Re: Oracle Audit records and Splunk

From: Dragutin Jastrebic <orahawk_at_gmail.com>
Date: Mon, 23 Nov 2015 00:09:33 +0100
Message-ID: <CANGCQwn-Fw6ve_MiZGRevn-PDF56i7Qtd0rT_cjm_8yZ+k8+8g_at_mail.gmail.com>
Hello

On one of my projects in the past I faced a similar challenge, transferring Oracle trace data to Splunk, so here is what I did.

- Unix shell/AWK programming to extract the SYS trace. I made a small adaptation in order to make it work with all the versions from 8i to 11g. It was not such an easy task, I must admit.

- For all the other users, I set audit_trail=DB_EXTENDED, so it was simple to extract the data from sys.aud$.

(BTW, audit_trail=XML is probably a good option as well; the traces are written to the file system and not to the database, and they can then be extracted with SQL statements rather than with awk or other tools, but I did not test it myself.)

- For Windows systems, the SYS trace must be extracted from the Event Viewer. I installed the LogParser tool to put the Event Viewer's data into text files and did the rest with some Java/DOS shell programming.

Dragutin

--

http://www.freelists.org/webpage/oracle-l Received on Mon Nov 23 2015 - 00:09:33 CET
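The post above describes pulling Oracle audit records out of sys.aud$ (audit_trail=DB_EXTENDED) or out of the XML audit trail (audit_trail=XML) and feeding them to Splunk. As an added example that is not part of the original message or of any Oracle or Splunk tooling, the script below takes an XML audit trail file, keeps only records newer than a timestamp watermark (so repeated runs ship each record once), redacts passwords that DB_EXTENDED-style SQL text can carry (ALTER USER ... IDENTIFIED BY ...), and emits one JSON object per line, which keeps multi-line SQL text inside a single Splunk event. The element names (AuditRecord, Extended_Timestamp, DB_User, Sql_Text, Returncode, ...) follow the Oracle 11g XML audit trail as I recall it and are an assumption to verify against a file from your own instance; the sample file embedded in the script is constructed, not captured.

```python
"""Oracle XML audit trail -> JSON lines for Splunk (added example, not the
original poster's code). Element names are assumed from the Oracle 11g XML
audit format; check them against a real file before relying on them."""
import json
import re
import xml.etree.ElementTree as ET

# Constructed sample of an audit_trail=XML file with three records:
# a SYS password change, a failed logon (ORA-01017) and a SELECT.
SAMPLE_XML = """<Audit xmlns="http://xmlns.oracle.com/oracleas/schema/dbserver_audittrail-11_2.xsd">
<AuditRecord><Audit_Type>1</Audit_Type><Session_Id>101</Session_Id><EntryId>1</EntryId>
<Extended_Timestamp>2015-11-22T22:01:05.120000Z</Extended_Timestamp>
<DB_User>SYS</DB_User><OS_User>oracle</OS_User><Userhost>db01</Userhost>
<Action>43</Action><Returncode>0</Returncode>
<Sql_Text>ALTER USER scott IDENTIFIED BY "t1ger"</Sql_Text></AuditRecord>
<AuditRecord><Audit_Type>1</Audit_Type><Session_Id>102</Session_Id><EntryId>1</EntryId>
<Extended_Timestamp>2015-11-22T22:03:41.000000Z</Extended_Timestamp>
<DB_User>SCOTT</DB_User><OS_User>jdoe</OS_User><Userhost>ws17</Userhost>
<Action>100</Action><Returncode>1017</Returncode></AuditRecord>
<AuditRecord><Audit_Type>1</Audit_Type><Session_Id>103</Session_Id><EntryId>1</EntryId>
<Extended_Timestamp>2015-11-22T22:05:00.500000Z</Extended_Timestamp>
<DB_User>SCOTT</DB_User><OS_User>jdoe</OS_User><Userhost>ws17</Userhost>
<Object_Schema>HR</Object_Schema><Object_Name>EMPLOYEES</Object_Name>
<Action>3</Action><Returncode>0</Returncode>
<Sql_Text>select *
from hr.employees</Sql_Text></AuditRecord>
</Audit>
"""

# Matches the password (quoted or bare) after IDENTIFIED BY [VALUES].
_PASSWORD_RE = re.compile(
    r"""(IDENTIFIED\s+BY\s+(?:VALUES\s+)?)('[^']*'|"[^"]*"|\S+)""",
    re.IGNORECASE,
)


def _local(tag):
    """Strip the XML namespace: '{uri}Sql_Text' -> 'Sql_Text'."""
    return tag.rsplit("}", 1)[-1]


def parse_audit_xml(text):
    """Return one dict per <AuditRecord>, keyed by child element name."""
    root = ET.fromstring(text)
    records = []
    for elem in root.iter():
        if _local(elem.tag) != "AuditRecord":
            continue
        records.append({_local(c.tag): (c.text or "").strip() for c in elem})
    return records


def redact_sql(sql):
    """Replace password literals so they never reach the SIEM."""
    return _PASSWORD_RE.sub(r"\1***", sql)


def select_new(records, watermark):
    """Keep records newer than the watermark and return the new watermark.
    Extended_Timestamp is ISO-8601 in UTC, so plain string order is
    chronological order."""
    new = sorted(
        (r for r in records if r.get("Extended_Timestamp", "") > watermark),
        key=lambda r: r["Extended_Timestamp"],
    )
    if new:
        watermark = new[-1]["Extended_Timestamp"]
    return new, watermark


def to_splunk_events(records, source="oracle:audit:xml"):
    """Build flat event dicts: redacted SQL, a 'failed' flag on non-zero
    Returncode (e.g. 1017 = invalid username/password), and a source tag."""
    events = []
    for r in records:
        ev = dict(r)
        if "Sql_Text" in ev:
            ev["Sql_Text"] = redact_sql(ev["Sql_Text"])
        ev["failed"] = ev.get("Returncode", "0") != "0"
        ev["source"] = source
        events.append(ev)
    return events


def to_json_lines(events):
    """One JSON object per line; json escapes newlines in Sql_Text, so each
    line is exactly one Splunk event regardless of multi-line statements."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in events)


def run(text, watermark=""):
    """Full pipeline for one file: parse, filter by watermark, normalise."""
    new, watermark = select_new(parse_audit_xml(text), watermark)
    return to_splunk_events(new), watermark


if __name__ == "__main__":
    events, wm = run(SAMPLE_XML)
    print(to_json_lines(events))
    print("watermark:", wm)
```

Persist the returned watermark between runs (a small state file next to the script is enough); a second run over the same file then yields no events. The same select/redact/serialise steps apply unchanged to rows pulled from sys.aud$ or DBA_AUDIT_TRAIL, where the watermark would be the TIMESTAMP column and the SQL_TEXT column needs the same redaction.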
