Send Oracle Audit to rsyslog
December 16, 2016
In our database, auditing is turned on for some operations and the audit records are written to the OS.
SYS> show parameter audit_file_dest

NAME               TYPE        VALUE
------------------ ----------- ------------------------------
audit_file_dest    string      /u01_log/audit/orcl

SYS> show parameter audit_trail

NAME               TYPE        VALUE
------------------ ----------- -----------
audit_trail        string      OS
Our security administrators use a SIEM to monitor suspicious activity, and they want the database to send its audit records to this third-party tool.
I thought that I could somehow indicate the directory “/u01_log/audit/orcl” from where the *.aud files would be uploaded to the SIEM, but I was wrong. Some tools may be able to use these *.aud files, but not the SIEM, so let’s configure our database to be able to send audit records to it.
1. Connect to a database instance as sysdba user
SQL> connect / as sysdba
2. Set audit trail to OS
SQL> alter system set audit_trail=OS scope=spfile;
-- audit_trail is a static parameter, so it can only be changed in the spfile and takes effect after the restart in step 5
3. Enable auditing of SYS operations if you also need to audit the activity of the SYS user (optional)
SQL> alter system set audit_sys_operations=TRUE scope=spfile;
-- audit_sys_operations is static as well and needs the same restart
4. Set the rsyslog facility and severity (needs a database restart)
SQL> alter system set audit_syslog_level=local5.info scope=spfile sid='*';
5. Restart database
SQL> shutdown immediate;
SQL> startup;
6. Edit the rsyslog.conf file
#Saving oracle database audit records
local5.info /u01_log/audit/RSYSLOG/dbaudit.log
#Send oracle database audit trail to remote rsyslog server
local5.info @192.168.0.15
7. Restart rsyslog service
# service rsyslog restart
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
8. It is better to limit the size of the audit log, or it may fill up the disk:
# vi /etc/logrotate.d/oracle.audit
#Created by MariK
/u01_log/audit/RSYSLOG/dbaudit.log {
    rotate 3
    compress
    missingok
    notifempty
    size 40G
    postrotate
        service rsyslog restart
    endscript
}
To check the syntax, run:
# logrotate /etc/logrotate.d/oracle.audit
It will tell you if there is an error; if the syntax is OK, there is no output. Note that without the -d (debug) flag this command also performs the rotation if the 40G threshold has already been reached; logrotate -d only reports what it would do without touching the log.
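To see what the receiving side (the remote rsyslog at 192.168.0.15, or the SIEM behind it) actually gets from this setup, here is an added example that is not part of the original post: it computes the syslog PRI that the local5.info selector matches on, parses the audit records and picks out successful SYSDBA connects. The KEY :[len] 'value' record layout and the sample datagrams are assumptions constructed for the example.

```python
import re
# RFC 3164 arithmetic: PRI = facility * 8 + severity. The post's selector is local5.info.
FACILITIES = {"local0": 16, "local1": 17, "local2": 18, "local3": 19,
              "local4": 20, "local5": 21, "local6": 22, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}

def syslog_pri(selector):
    """'local5.info' -> 174, the <PRI> value rsyslog matches the selector against."""
    facility, severity = selector.split(".")
    return FACILITIES[facility] * 8 + SEVERITIES[severity]

def decode_pri(pri):
    """Inverse: 174 -> ('local5', 'info'); non-local facilities come back as a number string."""
    fac_num, sev_num = divmod(pri, 8)
    facility = {v: k for k, v in FACILITIES.items()}.get(fac_num, str(fac_num))
    return facility, {v: k for k, v in SEVERITIES.items()}[sev_num]

# Assumed layout of an Oracle OS/syslog audit record: repeated  KEY :[len] 'value'  pairs.
FIELD_RE = re.compile(r"([A-Z][A-Z ]*?)\s*:\s*\[(\d+)\]\s*'([^']*)'")
def parse_audit_record(msg):
    """Return the record's fields as a dict; a declared [len] that disagrees with the value is rejected."""
    fields = {}
    for key, length, value in FIELD_RE.findall(msg):
        if int(length) != len(value):
            raise ValueError(f"{key}: declared length {length}, actual {len(value)}")
        fields[key] = value
    return fields

def sysdba_connects(lines):
    """(client OS user, terminal) for every successful SYSDBA CONNECT seen on local5.info."""
    hits = []
    for line in lines:
        pri, msg = re.match(r"<(\d+)>(.*)", line).groups()
        if decode_pri(int(pri)) != ("local5", "info"):
            continue                       # some other daemon's log, not the audit stream
        f = parse_audit_record(msg)
        if f.get("ACTION") == "CONNECT" and f.get("PRIVILEGE") == "SYSDBA" and f.get("STATUS") == "0":
            hits.append((f["CLIENT USER"], f["CLIENT TERMINAL"]))
    return hits

# Constructed sample datagrams, as the remote rsyslog at 192.168.0.15 would receive them
SAMPLE_LINES = [
    "<174>Oracle Audit[4321]: LENGTH : '200' ACTION :[7] 'CONNECT' DATABASE USER:[1] '/' "
    "PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'oracle' CLIENT TERMINAL:[5] 'pts/0' STATUS:[1] '0'",
    "<174>Oracle Audit[4322]: LENGTH : '190' ACTION :[7] 'CONNECT' DATABASE USER:[5] 'SCOTT' "
    "PRIVILEGE :[4] 'NONE' CLIENT USER:[6] 'jsmith' CLIENT TERMINAL:[5] 'pts/3' STATUS:[4] '1017'",
    "<182>sshd[77]: Accepted publickey for oracle from 10.0.0.9",  # local6.info, ignored
]
```

The length check matters when the SIEM parses free-text records: a value whose declared length does not match is a truncated or tampered line and should be alerted on rather than silently indexed.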