RE: Oracle Audit records and Splunk

  • From: Upendra nerilla <nupendra@xxxxxxxxxxx>
  • To: "niall.litchfield@xxxxxxxxx" <niall.litchfield@xxxxxxxxx>, Stefan Knecht <knecht.stefan@xxxxxxxxx>
  • Date: Thu, 19 Nov 2015 10:11:37 -0500

Hi Niall,
Thanks for sharing about your audit log setup. Could you share a bit about how
Splunk helped in accessing the audit data?
What problem does it eliminate? We have Splunk, trying to see if it is worth it.

Thanks
-Upendra

Date: Thu, 19 Nov 2015 10:00:43 +0000
Subject: Re: Oracle Audit records and Splunk
From: niall.litchfield@xxxxxxxxx
To: knecht.stefan@xxxxxxxxx
CC: john.jones@xxxxxxxx; oracle-l@xxxxxxxxxxxxx

You'd like to think so, wouldn't you. See Truncated Audit Records when using
SYSLOG Auditing (Doc ID 1951759.1). A couple of key items from that note that
meant we abandoned that approach.

  • 1 audit record can span multiple lines in syslog - this isn't considered a
    bug
  • Oracle won't put any resource into syslog audit trails - unified auditing in
    12c is the strategic direction.

We also found that syslog audit records weren't necessarily consistent in
format. We've moved to XML as an audit trail format for audit trails that we
feed to Splunk.

On Thu, Nov 19, 2015 at 8:31 AM, Stefan Knecht <knecht.stefan@xxxxxxxxx> wrote:
Have you tried switching Oracle's auditing to write to SYSLOG? Those should be
easy to parse.
Stefan

On Thu, Nov 19, 2015 at 3:51 AM, John Jones <john.jones@xxxxxxxx> wrote:

Is there anyone out there using Splunk to look at your Oracle Audit logs?

We are trying to set this up and running into problems with the way that Oracle
writes the audit files in different formats. We are mostly looking at tracking
Oracle Logins and notice that the format of the audit record can change
depending on the error encountered.

Any pointers or suggestions are welcome.

John Jones

--
Niall Litchfield
Oracle DBA
http://www.orawin.info
