We have been using QRadar for many years with 11g, and it was efficiently
querying the DBA_AUDIT_TRAIL view to fetch audit trail rows. These databases
have all been migrated to 19c (19.19) single-tenant. Interfacing QRadar with
19c's Unified Auditing has been a challenge. IBM does not yet support 19c or
multi-tenant (no surprise there), so no help from them.
Wondering if anyone can share a success story using their SIEM tool to query
Oracle to scrape rows from the unified audit trail in a single or multi-tenant
scenario.
- Do you pull CDB and PDB records together? My experience with this has
resulted in expensive parallel execution plans. Looks like the best bet is to
query the CDB and PDB separately.
- Do you pull from the unified audit table directly or from the audit trail
view?
- As recommended by Oracle, the partition interval on the audit table has been
changed from 1 month to 1 day. Have you also set up a local index on the
partition key (event_timestamp) column?
- Any other configuration changes that we should be aware of?
To further complicate matters, our security team wants to filter logs through
Cribl and then pass on to QRadar, but it seems that this is a square peg /
round hole solution when it comes to Oracle. Cribl does not have built-in
Oracle database connectivity. I am trying to avoid having to write the audit
trail out to disk, losing the ability to query it in the database.
Regards,
Doug
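One way to structure the per-container poll and the partition setting the post describes, as an added example that is not Doug's code nor anything shipped by IBM, Cribl or Oracle. It assumes Oracle 19c unified auditing, a collector account granted AUDIT_VIEWER (and AUDIT_ADMIN for the one-time partition change), and a hypothetical checkpoint table named SIEM_AUDIT_CHECKPOINT owned by the collector; the bind variable :batch_upper_bound is supplied by the collector. It is meant to be run inside each container (CDB$ROOT and each PDB) separately, and it does not address the local-index question from the post.

```sql
-- Added example, not the original poster's code. Assumes Oracle 19c unified
-- auditing and a hypothetical collector-owned table SIEM_AUDIT_CHECKPOINT.
-- Run in every container separately (CDB$ROOT and each PDB) rather than
-- through CDB_UNIFIED_AUDIT_TRAIL, which fans out across containers.

-- 1. One-time: partition the unified audit table by day (needs AUDIT_ADMIN).
BEGIN
  DBMS_AUDIT_MGMT.ALTER_PARTITION_INTERVAL(
    interval_number    => 1,
    interval_frequency => 'DAY');
END;
/

-- 2. Per-container high-water mark of what has already been shipped.
CREATE TABLE siem_audit_checkpoint (
  container_name VARCHAR2(128) PRIMARY KEY,
  last_event_ts  TIMESTAMP(6)  NOT NULL);

-- Seed it with a one-day backfill window on first deployment.
INSERT INTO siem_audit_checkpoint (container_name, last_event_ts)
VALUES (SYS_CONTEXT('USERENV', 'CON_NAME'), SYSTIMESTAMP - INTERVAL '1' DAY);
COMMIT;

-- 3. Incremental poll the SIEM runs every few minutes.
--    The collector computes :batch_upper_bound as "now minus a few seconds"
--    before issuing the query, so a row committed while the query is running
--    is picked up by the next poll instead of being skipped. Compute that
--    value in the same time zone EVENT_TIMESTAMP is stored in (verify this
--    for your release before relying on it).
--    Both predicates are on EVENT_TIMESTAMP, the partition key, so the
--    optimizer can prune to the current day's partition instead of scanning
--    the whole table.
SELECT u.event_timestamp,
       SYS_CONTEXT('USERENV', 'CON_NAME') AS container_name,
       u.audit_type,
       u.dbusername,
       u.os_username,
       u.userhost,
       u.client_program_name,
       u.action_name,
       u.object_schema,
       u.object_name,
       u.return_code,            -- non-zero means the statement failed
       u.unified_audit_policies,
       u.system_privilege_used,
       u.sql_text
FROM   unified_audit_trail u
WHERE  u.event_timestamp >  (SELECT c.last_event_ts
                             FROM   siem_audit_checkpoint c
                             WHERE  c.container_name =
                                    SYS_CONTEXT('USERENV', 'CON_NAME'))
AND    u.event_timestamp <= :batch_upper_bound
ORDER  BY u.event_timestamp;

-- 4. Only after the SIEM has acknowledged the batch, advance the checkpoint
--    to the same upper bound the poll used, so no row falls between batches.
UPDATE siem_audit_checkpoint
SET    last_event_ts = :batch_upper_bound
WHERE  container_name = SYS_CONTEXT('USERENV', 'CON_NAME');
COMMIT;
```

Querying UNIFIED_AUDIT_TRAIL from inside each container, instead of CDB_UNIFIED_AUDIT_TRAIL from the root, keeps each poll on one container's audit table and avoids the cross-container fan-out behind the expensive parallel plans described in the post; the checkpoint is per container for the same reason. Advancing the checkpoint only after the SIEM acknowledges the batch means a collector crash re-sends rows rather than losing them, which is the right failure mode for an audit pipeline.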