Re: Oracle Auditing with SYSLOG

  • From: David Robillard <david.robillard@xxxxxxxxx>
  • To: Andy Klock <andy@xxxxxxxxxxxxxxx>
  • Date: Wed, 6 Nov 2013 10:54:47 -0500

Hello Andy,

> Thanks for the feedback Henry and David.  I played with Splunk a bit
> yesterday and I have seen other tools that report off of syslog in the
> past.  In a lot of the shops I've seen, the default 11.2 auditing to
> DB is the norm and more often than not, not really used for anything.
>

Indeed, most organizations don't know what to do with their logs, nor care
to check them. Until they get hit by a security breach or they decide to
comply with something like PCI or ISO 27001. If you do nothing with your
logs, then one has to wonder why you log at all.


> I like the idea of moving audit info to syslog, but agree that for the
> purposes that I've used AUD$ will no longer be as readily available.
>

Maybe a word of advice: IMHO, I don't like using OS as the audit
destination. I prefer to keep either DB or SYSLOG. If you use OS, you will
quickly fill up your file system with audit log files. Lots and lots of
them are generated rather fast. You then need OS-level access to
compress/backup/delete them. And as you probably know, a file system is a
poor solution for handling lots of small files in the same directory. With
DB, you can stay within Oracle and manage them (i.e. purge the tables). But
with SYSLOG, you can then configure your syslog system to send them all to
a central syslog machine where you manage all your logs. Ideally not only
your Oracle audit logs, but every log in your organization (e.g.
networking gear, storage systems, OS logs and application logs). Once on
that central syslog machine, you can beef up the disk space and have a
dedicated log management team and software solutions. One central place to
rule them all :)

> Nice blog post David. Thanks for sharing that.
>

No problem, I'm glad you liked it.

Have fun with your audit logs!

HTH,

DA+
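Once the audit records land on the central syslog machine, "managing" them means being able to parse them and run checks over them. The following is an added example, not code from this thread or from Oracle. It assumes the one-record-per-syslog-line layout Oracle writes for the OS/SYSLOG audit trail, where each field appears as `FIELD:[length] 'value'` (or with double quotes for non-SYS records) and the bracketed number is the exact length of the value; the syslog prefix, hostname, PIDs, session IDs and all five sample lines are constructed for this example. It uses the declared length to slice the value (so a value that itself contains quotes, colons or upper-case words such as `Authenticated by: DATABASE` is not mis-parsed) and treats a record whose closing quote is not where the length says as malformed, which is what a line truncated by a syslog daemon's maximum message size looks like. On top of the parser it runs two checks a DBA would actually want from syslog: failed logons (`RETURNCODE` 1017, i.e. ORA-01017) per database user, and `CONNECT` actions made with `SYSDBA`/`SYSOPER`.

```python
"""Parse Oracle OS/SYSLOG audit-trail lines and run two simple checks.

Added example; the record layout ("FIELD:[len] 'value'") is an assumption
about the one-line syslog form of Oracle's OS audit trail, and every sample
line below is constructed, not captured from a real system.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample syslog lines (not real audit data).
SAMPLE_LINES: List[str] = [
    # SYS-privileged connect: note the single-quoted "KEY :[n] 'v'" form.
    "Nov  6 10:54:47 dbhost Oracle Audit[12345]: LENGTH : '160' ACTION :[7] 'CONNECT' "
    "DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'oracle' "
    "CLIENT TERMINAL:[5] 'pts/0' STATUS:[1] '0' DBID:[10] '1234567890'",
    # Failed logon (ORA-01017) for SCOTT; value contains ':' and upper-case words.
    "Nov  6 10:55:02 dbhost Oracle Audit[12401]: LENGTH: \"240\" SESSIONID:[7] \"4294967\" "
    "ENTRYID:[1] \"1\" STATEMENT:[1] \"1\" USERID:[5] \"SCOTT\" USERHOST:[12] \"ws17.example\" "
    "ACTION:[3] \"100\" RETURNCODE:[4] \"1017\" COMMENT$TEXT:[26] \"Authenticated by: DATABASE\" "
    "OS$USERID:[4] \"jdoe\" DBID:[10] \"1234567890\"",
    # Same, but truncated mid-value, as a syslog daemon with a short max line would do.
    "Nov  6 10:55:09 dbhost Oracle Audit[12401]: LENGTH: \"240\" SESSIONID:[7] \"4294968\" "
    "ENTRYID:[1] \"1\" STATEMENT:[1] \"1\" USERID:[5] \"SCOTT\" USERHOST:[12] \"ws17.example\" "
    "ACTION:[3] \"100\" RETURNCODE:[4] \"1017\" COMMENT$TEXT:[26] \"Authenticated by",
    # Another failed logon for SCOTT.
    "Nov  6 10:55:31 dbhost Oracle Audit[12433]: LENGTH: \"240\" SESSIONID:[7] \"4294971\" "
    "ENTRYID:[1] \"1\" STATEMENT:[1] \"1\" USERID:[5] \"SCOTT\" USERHOST:[12] \"ws17.example\" "
    "ACTION:[3] \"100\" RETURNCODE:[4] \"1017\" COMMENT$TEXT:[26] \"Authenticated by: DATABASE\" "
    "OS$USERID:[4] \"jdoe\" DBID:[10] \"1234567890\"",
    # Successful logon for SCOTT (RETURNCODE 0) must not be counted as a failure.
    "Nov  6 10:56:10 dbhost Oracle Audit[12460]: LENGTH: \"240\" SESSIONID:[7] \"4294975\" "
    "ENTRYID:[1] \"1\" STATEMENT:[1] \"1\" USERID:[5] \"SCOTT\" USERHOST:[12] \"ws17.example\" "
    "ACTION:[3] \"100\" RETURNCODE:[1] \"0\" COMMENT$TEXT:[26] \"Authenticated by: DATABASE\" "
    "OS$USERID:[4] \"jdoe\" DBID:[10] \"1234567890\"",
]

# "KEY:[n] '" or 'KEY :[n] "'; the value itself is sliced by n, not matched.
_FIELD = re.compile(r"([A-Z][A-Z$ ]*?)\s*:\s*\[(\d+)\]\s*(['\"])")
# LENGTH has no [n] prefix: LENGTH : '160' / LENGTH: "240"
_LENGTH = re.compile(r"LENGTH\s*:\s*(['\"])(\d+)\1")

FAILED_LOGON_CODE = "1017"  # ORA-01017: invalid username/password


def parse_record(line: str) -> Dict[str, object]:
    """Parse one syslog line into {FIELD: value}; '_malformed' lists fields
    whose declared length did not end at a closing quote (e.g. truncation)."""
    record: Dict[str, object] = {}
    m = _LENGTH.search(line)
    if m:
        record["LENGTH"] = int(m.group(2))
    pos = 0
    while True:
        m = _FIELD.search(line, pos)
        if not m:
            break
        key, n, quote = m.group(1).strip(), int(m.group(2)), m.group(3)
        start = m.end()                      # first character of the value
        value = line[start:start + n]
        if line[start + n:start + n + 1] != quote:
            # Length does not land on the closing quote: truncated or corrupt.
            record.setdefault("_malformed", []).append(key)
            pos = m.end()
            continue
        record[key] = value
        pos = start + n + 1                  # skip past the closing quote
    return record


def failed_logons_by_user(lines: List[str]) -> Dict[str, int]:
    """Count ORA-01017 failures per database USERID (truncated records still count
    when USERID and RETURNCODE survived the truncation)."""
    counts: Counter = Counter()
    for rec in map(parse_record, lines):
        if rec.get("RETURNCODE") == FAILED_LOGON_CODE:
            counts[str(rec.get("USERID", "?"))] += 1
    return dict(counts)


def privileged_connects(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (OS client user, terminal, privilege) for SYSDBA/SYSOPER connects."""
    hits = []
    for rec in map(parse_record, lines):
        if rec.get("ACTION") == "CONNECT" and rec.get("PRIVILEGE") in ("SYSDBA", "SYSOPER"):
            hits.append((str(rec.get("CLIENT USER")), str(rec.get("CLIENT TERMINAL")),
                         str(rec["PRIVILEGE"])))
    return hits


if __name__ == "__main__":
    print("failed logons:", failed_logons_by_user(SAMPLE_LINES))
    print("privileged connects:", privileged_connects(SAMPLE_LINES))
    for line in SAMPLE_LINES:
        rec = parse_record(line)
        if "_malformed" in rec:
            print("malformed fields:", rec["_malformed"])
```

The truncated third line is the caveat worth keeping in mind when centralizing: the record reaches the syslog server, but the last fields are gone, so the parser must tolerate it rather than drop the whole line, and a check such as a failed-logon count should state which fields it relies on. Thresholding the per-user count over a time window (not done here) is the obvious next step for a brute-force alert.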