
Oracle Database Discussions


auditing QRadar

Robeen, Nov 13 2017 — edited Nov 16 2017

Oracle Database 11g

Hello,

I am doing auditing for Oracle Database 11.2.0.4 on Red Hat Linux 6.8 (Santiago). I have made some configurations on the spfile to send DB logs to QRadar.

ftp://ftp.boulder.ibm.com/software/security/products/qradar/documents/7.2.1/QRadar/EN/b_dsm_guide.pdf

I see only OS logs being sent.

Please advise.

rsyslog.conf entries:

# The authpriv file has restricted access.
authpriv.*                                                    /var/log/secure
*.emerg;*.alert;*.crit;*.warning;*.err;*.notice;*.info /var/adm/messages
auth.info       @192.168.128.215
local0.info     @192.168.128.215
user.info       @192.168.128.215
# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog

Database spfile entries:

SQL> show parameter audit

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
audit_file_dest                      string      /data/oracle/app/oracle/admin/
                                                 MIGR/adump
audit_sys_operations                 boolean     TRUE
audit_syslog_level                   string      LOCAL0.INFO
audit_trail                          string      DB_EXTENDED

Regards,

Joe


Locked on Dec 14 2017
Added on Nov 13 2017
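An added example, not part of the original post and not Oracle or IBM tooling: a Python check that takes the audit parameters and the rsyslog forwarding lines shown in the post and reports whether the audit_syslog_level facility reaches a remote host and whether standard audit records are written to syslog at all. It assumes Oracle's documented behaviour that standard audit records go to syslog only when audit_trail is OS, while SYS operations are sent there when audit_sys_operations is TRUE; the function names are hypothetical and the selector matcher covers only a subset of rsyslog syntax.

```python
# Assumption: standard audit records reach syslog only with audit_trail=OS.
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def selector_matches(selector, facility, priority):
    """Simplified rsyslog selector match: handles ';', ',', '*', '=' and 'none'."""
    matched = False
    for part in selector.split(";"):
        facs, _, prio = part.strip().partition(".")
        if facs != "*" and facility not in facs.split(","):
            continue
        if prio == "none":
            matched = False
        elif prio == "*":
            matched = True
        elif prio.startswith("="):
            matched = matched or prio[1:] == priority
        elif prio in PRIORITIES and priority in PRIORITIES:
            # "fac.prio" selects this severity and anything more severe
            matched = matched or PRIORITIES.index(priority) <= PRIORITIES.index(prio)
    return matched

def remote_targets(rsyslog_conf, facility, priority):
    """Hosts that receive facility.priority via an '@' (UDP) or '@@' (TCP) action."""
    targets = []
    for line in rsyslog_conf.splitlines():
        fields = line.split(None, 1)
        if len(fields) == 2 and fields[1].startswith("@") \
                and selector_matches(fields[0], facility, priority):
            targets.append(fields[1].lstrip("@").strip())
    return targets

def check(params, rsyslog_conf):
    """Return (remote targets for the audit facility, list of findings)."""
    facility, _, priority = params.get("audit_syslog_level", "").lower().partition(".")
    targets = remote_targets(rsyslog_conf, facility, priority) if priority else []
    trail = params.get("audit_trail", "NONE")
    findings = []
    if not targets:
        findings.append("audit_syslog_level is unset or not forwarded to a remote host")
    if trail.upper() != "OS":
        findings.append(f"audit_trail={trail}: standard audit records are not written to syslog")
    if params.get("audit_sys_operations", "FALSE").upper() != "TRUE":
        findings.append("audit_sys_operations is not TRUE: SYS operations are not audited")
    return targets, findings
# Parameter values and forwarding lines copied from the post above.
PARAMS = {"audit_sys_operations": "TRUE", "audit_syslog_level": "LOCAL0.INFO",
          "audit_trail": "DB_EXTENDED"}
RSYSLOG = ("authpriv.* /var/log/secure\nauth.info @192.168.128.215\n"
           "local0.info @192.168.128.215\nuser.info @192.168.128.215\n")
print(check(PARAMS, RSYSLOG))
```
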