Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Pulling Oracle Fine-Grained Audit logs from Oracle Database via DBConnect

adnankhan5133
Communicator
‎07-21-2020 06:07 AM

We are planning to ingest Oracle standard auditing and FGA logs (both stored in Oracle DB tables) via DBConnect into Splunk. Does anyone here know if Splunk updates the DBA_AUDIT_MGMT_LAST_ARCH_TS value for the audit trails after it collects the data? This value is a timestamp tells the source Oracle database that the audit data has been collected by the external tool, and allows the DBA's to know that the audit logs have been collected from the database. In turn, this let's the database purge jobs execute and delete the audit data from the database since it has already been collected by Splunk.

Labels (1)
Labels
0 Karma
Reply

altink
Builder
‎01-21-2022 09:31 AM

I do not think that Splunk will update the LAST_ARCHIVE_TIMESTAMP - not by itself.

However, in the doc Splunk says that it does support calling a procedure of an Oracle Database
https://docs.splunk.com/Documentation/DBX/3.7.0/DeployDBX/Commands

But I do not know if its only the case of procedures returning events as cursor to be pulled by DB Connect, or even the (your) case of a procedure just doing some actions and returning no rows.
If the second is true, I guess that calling

DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(
audit_trail_type IN PLS_INTEGER,
last_archive_time IN TIMESTAMP,
rac_instance_number IN PLS_INTEGER DEFAULT NULL,
container IN PLS_INTEGER DEFAULT CONTAINER_CURRENT,
database_id IN NUMBER DEFAULT NULL,
container_guid IN VARCHAR2 DEFAULT NULL);

https://docs.oracle.com/en/database/oracle/oracle-database/19/arpls/DBMS_AUDIT_MGMT.html#GUID-75EE6B...

... will set the right timestamp

0 Karma
Reply
Get Updates on the Splunk Community!

Get Operational Insights Quickly with Natural Language on the Splunk Platform

In today’s fast-paced digital world, turning data into actionable insights is essential for success. With ...

What’s New in Splunk Observability Cloud – June 2025

What’s New in Splunk Observability Cloud – June 2025 We are excited to announce the latest enhancements to ...

Almost Too Eventful Assurance: Part 2

Work While You SleepBefore you can rely on any autonomous remediation measures, you need to close the loop ...
Top