Solved

Fetching Logs from Oracle DB on Red Hat

  • 24 January 2022
  • 3 replies
  • 148 views

Hello everyone,

I want to collect Oracle DB logs on Red Hat with the SCP fetcher. Does anyone know the exact locations of the logs?

NB: I have already tried with the redo*.logs, but they are not readable.

Regards


Best answer by Nils Krumey 25 January 2022, 11:29


3 replies


Hi!

When trying to collect logs from Oracle, the redo logs are definitely not what you want because they are database transaction logs that are used for the integrity of the database and for rollbacks, backups etc. - they are not “logs” in the SIEM sense that would tell us about what is going on in the system.

So, the question would be what you actually want to know about your Oracle database, and the answer is probably audit logs - i.e. a list of activity that is performed against your database, deletes, configuration changes etc. 

I am not an Oracle DBA so my knowledge here is limited, but I understand that there are several different ways of writing audit logs with Oracle that have also changed over the various versions.

By default, “Mixed Mode Auditing” is active, which uses the older 11g audit facilities. Using the AUDIT_TRAIL parameter, there are options for writing these to a file. This file could be collected via SCP, but this can also be configured to forward directly via Syslog to LogPoint, which is probably the better option. I understand that our prebuilt normalisers are targeted against this Mixed Mode audit log.

I believe we don’t support the newer “Unified Auditing” mode, which doesn’t store audit data in files but instead populates the AUDSYS schema. Although we have an Oracle fetcher that can read from Oracle database tables, I’ve been given to understand that it would need modification before it can fetch this audit table.

I did however find that it is possible to send a subset of fields from the Unified Audit Logs via Syslog - https://docs.oracle.com/en/database/oracle/oracle-database/21/dbseg/administering-the-audit-trail.html#GUID-9A2B93A7-4166-4F29-B406-4AE6C6141ADD

That might be an option if you are keen to use the Unified Audit Logs - I don’t know what the implications are of the missing fields compared to the AUDSYS Schema or indeed the old “mixed mode” logs. But once we have the data the worst case would be that we would have to write a different normaliser. I can see that you have already opened a Support ticket so they will hopefully be able to advise further.
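As an added example (not part of the thread or of LogPoint's own material), here are the traditional-audit parameters the answer above refers to, checked and set from SQL*Plus as SYSDBA; the parameter names are Oracle's own, while the facility/level value and the LogPoint hostname are assumptions to be replaced.

```sql
-- Added example: inspect and configure Oracle traditional (Mixed Mode)
-- auditing so that records land in OS files and/or syslog on the
-- Red Hat host. Run as SYSDBA. Assumed values: LOCAL1.WARNING as the
-- syslog facility.level and logpoint.example.net as the collector.

-- 1. What is in place now? audit_trail = NONE means nothing is written,
--    DB means records go to SYS.AUD$ (not to a file), OS/XML to files
--    under audit_file_dest.
SELECT name, value
  FROM v$parameter
 WHERE name IN ('audit_trail', 'audit_file_dest', 'audit_syslog_level');

-- 2. Write standard audit records to OS text files (*.aud) in
--    audit_file_dest. Both parameters are static, so SCOPE=SPFILE and a
--    database restart are required before they take effect.
ALTER SYSTEM SET audit_trail = OS SCOPE = SPFILE;

-- 3. Route the same records to the local syslog daemon instead of the
--    .aud files (with audit_trail = OS, standard and mandatory records
--    go to syslog once this is set). rsyslog on the Red Hat host then
--    forwards the facility to LogPoint, e.g. in /etc/rsyslog.d/oracle.conf:
--        local1.*    @@logpoint.example.net:514
ALTER SYSTEM SET audit_syslog_level = 'LOCAL1.WARNING' SCOPE = SPFILE;

-- 4. A destination alone produces almost nothing; choose what to audit.
--    Logons/logoffs plus the privileged actions a SIEM usually wants.
AUDIT SESSION;
AUDIT ALTER SYSTEM, CREATE USER, ALTER USER, DROP USER;
AUDIT GRANT ANY PRIVILEGE, GRANT ANY ROLE;

-- 5. Alternative for databases that already use Unified Auditing:
--    the unified trail stays in AUDSYS, but a subset of fields of each
--    record can additionally be sent to syslog via this (static) parameter.
ALTER SYSTEM SET unified_audit_systemlog = 'LOCAL1.WARNING' SCOPE = SPFILE;
```

After the restart, confirm with the query in step 1 and watch for new entries in the rsyslog destination before pointing a normaliser at them.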


Hi Nils,

Thanks for your clear answer.

Regards

Can someone give the path of the audit logs of Oracle in Red Hat Unix?
