Oracle RDBMS OS Audit Record
The JSA DSM for Oracle RDBMS OS Audit Record collects events from an Oracle device.
To integrate Oracle RDBMS OS Audit Record with JSA, complete the following steps:
1. If automatic updates are not enabled, RPMs are available for download from Juniper Downloads. Download and install the most recent version of the following RPMs on your JSA Console:
   - DSM Common RPM
   - OracleOSAudit DSM RPM
2. Configure your Oracle RDBMS OS Audit Record device to send events to JSA.
3. If JSA does not automatically detect the log source, add an Oracle RDBMS OS Audit Record log source on the JSA Console by using the Syslog or Log File protocol. For more information, see Syslog Log Source Parameters for Oracle RDBMS OS Audit Record or Log File Log Source Parameters for Oracle RDBMS OS Audit Record.
Oracle RDBMS OS Audit Record DSM Specifications
When you configure the Oracle RDBMS OS Audit Record DSM, understanding the specifications for the Oracle RDBMS OS Audit Record DSM can help ensure a successful integration. For example, knowing what the supported version of Oracle RDBMS OS Audit Record is before you begin can help reduce frustration during the configuration process.
The following table describes the specifications for the Oracle RDBMS OS Audit Record DSM.
| Specification | Value |
|---|---|
| Manufacturer | Oracle |
| DSM name | Oracle RDBMS OS Audit Record |
| RPM file name | DSM-OracleOSAudit-JSA_version-build_number.noarch.rpm |
| Supported versions | 9i, 10g, 11g |
| Protocol | Syslog, Log File protocol |
| Event format | name-value pair (NVP) |
| Recorded event types | Oracle events |
| Automatically discovered? | Yes |
| Includes identity? | Yes |
| Includes custom properties? | No |
| More information | |
Oracle RDBMS OS Audit Record Command Parameters
When you use Oracle RDBMS OS Audit Record commands, there are specific parameters that you must use.
The following table describes the Oracle RDBMS OS Audit Record command parameters for Oracle RDBMS OS Audit Record:
| Parameter | Description |
|---|---|
| -t | Defines the remote host that receives the audit log files. |
| -d | Defines the directory location of the DDL and DML log files. The directory location that you specify must be the absolute path from the root directory. |
| -H | Defines the host name or IP address for the syslog header. It is suggested that this is the IP address of the Oracle server on which the script is running. |
| -D | Runs the script in the foreground. The default is to run as a daemon (in the background) and log all internal messages to the local syslog service. |
| -n | Processes new logs, and monitors existing log files for changes to be processed. If the -n option string is absent, all existing log files are processed during script execution. |
| -u | Defines UDP. |
| -f | Defines the syslog facility.priority to be included at the beginning of the log. If you do not type a value, user.info is used. |
| -r | Defines the directory name where you want to create the .pid file. The default is /var/run. This parameter is ignored if -D is specified. |
| -l | Defines the directory name where you want to create the lock file. The default is /var/lock. This parameter is ignored if -D is specified. |
| -h | Displays the help message. |
| -v | Displays the version information for the script. |
When using the Oracle RDBMS OS Audit Record DSM for JSA, you can monitor the audit records that are stored in the local operating system file.
Syslog Log Source Parameters for Oracle RDBMS OS Audit Record
When you add an Oracle RDBMS OS Audit Record log source on the JSA Console by using the Syslog protocol, there are specific parameters that you must use.
The following table describes the parameters that require specific values to collect Syslog events from Oracle RDBMS OS Audit Record:
| Parameter | Value |
|---|---|
| Log Source type | Oracle RDBMS OS Audit Record |
| Protocol Configuration | Syslog |
| Log Source Identifier | Type the address that is specified when you use the -H option in Table 2. |
Log File Log Source Parameters for Oracle RDBMS OS Audit Record
If JSA does not automatically detect the log source, add an Oracle RDBMS OS Audit Record log source on the JSA Console by using the Log File protocol.
When using the Log File protocol, there are specific parameters that you must use.
The following table describes the parameters that require specific values to collect Log File events from Oracle RDBMS OS Audit Record:
| Parameter | Value |
|---|---|
| Log Source type | Oracle RDBMS OS Audit Record |
| Protocol Configuration | Log File |
| Log Source Identifier | Type the address that is specified when you use the -H option in Table 2. |
Sample Event Message
Use this sample event message to verify a successful integration with JSA.
Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.
Oracle OS Audit Sample Event Message when you use the Syslog Protocol
The following sample event message shows that a DML procedure was run.
<14>Nov 07 18:57:35 oracle.osaudit.test AgentDevice=OracleOSAudit SourceFile=ora_1234567.aud DeviceTime=Thu Nov 7 18:57:33 2013 DatabaseUser='/' Privilege='SYSDBA' ClientUser='oracle' ClientTerminal='pts/2' Status='0' Action=LENGTH : '193''UPDATE user_type4.people set CREATE_DATE = sysdate WHERE NUM=1'
| JSA field name | Highlighted values in the event payload |
|---|---|
| Event ID | UPDATE |
| Username | oracle |
| Device Time | Thu Nov 7 18:57:33 2013 |
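The following Python sketch is an added example, not JSA's DSM code. It parses the sample event above to check a forwarder's output before pointing it at JSA, recovering the three mapped fields and decoding the `<14>` syslog priority, which corresponds to the `-f` default of user.info. The function name, the key list (taken from the sample payload) and the mapping of Username to `ClientUser` are assumptions inferred from the sample.

```python
import re
from datetime import datetime

# Constructed input: the sample event from this page, joined onto one line.
SAMPLE = (
    "<14>Nov 07 18:57:35 oracle.osaudit.test AgentDevice=OracleOSAudit "
    "SourceFile=ora_1234567.aud DeviceTime=Thu Nov 7 18:57:33 2013 "
    "DatabaseUser='/' Privilege='SYSDBA' ClientUser='oracle' "
    "ClientTerminal='pts/2' Status='0' Action=LENGTH : '193'"
    "'UPDATE user_type4.people set CREATE_DATE = sysdate WHERE NUM=1'"
)
# Key names are taken from the sample payload; a real feed may carry others.
KEYS = ["AgentDevice", "SourceFile", "DeviceTime", "DatabaseUser",
        "Privilege", "ClientUser", "ClientTerminal", "Status", "Action"]
HEADER = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.S)
KEY_RE = re.compile(r"(?:^| )(" + "|".join(KEYS) + r")=")
ACTION_RE = re.compile(r"^LENGTH : '(\d+)''(.*)'\s*$", re.S)
FACILITY = ["kern", "user", "mail", "daemon", "auth", "syslog"]
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def parse_event(line):
    """Split one syslog-framed OracleOSAudit NVP event into its fields."""
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError("not a syslog-framed audit event")
    pri, host, body = int(m.group(1)), m.group(3), m.group(4)
    hits, fields = list(KEY_RE.finditer(body)), {}
    for i, hit in enumerate(hits):
        if hit.group(1) == "Action":
            # Action is last; its SQL text may contain '=' and key-like words.
            fields["Action"] = body[hit.end():]
            break
        end = hits[i + 1].start() if i + 1 < len(hits) else len(body)
        fields[hit.group(1)] = body[hit.end():end].strip().strip("'")
    act = ACTION_RE.match(fields.get("Action", ""))
    statement = act.group(2).strip() if act else ""
    raw_time = fields.get("DeviceTime")
    fac = pri >> 3  # syslog PRI = facility * 8 + severity
    return {
        "host": host,
        "facility_priority": "%s.%s" % (
            FACILITY[fac] if fac < len(FACILITY) else fac, SEVERITY[pri & 7]),
        "event_id": statement.split()[0].upper() if statement else None,
        "username": fields.get("ClientUser"),  # assumed source of JSA Username
        "device_time": datetime.strptime(raw_time, "%a %b %d %H:%M:%S %Y")
                       if raw_time else None,
        "privilege": fields.get("Privilege"),
        "fields": fields,
    }
```

The values are split on the known key names rather than on every `=`, because `DeviceTime` is unquoted and contains spaces and the SQL text inside `Action` contains `=` itself.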