Audit Activities of WebLogic Server in Enterprise Manager 13c

In Oracle Enterprise Manager 13c were introduced a nice new feature for auditing activities of Oracle WebLogic Server events.

Before you can audit your activities like Domain login, Domain logout and Domain updates, you have to enable them via a simple emcli command.

Logon to your server which is hosting your Oracle Management Server (OMS) and perform following steps:

[oracle@em13c]# emcli login -username=sysman
Enter Password:
Login successful
[oracle@em13c]# emcli update_audit_settings \
-operations_to_enable="WEBLOGIC_DOMAIN_UPDATE_INVOKE;WEBLOGIC_DOMAIN_LOGIN;WEBLOGIC_DOMAIN_LOGOUT"
Successfully updated the audit settings.

From now on all Domain login, logout and updates events will be monitored and can be inspected within Oracle Enterprise Manager 13c.

The Audit Data can be found under "Setup / Security / Audit Data"



Within the Audit Data you will find 3 main sections:

  • Search Section were you can define your searches
  • A list view of Audit Records according to your defined search
  • Audit Record Details for your marked Audit Record of the list view


For Audit Records concerning Oracle WebLogic Domain activities, you should redefine your search under the search field "Operation", so that you select only the 3 available Operations related to WebLogic Domain and afterwards click the button "Search"



Now you will see in your List View in the center just the Audit Records related to Oracle WebLogic Domain targets. When you select a Audit Record in the List View you will see below the Audit Record Details for the selected Audit Record. Here you can see different tabs:
  • General: Timestamp, Administrator, Operation Type, Status and so on
  • Client Information: Contains different client informations like browser, client IP and Session ID
  • OMS Information: Hostname and IP of the Oracle Management Server (OMS)
  • Operation Specific Information: Contains detailed informations about the underlying activity.



The Audit Record Details tab "Operation Specific Information" is quite interesting, as we can see here very detailed informations about the performed activity.
You will find here informations about the Object Name, Target Name, Target Type, Operations Type, Message, which contains in case of an update operations the MBean, Processing Time of the Operations and possible Input Parameters. In the "Input Parameters" you will find your modified values for the underlying operation, so you can track down what has been changed exactly. Really nice :-) but one thing you should consider, the Input Parameters will be displayed in plain text, even if you are changing the password within a Data Source, you can see for the corresponding Audit Record Detail in the field Input Parameters the value of your password :-( not really cool ....



But nevertheless, the Audit Data Feature for Oracle WebLogic Server is really cool :-)