Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Dashboards & Visualizations
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Oracle 12c audit log in XML format on Windows serv...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Oracle 12c audit log in XML format on Windows server -- parsing issues
oneshow
Engager
10-19-2017
08:11 AM
i'm try to collect oracle 12c audit log in XML format on windows server.
i have created this monitor in oracle server and (for test in splunk server and another w12 server)
[monitor://C:\OracleLogs\Audit\*.xml]
sourcetype = oracle:audit:xml
crcSalt = <SOURCE>
index = xx.oracle
i have configured this props.conf in Splunk server:
[oracle:audit:xml]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)<AuditRecord>
TIME_PREFIX= <Extended_Timestamp>
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%6N
KV_MODE = None
If I put an XML log file in the monitored folder onto Splunk server or the other test server the collection works fine and the event are parsed correctly
But if I put the same XML file in the Oracle server the collected event are parsed line by line (i think), only in Oracle server.
the universal forwarders are the same version.
this is an example of log file:
<?xml version="1.0" encoding="UTF-8"?>
<Audit xmlns="http://xmlns.oracle.com/oracleas/schema/dbserver_audittrail-11_2.xsd"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.oracle.com/oracleas/schema/dbserver_audittrail-11_2.xsd">
<Version>11.2</Version>
<AuditRecord><Audit_Type>4</Audit_Type><Session_Id>64104</Session_Id><StatementId>0</StatementId><EntryId>1</EntryId><Extended_Timestamp>2017-10-18T20:00:21.233000Z</Extended_Timestamp><DB_User>SYS</DB_User><Userhost>W2K8-ORACLE</Userhost><OS_Process>1516:3004</OS_Process><Terminal>W2K8-ORACLE</Terminal><Instance_Number>0</Instance_Number><Returncode>0</Returncode><Scn>0</Scn><OSPrivilege>NONE</OSPrivilege><DBID>1483776131</DBID>
<Sql_Text>select /*+ no_parallel(t) no_parallel_index(t) dbms_stats cursor_sharing_exact use_weak_name_resl dynamic_sampling(0) no_monitoring xmlindex_sel_idx_tbl no_substrb_pad */ substrb(dump("STARTUP_TIME",16,0,64),1,240) val,
rowidtochar(rowid) rwid from "SYS"."WRM$_PDB_INSTANCE" t where rowid in (chartorowid('AAACIEAADAAACCMAAA'),chartorowid('AAACIEAADAAACCNAAB')) order by "STARTUP_TIME"</Sql_Text>
</AuditRecord>
<AuditRecord><Audit_Type>4</Audit_Type><Session_Id>64104</Session_Id><StatementId>0</StatementId><EntryId>2</EntryId><Extended_Timestamp>2017-10-18T20:00:21.264000Z</Extended_Timestamp><DB_User>SYS</DB_User><Userhost>W2K8-ORACLE</Userhost><OS_Process>1516:3004</OS_Process><Terminal>W2K8-ORACLE</Terminal><Instance_Number>0</Instance_Number><Returncode>0</Returncode><Scn>0</Scn><OSPrivilege>NONE</OSPrivilege><DBID>1483776131</DBID>
<Sql_Text>select /*+ no_parallel(t) no_parallel_index(t) dbms_stats cursor_sharing_exact use_weak_name_resl dynamic_sampling(0) no_monitoring xmlindex_sel_idx_tbl no_substrb_pad */ substrb(dump("STARTUP_TIME",16,0,64),1,240) val,
rowidtochar(rowid) rwid from "SYS"."WRM$_PDB_INSTANCE" t where rowid in (chartorowid('AAACIEAADAAACCMAAA'),chartorowid('AAACIEAADAAACCNAAB')) order by "STARTUP_TIME"</Sql_Text>
</AuditRecord>
<AuditRecord><Audit_Type>4</Audit_Type><Session_Id>64104</Session_Id><StatementId>0</StatementId><EntryId>3</EntryId><Extended_Timestamp>2017-10-18T20:00:24.772000Z</Extended_Timestamp><DB_User>SYS</DB_User><Userhost>W2K8-ORACLE</Userhost><OS_Process>1516:3004</OS_Process><Terminal>W2K8-ORACLE</Terminal><Instance_Number>0</Instance_Number><Returncode>0</Returncode><Scn>0</Scn><OSPrivilege>NONE</OSPrivilege><DBID>1483776131</DBID>
<Sql_Text>select /*+ no_parallel(t) no_parallel_index(t) dbms_stats cursor_sharing_exact use_weak_name_resl dynamic_sampling(0) no_monitoring xmlindex_sel_idx_tbl no_substrb_pad */ substrb(dump("STARTUP_TIME",16,0,64),1,240) val,
rowidtochar(rowid) rwid from "SYS"."WRM$_DATABASE_INSTANCE" t where rowid in (chartorowid('AAACH0AADAAACALAAA'),chartorowid('AAACH0AADAAACALAAB'),chartorowid('AAACH0AADAAACALAAC')) order by "STARTUP_TIME"</Sql_Text>
</AuditRecord>
</Audit>
Why I have two different situation with the same configuration?
Thanks at all
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
htidore
Path Finder
07-15-2019
02:46 AM
How did you solve this problem?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
gjanders
SplunkTrust
10-21-2017
05:15 AM
The props.conf related to SHOULD_LINEMERGE will apply on the first heavy forwarder or indexer that receives the data (at this point the data will be cooked).
Is the server ingesting the Oracle logs a universal forwarder? And is the props.conf settings configured on the indexer/heavy forwarder that it sends the data to?
If you don't see the logs on the indexer with the same sourcetype you expect you may wish to run (in a command prompt and admin):
splunk btool inputs list --debug
To confirm the sourcetype is been set correctly for the logs...
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Get Updates on the Splunk Community!
Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform
Are you ready to revolutionize your IT operations? As digital transformation accelerates, the demand for ...
Calling All Security Pros: Ready to Race Through Boston?
Hey Splunkers,
.conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...
Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...
Financial services organizations face an impossible equation: maintain 99.9% uptime for mission-critical ...
