Oracle Audit Vault
The IBM QRadar DSM for Oracle Audit Vault collects events from an Oracle Audit Vault server.
Specification | Value |
---|---|
Manufacturer | Oracle |
DSM name | Oracle Audit Vault |
RPM file name | DSM-OracleAuditvault-QRadar_version-build_number.noarch.rpm |
Supported versions | 10.3 and 12.2 |
Protocol | JDBC |
Event format | name-value pair (NVP) |
Recorded event types | All audit records from the AVSYS.AV$ALERT_STORE table for V10.3, or from the custom AVSYS.AV_ALERT_STORE_V view for V12.2. For more information about audit records, see Configuring Oracle Audit Vault to communicate with QRadar®. |
Automatically discovered? | No |
Includes identity? | No |
Includes custom properties? | No |
More information | Oracle website (https://www.oracle.com/index.html) |
- If automatic updates are not enabled, download and install the most recent version of the following RPMs from the IBM® Support Website onto your QRadar Console:
  - JDBC Protocol RPM
  - DSMCommon RPM
  - Oracle Audit Vault DSM RPM
- Obtain the database information for your Oracle Audit Vault server and then configure your Oracle Audit Vault database to allow incoming TCP connections.
- For each instance of Oracle Audit Vault, add an Oracle Audit Vault log source on the QRadar Event Collector. The following table describes the parameters that require specific values to collect events from Oracle Audit Vault:
Table 2. Oracle Audit Vault JDBC log source parameters

Parameter | Value |
---|---|
Log Source type | Oracle Audit Vault |
Protocol Configuration | JDBC |
Log Source Identifier | Type a name for the log source. The name can't contain spaces and must be unique among all log sources of the log source type that is configured to use the JDBC protocol. If the log source collects events from a single appliance that has a static IP address or host name, use the IP address or host name of the appliance as all or part of the Log Source Identifier value; for example, 192.168.1.1 or JDBC192.168.1.1. If the log source doesn't collect events from a single appliance that has a static IP address or host name, you can use any unique name for the Log Source Identifier value; for example, JDBC1, JDBC2. |
Database Type | Oracle |
Database Name | The name of the Oracle Audit Vault database. |
IP or Hostname | The IP address or host name of the Oracle Audit Vault server. |
Port | The port on which the Oracle Audit Vault database is listening. |
Username | Any user with the AV_AUDITOR permission. For example, AVAUDITOR. |
Password | The password for the database user. |
Predefined Query | None |
Table Name | For Oracle Audit Vault Version 10.3, the Table Name value is AVSYS.AV$ALERT_STORE. For Oracle Audit Vault Version 12.2, the Table Name value is AVSYS.AV_ALERT_STORE_V. |
Select List | The list of fields to include when the table is polled for events. You can use a comma-separated list or type an asterisk (*) to select all fields from the table or view. If a comma-separated list is defined, the list must contain the field that is defined in the Compare Field. |
Compare Field | For Oracle Audit Vault Version 10.3, the Compare Field value is ALERT_SEQUENCE. For Oracle Audit Vault Version 12.2, the Compare Field value is RECORD_ID. |
Use Prepared Statements | You must select the Use Prepared Statements option. |
Start Date and Time | (Optional) The initial date and time for the JDBC retrieval. |
Use Oracle Encryption | Oracle Encryption and Data Integrity settings are also known as Oracle Advanced Security. If selected, Oracle JDBC connections require the server to support similar Oracle Data Encryption settings as the client. |

For more information about configuring JDBC protocol parameters, see c_logsource_JDBCprotocol.html.
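The following example, added here and not part of IBM's or Oracle's documentation or code, shows why the Select List must contain the Compare Field and why prepared statements matter: a compare-field poll remembers the highest value it has seen and asks only for rows above it on the next run, passing that value as a bind parameter. It assumes the usual high-water-mark semantics of a compare field. sqlite3 stands in for the Oracle Audit Vault database (the real log source uses Oracle JDBC), the table is shortened to AV_ALERT_STORE_V because sqlite has no AVSYS schema, and the rows, column names other than RECORD_ID, and usernames are constructed.

```python
"""Simulate a compare-field poll against an Audit Vault-style alert view.
Added example; sqlite3 stands in for Oracle, all rows are constructed."""
import sqlite3

TABLE_NAME = "AV_ALERT_STORE_V"   # stand-in for AVSYS.AV_ALERT_STORE_V (12.2)
COMPARE_FIELD = "RECORD_ID"       # the 12.2 Compare Field from Table 2


def validate_select_list(select_list: str, compare_field: str) -> list:
    """Apply the Select List rule from Table 2: '*' selects every column,
    otherwise the comma-separated list must include the Compare Field."""
    text = select_list.strip()
    if text == "*":
        return ["*"]
    fields = [f.strip() for f in text.split(",") if f.strip()]
    if compare_field not in fields:
        raise ValueError(
            f"Select List must contain the Compare Field {compare_field}")
    return fields


def poll_new_events(conn, select_list: str, compare_field: str, last_value):
    """Fetch rows whose compare field is greater than last_value, oldest
    first. Returns (rows, new_last_value). Table and column names come from
    validated configuration; the only runtime value, last_value, is bound as
    a parameter, which is the prepared-statement style Table 2 requires."""
    columns = ", ".join(validate_select_list(select_list, compare_field))
    sql = (f"SELECT {columns} FROM {TABLE_NAME} "
           f"WHERE {compare_field} > ? ORDER BY {compare_field}")
    rows = conn.execute(sql, (last_value,)).fetchall()
    if rows:
        # Without the compare field in the select list this lookup fails,
        # and the poller could never advance its high-water mark.
        last_value = max(row[compare_field] for row in rows)
    return rows, last_value


def build_sample_database():
    """Constructed stand-in for the alert view with three existing rows."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute(f"""CREATE TABLE {TABLE_NAME} (
        RECORD_ID INTEGER PRIMARY KEY, AV_ALERT_TIME TEXT,
        ALERT_NAME TEXT, USERNAME TEXT, EVENT_STATUS INTEGER)""")
    conn.executemany(
        f"INSERT INTO {TABLE_NAME} VALUES (?, ?, ?, ?, ?)",
        [(23960, "2010-01-11 13:02:13", "testing2", "user1", 0),
         (23961, "2010-01-11 13:05:00", "testing2", "user2", 1),
         (23962, "2010-01-11 13:07:30", "failed_login", "user3", 1)])
    conn.commit()
    return conn


def run_two_polls():
    """Poll once, let a new record arrive, poll again.
    Returns (rows_in_first_poll, rows_in_second_poll, final_high_water_mark)."""
    conn = build_sample_database()
    select_list = "RECORD_ID, AV_ALERT_TIME, ALERT_NAME, USERNAME, EVENT_STATUS"
    first, last = poll_new_events(conn, select_list, COMPARE_FIELD, 0)
    conn.execute(f"INSERT INTO {TABLE_NAME} VALUES (?, ?, ?, ?, ?)",
                 (23963, "2010-01-11 13:10:00", "testing2", "user1", 0))
    second, last = poll_new_events(conn, select_list, COMPARE_FIELD, last)
    return len(first), len(second), last


if __name__ == "__main__":
    print(run_two_polls())  # (3, 1, 23963)
```

The first poll starts from 0 (the role the optional Start Date and Time plays for a timestamp compare field) and returns all three rows; the second returns only the row inserted in between, and the high-water mark moves to 23963. A Select List that omits RECORD_ID is rejected before any query is built.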
- Verify that QRadar is configured correctly. The following table shows a sample parsed audit event message from Oracle Audit Vault.

Important: Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.

Table 3. Oracle Audit Vault sample message

Event name | Low level category | Sample log message |
---|---|---|
LOGON-success | 3075 | ALERT_SEQUENCE: "25" AV_ALERT_TIME: "2010-01-11 13:02:13.30702" ACTUAL_ALERT_TIME: "2010-01-11 12:19:36.0" TIME_CLEARED: "null" ALERT_NAME: "testing2" TARGET_OWNER: "null" TARGET_OBJECT: "null" ASSOCIATED_OBJECT_OWNER: "null" ASSOCIATED_OBJECT_NAME: "null" ALERT_SEVERITY: "1" CLIENT_HOST: "host.domain.lab" CLIENT_HOSTIP: "<client_host_IP_address>" SOURCE_HOST: "<source_host_IP_address>" SOURCE_HOSTIP: "<source_host_IP_address>" PROCESS#: "3428" OSUSER_NAME: "null" USERNAME: "<os_user_name>" INSTANCE_NAME: "null" INSTANCE_NUMBER: "null" EVENT_STATUS: "0" CONTEXTID: "1561" SUB_CONTEXTID: "null" PARENT_CONTEXTID: "null" SOURCE_NAME: "XE" RECORD_ID: "23960" MSG_NUMBER: "0" CAT_ID: "2" EVENT_ID: "95" MSG_ARG_1: "null" MSG_ARG2: "null" MSG_ARG3: "null" MSG_ARG4: "null" MSG_ARG5: "null" |
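To make the name-value pair (NVP) format concrete, here is an added parser that is not part of the IBM DSM or of Oracle's software. It takes the Table 3 sample message (copied with its <...> placeholders and deliberately split across lines to mimic the carriage return and line feed characters the Important note says to remove), strips the line breaks, extracts each KEY: "value" pair including the PROCESS# key, maps the literal string "null" to None, and converts the numeric and timestamp fields. Which fields are treated as integers or timestamps is an assumption based on the sample values, not a documented schema.

```python
"""Parse the Oracle Audit Vault NVP sample from Table 3. Added example;
the field-type tables below are assumptions drawn from the sample values."""
import re
from datetime import datetime

# Constructed copy of the Table 3 sample, split across lines on purpose.
SAMPLE_MESSAGE = '''ALERT_SEQUENCE: "25" AV_ALERT_TIME: "2010-01-11 13:02:13.30702"
ACTUAL_ALERT_TIME: "2010-01-11 12:19:36.0" TIME_CLEARED: "null"
ALERT_NAME: "testing2" TARGET_OWNER: "null" TARGET_OBJECT: "null"
ASSOCIATED_OBJECT_OWNER: "null" ASSOCIATED_OBJECT_NAME: "null"
ALERT_SEVERITY: "1" CLIENT_HOST: "host.domain.lab"
CLIENT_HOSTIP: "<client_host_IP_address>" SOURCE_HOST: "<source_host_IP_address>"
SOURCE_HOSTIP: "<source_host_IP_address>" PROCESS#: "3428" OSUSER_NAME: "null"
USERNAME: "<os_user_name>" INSTANCE_NAME: "null" INSTANCE_NUMBER: "null"
EVENT_STATUS: "0" CONTEXTID: "1561" SUB_CONTEXTID: "null"
PARENT_CONTEXTID: "null" SOURCE_NAME: "XE" RECORD_ID: "23960" MSG_NUMBER: "0"
CAT_ID: "2" EVENT_ID: "95" MSG_ARG_1: "null" MSG_ARG2: "null" MSG_ARG3: "null"
MSG_ARG4: "null" MSG_ARG5: "null"'''

# Keys are upper-case names that may contain digits, '_' and '#' (PROCESS#);
# values are always double-quoted in the sample.
PAIR_RE = re.compile(r'([A-Z0-9_#]+):\s*"([^"]*)"')

# Assumed types, chosen from the sample values (not a documented schema).
INT_FIELDS = {"ALERT_SEQUENCE", "ALERT_SEVERITY", "EVENT_STATUS", "RECORD_ID",
              "EVENT_ID", "CAT_ID", "MSG_NUMBER", "CONTEXTID", "PROCESS#"}
TIME_FIELDS = {"AV_ALERT_TIME", "ACTUAL_ALERT_TIME", "TIME_CLEARED"}


def strip_line_breaks(message: str) -> str:
    """Collapse CR/LF and runs of whitespace, as the Important note advises."""
    return " ".join(message.split())


def parse_nvp(message: str) -> dict:
    """Return {KEY: value} with the literal "null" mapped to None."""
    fields = {}
    for key, value in PAIR_RE.findall(strip_line_breaks(message)):
        fields[key] = None if value == "null" else value
    return fields


def parse_timestamp(value: str) -> datetime:
    """Handle both '...:13.30702' and '...:36.0'; %f accepts 1 to 6 digits."""
    fmt = "%Y-%m-%d %H:%M:%S.%f" if "." in value else "%Y-%m-%d %H:%M:%S"
    return datetime.strptime(value, fmt)


def normalize(fields: dict) -> dict:
    """Convert the assumed integer and timestamp fields; leave the rest as text."""
    out = {}
    for key, value in fields.items():
        if value is None:
            out[key] = None
        elif key in INT_FIELDS:
            out[key] = int(value)
        elif key in TIME_FIELDS:
            out[key] = parse_timestamp(value)
        else:
            out[key] = value
    return out


def summarize(message: str) -> dict:
    """Pull out the fields an analyst would look at first."""
    ev = normalize(parse_nvp(message))
    return {
        "record_id": ev["RECORD_ID"],
        "alert": ev["ALERT_NAME"],
        "severity": ev["ALERT_SEVERITY"],
        "status": ev["EVENT_STATUS"],
        "client_host": ev["CLIENT_HOST"],
        "alert_time": ev["AV_ALERT_TIME"].isoformat(),
    }


if __name__ == "__main__":
    for k, v in summarize(SAMPLE_MESSAGE).items():
        print(f"{k}: {v}")
```

The regex-based approach is tolerant of the line breaks the note warns about because the whitespace is collapsed before matching, and it keeps placeholder values such as <os_user_name> as plain strings, so the same function can be run over a real record once the placeholders are replaced by actual values.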