Oracle Audit Trail

GambitK · June 19, 2017, 2:30pm

Hello, I'm trying to get oracle audit trail using logstash, what options I have that could help me achieve that.

I wanted to use audit trail to OS but the columns sql_bind, sql_text are not written so I only have two options: DB, EXTENDED and XML, EXTENDED has anyone here had any experience with getting audit logs out of oracle using logstash or another open source tool.

Thanks.

magnusbaeck · June 22, 2017, 5:25am

People here know Logstash but typically not Oracle. If you explain how Oracle audit logs are extracted in the general case we can help you figure out how to do it with Logstash.

GambitK · July 4, 2017, 12:45pm

This an example of the format of the file. I've been trying a combination of multiline with xml filter but haven't been able to.

gist.github.com

https://gist.github.com/GambitK/38c9894018672fef8f9d1955a962fb30

oracle.xml

<?xml version="1.0" encoding="UTF-8"?>
  <Audit xmlns="http://xmlns.oracle.com/oracleas/schema/dbserver_audittrail-10_2.xsd"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xsi:schemaLocation="http://xmlns.oracle.com/oracleas/schema/dbserver_audittrail-10_2.xsd">
   <Version>10.2</Version>
<AuditRecord><Audit_Type>1</Audit_Type><Session_Id>138011098</Session_Id><StatementId>1</StatementId><EntryId>1</EntryId><Extended_Timestamp>2012-11-28T12:53:34.816405</Extended_Timestamp><DB_User>CR</DB_User><OS_User>asoliz</OS_User><Userhost>svrdb11</Userhost><OS_Process>27047</OS_Process><Instance_Number>0</Instance_Number><Action>100</Action><TransactionId>0000000000000000</TransactionId><Returncode>0</Returncode>
<Comment_Text>Authenticated by: DATABASE; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.24)(PORT=54364))</Comment_Text>
</AuditRecord>
<AuditRecord><Audit_Type>1</Audit_Type><Session_Id>138011098</Session_Id><EntryId>2</EntryId><Extended_Timestamp>2012-11-28T12:53:44.985232</Extended_Timestamp><DB_User>CR</DB_User><OS_User>asoliz</OS_User><Userhost>svrdb11</Userhost><Instance_Number>0</Instance_Number><Action>101</Action><Returncode>0</Returncode>
</AuditRecord>

This file has been truncated. show original

magnusbaeck · July 4, 2017, 1:07pm

If you show us what you have so far it'll be easier to help.

GambitK · July 4, 2017, 1:12pm

Here is my current config:

input {
  file {
    type => "oracle_listener"
    path => "/opt/app/oracle/admin/tcrdj/adump/*.xml"

    codec => multiline {
      pattern => "<AuditRecord>"
      negate => true
      what => "previous"
    }

    start_position => "beginning"
    sincedb_path => "/opt/logstash/oracle_listener_sincedb"
  }
}

filter {
    mutate {
      gsub => ["message", "\u0000", ""]
      gsub => ["message", "\u0000\n", ""]
      #gsub => ["message", "\xD3N", "ON"]
      gsub => ["message", ">=", "GE"]
      gsub => ["message", "<>", "NE"]
      gsub => ["message", "<=", "LE"]
      gsub => ["message", " < ", "LT"]
      gsub => ["message", " > ", "GT"]
    }

    xml {
      source => "message"
      target => "xmlresult"
    }
}

output {
    stdout {
      codec => "rubydebug"
    }
}

magnusbaeck · July 4, 2017, 1:38pm

Okay, that doesn't look too bad. What do you get when you run that configuration?

GambitK · July 4, 2017, 2:00pm

Seems like sometimes there's an unwanted close tag that breaks standard xml, it happens because the files are generated and may be written again if the file exists.

Here's the output using the input and conf that I have already posted.

gist.github.com

https://gist.github.com/GambitK/850804b4e6827ab0034528583e2c3014

result.txt

[2017-07-04T13:57:33,664][WARN ][logstash.filters.xml     ] Error parsing xml with XmlSimple {:source=>"message", :value=>"<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n  <Audit xmlns=\"http://xmlns.oracle.com/oracleas/schema/dbserver_audittrail-10_2.xsd\"\n   xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\n   xsi:schemaLocation=\"http://xmlns.oracle.com/oracleas/schema/dbserver_audittrail-10_2.xsd\">\n   <Version>10.2</Version>", :exception=>#<REXML::ParseException: #<REXML::ParseException: No close tag for /Audit>
/opt/logstash/vendor/jruby/lib/ruby/1.9/rexml/parsers/treeparser.rb:28:in `parse'
/opt/logstash/vendor/jruby/lib/ruby/1.9/rexml/document.rb:249:in `build'
/opt/logstash/vendor/jruby/lib/ruby/1.9/rexml/document.rb:43:in `initialize'
/opt/logstash/vendor/bundle/jruby/1.9/gems/xml-simple-1.1.5/lib/xmlsimple.rb:971:in `parse'
/opt/logstash/vendor/bundle/jruby/1.9/gems/xml-simple-1.1.5/lib/xmlsimple.rb:164:in `xml_in'
/opt/logstash/vendor/bundle/jruby/1.9/gems/xml-simple-1.1.5/lib/xmlsimple.rb:203:in `xml_in'
/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-filter-xml-4.0.2/lib/logstash/filters/xml.rb:182:in `filter'
/opt/logstash/logstash-core/lib/logstash/filters/base.rb:145:in `do_filter'
/opt/logstash/logstash-core/lib/logstash/filters/base.rb:164:in `multi_filter'

This file has been truncated. show original

magnusbaeck · July 4, 2017, 2:31pm

Yeah, I guess you're picking up the final at the end of each file. I suggest you parse each file in one swoop and use a split filter after the xml filter to splice the field containing the list of AuditRecord entries so you get one AuditRecord per event.

system · August 1, 2017, 2:31pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.