Oracle OS Audit
The Oracle OS Audit DSM for JSA allows monitoring of the audit records that are stored in the local operating system file.
When audit event files are created or updated in the local operating system directory, a Perl script detects the change and forwards the data to JSA. The Perl script monitors the audit log file and combines any multi-line log entries into a single log entry, so that a record that spans several lines in the log file is not forwarded line by line. The logs are then sent to JSA by using syslog. The Perl scripts written for Oracle OS Audit work on Linux/UNIX servers only; Windows-based Perl installations are not supported.
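The two steps the forwarder performs, combining a multi-line audit record into one entry and wrapping it in a syslog line, shown as an added Python example (not the Perl script from the page). The sample records are constructed and their field layout is an assumption about Oracle *.aud files; the tag name oracle_osaudit is also an assumption.

```python
import re
from datetime import datetime
from typing import List

# Constructed sample of two records as they appear in an Oracle OS audit
# (*.aud) file; the field layout is an assumption, not taken from the page.
SAMPLE_AUD = """\
Thu Mar 10 12:34:56 2022 +00:00
LENGTH : '176'
ACTION :[7] 'CONNECT'
DATABASE USER:[1] '/'
PRIVILEGE :[6] 'SYSDBA'
STATUS:[1] '0'

Thu Mar 10 12:35:10 2022 +00:00
LENGTH : '180'
ACTION :[8] 'SHUTDOWN'
DATABASE USER:[1] '/'
PRIVILEGE :[6] 'SYSDBA'
STATUS:[1] '0'
"""

FACILITY = {"user": 1, "local0": 16, "local1": 17, "local2": 18, "local3": 19}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
            "notice": 5, "info": 6, "debug": 7}


def combine_records(text: str) -> List[str]:
    """Join each blank-line-separated, multi-line audit record into one line."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if lines:
            records.append(" | ".join(lines))
    return records


def syslog_pri(facility_priority: str) -> int:
    """PRI value from 'facility.priority' (the -f argument): facility * 8 + severity."""
    fac, sev = facility_priority.lower().split(".")
    return FACILITY[fac] * 8 + SEVERITY[sev]


def format_syslog(record: str, host: str, facility_priority: str = "user.info",
                  tag: str = "oracle_osaudit") -> str:
    """Wrap one combined record in an RFC 3164 line; host is the -H value."""
    # The record's own timestamp line becomes the syslog TIMESTAMP field;
    # strptime raises ValueError if the record does not start with one.
    ts = datetime.strptime(record.split(" | ", 1)[0], "%a %b %d %H:%M:%S %Y %z")
    stamp = f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"
    return f"<{syslog_pri(facility_priority)}>{stamp} {host} {tag}: {record}"
```

Each line returned by format_syslog is one complete audit record, which is what the collector expects to receive over syslog.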
To integrate the Oracle OS Audit DSM with JSA:
- Go to the following website to download the files that you need:
- From the Software tab, select Scripts.
- Download the Oracle OS Audit script:
- Type the following command to extract the file:
tar -zxvf oracle_osauditlog_fwdr_5.3.tar.gz
- Copy the Perl script to the server that hosts the Oracle
Perl 5.8 must be installed on the device that hosts the Oracle server. If Perl 5.8 is not installed, you might see errors about missing library files when you attempt to start the Oracle OS Audit script. Verify that Perl 5.8 is installed before you continue.
- Log in to the Oracle host as an Oracle user that has SYS or root privilege.
- Make sure the ORACLE_HOME and ORACLE_SID environment variables are configured properly for your deployment.
- Open the following file:
- For syslog, add the following lines to the file:
- Verify that the account has read/write permissions for the following
- Restart the Oracle database instance.
- Start the OS Audit DSM script:
oracle_osauditlog_fwdr_5.3.pl -t target_host -d logs_directory
Table 1: Oracle OS Audit Command Parameters

-t: The -t parameter defines the remote host that receives the audit log files.

-d: The -d parameter defines the directory location of the
The directory location that you specify must be the absolute path from the root directory.

-H: The -H parameter defines the host name or IP address for the syslog header. It is suggested that this is the IP address of the Oracle server on which the script is running.

-D: The -D parameter defines that the script runs in the foreground. The default is to run as a daemon (in the background) and log all internal messages to the local syslog service.

-n: The -n parameter processes new logs and monitors existing log files for changes to be processed. If the -n option is absent, all existing log files are processed when the script starts.

-u: The -u parameter defines UDP.

-f: The -f parameter defines the syslog facility.priority to be included at the beginning of the log. If you do not type a value,

-r: The -r parameter defines the directory name where you want to create the .pidfile. The default is /var/run. This parameter is ignored if -D is specified.

-I: The -I parameter defines the directory name where you want to create the lock file. The default is /var/lock. This parameter is ignored if -D is specified.

-h: The -h parameter displays the help message.

-v: The -v parameter displays the version information for the script.
If you restart your Oracle server, you must restart the script:
oracle_osauditlog_fwdr.pl -t target_host -d logs_directory
You can now configure the log sources within JSA.
Configuring the Log Sources Within JSA for Oracle OS Audit
You can configure the log sources within JSA.
- From the Log Source Type list, select Oracle RDBMS OS Audit Record.
- From the Protocol Configuration list, select syslog.
- In the Log Source Identifier field, type the address that is specified by using the -H option in Oracle OS Audit.
For more information about your Oracle Audit Record, see your vendor documentation.
The JSA DSM for osquery receives JSON formatted events from devices that use a Linux operating system. The osquery DSM is available for JSA V7.3.0 and later.
The osquery DSM supports rsyslog and the following queries that are included in the qradar.pack.conf file for osquery V3.3.2:
The supported osquery queries run on a 10 second interval and capture only the data that is available at that moment. For example, if a new process starts and finishes between two queries of container_processes, that process is not captured by osquery.
The following supported queries only capture data that is available at the 10 second querying interval:
To integrate osquery with JSA, complete the following steps: