Oracle Audit Trail installed.
I keep getting the below error in my searches.
The oracle_actions.csv can be found as below:
[root@CACTI lookups]# ll
total 8
-rw------- 1 root root 4499 Jul 9 11:14 oracle_actions.csv
[root@CACTI lookups]# pwd
/splunk/etc/apps/oracleaudit/lookups
props.conf
[root@CACTI default]# cat props.conf
[syslog]
TRANSFORMS-sourcetype = sourcetype_to_oracle_syslog
[oracle_syslog]
EXTRACT-oracle_key_value_pair = (?i)(?<_KEY_1>\S+):\[\d+\]\s+"(?<_VAL_1>[^"]+)"
LOOKUP-action = oracle_actions ACTION OUTPUT oracle_actionname, oracle_eventtype, oracle_eventclass
[oracle_key_value-pair]
transforms.conf
[root@CACTI default]# cat transforms.conf
[sourcetype_to_oracle_syslog]
SOURCE_KEY = _raw
DEST_KEY = MetaData:Sourcetype
REGEX = Audit\[\d+\]: LENGTH\s+:\s+\'\d+\'\s+ACTION\s+:\[\d+\]\s+
FORMAT = sourcetype::oracle_syslog
[oracle_actions]
filename = oracle_actions.csv
max_matches = 1
min_matches = 1
I read the link but it is not for me.
How can I solve this issue?
The lookup table 'oracle_actions' does not exist. It is referenced by configuration 'oracle_syslog'.
I got it by myself.
You need to change a little.
Manager » Lookups » Lookup table files
Find out "Oracle Audit"
Set oracle_actions.csv "sharing=Global"
I will get it.
On Oracle 10G, you need to activate audit in the DB by yourself.
On Oracle 11G, audit has been activated by default.
Good Luck!
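The "sharing=Global" setting in the answer above is stored as `export = system` in the app's metadata/local.meta. As an added example (not part of the original thread or the app's own code), this Python check reports every file-based lookup in transforms.conf whose CSV is not exported globally; the metadata samples are constructed, and the object, type, `[]` fallback order is a simplified model of Splunk's metadata inheritance.

```python
import re

def parse_conf(text):
    """Parse Splunk .conf/.meta text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def export_of(meta, obj_type, name):
    """Most specific stanza wins: object, then object type, then []."""
    for stanza in (f"{obj_type}/{name}", obj_type, ""):
        if "export" in meta.get(stanza, {}):
            return meta[stanza]["export"]
    return "none"

def unshared_lookups(transforms_text, meta_text):
    """Return (stanza, filename) for lookups whose CSV is app-private."""
    meta = parse_conf(meta_text)
    return [(stanza, keys["filename"])
            for stanza, keys in parse_conf(transforms_text).items()
            if "filename" in keys
            and export_of(meta, "lookups", keys["filename"]) != "system"]

# transforms.conf stanzas as posted in the thread (REGEX line omitted)
TRANSFORMS = """[sourcetype_to_oracle_syslog]
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::oracle_syslog
[oracle_actions]
filename = oracle_actions.csv
"""
# Constructed metadata: before and after setting sharing to Global
META_BEFORE = "[]\naccess = read : [ * ], write : [ admin ]\n"
META_AFTER = META_BEFORE + "[lookups/oracle_actions.csv]\nexport = system\n"

if __name__ == "__main__":
    print("before:", unshared_lookups(TRANSFORMS, META_BEFORE))
    print("after: ", unshared_lookups(TRANSFORMS, META_AFTER))
```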
Hi Xuanyun, I have the same problem as you. Can you tell me how you removed the error you were getting?
Sorry
It may be an error of Oracle Audit Trail, not Splunk for Oracle Weblogic Server.
Thank you anshu! I have waited for you for a long time. It is that I see a red row message displaying "The lookup table 'oracle_actions' does not exist. It is referenced by configuration 'oracle_syslog'." on top when I installed Weblogic apps. What can I do about the red message?
i've tagged your question with the tag for the app i think you're talking about. this will notify the app's owner of your question.