Oracle 10g stores audit data in the SYS.AUD$ database audit table. SYS.AUD$ links to multiple other tables in the database that hold supporting information about the audit logs, such as user names and object names. For that reason, LogRhythm is configured to pull data, remotely or locally, from the DBA_COMMON_AUDIT_TRAIL database view via the LogRhythm Agent's UDLA collection mechanism. The DBA_COMMON_AUDIT_TRAIL view pulls all relevant data about the audit records into one easy-to-understand record.
The UDLA collection mechanism used by the agent makes ODBC connections to the database to collect the logs. The following information is required for UDLA to function properly and should be gathered prior to configuring collection:
- The IP Address and/or host name of the Oracle database server to be collected from.
- The database login credentials of the user account the LogRhythm Agent should use to connect to the database.
- The LogRhythm agent which will be used to collect the audit data from the Oracle database.
Configure Oracle 10g Auditing
Oracle allows fine-grained auditing of all database objects. The Oracle database audit policy, which determines what types of activities to audit and for whom, should be configured by the Oracle Database Administrator.
To configure Oracle to write audit data to the SYS.AUD$ table, run the following SQL command against the database:
ALTER SYSTEM SET audit_trail=db SCOPE=SPFILE
ALTER SYSTEM SET audit_trail=true SCOPE=SPFILE
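The following SQL*Plus script is an added example, not part of the LogRhythm documentation. It confirms the audit trail setting and provisions a read-only account for the agent's ODBC login. The account name LR_COLLECTOR and its password are hypothetical placeholders. Because audit_trail is a static parameter, the SCOPE=SPFILE change only applies after the instance is restarted, so run the script after that restart.

```sql
-- Added example (not LogRhythm's own script). Run in SQL*Plus connected
-- AS SYSDBA, after the instance has been restarted with the new setting.
-- LR_COLLECTOR and its password are hypothetical placeholders.

-- 1. Confirm the audit trail is enabled: the value must not be NONE.
SELECT name, value
  FROM v$parameter
 WHERE name = 'audit_trail';

-- 2. Create a dedicated account for the agent's ODBC connection, so the
--    collector never logs in with a DBA or application account.
CREATE USER lr_collector IDENTIFIED BY "CHANGE_ME_placeholder";

-- 3. Least privilege: the account may log on and read the one view the
--    collector queries, and nothing else.
GRANT CREATE SESSION TO lr_collector;
GRANT SELECT ON sys.dba_common_audit_trail TO lr_collector;

-- 4. Review what the account holds. Expect only CREATE SESSION, no roles,
--    and a single SELECT grant on DBA_COMMON_AUDIT_TRAIL.
SELECT privilege
  FROM dba_sys_privs
 WHERE grantee = 'LR_COLLECTOR';

SELECT granted_role
  FROM dba_role_privs
 WHERE grantee = 'LR_COLLECTOR';

SELECT owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'LR_COLLECTOR';

-- 5. Reconnect as LR_COLLECTOR and read the newest audit records to prove
--    the grant works and that the audit policy is producing rows.
--    Oracle 10g has no FETCH FIRST clause, so ROWNUM limits the result.
SELECT *
  FROM (SELECT audit_type, extended_timestamp, db_user, os_user, userhost,
               object_schema, object_name, statement_type, returncode
          FROM sys.dba_common_audit_trail
         ORDER BY extended_timestamp DESC)
 WHERE ROWNUM <= 20;
```

If step 5 returns no rows, auditing is enabled but no audit policy is generating records yet, and the UDLA log source will collect nothing until the DBA defines one.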
Configure the ODBC Driver for Oracle 10g
Oracle 10g Audit Trail logs are accessed by LogRhythm via an ODBC driver. The recommended driver must already be installed on the System Monitor host and configured according to the information in Configure UDLA Log Collection.
- Name. Microsoft ODBC for Oracle
- Company Name. Microsoft Corporation
- Version. 2.576.3959.00
- Date. 2/18/2007
- Download Location. Pre-installed
Configure Oracle Data Access Components (ODAC)
Oracle data access components must be installed on the agent server. These components are supplied by Oracle Corporation. Oracle 11g (ODAC) 126.96.36.199.20 is the recommended version.
Oracle 11g (ODAC) is required for a 64-bit OS.
After you configure the device, you must also configure LogRhythm according to the instructions provided on the overview page of this guide. A LogRhythm System Monitor Agent is used to collect Oracle logs. The System Monitor does not need to reside on the same host as Oracle 10g, but it does need to be able to establish a network ODBC connection.
Only Global Admins or Restricted Admins with elevated View and Manage privileges can take this action.
Before you begin, download the Oracle 10g Audit Trail XML Configuration File. You will import this file later to populate the UDLA configuration fields for the Log Source.
The name of the log message source is UDLA - Oracle 10g Audit Trail. In addition, when configuring this log source:
- For Log Message Processing Mode, select MPE Processing Enabled, Event Forwarding Enabled.
- For Log Message Processing Engine (MPE) Policy, select LogRhythm Default.
- On the UDLA Settings tab, enter the following:
  - Click Import, and then browse to and open the XML file that you downloaded from LogRhythm.
  - In the Connection String box, ensure that you change the placeholder values to those matching your deployment.
- If you want to validate the current settings, click Test.
  If the test fails, verify the connection settings and that all values were entered correctly.
- When the test passes, close the Test dialog box.