
What are the best practices to index Oracle database Audit Logs(.xml)?

A_Aswin
Engager

We are trying to index Oracle database audit logs, which are in .xml format, in Splunk. The docs section suggests it can be done through the Splunk universal forwarder and DB Connect. But we're unable to see any templates in DB Connect to query audit logs. We can see templates only for unified audit logs.

We are using DB Connect 3.1.3 with the Oracle add-on 3.7.0.

Is it possible to fetch logs through DB Connect or should we be using universal forwarders?

0 Karma
1 Solution

koshyk
Super Champion

Using a UF you cannot collect data from databases.

You can use two approaches:
1. Collect directly from your Splunk Enterprise (Heavy Forwarder or standalone SH or SH cluster) using DB Connect. I prefer the HF.
2. Ask your Oracle DBA to dump the logs onto the DB server in xml/json/csv format. Then the UF can pick up these logs and send them to your Splunk Enterprise installation.

Both approaches have pros & cons:
1) The issue with DB Connect is that, in large organisations, additional ports/firewall requests are required. It may also require a read-only user per database, depending on how strict your organisation is. Also, if the table is altered, your team needs to be part of those discussions. Hard to convince in some organisations. The advantage is that the add-on has the logic to collect exactly what you need.
2) Dumping logs gives the responsibility completely to your Oracle DBA or application SME (you could give them the SQL logic from the add-on). But you need to tell them the format you require, the file permissions, etc. The greatest advantage is that the SME can put any application-specific tables into the files as well, so you don't have to bother with application-specific tables.


A_Aswin
Engager

Thanks koshyk. We have the audit files in .xml format now. Do we have any generic queries that can be used in DB Connect to read the files regularly?

0 Karma

koshyk
Super Champion

If you have data in .xml format, you can install a UF on the SQL server and the UF can send it to your Splunk master servers. This is very simple. After you get the XML, please compare it with the sample data in "Splunk_TA_oracle" (oracle_xml_audit). If both are the same, you are lucky 🙂

The extractions are all present in Splunk_TA_oracle. Just set the sourcetype to [oracle:audit:xml].
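For the file-based approach discussed in this thread (the DBA writes XML audit files to the DB server and a UF monitors them), here is an added example inputs.conf for the UF. It is not from the thread or from the Splunk_TA_oracle add-on; the adump path and the index name are assumptions to replace with your own.

```ini
# Added example (not from the thread or Splunk_TA_oracle): UF inputs.conf
# stanza for picking up Oracle XML audit trail files.
# Path and index name are assumptions; adjust for your environment.

# Oracle writes XML audit trail files to AUDIT_FILE_DEST, commonly
# $ORACLE_BASE/admin/<SID>/adump. The user the UF runs as needs read
# access to this directory and to the files the DBA dumps there.
[monitor:///u01/app/oracle/admin/ORCL/adump/*.xml]
# Sourcetype defined by Splunk_TA_oracle, so its extractions apply at search time
sourcetype = oracle:audit:xml
# Dedicated index so access to database audit data can be restricted by role
index = oracle_audit
# Rotated audit files start with near-identical headers; salting the CRC with
# the file path stops a new file being mistaken for one already indexed
crcSalt = <SOURCE>
# On first start, skip files older than 30 days rather than back-filling history
ignoreOlderThan = 30d
disabled = 0
```

The UF only forwards raw data, so the add-on itself (with its props.conf for oracle:audit:xml) has to be installed on the indexers or heavy forwarder that parse the events and on the search heads that extract fields.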
