Oracle Audit Vault

 

The Oracle Audit Vault DSM for JSA accepts events from Oracle v10.2.3.2 and later, using the Java Database Connectivity (JDBC) protocol to access alerts.

JSA records Oracle Audit Vault alerts from the source database and captures events as configured by the Oracle Audit Policy Setting. When events occur, the alerts are stored in the avsys.av$alert_store table. Customized events are created in Oracle Audit Vault by a user with AV_AUDITOR permissions.

See your vendor documentation about configuration of Audit Policy Settings in Oracle Audit Vault.

In Oracle Audit Vault, alert names are not mapped to a JSA Identifier (QID). Using the Map Event function in the JSA Events interface, you can map a normalized or raw event to a high-level and low-level category (or QID). With the Oracle Audit Vault DSM, category mapping can be done by mapping your high or low category alerts directly to an alert name (ALERT_NAME field) in the payload. For information about the Events interface, see the Juniper Secure Analytics Users Guide.

Configuring a Log Source

You can configure a JSA log source to access the Oracle Audit Vault database by using the JDBC protocol:

  1. Log in to JSA.
  2. Click the Admin tab.
  3. On the navigation menu, click Data Sources.

    The Data Sources pane is displayed.

  4. Click the Log Sources icon.

    The Log Sources window is displayed.

  5. Click Add.
  6. Using the Log Source Type list, select Oracle Audit Vault.
  7. Using the Protocol Configuration list, select JDBC.
  8. Configure the following values:
    1. Database Type: Oracle

    2. Database Name: <Audit Vault Database Name>

    3. Table Name: avsys.av$alert_store

    4. Select List: *

    5. Compare Field: ALERT_SEQUENCE

    6. IP or Hostname: <Location of Oracle Audit Vault Server>

    7. Port: <Default Port>

    8. Username: <Database Access Username having AV_AUDITOR role>

    9. Password: <Password>

    10. Polling Interval: <Default Interval>

    Verify that the AV_AUDITOR password is entered correctly before the JDBC protocol configuration is saved. Oracle Audit Vault might lock the user account because of repeated failed login attempts.

    When the AV_AUDITOR account is locked, data in the avsys.av$alert_store table cannot be accessed. To unlock the account, first correct the password entry in the protocol configuration. Then log in to Oracle Audit Vault through the Oracle sqlplus prompt as the avadmindva user and run the alter user <AV_AUDITOR USER> account unlock command.

  9. Click Save.
  10. On the Admin tab, click Deploy Changes.

    Earlier versions of the JDBC protocol for JSA do not support Oracle time stamps that depend on local time zone conversion, so the fields AV_ALERT_TIME, ACTUAL_ALERT_TIME, and TIME_CLEARED in the payload display only object identifiers until your JDBC protocol is updated.
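
The following SQL*Plus checks are an added example, not part of the Juniper or Oracle documentation. They confirm that the account from step 8 is unlocked and can read avsys.av$alert_store in ALERT_SEQUENCE order, and they show the data types of the three time stamp fields. The user name JSA_AUDITOR is a placeholder, and the WHERE / ORDER BY shape is an assumption about how a compare-field poll reads the table, not the statement the JDBC protocol actually issues.

```sql
-- Added example. JSA_AUDITOR is a placeholder for the account entered in the
-- Username field of the log source; replace it with your own AV_AUDITOR user.

-- 1. As an administrative user: is the account open, and how many failed
--    logins does its profile allow before Oracle locks it?
--    A limit of DEFAULT means the value is inherited from the DEFAULT profile.
SELECT u.username, u.account_status, u.lock_date, p.limit AS failed_login_limit
  FROM dba_users u
  JOIN dba_profiles p
    ON p.profile = u.profile
   AND p.resource_name = 'FAILED_LOGIN_ATTEMPTS'
 WHERE u.username = 'JSA_AUDITOR';

-- 2. Only after the password has been corrected in the JSA protocol
--    configuration, unlock the account. Unlocking first lets the next polls,
--    still using the wrong password, lock it again.
ALTER USER JSA_AUDITOR ACCOUNT UNLOCK;

-- 3. Connected as JSA_AUDITOR itself: confirm read access and that
--    ALERT_SEQUENCE can serve as the compare field. :last_seen stands in for
--    the highest value already collected (assumed polling behaviour).
--    ROWNUM is used instead of FETCH FIRST so the query also runs on 10g.
VARIABLE last_seen NUMBER
EXEC :last_seen := 0

SELECT *
  FROM (SELECT alert_sequence, alert_name
          FROM avsys.av$alert_store
         WHERE alert_sequence > :last_seen
         ORDER BY alert_sequence)
 WHERE ROWNUM <= 10;

-- 4. Show the declared types of the time stamp fields that appear as object
--    identifiers when the JDBC protocol version is too old to convert them.
SELECT column_name, data_type
  FROM all_tab_columns
 WHERE owner = 'AVSYS'
   AND table_name = 'AV$ALERT_STORE'
   AND column_name IN ('AV_ALERT_TIME', 'ACTUAL_ALERT_TIME', 'TIME_CLEARED');
```

An ORA-00942 error in check 3 means the account cannot see the table, so the log source would collect nothing even with a correct password.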