Oracle Audit Vault
The JSA DSM for Oracle Audit Vault collects events from an Oracle Audit Vault server.
The following table describes the specifications for the Oracle Audit Vault DSM:
Table 1: Oracle Audit Vault DSM Specifications
Specification | Value
---|---
Manufacturer | Oracle
DSM name | Oracle Audit Vault
RPM file name | DSM-Oracle Audit Vault-JSA_version-build_number.noarch.rpm
Supported versions | 10.3 and 12.2
Protocol | JDBC
Event format | name-value pair (NVP)
Recorded event types | All audit records from the AVSYS.AV$ALERT_STORE table for V10.3, or from the custom AVSYS.AV_ALERT_STORE_V view for V12.2.
Automatically discovered? | No
Includes identity? | No
Includes custom properties? | No
More information | 
To integrate Oracle Audit Vault with JSA, complete the following steps:
- If automatic updates are not configured, download the most recent version of the following RPMs on your JSA console:
  - JDBC Protocol RPM
  - DSMCommon RPM
  - Oracle Audit Vault DSM RPM
- Obtain the database information for your Oracle Audit Vault server, and then configure your Oracle Audit Vault database to allow incoming TCP connections.
- For each instance of Oracle Audit Vault, add an Oracle Audit Vault log source on the JSA Event Collector. The following table describes the parameters that require specific values to collect events from Oracle Audit Vault:
Table 2: Oracle Audit Vault JDBC Log Source Parameters
Parameter | Value
---|---
Log Source type | Oracle Audit Vault
Protocol Configuration | JDBC
Log Source Identifier | Type a name for the log source. The name can't contain spaces and must be unique among all log sources of the log source type that is configured to use the JDBC protocol. If the log source collects events from a single appliance that has a static IP address or host name, use the IP address or host name of the appliance as all or part of the Log Source Identifier value; for example, 192.168.1.1 or JDBC192.168.1.1. If the log source doesn't collect events from a single appliance that has a static IP address or host name, you can use any unique name for the Log Source Identifier value; for example, JDBC1 or JDBC2.
Database Type | Oracle
Database Name | The name of the Oracle Audit Vault database.
IP or Hostname | The IP address or host name of the Oracle Audit Vault server.
Port | The port on which the Oracle Audit Vault database is listening.
Username | Any user with the AV_AUDITOR permission; for example, AVAUDITOR.
Password | The password for the database user.
Predefined Query | None
Table Name | For Oracle Audit Vault Version 10.3, the Table Name value is AVSYS.AV$ALERT_STORE. For Oracle Audit Vault Version 12.2, the Table Name value is AVSYS.AV_ALERT_STORE_V.
Select List | The list of fields to include when the table is polled for events. You can use a comma-separated list, or type an asterisk (*) to select all fields from the table or view. If a comma-separated list is defined, the list must contain the field that is defined in the Compare Field.
Compare Field | For Oracle Audit Vault Version 10.3, the Compare Field value is ALERT_SEQUENCE. For Oracle Audit Vault Version 12.2, the Compare Field value is RECORD_ID.
Use Prepared Statements | You must select the Use Prepared Statements option.
Start Date and Time (Optional) | The initial date and time for the JDBC retrieval.
Use Oracle Encryption | Oracle Encryption and Data Integrity settings are also known as Oracle Advanced Security. If selected, Oracle JDBC connections require the server to support Oracle Data Encryption settings that are compatible with those of the client.
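The following Python script is an added example and is not part of this documentation or of JSA itself. It simulates what the Table 2 parameters mean to a JDBC-protocol log source: each poll selects rows whose Compare Field value is greater than a stored bookmark, binds that bookmark through a prepared statement, and then advances the bookmark to the highest value returned, so each record is collected exactly once. The `IncrementalPoller` class, `check_identifier`, `build_sample_db` and `demo` are names of this example, the in-memory SQLite stand-in for AVSYS.AV_ALERT_STORE_V holds constructed rows with only a few of the view's columns, and the exact bookmarking logic of the real JSA JDBC protocol is assumed, not documented here.

```python
import re
import sqlite3
from typing import List, Tuple

# Only plain or schema-qualified names such as AVSYS.AV_ALERT_STORE_V or RECORD_ID pass.
# Table and column names cannot be bound as prepared-statement parameters, so they are
# checked against this allowlist before they are placed into the SQL text.
_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_$#]*(\.[A-Za-z_][A-Za-z0-9_$#]*)?$")


def check_identifier(name: str) -> str:
    """Reject anything that is not a bare SQL identifier (assumed validation rule)."""
    if not _IDENT.match(name):
        raise ValueError(f"invalid SQL identifier: {name!r}")
    return name


class IncrementalPoller:
    """Models the Table 2 parameters: each poll fetches rows whose Compare Field value
    exceeds the stored bookmark (bound via a prepared statement) and then advances the
    bookmark, so a record is collected once and only new records are read next time."""

    def __init__(self, conn: sqlite3.Connection, table_name: str, select_list: str,
                 compare_field: str, start_value: int = 0) -> None:
        self.conn = conn
        self.table = check_identifier(table_name)
        self.compare = check_identifier(compare_field)
        columns = [c.strip() for c in select_list.split(",")]
        if columns != ["*"]:
            for column in columns:
                check_identifier(column)
            # The poller reads the new bookmark from the returned row, so the
            # Compare Field has to be part of the Select List.
            if self.compare not in columns:
                raise ValueError("Select List must include the Compare Field")
        self.select = ", ".join(columns)
        self.bookmark = start_value

    def poll(self) -> List[Tuple]:
        # Identifiers were validated above; the bookmark value is bound, never interpolated.
        sql = (f"SELECT {self.select} FROM {self.table} "
               f"WHERE {self.compare} > ? ORDER BY {self.compare}")
        cursor = self.conn.execute(sql, (self.bookmark,))
        names = [d[0] for d in cursor.description]
        rows = cursor.fetchall()
        if rows:
            self.bookmark = rows[-1][names.index(self.compare)]
        return rows


def build_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for the V12.2 view, with a few of its columns and rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("ATTACH DATABASE ':memory:' AS AVSYS")
    conn.execute("CREATE TABLE AVSYS.AV_ALERT_STORE_V (RECORD_ID INTEGER, USER_NAME TEXT, "
                 "EVENT_NAME TEXT, EVENT_STATUS INTEGER)")
    conn.executemany("INSERT INTO AVSYS.AV_ALERT_STORE_V VALUES (?, ?, ?, ?)", [
        (23958, "SCOTT", "LOGON", 0),
        (23959, "SCOTT", "SELECT", 0),
        (23960, "SYS", "LOGON", 1),
    ])
    return conn


def demo() -> Tuple[int, int, int]:
    """Two polls: the first collects every record, the second only the record added later.
    Returns (rows from poll 1, rows from poll 2, final bookmark)."""
    conn = build_sample_db()
    poller = IncrementalPoller(conn, "AVSYS.AV_ALERT_STORE_V",
                               "RECORD_ID, USER_NAME, EVENT_NAME, EVENT_STATUS", "RECORD_ID")
    first = len(poller.poll())
    conn.execute("INSERT INTO AVSYS.AV_ALERT_STORE_V VALUES (23961, 'SYS', 'LOGOFF', 0)")
    second = len(poller.poll())
    return first, second, poller.bookmark


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns `(3, 1, 23961)`: the first poll collects the three constructed records, the second poll only the one inserted afterwards, and the bookmark ends at the highest RECORD_ID seen. The same poller rejects a Select List that omits the Compare Field, which is the reason for the Select List rule in Table 2, and it shows the split a practitioner wants between values (bound as parameters, which is what Use Prepared Statements gives you) and identifiers (which must be validated, because a table or column name can never be a bound parameter).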
- Verify that JSA is configured correctly.
The following table shows a sample parsed audit event message from Oracle Audit Vault:
Table 3: Oracle Audit Vault Sample Message
Event name | Low level category | Sample log message
---|---|---
LOGON-success | 3075 | ALERT_SEQUENCE: "25" AV_ALERT_TIME: "2010-01-11 13:02:13.30702" ACTUAL_ALERT_TIME: "2010-01-11 12:19:36.0" TIME_CLEARED: "null" ALERT_NAME: "testing2" TARGET_OWNER: "null" TARGET_OBJECT: "null" ASSOCIATED_OBJECT_OWNER: "null" ASSOCIATED_OBJECT_NAME: "null" ALERT_SEVERITY: "1" CLIENT_HOST: "host.domain.lab" CLIENT_HOSTIP: "<client_host_IP_address>" SOURCE_HOST: "<source_host_IP_address>" SOURCE_HOSTIP: "<source_host_IP_address>" PROCESS#: "3428" OSUSER_NAME: "null" USERNAME: "<os_user_name>" INSTANCE_NAME: "null" INSTANCE_NUMBER: "null" EVENT_STATUS: "0" CONTEXTID: "1561" SUB_CONTEXTID: "null" PARENT_CONTEXTID: "null" SOURCE_NAME: "XE" RECORD_ID: "23960" MSG_NUMBER: "0" CAT_ID: "2" EVENT_ID: "95" MSG_ARG_1: "null" MSG_ARG2: "null" MSG_ARG3: "null" MSG_ARG4: "null" MSG_ARG5: "null"
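As an added example that is not part of this documentation, the following Python code parses the name-value pair (NVP) format shown in Table 3 and pulls out the fields a collector cares about. `SAMPLE_MESSAGE` is constructed from the Table 3 message (the page's placeholders are kept as they are); `parse_nvp`, `summarize` and `COMPARE_FIELD` are names of this example, and the EVENT_STATUS mapping (0 is success, 1 is failure) follows the decode() used in the V12.2 view definition in the next section.

```python
import re
from typing import Dict, Optional

# Constructed sample, modelled on the Table 3 message above.
SAMPLE_MESSAGE = (
    'ALERT_SEQUENCE: "25" AV_ALERT_TIME: "2010-01-11 13:02:13.30702" '
    'ACTUAL_ALERT_TIME: "2010-01-11 12:19:36.0" TIME_CLEARED: "null" '
    'ALERT_NAME: "testing2" TARGET_OWNER: "null" TARGET_OBJECT: "null" '
    'ASSOCIATED_OBJECT_OWNER: "null" ASSOCIATED_OBJECT_NAME: "null" '
    'ALERT_SEVERITY: "1" CLIENT_HOST: "host.domain.lab" '
    'CLIENT_HOSTIP: "<client_host_IP_address>" SOURCE_HOST: "<source_host_IP_address>" '
    'SOURCE_HOSTIP: "<source_host_IP_address>" PROCESS#: "3428" OSUSER_NAME: "null" '
    'USERNAME: "<os_user_name>" INSTANCE_NAME: "null" INSTANCE_NUMBER: "null" '
    'EVENT_STATUS: "0" CONTEXTID: "1561" SUB_CONTEXTID: "null" PARENT_CONTEXTID: "null" '
    'SOURCE_NAME: "XE" RECORD_ID: "23960" MSG_NUMBER: "0" CAT_ID: "2" EVENT_ID: "95" '
    'MSG_ARG_1: "null" MSG_ARG2: "null" MSG_ARG3: "null" MSG_ARG4: "null" MSG_ARG5: "null"'
)

# One KEY: "value" pair; keys such as PROCESS# and MSG_ARG_1 contain '#', digits and '_'.
_PAIR = re.compile(r'([A-Z0-9_#]+):\s*"([^"]*)"')

# Compare Field per Oracle Audit Vault version, as in Table 2.
COMPARE_FIELD = {"10.3": "ALERT_SEQUENCE", "12.2": "RECORD_ID"}


def parse_nvp(message: str) -> Dict[str, Optional[str]]:
    """Parse a KEY: "value" message into a dict; the literal string "null" becomes None."""
    fields: Dict[str, Optional[str]] = {}
    for key, value in _PAIR.findall(message):
        fields[key] = None if value == "null" else value
    return fields


def summarize(fields: Dict[str, Optional[str]], version: str = "10.3") -> dict:
    """Reduce a parsed record to the bookmark, outcome and source host a collector keys on."""
    status = {"0": "success", "1": "failure"}.get(fields.get("EVENT_STATUS") or "", "unknown")
    severity = fields.get("ALERT_SEVERITY")
    return {
        "bookmark": int(fields[COMPARE_FIELD[version]]),
        "status": status,
        "client_host": fields.get("CLIENT_HOST"),
        "severity": int(severity) if severity is not None else None,
    }


if __name__ == "__main__":
    parsed = parse_nvp(SAMPLE_MESSAGE)
    print(summarize(parsed, "10.3"))
    print(summarize(parsed, "12.2"))
```

For the sample message the parser yields `ALERT_SEQUENCE` 25 and `RECORD_ID` 23960, which are exactly the two bookmark values a 10.3 and a 12.2 log source would advance on, and maps `EVENT_STATUS: "0"` to a successful logon, matching the LOGON-success event name in Table 3. Treating the string "null" as a missing value keeps a "null" host name or user from being indexed as a real one.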
Configuring Oracle Audit Vault to Communicate with JSA
If you are using Oracle Audit Vault V12.2, you must create a database view. If you are using Oracle Audit Vault V10.3, no further configuration is required.
- Log in to your Oracle Audit Vault V12.2 database as the AVSYS user.
- To create the database view, type the following query (the view name must match the Table Name value of the log source, AVSYS.AV_ALERT_STORE_V):

```sql
-- View over AVSYS.EVENT_LOG that exposes only records for which an alert was raised;
-- EVENT_STATUS is normalized to 0 (success) or 1 (failure) for the JSA DSM.
create or replace view AVSYS.AV_ALERT_STORE_V as
select RECORD_ID, USER_NAME, SECURED_TARGET_ID, SECURED_TARGET_NAME, SECURED_TARGET_TYPE,
       EVENT_TIME, OSUSER_NAME, COMMAND_CLASS,
       nvl(to_number(decode(EVENT_STATUS, 'SUCCESS', '0', 'FAILURE', '1', '1')), 1) EVENT_STATUS,
       EVENT_NAME EVENT_ID, nvl(ERROR_CODE, 0) ERROR_CODE, ERROR_MESSAGE, AV_TIME,
       TARGET_TYPE, TARGET_OBJECT, TARGET_OWNER, CLIENT_HOST_NAME, CLIENT_IP,
       AUDIT_TRAIL_ID, MONITORING_POINT_ID, MARKER, ALERT_RAISED, ACTION_TAKEN,
       NETWORK_CONNECTION, LOGFILE_ID, SERVICE_NAME, POLICY_NAME, THREAT_SEVERITY,
       LOG_CAUSE, CLUSTER_ID, CLUSTER_TYPE, GRAMMAR_VERSION, CLIENT_PROGRAM,
       COMMAND_TEXT, COMMAND_PARAM, EXTENSION, SECURED_TARGET_CLASS, LOCATION,
       TERMINAL, CLIENT_ID
  from avsys.EVENT_LOG el
 where el.alert_raised = 1;
```

- To allow a user that has the AV_AUDITOR permission to read the view that you created, type the following query:

```sql
-- Read-only access is all the JSA log source user needs.
grant select on AVSYS.AV_ALERT_STORE_V to AV_AUDITOR;
```