Solved

Sending Oracle audit logs to syslog

Posted on 2009-05-11
9
5,028 Views
Last Modified: 2013-11-17
Some of my oracle audit logs are located in /optware/oracle/admin/logs/ , each log is generated as a file in this directory. How do I send each of these logs in to the syslog.

Couple days back I have asked the same question and I have received an answer to set the following parameters
AUDIT_TRAIL=OS
and
AUDIT_SYSLOG_LEVEL=[facility].[level] e.g. "local0.info"

But Looks like this is not forwarding anything, Am I missing anything


SQL> show parameter audit;
 

NAME                                 TYPE        VALUE

------------------------------------ ----------- ------------------------------

audit_file_dest                      string      /optware/oracle/admin/acceldev

                                                 /audit

audit_sys_operations                 boolean     FALSE

audit_syslog_level                   string      LOCAL0.INFO

audit_trail                          string      OS

SQL>

Open in new window

0
Comment
Question by:vishwakarmak
  • 5
  • 4
9 Comments
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 24354075
Hi again,
if I remember well, it was me who told you to use the above parameters.
I don't know how familiar you are with syslog, so here are the steps to be taken at the AIX side -
- edit /etc/syslog.conf and add the line
local0.info /path/to/log/file
- issue  
touch /path/to/log/file
- issue
refresh -s syslogd
- verify the above by issuing
lssrc -ls syslogd
 Excuse me if you did that already, but I have to ask, as the ORACLE parameters should work as expected!
wmp
 
0
 

Author Comment

by:vishwakarmak
ID: 24354281
Thanks wmp, Let me try this....
0
 

Author Comment

by:vishwakarmak
ID: 24354826
Hello wmp,
Thanks again for your valueble solution. But here is the problem, The audit files are written to /optware/oracle/admin/logs/ as different files and syslog logs messages when written to a single file I guess. So what could be the solution in this scenario.

Also these is one imp thing I noticed, When I have set the Parameters I am no more seeing the /logs directory, So looks like it is trying to send the logs but its not knowing where...

So can you tell me how to set so that the audit logs are written to one single file

Thanks

0
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 24354962
Did you try what I suggested?
Syslog doesn't log files, but messages, and the messages go to the single file you specify in /etc/syslog.conf.
What's in there?
Syslog's log files can only be written if they exist (syslog doesn't create files), thus the 'touch' I suggested.
And, are you sure that you're talking about audit logs going to /optware/oracle/admin/logs/ ?
Where did you configure that directory? I can't see it in your post.
wmp
 
0
IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 

Author Comment

by:vishwakarmak
ID: 24357222
Hello WMP,

Continuing to what we are doing my audit is logging into  /optware/oracle/admin/s10dev/audit/ folder and I have many logs inside so I will go ahead and do

local0.info                                     /optware/oracle/admin/acceldev/audit/*.log  -> in my syslog conf

and will start/stop the syslog, Let me see if this works

Thanks
0
 

Author Comment

by:vishwakarmak
ID: 24357679
Hello wmp,

I dont think this will quite work as the syslog file should be something like

local0.info                                     /var/log/oracle.log

Since we have already told the audit logs to local0.info, I think it will route to oracle.log which I created

what do u think of this...???? As this approach also didnot quite work...
0
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 24358381
Well,

first: no asterisks (*) in syslog.conf, only complete filenames!

second: If syslog.conf looks like in your last post, and if you created that file and restarted syslogd, yes, the audit logs will go to /var/log/oracle.log. What's wrong with that? What else do you try to achieve?

Existing old logs in  /optware/oracle/admin/acceldev/audit will not be changed, removed or moved to the syslog file. Those old logs will stay there as they are.

wmp



0
 

Author Comment

by:vishwakarmak
ID: 24359019
Hello WMP,

I am finally able to get the logs in oracle.log but they dont seem to make any sense as here is what I get in the syslog

May 11 15:02:04 sundev13 Oracle Audit[20364]: [ID 748625 local0.info] LENGTH: "220" SESSIONID:[8] "1 2759424" ENTRYID:[1] "1" STATEMENT:[1] "1" USERID:[5] "DBMON" USERHOST:[8] "sundev13" ACTION:[3] "100" RETURNCODE:[1] "0" COMMENT$TEXT:[20] "Authenticated by: OS" OS$USERID:[5] "dbmon" PRIV$USED:[1] "5"

But if I cat my log in /optware/oracle/admin/acceldev/audit, Its totally different but I can see the fields, So is there anything on the oracle config that has to be changed to log in clear text

Thanks


0
 
LVL 68

Accepted Solution

by:
woolmilkporc earned 500 total points
ID: 24359335
I'm afraid there is no chance to get clear text.
This is what ORACLE says:

9.5.4.4 Decoding Operating System Audit Trial Records
Oracle Database encodes the operating system audit trail records. You can decode this information by referring to the appropriate data dictionary tables and error messages.
Table 9-5 describes the information that is encoded and where you can find its decoded version.  
Table 9-5 Encoding Information in Audit Trail Records    Encoded Information How to Decode      
Action code  
Describes the operation performed or attempted, using codes listed in the AUDIT_ACTIONS data dictionary table, with their descriptions.    
Privileges used  
Describes any system privileges used to perform the operation, using codes listed in the SYSTEM_PRIVILEGE_MAP table, with their descriptions.    
Completion code  
Describes the result of the attempted operation, using codes listed in Oracle Database Error Messages, with their descriptions. Successful operations return a value of zero, and unsuccessful operations return an Oracle Database error code corresponding to the reason the operation was unsuccessful.

The complete text is here. Maybe you find some more/more useful information:

http://mis3nt.gsnu.ac.kr/PublicData/Oracle11gDoc/network.111/b28531/auditing.htm#BCGIICFE

wmp


0

Featured Post

Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

Join & Write a Comment

Suggested Solutions

When you do backups in the Solaris Operating System, the file system must be inactive. Otherwise, the output may be inconsistent. A file system is inactive when it's unmounted or it's write-locked by the operating system. Although the fssnap utility…
I promised to write further about my project, and here I am.  First, I needed to setup the Primary Server.  You can read how in this article: Setup FreeBSD Server with full HDD encryption (http://www.experts-exchange.com/OS/Unix/BSD/FreeBSD/A_3660-S…
Learn how to find files with the shell using the find and locate commands. Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:
In a previous video, we went over how to export a DynamoDB table into Amazon S3.  In this video, we show how to load the export from S3 into a DynamoDB table.

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now