Hello,
Currently I am working on Oracle DB 12c integration with Splunk; actually, I don't know which audit files Splunk will need for this integration.
Any suggestions?
BR,
Haytham
If you are using Oracle Unified Audit (starting with Oracle 12c R1), you can use the following
Oracle Unified Audit App for Splunk:
https://splunkbase.splunk.com/app/6172/
best regards
Altin
Hi @hmostafa, you can use the Splunk Add-on for Oracle Database to connect Oracle with Splunk.
https://splunkbase.splunk.com/app/1910
It collects and ingests data from the Oracle Database Server. This add-on can import data directly by monitoring the standard and fine-grained audit trails, trace files, incident, alert, listener, and other logs on the operating system where the Oracle Database Server is installed. Through log file monitoring and field extraction, the database administrator can create alerts and dashboards to track what errors, problems, or incidents happen to the database in real time.
Adding a link to the steps to configure this add-on.
https://docs.splunk.com/Documentation/AddOns/released/Oracle/Configuremonitorinputs
--------------------------------------------------------
If this helps, your like will be appreciated 😀
Hi,
Not sure exactly what you are trying to achieve (or ask).
But if you are trying to ingest the audit logging with the Splunk Add-on for Oracle Database I suggest you read the following:
https://docs.splunk.com/Documentation/AddOns/released/Oracle/Configuremonitorinputs
An example for Oracle 12c inputs:
[monitor:///u01/app/oracle/admin/*/adump/*.xml]
sourcetype = oracle:audit:xml
crcSalt = <SOURCE>

[monitor:///u01/app/oracle/admin/*/adump/*.aud]
sourcetype = oracle:audit:text
crcSalt = <SOURCE>

[monitor:///u01/app/oracle/diag/rdbms/*/*/alert/log.xml*]
sourcetype = oracle:alert:xml
crcSalt = <SOURCE>

[monitor:///u01/app/oracle/diag/tnslsnr/*/listener/alert/log.xml*]
sourcetype = oracle:listener:xml
crcSalt = <SOURCE>

[monitor:///u01/app/oracle/diag/rdbms/*/*/trace/*.trc]
sourcetype = oracle:trace
crcSalt = <SOURCE>

[monitor:///u01/app/oracle/diag/rdbms/*/*/incident/incdir*/*.trc]
sourcetype = oracle:incident
crcSalt = <SOURCE>
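A pre-deployment check for the monitor stanzas quoted in the reply above, as an added example that is not part of the original thread or of the Splunk add-on: it parses inputs.conf text and reports, per stanza, how many files the path matches and which of them the current user cannot read. The function name and the `root` parameter are hypothetical, and Python's `glob` only approximates Splunk's `*` wildcard (Splunk's `...` wildcard is not handled).

```python
import configparser, glob, os

# Three of the stanzas from the reply above, embedded so the check runs offline.
INPUTS_CONF = """\
[monitor:///u01/app/oracle/admin/*/adump/*.xml]
sourcetype = oracle:audit:xml
crcSalt = <SOURCE>

[monitor:///u01/app/oracle/admin/*/adump/*.aud]
sourcetype = oracle:audit:text
crcSalt = <SOURCE>

[monitor:///u01/app/oracle/diag/rdbms/*/*/alert/log.xml*]
sourcetype = oracle:alert:xml
crcSalt = <SOURCE>
"""

def check_monitor_inputs(conf_text, root="/"):
    """Map each monitor stanza to its sourcetype, match count and unreadable files.

    `root` (hypothetical parameter) re-bases the absolute monitor paths so the
    check can be pointed at a test tree instead of the live filesystem.
    """
    cp = configparser.RawConfigParser(delimiters=("=",))
    cp.optionxform = str                      # keep key case, e.g. crcSalt
    cp.read_string(conf_text)
    report = {}
    for stanza in cp.sections():
        if not stanza.startswith("monitor://"):
            continue                          # only file monitor inputs
        path = stanza[len("monitor://"):]     # leaves "/u01/app/oracle/..."
        pattern = os.path.join(root, path.lstrip("/"))
        files = [f for f in glob.glob(pattern) if os.path.isfile(f)]
        report[stanza] = {
            "sourcetype": cp.get(stanza, "sourcetype", fallback=None),
            "matched": len(files),            # 0 means this input ingests nothing
            "unreadable": [f for f in files if not os.access(f, os.R_OK)],
        }
    return report

if __name__ == "__main__":
    for stanza, info in check_monitor_inputs(INPUTS_CONF).items():
        print(stanza, info["sourcetype"], info["matched"], info["unreadable"])
```

Run it as the OS account the forwarder runs under, since the readability result reflects the current user's permissions on the audit directories.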