Mario,
Yes, you were right. Thank you!
After speaking with our DBAs, I realized that they accidentally sent me a link to the wrong data in email and that's why the expected fields were missing. The data is actually being written to /var/log/messages! Which makes things much easier! Or at least I thought so...
But when testing this myself I found that it doesn't matter whether I use sourcetype = syslog or sourcetype = oracle_syslog, the results are still indexed without the field extractions defined in the Oracle Audit Trail app.
If I add sourcetype = syslog to the inputs.conf monitor stanza, shouldn't it recognize the data via the Oracle Audit Trail's props.conf and feed it into the transforms.conf and automatically update the sourcetype and do the field extraction for me?
I am very curious whether you received the same error I did when you installed the Oracle Audit Trail app in Splunk?
“The lookup table 'oracle_actions' does not exist. It is referenced by configuration 'oracle_syslog'”
I get that error after installing the app on both my test and production instances of Splunk, even before importing the data. I suspect that once I get that error message resolved, I should be able to figure out how to get the fields extracted and then the rest of the app should work fine.
Here is a sample of the correct data... Any ideas?
Sep 19 10:14:39 stage01 ora Audit[8161]: LENGTH : '443' ACTION :[289] 'SELECT NAME NAME_COL_PLUS_SHOW_PARAM,DECODE(TYPE,1,'boolean',2,'string',3,'integer',4,'file',5,'number', 6,'big integer', 'unknown') TYPE,DISPLAY_VALUE VALUE_COL_PLUS_SHOW_PARAM FROM V$PARAMETER WHERE UPPER(NAME) LIKE UPPER(:NMBIND_SHOW_OBJ) ORDER BY NAME_COL_PLUS_SHOW_PARAM,ROWNUM' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'ora' CLIENT TERMINAL:[5] 'pts/2' STATUS:[1] '0' DBID:[10] '9234521554'
Sep 19 10:16:06 stage01 ora Audit[8313]: LENGTH : '159' ACTION :[7] 'CONNECT' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'ora' CLIENT TERMINAL:[5] 'pts/2' STATUS:[1] '0' DBID:[10] '9234521554'
Sep 19 10:16:06 stage01 ora Audit[8313]: LENGTH : '158' ACTION :[6] 'COMMIT' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'ora' CLIENT TERMINAL:[5] 'pts/2' STATUS:[1] '0' DBID:[10] '9234521554'
Sep 19 10:16:06 stage01 ora Audit[8313]: LENGTH : '158' ACTION :[6] 'COMMIT' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'ora' CLIENT TERMINAL:[5] 'pts/2' STATUS:[1] '0' DBID:[10] '9234521554'
Sep 19 10:33:15 stage01 ora Audit[9287]: LENGTH : '159' ACTION :[7] 'CONNECT' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'ora' CLIENT TERMINAL:[5] 'pts/3' STATUS:[1] '0' DBID:[10] '9234521554'
Sep 19 10:33:15 stage01 ora Audit[9287]: LENGTH : '158' ACTION :[6] 'COMMIT' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'ora' CLIENT TERMINAL:[5] 'pts/3' STATUS:[1] '0' DBID:[10] '9234521554'
Sep 19 10:33:15 stage01 ora Audit[9287]: LENGTH : '158' ACTION :[6] 'COMMIT' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'ora' CLIENT TERMINAL:[5] 'pts/3' STATUS:[1] '0' DBID:[10] '9234521554'
Sep 19 10:33:45 stage01 ora Audit[9287]: LENGTH : '189' ACTION :[36] 'select instance_name from v$instance' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'ora' CLIENT TERMINAL:[5] 'pts/3' STATUS:[1] '0' DBID:[10] '9234521554'
Sep 19 10:33:57 stage01 ora Audit[9287]: LENGTH : '197' ACTION :[44] 'BEGIN access_tracking_income_max; END;
Sep 19 10:37:59 stage01 ora Audit[9513]: LENGTH : '159' ACTION :[7] 'CONNECT' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'ora' CLIENT TERMINAL:[5] 'pts/3' STATUS:[1] '0' DBID:[10] '9234521554'
Sep 19 10:37:59 stage01 ora Audit[9513]: LENGTH : '158' ACTION :[6] 'COMMIT' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'ora' CLIENT TERMINAL:[5] 'pts/3' STATUS:[1] '0' DBID:[10] '9234521554'
Sep 19 10:37:59 stage01 ora Audit[9513]: LENGTH : '158' ACTION :[6] 'COMMIT' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'ora' CLIENT TERMINAL:[5] 'pts/3' STATUS:[1] '0' DBID:[10] '9234521554'
Sep 19 10:38:09 stage01 ora Audit[9513]: LENGTH : '189' ACTION :[36] 'select instance_name from v$instance' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'ora' CLIENT TERMINAL:[5] 'pts/3' STATUS:[1] '0' DBID:[10] '9234521554'
Sep 19 10:38:38 stage01 ora Audit[9513]: LENGTH : '181' ACTION :[28] 'BEGIN .update_; END;
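The records posted above are the Oracle audit-trail syslog lines that the app's props.conf/transforms.conf are meant to extract fields from. As an added example, not code from the thread and not the Oracle Audit Trail app's own extraction logic, the following Python parser pulls the same fields out of that record layout. It assumes (as the sample suggests, e.g. 'CONNECT' carries [7] and 'SYSDBA' carries [6]) that the bracketed number before each value is the declared length of that value; it uses that length when it lines up with a closing quote, and otherwise falls back to locating the closing quote by context, so the embedded quotes inside the SELECT statement do not break the extraction. The sample lines are copied from the post; the function and field names are my own.

```python
import re
from typing import Dict, List, Optional

# Syslog header as seen in the sample: "<Mon dd HH:MM:SS> <host> ora Audit[<pid>]: <body>".
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r".*?Audit\[(?P<pid>\d+)\]:\s*(?P<body>.*)$"
)
# A field label such as "DATABASE USER:[1] '" or "LENGTH : '" (length bracket is optional).
KEY_RE = re.compile(r"\s*(?P<key>[A-Z][A-Z ]*?)\s*:\s*(?:\[(?P<len>\d+)\])?\s*'")
# A closing quote is one that is followed by the next label or by the end of the record;
# quotes inside a SQL literal ('boolean',2,...) are followed by a comma or parenthesis instead.
CLOSE_RE = re.compile(r"'(?=\s+[A-Z][A-Z ]*?\s*:|\s*$)")


def parse_audit_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one Oracle audit syslog record; return None for lines that are not audit records."""
    m = HEADER_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    rec: Dict[str, object] = {
        "timestamp": m["ts"],
        "host": m["host"],
        "pid": int(m["pid"]),
        "truncated": False,        # set when a value has no closing quote (record cut short)
        "length_mismatch": [],     # fields whose declared [n] did not match the visible value
    }
    body, pos = m["body"], 0
    while True:
        km = KEY_RE.match(body, pos)
        if km is None:
            break
        key = km["key"].strip().lower().replace(" ", "_")
        declared = int(km["len"]) if km["len"] is not None else None
        start = km.end()
        end = -1
        # Trust the declared length only if a record terminator sits exactly there.
        if declared is not None and CLOSE_RE.match(body, start + declared):
            end = start + declared
        else:
            cm = CLOSE_RE.search(body, start)
            if cm is not None:
                end = cm.start()
        if end < 0:
            # No closing quote anywhere: keep what is there and flag the record.
            rec[key] = body[start:]
            rec["truncated"] = True
            break
        value = body[start:end]
        if declared is not None and declared != len(value):
            rec["length_mismatch"].append(key)
        rec[key] = value
        pos = end + 1
    return rec


def parse_many(lines: List[str]) -> List[Dict[str, object]]:
    """Parse a batch of syslog lines, skipping anything that is not an Oracle audit record."""
    return [r for r in (parse_audit_line(l) for l in lines) if r is not None]


# Sample input: three records copied from the post above plus one unrelated syslog line.
SAMPLE_LINES = [
    "Sep 19 10:14:39 stage01 ora Audit[8161]: LENGTH : '443' ACTION :[289] 'SELECT NAME NAME_COL_PLUS_SHOW_PARAM,"
    "DECODE(TYPE,1,'boolean',2,'string',3,'integer',4,'file',5,'number', 6,'big integer', 'unknown') TYPE,"
    "DISPLAY_VALUE VALUE_COL_PLUS_SHOW_PARAM FROM V$PARAMETER WHERE UPPER(NAME) LIKE UPPER(:NMBIND_SHOW_OBJ) "
    "ORDER BY NAME_COL_PLUS_SHOW_PARAM,ROWNUM' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'ora' "
    "CLIENT TERMINAL:[5] 'pts/2' STATUS:[1] '0' DBID:[10] '9234521554'",
    "Sep 19 10:16:06 stage01 ora Audit[8313]: LENGTH : '159' ACTION :[7] 'CONNECT' DATABASE USER:[1] '/' "
    "PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'ora' CLIENT TERMINAL:[5] 'pts/2' STATUS:[1] '0' DBID:[10] '9234521554'",
    "Sep 19 10:33:57 stage01 ora Audit[9287]: LENGTH : '197' ACTION :[44] 'BEGIN access_tracking_income_max; END;",
    "Sep 19 10:00:00 stage01 sshd[4242]: Accepted publickey for ora from 10.0.0.5",  # constructed, not an audit line
]

if __name__ == "__main__":
    for r in parse_many(SAMPLE_LINES):
        flags = ("TRUNCATED " if r["truncated"] else "") + ",".join(r["length_mismatch"])
        print(f'{r["timestamp"]} {r.get("client_user")}@{r.get("client_terminal")} '
              f'as {r.get("privilege")}: {str(r.get("action"))[:40]!r} {flags}')
```

Two things in the posted sample are worth noticing when writing or debugging extraction regexes for it: the SQL in the first record contains single quotes inside the quoted ACTION value, and some declared lengths do not match the visible value (CLIENT USER is declared [6] but shows 'ora'), which is what the `length_mismatch` list records instead of dropping the event. The records that end without a closing quote (the two `BEGIN ... END;` lines) come back with `truncated` set, so incomplete audit events are visible rather than silently absorbed.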