Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 5920
  • Last Modified:

Sending Oracle audit logs to syslog

Some of my oracle audit logs are located in /optware/oracle/admin/logs/ , each log is generated as a file in this directory. How do I send each of these logs in to the syslog.

Couple days back I have asked the same question and I have received an answer to set the following parameters
AUDIT_TRAIL=OS
and
AUDIT_SYSLOG_LEVEL=[facility].[level] e.g. "local0.info"

But Looks like this is not forwarding anything, Am I missing anything


SQL> show parameter audit;
 
NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
audit_file_dest                      string      /optware/oracle/admin/acceldev
                                                 /audit
audit_sys_operations                 boolean     FALSE
audit_syslog_level                   string      LOCAL0.INFO
audit_trail                          string      OS
SQL>

Open in new window

0
vishwakarmak
Asked:
vishwakarmak
  • 5
  • 4
1 Solution
 
woolmilkporcCommented:
Hi again,
if I remember well, it was me who told you to use the above parameters.
I don't know how familiar you are with syslog, so here are the steps to be taken at the AIX side -
- edit /etc/syslog.conf and add the line
local0.info /path/to/log/file
- issue  
touch /path/to/log/file
- issue
refresh -s syslogd
- verify the above by issuing
lssrc -ls syslogd
 Excuse me if you did that already, but I have to ask, as the ORACLE parameters should work as expected!
wmp
 
0
 
vishwakarmakAuthor Commented:
Thanks wmp, Let me try this....
0
 
vishwakarmakAuthor Commented:
Hello wmp,
Thanks again for your valueble solution. But here is the problem, The audit files are written to /optware/oracle/admin/logs/ as different files and syslog logs messages when written to a single file I guess. So what could be the solution in this scenario.

Also these is one imp thing I noticed, When I have set the Parameters I am no more seeing the /logs directory, So looks like it is trying to send the logs but its not knowing where...

So can you tell me how to set so that the audit logs are written to one single file

Thanks

0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 
woolmilkporcCommented:
Did you try what I suggested?
Syslog doesn't log files, but messages, and the messages go to the single file you specify in /etc/syslog.conf.
What's in there?
Syslog's log files can only be written if they exist (syslog doesn't create files), thus the 'touch' I suggested.
And, are you sure that you're talking about audit logs going to /optware/oracle/admin/logs/ ?
Where did you configure that directory? I can't see it in your post.
wmp
 
0
 
vishwakarmakAuthor Commented:
Hello WMP,

Continuing to what we are doing my audit is logging into  /optware/oracle/admin/s10dev/audit/ folder and I have many logs inside so I will go ahead and do

local0.info                                     /optware/oracle/admin/acceldev/audit/*.log  -> in my syslog conf

and will start/stop the syslog, Let me see if this works

Thanks
0
 
vishwakarmakAuthor Commented:
Hello wmp,

I dont think this will quite work as the syslog file should be something like

local0.info                                     /var/log/oracle.log

Since we have already told the audit logs to local0.info, I think it will route to oracle.log which I created

what do u think of this...???? As this approach also didnot quite work...
0
 
woolmilkporcCommented:
Well,

first: no asterisks (*) in syslog.conf, only complete filenames!

second: If syslog.conf looks like in your last post, and if you created that file and restarted syslogd, yes, the audit logs will go to /var/log/oracle.log. What's wrong with that? What else do you try to achieve?

Existing old logs in  /optware/oracle/admin/acceldev/audit will not be changed, removed or moved to the syslog file. Those old logs will stay there as they are.

wmp



0
 
vishwakarmakAuthor Commented:
Hello WMP,

I am finally able to get the logs in oracle.log but they dont seem to make any sense as here is what I get in the syslog

May 11 15:02:04 sundev13 Oracle Audit[20364]: [ID 748625 local0.info] LENGTH: "220" SESSIONID:[8] "1 2759424" ENTRYID:[1] "1" STATEMENT:[1] "1" USERID:[5] "DBMON" USERHOST:[8] "sundev13" ACTION:[3] "100" RETURNCODE:[1] "0" COMMENT$TEXT:[20] "Authenticated by: OS" OS$USERID:[5] "dbmon" PRIV$USED:[1] "5"

But if I cat my log in /optware/oracle/admin/acceldev/audit, Its totally different but I can see the fields, So is there anything on the oracle config that has to be changed to log in clear text

Thanks


0
 
woolmilkporcCommented:
I'm afraid there is no chance to get clear text.
This is what ORACLE says:

9.5.4.4 Decoding Operating System Audit Trial Records
Oracle Database encodes the operating system audit trail records. You can decode this information by referring to the appropriate data dictionary tables and error messages.
Table 9-5 describes the information that is encoded and where you can find its decoded version.  
Table 9-5 Encoding Information in Audit Trail Records    Encoded Information How to Decode      
Action code  
Describes the operation performed or attempted, using codes listed in the AUDIT_ACTIONS data dictionary table, with their descriptions.    
Privileges used  
Describes any system privileges used to perform the operation, using codes listed in the SYSTEM_PRIVILEGE_MAP table, with their descriptions.    
Completion code  
Describes the result of the attempted operation, using codes listed in Oracle Database Error Messages, with their descriptions. Successful operations return a value of zero, and unsuccessful operations return an Oracle Database error code corresponding to the reason the operation was unsuccessful.

The complete text is here. Maybe you find some more/more useful information:

http://mis3nt.gsnu.ac.kr/PublicData/Oracle11gDoc/network.111/b28531/auditing.htm#BCGIICFE

wmp


0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 5
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now