Why tail monitor configuration receiving dbconnect error Illegal pattern character "I"

barrymcintosh
Engager

I am trying to set up a tail monitor on Oracle audit tables. Below is my configuration, but I am receiving the dbconnect error Illegal pattern character "I" (full error below). Looking at previous posts, I think it might be something with the timestamp formatting. Someone must have gotten Oracle DB audit log table monitoring working from dbconnect rather than writing the audit logs out to a file.

[dbmon-tail://AMS/P17-Audit]
host = P17
index = oracle_audit
interval = auto
output.format = kv
output.timestamp = 1
output.timestamp.column = TIMESTAMP
output.timestamp.format = YYYY-MM-DD HH24:MI:SS
query = select to_char(timestamp,'YYYY-MM-DD  HH24:MI:SS'), os_username,username,userhost,owner,obj_name,action,action_name,new_owner,new_name,obj_privilege,sys_privilege,admin_option,grantee,to_char(logoff_time,'YYYY-MM-DD HH24:MI:SS'), comment_text,sessionid,returncode,priv_used,sql_text from sys.dba_audit_trail {{WHERE $rising_column$ > to_date (?,'YYYY-MM-DD HH:MI:SS')}}
tail.rising.column = TIMESTAMP
table = P17-Audit

dbx8126:ERROR:Scheduler - Error while reloading database input=dbmon-tail://AMIS/PT11-Audit
com.splunk.config.SplunkConfigurationException: Error instantiating output format kv: java.lang.IllegalArgumentException: Illegal pattern character 'I'
    at com.splunk.dbx.monitor.output.OutputFormatFactory.createOutputFormat(OutputFormatFactory.java:62)
    at com.splunk.dbx.monitor.DatabaseMonitor.<init>(DatabaseMonitor.java:137)
    at com.splunk.dbx.monitor.scheduler.Scheduler.loadDatabaseMonitor(Scheduler.java:216)
    at com.splunk.dbx.monitor.scheduler.Scheduler.reloadDatabaseMonitor(Scheduler.java:196)
    at com.splunk.dbx.monitor.DatabaseMonitoringManager$Reloader.run(DatabaseMonitoringManager.java:133)
    at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
    at java.util.concurrent.FutureTask.run(Unknown Source)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(Unknown Source)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
Caused by: java.lang.IllegalArgumentException: Illegal pattern character 'I'
    at java.text.SimpleDateFormat.compile(Unknown Source)
    at java.text.SimpleDateFormat.initialize(Unknown Source)
    at java.text.SimpleDateFormat.<init>(Unknown Source)
    at java.text.SimpleDateFormat.<init>(Unknown Source)
    at com.splunk.dbx.monitor.output.impl.BaseOutputFormat.<init>(BaseOutputFormat.java:36)
    at com.splunk.dbx.monitor.output.impl.SingleLineFormat.<init>(SingleLineFormat.java:11)
    at com.splunk.dbx.monitor.output.impl.KeyValueFormat.<init>(KeyValueFormat.java:20)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
    at java.lang.reflect.Constructor.newInstance(Unknown Source)
    at com.splunk.util.Utils$Reflection.instantiate(Utils.java:880)
    at com.splunk.util.Utils$Reflection.instantiate(Utils.java:898)
    at com.splunk.dbx.monitor.output.OutputFormatFactory.createOutputFormat(OutputFormatFactory.java:58)
0 Karma

gkanapathy
Splunk Employee

output.timestamp.format needs to be expressed as a Java SimpleDateFormat pattern, not a SQL date format. So your setting should be:

output.timestamp.format = yyyy-MM-dd HH:mm:ss
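The answer above comes down to two different format languages: Oracle's TO_CHAR mask in the query versus java.text.SimpleDateFormat in output.timestamp.format. The script below is an added example (not DB Connect's code and not from either poster) that reproduces the check SimpleDateFormat performs when it compiles a pattern, so a mask can be validated before the input is reloaded, and translates an Oracle mask into the equivalent Java pattern. The table of Oracle elements it knows is an assumption limited to the common date and time elements; anything it does not recognise is rejected rather than guessed.

```python
"""Pre-check DB Connect timestamp patterns and translate Oracle TO_CHAR masks
into Java SimpleDateFormat patterns (added example, not DB Connect's code)."""

# Letters java.text.SimpleDateFormat accepts as pattern letters (JDK 7/8 javadoc).
# Any other ASCII letter outside single quotes makes the Java constructor throw
# IllegalArgumentException("Illegal pattern character 'X'").
JAVA_PATTERN_LETTERS = set("GyYMLwWDdFEuaHkKhmsSzZX")

# Oracle TO_CHAR elements and their SimpleDateFormat equivalents (assumed subset),
# longest first so that HH24 is matched before HH and DDD before DD.
ORACLE_TO_JAVA = [
    ("HH24", "HH"), ("HH12", "hh"), ("YYYY", "yyyy"), ("FF3", "SSS"),
    ("MON", "MMM"), ("DDD", "DDD"), ("HH", "hh"), ("MI", "mm"),
    ("SS", "ss"), ("MM", "MM"), ("DD", "dd"), ("YY", "yy"),
    ("AM", "a"), ("PM", "a"), ("DY", "EEE"),
]


def find_illegal_pattern_char(pattern):
    """Return the first letter SimpleDateFormat would reject, or None.
    Text inside single quotes is literal and is skipped, as in Java."""
    in_quote = False
    for ch in pattern:
        if ch == "'":
            in_quote = not in_quote
            continue
        if in_quote:
            continue
        if ch.isascii() and ch.isalpha() and ch not in JAVA_PATTERN_LETTERS:
            return ch
    return None


def validate_output_timestamp_format(value):
    """Mimic the failure seen in the stack trace: None when the pattern compiles,
    otherwise the Java-style error message."""
    bad = find_illegal_pattern_char(value)
    if bad is None:
        return None
    return f"Illegal pattern character '{bad}'"


def oracle_to_java(mask):
    """Translate an Oracle TO_CHAR date mask such as 'YYYY-MM-DD HH24:MI:SS'
    into a SimpleDateFormat pattern. Punctuation and spaces pass through;
    an unknown Oracle element raises ValueError rather than guessing."""
    out = []
    upper = mask.upper()  # Oracle masks are case-insensitive
    i = 0
    while i < len(upper):
        for ora, java in ORACLE_TO_JAVA:
            if upper.startswith(ora, i):
                out.append(java)
                i += len(ora)
                break
        else:
            ch = mask[i]
            if ch.isalpha():
                raise ValueError(f"unsupported Oracle format element at {i}: {mask[i:]}")
            out.append(ch)
            i += 1
    return "".join(out)


if __name__ == "__main__":
    # The setting from the question, then the corrected one from the answer.
    for setting in ("YYYY-MM-DD HH24:MI:SS", "yyyy-MM-dd HH:mm:ss"):
        print(setting, "->", validate_output_timestamp_format(setting) or "ok")
    print(oracle_to_java("YYYY-MM-DD HH24:MI:SS"))
```

Run against the original setting, the checker returns exactly the message in the stack trace, because the first letter it meets that SimpleDateFormat does not define is the I of MI (Y, M, D, H and 2, 4 all pass). Note that a syntax check alone is not enough: uppercase YYYY is legal in Java but means week year, and HH24 would be read as hour followed by the literal digits 24, which is why translating the mask is safer than merely validating it.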