Logs have already been forwarded to syslog.
I started with this query:
index=syslog sourcetype=syslog (host="masked for security") NOT "CLIENT TERMINAL:[0]" "DBID" "SYSDBA"
which returned the following event:
<140>Apr 18 14:42:23 (host name masked for security) Audit[41355908]: LENGTH : '158' ACTION :[6] 'COMMIT' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'oracle' CLIENT TERMINAL:[5] 'pts/6' STATUS:[1] '0' DBID:[10] '3032765733'
Is there a way to run a correlation search to match the username to the DATABASE USER?
... View more