All Apps and Add-ons

What are the best practices to index Oracle database Audit Logs(.xml)?

Engager

We are trying to index oracle database Audit Logs which is in .xml format in splunk. The docs section suggests it can be done through splunk universal forwarder and DB connect. But we're unable to see any templates in DB connect to query audit logs. We can see templates only for unified audit logs.

We are using DB Connect 3.1.3 with oracle add-on 3.7.0.

Is it possible to fetch logs through DB Connect or should we be using universal forwarders?

0 Karma
1 Solution

Super Champion

Using UF you cannot collect data from Databases.

You can use two approaches
1. Collect directly from your Splunk Enterprise (Heavy Forwarder or Standalone SH or SH Cluster) using DBConnect. I prefer HF
2. Ask your Oracle DBA to dump the logs into the DB server in xml/json/csv format. Then the UF can pick these logs and send to your Splunk Enterprise Installation.

Both approach have pros & cons
1) Issue with DBconnect is, in large organisations other Ports/Firewall requests are required. Also may require read-only user per Database depending on how strict your organisation is. Also if the Table is altered your team needs to be part of those discussions. Hard to convince in some organisations. Advantage is, the ADDON has the logic to collect exactly as you need.
2) Dumping logs gives the responsibility completely to your Oracle DBA or application SME (You could give the SQL logic from the addon). But you need to tell them the format you require and permissions of file etc. The greatest advantage is SME can put any application specific Tables also into the files, so you don't have to bother with application specific tables.

View solution in original post

Super Champion

Using UF you cannot collect data from Databases.

You can use two approaches
1. Collect directly from your Splunk Enterprise (Heavy Forwarder or Standalone SH or SH Cluster) using DBConnect. I prefer HF
2. Ask your Oracle DBA to dump the logs into the DB server in xml/json/csv format. Then the UF can pick these logs and send to your Splunk Enterprise Installation.

Both approach have pros & cons
1) Issue with DBconnect is, in large organisations other Ports/Firewall requests are required. Also may require read-only user per Database depending on how strict your organisation is. Also if the Table is altered your team needs to be part of those discussions. Hard to convince in some organisations. Advantage is, the ADDON has the logic to collect exactly as you need.
2) Dumping logs gives the responsibility completely to your Oracle DBA or application SME (You could give the SQL logic from the addon). But you need to tell them the format you require and permissions of file etc. The greatest advantage is SME can put any application specific Tables also into the files, so you don't have to bother with application specific tables.

View solution in original post

Engager

Thanks Koshyk, We have the audit files in .xml format now. Do we have any generic queries that can be used in DB Connect to read the files regularly.

0 Karma

Super Champion

if you have data in .xml format, you can install UF in the SQL server and UF can send it to your Splunk Master servers. This is very simple. After you get the XML, please compare this with the sample data in "Splunk_TA_oracle" (oracle_xml_audit). If both are same, you are lucky 🙂

The extractions are all present in the Splunk_TA_oracle. Just put the sourcetype to:[oracle:audit:xml]

State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!