RE: Oracle Audit records and Splunk

From: Upendra nerilla <nupendra_at_hotmail.com>
Date: Thu, 19 Nov 2015 10:11:37 -0500
Message-ID: <BLU181-W104DABAEC6E9C39C99C137D81B0_at_phx.gbl>



Hi Niall,
Thanks for sharing about your audit log setup. Could you share a bit about how Splunk helped in accessing the audit data? What problem does it eliminate? We have Splunk and are trying to see if it is worth it.

Thanks
-Upendra

Date: Thu, 19 Nov 2015 10:00:43 +0000
Subject: Re: Oracle Audit records and Splunk
From: niall.litchfield_at_gmail.com
To: knecht.stefan_at_gmail.com
CC: john.jones_at_duke.edu; oracle-l_at_freelists.org

You'd like to think so wouldn't you. See Truncated Audit Records when using SYSLOG Auditing (Doc ID 1951759.1). A couple of key items from that note that meant we abandoned that approach:

- 1 audit record can span multiple lines in syslog - this isn't considered a bug
- Oracle won't put any resource into syslog audit trails - unified auditing in 12c is the strategic direction

We also found that syslog audit records weren't necessarily consistent in format. We've moved to XML as an audit trail format for audit trails that we feed to Splunk.

On Thu, Nov 19, 2015 at 8:31 AM, Stefan Knecht <knecht.stefan_at_gmail.com> wrote:

Have you tried switching Oracle's auditing to write to SYSLOG? Those should be easy to parse.

Stefan

On Thu, Nov 19, 2015 at 3:51 AM, John Jones <john.jones_at_duke.edu> wrote:

Is there anyone out there using Splunk to look at your Oracle Audit logs? We are trying to set this up and running into problems with the way that Oracle writes the audit files in different formats. We are mostly looking at tracking Oracle logins and notice that the format of the audit record can change depending on the error encountered. Any pointers or suggestions are welcome.

John Jones

--

Niall Litchfield
Oracle DBA
http://www.orawin.info
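The thread's conclusion is that the XML audit trail is the format worth feeding to Splunk, because every AuditRecord carries the same named fields whether the logon succeeded or failed, which is exactly the property John is missing in the syslog and text trails. The following is an added example, not code from this thread or from Oracle: a small parser that turns XML audit records into flat login events (one JSON object per record, which Splunk indexes without any multi-line or regex work). The element names (AuditRecord, DB_User, OS_User, Userhost, Action, Returncode, Extended_Timestamp) and the action and return codes (100 = LOGON, 101 = LOGOFF, 1017 = invalid username/password, 28000 = account locked) are as I recall them from the 11g/12c XML audit trail and should be checked against a real adump .xml file; the sample records are constructed.

```python
"""Flatten Oracle XML audit-trail records into login events for a log indexer.

Added example for the oracle-l thread, not code from the thread or from Oracle.
Element and code names are assumptions from memory of the 11g/12c XML audit
trail; verify them against an actual adump .xml file before relying on them.
"""
import json
import xml.etree.ElementTree as ET

# Constructed sample: a successful logon, a failed logon (missing optional
# elements, as a failed attempt often does), and a non-login SELECT record.
SAMPLE_XML = """<Audit xmlns="http://xmlns.oracle.com/oracleas/schema/dbserver_audittrail-11_2.xsd">
 <AuditRecord>
  <Audit_Type>1</Audit_Type>
  <Session_Id>4120341</Session_Id>
  <Extended_Timestamp>2015-11-19T10:00:43.123456Z</Extended_Timestamp>
  <DB_User>APPUSER</DB_User>
  <OS_User>jdoe</OS_User>
  <Userhost>ws0815.example.net</Userhost>
  <Terminal>WS0815</Terminal>
  <Action>100</Action>
  <Returncode>0</Returncode>
  <Comment_Text>Authenticated by: DATABASE</Comment_Text>
 </AuditRecord>
 <AuditRecord>
  <Audit_Type>1</Audit_Type>
  <Session_Id>4120342</Session_Id>
  <Extended_Timestamp>2015-11-19T10:01:02.654321Z</Extended_Timestamp>
  <DB_User>SYS</DB_User>
  <OS_User>unknown</OS_User>
  <Userhost>203.0.113.7</Userhost>
  <Action>100</Action>
  <Returncode>1017</Returncode>
 </AuditRecord>
 <AuditRecord>
  <Audit_Type>1</Audit_Type>
  <Session_Id>4120341</Session_Id>
  <Extended_Timestamp>2015-11-19T10:00:44.000000Z</Extended_Timestamp>
  <DB_User>APPUSER</DB_User>
  <Object_Schema>HR</Object_Schema>
  <Object_Name>EMPLOYEES</Object_Name>
  <Action>3</Action>
  <Returncode>0</Returncode>
 </AuditRecord>
</Audit>
"""

# Assumed codes (audit_actions / ORA- numbers); anything else falls through.
ACTION_NAMES = {100: "LOGON", 101: "LOGOFF"}
RETURNCODE_NAMES = {0: "SUCCESS", 1017: "INVALID_CREDENTIALS", 28000: "ACCOUNT_LOCKED"}


def _local(tag):
    """Strip the XML namespace so field names match regardless of schema URI."""
    return tag.rsplit("}", 1)[-1]


def parse_audit_records(xml_text):
    """Return one dict of element-name -> text per <AuditRecord>."""
    root = ET.fromstring(xml_text)
    records = []
    for rec in root:
        if _local(rec.tag) != "AuditRecord":
            continue
        records.append({_local(c.tag): (c.text or "").strip() for c in rec})
    return records


def to_login_event(fields):
    """Map a record to a flat login event, or None if it is not a logon/logoff."""
    action = int(fields.get("Action", -1))
    if action not in ACTION_NAMES:
        return None
    rc = int(fields.get("Returncode", -1))
    return {
        "time": fields.get("Extended_Timestamp", ""),
        "session_id": fields.get("Session_Id", ""),
        "db_user": fields.get("DB_User", ""),
        "os_user": fields.get("OS_User", ""),
        "host": fields.get("Userhost", ""),
        "terminal": fields.get("Terminal", ""),   # absent on many failed logons
        "action": ACTION_NAMES[action],
        "returncode": rc,
        "outcome": RETURNCODE_NAMES.get(rc, "ORA-%05d" % rc),
        "success": rc == 0,
    }


def login_events(xml_text):
    """All logon/logoff events in an XML audit file, in file order."""
    return [e for e in (to_login_event(f) for f in parse_audit_records(xml_text)) if e]


if __name__ == "__main__":
    # One JSON object per line is a convenient shape for a Splunk input.
    for event in login_events(SAMPLE_XML):
        print(json.dumps(event, sort_keys=True))
```

The point of the fixed field set is that the failed SYS logon from 203.0.113.7 comes out with the same keys as the successful one, with empty strings where Oracle omitted an element, so a single search such as `action=LOGON success=false` covers every error code rather than one regex per error shape.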
--

http://www.freelists.org/webpage/oracle-l Received on Thu Nov 19 2015 - 16:11:37 CET
