Pageviews

Showing posts with label Auditing. Show all posts
Showing posts with label Auditing. Show all posts

Tuesday, January 28, 2014

Logging, Auditing, and Monitoring the Directory, Enable Audit Logging in OID 11g, Audit Logs in OID, Configure OID Audit Logs, OID logs, Auditting in OID 11g

Logging, Auditing, and Monitoring the Directory

Managing and Enabling Audit Logging in OID 11g

In Oracle Fusion Middleware 11g Release 1 (11.1.1), auditing provides a measure of
accountability and answers the "who has done what and when" types of questions.


Prerequisites:

  • OID 11g is installed in Environment.
  • OID instances must be Up and Running.
  • OID managed Servers must be Up and Running.
Here are the Steps, that an individual should follow to Enable Audit Logs in OID 11g:

  1. Checking the Configurations. 
  2. Checking the output file.
  3. Preparing LDIF file.
  4. Enabling the Audit Logging using Command Prompt.
  5. Re-Checking the Configurations. 
  6. Testing Audit Logging.
1. Checking the Configurations 

This step will help us to check the configuration of OID instance whether OID Audit Logging is Enabled or not .

Run the below Command in Command Prompt(Windows) or Terminal(Linux) where OID instance is installed.

Note: To run this command you may have to set the Environment Variables based on your server configurations. Normally In Windows we dont have to set the environment variables to run the below command.

Syntax:
ldapsearch -p <oid_port> -h <hostname> -D <username> -q \ -b "cn=oid2,cn=osdldapd,cn=subconfigsubentry" \ -s base "objectclass=*" > <filepath>

Example:

In Windows:
ldapsearch -p 3060 -h localhost -D cn=orcladmin -q \ -b "cn=oid2,cn=osdldapd,cn=subconfigsubentry" \ -s base "objectclass=*" > C:\Oracle\Middleware\c5.txt

Provide  Password and Hit Enter

In Linux:
ldapsearch -p 3060 -h localhost -D cn=orcladmin -q \ -b "cn=oid2,cn=osdldapd,cn=subconfigsubentry" \ -s base "objectclass=*" > /u01/app/Oracle\Middleware\c5.txt

Provide  Password and Hit Enter

2. Checking the output File.

Open file c5.txt  from the location 

Windows:
 C:\Oracle\Middleware\ 

Linux:
/u01/app/Oracle\Middleware\

Search for the ObjectClass "orclaudcustevents" and check the value Against this ObjectClass. If the value is blank then the configuration is not enabled for Audit Logging and we have to Enable logging which is given in next step.


3.Preparing LDIF file:

We will set the "orclaudcustevents" value using LDIF file.

Open any text editor and enter the values below:

dn: cn=oid2,cn=osdldapd,cn=subconfigsubentry
changetype: modify
replace: orclaudFilterPreset
orclaudFilterPreset: Custom
-
replace: orclaudcustevents
orclaudcustevents: UserLogin 

Save this file as LDIF file (for e.g. : aud.ldif)

Here OID2 is the component name, check the instance home for your component name and  UserLogin is the event for which we are enabling the Audit Logs. There are different types of events for which you can enable Audit Logging simultaneously. Some events are listed below which can be used with UserLogin.

UserLogin.FAILURESONLY, UserLogout, CheckAuthorization,
ModifyDataItemAttributes, CompareDataItemAttributes, ChangePassword.FAILURESONLY
orclaudfilterpreset=custom

4.Enabling the Audit Logs using Command Prompt.

LDAP Modify command is used  to Enable the Audit Logs and modify the value of orclaudcustevents

Run the command below:

Syntax:

ldapmodify -D <username> -q -p <port> -h <hostname> -f <filelocation>

Example:

ldapmodify -D cn=orcladmin -q -p 3060 -h localhost -f C:\Oracle\Middleware\aud.ldif

Enter Password when prompted:

5. Re-Checking the Configurations:

Rerun the LDAP Search command to check new Configurations.

Do the steps 1 and 2 from above. This time in Step 2 the output must show the below result:












6. Testing Audit Logging:

Open the ODSM page in browser using the URL below: 

http://<hostname>:<port>/odsm

In my case http://localhost:7005/odsm

Try to Log-in using any User say cn=orcladmin with Correct password:

If user logs in correctly, log out and re-log-in with different user say cn=testuser and with Incorrect Password this time.

Now we will see the Audit Logs whether Our UserLogin Events are captured or not:

Open Location 

INSTANCE_HOME/AuditLogs/component-name/

In my case : C:\Oracle\Middleware\asinstance1\auditlogs\OID\oid2\

and open the latest audit log file 

for e.g: file with name audit_pid3924.txt

You must receive the logs with events captured for UserLogin as below example. Click the image below to see results:






The Other way to check the Audit Logging in OID is, using EM console : http://onlineappsdba.com/index.php/2012/08/28/how-to-findaudit-failed-login-attempts-in-oid-11g/

*********************************************************************************