Parsing issue with oracle db integration

Hi all,

I want to monitor Oracle DB audit logs. The Elastic Agent is installed on the host, and I have added the Oracle DB integration v1.31.0 and enabled it to receive the audit logs, adding the path to the audit log file. The data is received but not parsed; I see the parsing error: Provided Grok expressions do not match field value. The path is correct.

What can be the issue? Are there any other requirements missing? Why can't the built-in Oracle DB integration parse the logs?

Thanks

Hi @Alaeddine_khadraoui, Welcome to the community.

First, what version of the Elastic Stack are you on? Always include that in your question.

Good question, but if you want help, you need to provide a sample of the logs that are not parsed correctly.

First, turn on preserve original event.

Then you will need to go to Kibana - Discover, find one of the messages that does not parse, and copy the ENTIRE JSON here (redact any private information), but change as little as possible; if you change it too much, we will not be able to tell.

1 Like

Hi @stephenb,
Thanks for your reply.

All incoming docs are not parsed.

The path provided: /var/log/file_name.log

Example of an incoming message (the field value contains several audit records, one per line):

Oct 8 14:26:38 HOSTNAME journal: Oracle Unified Audit[PID]: LENGTH: '191' TYPE:"4" DBID:"XXXX" SESID:"XXXX" CLIENTID:"" ENTRYID:"59" STMTID:"4601" DBUSER:"USER" CURUSER:"USER" ACTION:"3" RETCODE:"0" SCHEMA:"USER" OBJNAME:"OBJECT_1"
Oct 8 14:26:38 HOSTNAME journal: Oracle Unified Audit[PID]: LENGTH: '188' TYPE:"4" DBID:"XXXX" SESID:"XXXX" CLIENTID:"" ENTRYID:"60" STMTID:"4601" DBUSER:"USER" CURUSER:"USER" ACTION:"3" RETCODE:"0" SCHEMA:"USER" OBJNAME:"OBJECT_2"
Oct 8 14:26:38 HOSTNAME journal: Oracle Unified Audit[PID]: LENGTH: '187' TYPE:"4" DBID:"XXXX" SESID:"XXXX" CLIENTID:"" ENTRYID:"61" STMTID:"4601" DBUSER:"USER" CURUSER:"USER" ACTION:"3" RETCODE:"0" SCHEMA:"USER" OBJNAME:"OBJECT_3"
Oct 8 14:26:38 HOSTNAME journal: Oracle Unified Audit[PID]: LENGTH: '188' TYPE:"4" DBID:"XXXX" SESID:"XXXX" CLIENTID:"" ENTRYID:"62" STMTID:"4601" DBUSER:"USER" CURUSER:"USER" ACTION:"3" RETCODE:"0" SCHEMA:"USER" OBJNAME:"OBJECT_4"
Oct 8 14:26:40 HOSTNAME journal: Oracle Unified Audit[PID]: LENGTH: '191' TYPE:"4" DBID:"XXXX" SESID:"XXXX" CLIENTID:"" ENTRYID:"63" STMTID:"4817" DBUSER:"USER" CURUSER:"USER" ACTION:"3" RETCODE:"0" SCHEMA:"USER" OBJNAME:"OBJECT_5"


Your logs are completely different from the ones that the integration expects.

According to the integration test files, the audit logs need to be in this format:

Wed Oct 21 11:58:08 2020 -04:00
LENGTH : '392'
ACTION :[151] 'select /*+ opt_param('parallel_execution_enabled',
                                   'false') EXEC_FROM_DBMS_XPLAN */ * from gv$all_sql_plan where 1=0'
DATABASE USER:[1] '/'
PRIVILEGE :[4] 'NONE'
CLIENT USER:[0] ''
CLIENT TERMINAL:[7] 'UNKNOWN'
STATUS:[1] '0'
DBID:[10] '2824230686'
SESSIONID:[1] '0'
USERHOST:[13] 'testlab.local'
CLIENT ADDRESS:[0] ''
ACTION NUMBER:[1] '3'

I'm not sure how you configure Oracle to log in this way, as I do not use it, but it seems that it may have multiple audit types and formats; unfortunately, it is not clear in the integration documentation which one you need and how to configure it.

These are different from the .aud files, which have (like me) been around since the 1990s. They are also what the integration expects (see screenshot from @stephenb).

At some point Oracle also introduced "Unified Auditing", and these styles continue to co-exist AFAIK.

The integration documentation has:

"This integration is for ingesting Audit Trail logs and fetching performance, tablespace and sysmetric metrics from Oracle Databases. The integration expects an *.aud audit file that is generated from Oracle Databases by default. If this has been disabled then please see the Oracle Database Audit Trail Documentation."

That link says:

Mixed mode auditing is the default auditing in a newly installed database.

Those docs give you ways to find out what you are currently using, and also how to change that configuration to generate .aud files if that is necessary, though obviously you would be wise to carefully consider all the side effects of doing so.

In short, using the integration to monitor your Oracle DB is probably not quite as "plug and play" as you had hoped.

1 Like
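Added example, not part of the thread and not code from the Elastic Oracle integration: a small Python script that tells the two formats discussed above apart and parses the journal-style "Oracle Unified Audit" lines from the poster's sample into key/value records, which is what a custom ingest pipeline or Grok pattern would have to extract. The sample lines are constructed placeholders modelled on the post; the field names (LENGTH, TYPE, DBID, RETCODE, OBJNAME, ...) are the ones visible in it. The function names, the format-detection heuristics and the non-zero RETCODE filter are my own assumptions.

```python
import re
from typing import Optional

# Constructed sample in the syslog/journal "Oracle Unified Audit" shape the poster
# showed. Values are placeholders, not real audit data; RETCODE 1017 is included only
# to exercise the failed-action filter below.
SAMPLE_SYSLOG = """Oct 8 14:26:38 HOSTNAME journal: Oracle Unified Audit[PID]: LENGTH: '191' TYPE:"4" DBID:"XXXX" SESID:"XXXX" CLIENTID:"" ENTRYID:"59" STMTID:"4601" DBUSER:"USER" CURUSER:"USER" ACTION:"3" RETCODE:"0" SCHEMA:"USER" OBJNAME:"OBJECT_1"
Oct 8 14:26:40 HOSTNAME journal: Oracle Unified Audit[PID]: LENGTH: '191' TYPE:"4" DBID:"XXXX" SESID:"XXXX" CLIENTID:"" ENTRYID:"63" STMTID:"4817" DBUSER:"USER" CURUSER:"USER" ACTION:"3" RETCODE:"1017" SCHEMA:"USER" OBJNAME:"OBJECT_5"
"""

# Constructed sample in the traditional multi-line .aud trail shape quoted in the thread.
SAMPLE_AUD = """Wed Oct 21 11:58:08 2020 -04:00
LENGTH : '392'
ACTION :[151] 'select * from gv$all_sql_plan where 1=0'
DATABASE USER:[1] '/'
STATUS:[1] '0'
DBID:[10] '2824230686'
"""

# Syslog header: "<Mon> <day> <HH:MM:SS> <host> journal: Oracle Unified Audit[<pid>]: LENGTH: '<n>' <body>"
SYSLOG_HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) journal: Oracle Unified Audit\[(?P<pid>[^\]]*)\]: "
    r"LENGTH: '(?P<length>\d+)' (?P<body>.*)$"
)
# Body is a run of KEY:"value" pairs; empty values (CLIENTID:"") are legal.
KV = re.compile(r'(?P<key>[A-Z_]+):"(?P<val>[^"]*)"')


def detect_format(text: str) -> str:
    """Heuristic (assumption): .aud trails carry a "LENGTH : '<n>'" line on its own,
    whereas the journal feed carries the literal "Oracle Unified Audit[" marker."""
    if "Oracle Unified Audit[" in text:
        return "unified_syslog"
    if re.search(r"^LENGTH : '\d+'", text, re.M):
        return "aud_trail"
    return "unknown"


def parse_unified_syslog_line(line: str) -> Optional[dict]:
    """Parse one journal-style line into a flat dict; return None if it does not match."""
    m = SYSLOG_HEADER.match(line.strip())
    if not m:
        return None
    record = {
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "pid": m.group("pid"),
        "length": int(m.group("length")),
    }
    for kv in KV.finditer(m.group("body")):
        record[kv.group("key")] = kv.group("val")
    return record


def parse_unified_syslog(text: str) -> list:
    """Parse every non-empty line, silently skipping lines that do not match."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_unified_syslog_line(line)
        if rec is not None:
            records.append(rec)
    return records


def failed_actions(records: list) -> list:
    """Records whose RETCODE is non-zero, i.e. the audited action did not succeed."""
    return [r for r in records if r.get("RETCODE", "0") != "0"]


if __name__ == "__main__":
    print("syslog sample format:", detect_format(SAMPLE_SYSLOG))
    print(".aud sample format:  ", detect_format(SAMPLE_AUD))
    recs = parse_unified_syslog(SAMPLE_SYSLOG)
    for r in recs:
        print(r["timestamp"], r["DBUSER"], "action", r["ACTION"], "on", r["OBJNAME"], "rc", r["RETCODE"])
    print("failed actions:", [r["ENTRYID"] for r in failed_actions(recs)])
```

Run it against the original (non-redacted) journal feed to confirm every line parses before building an ingest pipeline around these patterns; any line that comes back as None is one the integration's .aud Grok would also reject.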