Who Decommissioned My Enterprise Manager Agent?

I prefer to write blog posts about the interesting questions on OTN. This blog post is one of them. There are usually more than one EM admins managing the systems, and you may want to track other users’ activity. Enterprise Manager Cloud Control provides auditing mechanism called “comprehensive auditing”. It’s not enabled by default for all actions because it may consume a lot of disk space.

If you want to enable it for all actions, you should use “emcli” tool:

After you enable comprehensive auditing for all actions, you can go to “setup” >> “security” >> “audit data” to see all audited actions.

The audit data page, provides filtering on audit records so I can easily list who deleted a target from the system.

If you haven’t enabled comprehensive auditing for all actions on Enterprise Manager, auditing is enabled only for login/logouts and infrastructure operations (such as removing EM key from repository, applying an update, creating CA etc..).

What if you haven’t enabled comprehensive auditing and someone decommission/remove an agent from the system? In this case, you can still find who did it (at least narrow the possibilities) by searching the access logs of OHS (Oracle Httpd Server installed as a part of Weblogic and EM13c).

The access logs are located in EM_INSTANCE_BASE/user_projects/domains/GCDomain/servers/ohs1/logs/ folder. You can check my blog post about log locations of EM13c.

You may wonder which keywords you’ll search. If you want to find the agent decommission, try to do it on EM13c, check the URL of the page, you’ll see something like “/em/faces/agentDecommision?target=….”. The agentDecommision is the keyword we’re looking for.

When we run “grep agentDecommision access_log”, we’ll see an output similar to the below text:

We can easily say that the agent is decommissioned at 24/Jan/2017:23:29:28, by a Mac user whose IP is Now we can search for logins on audit data of EM (using the audit data page) and identify the EM user who took the action.

Please share

AWS Big Data Specialist. Oracle Certified Professional (OCP) for EBS R12, Oracle 10g and 11g. Co-author of "Expert Oracle Enterprise Manager 12c" book published by Apress. Awarded as Oracle ACE (in 2011) and Oracle ACE Director (in 2016) for the continuous contributions to the Oracle users community. Founding member, and vice president of Turkish Oracle User Group (TROUG). Presented at various international conferences including Oracle Open World.

Leave Comment

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.