
Oracle XE 10.2 event logs do not match the current extract pattern

abarbieri
New Member

Hello Balazs,

I am trying to use your app to analyze syslog events generated by Oracle XE 10.2. I believe the extract pattern in props.conf seems not to be able to cope (i.e. no results generated by a query index="oracleaudit" | top oracle_actionname) with payloads like the following two examples:


<134>Jan  5 14:37:57 localhost Oracle Audit[9261]: ACTION : 'ALTER DATABASE OPEN'#012DATABASE USER: '/'#012PRIVILEGE : SYSDBA#012CLIENT USER: oracle#012CLIENT TERMINAL: #012STATUS: 0

<134>Jan  5 14:37:49 localhost Oracle Audit[9255]: ACTION : 'SELECT DECODE(null,'','Total System Global Area','') NAME_COL_PLUS_SHOW_SGA,   SUM(VALUE), DECODE (null,'', 'bytes','') units_col_plus_show_sga FROM V$SGA    UNION ALL    SELECT NAME NAME_COL_PLUS_SHOW_SGA , VALUE,    DECODE (null,'', 'bytes','') units_col_plus_show_sga FROM V$SGA'#012DATABASE USER: '/'#012PRIVILEGE : SYSDBA#012CLIENT USER: oracle#012CLIENT TERMINAL: #012STATUS: 0

Using the simple query index="oracleaudit" does return the expected events.

Any insight?

Thanks,
andrea

0 Karma
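Added example, not part of the thread and not the app's own props.conf: a Python sketch of how the payload format quoted in the question can be split into fields, useful for testing an extraction before turning it into a Splunk pattern. The "#012" sequences are the syslog daemon's escape for a newline (octal 012). The function name parse_audit is hypothetical, the label list is taken only from the two events quoted above, and SAMPLE_2 is a constructed, shortened variant of the second event with a line break inside the SQL text.

```python
import re

# Field labels seen in the two events quoted in the question (assumed complete).
KEYS = ("ACTION", "DATABASE USER", "PRIVILEGE", "CLIENT USER", "CLIENT TERMINAL", "STATUS")
HEADER = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>[A-Z][a-z]{2}\s+\d+ [\d:]{8}) (?P<host>\S+) "
    r"Oracle Audit\[(?P<pid>\d+)\]: (?P<body>.*)$", re.S)
FIELD = re.compile(r"^(%s)\s*:\s*(.*)$" % "|".join(KEYS), re.S)


def parse_audit(line):
    """Return header and audit fields as a dict, or None for non-audit lines."""
    m = HEADER.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    event = {"facility": pri // 8, "severity": pri % 8,
             "timestamp": m["ts"], "host": m["host"], "pid": int(m["pid"])}
    last = None
    # Each newline of the audit record arrives as the escape "#012".
    for part in m["body"].split("#012"):
        f = FIELD.match(part)
        if f:
            last = f[1]
            event[last] = f[2]
        elif last is not None:
            # No known label: continuation of a multi-line value such as SQL text.
            event[last] += "\n" + part
    for key in KEYS:
        if key in event:
            value = event[key].strip()
            # Drop only the outermost quote pair; quotes inside the SQL stay.
            if len(value) >= 2 and value[0] == value[-1] == "'":
                value = value[1:-1]
            event[key] = value
    return event


# First event, copied from the question.
SAMPLE_1 = ("<134>Jan  5 14:37:57 localhost Oracle Audit[9261]: ACTION : 'ALTER DATABASE OPEN'"
            "#012DATABASE USER: '/'#012PRIVILEGE : SYSDBA#012CLIENT USER: oracle"
            "#012CLIENT TERMINAL: #012STATUS: 0")
# Constructed: shortened second event with embedded quotes and a line break in the SQL.
SAMPLE_2 = ("<134>Jan  5 14:37:49 localhost Oracle Audit[9255]: ACTION : "
            "'SELECT DECODE(null,'','bytes','') units#012FROM V$SGA'#012DATABASE USER: '/'"
            "#012PRIVILEGE : SYSDBA#012CLIENT USER: oracle#012CLIENT TERMINAL: #012STATUS: 0")
```

A pattern that captures ACTION as the text between the first pair of single quotes stops at the first embedded quote in SAMPLE_2; anchoring on the next known label avoids that.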

bvamos
Explorer

This version of Oracle is not yet supported. I'll take a look at it and put it on my roadmap...

0 Karma

abarbieri
New Member

I just realised I should have used 'Review' rather than 'Ask a Question' for the Oracle Audit Trail app.

0 Karma