Oracle Audit Trail

Hello, I'm trying to get oracle audit trail using logstash, what options I have that could help me achieve that.

I wanted to use audit trail to OS but the columns sql_bind, sql_text are not written so I only have two options: DB, EXTENDED and XML, EXTENDED has anyone here had any experience with getting audit logs out of oracle using logstash or another open source tool.


People here know Logstash but typically not Oracle. If you explain how Oracle audit logs are extracted in the general case we can help you figure out how to do it with Logstash.

This an example of the format of the file. I've been trying a combination of multiline with xml filter but haven't been able to.

If you show us what you have so far it'll be easier to help.

Here is my current config:

input {
  file {
    type => "oracle_listener"
    path => "/opt/app/oracle/admin/tcrdj/adump/*.xml"

    codec => multiline {
      pattern => "<AuditRecord>"
      negate => true
      what => "previous"

    start_position => "beginning"
    sincedb_path => "/opt/logstash/oracle_listener_sincedb"

filter {
    mutate {
      gsub => ["message", "\u0000", ""]
      gsub => ["message", "\u0000\n", ""]
      #gsub => ["message", "\xD3N", "ON"]
      gsub => ["message", ">=", "GE"]
      gsub => ["message", "<>", "NE"]
      gsub => ["message", "<=", "LE"]
      gsub => ["message", " < ", "LT"]
      gsub => ["message", " > ", "GT"]

    xml {
      source => "message"
      target => "xmlresult"

output {
    stdout {
      codec => "rubydebug"

Okay, that doesn't look too bad. What do you get when you run that configuration?

Seems like sometimes there's an unwanted close tag that breaks standard xml, it happens because the files are generated and may be written again if the file exists.

Here's the output using the input and conf that I have already posted.

Yeah, I guess you're picking up the final at the end of each file. I suggest you parse each file in one swoop and use a split filter after the xml filter to splice the field containing the list of AuditRecord entries so you get one AuditRecord per event.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.