This discussion is archived
1 Reply Latest reply: Feb 6, 2013 4:55 AM by fmc

Weblogic 10.3.5 - Server Lifecycle Auditing

fmc Newbie
Hi,

We're running a WebLogic 10.3.5 domain (with SOA) and received an audit requirement from our client.
What we need is to audit the following events:

- Managed Server stop/start
- Resource deployment/undeployment (datasources, jms servers, jms modules, etc...)
- Application deployment/undeployment (java and soa projects)
- Application start/stop
- Domain configuration changes (ie: changing a server port number, creating a cluster, modifying log severity, etc)

The audit records should show username, date and event that produce it.

We've configured WebLogic Auditing Provider (as described in http://docs.oracle.com/cd/E21764_01/web.1111/e13707/providers.htm#i1198787), however this provider generates really large amounts of data per day, some of the managed servers are generating 500/600 MB a day only on auditing logs. The WebLogic Administration Console does not have many options for the default audit provider, every managed server plus the admin server are writing info and we need a way to restrict what's being audited.

Is there a way to select which events should be audited? Is this the recommended method to achieve what we're looking for? How do you usually comply with a requirement like this? We've opened a case with Oracle Support but haven't received a solution yet.

We also tried activating FMW Audit Framework (http://docs.oracle.com/cd/E21764_01/core.1111/e10043/audpolicy.htm), we even configured the database store, but there are also an awful lot of entries on the tables and none of them seem to be useful for what we need.

Thanks!
  • 1. Re: Weblogic 10.3.5 - Server Lifecycle Auditing
    fmc Newbie
    Hi,
    We followed the security guide to develop Audit providers. And it seems to work just fine. But we have some problems with the events published on the audit log. We found that the following events are logged:

    Start/stop Server:
    #### Audit Record Begin <04-feb-2013 15:32:35> <Severity =SUCCESS> <<<Event Type = Invoke Configuration Audit Event><Subject = Subject: 2
    Principal = class weblogic.security.principal.WLSUserImpl("weblogic")
    Principal = class weblogic.security.principal.WLSGroupImpl("Administrators")
    <Object = com.bea:Name=soa_server1,Type=ServerLifeCycleRuntime><Operation = start><Parameters = >>> Audit Record End ####
    #### Audit Record Begin <04-feb-2013 16:24:56> <Severity =SUCCESS> <<<Event Type = Invoke Configuration Audit Event><Subject = Subject: 2
    Principal = class weblogic.security.principal.WLSUserImpl("weblogic")
    Principal = class weblogic.security.principal.WLSGroupImpl("Administrators")
    <Object = com.bea:Name=soa_server1,Type=ServerLifeCycleRuntime><Operation = forceShutdown><Parameters = >>> Audit Record End ####
    Domain Configuration create/update/delete:
    Create JMS Server / Managed server
    #### Audit Record Begin <04-feb-2013 15:51:08> <Severity =SUCCESS> <<<Event Type = Create Configuration Audit Event><Subject = Subject: 2
    Principal = class weblogic.security.principal.WLSUserImpl("weblogic")
    Principal = class weblogic.security.principal.WLSGroupImpl("Administrators")
    <Object = soa_domain:Name=JMSServer-0,Type=JMSServer>>> Audit Record End ####
    #### Audit Record Begin <04-feb-2013 15:55:49> <Severity =SUCCESS> <<<Event Type = Delete Configuration Audit Event><Subject = Subject: 2
    Principal = class weblogic.security.principal.WLSUserImpl("weblogic")
    Principal = class weblogic.security.principal.WLSGroupImpl("Administrators")
    <Object = com.bea:Name=TEST,Type=Server>>> Audit Record End ####
    Composite Start/stop:
    #### Audit Record Begin <04-feb-2013 16:09:04> <Severity =SUCCESS> <<<Event Type = Invoke Configuration Audit Event><Subject = Subject: 2
    Principal = class weblogic.security.principal.WLSUserImpl("weblogic")
    Principal = class weblogic.security.principal.WLSGroupImpl("Administrators")
    <Object = oracle.soa.config:Location=soa_server1,name=soa-infra,j2eeType=CompositeLifecycleConfig,Application=soa-infra><Operation = setCompositeState><Parameters = default/HelloWorld!1.0; on>>> Audit Record End ####
    However, the following events are not logged:

    1- Java application deploy/undeploy
    2- Java Application start/stop
    3- Composite deploy/undeploy

    For these tests, we activated the default auditor with all log levels selected, but still got no event. Does anyone know if these events are logged?
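
One way to reduce the audit log to the username, date and event the requirement asks for, as an added example (not part of the original thread and not Oracle code): a Python filter over the record layout shown in the reply above. The keep-list policy, the function names and the third sample record are assumptions.

```python
import re

# Constructed sample: the first two records follow the layout shown in the post;
# the third is made-up noise (ExampleRuntime/exampleNoisyOperation are placeholders).
SAMPLE = '''#### Audit Record Begin <04-feb-2013 15:32:35> <Severity =SUCCESS> <<<Event Type = Invoke Configuration Audit Event><Subject = Subject: 2
Principal = class weblogic.security.principal.WLSUserImpl("weblogic")
Principal = class weblogic.security.principal.WLSGroupImpl("Administrators")
<Object = com.bea:Name=soa_server1,Type=ServerLifeCycleRuntime><Operation = start><Parameters = >>> Audit Record End ####
#### Audit Record Begin <04-feb-2013 15:51:08> <Severity =SUCCESS> <<<Event Type = Create Configuration Audit Event><Subject = Subject: 2
Principal = class weblogic.security.principal.WLSUserImpl("weblogic")
Principal = class weblogic.security.principal.WLSGroupImpl("Administrators")
<Object = soa_domain:Name=JMSServer-0,Type=JMSServer>>> Audit Record End ####
#### Audit Record Begin <04-feb-2013 15:52:00> <Severity =SUCCESS> <<<Event Type = Invoke Configuration Audit Event><Subject = Subject: 2
Principal = class weblogic.security.principal.WLSUserImpl("weblogic")
Principal = class weblogic.security.principal.WLSGroupImpl("Administrators")
<Object = com.bea:Name=example,Type=ExampleRuntime><Operation = exampleNoisyOperation><Parameters = >>> Audit Record End ####
'''

RECORD = re.compile(r"#### Audit Record Begin <([^<>]+)>(.*?)Audit Record End ####", re.S)
USER = re.compile(r'WLSUserImpl\("([^"]*)"\)')
# Assumed policy: keep every create/delete event, and only these invoke operations.
KEEP_EVENTS = {"Create Configuration Audit Event", "Delete Configuration Audit Event"}
KEEP_OPERATIONS = {"start", "forceShutdown", "setCompositeState"}

def field(name, body):
    # Value of a "<name = value>" field, or None when the record has no such field.
    m = re.search(r"<%s\s*=\s*([^<>]*)>" % re.escape(name), body)
    return m.group(1).strip() if m else None

def parse_records(text):
    # Records span several lines, so split on the Begin/End markers, not on newlines.
    for when, body in RECORD.findall(text):
        yield {"when": when,
               "users": USER.findall(body),
               "event": field("Event Type", body),
               "object": field("Object", body),
               "operation": field("Operation", body)}

def required(rec):
    return rec["event"] in KEEP_EVENTS or rec["operation"] in KEEP_OPERATIONS

def audit_trail(text):
    return [r for r in parse_records(text) if required(r)]

if __name__ == "__main__":
    for r in audit_trail(SAMPLE):
        print(r["when"], ",".join(r["users"]), r["event"], r["object"], r["operation"] or "-")
```

Filtering after the fact does not reduce what the servers write, so the raw log still needs rotation and retention settings of its own.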
