Solved

Sending Oracle audit logs to syslog

Posted on 2009-05-11
Last Modified: 2013-11-17
Some of my Oracle audit logs are located in /optware/oracle/admin/logs/; each log is generated as a file in this directory. How do I send each of these logs to the syslog?

A couple of days back I asked the same question and received an answer to set the following parameters:
AUDIT_TRAIL=OS
and
AUDIT_SYSLOG_LEVEL=[facility].[level] e.g. "local0.info"

But it looks like this is not forwarding anything. Am I missing anything?


SQL> show parameter audit;
 
NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
audit_file_dest                      string      /optware/oracle/admin/acceldev
                                                 /audit
audit_sys_operations                 boolean     FALSE
audit_syslog_level                   string      LOCAL0.INFO
audit_trail                          string      OS
SQL>


Question by:vishwakarmak
9 Comments
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 24354075
Hi again,
if I remember well, it was me who told you to use the above parameters.
I don't know how familiar you are with syslog, so here are the steps to be taken at the AIX side -
- edit /etc/syslog.conf and add the line
    local0.info /path/to/log/file
- issue
    touch /path/to/log/file
- issue
    refresh -s syslogd
- verify the above by issuing
    lssrc -ls syslogd
Excuse me if you did that already, but I have to ask, as the ORACLE parameters should work as expected!
wmp
 

Author Comment

by:vishwakarmak
ID: 24354281
Thanks wmp, let me try this...

Author Comment

by:vishwakarmak
ID: 24354826
Hello wmp,
Thanks again for your valuable solution. But here is the problem: the audit files are written to /optware/oracle/admin/logs/ as different files, and syslog logs messages when written to a single file, I guess. So what could be the solution in this scenario?

Also, there is one important thing I noticed: when I set the parameters I no longer see the /logs directory, so it looks like it is trying to send the logs but does not know where...

So can you tell me how to set it so that the audit logs are written to one single file?

Thanks

LVL 68

Expert Comment

by:woolmilkporc
ID: 24354962
Did you try what I suggested?
Syslog doesn't log files, but messages, and the messages go to the single file you specify in /etc/syslog.conf.
What's in there?
Syslog's log files can only be written if they exist (syslog doesn't create files), thus the 'touch' I suggested.
And, are you sure that you're talking about audit logs going to /optware/oracle/admin/logs/ ?
Where did you configure that directory? I can't see it in your post.
wmp

Author Comment

by:vishwakarmak
ID: 24357222
Hello WMP,

Continuing with what we are doing: my audit is logging into the /optware/oracle/admin/s10dev/audit/ folder and I have many logs inside, so I will go ahead and put

local0.info                                     /optware/oracle/admin/acceldev/audit/*.log  -> in my syslog conf

and will start/stop the syslog. Let me see if this works.

Thanks

Author Comment

by:vishwakarmak
ID: 24357679
Hello wmp,

I don't think this will quite work, as the syslog file should be something like

local0.info                                     /var/log/oracle.log

Since we have already told the audit logs to go to local0.info, I think it will route to oracle.log, which I created.

What do you think of this? As this approach also did not quite work...
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 24358381
Well,

first: no asterisks (*) in syslog.conf, only complete filenames!

second: If syslog.conf looks like in your last post, and if you created that file and restarted syslogd, yes, the audit logs will go to /var/log/oracle.log. What's wrong with that? What else do you try to achieve?

Existing old logs in  /optware/oracle/admin/acceldev/audit will not be changed, removed or moved to the syslog file. Those old logs will stay there as they are.

wmp

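Several of the replies above turn on syslog.conf details that are easy to get wrong: one complete, absolute filename per selector, no wildcards, and a target file that already exists because syslogd will not create it. The following is an added example, not code from the thread, that checks those conditions for a given selector before syslogd is refreshed. The configuration text is constructed (it places the wildcard line from the thread next to a correct one); `check_syslog_entry` and its injectable `exists` hook are names chosen for this example.

```python
import os
from typing import Callable, List, Optional, Tuple

# Constructed sample configuration for this example; not a real file.
# Line 2 is the wildcard entry from the thread, line 3 the form that works.
SAMPLE_SYSLOG_CONF = """\
# Oracle audit records arrive on local0.info (AUDIT_SYSLOG_LEVEL=local0.info)
local0.info     /optware/oracle/admin/acceldev/audit/*.log
local1.info     /var/log/oracle.log
"""


def check_syslog_entry(conf_text: str, selector: str,
                       exists: Callable[[str], bool] = os.path.isfile
                       ) -> Tuple[bool, Optional[str], List[str]]:
    """Validate the action of the first uncommented syslog.conf line whose
    selector field equals `selector`.

    Returns (ok, target, problems). `exists` is injectable so the check can
    be run against a hypothetical file layout instead of the live filesystem.
    """
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)            # "<selector> <action>"
        if len(parts) != 2 or parts[0] != selector:
            continue
        target = parts[1].strip()
        problems: List[str] = []
        if target.startswith("@"):
            return True, target, problems      # forwarding to a remote host
        if "*" in target or "?" in target:
            problems.append("wildcards are not allowed; syslog needs one complete filename")
        if not target.startswith("/"):
            problems.append("target must be an absolute path")
        elif "*" not in target and not exists(target):
            problems.append("target does not exist; create it (touch) before refreshing syslogd")
        return not problems, target, problems
    return False, None, [f"no uncommented entry for selector {selector!r}"]


if __name__ == "__main__":
    for sel in ("local0.info", "local1.info"):
        ok, target, problems = check_syslog_entry(SAMPLE_SYSLOG_CONF, sel)
        print(sel, "->", target, "OK" if ok else problems)
```

Run against the live /etc/syslog.conf the default `exists` hook consults the filesystem, so a missing target file is reported before the `touch` and `refresh -s syslogd` steps rather than after a silent failure.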
 

Author Comment

by:vishwakarmak
ID: 24359019
Hello WMP,

I am finally able to get the logs in oracle.log, but they don't seem to make any sense, as here is what I get in the syslog:

May 11 15:02:04 sundev13 Oracle Audit[20364]: [ID 748625 local0.info] LENGTH: "220" SESSIONID:[8] "1 2759424" ENTRYID:[1] "1" STATEMENT:[1] "1" USERID:[5] "DBMON" USERHOST:[8] "sundev13" ACTION:[3] "100" RETURNCODE:[1] "0" COMMENT$TEXT:[20] "Authenticated by: OS" OS$USERID:[5] "dbmon" PRIV$USED:[1] "5"

But if I cat my log in /optware/oracle/admin/acceldev/audit, it's totally different but I can see the fields. So is there anything in the Oracle config that has to be changed to log in clear text?

Thanks

LVL 68

Accepted Solution

by: woolmilkporc (earned 500 total points)
ID: 24359335
I'm afraid there is no chance to get clear text.
This is what ORACLE says:

9.5.4.4 Decoding Operating System Audit Trail Records
Oracle Database encodes the operating system audit trail records. You can decode this information by referring to the appropriate data dictionary tables and error messages.
Table 9-5 describes the information that is encoded and where you can find its decoded version.

Table 9-5 Encoding Information in Audit Trail Records

Encoded Information: Action code
How to Decode: Describes the operation performed or attempted, using codes listed in the AUDIT_ACTIONS data dictionary table, with their descriptions.

Encoded Information: Privileges used
How to Decode: Describes any system privileges used to perform the operation, using codes listed in the SYSTEM_PRIVILEGE_MAP table, with their descriptions.

Encoded Information: Completion code
How to Decode: Describes the result of the attempted operation, using codes listed in Oracle Database Error Messages, with their descriptions. Successful operations return a value of zero, and unsuccessful operations return an Oracle Database error code corresponding to the reason the operation was unsuccessful.

The complete text is here. Maybe you find some more/more useful information:

http://mis3nt.gsnu.ac.kr/PublicData/Oracle11gDoc/network.111/b28531/auditing.htm#BCGIICFE

wmp

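The accepted answer's point is that the syslog record is not clear text but a set of fields, three of which (ACTION, PRIV$USED, RETURNCODE) are codes that decode through AUDIT_ACTIONS, SYSTEM_PRIVILEGE_MAP and the Oracle error numbers. The following is an added example, not code from the thread or from Oracle, that parses the line vishwakarmak posted into named fields, compares each field's declared length with the value actually received, and decodes the coded fields through lookup tables. The tables hold only the two codes present in the sample (100 = LOGON; privilege 5 = CREATE SESSION, assuming the usual join on the negated PRIV$USED value); a real deployment would load them from the data dictionary views named in the Oracle excerpt. Function and variable names are chosen for this example.

```python
import re
from typing import Dict, List, Optional, Tuple

# The syslog line from the thread, reproduced verbatim as sample input. Note
# that it declares a length of 8 for SESSIONID but carries a 9-character
# value; the length check below surfaces exactly that kind of inconsistency.
SAMPLE_LINE = (
    'May 11 15:02:04 sundev13 Oracle Audit[20364]: [ID 748625 local0.info] '
    'LENGTH: "220" SESSIONID:[8] "1 2759424" ENTRYID:[1] "1" STATEMENT:[1] "1" '
    'USERID:[5] "DBMON" USERHOST:[8] "sundev13" ACTION:[3] "100" RETURNCODE:[1] "0" '
    'COMMENT$TEXT:[20] "Authenticated by: OS" OS$USERID:[5] "dbmon" PRIV$USED:[1] "5"'
)

# syslog header, with the optional "[ID nnn facility.level]" tag seen in the sample
HEADER_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'Oracle Audit\[(?P<pid>\d+)\]: (?:\[ID \d+ (?P<facility>\S+)\] )?(?P<body>.*)$')
# Fields look like NAME:[declared_length] "value"; LENGTH has no bracketed length.
FIELD_RE = re.compile(r'([A-Z][A-Z0-9_$]*):(?:\[(\d+)\])?\s*"([^"]*)"')

# Partial lookups covering only the codes in the sample line. In practice,
# populate these from the AUDIT_ACTIONS and SYSTEM_PRIVILEGE_MAP views.
AUDIT_ACTIONS: Dict[int, str] = {100: "LOGON"}
SYSTEM_PRIVILEGE_MAP: Dict[int, str] = {-5: "CREATE SESSION"}


def parse_audit_record(line: str) -> dict:
    """Split a syslog-delivered Oracle audit line into header and fields."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not an 'Oracle Audit' syslog line")
    fields: Dict[str, str] = {}
    declared: Dict[str, Optional[int]] = {}
    for name, length, value in FIELD_RE.findall(m.group("body")):
        fields[name] = value
        declared[name] = int(length) if length else None
    return {"timestamp": m.group("ts"), "host": m.group("host"),
            "pid": int(m.group("pid")), "facility": m.group("facility"),
            "fields": fields, "declared": declared}


def length_mismatches(record: dict) -> List[Tuple[str, int, int]]:
    """Fields whose declared length disagrees with the value received: a cheap
    integrity check for records that were truncated or mangled in transit."""
    out = []
    for name, want in record["declared"].items():
        got = len(record["fields"][name])
        if want is not None and want != got:
            out.append((name, want, got))
    return out


def decode_record(record: dict,
                  actions: Dict[int, str] = AUDIT_ACTIONS,
                  privs: Dict[int, str] = SYSTEM_PRIVILEGE_MAP) -> dict:
    """Turn the coded fields into readable ones, per the Oracle excerpt."""
    f = record["fields"]
    action = int(f["ACTION"])
    rc = int(f.get("RETURNCODE", "0"))
    priv = f.get("PRIV$USED")
    # Assumption: PRIV$USED holds the positive form of the negative code used
    # as the key in SYSTEM_PRIVILEGE_MAP, hence the negation on lookup.
    return {
        "user": f.get("USERID"),
        "os_user": f.get("OS$USERID"),
        "from_host": f.get("USERHOST"),
        "action": actions.get(action, f"unknown action {action}"),
        "privilege": (privs.get(-int(priv), f"unknown privilege {priv}")
                      if priv else None),
        "outcome": "success" if rc == 0 else f"ORA-{rc:05d}",
    }


if __name__ == "__main__":
    rec = parse_audit_record(SAMPLE_LINE)
    print(decode_record(rec))
    print("length mismatches:", length_mismatches(rec))
```

Feeding this to a log pipeline gives the "clear text" the asker wanted at the consumer side rather than from Oracle itself, and the length check is worth keeping: a record whose declared and actual lengths disagree should be treated as suspect before its fields are trusted for alerting.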
