RE: [External] Moving from database to OS audit trail
Date: Wed, 16 Sep 2020 12:58:24 +0000
Message-ID: <BY5PR08MB6294E7A300A03EBD6BECB345FE210_at_BY5PR08MB6294.namprd08.prod.outlook.com>
We did some testing and I got some further clarification.
Apparently the requirement is that all auditing be logged to the syslog file. The DBA on the project tried various settings and could not get it to populate both syslog and v$xml_audit_trail (see below for test results). Is there some setting we missed trying or is this just not possible?
And if not possible, does anyone have an easy way to query the syslog file?
Thanks!
setting 1 -
audit_file_dest string /app/oracle/diag/adump
audit_sys_operations boolean TRUE
audit_syslog_level string LOCAL7.INFO
audit_trail string XML
unified_audit_sga_queue_size integer 1048576

setting 2 -
audit_file_dest string /app/oracle/diag/adump
audit_sys_operations boolean TRUE
audit_syslog_level string LOCAL7.INFO
audit_trail string XML, EXTENDED
unified_audit_sga_queue_size integer 1048576

setting 3 -
audit_file_dest string /app/oracle/diag/adump
audit_sys_operations boolean TRUE
audit_syslog_level string LOCAL7.INFO
audit_trail string OS
unified_audit_sga_queue_size integer 1048576

From: oracle-l-bounce_at_freelists.org <oracle-l-bounce_at_freelists.org> On Behalf Of dmarc-noreply_at_freelists.org
Sent: Monday, September 14, 2020 1:26 PM
To: jbeckstrom_at_gcrta.org; oracle-l_at_freelists.org
Subject: RE: [External] Moving from database to OS audit trail
Thank you! We’ll test that out (and cross our fingers that the format is acceptable to the security folk).

From: oracle-l-bounce_at_freelists.org <oracle-l-bounce_at_freelists.org> On Behalf Of Jeffrey Beckstrom
Sent: Monday, September 14, 2020 11:39 AM
To: oracle-l-freelist <oracle-l_at_freelists.org>; Miller, Jay <Jay.Miller_at_tdameritrade.com>
Subject: Re: [External] Moving from database to OS audit trail
We send our audit trail to xml audit trail files. We then query it from v$xml_audit_trail.
Jeffrey Beckstrom
Lead Database Administrator
Information Technology Department
Greater Cleveland Regional Transit Authority
1240 W. 6th Street
Cleveland, Ohio 44113

>>> "" (Redacted sender "Jay.Miller" for DMARC) <dmarc-noreply_at_freelists.org> 9/14/20 11:31 AM >>>
We have just been given the requirement to move our auditing from database to OS and I was wondering how other people have handled obtaining the data which is currently easily available from dba_audit_trail.
For example things like getting a histogram of login times to see if there was a sudden surge in connect activity or finding the name of an app server which is locking an account by sending invalid passwords. Really easy now but with OS files? How are other people handling this?
I’m told all the information will be available in Splunk though I have no idea how easy that will be to access.
TIA,
Jay Miller
--
http://www.freelists.org/webpage/oracle-l
Received on Wed Sep 16 2020 - 14:58:24 CEST
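Since the thread asks for an easy way to query the syslog copy of the audit trail, here is an added example (not written by any of the thread's participants) that parses Oracle OS/syslog-style audit records and answers the two questions raised: logons per hour, and which host is sending bad passwords for which account. It assumes the NAME:[len] "value" field layout of Oracle's OS audit records and a standard syslog timestamp prefix; the sample lines are constructed, not captured from a real system.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample (not real data): syslog lines in the NAME:[len] "value"
# layout Oracle uses for OS/syslog audit records. LENGTH is not validated here.
SAMPLE_SYSLOG = """\
Sep 14 09:02:11 dbhost Oracle Audit[4711]: LENGTH: "150" SESSIONID:[6] "100001" ENTRYID:[1] "1" USERID:[5] "SCOTT" USERHOST:[8] "appsrv01" ACTION:[3] "100" RETURNCODE:[1] "0" DBID:[10] "1234567890"
Sep 14 09:17:45 dbhost Oracle Audit[4711]: LENGTH: "150" SESSIONID:[6] "100002" ENTRYID:[1] "1" USERID:[5] "SCOTT" USERHOST:[8] "appsrv01" ACTION:[3] "100" RETURNCODE:[1] "0" DBID:[10] "1234567890"
Sep 14 10:03:09 dbhost Oracle Audit[4711]: LENGTH: "153" SESSIONID:[6] "100003" ENTRYID:[1] "1" USERID:[5] "SCOTT" USERHOST:[8] "appsrv02" ACTION:[3] "100" RETURNCODE:[4] "1017" DBID:[10] "1234567890"
Sep 14 10:03:10 dbhost Oracle Audit[4711]: LENGTH: "153" SESSIONID:[6] "100004" ENTRYID:[1] "1" USERID:[5] "SCOTT" USERHOST:[8] "appsrv02" ACTION:[3] "100" RETURNCODE:[4] "1017" DBID:[10] "1234567890"
Sep 14 10:03:12 dbhost Oracle Audit[4711]: LENGTH: "153" SESSIONID:[6] "100005" ENTRYID:[1] "1" USERID:[5] "SCOTT" USERHOST:[8] "appsrv02" ACTION:[3] "100" RETURNCODE:[4] "1017" DBID:[10] "1234567890"
Sep 14 10:41:30 dbhost Oracle Audit[4711]: LENGTH: "147" SESSIONID:[6] "100006" ENTRYID:[1] "1" USERID:[2] "HR" USERHOST:[8] "appsrv01" ACTION:[3] "100" RETURNCODE:[1] "0" DBID:[10] "1234567890"
Sep 14 10:45:00 dbhost Oracle Audit[4711]: LENGTH: "147" SESSIONID:[6] "100006" ENTRYID:[1] "2" USERID:[2] "HR" USERHOST:[8] "appsrv01" ACTION:[3] "101" RETURNCODE:[1] "0" DBID:[10] "1234567890"
"""

FIELD = re.compile(r'([A-Z$_]+):\[(\d+)\] "')  # NAME:[len] " ... value follows
LOGON = "100"          # ACTION code 100 = LOGON (101 = LOGOFF) in the audit action table
BAD_PASSWORD = "1017"  # RETURNCODE 1017 = ORA-01017 invalid username/password

def parse_record(line):
    """Return the audit fields of one syslog line as a dict.
    The [len] prefix is trusted instead of scanning for a closing quote,
    so values that themselves contain quotes (e.g. SQL text) do not break parsing."""
    fields, pos = {}, 0
    while (m := FIELD.search(line, pos)):
        name, length, start = m.group(1), int(m.group(2)), m.end()
        fields[name] = line[start:start + length]
        pos = start + length + 1      # step over the value and its closing quote
    fields["TIMESTAMP"] = line[:15]   # syslog's "Mon DD HH:MM:SS" prefix
    return fields

def logon_attempts(text):
    """All LOGON records (successful or not), in file order."""
    recs = (parse_record(l) for l in text.splitlines() if l.strip())
    return [r for r in recs if r.get("ACTION") == LOGON]

def logons_per_hour(text):
    """Histogram of logon attempts per hour: shows a sudden connect surge."""
    hist = Counter()
    for r in logon_attempts(text):
        when = datetime.strptime(r["TIMESTAMP"], "%b %d %H:%M:%S")
        hist[when.strftime("%b %d %H:00")] += 1
    return hist

def failed_logons_by_host(text):
    """(USERID, USERHOST) pairs sending bad passwords: the host locking an account."""
    return Counter((r["USERID"], r["USERHOST"]) for r in logon_attempts(text)
                   if r.get("RETURNCODE") == BAD_PASSWORD)
```

The syslog prefix carries no year, so the hourly buckets assume one log file spans a single year.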