We have been tasked with obtaining audit log data from a vendor's cloud hosted application via a web service call. We have written Oracle PL/SQL to obtain the data and parse it. We now need a strategy for getting this data into a Splunk Enterprise instance. How can this be done in the simplest, most secure way with as few additional software add ins or components possible? We are looking into DB Connect and Universal Forwarder but need to be able to call the forwarder from PL/SQL or Linux based process or make the data available for Splunk Enterprise to come for it in tables or files via an automated process.
To send Data from Oracle (PL/SQL) to Splunk, in "push" mode, and with no third parties involved, on the Splunk side use Splunk TCP Data Input.
On the Oracle side (PL/SQL script or package/procedure) use Oracle package UTL_TCP. This package can be used to connect and write Oracle data to Splunk using Splunk's TCP Data Input.
At UTL_TCP the following subprograms are needed:
The Oracle "push" PL/SQL code logic can be implemented as PACKAGE/PROCEDURE that is called by an Oracle scheduler job. Must also take care for persisting the last processed value of the rising column (concept remains valid the same as for DB Connect).
If the data is stored in an Oracle DB, DB Connect is the best option and you will not be needing a UF, as you would install DB connect on a Heavy Forwarder instance (preferred) or indexer and retrieve the data. See this document
If the data is written to a file, you can setup a UF and modify the inputs.conf and outputs.conf.
- in the inputs, you specify a monitor stanza with the right sourcetype
- in the outputs, you specify the necessary certs and credentials to forward the data securely to the Splunk Indexer(s)