Saturday, January 19, 2013

Steps to Enable Audit Log and analyze it in OAM



STEP 1)RCU - Configuring the audit schema
For Oracle Access Manager, select the following:
- Enter a new prefix name OAM_DEV
- Identity Manager - Oracle Access Manager schema
- AS Common Schema - Audit Services schema
STEP 2.0)Change Audit Level from file perspective
go to OAM Console => system configuration => Common Settings and change "Audit level" to "ALL"


[Or just through the command line. Note that this raises the OAM diagnostic log level, which is separate from the audit Filter Preset]:
========================================
HOW TO INCREASE LOG LEVEL OF OAM:
========================================
cd $OAM_HOME/common/bin
./wlst.sh
connect()
(enter the WebLogic user, password and t3 URL when prompted)
setLogLevel(logger="oracle.oam", level="TRACE:32", persist="0", target="wls_oam2")
Then you can see more logs going to:
http://thiagoleoncio-server:7001/em (right click into OAM--> Logging).

STEP 2.1) Showing audit file details:
By default, if you look for
$OAM_DOMAIN/servers/AdminServer/logs/auditlogs/OAM/audit.log
you will find that the auditlogs/OAM part of this path does not exist yet.
 
 
[Screenshot in the original post: the audit configuration with the Filter Preset still at Low]
 
Then go to OAM Console > System Configuration > Common Configuration > Common Settings > Change Filter Preset to ALL
Bounce OAM Server.
 
 
Now audit.log shows the following field values for OAM as well, under $DOMAIN_HOME/servers/oam_server1/logs/auditlogs/OAM (at the Low level the /auditlogs/OAM part of this path did not exist):
Fields:Date Time Initiator EventType EventStatus MessageText AdditionalInfo AdminRoleName AgentID AgentType ApplicationDomainName ApplicationName AuthenticationMethod AuthenticationPolicyID AuthenticationSchemeID AuthorizationPolicyID AuthorizationScheme ClientIPAddress ConstraintType ContextFields DataSourceName DataSourceType ECID EventCategory FailureCode GenericAttribute1 GenericAttribute2 GenericAttribute3 GenericAttribute4 GenericAttribute5 HostIdentifierName IdentityDomain Impersonator InstanceName NewAttributes NewSettings OldAttributes OldSettings PolicyAdminContext PolicyName PolicyObjectID PolicyType ProtectionLevel RID ReadOnly RemoteIP RequestID Resource ResourceHost ResourceHostName ResourceID ResourceOperations ResourceTemplateName ResourceType ResourceURI ResponseType Roles SSOSessionID SchemeName ServiceIdentifier ServiceOperation ServiceURI SessionCreationTime SessionExpirationTime SessionId SessionLastAccessTime SessionLastUpdateTime Target TargetComponentType ThreadId UserDN UserID 
#Remark Values:ComponentType="OAM" Version="11.1.1.6.0"
 
STEP 2.2) Changes made in the XML files:
Also, you will now see the following in $OAM_DOMAIN/config/fmwconfig/oam-config.xml:
 
<Setting Name="oamAuditConfig" Type="htf:map">
                <Setting Name="auditbusstop" Type="xsd:string">%DOMAIN_HOME%/servers/%INSTANCE_NAME%/logs/auditlogs/OAM</Setting>
                <Setting Name="componentEventsFile" Type="xsd:string">%DOMAIN_HOME%/config/fmwconfig/component_events.xml</Setting>
                <Setting Name="AuditFactories" Type="htf:map">
                  <Setting Name="RuntimeFactory" Type="xsd:string">oracle.security.am.controller.audit.RuntimeAuditEventFactory</Setting>
                </Setting>
                <Setting Name="AuditEventsMap" Type="htf:map">
                  <Setting Name="RuntimeFactory" Type="htf:list">
                    <Setting Name="eventMap" Type="xsd:string">client_session.success|Login.success</Setting>
 
...
<Setting Name="FilterPreset" Type="xsd:string">All</Setting>
 
....
<Setting Name="auditbusstop" Type="xsd:string">%DOMAIN_HOME%/servers/%INSTANCE_NAME%/logs/auditlogs/OAM</Setting>
....
<Setting Name="componentEventsFile" Type="xsd:string">%DOMAIN_HOME%/config/fmwconfig/component_events.xml</Setting>
....
 
And in component_events.xml, search for FilterPresetDefinition:
 
<FilterPresetDefinitions>
    <FilterPresetDefinition name="Low">ConsoleLogin,PolicyCreation,PolicyModification,PolicyDeletion,ResourceTypeCreation,ResourceTypeModification,ResourceTypeDeletion,ResourceCreation,ResourceModification,ResourceDeletion,SchemeCreation,SchemeModification,SchemeDeletion,AgentCreation,AgentModification,AgentDeletion,ServerDomainCreation,ServerDomainCreation,ServerDomainDeletion,ServerInstanceCreation,ServerInstanceModification,ServerInstanceDeletion,DataSourceCreation,DataSourceModification,DataSourceDeletion,HostIdentifierCreation,HostIdentifierModification,HostIdentifierDeletion,GenericAdminOperation,PluginCreation,PluginModification,PluginDeletion,GenericDelegatedAdminOperation,SuiteServiceEnabled,SuiteServiceDisabled,ServerPasswdMgmtOperation,ServerUpgradeStart,ServerUpgradeEnd,ServerUpgradeSubsystemStart,ServerUpgradeSubsystemEnd,ServerUpgradeGenericEvent,ServerMigrateEvent,AdminRoleCreation,AdminRoleModification,AdminRoleDeletion,LockAccount</FilterPresetDefinition>
 
STEP 2.3) Log info:
In the OAM audit.log file you will find a lot of information, for example the ServerShutDown, SessionValidation, CheckAuthorization and ServerStartup events:
2013-01-18 11:44:47.189  - "ServerShutDown" true "" "" - "" - - "oam_server(11.1.2.0.0)" - - - - - - - - - - "disabled" "Server" "-" - - - - - - - - "oam_server1" - - - - - - - - - "0" - "unknown" "2703459874020755045" - - - - - - - - - - - - - - - - - - - - - - "9" - -
2013-01-18 11:47:30.383  - "ServerStartup" true "" "" - "" - - "oam_server(11.1.2.0.0)" - - - - - - - - - - "0000JlDUy7I6iKS5UFDCic1GyJO^000003" "Server" "-" - - - - - - - - "oam_server1" - - - - - - - - - "0" - "unknown" "2364376157707829689" - - - - - - - - - - - - - - - - - - - - - - "12" - -
2013-01-18 11:47:53.796  - "SessionValidation" true "" "" - "IAMSuiteAgent" - - "oam_server(11.1.2.0.0)" - - - - - - - - - - "020eea9376ca2020:616c6b44:13c4d7b7dd0:-8000-0000000000000012" "Server" "-" - - - - - - "UserIdentityStore1" - "oam_server1" - - - - - - - - "2" "1:25853" - "" "-5731427128301666218" - "IAMSuiteAgent" - - - - - "" - - "bb5fc572-91a2-4abe-bedf-29d632422f8f" - - - - - - - - - - - "15" "uid=oamadmin,ou=people,ou=myrealm,dc=oam_domain" "oamadmin"
2013-01-18 11:47:53.819  "oamadmin" "CheckAuthorization" true "" - - "IAMSuiteAgent" - "IAM Suite" "oam_server(11.1.2.0.0)" - - - "Protected Resource Policy" - - - - - - "020eea9376ca2020:616c6b44:13c4d7b7dd0:-8000-0000000000000012" "Authorization" "-" - - - - - - - - "oam_server1" - - - - - - - - - "1:25853" - "" "-5731427128301666218" "HTTP::IAMSuiteAgent::/oamconsole/**::" "IAMSuiteAgent" - "HTTP::IAMSuiteAgent::/oamconsole/* 
So, go to your application, log in using the OAM SSO login page and then return to the audit.log file, which is in $OAM_DOMAIN/servers/oam_server1/logs/auditlogs/
 
Then just search for the user you logged in as, for example thiagoleoncio:
 
2013-01-18 12:00:42.645  - "Login" true "" "" - "oam11gr2_webgate_7777" - "rreg_inband_app_domain" "oam_server(11.1.2.0.0)" - "Protected Resource Policy" - - - - - - - - "020eea9376ca2020:616c6b44:13c4d7b7dd0:-8000-000000000000003a" "Server" "-" - - - - - - "OUD_Store" - "oam_server1" - - - - - - - - "2" "0" - "10.150.13.23" "-8677153607206731526" "HTTP::oam11gr2hostid::/example/internal/.../*::" "oam11gr2hostid" - "HTTP::oam11gr2hostid::/example/internal/.../*::" - - - "http://thiagoleoncio.server:7777/example/internal/employeeHome.html" - - "80171355-5220-4f80-ad51-33ebf17b3a17" "ThiagoLDAPScheme" - - - - - "" - - - - "39" "uid=thiagoleoncio,ou=people,dc=example,dc=com" "thiagoleoncio"
2013-01-18 12:00:42.669  - "SessionValidation" true "" "" - "oam11gr2_webgate_7777" - - "oam_server(11.1.2.0.0)" - - - - - - - - - - "020eea9376ca2020:616c6b44:13c4d7b7dd0:-8000-0000000000000012" "Server" "-" - - - - - - "OUD_Store" - "oam_server1" - - - - - - - - "2" "1:25956" - "10.150.13.23" "-262758080057988247" - "oam11gr2hostid" - - - - - "" - - "80171355-5220-4f80-ad51-33ebf17b3a17" - - - - - - - - - - - "15" "uid=thiagoleoncio,ou=people,dc=example,dc=com" "thiagoleoncio"
2013-01-18 12:00:42.685  "thiagoleoncio" "CheckAuthorization" true "" - - "oam11gr2_webgate_7777" - "rreg_inband_app_domain" "oam_server(11.1.2.0.0)" - - - "Protected Resource Policy" - - - - - - "020eea9376ca2020:616c6b44:13c4d7b7dd0:-8000-0000000000000012" "Authorization" "-" - - - - - - - - "oam_server1" - - - - - - - - - "1:25956" - "10.150.13.23" "-262758080057988247" "HTTP::oam11gr2hostid::/**::" "oam11gr2hostid" - "HTTP::oam11gr2hostid::/**::" - - - "" - - - "" - - - - - - - - - - "15" - -
 
 
So you will see event types such as CredentialValidation, SessionCreation, Login, SessionValidation, Authorization, SessionDestroy, Logout and CheckAuthorization.
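To turn this file into something you can query, here is an added example (mine, not code from the original post) that parses audit.log in the layout shown above: a Fields header naming the columns, Remark lines to skip, and one event per line with "-" for an absent value, "" for an empty string and everything else double-quoted. The embedded sample log is constructed with 15 of the 72 fields listed above; the user jdoe, its source address and the failure code text are made up. The parser itself maps values to whatever the header declares, so it works on the full 72-field file. Besides the per-user search the post suggests, it counts failed authentication events per user and source address, which is the first check a defender wants from this file.

```python
import shlex
from collections import Counter

# Constructed sample in the layout of OAM's audit.log, reduced to 15 of the
# 72 fields from the post. The jdoe failures and the failure code are made up.
SAMPLE_AUDIT_LOG = """\
#Fields:Date Time Initiator EventType EventStatus MessageText AgentID ApplicationDomainName EventCategory FailureCode RemoteIP ResourceURI SSOSessionID UserDN UserID
#Remark Values:ComponentType="OAM" Version="11.1.1.6.0"
2013-01-18 11:47:30.383 - "ServerStartup" true "" "" - "Server" "-" "unknown" - - - -
2013-01-18 12:00:42.645 - "Login" true "" "oam11gr2_webgate_7777" "rreg_inband_app_domain" "Server" "-" "10.150.13.23" "http://thiagoleoncio.server:7777/example/internal/employeeHome.html" "80171355-5220-4f80-ad51-33ebf17b3a17" "uid=thiagoleoncio,ou=people,dc=example,dc=com" "thiagoleoncio"
2013-01-18 12:00:42.685 "thiagoleoncio" "CheckAuthorization" true "" "oam11gr2_webgate_7777" "rreg_inband_app_domain" "Authorization" "-" "10.150.13.23" "" - - -
2013-01-18 12:03:10.001 - "CredentialValidation" false "" "oam11gr2_webgate_7777" "rreg_inband_app_domain" "Authentication" "invalid_credentials" "10.150.13.99" "http://thiagoleoncio.server:7777/example/internal/employeeHome.html" - - "jdoe"
2013-01-18 12:03:15.412 - "CredentialValidation" false "" "oam11gr2_webgate_7777" "rreg_inband_app_domain" "Authentication" "invalid_credentials" "10.150.13.99" "http://thiagoleoncio.server:7777/example/internal/employeeHome.html" - - "jdoe"
2013-01-18 12:03:20.907 - "CredentialValidation" false "" "oam11gr2_webgate_7777" "rreg_inband_app_domain" "Authentication" "invalid_credentials" "10.150.13.99" "http://thiagoleoncio.server:7777/example/internal/employeeHome.html" - - "jdoe"
2013-01-18 12:30:00.120 - "Logout" true "" "oam11gr2_webgate_7777" "rreg_inband_app_domain" "Server" "-" "10.150.13.23" - "80171355-5220-4f80-ad51-33ebf17b3a17" "uid=thiagoleoncio,ou=people,dc=example,dc=com" "thiagoleoncio"
"""

# Event types that represent an authentication attempt (from the post's list).
AUTH_EVENTS = {"Authentication", "CredentialValidation", "Login"}


def parse_audit_log(text):
    """Return one dict per event line, keyed by the names in the Fields header.

    '-' (absent, quoted or not) becomes None, "" stays an empty string and
    EventStatus becomes a bool. A line whose value count does not match the
    header is an error rather than silently misaligned fields.
    """
    fields = None
    events = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith(("#Fields:", "Fields:")):
            fields = line.split(":", 1)[1].split()
            continue
        if line.startswith("#"):  # #Remark and any other metadata line
            continue
        if fields is None:
            raise ValueError("line %d: event before the Fields header" % lineno)
        tokens = shlex.split(line)  # honours double quotes, returns '' for ""
        if len(tokens) != len(fields):
            raise ValueError("line %d: %d values but header names %d fields"
                             % (lineno, len(tokens), len(fields)))
        event = {name: (None if tok == "-" else tok)
                 for name, tok in zip(fields, tokens)}
        event["EventStatus"] = event["EventStatus"] == "true"
        events.append(event)
    return events


def events_for_user(events, user_id):
    """The search the post suggests: every event carrying the user as UserID or Initiator."""
    return [e for e in events if user_id in (e.get("UserID"), e.get("Initiator"))]


def event_type_counts(events):
    """How many events of each type the file holds."""
    return Counter(e["EventType"] for e in events)


def failed_auth_summary(events, threshold):
    """Failed authentication events per (UserID, RemoteIP), keeping pairs at or over threshold."""
    counts = Counter()
    for e in events:
        if e["EventType"] in AUTH_EVENTS and not e["EventStatus"]:
            counts[(e.get("UserID"), e.get("RemoteIP"))] += 1
    return {pair: n for pair, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    evs = parse_audit_log(SAMPLE_AUDIT_LOG)
    for e in events_for_user(evs, "thiagoleoncio"):
        print(e["Date"], e["Time"], e["EventType"], e["EventStatus"],
              e["RemoteIP"], e["ResourceURI"])
    for (user, ip), n in failed_auth_summary(evs, 3).items():
        print("repeated authentication failures: user=%s ip=%s count=%d" % (user, ip, n))
```

Point it at a real file with `parse_audit_log(open(path).read())`; because the field list comes from the header, the same code reads the full 72-field audit.log written under auditlogs/OAM.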
 

STEP 3.0)OAM AUDIT from Database perspective:


[oracle@THIAGOLEONCIOSERVER ~]$ sqlplus / as sysdba

SQL*Plus: Release 11.2.0.3.0 Production on Fri Jan 18 12:50:19 2013

Copyright (c) 1982, 2011, Oracle.  All rights reserved.


Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
With the Partitioning, Oracle Label Security, OLAP, Data Mining,
Oracle Database Vault and Real Application Testing options

SQL> connect DEV_IAU/welcome1
Connected.
SQL> select table_name from user_tables;

TABLE_NAME
------------------------------
IAU_BASE
WEBCACHECOMPONENT
OVDCOMPONENT
OIDCOMPONENT
OWSM_PM_EJB
OWSM_AGENT
DIP
OHSCOMPONENT
JPS
ADMINSERVER
REPORTSSERVERCOMPONENT

TABLE_NAME
------------------------------
WEBSERVICES
WS_POLICYATTACHMENT
OIF
OAAM
OAM
STS
SOA_B2B
SOA_HCFP
XMLPSERVER
IAU_DISP_NAMES_TL
IAU_LOCALE_MAP_TL

TABLE_NAME
------------------------------
IAU_COMMON
IAU_CUSTOM
IAU_AUDITSERVICE
IAU_USERSESSION

26 rows selected.



===========
SQL> describe IAU_BASE;
 Name                                    Null?    Type
 ----------------------------------------- -------- ----------------------------
 IAU_ID                                           NUMBER
 IAU_ORGID                                        VARCHAR2(255)
 IAU_COMPONENTID                                  VARCHAR2(255)
 IAU_COMPONENTTYPE                                VARCHAR2(255)
 IAU_INSTANCEID                                   VARCHAR2(255)
 IAU_HOSTINGCLIENTID                              VARCHAR2(255)
 IAU_HOSTID                                       VARCHAR2(255)
 IAU_HOSTNWADDR                                   VARCHAR2(255)
 IAU_MODULEID                                     VARCHAR2(255)
 IAU_PROCESSID                                    VARCHAR2(255)
 IAU_ORACLEHOME                                   VARCHAR2(255)
 IAU_HOMEINSTANCE                                 VARCHAR2(255)
 IAU_UPSTREAMCOMPONENTID                          VARCHAR2(255)
 IAU_DOWNSTREAMCOMPONENTID                        VARCHAR2(255)
 IAU_ECID                                         VARCHAR2(255)
 IAU_RID                                          VARCHAR2(255)
 IAU_CONTEXTFIELDS                                VARCHAR2(2000)
 IAU_SESSIONID                                    VARCHAR2(255)
 IAU_SECONDARYSESSIONID                           VARCHAR2(255)
 IAU_APPLICATIONNAME                              VARCHAR2(255)
 IAU_TARGETCOMPONENTTYPE                          VARCHAR2(255)
 IAU_EVENTTYPE                                    VARCHAR2(255)
 IAU_EVENTCATEGORY                                VARCHAR2(255)
 IAU_EVENTSTATUS                                  NUMBER
 IAU_TSTZORIGINATING                              TIMESTAMP(6)
 IAU_THREADID                                     VARCHAR2(255)
 IAU_COMPONENTNAME                                VARCHAR2(255)
 IAU_INITIATOR                                    VARCHAR2(255)
 IAU_MESSAGETEXT                                  VARCHAR2(2000)
 IAU_FAILURECODE                                  VARCHAR2(255)
 IAU_REMOTEIP                                     VARCHAR2(255)
 IAU_TARGET                                       VARCHAR2(255)
 IAU_RESOURCE                                     VARCHAR2(255)
 IAU_ROLES                                        VARCHAR2(255)
 IAU_AUTHENTICATIONMETHOD                         VARCHAR2(255)
 IAU_TRANSACTIONID                                VARCHAR2(255)
 IAU_DOMAINNAME                                   VARCHAR2(255)
 IAU_COMPONENTDATA    


SQL> select count(*) from iau_base;

  COUNT(*)
----------
         0

STEP 3.1)CONFIGURING JDBC DATA SOURCE:
High Level(description):
Go to WLS and configure JDBC datasource:
OAM_DOMAIN> Services> Data Sources > Domain Structure pane > Summary of JDBC Data Sources >
Select New > Generic DataSource > Create a New JDBC Data Source...
Detailed description:
Configure jdbc resource
1. Log into WLS Administrator Console
2. Under the Change Center, press Lock & Edit
3. In the Domain Structure tree, expand Services JDBC, then select Data Sources.
4. On the Summary of Data Sources page, click New.
5. On the JDBC Data Source Properties page, enter or select the following information:
Name: Audit
JNDI Name: jdbc/AuditDB
Database Type: Oracle
6. Click Next to continue.
7. Database Driver - Select the JDBC driver you want to use to connect to the database. The list includes common JDBC drivers for the selected DBMS. We choose:
*Oracle's Driver (Thin XA) for Service connections; Versions: 9.0.1, 9.2.0, 10, 11
** Note: You must install JDBC drivers before you can use them to create database connections. Some JDBC drivers are installed with WebLogic Server, but many are not.
8. Click Next
9. On Transaction Options click Next
10. On Connection Properties enter the following:
Database Name: orcl
Hostname: thiagoleoncio.server
Port: 1521
Db user name: DEV_IAU
Password: xxxx
11. Click Next
12. Click Test Configuration to ensure the connection completes successfully.
13. Click Finish
14. Click on the Data Source you just created
15. Click on the Targets tab
16. Select AdminServer
17. Select oam
18. Press Save
19. Click Activate Changes button

STEP 3.2)Now, go to OAM:7001/em
Farm_oam_domain >WebLogic Domain> oam_domain
Right click> WebLogic Domain > Security > Audit Store
NOTE: Don't forget to add a target to your data source, otherwise its JNDI name will not show up here.

NOTE: If you want more control : go to OAM Console > System Configuration > Common Configuration > Common Settings > Audit Configuration Section
then you can navigate to WebLogic Domain > Security > Audit Policy menu option...



[Or from the file directly]:
STEP 3.3)Configure jdbc xml file
1. Edit the file "<MW-HOME>/user_projects/domains/<domain-name>/config/fmwconfig/jps-config.xml", set the audit repository to Database instead of file, and point it at the JDBC resource created above.
2. Example: the following is a sample snippet of jps-config.xml where the change needs to be made:
<!-- JPS Audit Service Instance-->
<serviceInstance name="audit" provider="audit.provider">
<property name="audit.filterPreset" value="None"/>
<property name="audit.maxDirSize" value ="0"/>
<property name="audit.maxFileSize" value ="104857600"/>
<property name="audit.loader.jndi" value="jdbc/AuditDB"/>
<property name="audit.loader.interval" value="15" />
<property name="audit.loader.repositoryType" value="DB" />
</serviceInstance>

STEP 3.4)***Bounce AdminServer and Managed Server of OAM***.

And start testing your audit database feature.

Now go to an application that OAM protects, log in and do some tasks there, including access to protected resources, so that the audit tables have events to look at:

NOTE: The records are now written both to audit.log and to the audit tables.

STEP 3.5) Check the database again:
SQL> select count(*) from IAU_BASE;

  COUNT(*)
----------
       599

SQL> select distinct IAU_EVENTTYPE from IAU_BASE order by 1;

IAU_EVENTTYPE
--------------------------------------------------------------------------------
AgentCreation
Authentication
Authorization
CheckAuthorization
ConsoleLogin
CredentialChallenge
CredentialSubmit
CredentialValidation
DataSourceCreation
DataSourceModification
GenericAdminOperation

IAU_EVENTTYPE
--------------------------------------------------------------------------------
HostIdentifierCreation
HostIdentifierModification
Login
Logout
PolicyCreation
PolicyModification
ResourceCreation
ResourceModification
ResourceTypeCreation
SchemeCreation
SchemeModification

IAU_EVENTTYPE
--------------------------------------------------------------------------------
ServerDomainCreation
ServerShutDown
ServerStartup
SessionCreation
SessionDestroy
SessionValidation

28 rows selected.
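Two queries a practitioner would run against IAU_BASE once the loader has populated it, as an added example (mine, not from the original post): a count of failed authentication events per initiator and remote IP within a time window, and the timeline of one SSO session by IAU_SESSIONID, which is how the Login, SessionValidation, CheckAuthorization and Logout events of a user are tied together. It uses column names from the DESCRIBE output above; the table is recreated in an in-memory SQLite database with constructed rows purely so it runs offline, and it assumes IAU_EVENTSTATUS holds 1 for success and 0 for failure (the file form writes true/false). The user jdoe and the failure code text are made up. On Oracle the `?` placeholders become named binds such as `:since`.

```python
import sqlite3

# Subset of the IAU_BASE columns from the DESCRIBE output in the post. Created
# in an in-memory SQLite database here only so the queries run offline; on the
# real audit store this is the DEV_IAU.IAU_BASE table.
IAU_BASE_DDL = """
CREATE TABLE IAU_BASE (
    IAU_ID              NUMBER,
    IAU_COMPONENTTYPE   VARCHAR2(255),
    IAU_INSTANCEID      VARCHAR2(255),
    IAU_SESSIONID       VARCHAR2(255),
    IAU_EVENTTYPE       VARCHAR2(255),
    IAU_EVENTCATEGORY   VARCHAR2(255),
    IAU_EVENTSTATUS     NUMBER,
    IAU_TSTZORIGINATING TIMESTAMP,
    IAU_INITIATOR       VARCHAR2(255),
    IAU_FAILURECODE     VARCHAR2(255),
    IAU_REMOTEIP        VARCHAR2(255),
    IAU_RESOURCE        VARCHAR2(255)
)
"""

SESSION = "80171355-5220-4f80-ad51-33ebf17b3a17"  # SSO session id from the post's sample

# Constructed rows: (id, event type, category, status, timestamp, session,
# initiator, failure code, remote IP, resource). Assumption: IAU_EVENTSTATUS is
# 1 for success and 0 for failure. "jdoe" and the failure code are made up.
FAILED = ("CredentialValidation", "Authentication", 0)
SAMPLE_ROWS = [
    (1, "ServerStartup", "Server", 1, "2013-01-18 11:47:30.383", None, None, None, "unknown", None),
    (2, "Login", "Server", 1, "2013-01-18 12:00:42.645", SESSION, "thiagoleoncio", None, "10.150.13.23", "/example/internal/employeeHome.html"),
    (3, "SessionValidation", "Server", 1, "2013-01-18 12:00:42.669", SESSION, "thiagoleoncio", None, "10.150.13.23", None),
    (4, "CheckAuthorization", "Authorization", 1, "2013-01-18 12:00:42.685", SESSION, "thiagoleoncio", None, "10.150.13.23", "HTTP::oam11gr2hostid::/**::"),
    (5, *FAILED, "2013-01-18 12:03:10.001", None, "jdoe", "invalid_credentials", "10.150.13.99", "/example/internal/employeeHome.html"),
    (6, *FAILED, "2013-01-18 12:03:15.412", None, "jdoe", "invalid_credentials", "10.150.13.99", "/example/internal/employeeHome.html"),
    (7, *FAILED, "2013-01-18 12:03:20.907", None, "jdoe", "invalid_credentials", "10.150.13.99", "/example/internal/employeeHome.html"),
    (8, *FAILED, "2013-01-18 12:03:25.330", None, "jdoe", "invalid_credentials", "10.150.13.99", "/example/internal/employeeHome.html"),
    (9, *FAILED, "2013-01-18 13:10:00.000", None, "jdoe", "invalid_credentials", "10.150.13.99", "/example/internal/employeeHome.html"),
    (10, "Logout", "Server", 1, "2013-01-18 12:30:00.120", SESSION, "thiagoleoncio", None, "10.150.13.23", None),
]

# Failed authentication attempts grouped by who and from where, inside a window.
FAILED_AUTH_SQL = """
SELECT IAU_INITIATOR, IAU_REMOTEIP, COUNT(*) AS failures
FROM   IAU_BASE
WHERE  IAU_COMPONENTTYPE = 'OAM'
AND    IAU_EVENTTYPE IN ('Authentication', 'CredentialValidation', 'Login')
AND    IAU_EVENTSTATUS = 0
AND    IAU_TSTZORIGINATING >= ? AND IAU_TSTZORIGINATING < ?
GROUP BY IAU_INITIATOR, IAU_REMOTEIP
HAVING COUNT(*) >= ?
ORDER BY failures DESC, IAU_INITIATOR
"""

# Everything recorded for one SSO session, in the order it happened.
SESSION_TIMELINE_SQL = """
SELECT IAU_TSTZORIGINATING, IAU_EVENTTYPE, IAU_EVENTSTATUS, IAU_RESOURCE
FROM   IAU_BASE
WHERE  IAU_SESSIONID = ?
ORDER BY IAU_TSTZORIGINATING, IAU_ID
"""


def open_sample_store():
    """Build the stand-in IAU_BASE table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(IAU_BASE_DDL)
    conn.executemany(
        "INSERT INTO IAU_BASE (IAU_ID, IAU_COMPONENTTYPE, IAU_INSTANCEID, IAU_EVENTTYPE,"
        " IAU_EVENTCATEGORY, IAU_EVENTSTATUS, IAU_TSTZORIGINATING, IAU_SESSIONID,"
        " IAU_INITIATOR, IAU_FAILURECODE, IAU_REMOTEIP, IAU_RESOURCE)"
        " VALUES (?, 'OAM', 'oam_server1', ?, ?, ?, ?, ?, ?, ?, ?, ?)",
        SAMPLE_ROWS)
    return conn


def failed_auth_by_source(conn, since, until, min_failures):
    """Return (initiator, remote IP, count) for sources with min_failures or more failed logins."""
    return conn.execute(FAILED_AUTH_SQL, (since, until, min_failures)).fetchall()


def session_timeline(conn, session_id):
    """Return (timestamp, event type, status, resource) rows for one SSO session."""
    return conn.execute(SESSION_TIMELINE_SQL, (session_id,)).fetchall()


if __name__ == "__main__":
    db = open_sample_store()
    for who, ip, n in failed_auth_by_source(db, "2013-01-18 12:00:00", "2013-01-18 13:00:00", 3):
        print("repeated failures: initiator=%s ip=%s count=%d" % (who, ip, n))
    for row in session_timeline(db, SESSION):
        print(*row)
```

The same two SQL statements run unchanged against the real audit store apart from the bind syntax; IAU_TSTZORIGINATING is a real TIMESTAMP there, so pass timestamp binds rather than the strings the SQLite stand-in compares.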

STEP 4.0)MORE AUDIT OPTIONS:
Spy tool
user:weblogicuser
pwd:

 


You can also use BI Publisher to get more types of audit reports than your own SQL analysis provides.

I hope this helps,
Thiago Leoncio.


4 comments:

  2. thanks a lot, too informative. Really helped me in configuring DB based auditing.

    thanks again

  3. Hi Thiago ,

    Can I use the same port numbers of OID for two different machines? Any help is highly appreciated.

    Regards,
    Aditya.
