OBIEE Security: Usage Tracking, Logging and Auditing for SYSLOG or Splunk
Enabling OBIEE Usage Tracking and Logging is a key part of most any security strategy. More information on these topics can be found in the whitepaper references below. It is very easy to setup logging such that a centralized logging solution such as SYSLOG or Splunk can receive OBIEE activity.
Usage Tracking
Knowing who ran what report, when and with what parameters is helpful not only for performance tuning but also for security. OBIEE 11g provides a sample RPD with a Usage Tracking subject area. The subject area will report on configuration and changes to the RPD as well as configuration changes to Enterprise Manager. To start using the functionality, one of the first steps is to copy the components from the sample RPD to the production RPD.
Usage tracking can also be redirected to log files. The STORAGE_DIRECTORY setting is in the NQSConfig.INI file. This can be set if OBIEE usage logs are being sent, for example, to a centralized SYSLOG database.
The User Tracking Sample RPD can be found here:
{OBIEE_11G_Instance}/bifoundation/OracleBIServerComponent/coreapplication_obis1/sample/usagetracking
Logging
OBIEE offers standard functionality for application level logging. This logging should be considered as one component of the overall logging approach and strategy. The operating system and database(s) supporting OBIEE should be using a centralized logging solution (most likely syslog) and it is also possible to parse the OBIEE logs for syslog consolidation.
For further information on OBIEE logging refer to the Oracle Fusion Middleware System Administrator’s Guide for OBIEE 11g (part number E10541-02), chapter eight.
To configure OBIEE logging, the BI Admin client tool is used to set the overall default log level for the RPD as well as identify specific users to be logged. The log level can differ among users. No logging is possible for a role.
Logging Levels are set between zero and seven.
Level 0 - No logging
Level 1 - Logs the SQL statement issued from the client application.
Level 2 - All level 1 plus OBIEE infrastructure information and query statisics
Level 3 - All level 2 plus Cache information
Level 4 - All level 3 plus query plan execution
Level 5 - All level 4 plus intermediate row counts
Level 6 & 7 - not used
OBIEE log files
|
BI Component |
Log File |
Log File Directory |
|
OPMN |
debug.log |
|
|
OPMN |
opmn.log |
|
|
BI Server |
nqserver.log |
|
|
BI Server Query |
nquery<n>.log <n>=data and timestamp for example nqquery-20140109-2135.log |
Oracle BI Server query Log
|
|
BI Cluster Controller |
nqcluster.log |
|
|
Oracle BI Scheduler |
nqscheduler.log |
|
|
Useage Tracking |
NQAcct.yyymmdd.hhmmss.log |
STORAGE_DIRECTORY parameter in the Usage Tracking section of the NQSConfig.INI file determines the location of usage tracking logs |
|
Presentation Services |
sawlog*.log (for example, sawlog0.log) |
The configuration of this log (e.g. the writer setting to output to syslog or windows event log) is set in instanceconfig.xml |
|
BI JavaHost |
jh.log |
|
If you have questions, please contact us at info@integrigy.com
-Michael Miller, CISSP-ISSMP
References
- OBIEE Security Examined - Webinar and Presentation: OBIEE Security Examined Webinar
- OBIEE Security Examined - Whitepaper: OBIEE Security Examined
