Let’s suppose that we have activated our database auditing as recommended and put in place a centralized auditing solution so that the audit data can be sent to a remote server and protected (Like in my previous blog post) . Let’s now think like a hacker, can we hide our database activities (or some of it) ?
In this part, we will see one way of sending unified auditing data to a centralized logging solution outside the Oracle Database. We will not be looking at remote SYSLOG as there is many missing information when redirecting audit data to syslog (Missing Audit Infomation In The Unified Audit Trail Records Sent To SYSLOG (Doc ID 2520613.1))
Still for remote syslog auditing we can set the parameter “unified_audit_systemlog= ‘LOCAL5.INFO’”
In addition, add the following entry in “rsyslog.conf” to enabled Reliable Message forwarding (https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/s1-working_with_queues_in_rsyslog) :
On the remote audit server just uncomment the lines “$ModLoad imtcp $InputTCPServerRun 514”.
Ok but this is not the purpose of this blog post, here we are going to look at how we can integrate oracle unified audit data with SPLUNK using Splunk DB Connect and the oracle add-on.