Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Pulling Oracle Fine-Grained Audit logs from Oracle Database via DBConnect

adnankhan5133
Communicator
‎07-21-2020 06:07 AM

We are planning to ingest Oracle standard auditing and FGA logs (both stored in Oracle DB tables) via DBConnect into Splunk. Does anyone here know if Splunk updates the DBA_AUDIT_MGMT_LAST_ARCH_TS value for the audit trails after it collects the data? This value is a timestamp tells the source Oracle database that the audit data has been collected by the external tool, and allows the DBA's to know that the audit logs have been collected from the database. In turn, this let's the database purge jobs execute and delete the audit data from the database since it has already been collected by Splunk.

Labels (1)
Labels
0 Karma
Reply

altink
Builder
‎01-21-2022 09:31 AM

I do not think that Splunk will update the LAST_ARCHIVE_TIMESTAMP - not by itself.

However, in the doc Splunk says that it does support calling a procedure of an Oracle Database
https://docs.splunk.com/Documentation/DBX/3.7.0/DeployDBX/Commands

But I do not know if its only the case of procedures returning events as cursor to be pulled by DB Connect, or even the (your) case of a procedure just doing some actions and returning no rows.
If the second is true, I guess that calling

DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(
audit_trail_type IN PLS_INTEGER,
last_archive_time IN TIMESTAMP,
rac_instance_number IN PLS_INTEGER DEFAULT NULL,
container IN PLS_INTEGER DEFAULT CONTAINER_CURRENT,
database_id IN NUMBER DEFAULT NULL,
container_guid IN VARCHAR2 DEFAULT NULL);

https://docs.oracle.com/en/database/oracle/oracle-database/19/arpls/DBMS_AUDIT_MGMT.html#GUID-75EE6B...

... will set the right timestamp

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with William Searle

The Splunk Guy: A Developer’s Path from Web to Cloud William is a Splunk Professional Services Consultant with ...

Major Splunk Upgrade – Prepare your Environment for Splunk 10 Now!

Attention App Developers: Test Your Apps with the Splunk 10.0 Beta and Ensure Compatibility Before the ...

Stay Connected: Your Guide to June Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...
Top