Unified auditing and centralized logging solution (SPLUNK)

In this part, we will see one way of sending unified auditing data to a centralized logging solution outside the Oracle Database. We will not be looking at remote SYSLOG, as much information is missing when audit data is redirected to syslog (see "Missing Audit Information In The Unified Audit Trail Records Sent To SYSLOG" (Doc ID 2520613.1)).

For remote syslog auditing, though, the parameter can still be set: “unified_audit_systemlog = ‘LOCAL5.INFO’”.

In addition, add the following entry in “rsyslog.conf” to enable reliable message forwarding (https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/s1-working_with_queues_in_rsyslog):

(Screenshot: Capture syslog remote)

On the remote audit server, just uncomment the lines “$ModLoad imtcp” and “$InputTCPServerRun 514”.

That, however, is not the purpose of this blog post: here we are going to look at how Oracle unified audit data can be integrated with Splunk using Splunk DB Connect and the Oracle add-on.


Off-Cpu Analysis using pSnapper

Tanel Poder has just shared an awesome tool, Linux Process Snapper 🙂, which is, as he describes it, “a Linux /proc profiler that works by sampling Linux task states and other metrics from /proc/PID/task/TID pseudofiles”. What I like about the tool is its ease of use and also that it allows Off-CPU analysis (for more info about Off-CPU analysis, please take a look at Brendan Gregg's blog).
