Oracle 12c audit log in XML format on Windows server -- parsing issues

oneshow — Thu, 19 Oct 2017 15:11:41 GMT

i'm try to collect oracle 12c audit log in XML format on windows server.

i have created this monitor in oracle server and (for test in splunk server and another w12 server)

[monitor://C:\OracleLogs\Audit\*.xml]
sourcetype = oracle:audit:xml
crcSalt = <SOURCE>
index = xx.oracle

i have configured this props.conf in Splunk server:

[oracle:audit:xml]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)<AuditRecord>
TIME_PREFIX= <Extended_Timestamp>
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%6N
KV_MODE = None

If I put an XML log file in the monitored folder onto Splunk server or the other test server the collection works fine and the event are parsed correctly

But if I put the same XML file in the Oracle server the collected event are parsed line by line (i think), only in Oracle server.
the universal forwarders are the same version.

this is an example of log file:

<?xml version="1.0" encoding="UTF-8"?>
  <Audit xmlns="http://xmlns.oracle.com/oracleas/schema/dbserver_audittrail-11_2.xsd"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xsi:schemaLocation="http://xmlns.oracle.com/oracleas/schema/dbserver_audittrail-11_2.xsd">
   <Version>11.2</Version>
<AuditRecord><Audit_Type>4</Audit_Type><Session_Id>64104</Session_Id><StatementId>0</StatementId><EntryId>1</EntryId><Extended_Timestamp>2017-10-18T20:00:21.233000Z</Extended_Timestamp><DB_User>SYS</DB_User><Userhost>W2K8-ORACLE</Userhost><OS_Process>1516:3004</OS_Process><Terminal>W2K8-ORACLE</Terminal><Instance_Number>0</Instance_Number><Returncode>0</Returncode><Scn>0</Scn><OSPrivilege>NONE</OSPrivilege><DBID>1483776131</DBID>
<Sql_Text>select /*+  no_parallel(t) no_parallel_index(t) dbms_stats cursor_sharing_exact use_weak_name_resl dynamic_sampling(0) no_monitoring xmlindex_sel_idx_tbl no_substrb_pad  */ substrb(dump(&quot;STARTUP_TIME&quot;,16,0,64),1,240) val, 
                      rowidtochar(rowid) rwid from &quot;SYS&quot;.&quot;WRM$_PDB_INSTANCE&quot; t where rowid in (chartorowid(&apos;AAACIEAADAAACCMAAA&apos;),chartorowid(&apos;AAACIEAADAAACCNAAB&apos;)) order by &quot;STARTUP_TIME&quot;</Sql_Text>
</AuditRecord>
<AuditRecord><Audit_Type>4</Audit_Type><Session_Id>64104</Session_Id><StatementId>0</StatementId><EntryId>2</EntryId><Extended_Timestamp>2017-10-18T20:00:21.264000Z</Extended_Timestamp><DB_User>SYS</DB_User><Userhost>W2K8-ORACLE</Userhost><OS_Process>1516:3004</OS_Process><Terminal>W2K8-ORACLE</Terminal><Instance_Number>0</Instance_Number><Returncode>0</Returncode><Scn>0</Scn><OSPrivilege>NONE</OSPrivilege><DBID>1483776131</DBID>
<Sql_Text>select /*+  no_parallel(t) no_parallel_index(t) dbms_stats cursor_sharing_exact use_weak_name_resl dynamic_sampling(0) no_monitoring xmlindex_sel_idx_tbl no_substrb_pad  */ substrb(dump(&quot;STARTUP_TIME&quot;,16,0,64),1,240) val, 
                      rowidtochar(rowid) rwid from &quot;SYS&quot;.&quot;WRM$_PDB_INSTANCE&quot; t where rowid in (chartorowid(&apos;AAACIEAADAAACCMAAA&apos;),chartorowid(&apos;AAACIEAADAAACCNAAB&apos;)) order by &quot;STARTUP_TIME&quot;</Sql_Text>
</AuditRecord>
<AuditRecord><Audit_Type>4</Audit_Type><Session_Id>64104</Session_Id><StatementId>0</StatementId><EntryId>3</EntryId><Extended_Timestamp>2017-10-18T20:00:24.772000Z</Extended_Timestamp><DB_User>SYS</DB_User><Userhost>W2K8-ORACLE</Userhost><OS_Process>1516:3004</OS_Process><Terminal>W2K8-ORACLE</Terminal><Instance_Number>0</Instance_Number><Returncode>0</Returncode><Scn>0</Scn><OSPrivilege>NONE</OSPrivilege><DBID>1483776131</DBID>
<Sql_Text>select /*+  no_parallel(t) no_parallel_index(t) dbms_stats cursor_sharing_exact use_weak_name_resl dynamic_sampling(0) no_monitoring xmlindex_sel_idx_tbl no_substrb_pad  */ substrb(dump(&quot;STARTUP_TIME&quot;,16,0,64),1,240) val, 
                      rowidtochar(rowid) rwid from &quot;SYS&quot;.&quot;WRM$_DATABASE_INSTANCE&quot; t where rowid in (chartorowid(&apos;AAACH0AADAAACALAAA&apos;),chartorowid(&apos;AAACH0AADAAACALAAB&apos;),chartorowid(&apos;AAACH0AADAAACALAAC&apos;)) order by &quot;STARTUP_TIME&quot;</Sql_Text>
</AuditRecord>
</Audit>

Why I have two different situation with the same configuration?
Thanks at all

Re: Oracle 12c audit log in XML format on Windows server -- parsing issues

gjanders — Sat, 21 Oct 2017 12:15:49 GMT

The props.conf related to SHOULD_LINEMERGE will apply on the first heavy forwarder or indexer that receives the data (at this point the data will be cooked).

Is the server ingesting the Oracle logs a universal forwarder? And is the props.conf settings configured on the indexer/heavy forwarder that it sends the data to?

If you don't see the logs on the indexer with the same sourcetype you expect you may wish to run (in a command prompt and admin):

splunk btool inputs list --debug

To confirm the sourcetype is been set correctly for the logs...

Re: Oracle 12c audit log in XML format on Windows server -- parsing issues

htidore — Mon, 15 Jul 2019 09:46:51 GMT

How did you solve this problem?

topic Re: Oracle 12c audit log in XML format on Windows server -- parsing issues in Dashboards & Visualizations

Oracle 12c audit log in XML format on Windows server -- parsing issues

Re: Oracle 12c audit log in XML format on Windows server -- parsing issues

Re: Oracle 12c audit log in XML format on Windows server -- parsing issues