Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to set up a Query in Splunk to monitor Oracle database activity for users connecting to a database as SYSDBA?

jmyrand
New Member
‎04-19-2018 10:50 PM

Logs have already been forwarded to syslog.

I started with this query: 

index=syslog sourcetype=syslog (host="masked for security") NOT "CLIENT TERMINAL:[0]" "DBID" "SYSDBA"

which returned the following event:

<140>Apr 18 14:42:23 (host name masked for security) Audit[41355908]: LENGTH : '158' ACTION :[6] 'COMMIT' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'oracle' CLIENT TERMINAL:[5] 'pts/6' STATUS:[1] '0' DBID:[10] '3032765733'

Is there a way to run a correlation search to match the username to the DATABASE USER?

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

New This Month - Observability Updates Give Extended Visibility and Improve User ...

This month is a collection of special news! From Magic Quadrant updates to AppDynamics integrations to ...

Intro to Splunk Synthetic Monitoring

In our last post, we mentioned that the 3 key pieces of observability – metrics, logs, and traces – provide ...