Who Decommissioned My Enterprise Manager Agent?

I prefer to write blog posts about the interesting questions on OTN. This blog post is one of them. There is usually more than one EM admin managing the systems, and you may want to track other users’ activity. Enterprise Manager Cloud Control provides an auditing mechanism called “comprehensive auditing”. It’s not enabled by default for all actions because it may consume a lot of disk space.

If you want to enable it for all actions, you should use the “emcli” tool:

After you enable comprehensive auditing for all actions, you can go to “setup” >> “security” >> “audit data” to see all audited actions.

The audit data page provides filtering on audit records, so I can easily list who deleted a target from the system.

If you haven’t enabled comprehensive auditing for all actions on Enterprise Manager, auditing is enabled only for logins/logouts and infrastructure operations (such as removing the EM key from the repository, applying an update, creating a CA, etc.).

What if you haven’t enabled comprehensive auditing and someone decommissions/removes an agent from the system? In this case, you can still find who did it (or at least narrow down the possibilities) by searching the access logs of OHS (Oracle HTTP Server, installed as a part of WebLogic and EM13c).

The access logs are located in the EM_INSTANCE_BASE/user_projects/domains/GCDomain/servers/ohs1/logs/ folder. You can check my blog post about log locations of EM13c.

You may wonder which keyword to search for. If you want to find the agent decommission, try to do it on EM13c and check the URL of the page; you’ll see something like “/em/faces/agentDecommision?target=….”. The agentDecommision is the keyword we’re looking for.

When we run “grep agentDecommision access_log”, we’ll see output similar to the following:

We can easily say that the agent was decommissioned at 24/Jan/2017:23:29:28, by a Mac user whose IP is 192.168.16.225. Now we can search for logins in the audit data of EM (using the audit data page) and identify the EM user who took the action.
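The same search can be scripted so that each hit yields the client IP, time, target and browser to compare against the login records on the audit data page. The Python below is an added example, not part of the original post: it assumes access_log uses the Apache "combined" format, the function name find_decommissions is hypothetical, and the sample lines are constructed. Unlike a plain grep, it matches the keyword only in the requested path, so requests that merely carry the page in their Referer are skipped.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: OHS access_log is in Apache "combined" format
# (client IP, identity, user, [time], "request", status, bytes, "referer", "agent").
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)
KEYWORD = "agentDecommision"  # spelled exactly as in the EM13c URL

def find_decommissions(lines):
    """Return one dict per request whose path is the agent decommission page."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access log line in the assumed format
        url = urlsplit(m["url"])
        if KEYWORD not in url.path:
            continue  # keyword only in the Referer: another page's resource load
        target = parse_qs(url.query).get("target", [""])[0]  # URL-decoded
        events.append({
            "time": m["ts"], "ip": m["ip"], "method": m["method"],
            "status": int(m["status"]), "target": target,
            "agent": m["agent"] or "",
        })
    return events

# Constructed sample lines (not taken from a real EM13c system).
SAMPLE = [
    '192.0.2.25 - - [01/Feb/2017:10:15:00 +0000] "GET /em/faces/agentDecommision'
    '?target=host01.example.com%3A3872 HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2)"',
    '192.0.2.40 - - [01/Feb/2017:10:15:02 +0000] "GET /em/images/spacer.gif HTTP/1.1" '
    '200 43 "https://em.example.com/em/faces/agentDecommision?target=x" '
    '"Mozilla/5.0 (Windows NT 10.0)"',
    '192.0.2.25 - - [01/Feb/2017:10:16:30 +0000] "POST /em/faces/agentDecommision '
    'HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2)"',
]

if __name__ == "__main__":
    for e in find_decommissions(SAMPLE):
        print(e["time"], e["ip"], e["method"], e["target"] or "-", e["agent"])
```

To run it against a real log, pass an open file object for access_log to find_decommissions instead of SAMPLE.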


Gokhan Atil is a database architect who has hands-on experience with both RDBMS and NoSQL databases (Oracle, PostgreSQL, Microsoft SQL Server, Sybase IQ, MySQL, Cassandra, MongoDB and ElasticSearch), and a strong background in software development. He is certified as an Oracle Certified Professional (OCP) and was awarded Oracle ACE (in 2011) and Oracle ACE Director (in 2016) for his continuous contributions to the Oracle users community.
