Oracle Audit Vault
The Oracle Audit Vault DSM for JSA accepts events on Oracle v10.2.3.2 and later using Java Database Connectivity (JDBC) to access alerts on the JDBC protocol.
JSA records Oracle Audit Vault alerts from the source database and captures events as configured by the Oracle Audit Policy Setting. When events occur, the alerts are stored in the avsys.av$alert_store table. Customized events are created in Oracle Audit Vault by a user with the AV_AUDITOR role.
See your vendor documentation about configuration of Audit Policy Settings in Oracle Audit Vault.
In Oracle Audit Vault, alert names are not mapped to a JSA Identifier (QID). Using the Map Event function in the JSA Events interface, a normalized or raw event can be mapped to a high-level and low-level category (or QID). Using the Oracle Audit Vault DSM, category mapping can be done by mapping your high or low category alerts directly to an alert name (ALERT_NAME field) in the payload. For information about the Events interface, see the Juniper Secure Analytics Users Guide.
Configuring a Log Source
You can configure a JSA log source to access the Oracle Audit Vault database by using the JDBC protocol:
- Log in to JSA.
- Click the Admin tab.
- On the navigation menu, click Data Sources.
The Data Sources pane is displayed.
- Click the Log Sources icon.
The Log Sources window is displayed.
- Click Add.
- Using the Log Source Type list, select Oracle Audit Vault.
- Using the Protocol Configuration list, select JDBC.
- Configure the following values:
Database Type: Oracle
Database Name: <Audit Vault Database Name>
Table Name: avsys.av$alert_store
Select List: *
Compare Field: ALERT_SEQUENCE
IP or Hostname: <Location of Oracle Audit Vault Server>
Port: <Default Port>
Username: <Database Access Username having AV_AUDITOR role>
Polling Interval: <Default Interval>
Verify that the AV_AUDITOR password is entered correctly before the JDBC protocol configuration is saved. Oracle Audit Vault might lock the user account because of repeated failed login attempts.
When the AV_AUDITOR account is locked, data in the avsys.av$alert_store table cannot be accessed. To unlock this user account, first correct the password entry in the protocol configuration. Then log in to Oracle Audit Vault through the Oracle sqlplus prompt as the avadmindva user and run an alter user <AV_AUDITOR USER> account unlock command.
- Click Save.
- On the Admin tab, click Deploy Changes.
Earlier versions of the JDBC protocol for JSA do not support Oracle time stamps that depend on local time zone conversion, so the fields AV_ALERT_TIME, ACTUAL_ALERT_TIME, and TIME_CLEARED in the payload display only object identifiers until your JDBC protocol is updated.
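The Compare Field (ALERT_SEQUENCE) and the ALERT_NAME category mapping described above can be modelled together. This is an added example, not JSA or Oracle code. It assumes that polling reads only rows above the last sequence seen; the SQLite stand-in table, the Poller class, the alert names and the category label are all constructed for illustration.

```python
import sqlite3

def make_store():
    # Constructed in-memory stand-in for avsys.av$alert_store; only the two
    # columns this page names (ALERT_SEQUENCE, ALERT_NAME) are modelled.
    db = sqlite3.connect(":memory:")
    db.execute('CREATE TABLE "av$alert_store" '
               '(ALERT_SEQUENCE INTEGER PRIMARY KEY, ALERT_NAME TEXT)')
    return db

def add_alerts(db, rows):
    db.executemany('INSERT INTO "av$alert_store" VALUES (?, ?)', rows)

class Poller:
    """Hypothetical model of compare-field polling: keep the highest
    ALERT_SEQUENCE already read and request only rows above it."""

    def __init__(self, db, name_to_category):
        self.db = db
        self.last_seen = 0
        self.name_to_category = name_to_category  # ALERT_NAME -> category

    def poll(self):
        rows = self.db.execute(
            'SELECT * FROM "av$alert_store" WHERE ALERT_SEQUENCE > ? '
            'ORDER BY ALERT_SEQUENCE', (self.last_seen,)).fetchall()
        events = []
        for seq, name in rows:
            # Alert names have no built-in mapping, so unknown ones are flagged.
            events.append((seq, name, self.name_to_category.get(name, "UNMAPPED")))
            self.last_seen = seq
        return events

def unmapped_names(events):
    """Alert names an administrator still has to map to a category."""
    return sorted({name for _, name, cat in events if cat == "UNMAPPED"})

if __name__ == "__main__":
    store = make_store()
    # Constructed alert names and category label, for illustration only.
    add_alerts(store, [(1, "Failed DBA logon"), (2, "Audit policy changed")])
    poller = Poller(store, {"Failed DBA logon": "Authentication"})
    first = poller.poll()
    print(first, unmapped_names(first))
    add_alerts(store, [(3, "Failed DBA logon")])
    print(poller.poll())   # only the row added since the first poll
```

Alert names that come back as UNMAPPED are the ones to map to a category with the Map Event function.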