Re: Oracle Auditing with SYSLOG

From: David Robillard <david.robillard_at_gmail.com>
Date: Wed, 6 Nov 2013 10:54:47 -0500
Message-ID: <CADH15GjAi3yc7F2Xud5WipDnwzOkOx=--Cr2wd_tTFLB=+5eFw_at_mail.gmail.com>



Hello Andy,

> Thanks for the feedback Henry and David. I played with Splunk a bit
> yesterday and I have seen other tools that report off of syslog in the
> past. In a lot of the shops I've seen, the default 11.2 auditing to
> DB is the norm and more often than not, not really used for anything.
>

Indeed, most organizations don't know what to do with their logs, nor care to check them, until they get hit by a security breach or decide to comply with something like PCI or ISO 27001. If you do nothing with your logs, one has to wonder why you log at all.

> I like the idea of moving audit info to syslog, but agree that for the
> purposes that I've used AUD$ will no longer be as readily available.
>

Maybe a word of advice: IMHO, I don't like using OS as the audit destination. I prefer to keep either DB or SYSLOG. If you use OS, you will quickly fill up your file system with audit log files. Lots and lots of them are generated rather fast. You then need OS-level access to compress/backup/delete them. And as you probably know, a file system is a poor solution for handling lots of small files in the same directory. With DB, you can stay within Oracle and manage them (i.e. purge the tables). But with SYSLOG, you can configure your syslog system to send them all to a central syslog machine where you manage all your logs. Ideally not only your Oracle audit logs, but every log in your organization (e.g. networking gear, storage systems, OS logs and application logs). Once on that central syslog machine, you can beef up the disk space and have a dedicated log management team and software solutions. One central place to rule them all :)

> Nice blog post David. Thanks for sharing that.
>

No problem, I'm glad you liked it.

Have fun with your audit logs!

HTH, DA+
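An added example, not part of David's message and not Oracle's own tooling: once the audit records land on the central syslog host, something has to read them, otherwise they are just disk usage. The Python below parses the one-line records Oracle writes to syslog when AUDIT_TRAIL=OS and AUDIT_SYSLOG_LEVEL are set (a LENGTH header followed by NAME:[byte-length] "value" fields) and runs one simple detection over them: repeated failed logons from one user/host pair, and whether a successful logon followed them. The sample syslog lines, host names, users, session IDs and the alert threshold are constructed for illustration; the function names are mine, not an Oracle API.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample input (not real data): one-line records in the layout of the
# Oracle OS audit trail as forwarded by syslog. Each field is NAME:[byte-length] "value".
# Three ORA-01017 failures for SCOTT from one host, then a success; one ORA-28000
# (account locked) failure for HR from a host whose name contains a double quote;
# one ordinary HR logon. The LENGTH values are illustrative and not validated here.
SAMPLE_SYSLOG = """\
Nov  6 10:51:02 db01 Oracle Audit[4711]: LENGTH: "214" SESSIONID:[6] "400123" ENTRYID:[1] "1" STATEMENT:[1] "1" USERID:[5] "SCOTT" USERHOST:[11] "app-host-01" TERMINAL:[7] "unknown" ACTION:[3] "100" RETURNCODE:[4] "1017" OS$USERID:[6] "oracle" DBID:[10] "1234567890"
Nov  6 10:51:09 db01 Oracle Audit[4712]: LENGTH: "214" SESSIONID:[6] "400124" ENTRYID:[1] "1" STATEMENT:[1] "1" USERID:[5] "SCOTT" USERHOST:[11] "app-host-01" TERMINAL:[7] "unknown" ACTION:[3] "100" RETURNCODE:[4] "1017" OS$USERID:[6] "oracle" DBID:[10] "1234567890"
Nov  6 10:51:15 db01 Oracle Audit[4713]: LENGTH: "214" SESSIONID:[6] "400125" ENTRYID:[1] "1" STATEMENT:[1] "1" USERID:[5] "SCOTT" USERHOST:[11] "app-host-01" TERMINAL:[7] "unknown" ACTION:[3] "100" RETURNCODE:[4] "1017" OS$USERID:[6] "oracle" DBID:[10] "1234567890"
Nov  6 10:51:40 db01 Oracle Audit[4714]: LENGTH: "249" SESSIONID:[6] "400126" ENTRYID:[1] "1" STATEMENT:[1] "1" USERID:[5] "SCOTT" USERHOST:[11] "app-host-01" TERMINAL:[7] "unknown" ACTION:[3] "100" RETURNCODE:[1] "0" COMMENT$TEXT:[26] "Authenticated by: DATABASE" OS$USERID:[6] "oracle" DBID:[10] "1234567890"
Nov  6 10:52:03 db01 Oracle Audit[4715]: LENGTH: "208" SESSIONID:[6] "400127" ENTRYID:[1] "1" STATEMENT:[1] "1" USERID:[2] "HR" USERHOST:[10] "evil"host1" TERMINAL:[7] "unknown" ACTION:[3] "100" RETURNCODE:[5] "28000" OS$USERID:[6] "oracle" DBID:[10] "1234567890"
Nov  6 10:53:11 db01 Oracle Audit[4716]: LENGTH: "243" SESSIONID:[6] "400128" ENTRYID:[1] "1" STATEMENT:[1] "1" USERID:[2] "HR" USERHOST:[8] "hr-ws-07" TERMINAL:[7] "unknown" ACTION:[3] "100" RETURNCODE:[1] "0" COMMENT$TEXT:[26] "Authenticated by: DATABASE" OS$USERID:[6] "oracle" DBID:[10] "1234567890"
"""

FIELD_RE = re.compile(rb'([A-Z$]+):\[(\d+)\] "')      # NAME:[len] " ... value follows
LENGTH_RE = re.compile(rb'LENGTH\s*:\s*"(\d+)"\s*')  # record header, no [len] bracket
ACTION_LOGON = "100"                                 # Oracle audit ACTION code for LOGON


def parse_record(line: str) -> Optional[Dict[str, str]]:
    """Parse one syslog line carrying an Oracle audit record into a dict, or None
    if the line came from some other syslog source.

    Each value is read by its declared byte length instead of scanning for the
    closing quote, so a value that itself contains '"' cannot desynchronise the
    parser. A length that does not line up with the closing quote is reported as
    an error: the record is truncated or has been tampered with.
    """
    header, sep, rest = line.partition("Oracle Audit[")
    if not sep:
        return None
    pid, sep, body = rest.partition("]: ")
    if not sep:
        return None
    tokens = header.split()  # e.g. ['Nov', '6', '10:51:02', 'db01']
    rec = {"pid": pid, "syslog_host": tokens[3] if len(tokens) > 3 else ""}
    data = body.encode("utf-8")  # lengths are in bytes, so work on bytes
    m = LENGTH_RE.match(data)
    if not m:
        return None
    rec["LENGTH"] = m.group(1).decode()
    pos = m.end()
    while pos < len(data):
        m = FIELD_RE.match(data, pos)
        if not m:
            raise ValueError(f"unexpected text at offset {pos}: {data[pos:pos + 20]!r}")
        name, n = m.group(1).decode(), int(m.group(2))
        start = m.end()
        value = data[start:start + n]
        if len(value) != n or data[start + n:start + n + 1] != b'"':
            raise ValueError(f"length mismatch in field {name}: truncated or tampered record")
        rec[name] = value.decode("utf-8", "replace")
        pos = start + n + 1
        while pos < len(data) and data[pos:pos + 1] == b" ":
            pos += 1
    return rec


def parse_syslog(text: str) -> List[Dict[str, str]]:
    """Parse every Oracle audit record in a chunk of syslog text, skipping other lines."""
    records = []
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is not None:
            records.append(rec)
    return records


def failed_logons(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """LOGON records whose RETURNCODE is not 0 (ORA-01017, ORA-28000, ...)."""
    return [r for r in records if r.get("ACTION") == ACTION_LOGON and r.get("RETURNCODE") != "0"]


def detect_password_guessing(records: List[Dict[str, str]],
                             threshold: int = 3) -> Dict[Tuple[str, str], Tuple[int, bool]]:
    """Flag (USERID, USERHOST) pairs with at least `threshold` failed logons.

    Returns {(user, host): (failure_count, success_followed)}; success_followed is
    True when a successful logon for the same pair arrived after the failures,
    which is the case worth paging someone for. The threshold is an arbitrary
    choice for the example, not an Oracle setting.
    """
    fails: Dict[Tuple[str, str], int] = defaultdict(int)
    succeeded_after = set()
    for r in records:
        if r.get("ACTION") != ACTION_LOGON:
            continue
        key = (r.get("USERID", ""), r.get("USERHOST", ""))
        if r.get("RETURNCODE") == "0":
            if fails[key] >= threshold:
                succeeded_after.add(key)
        else:
            fails[key] += 1
    return {key: (n, key in succeeded_after) for key, n in fails.items() if n >= threshold}


if __name__ == "__main__":
    recs = parse_syslog(SAMPLE_SYSLOG)
    print(f"{len(recs)} audit records, {len(failed_logons(recs))} failed logons")
    for (user, host), (n, success) in detect_password_guessing(recs).items():
        print(f"ALERT: {n} failed logons for {user} from {host}"
              + (" followed by a successful logon" if success else ""))
```

On the database side, AUDIT_TRAIL=OS together with AUDIT_SYSLOG_LEVEL (a facility.priority pair such as LOCAL1.INFO) is what sends the records to the local syslog daemon instead of the .aud files; on the host, a forwarding rule for that facility (for rsyslog, a line of the form `local1.* @@loghost:514`) ships them to the central machine. That is also the security point of the syslog destination over DB or OS files: the records are written by a root-owned daemon and leave the host immediately, so someone with the oracle OS account or DBA rights cannot quietly edit or purge what has already been forwarded.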

--
http://www.freelists.org/webpage/oracle-l
Received on Wed Nov 06 2013 - 16:54:47 CET
