Date: Mon, 14 Sep 2020 20:54:38 -0700
At a variety of Government agencies, audit messages are sent to syslog or to other logfiles. The log files are accessible by Splunk only through extended ACLs.

There are controls at the Splunk level as to who can see what logs so they are not just available to everyone.

Managers and sysadmins can see the access and audit logs in Splunk whereas DBAs cannot.

The DBAs can see the Splunk consuming of the alert logs or trace files.

It is workable from a security perspective as long as security is implemented at the Splunk level on who can access what. If you don't have that separation of duties, then I would speak to who is in charge of security that they are violating the very security protocols that they are trying to enforce at the server level.

From: <> On Behalf Of MacGregor, Ian A. (Redacted sender "ian" for DMARC)
Sent: Monday, September 14, 2020 1:47 PM
To: ORACLE-L ( <>
Subject: Oracle and Splunk

Our security team wants Oracle audit information for some databases to be in Splunk. I have fulfilled this request by writing the audit information to the server's "syslog" which is captured by or provided to Splunk. This is less than ideal. I am curious if others have this requirement, and what they are doing about it?
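
The separation of duties described in the reply (managers and sysadmins can search the audit logs, DBAs only the alert and trace logs) can be checked against Splunk's role definitions. The following is an added example, not code from the thread: it parses a constructed `authorize.conf` and lists every role that can search a given index, following `importRoles` inheritance and wildcards. All role and index names are hypothetical, and wildcard matching is simplified to `fnmatch`.

```python
import configparser
from fnmatch import fnmatchcase

# Constructed authorize.conf; role and index names are hypothetical.
SAMPLE_AUTHORIZE_CONF = """
[role_oracle_base]
srchIndexesAllowed = oracle_alert;oracle_trace

[role_dba]
importRoles = oracle_base
srchIndexesAllowed = oracle_trace

[role_sysadmin]
importRoles = oracle_base
srchIndexesAllowed = oracle_audit

[role_dba_oncall]
importRoles = dba
srchIndexesAllowed = oracle_*
"""

def _split(value):
    # Splunk uses semicolon-separated lists for these settings.
    return [v.strip() for v in value.split(";") if v.strip()]

def load_roles(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case (srchIndexesAllowed)
    cp.read_string(text)
    return {
        s[len("role_"):]: {
            "imports": _split(cp[s].get("importRoles", "")),
            "indexes": _split(cp[s].get("srchIndexesAllowed", "")),
        }
        for s in cp.sections() if s.startswith("role_")
    }

def effective_indexes(roles, name, _seen=None):
    # A role inherits the allowed indexes of every role it imports.
    seen = _seen if _seen is not None else set()
    if name in seen or name not in roles:
        return set()
    seen.add(name)
    patterns = set(roles[name]["indexes"])
    for parent in roles[name]["imports"]:
        patterns |= effective_indexes(roles, parent, seen)
    return patterns

def roles_that_can_search(roles, index):
    return sorted(r for r in roles
                  if any(fnmatchcase(index, p) for p in effective_indexes(roles, r)))
```

In the sample, `dba_oncall` reaches the audit index through the `oracle_*` wildcard even though `oracle_audit` is never named in a DBA role, which is the kind of gap this check is meant to surface.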

