In this part, we will see one way of sending unified auditing data to a centralized logging solution outside the Oracle Database. We will not be looking at remote SYSLOG as there is many missing information when redirecting audit data to syslog (Missing Audit Infomation In The Unified Audit Trail Records Sent To SYSLOG (Doc ID 2520613.1))
Still for remote syslog auditing we can set the parameter “unified_audit_systemlog= ‘LOCAL5.INFO’”
In addition, add the following entry in “rsyslog.conf” to enabled Reliable Message forwarding (https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/s1-working_with_queues_in_rsyslog) :
On the remote audit server just uncomment the lines “$ModLoad imtcp $InputTCPServerRun 514”.
Ok but this is not the purpose of this blog post, here we are going to look at how we can integrate oracle unified audit data with SPLUNK using Splunk DB Connect and the oracle add-on.
We first start by installing SPLUNK in our test server.
The second step will be to add two new applications:
- Splunk DB Connect
- Splunk Add-on for Oracle Database
Configure the JAVA environment parameters and add the oracle driver.
Configure a new Identity and then add a new connection for our target database (oracle 19C instance with unified auditing enabled) :
Configure a new data INPUT with the “oracle:audit:unified” Template :
That’s it we can now query our auditing data an build custom dashboard and reports :
That’s it 🙂