Re: Oracle and Splunk

From: Andy Wattenhofer
Date: Mon, 14 Sep 2020 16:42:57 -0500

The Splunk forwarder can pick up file path patterns, so for example you can specify "/u01/app/oracle/diag/rdbms/*/*/trace/alert*.log" and it will index all of the alert logs for every database on the node. Or for audit log files, something like "/path/to/audit/*.aud". This is really useful on servers and clusters that host multiple databases.

If you're using pure unified auditing this does not work, since those audit data are stored in a database table. Instead, you've got to use the Splunk DB Connect client to connect to each and every database individually.

On Mon, Sep 14, 2020 at 3:54 PM Andrew Kerber wrote:

> I haven't worked with Splunk much, but I am pretty sure that you can tell
> Splunk to capture just about any file you want. What would you want to do
> rather than send it to syslog?
> On Mon, Sep 14, 2020 at 3:49 PM MacGregor, Ian A. wrote:
>> Our security team wants Oracle audit information for some databases to
>> be in Splunk. I have fulfilled this request by writing the audit
>> information to the server's "syslog" which is captured by or provided to
>> Splunk. This is less than ideal. I am curious if others have this
>> requirement, and what they are doing about it?
>> Ian A. MacGregor
>> SLAC National Accelerator Laboratory
>> Computing Division
>> To offer the best IT service at the lab and be the IT provider of choice.
> --
> Andrew W. Kerber
> 'If at first you don't succeed, don't take up skydiving.'

Received on Mon Sep 14 2020 - 23:42:57 CEST
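
The file path patterns from Andy Wattenhofer's reply, written as forwarder monitor stanzas. This is an added example, not part of the original thread; the index and sourcetype values are placeholders chosen here, and "/path/to/audit" is the thread's own placeholder path.

```ini
# inputs.conf on the Splunk forwarder (added example).
# index and sourcetype values below are placeholders, not from the thread.

# Alert logs for every database on the node. Each "*" matches within a
# single path segment, so the two wildcards cover both directory levels
# between rdbms/ and trace/.
[monitor:///u01/app/oracle/diag/rdbms/*/*/trace/alert*.log]
index = oracle_placeholder
sourcetype = oracle_alert_placeholder
disabled = false

# File-based audit records. Replace /path/to/audit with the directory
# the databases actually write their .aud files to.
[monitor:///path/to/audit/*.aud]
index = oracle_placeholder
sourcetype = oracle_audit_placeholder
disabled = false
# Ignore files that have not been modified in the last 7 days, so old
# audit files are not all indexed when the input is first enabled.
ignoreOlderThan = 7d
```

Neither stanza picks up unified audit records, which per the reply are stored in a database table and need Splunk DB Connect against each database.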
