Splunk Search

Oracle into Splunk

phelit
New Member

I am trying to get the login/logoff and failed login of oracle 10.2.0.4 installed on windows to be seen by splunk. I managed to get the info written in the windows event log by setting the following parameters:

AUDIT_SYS_OPERATIONS = TRUE

AUDIT_TRAIL=OS

I get the info on the windows logs...but the log is nearly unreadable. And the info I need to extract is not in clear but in the "message" field of the log.

Is there a way to get the info I need directly from oracle? I am gathering the needed info on the windows logs installing splunk on the clients and using it as a client to send the info to a splunk server.

Is there a direct/easy way to get the info from oracle?

Any help or hint is VERY welcome!

Thank you!

0 Karma

bvamos
Explorer

I've just uploaded a new App (Splunk for Oracle Audit Trails) what can parse and analyze Oracle Audit Trails sent via syslog. It is not yet visible on SplunkBase but hopefully will be soon...
Check out my profile later...

bvamos
Explorer

Splunk for Oracle Audit Trails app is available. Download from: http://splunk-base.splunk.com/apps/36943/oracle-audit-trail

0 Karma

joshd
Builder

There's a very good article on understanding/configuring auditing in oracle found here:

http://docs.oracle.com/cd/B28359_01/network.111/b28531/auditing.htm#autoId8

Using that you can configure oracle to audit the events you want, wether it be to a local file, database table, etc... As I had previously mentioned there are two ways I've used for doing it, either log to a local file using the "OS" AUDIT_TRAIL value and pickup the events using a universal forwarder on the machine or you can configure the "DB,EXTENDED" value for AUDIT_TRAIL which will cause it to log to the SYS.AUD$ table. Then you would need to write a script that will connect to the database as a user and dump out the contents of the SYS.AUD$ table and then implement this script as a scripted input running every X-mins. As also previously mentioned depending on the load on your database, etc.. one option may be better over the other for you.

0 Karma

e82than
Communicator

Joshd, can you please help me on doing up the script to connect to the DB and dump out the contents of the sys.aud$ or send me a sample of yours, please? my email is e82than@hotmail.com.

0 Karma

phelit
New Member

Let's put it simple:

I need splunk to connect to my Oracle DB and gather Logon, Logoff and Logon fail of every user that connects to the DB.

How do I do that?

PLEASE help me!

Thank you!

0 Karma

joshd
Builder

You can configure oracle to log to a flat file locally on the system and then setup a splunk forwarder to monitor that file and forward all events... thats what Im doing.

I know other people, for performance reasons, will have it just create the audit events natively within oracle and then use a scripted input to login to oracle and dump the events out.

0 Karma

horizonsecurity
Explorer

Hi joshd, when you talk about flat file, do you mean syslog flat file or standard ".aud" oracle file?

0 Karma

phelit
New Member

Thank you for the answer. Could you explain me how did you implement this solution. And do you have any idea on how to implement the other solution? We are in a testing phase and I need to try every possible solution. Also because I am pretty sure I might have performance problems!
Thank you again for the answer and for any other help you might give me!

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...