All Apps and Add-ons

Sending audit log data to Splunk from PL/SQL

mdmartinez
New Member

We have been tasked with obtaining audit log data from a vendor's cloud hosted application via a web service call. We have written Oracle PL/SQL to obtain the data and parse it. We now need a strategy for getting this data into a Splunk Enterprise instance. How can this be done in the simplest, most secure way with as few additional software add ins or components possible? We are looking into DB Connect and Universal Forwarder but need to be able to call the forwarder from PL/SQL or Linux based process or make the data available for Splunk Enterprise to come for it in tables or files via an automated process.

0 Karma

altink
Contributor

Hi @mdmartinez 

To send Data from Oracle (PL/SQL) to Splunk, in "push" mode, and with no third parties involved, on the Splunk side use Splunk TCP Data Input.

https://docs.splunk.com/Documentation/Splunk/8.2.3/Data/Monitornetworkports 

On the Oracle side (PL/SQL script or package/procedure) use Oracle package UTL_TCP. This package can be used to connect and write Oracle data to Splunk using Splunk's TCP Data Input.

https://docs.oracle.com/en/database/oracle/oracle-database/19/arpls/UTL_TCP.html#GUID-348AFFE8-78B2-... 

At UTL_TCP the following subprograms are needed:

utl_tcp.open_connection
utl_tcp.write_line
utl_tcp.write_text
utl_tcp.close_connection

The Oracle "push" PL/SQL code logic can be implemented as PACKAGE/PROCEDURE that is called by an Oracle scheduler job.  Must also take care for persisting the last processed value of the rising column (concept remains valid the same as for DB Connect).

regards
Altin

0 Karma

anmolpatel
Builder

If the data is stored in an Oracle DB, DB Connect is the best option and you will not be needing a UF, as you would install DB connect on a Heavy Forwarder instance (preferred) or indexer and retrieve the data. See this document
https://docs.splunk.com/Documentation/DBX/3.2.0/DeployDBX/Installdatabasedrivers#Oracle

If the data is written to a file, you can setup a UF and modify the inputs.conf and outputs.conf.
- in the inputs, you specify a monitor stanza with the right sourcetype
- in the outputs, you specify the necessary certs and credentials to forward the data securely to the Splunk Indexer(s)

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...