Securing Applications with Oracle Platform Security Services:
- Unjar the common report AuditReportTemplates.jar to $BI_DOMAIN/bidata/components/bipublisher/repository/Reports/ from the location $OAM_MW_HOME/oracle_common/modules/oracle.iau/reports.
- Unzip the oam-specific reports oam_audit_reports.zip into $BI_DOMAIN_HOME/bidata/components/bipublisher/repository/Reports/Oracle_Fusion_Middleware_Audit/Component_Specific from the location $OAM_ORACLE_HOME/oam/server/reports.
- Set up the JNDI connection for the audit data source or the JDBC connection the audit database.
  
  The datasource name must be "Audit".
Set up audit report templates. See About Audit Reporting in the Securing Applications with Oracle Platform Security Services.
Set up audit report filters, as described in Managing Audit Policies with Fusion Middleware Control in the Securing Applications with Oracle Platform Security Services.
View reports from the following path: Reports/Oracle_Fusion_Middleware_Audit_Reports/Component_Specific/OAM.

See Also:

Validating Auditing and Reports

8.5.3 Using the Oracle Access Management Console for Audit Configuration

Within Oracle Access Management, certain Audit Configuration settings are accessible as Common Settings under the System Configuration. These settings are not required when you audit to a database.

Figure 8-2 shows the Audit Configuration section of the Common Settings page.

Figure 8-2 Common Settings: Auditing Configuration

Description of "Figure 8-2 Common Settings: Auditing Configuration"

The Auditing section provides settings for the Log Directory, Filter Settings, and Audit Configuration Users.

Note:

The actual log directory cannot be configured using the Oracle Access Management Console. It is the default directory for the Common Audit Framework audit loader. Changing the directory impacts the audit loader and is not supported.

Table 8-9 describes the elements in the Audit Configuration page.

Table 8-9 Audit Configuration Elements

Elements	Description
Maximum Directory Size	The maximum size, in MBs, of the directory that contains audit output files. For example, assuming that the maximum file size is 10, a value of 100 for this parameter implies that the directory allows a maximum of 10 files. Once the maximum directory size is reached, the audit logging stops. For example, a value of 100 specifies a maximum of 10 files if the file size is 10 MB. If the size exceeds this, the creation of audit logs stops. This is configured using the `max.DirSize` property described in the configuration file`jps-config.xml`. This property controls the maximum size of a bus-stop directory for Java components as described in the About Audit in Java SE Applications in the Securing Applications with Oracle Platform Security Services.
Maximum File Size	The maximum size, in MBs, of an audit log file. Once the size of a file reaches the maxi mum size, a new log file is created. For example, specifying 10 directs file rotation when the file size reaches 10 MB. This is configured using the `max.fileSize` property described in the configuration file`jps-config.xml`. This property controls the maximum size of a bus-stop file for Java components as described inAbout Audit in Java SE Applications in the Securing Applications with Oracle Platform Security Services..
Filter Enabled	Check this box to enable event filtering.
Filter Preset	Defines the amount and type of information that is logged when the filter is enabled. The default value is Low. All: captures and records all auditable OAM events Low: captures and records a specific set of auditable OAM events Medium: captures and records events covered by the Low setting plus a number of other auditable OAM events None: no OAM events are captured and recorded Events for each filter preset are fixed in the read-only component_events.xml file. Editing or customizing this file is not supported for Oracle Access Management. Only items that are configured for auditing at the specified filter preset can be audited.
Users	Specifies the list of users whose actions are included only when the filter is enabled. All actions of the special users are audited regardless of the filter preset. Administrators can add, remove or edit special users from this table.

8.5.4 Adding, Viewing, or Editing Audit Settings

The Administrator controls the amount and type of information that is logged by choosing a filter preset from the Audit Configuration tab on the OAM Server Common Properties page.

Note:

Auditable events for each filter preset are fixed in the read-only component_events.xml file. Editing or customizing this file is not supported.

The following procedure describes how to add, view, or edit OAM Server Common Audit Configuration settings. Individual audit policies cannot be configured using Fusion Middleware Control. Oracle Access Management does not use JPS infrastructure to configure the audit configuration. There are no WebLogic Scripting Tool (WLST) commands for auditing.

In the Oracle Access Management Console, click Configuration at the top of the window.
In the Settings section, select Common Settings from the View menu.
In the Audit Configuration section, enter appropriate details for your environment See Table 8-9:
- Maximum Log directory size
- Maximum Log file size
- Filter Enabled
- Filter Preset (to define verbosity of audit data)
- Users to include specific users from the audit by clicking the Add (+) button above the Users table and entering a value in the field.
Click Apply to submit the Audit Configuration (or close the page without applying changes).

8.6 Validating Auditing and Reports

The run-time event auditing configuration can be tested.

Before you begin:

Configure auditing parameters.

See Setting Up Auditing for Oracle Access Management.
Ensure the Agents and Servers are running.
Prepare BI EE Publisher.

SeePreparing Oracle Business Intelligence Publisher EE.

To validate an Authentication Event: Audit Console login success/failure as described here or any administrative event.

See Table 8-2.
1. Sign out of Oracle Access Management Console.
2. Sign in to Oracle Access Management Console with invalid user (not Administrator) credentials.
3. Sign in to Oracle Access Management Console using the proper Administrator credentials.
4. Review Log File: Open the audit.log file and search for the last Administrative event entries:
```
$DOMAIN_HOME/servers/$ADMINSERVER_NAME/logs/auditlogs/OAM/audit.log 
```
5. Review Database Log:
  1. Perform the following tasks.
    
    See Setting Up the Audit Database Store.
  2. Generate an Authentication event as described in Step 1.
  3. Connect to the database and connecting to the database and reviews audit events under IAU_BASE table.
To validate a Runtime Event: Audit Authorization success/failure as described here or any runtime event that is described as follows:

See Table 8-3.
1. In a browser window, enter the URL of a protected resource for which you are not authorized.
2. Review Log File: Open the audit.log file and search for the last Administrative event entries:
```
$DOMAIN_HOME/servers/$RUNTIMESERVER_NAME/logs/auditlogs/OAM/audit.log 
```
3. Review Database Log:
  1. Perform the following tasks.
    
    See Setting Up the Audit Database Store.
  2. Generate and Authentication event as described in Step 1.
  3. Connect to the database and connecting to the database and reviews audit events under IAU_BASE table.
To validate Audit Configuration Changes:

See Also Adding, Viewing, or Editing Audit Settings.
1. From the Oracle Access Management Console, System Configuration tab, Common Configuration, modify Maximum Directory Size (MB) and Maximum File Size (MB) parameters.
2. Repeat Steps here to confirm auditing is working.
To View Reports:
1. Sign in to Oracle BI EE. For example:
  
  http://host:port/xmlpserver
  
  Here, host is the computer hosting Oracle BI Publisher; port is the listening port for BI Publisher; xmlpserver is the login page for BI Publisher.
2. In Oracle BI Publisher Enterprise, locate the desired reports. For example:
  
  Click Shared Folders, the component that contains the report you would like to view and then select the desired report.
3. Perform any analysis as desired, or edit your auditing configuration as needed.
```
$MW_HOME/user_projects/domains/base_domain/servers/oam_server1/logs/ 
auditlogs/OAM/
```
Archive and manage audit logs according to your company policies.