I prefer to write blog posts about the interesting questions on OTN. This blog post is one of them. There is usually more than one EM admin managing the systems, and you may want to track other users’ activity. Enterprise Manager Cloud Control provides an auditing mechanism called “comprehensive auditing”. It’s not enabled by default for all actions because it may consume a lot of disk space.
If you want to enable it for all actions, use the “emcli” tool:
./emcli login -username=SYSMAN
After you enable comprehensive auditing for all actions, you can go to “setup” >> “security” >> “audit data” to see all audited actions.
The audit data page provides filtering on audit records, so I can easily list who deleted a target from the system.
If you haven’t enabled comprehensive auditing for all actions on Enterprise Manager, auditing is enabled only for logins/logouts and infrastructure operations (such as removing the EM key from the repository, applying an update, creating a CA, etc.).
What if you haven’t enabled comprehensive auditing and someone decommissions or removes an agent from the system? In this case, you can still find who did it (or at least narrow the possibilities) by searching the access logs of OHS (Oracle HTTP Server, installed as a part of WebLogic and EM13c).
The access logs are located in the EM_INSTANCE_BASE/user_projects/domains/GCDomain/servers/ohs1/logs/ folder. You can check my blog post about log locations of EM13c.
You may wonder which keywords to search for. If you want to find the agent decommission, try the same operation on EM13c and check the URL of the page; you’ll see something like “/em/faces/agentDecommision?target=….”. The string agentDecommision is the keyword we’re looking for.
When we run “grep agentDecommision access_log”, we’ll see output similar to the following:
grep agentDecommision access_log
access_log:192.168.16.225 - - [24/Jan/2017:23:29:28 +0300] "POST /em/faces/agentDecommision?target=xxxxx.com%3A3872&type=oracle_emd
HTTP/1.1" 200 78 [ecid: 1.005Hhnt2eRP9HfGayxzW6G0001BT001tIp;kXjE] [User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36]
We can easily say that the agent was decommissioned at 24/Jan/2017:23:29:28 by a Mac user whose IP is 192.168.16.225. Now we can search for logins in the audit data of EM (using the audit data page) and identify the EM user who took the action.
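The search and correlation described above can be scripted. The following is an added example, not code from the original post: it parses access_log entries for the agentDecommision request and lists the EM users whose logins came from the same client IP shortly before it. The (user, IP, login time) rows, the second log entry, the function names and the 12-hour window are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

LINE_RE = re.compile(  # OHS access_log entry as shown in the post (optional "file:" grep prefix)
    r'^(?:[^:\s]+:)?(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: \[ecid: (?P<ecid>[^\]]*)\])?(?: \[User-Agent: (?P<agent>.*)\])?\s*$')

def decommission_events(lines, keyword="agentDecommision"):
    """Return one dict per request whose URL path ends in /<keyword>."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        url = urlsplit(m["url"]) if m else None
        if url is None or not url.path.endswith("/" + keyword):
            continue  # unparsable line or a request for a different page
        query = parse_qs(url.query)  # also decodes %3A to ":"
        events.append({
            "ip": m["ip"], "method": m["method"], "status": int(m["status"]),
            "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "target": query.get("target", [""])[0],
            "ecid": m["ecid"], "agent": m["agent"]})
    return events

def candidate_users(event, logins, window=timedelta(hours=12)):
    """EM users who logged in from the event's IP at most `window` before it."""
    return sorted({user for user, ip, when in logins
                   if ip == event["ip"]
                   and timedelta(0) <= event["time"] - when <= window})

TZ = timezone(timedelta(hours=3))
SAMPLE_LOG = [  # first entry is the one quoted in the post; the second is constructed
    '192.168.16.225 - - [24/Jan/2017:23:29:28 +0300] "POST /em/faces/agentDecommision?target='
    'xxxxx.com%3A3872&type=oracle_emd HTTP/1.1" 200 78 [ecid: 1.005Hhnt2eRP9HfGayxzW6G0001BT001tIp;kXjE] '
    '[User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 '
    '(KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36]',
    '192.168.16.40 - - [24/Jan/2017:23:30:02 +0300] "GET /em/faces/constructed-page '
    'HTTP/1.1" 200 512 [ecid: constructed-ecid] [User-Agent: constructed]',
]
SAMPLE_LOGINS = [  # constructed (user, client IP, login time) rows, as read from the audit data page
    ("ADMIN_A", "192.168.16.225", datetime(2017, 1, 24, 22, 50, tzinfo=TZ)),
    ("ADMIN_B", "192.168.16.40", datetime(2017, 1, 24, 23, 10, tzinfo=TZ)),
    ("ADMIN_C", "192.168.16.225", datetime(2017, 1, 23, 9, 0, tzinfo=TZ)),
]
if __name__ == "__main__":
    for ev in decommission_events(SAMPLE_LOG):
        print(ev["time"].isoformat(), ev["ip"], ev["target"], candidate_users(ev, SAMPLE_LOGINS))
```

If several admins share one address, the result narrows the list rather than naming a single user.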