UDLA - Oracle 12c Unified Audit
Oracle 12c stores its audit data in the SYS.AUD$ database audit table. The SYS.AUD$ table contains links to multiple other tables within the database that hold supporting information about the audit logs, such as user names and object names. For this reason, LogRhythm is configured to pull data, either remotely or locally, from the DBA_COMMON_AUDIT_TRAIL database view via the LogRhythm Agent's UDLA collection mechanism. The DBA_COMMON_AUDIT_TRAIL view pulls all relevant data about the audit records into one easy-to-understand record.
Alternatively, the audit trail can be written to a flat file and collected from there instead of from a database view. Refer to the Oracle documentation and consult your Database Administrator for the proper steps for configuring the audit trail to be written to a file.
Prerequisites
The UDLA collection mechanism used by the agent makes ODBC or OLE connections to the database to collect the logs. The following information is required for UDLA to function properly and should be gathered prior to configuring collection:
- The IP address or hostname of the Oracle 12c database from which you want to collect.
- The Oracle 12c database login credentials of the user account the LogRhythm Agent should use to connect to the database.
- The LogRhythm agent that will be used to collect the audit data from the Oracle 12c database.
Configure Oracle 12c Auditing
Oracle allows fine-grained auditing of all database objects. Configuration of the Oracle database audit policy—which determines what types of activities to audit and for whom—should be completed by the Oracle Database Administrator.
To configure Oracle to write audit data to the SYS.AUD$ table, run one of the following SQL commands against the database:
ALTER SYSTEM SET audit_trail=db SCOPE=SPFILE;
OR
ALTER SYSTEM SET audit_trail=true SCOPE=SPFILE;
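One way to verify the audit setting and provision the collection account listed under Prerequisites with read-only access to the view. This is an added example, not part of the LogRhythm documentation. The account name lr_collector and the password placeholder are hypothetical, and the statements assume a DBA session in the database (or pluggable database) that holds the audit trail.

```sql
-- Added example. lr_collector and <password> are placeholders, not values
-- from the LogRhythm documentation.

-- 1. Confirm the audit destination. audit_trail is a static parameter, so a
--    value set with SCOPE=SPFILE only appears here after the instance has
--    been restarted.
SELECT name, value
  FROM v$parameter
 WHERE name = 'audit_trail';

-- 2. Create a dedicated collection account that can log in and read the one
--    view the agent queries, and nothing else.
CREATE USER lr_collector IDENTIFIED BY "<password>";
GRANT CREATE SESSION TO lr_collector;
GRANT SELECT ON sys.dba_common_audit_trail TO lr_collector;

-- 3. Review what the account actually holds. Expect only CREATE SESSION,
--    no roles, and SELECT on DBA_COMMON_AUDIT_TRAIL.
SELECT privilege
  FROM dba_sys_privs
 WHERE grantee = 'LR_COLLECTOR';

SELECT granted_role
  FROM dba_role_privs
 WHERE grantee = 'LR_COLLECTOR';

SELECT owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'LR_COLLECTOR';

-- 4. Connected as lr_collector: confirm the view returns recent records
--    before pointing the agent at it.
SELECT extended_timestamp, audit_type, db_user, os_user, userhost,
       object_schema, object_name, statement_type, returncode
  FROM sys.dba_common_audit_trail
 WHERE extended_timestamp > SYSTIMESTAMP - INTERVAL '1' HOUR
 ORDER BY extended_timestamp;
```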
Configure the ODBC or Oracle 12c ODAC OLE Driver
Oracle 12c Audit Trail logs are accessed by LogRhythm via a Microsoft ODBC driver or Oracle ODAC OLE driver. Before configuring the UDLA log source in LogRhythm, the recommended driver must already be installed on the System Monitor host and configured according to the information in Configure UDLA Log Collection.
Microsoft ODBC
- Version. 2.576.3959.00
- Date. 2/18/2007
- Download Location. Pre-installed
Oracle ODAC
- Oracle Provider for OLE DB. 12.2.0.1.0
- Download Location. Oracle Technology Network
Oracle 12c (ODAC) is required for a 64-bit operating system.
After you configure the device, you must also configure LogRhythm according to the instructions provided on the overview page of this guide. LogRhythm requires that you use a LogRhythm System Monitor Agent to collect the logs. The agent does not need to reside on the same host as the Oracle 12c instance, but it does need to be able to establish a network ODBC or OLE connection. In addition, to use the “Test” functionality of the UDLA log source configuration in the Client Console, a Client Console needs to be installed on the same host as the Agent you are configuring. Although not recommended, due to troubleshooting limitations, you can configure a UDLA log source with an Agent on a host that does not have a Console installed locally.
Only Global Admins or Restricted Admins with elevated View and Manage privileges can take this action.
Before you begin, download the Oracle 12c Audit Trail XML Configuration File. You will import this file later to populate the UDLA configuration fields for the Log Source.
The name of the log message source is UDLA - Oracle 12C Unified Auditing. In addition, when configuring this log source:
- For Log Message Processing Mode, select MPE Processing Enabled, Event Forwarding Enabled.
- For Log Message Processing Engine (MPE) Policy, select LogRhythm Default.
- On the UDLA Settings tab, enter the following:
  - Click Import, and then browse to and open the XML file that you downloaded from LogRhythm.
  - If you are using an OLE connection, select OLE DB and change the connection string to: Provider=oraoledb.oracle;User ID=<username>;Password=<password>;Data Source=<server>/<instance>
  - For either connection type, ensure that you change the placeholder values in the Connection String box to those that match your deployment.
- If you want to validate the current settings, click Test.
  If the test fails, verify the connection settings and that all values were entered correctly.
- When the test passes, close the Test dialog box.