UDLA - Oracle 9i Audit Trail
Oracle Databases enable you to send audit records to the database audit trail or the operating system audit trail, when the operating system is capable of receiving them. The database audit records can also be written to operating system files in XML format. Writing audit trails to the operating system provides a way for a separate auditor who has root privileges on the operating system to hold all DBAs (who don't have root access) accountable for their actions. These options, added to the broad selection of audit options and customizable triggers or stored procedures, give you the flexibility to implement an auditing scheme that suits your specific business needs.
Oracle 9i stores audit data in the SYS.AUD$ database audit table. The SYS.AUD$ table contains links to multiple tables within the database that hold supporting information about the audit logs, such as user names and object names. Therefore, LogRhythm is configured to pull data remotely or locally from the DBA_COMMON_AUDIT_TRAIL database view via the LogRhythm Agent's UDLA collection mechanism. The DBA_COMMON_AUDIT_TRAIL view pulls all relevant data about the audit records into one easy-to-understand record.
Prerequisites
The UDLA collection mechanism used by the agent makes ODBC connections to the database to collect the logs. The following information is required for UDLA to function properly and should be gathered prior to configuring collection:
- The IP Address and/or host name of the Oracle database server to be collected from.
- The database login credentials of the user account the LogRhythm Agent should use to connect to the database.
- The LogRhythm agent which will be used to collect the audit data from the Oracle database.
Configure Oracle 9i Auditing
Oracle allows fine-grained auditing of all database objects. Configuration of the Oracle database audit policy, which determines what types of activities to audit and for whom, should be completed by the Oracle Database Administrator.
To configure Oracle to write audit data to the SYS.AUD$ table, run one of the following SQL commands against the database. Because the change is written to the SPFILE, it takes effect the next time the database instance is restarted.
ALTER SYSTEM SET audit_trail=db SCOPE=SPFILE;
OR
ALTER SYSTEM SET audit_trail=true SCOPE=SPFILE;
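The following is an added example, not part of LogRhythm's documentation: one way to confirm the audit setting and to provision the agent's database login from the Prerequisites with read access to the audit view only. The account name lr_audit_reader and the password placeholder are hypothetical; the view name is the one given on this page.

```sql
-- Added example; run as a DBA (for example in SQL*Plus).
-- lr_audit_reader is a hypothetical account name and the password
-- is a placeholder to replace.

-- 1. After the instance restart that a SCOPE=SPFILE change requires,
--    confirm the audit trail setting is active.
--    Expect DB or TRUE (both write audit records to SYS.AUD$).
SELECT name, value
  FROM v$parameter
 WHERE name = 'audit_trail';

-- 2. Create a dedicated account for the LogRhythm Agent rather than
--    placing a DBA login in the ODBC connection string.
CREATE USER lr_audit_reader IDENTIFIED BY "<replace-with-strong-password>";

-- 3. Grant only what collection needs: the right to connect and
--    read access to the audit view.
GRANT CREATE SESSION TO lr_audit_reader;
GRANT SELECT ON sys.dba_common_audit_trail TO lr_audit_reader;

-- 4. Confirm the account holds no other system privileges or roles.
--    Expect a single row (CREATE SESSION) from the first query and
--    no rows from the second.
SELECT privilege
  FROM dba_sys_privs
 WHERE grantee = 'LR_AUDIT_READER';

SELECT granted_role
  FROM dba_role_privs
 WHERE grantee = 'LR_AUDIT_READER';

-- 5. Confirm the only object grant is SELECT on the audit view.
SELECT owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'LR_AUDIT_READER';
```

An account limited this way can read audit records but cannot alter or purge SYS.AUD$, which keeps the collection credential from becoming a means of tampering with the trail it reads.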
Configure the ODBC Driver for Oracle 9i
Oracle 9i Audit Trail logs are accessed by LogRhythm via an ODBC driver. The recommended driver must already be installed on the System Monitor host and configured according to the information in Configure UDLA Log Collection.
- Name. Microsoft ODBC for Oracle
- Company Name. Microsoft Corporation
- Version. 2.576.3959.00
- Date. 2/18/2007
- Download Location. Pre-installed
Configure Oracle Data Access Components (ODAC)
Oracle data access components must be installed on the agent server. These components are supplied by Oracle Corporation. Oracle 11g (ODAC) 11.1.0.7.20 is the recommended version. Oracle 11g (ODAC) is required for a 64-bit OS.
After you configure the device, you must also configure LogRhythm according to the instructions provided on the overview page of this guide. A LogRhythm System Monitor Agent is used to collect Oracle logs. The System Monitor does not need to reside on the same host as Oracle 9i, but it does need to be able to establish a network ODBC connection.
Only Global Admins or Restricted Admins with elevated View and Manage privileges can take this action.
Before you begin, download the Oracle 9i Audit Trail XML Configuration File. You will import this file later to populate the UDLA configuration fields for the Log Source.
Instead of UDLA, you can configure Oracle 9i for flat file collection.
The name of the log message source is UDLA - Oracle 9i Audit Trail. In addition, when configuring this log source:
- For Log Message Processing Mode, select MPE Processing Enabled, Event Forwarding Enabled.
- For Log Message Processing Engine (MPE) Policy, select LogRhythm Default.
- On the UDLA Settings tab, enter the following:
Click Import, and then browse to and open the XML file that you downloaded from LogRhythm.
In the Connection String box, ensure that you change the placeholder values to those matching your deployment.
- If you want to validate the current settings, click Test.
If the test fails, verify the connection settings and that all values were entered correctly.
- When the test passes, close the Test dialog box.