We are evaluating options for tools to consume XML audit logs generated from enabling Oracle's native auditing. It seems that SPLUNK has that capability, but I am unable to find real-world test cases of users who have this implemented in a production environment.
I am looking to identify the following:
- level of effort to configure SPLUNK to read the XML audit files
- How to translate audit_action and priv_used numbers to text values
- Any performance impact with the SPLUNK agent monitoring many XML log files; is there a max # of sessions that can be spawned?
- Ease of reporting on the audit data once it is loaded into SPLUNK (a list of some of our reporting requirements):
  - Follow a change request from logon to logoff
  - All users who logged in from 6am - 10am on a given day
  - Identify the user who altered a given table at a specified time
  - List all change requests for a specified time frame
  - List of logons from employee ids using generic database accounts
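As an added example (not part of the original post, and not Splunk's or Oracle's own code), the following Python script shows the two pieces the post asks about before any Splunk work: parsing Oracle XML audit-trail records and translating the numeric `Action` and `Priv_Used` codes into names, then running four of the listed reports over the decoded records. The element names, the namespace URI, and the handful of code-to-name pairs are assumptions recalled from Oracle's `AUDIT_ACTIONS` and `SYSTEM_PRIVILEGE_MAP` data-dictionary views; export the full tables from your own database (and, in Splunk, load them as CSV lookups) rather than relying on this excerpt. The sample file is constructed and includes one failed logon (`Returncode` 1017) so the queries show why successful and failed logons must be separated.

```python
"""Decode Oracle XML audit-trail records and answer a few audit-review questions.
Added example; field names and code tables are assumptions to verify locally."""
import xml.etree.ElementTree as ET
from datetime import date, datetime, time, timedelta

# Constructed sample in the shape of an Oracle XML audit-trail file (assumed tag
# names and namespace URI; compare with a real file from your instance).
SAMPLE_AUDIT_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Audit xmlns="http://xmlns.oracle.com/oracleas/schema/dbserver_audittrail-11_2.xsd">
 <AuditRecord><Audit_Type>1</Audit_Type><Session_Id>1001</Session_Id>
  <Extended_Timestamp>2024-03-05T06:15:02.123456Z</Extended_Timestamp>
  <DB_User>APP_GENERIC</DB_User><OS_User>e12345</OS_User><Userhost>ws-17</Userhost>
  <Action>100</Action><Priv_Used>5</Priv_Used><Returncode>0</Returncode></AuditRecord>
 <AuditRecord><Audit_Type>1</Audit_Type><Session_Id>1001</Session_Id>
  <Extended_Timestamp>2024-03-05T06:20:10.000000Z</Extended_Timestamp>
  <DB_User>APP_GENERIC</DB_User><OS_User>e12345</OS_User><Userhost>ws-17</Userhost>
  <Object_Schema>HR</Object_Schema><Object_Name>EMPLOYEES</Object_Name>
  <Action>15</Action><Returncode>0</Returncode></AuditRecord>
 <AuditRecord><Audit_Type>1</Audit_Type><Session_Id>1001</Session_Id>
  <Extended_Timestamp>2024-03-05T06:30:00.000000Z</Extended_Timestamp>
  <DB_User>APP_GENERIC</DB_User><OS_User>e12345</OS_User>
  <Action>101</Action><Returncode>0</Returncode></AuditRecord>
 <AuditRecord><Audit_Type>1</Audit_Type><Session_Id>1002</Session_Id>
  <Extended_Timestamp>2024-03-05T07:02:44.000000Z</Extended_Timestamp>
  <DB_User>SCOTT</DB_User><OS_User>e67890</OS_User>
  <Action>100</Action><Priv_Used>5</Priv_Used><Returncode>1017</Returncode></AuditRecord>
 <AuditRecord><Audit_Type>1</Audit_Type><Session_Id>1003</Session_Id>
  <Extended_Timestamp>2024-03-05T11:05:00.000000Z</Extended_Timestamp>
  <DB_User>SCOTT</DB_User><OS_User>e67890</OS_User>
  <Action>100</Action><Priv_Used>5</Priv_Used><Returncode>0</Returncode></AuditRecord>
</Audit>
"""

# Excerpts (assumed values) of Oracle's AUDIT_ACTIONS and SYSTEM_PRIVILEGE_MAP views.
# Export the full tables: SELECT action, name FROM audit_actions;
#                          SELECT privilege, name FROM system_privilege_map;
AUDIT_ACTIONS = {1: "CREATE TABLE", 2: "INSERT", 3: "SELECT", 6: "UPDATE", 7: "DELETE",
                 12: "DROP TABLE", 15: "ALTER TABLE", 100: "LOGON", 101: "LOGOFF"}
SYSTEM_PRIVILEGE_MAP = {-3: "ALTER SYSTEM", -5: "CREATE SESSION", -40: "CREATE TABLE"}


def _local(tag):
    """Strip the XML namespace: '{uri}Action' -> 'Action'."""
    return tag.rsplit("}", 1)[-1]


def _ts(iso_text):
    """Parse the UTC timestamp; the trailing 'Z' is rewritten for fromisoformat()."""
    return datetime.fromisoformat(iso_text.replace("Z", "+00:00"))


def parse_audit_records(xml_text):
    """Return one dict per AuditRecord, time-ordered, with decoded names added."""
    records = []
    for element in ET.fromstring(xml_text):
        if _local(element.tag) != "AuditRecord":
            continue
        rec = {_local(c.tag): (c.text or "").strip() for c in element}
        code = rec.get("Action", "")
        # Unknown codes stay visible as UNKNOWN(n) instead of being dropped.
        rec["action_name"] = AUDIT_ACTIONS.get(int(code or 0), "UNKNOWN(%s)" % code)
        if "Priv_Used" in rec:
            # Assumption: the file stores the positive code; the view keys on the negative.
            rec["priv_name"] = SYSTEM_PRIVILEGE_MAP.get(-int(rec["Priv_Used"]),
                                                        "UNKNOWN(%s)" % rec["Priv_Used"])
        rec["ts"] = _ts(rec["Extended_Timestamp"])
        records.append(rec)
    return sorted(records, key=lambda r: r["ts"])


def logons_between(records, day, start, end):
    """Successful logons on `day` (YYYY-MM-DD) with time of day in [start, end) (HH:MM)."""
    d, t0, t1 = date.fromisoformat(day), time.fromisoformat(start), time.fromisoformat(end)
    return [(r["DB_User"], r["OS_User"]) for r in records
            if r["action_name"] == "LOGON" and r["Returncode"] == "0"
            and r["ts"].date() == d and t0 <= r["ts"].time() < t1]


def who_altered(records, table, at, tolerance=timedelta(minutes=5)):
    """(DB user, OS user) pairs that ran ALTER TABLE on `table` within `tolerance` of `at`."""
    at_dt = _ts(at)
    return [(r["DB_User"], r["OS_User"]) for r in records
            if r["action_name"] == "ALTER TABLE" and r.get("Object_Name") == table
            and abs(r["ts"] - at_dt) <= tolerance]


def session_trail(records, session_id):
    """Actions of one session in time order, from LOGON through LOGOFF."""
    return [r["action_name"] for r in records if r["Session_Id"] == session_id]


def generic_account_logons(records, generic_accounts):
    """(OS user, DB user) for successful logons to shared accounts. The OS user is
    the closest thing the record carries to an employee id (assumption)."""
    return sorted({(r["OS_User"], r["DB_User"]) for r in records
                   if r["action_name"] == "LOGON" and r["Returncode"] == "0"
                   and r["DB_User"] in generic_accounts})


RECORDS = parse_audit_records(SAMPLE_AUDIT_XML)

if __name__ == "__main__":
    for r in RECORDS:
        print(r["ts"], r["Session_Id"], r["DB_User"], r["OS_User"],
              r["action_name"], r.get("priv_name", ""), r["Returncode"])
    print(logons_between(RECORDS, "2024-03-05", "06:00", "10:00"))
    print(session_trail(RECORDS, "1001"))
```

The namespace stripping matters because real files declare a default `xmlns`, which otherwise prefixes every tag and breaks naive `find("Action")` calls. In Splunk the same decoding is a CSV lookup on the `Action` and `Priv_Used` fields; the `Returncode` filter is the part most easily forgotten, since a failed logon is still a LOGON record.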