At a variety of Government agencies audit messages are sent to syslog or to
other logfiles. The log files are accessible by Splunk only through extended
There are controls at the Splunk level as to who can see what logs so they
are not just available to everyone.
Managers and sysadmins can see the access and audit logs in Splunk whereas
the DBAs can see the Splunk consuming of the alert logs or trace files.
It is workable from a security perspective as long as security is
implemented at the Splunk level on who can access what. If you don't have
that separation of duties then I would speak to who is in charge of security
that they are violating the very security protocols that they are trying to
enforce at the server level.
From: oracle-l-bounce@xxxxxxxxxxxxx <oracle-l-bounce@xxxxxxxxxxxxx> On
Behalf Of MacGregor, Ian A. (Redacted sender "ian" for DMARC)
Sent: Monday, September 14, 2020 1:47 PM
To: ORACLE-L (oracle-l@xxxxxxxxxxxxx) <oracle-l@xxxxxxxxxxxxx>
Subject: Oracle and Splunk
Our security team wants Oracle audit information for some databases to be
in Splunk. I have fulfilled this request by writing the audit information
to the server's "syslog" which is captured by or provided to Splunk. This
is less than ideal. I am curious if others have this requirement, and what
they are doing about it?
Ian A. MacGregor
SLAC National Accelerator Laboratory
To offer the best IT service at the lab and be the IT provider of choice.