Re: Oracle and Splunk

The Splunk forwarder can pick up file path patterns, so for example you can specify "/u01/app/oracle/diag/rdbms/*/*/trace/alert*.log" and it will index all of the alert logs for every database on the node. Or for audit log files, something like "/path/to/audit/*.aud". This is really useful on servers and clusters that host multiple databases.

If you're using pure unified auditing this does not work, since those audit data are stored in a database table. Instead, you've got to use the Splunk DB Connect client to connect to each and every database individually.

On Mon, Sep 14, 2020 at 3:54 PM Andrew Kerber <andrew.kerber_at_gmail.com> wrote:

> I havent worked with splunk much, but I am pretty sure that you can tell
> Splunk to capture just about any file you want. What would you want to do
> rather than send it to syslog?
>
> On Mon, Sep 14, 2020 at 3:49 PM MacGregor, Ian A. <
> dmarc-noreply_at_freelists.org> wrote:
>
>> Otr security team wants Oreacle audit information for some databases to
>> be in Splunk. I have fulfilled this request by writing the audit
>> information to the server's"syslog" which is captured by or provided to
>> Splunk. This is less than ideal. I am curious if others have this
>> requirement, and what they are doing about it?
>>
>>
>> Ian A. MacGregor
>> SLAC National Accelerator Laboratory
>> Computing Division
>> To offer the best IT service at the lab and be the IT provider of choice.
>>
>
>
> --
> Andrew W. Kerber
>
> 'If at first you dont succeed, dont take up skydiving.'
>

--
http://www.freelists.org/webpage/oracle-l