Documentation Center
AlienVault® USM Anywhere™

Oracle Audit Logs

When you configure Oracle Audit Logs integration to send log data to USM Anywhere, you can use the Oracle Audit Logs plugin to translate the raw log data into normalized events for analysis.

Device Details
Device vendor Oracle
Device type Operating system
Connection type syslog
Vendor link https://docs.oracle.com/cd/E36784_01/html/E37127/audittask-11.html

Integrating Oracle Audit Logs

Before you configure the integration, you must have the IP Address of the USM AnywhereUSM Appliance Sensor. This integration includes the following tasks:

You can instruct the audit service to copy some or all of the audit records in the audit queue to the syslog utility.

If you record both binary audit data and text summaries, the binary data provide a complete audit record, whereas the summaries filter the data for real-time review.

Configuring Audit Classes for the syslog Plugin

To configure audit classes for the syslog plugin

  1. Select audit classes to be sent to the audit_syslog plugin, and make the plugin active.

    # auditconfig -setplugin audit_syslog \

    active p_flags=lo,+as,-ss

    Note: You must preselect p_flags audit classes as either system defaults or in the audit flags of a user or a rights profile. Records are not collected for a class that is not preselected.

  2. Configure the syslog utility by adding an audit notice entry to the syslog.conf file.

    The entry includes the location of the log file.

    # cat /etc/syslog.conf

    audit.notice /var/adm/auditlog

  3. Create the log file:

    # touch /var/adm/auditlog

  4. Set the log file permissions to 640:

    # chmod 640 /var/adm/auditlog

  5. Verify which system-log service is running:

    # svcs system-log

    STATE STIME FMRI

    online Nov_27 svc:/system/system-log:default

    disabled Nov 27 svc:/system/system-log:rsyslog

  6. Refresh the configuration information for the active syslog service instance:

    # svcadm refresh system/system-log:default

  7. Refresh the audit service:

    # audit -s

    Note: The audit service reads the changes to the audit plugin when refreshed.

Specifying Audit Classes for syslog Output

In the following example, the syslog utility collects a subset of the preselected audit classes. The pf class is created in Example 3–15 of the vendor documentation.)

# auditconfig -setnaflags lo,na

# auditconfig -setflags lo,ss

# usermod -K audit_flags=pf:no jdoe

# auditconfig -setplugin audit_syslog \

active p_flags=lo,+na,-ss,+pf

The arguments to the auditconfig command instruct the system to collect all login/logout, non-attributable, and change-of-system-state audit records.

The audit_syslog plugin entry instructs the syslog utility to collect:

  • All logins
  • Successful, non-attributable events
  • Failed changes of system state

The binary utility collects successful and failed calls to the pfexec command.

The syslog utility collects successful calls to the pfexec command.

Putting syslog Audit Records on the USM Anywhere Sensor

You can change the audit.notice entry in the syslog.conf file to point to the USM Anywhere Sensor.

In this example, the name of the local system is sys1.1.

Visible after the ampersand (@), is the IP address of the USM Anywhere Sensor.

sys1.1 # cat /etc/syslog.conf

audit.notice @<IP_address_of_USMAnywhere_Sensor>

The audit.notice entry in the syslog.conf file on the USM Anywhere system points to the log file.

<IP_address_of_USMAnywhere_Sensor> # cat /etc/syslog.conf

audit.notice /var/adm/auditlog

Archiving syslog Audit Log Files

Because the audit service can generate extensive output, manage the logs as documented on the logadm(1M) man page.

Plugin Enablement

The Oracle Audit Logs plugin automatically processes all messages when the raw message contains the value "Oracle Audit".

Available Plugin Fields

The following plugin fields are important attributes extracted from the syslog message. USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.

  • authentication_mode
  • customfield_0
  • destination_user_privileges
  • destination_username
  • event_name
  • rep_device_address
  • rep_device_rule_id
  • session
  • source_address
  • source_port
  • source_process_user
  • source_username
  • transport_protocol

Troubleshooting

For troubleshooting, refer to the vendor documentation:

https://docs.oracle.com/cd/E36784_01/html/E37127/audittask-84.html