Re: Oracle Audit records and Splunk

  • From: Niall Litchfield <niall.litchfield@xxxxxxxxx>
  • To: Stefan Knecht <knecht.stefan@xxxxxxxxx>
  • Date: Thu, 19 Nov 2015 10:00:43 +0000

You'd like to think so, wouldn't you. See *Truncated Audit Records when
using SYSLOG Auditing (Doc ID 1951759.1)*. A couple of key items from that
note meant we abandoned that approach:

1. One audit record can span multiple lines in syslog; this isn't
considered a bug.
2. Oracle won't put any resource into syslog audit trails; unified
auditing in 12c is the strategic direction.

We also found that syslog audit records weren't necessarily consistent in
format. We've moved to XML as an audit trail format for audit trails that
we feed to Splunk.

On Thu, Nov 19, 2015 at 8:31 AM, Stefan Knecht <knecht.stefan@xxxxxxxxx> wrote:

Have you tried switching Oracle's auditing to write to SYSLOG? Those
should be easy to parse.

Stefan


On Thu, Nov 19, 2015 at 3:51 AM, John Jones <john.jones@xxxxxxxx> wrote:

Is there anyone out there using Splunk to look at your Oracle audit logs?

We are trying to set this up and running into problems with the way that
Oracle writes the audit files in different formats. We are mostly looking
at tracking Oracle Logins and notice that the format of the audit record
can change depending on the error encountered.
Any pointers or suggestions are welcome.
John Jones
--
Niall Litchfield
Oracle DBA
http://www.orawin.info
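As an added illustration of the XML route Niall describes (not code from this thread), this parser flattens Oracle XML audit-trail records into one login event each, keyed on the return code so that failed logins are tagged consistently whatever fields the record happens to carry. The sample file is constructed, and the element names and action/return codes (100 = LOGON, 1017, 28000) are assumptions drawn from Oracle's audit schema as I know it.

```python
import xml.etree.ElementTree as ET
# Constructed sample shaped like an Oracle XML audit-trail file (adump/*.xml).
# Element names and codes are assumptions; check them against a real file.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Audit xmlns="http://xmlns.oracle.com/oracleas/schema/dbserver_audittrail-11_2.xsd">
<AuditRecord><Audit_Type>1</Audit_Type><Extended_Timestamp>2015-11-19T08:31:00Z</Extended_Timestamp>
<DB_User>APP_USER</DB_User><OS_User>app</OS_User><Userhost>web01</Userhost>
<Action>100</Action><Returncode>0</Returncode></AuditRecord>
<AuditRecord><Audit_Type>1</Audit_Type><Extended_Timestamp>2015-11-19T08:31:05Z</Extended_Timestamp>
<DB_User>APP_USER</DB_User><OS_User>bob</OS_User><Userhost>laptop7</Userhost>
<Action>100</Action><Returncode>1017</Returncode></AuditRecord>
<AuditRecord><Audit_Type>1</Audit_Type><Extended_Timestamp>2015-11-19T08:31:09Z</Extended_Timestamp>
<DB_User>SYSTEM</DB_User><OS_User>bob</OS_User><Userhost>laptop7</Userhost>
<Action>100</Action><Returncode>28000</Returncode></AuditRecord>
<AuditRecord><Audit_Type>1</Audit_Type><Extended_Timestamp>2015-11-19T08:45:00Z</Extended_Timestamp>
<DB_User>APP_USER</DB_User><OS_User>app</OS_User><Userhost>web01</Userhost>
<Action>101</Action><Returncode>0</Returncode></AuditRecord>
</Audit>"""

LOGON_ACTION = "100"  # assumed Oracle audit action code for LOGON (101 = LOGOFF)
ERRORS = {"1017": "invalid username/password", "28000": "account locked"}

def _local(tag):
    """Drop the namespace prefix so lookups work with or without xmlns."""
    return tag.rpartition("}")[2]

def parse_logons(xml_text):
    """Flatten each LOGON <AuditRecord> into a dict; absent fields become ''."""
    events = []
    for rec in ET.fromstring(xml_text).iter():
        if _local(rec.tag) != "AuditRecord":
            continue
        f = {_local(c.tag): (c.text or "").strip() for c in rec}
        if f.get("Action") != LOGON_ACTION:
            continue
        rc = f.get("Returncode", "")
        events.append({"time": f.get("Extended_Timestamp", ""),
                       "db_user": f.get("DB_User", ""), "os_user": f.get("OS_User", ""),
                       "host": f.get("Userhost", ""), "returncode": rc,
                       "outcome": "success" if rc == "0" else ERRORS.get(rc, "ORA-" + rc)})
    return events

def failed_logons_by_host(events):
    """Count failed LOGON attempts per client host (a simple Splunk-style stat)."""
    counts = {}
    for e in events:
        if e["returncode"] != "0":
            counts[e["host"]] = counts.get(e["host"], 0) + 1
    return counts
```

Each event is a flat dict, so it can be emitted as JSON or key=value lines for a Splunk input without the multi-line reassembly problem the syslog trail has.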
