Getting Data In

How to set up a Query in Splunk to monitor Oracle database activity for users connecting to a database as SYSDBA?

New Member

Logs have already been forwarded to syslog.

I started with this query:

index=syslog sourcetype=syslog (host="masked for security") NOT "CLIENT TERMINAL:[0]" "DBID" "SYSDBA"

which returned the following event:

<140>Apr 18 14:42:23 (host name masked for security) Audit[41355908]: LENGTH : '158' ACTION :[6] 'COMMIT' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'oracle' CLIENT TERMINAL:[5] 'pts/6' STATUS:[1] '0' DBID:[10] '3032765733' 

Is there a way to run a correlation search to match the username to the DATABASE USER?

0 Karma