Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Oracle OS Audit

The Oracle OS Audit DSM for JSA allows monitoring of the audit records that are stored in the local operating system file.

When audit event files are created or updated in the local operating system directory, a Perl script detects the change, and forwards the data to JSA. The Perl script monitors the Audit log file, and combines any multi-line log entries in to a single log entry to make sure that the logs are not forwarded line-by-line, because this is the format in the log file. Then, the logs are sent by using syslog to JSA. Perl scripts that are written for Oracle OS Audit work on Linux/UNIX servers only. Windows based Perl installations are not supported.

To integrate the Oracle OS Audit DSM with JSA:

  1. Go to the following website to download the files that you need:

    https://support.juniper.net/support/downloads/

  2. From the Software tab, select Scripts.

  3. Download the Oracle OS Audit script:

    oracle_osauditlog_fwdr_5.3.tar.gz

  4. Type the following command to extract the file:

    tar -zxvf oracle_osauditlog_fwdr_5.3.tar.gz

  5. Copy the Perl script to the server that hosts the Oracle server.

    Note:

    Perl 5.8 must be installed on the device that hosts the Oracle server. If you do not have Perl 5.8 installed, you might be prompted that library files are missing when you attempt to start the Oracle OS Audit script. It is suggested that you verify that Perl 5.8 is installed before you continue.

  6. Log in to the Oracle host as an Oracle user that has SYS or root privilege.

  7. Make sure the ORACLE_HOME and ORACLE_SID environment variables are configured properly for your deployment.

  8. Open the following file:

    ${ORACLE_HOME}/dbs/init${ORACLE_SID}.ora

  9. For syslog, add the following lines to the file:

    *.audit_trail=os *.audit_syslog_level=local0.info

  10. Verify account has read/write permissions for the following directory:

    /var/lock/ /var/run/

  11. Restart the Oracle database instance.

  12. Start the OS Audit DSM script:

    oracle_osauditlog_fwdr_5.3.pl -t target_host -d logs_directory

    Table 1: Oracle OS Audit Command Parameters

    Parameters

    Description

    -t

    The -t parameter defines the remote host that receives the audit log files.

    -d

    The -d parameter defines directory location of the DDL and DML log files.

    The directory location that you specify should be the absolute path from the root directory.

    -H

    The -H parameter defines the host name or IP address for the syslog header. It is suggested that is the IP address of the Oracle server on which the script is running.

    -D

    The -D parameter defines that the script is to run in the foreground.

    Default is to run as a daemon (in the background) and log all internal messages to the local syslog service.

    -n

    The -n parameter processes new logs, and monitors existing log files for changes to be processed.

    If the -n option string is absent all existing log files are processed during script execution.

    -u

    The -u parameter defines UDP.

    -f

    The -f parameter defines the syslog facility.priority to be included at the beginning of the log.

    If you do not type a value, user.info is used.

    -r

    The -r parameter defines the directory name where you want to create the .pid file. The default is /var/run. This parameter is ignored if -D is specified.

    -l

    The -I parameter defines the directory name where you want to create the lock file. The default is /var/lock. This parameter is ignored if -D is specified.

    -h

    The -h parameter displays the help message.

    -v

    The -v parameter displays the version information for the script.

    If you restart your Oracle server you must restart the script:

    oracle_osauditlog_fwdr.pl -t target_host -d logs_directory

You can now configure the log sources within JSA.

Syslog Log Source Parameters for Oracle OS Audit

If JSA does not automatically detect the log source, add a Oracle OS Audit log source on the JSA Console by using the syslog protocol.

When using the syslog protocol, there are specific parameters that you must use.

The following table describes the parameters that require specific values to collect syslog events from Oracle OS Audit:

Table 2: Syslog IDS Log Source Parameters for the Oracle OS Audit DSM

Parameter

Value

Log Source Type

Oracle OS Audit

Protocol Configuration

Syslog

Log Source Identifier

Type the address that is specified by using the -H option.