Saturday, May 5, 2012

WebLogic Configuration Audit Type, how to monitor configuration changes

See also http://www.javamonamour.org/2013/02/how-to-configure-weblogic-server-to.html

Please first read the Oracle internal document "How to Configure WebLogic Server to Send a Notification When Its Configuration is Changed [ID 1377733.1]"

and also Jan's http://jvzoggel.wordpress.com/2011/09/26/weblogic-domain-audit/

It often happens that people make configuration changes to an environment and forget to let the team know.
The amount of time wasted troubleshooting because of this amounts to trillions of hours.

At the WebLogic domain level you can set "Configuration Audit Type" to one of these levels (copied and pasted from the console help):

CONFIG_CHANGE_NONE
Configuration events will neither be written to the server log or directed to the Security Audit Framework.

CONFIG_CHANGE_LOG
Configuration events will be written to the server log.

CONFIG_CHANGE_AUDIT
Configuration events will be directed to the Security Audit Framework.

CONFIG_CHANGE_LOG_AND_AUDIT
Configuration events will be written to the server log and directed to the Security Audit Framework.


What is this mysterious "Security Audit Framework"? KGB? CIA? Gestapo?
Here they tell you that AuditEvent is persisted.... where?

In Security/myrealm/Providers/Auditing create a securityEventAudit DefaultAuditor, then in "ProviderSpecific" select all events (actually you are interested in START_AUDIT). Enable all checkboxes.

Here is an explanation of the "Configuring the WebLogic Auditing Provider" story, with specific details on the Configuration Change Audit:

http://docs.oracle.com/cd/E24329_01/web.1211/e24422/providers.htm#SECMG137

"

Configuration Auditing

You can configure the Administration Server to emit log messages and generate audit events when a user changes the configuration of any resource within a domain or invokes management operations on any resource within a domain. For example, if a user disables SSL on a Managed Server in a domain, the Administration Server emits log messages. If you have enabled the WebLogic Auditing provider, it writes the audit events to an additional security log. These messages and audit events provide an audit trail of changes within a domain's configuration (configuration auditing).
The Administration Server writes configuration auditing messages to its local log file. They are not written to the domain-wide message log by default.
Note that configuration audit information is contained in Authorization Events. As a result, another approach to configuration auditing is to consume Authorization Events. Note, however, that the information in an Authorization Event tells you whether access was allowed to perform a configuration change; it does not tell you whether the configuration change actually succeeded (for instance, it might have failed because it was invalid)."




This should create a DefaultAuditRecorder.log log file, marking each event between

#### Audit Record Begin

and

Audit Record End ####


"Configuration auditing messages are identified by message IDs that fall within the range of 159900-159910."

A configuration change will generate this:

#### Audit Record Begin <13-Feb-2013 21:38:14>  <Severity =SUCCESS>  <<<Event Type = Create Configuration Audit Event><Subject = Subject: 2
 Principal = class weblogic.security.principal.WLSUserImpl("weblogic")
 Principal = class weblogic.security.principal.WLSGroupImpl("Administrators")
><Object = base_domain:Name=JMSServer-0,Type=JMSServer>>> Audit Record End ####




and every operation we do on the console is traced:

#### Audit Record Begin <13-Feb-2013 21:38:14>  <Severity =SUCCESS>  <<<Event Type = SetAttribute Configuration Audit Event><Subject = Subject: 2
 Principal = class weblogic.security.principal.WLSUserImpl("weblogic")
 Principal = class weblogic.security.principal.WLSGroupImpl("Administrators")
><Object = com.bea:Name=JMSServer-0,Type=JMSServer><Attribute = PersistentStore><From = ><To = com.bea:Name=WseeFileStore,Type=FileStore>>> Audit Record End ####


and finally when I activate configuration:

#### Audit Record Begin <13-Feb-2013 21:38:14>  <Severity =SUCCESS>  <<<Event Type = Invoke Configuration Audit Event><Subject = Subject: 2
 Principal = class weblogic.security.principal.WLSUserImpl("weblogic")
 Principal = class weblogic.security.principal.WLSGroupImpl("Administrators")
><Object = com.bea:Name=ConfigurationManager,Type=weblogic.management.mbeanservers.edit.ConfigurationManagerMBean><Operation = save><Parameters = >>> Audit Record End ####
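
To turn DefaultAuditRecorder.log into a "who changed what" list, the record format shown above can be parsed with a few regular expressions. This is an added example, not code from the original post or from Oracle; the function names are hypothetical, the sample input is the three records quoted above, and it assumes field values never contain angle brackets.

```python
import re

# Sample input: the three audit records quoted in the post (no '<' or '>' inside field values).
SAMPLE = '''#### Audit Record Begin <13-Feb-2013 21:38:14>  <Severity =SUCCESS>  <<<Event Type = Create Configuration Audit Event><Subject = Subject: 2
 Principal = class weblogic.security.principal.WLSUserImpl("weblogic")
 Principal = class weblogic.security.principal.WLSGroupImpl("Administrators")
><Object = base_domain:Name=JMSServer-0,Type=JMSServer>>> Audit Record End ####
#### Audit Record Begin <13-Feb-2013 21:38:14>  <Severity =SUCCESS>  <<<Event Type = SetAttribute Configuration Audit Event><Subject = Subject: 2
 Principal = class weblogic.security.principal.WLSUserImpl("weblogic")
 Principal = class weblogic.security.principal.WLSGroupImpl("Administrators")
><Object = com.bea:Name=JMSServer-0,Type=JMSServer><Attribute = PersistentStore><From = ><To = com.bea:Name=WseeFileStore,Type=FileStore>>> Audit Record End ####
#### Audit Record Begin <13-Feb-2013 21:38:14>  <Severity =SUCCESS>  <<<Event Type = Invoke Configuration Audit Event><Subject = Subject: 2
 Principal = class weblogic.security.principal.WLSUserImpl("weblogic")
 Principal = class weblogic.security.principal.WLSGroupImpl("Administrators")
><Object = com.bea:Name=ConfigurationManager,Type=weblogic.management.mbeanservers.edit.ConfigurationManagerMBean><Operation = save><Parameters = >>> Audit Record End ####'''

RECORD = re.compile(r"#### Audit Record Begin(.*?)Audit Record End ####", re.S)
HEAD = re.compile(r"<([^<>]+)>\s*<Severity\s*=\s*(\w+)>")
FIELD = re.compile(r"<(Event Type|Object|Attribute|From|To|Operation|Parameters) = ([^<>]*)>")
USER = re.compile(r'WLSUserImpl\("([^"]*)"\)')
GROUP = re.compile(r'WLSGroupImpl\("([^"]*)"\)')

def parse_audit_log(text):
    """Example helper: one dict per record; records may span several lines."""
    records = []
    for body in RECORD.findall(text):
        rec = {key: value.strip() for key, value in FIELD.findall(body)}
        head = HEAD.search(body)
        rec["time"], rec["severity"] = head.groups() if head else (None, None)
        rec["users"], rec["groups"] = USER.findall(body), GROUP.findall(body)
        records.append(rec)
    return records

def config_changes(records):
    """Example helper: one summary line per configuration audit event."""
    out = []
    for r in records:
        if "Configuration Audit Event" not in r.get("Event Type", ""):
            continue  # skip other event types written by the auditor
        action = r["Event Type"].replace(" Configuration Audit Event", "")
        detail = r.get("Object", "?")
        if "Attribute" in r:
            detail += f" {r['Attribute']}: {r.get('From', '')!r} -> {r.get('To', '')!r}"
        detail += f" op={r['Operation']}" if "Operation" in r else ""
        out.append(f"{r['time']} {','.join(r['users'])} {r['severity']} {action} {detail}")
    return out

if __name__ == "__main__":
    print("\n".join(config_changes(parse_audit_log(SAMPLE))))
```

The timestamp is kept as a string because its format depends on the server's locale settings.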



