Solved

Sending Oracle audit logs to syslog

Posted on 2009-05-11
9
5,093 Views
Last Modified: 2013-11-17
Some of my oracle audit logs are located in /optware/oracle/admin/logs/ , each log is generated as a file in this directory. How do I send each of these logs in to the syslog.

Couple days back I have asked the same question and I have received an answer to set the following parameters
AUDIT_TRAIL=OS
and
AUDIT_SYSLOG_LEVEL=[facility].[level] e.g. "local0.info"

But Looks like this is not forwarding anything, Am I missing anything


SQL> show parameter audit;
 

NAME                                 TYPE        VALUE

------------------------------------ ----------- ------------------------------

audit_file_dest                      string      /optware/oracle/admin/acceldev

                                                 /audit

audit_sys_operations                 boolean     FALSE

audit_syslog_level                   string      LOCAL0.INFO

audit_trail                          string      OS

SQL>

Open in new window

0
Comment
Question by:vishwakarmak
  • 5
  • 4
9 Comments
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 24354075
Hi again,
if I remember well, it was me who told you to use the above parameters.
I don't know how familiar you are with syslog, so here are the steps to be taken at the AIX side -
- edit /etc/syslog.conf and add the line
local0.info /path/to/log/file
- issue  
touch /path/to/log/file
- issue
refresh -s syslogd
- verify the above by issuing
lssrc -ls syslogd
 Excuse me if you did that already, but I have to ask, as the ORACLE parameters should work as expected!
wmp
 
0
 

Author Comment

by:vishwakarmak
ID: 24354281
Thanks wmp, Let me try this....
0
 

Author Comment

by:vishwakarmak
ID: 24354826
Hello wmp,
Thanks again for your valueble solution. But here is the problem, The audit files are written to /optware/oracle/admin/logs/ as different files and syslog logs messages when written to a single file I guess. So what could be the solution in this scenario.

Also these is one imp thing I noticed, When I have set the Parameters I am no more seeing the /logs directory, So looks like it is trying to send the logs but its not knowing where...

So can you tell me how to set so that the audit logs are written to one single file

Thanks

0
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 24354962
Did you try what I suggested?
Syslog doesn't log files, but messages, and the messages go to the single file you specify in /etc/syslog.conf.
What's in there?
Syslog's log files can only be written if they exist (syslog doesn't create files), thus the 'touch' I suggested.
And, are you sure that you're talking about audit logs going to /optware/oracle/admin/logs/ ?
Where did you configure that directory? I can't see it in your post.
wmp
 
0
Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

 

Author Comment

by:vishwakarmak
ID: 24357222
Hello WMP,

Continuing to what we are doing my audit is logging into  /optware/oracle/admin/s10dev/audit/ folder and I have many logs inside so I will go ahead and do

local0.info                                     /optware/oracle/admin/acceldev/audit/*.log  -> in my syslog conf

and will start/stop the syslog, Let me see if this works

Thanks
0
 

Author Comment

by:vishwakarmak
ID: 24357679
Hello wmp,

I dont think this will quite work as the syslog file should be something like

local0.info                                     /var/log/oracle.log

Since we have already told the audit logs to local0.info, I think it will route to oracle.log which I created

what do u think of this...???? As this approach also didnot quite work...
0
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 24358381
Well,

first: no asterisks (*) in syslog.conf, only complete filenames!

second: If syslog.conf looks like in your last post, and if you created that file and restarted syslogd, yes, the audit logs will go to /var/log/oracle.log. What's wrong with that? What else do you try to achieve?

Existing old logs in  /optware/oracle/admin/acceldev/audit will not be changed, removed or moved to the syslog file. Those old logs will stay there as they are.

wmp



0
 

Author Comment

by:vishwakarmak
ID: 24359019
Hello WMP,

I am finally able to get the logs in oracle.log but they dont seem to make any sense as here is what I get in the syslog

May 11 15:02:04 sundev13 Oracle Audit[20364]: [ID 748625 local0.info] LENGTH: "220" SESSIONID:[8] "1 2759424" ENTRYID:[1] "1" STATEMENT:[1] "1" USERID:[5] "DBMON" USERHOST:[8] "sundev13" ACTION:[3] "100" RETURNCODE:[1] "0" COMMENT$TEXT:[20] "Authenticated by: OS" OS$USERID:[5] "dbmon" PRIV$USED:[1] "5"

But if I cat my log in /optware/oracle/admin/acceldev/audit, Its totally different but I can see the fields, So is there anything on the oracle config that has to be changed to log in clear text

Thanks


0
 
LVL 68

Accepted Solution

by:
woolmilkporc earned 500 total points
ID: 24359335
I'm afraid there is no chance to get clear text.
This is what ORACLE says:

9.5.4.4 Decoding Operating System Audit Trial Records
Oracle Database encodes the operating system audit trail records. You can decode this information by referring to the appropriate data dictionary tables and error messages.
Table 9-5 describes the information that is encoded and where you can find its decoded version.  
Table 9-5 Encoding Information in Audit Trail Records    Encoded Information How to Decode      
Action code  
Describes the operation performed or attempted, using codes listed in the AUDIT_ACTIONS data dictionary table, with their descriptions.    
Privileges used  
Describes any system privileges used to perform the operation, using codes listed in the SYSTEM_PRIVILEGE_MAP table, with their descriptions.    
Completion code  
Describes the result of the attempted operation, using codes listed in Oracle Database Error Messages, with their descriptions. Successful operations return a value of zero, and unsuccessful operations return an Oracle Database error code corresponding to the reason the operation was unsuccessful.

The complete text is here. Maybe you find some more/more useful information:

http://mis3nt.gsnu.ac.kr/PublicData/Oracle11gDoc/network.111/b28531/auditing.htm#BCGIICFE

wmp


0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

My previous tech tip, Installing the Solaris OS From the Flash Archive On a Tape (http://www.experts-exchange.com/articles/OS/Unix/Solaris/Installing-the-Solaris-OS-From-the-Flash-Archive-on-a-Tape.html), discussed installing the Solaris Operating S…
Installing FreeBSD… FreeBSD is a darling of an operating system. The stability and usability make it a clear choice for servers and desktops (for the cunning). Savvy?  The Ports collection makes available every popular FOSS application and packag…
Learn how to get help with Linux/Unix bash shell commands. Use help to read help documents for built in bash shell commands.: Use man to interface with the online reference manuals for shell commands.: Use man to search man pages for unknown command…
In a previous video, we went over how to export a DynamoDB table into Amazon S3.  In this video, we show how to load the export from S3 into a DynamoDB table.

929 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now