All Apps and Add-ons

DB Connect Does Not Connect to Oracle Audit Vault


I am setting up a connection from our Splunk test instance (single server, v7.1.2) so that I can use DB Connect (v3.1.3) to pull data from Oracle Audit Vault (OAV). We've created an account in OAV for this and we can log into OAV using that account. I have configured DB Connect to use that same account as the Identity but when I try to save the configuration for the connection string (Configuration > Connection > Settings) with the correct host name, port and database. I've tried using both "Oracle" and "Oracle Service" as the connection type.

Splunk Answers provided several references to other Oracle issues and one did seem like mine -- Splunk DB Connect: How to connect to Oracle DB? I tried what was suggested but it too did not work.

No matter what I try, I get the following error message:

Database connection OAV is invalid
IO Error: The Network Adapter could not establish the connection

There is nothing more in the Splunk logs about this than this same message and the call to get the Identity info. We have not found any error messages (yet) in the Oracle logs. The only thing I can think of that is causing this is:

  1. There is a firewall between our Splunk server and the OAV server. We're checking on that.
  2. For some reason, the network adapter is rejecting our requests. Not sure how that would happen, but it was suggested by another team member. IDK

Has anyone experienced something like this and what was done to resolve the issue? Does anyone have any suggestions of what else to look for or other considerations that we have overlooked?

0 Karma

Path Finder

Hello @RickCurry 
I have the same problem. Were you able to resolve the integration of Audit Vault logs with Splunk?



0 Karma


Yes and it was a combination of things.  First was using the correct port and selecting the correct connection type (Oracle Service). The DBA also had to make a change on the DB side to allow DB Connect to open a connection. Specifically what was done I do not have available. Your local DBA can likely figure that out. I believe a change was needed for the Listener service.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 2 releases of new security content via the ...

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We are happy to announce the 20 lucky questers who are selected to be the first round of Champion's Tribute ...

We’ve Got Education Validation!

Are you feeling it? All the career-boosting benefits of up-skilling with Splunk? It’s not just a feeling, it's ...