Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Pulling Oracle Fine-Grained Audit logs from Oracle Database via DBConnect

adnankhan5133
Communicator
‎07-21-2020 06:07 AM

We are planning to ingest Oracle standard auditing and FGA logs (both stored in Oracle DB tables) via DBConnect into Splunk. Does anyone here know if Splunk updates the DBA_AUDIT_MGMT_LAST_ARCH_TS value for the audit trails after it collects the data? This value is a timestamp tells the source Oracle database that the audit data has been collected by the external tool, and allows the DBA's to know that the audit logs have been collected from the database. In turn, this let's the database purge jobs execute and delete the audit data from the database since it has already been collected by Splunk.

Labels (1)
Labels
0 Karma
Reply

altink
Builder
‎01-21-2022 09:31 AM

I do not think that Splunk will update the LAST_ARCHIVE_TIMESTAMP - not by itself.

However, in the doc Splunk says that it does support calling a procedure of an Oracle Database
https://docs.splunk.com/Documentation/DBX/3.7.0/DeployDBX/Commands

But I do not know if its only the case of procedures returning events as cursor to be pulled by DB Connect, or even the (your) case of a procedure just doing some actions and returning no rows.
If the second is true, I guess that calling

DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(
audit_trail_type IN PLS_INTEGER,
last_archive_time IN TIMESTAMP,
rac_instance_number IN PLS_INTEGER DEFAULT NULL,
container IN PLS_INTEGER DEFAULT CONTAINER_CURRENT,
database_id IN NUMBER DEFAULT NULL,
container_guid IN VARCHAR2 DEFAULT NULL);

https://docs.oracle.com/en/database/oracle/oracle-database/19/arpls/DBMS_AUDIT_MGMT.html#GUID-75EE6B...

... will set the right timestamp

0 Karma
Reply
Get Updates on the Splunk Community!

Cultivate Your Career Growth with Fresh Splunk Training

Growth doesn’t just happen—it’s nurtured. Like tending a garden, developing your Splunk skills takes the right ...

Introducing a Smarter Way to Discover Apps on Splunkbase

We’re excited to announce the launch of a foundational enhancement to Splunkbase: App Tiering.  Because we’ve ...

How to Send Splunk Observability Alerts to Webex teams in Minutes

As a Developer Evangelist at Splunk, my team and I are constantly tinkering with technology to explore its ...