Writing a SPLUNK alert for SYSTEM logon to an Oracle database with Oracle auditing turned on. The issue is that on the Unix server box all users log in with their own id to the box and then "su - oracle" to connect to the id that runs the Oracle instance. When you run the alert in SPLUNK it shows the user as ORACLE, which is the correct value returned from "whoami". However, what I would like is to have the value returned from "who am i", as this is the real user logged into the box who is using the ORACLE account. Is this possible to do?
whoami
oracle
who am i
rjk5555 pts/10 May 13 13:50 (mypc.domain.com)
==============================================
(index=oracle OR index=dblogs)
sourcetype=oracle:audit
"<DB_User>SYSTEM</DB_User>"
("<Action>100</Action>" OR "<Action>129</Action>")
| xmlkv
| eval Rpt_Time = strftime(_time, "%Y/%m/%d %H:%M:%S %a")
| eval DB_Server = host
| eval empid = OS_User
| rename Action AS Action_ID
| lookup oracle-action-map Action_ID OUTPUT Action_Name
| table OS_User, DB_User, oracle_sid, DB_Server, Userhost, Rpt_Time, Action_ID, Action_Name
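As the post observes, the Oracle audit record only carries the effective OS user after "su - oracle", so the originating login has to be correlated from the host's own su log (the same data "who am i" reads). The following is an added example, not code from the post, written in Python rather than SPL to show the join logic: it takes constructed Oracle audit rows (fields as xmlkv would extract them) and constructed syslog lines in the format shadow-utils su writes, and attributes each SYSTEM logon to the most recent su to oracle on the same host within a time window. Host names, user ids and timestamps are made up.

```python
import re
from datetime import datetime, timedelta

# Constructed sample Oracle audit rows (not from the post): OS_User is the
# shared account because the connection was made after `su - oracle`.
ORACLE_AUDIT = [
    {"_time": "2024-05-13 13:52:10", "host": "dbhost1", "OS_User": "oracle",
     "DB_User": "SYSTEM", "Action": "100", "Userhost": "dbhost1"},
    {"_time": "2024-05-13 09:00:00", "host": "dbhost1", "OS_User": "oracle",
     "DB_User": "SYSTEM", "Action": "100", "Userhost": "dbhost1"},
]

# Constructed syslog lines in the format shadow-utils `su` logs via pam/syslog.
SU_LOG = """\
May 13 13:50:12 dbhost1 su: (to oracle) rjk5555 on pts/10
May 13 13:55:40 dbhost1 su: (to oracle) abc1234 on pts/11
May 13 08:58:01 dbhost2 su: (to oracle) rjk5555 on pts/3
"""

SU_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) su: "
                   r"\(to (?P<target>\S+)\) (?P<who>\S+) on (?P<tty>\S+)$")


def parse_su_log(text, year):
    """Return (timestamp, host, target_user, originating_user, tty) tuples.
    Syslog lines carry no year, so the caller supplies it."""
    events = []
    for line in text.splitlines():
        m = SU_RE.match(line)
        if not m:
            continue  # not an su record; ignore
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["host"], m["target"], m["who"], m["tty"]))
    return events


def attribute_real_user(audit, su_events, window=timedelta(minutes=30)):
    """For each audit row, find the latest su to row['OS_User'] on the same
    host that happened at or before the logon and within `window`, and add
    its originating login as real_user (None when no su explains the logon)."""
    out = []
    for row in audit:
        t = datetime.strptime(row["_time"], "%Y-%m-%d %H:%M:%S")
        candidates = [e for e in su_events
                      if e[1] == row["host"] and e[2] == row["OS_User"]
                      and timedelta(0) <= t - e[0] <= window]
        best = max(candidates, key=lambda e: e[0], default=None)
        out.append({**row, "real_user": best[3] if best else None,
                    "tty": best[4] if best else None})
    return out
```

In Splunk the same correlation is a join or transaction on host against the sourcetype that carries the su lines, which the post's search would need to add alongside oracle:audit. When several users su to oracle inside the window, "latest prior su" is a heuristic rather than proof, and a logon with no matching su at all is itself worth flagging.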