Incorrect Alerts from Oracle Syslog


Hi guys,

For quite some time now I've been trying to get ossim to trigger alerts for certain events from oracle syslog logs. These alerts are to include events such as "alter user", "drop user" and "create user".

If I understand the oracle-syslog plugin correctly, alerts are defined on the translation table and they have numerical values. An alert is then triggered when its value is reflected in the ACTION field of the oracle-syslog.
This is a bit of a problem in my current setup because the value in the ACTION field keeps changing for select, alter user, drop user and other events. This ends up triggering the wrong alert most of the time.

Has anyone experienced this? Anyone got a fix for this? Any help would be greatly appreciated. Thanks.

Oh and I'm running alienvault 4.3.

  • I see the plugin has a translate table but no translate statements in any of the events. Any chance you can send me some logs to test with?
