Skip to main content
Skip table of contents

Create a Sample Oracle 10g Audit Trail UDLA Log Source

LogRhythm utilizes its extensive knowledge of log formats from various vendors to process logs. Processing is based on LogRhythm rules which dictate is a log is elevated to an event or to an alarm. Because UDLA log collection users define the log format, the following sample should be used so that LogRhythm can process this UDLA log type. Oracle 10g writes its audit data to the COMMON_AUDIT_TRAIL table.

For the MPE Policy Processing rules provided by LogRhythm for Oracle Audit Trail to parse the logs correctly, use the following configuration, making adjustments for the deployment environment.

Cutting-and-pasting the following Settings into a UDLA configuration in the LogRhythm Client Console may produce characters that are not supported by UDLA.

Parameter NameSetting
ODBC/OLE DBSelect ODBC connection.

Connection String

Driver={Oracle in OraDb10g_home1};Server=myServer;Uid=myUserID;Pwd=myPassword;

Be sure to replace the variables myServer, myUserID, and myPassword with the appropriate settings for the current environment.

Query
Statement

SELECT * FROM (SELECT TO_CHAR(EXTENDED_TIMESTAMP, 'YYYYMMDDHH24MISSXFF') AS EXTENDED_TIMESTAMP, AUDIT_TYPE, STATEMENT_TYPE, RETURNCODE,AUDIT_OPTION, PRIV_USED, OS_USER, DB_USER, USERHOST, TERMINAL, OBJECT_SCHEMA, OBJECT_NAME, POLICY_NAME, NEW_OWNER, NEW_NAME, EXT_NAME, SQL_TEXT, COMMENT_TEXT, SES_ACTIONS, GLOBAL_UID, SESSION_ID, PROXY_SESSIONID, STATEMENTID, ENTRYID, CLIENT_ID, ECONTEXT_ID, TRANSACTIONID, OS_PROCESS, INSTANCE_NUMBER, ACTION, SQL_BIND, OBJ_PRIVILEGE, SYS_PRIVILEGE, OS_PRIVILEGE, SCN, GRANTEE, LOGOFF_TIME, LOGOFF_LREAD, LOGOFF_PREAD, LOGOFF_LWRITE, LOGOFF_DLOCK, SESSION_CPU FROM SYS.DBA_COMMON_AUDIT_TRAIL ORDER BY EXTENDED_TIMESTAMP) WHERE ROWNUM<= <Max_Message_Count>

Output Format

<EXTENDED_TIMESTAMP> AUDIT_TYPE=<AUDIT_TYPE> STATEMENT_TYPE=
<STATEMENT_TYPE> RETURNCODE=<RETURNCODE> AUDIT_OPTION=
<AUDIT_OPTION> PRIV_USED=<PRIV_USED> OS_USER=<OS_USER> DB_USER=
<DB_USER> UHOST=<USERHOST> TERM=<TERMINAL> OBJECT_SCHEMA=
<OBJECT_SCHEMA> OBJECT_NAME=<OBJECT_NAME> POLICY_NAME=
<POLICY_NAME> NEW_OWNER=<NEW_OWNER> NEW_NAME=
<NEW_NAME> EXT_NAME=<EXT_NAME> SQL_TEXT=<SQL_TEXT> COMMENT_TEXT=
<COMMENT_TEXT> SES_ACTIONS=<SES_ACTIONS> GLOBAL_UID=
<GLOBAL_UID> SESSION_ID=<SESSION_ID> PROXY_SESSIONID=<PROXY_SESSIONID> STATEMENTID=<STATEMENTID> ENTRYID=<ENTRYID> CLIENT_ID=
<CLIENT_ID> ECONTEXT_ID=<ECONTEXT_ID> TRANSACTIONID=<TRANSACTIONID>
OS_PROCESS=<OS_PROCESS> INSTANCE_NUMBER=<INSTANCE_NUMBER> ACTION=<ACTION> SQL_BIND=<SQL_BIND> OBJ_PRIVILEGE=<OBJ_PRIVILEGE>
SYS_PRIVILEGE=<SYS_PRIVILEGE> OS_PRIVILEGE=<OS_PRIVILEGE> SCN=
<SCN> GRANTEE=<GRANTEE> LOGOFF_TIME=<LOGOFF_TIME> LOGOFF_LREAD=
<LOGOFF_LREAD> LOGOFF_PREAD=<LOGOFF_PREAD> LOGOFF_LWRITE=
<LOGOFF_LWRITE> LOGOFF_DLOCK=<LOGOFF_DLOCK> SESSION_CPU=
<SESSION_CPU>

Unique Identifier Field

SESSION_ID,ENTRYID

Message Date Field

EXTENDED_TIMESTAMP

State Field Type

Timestamp

State Field

EXTENDED_TIMESTAMP

State Field
Conversion

‘<UDLA_State_Field>’

Get UTC Date Statement

SELECT SYS_EXTRACT_UTC(CURRENT_TIMESTAMP) FROM dual

OR

SELECT TO_DATE(TO_CHAR(SYS_EXTRACT_UTC(CURRENT_TIMESTAMP),'YYYY-MM-DD HH24:MI:SS'),'YYYY-MM-DD HH24:MI:SS') FROM dual

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close