Configuring Oracle RDBMS OS Audit Record to communicate with QRadar

When using the Oracle RDBMS OS Audit Record DSM for IBM® QRadar®, you can monitor the audit records that are stored in the local operating system file.

About this task

When audit event files are created or updated in the local operating system directory, a Perl script detects the change and then forwards the data to QRadar. The Perl script monitors the audit log file and combines any multi-line log entries into a single log entry so that the logs are not forwarded line-by-line; the combined entry keeps the same format as the entry in the log file. The logs are then sent to QRadar by using syslog. Perl scripts that are written for Oracle RDBMS OS Audit Record work only on Linux® or UNIX servers. Windows-based Perl installations are not supported.
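The following Python sketch is an added example of the record-combining step described above; it is not IBM's forwarder script and not the Perl code the page refers to. It assumes the common multi-line layout of an Oracle OS audit trail (.aud) file, where each record starts with a timestamp line and records are separated by blank lines; the sample file content, the host name oradb01 and the syslog program tag OracleAudit are constructed for the example. Each record is flattened into one line and wrapped in an RFC 3164 syslog message with facility local0 and severity info, the same level the procedure sets with audit_syslog_level.

```python
import re
import socket
from datetime import datetime, timezone

# Constructed sample of an Oracle OS audit trail (.aud) file. Each record spans
# several lines; records are separated by a blank line. All values are made up.
SAMPLE_AUD = """\
Thu Jan 12 10:22:33 2023 +00:00
LENGTH : '212'
ACTION :[7] 'CONNECT'
DATABASE USER:[1] '/'
PRIVILEGE :[6] 'SYSDBA'
CLIENT USER:[6] 'oracle'
CLIENT TERMINAL:[5] 'pts/1'
STATUS:[1] '0'
DBID:[10] '1234567890'

Thu Jan 12 10:23:05 2023 +00:00
LENGTH : '233'
ACTION :[29] 'ALTER USER app IDENTIFIED BY *'
DATABASE USER:[3] 'SYS'
PRIVILEGE :[6] 'SYSDBA'
CLIENT USER:[6] 'oracle'
CLIENT TERMINAL:[5] 'pts/1'
STATUS:[1] '0'
DBID:[10] '1234567890'
"""

# Assumption: a record begins with a timestamp line such as
# "Thu Jan 12 10:22:33 2023 +00:00"; nothing else in the file matches this.
RECORD_START = re.compile(r"^[A-Z][a-z]{2} [A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \d{4}")


def split_records(text):
    """Group the lines of an audit file into records (one list of lines per record).
    A new record starts at a timestamp line; blank separator lines are dropped."""
    records, current = [], []
    for line in text.splitlines():
        if RECORD_START.match(line):
            if current:
                records.append(current)
            current = [line]
        elif line.strip():
            current.append(line)
    if current:
        records.append(current)
    return records


def flatten(record, sep=" "):
    """Join a multi-line record into one line so syslog carries it as a single event
    instead of one event per line; the field text itself is left unchanged."""
    return sep.join(part.strip() for part in record)


def syslog_message(payload, hostname, facility=16, severity=6, now=None):
    """Build an RFC 3164 syslog line. facility 16 = local0, severity 6 = info,
    so PRI = 16 * 8 + 6 = 134, matching local0.info in the procedure."""
    pri = facility * 8 + severity
    now = now or datetime.now(timezone.utc)
    # RFC 3164 timestamp is "Mmm dd hh:mm:ss" with a space-padded day of month.
    stamp = f"{now:%b} {now.day:2d} {now:%H:%M:%S}"
    return f"<{pri}>{stamp} {hostname} OracleAudit: {payload}"


def forward(text, hostname, target_host=None, port=514):
    """Convert every record to one syslog message and, if target_host is given,
    send it over UDP. The messages are returned so they can be inspected offline."""
    msgs = [syslog_message(flatten(r), hostname) for r in split_records(text)]
    if target_host:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            for m in msgs:
                s.sendto(m.encode(), (target_host, port))
    return msgs


if __name__ == "__main__":
    # Offline run: print the two combined records as syslog lines.
    for m in forward(SAMPLE_AUD, "oradb01"):
        print(m)
```

Run without a target host to see the two records printed as single syslog lines; pass target_host to send them to a collector. A real forwarder would additionally tail the file for growth and remember its offset, which this sketch leaves out.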

Procedure

  1. Go to the IBM Support website (https://www.ibm.com/support/fixcentral) and download the following script:
    QRadar 7.4.0 - 7.4.0-QRADAR-SCRIPT-oracle_osauditlog_fwdr_5.3.tar.gz (https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=All&platform=All&function=fixId&fixids=7.4.0-QRADAR-SCRIPT-oracle_osauditlog_fwdr_5.3.tar.gz&includeSupersedes=0)
  2. Type the following command to extract the file:

    tar -zxvf oracle_osauditlog_fwdr_5.3.tar.gz

  3. Copy the Perl script to the server that hosts the Oracle server.
    Note: Perl 5.8 must be installed on the device that hosts the Oracle server. If you don't have Perl 5.8 installed, you might be prompted that library files are missing when you attempt to start the Oracle OS Audit script. Verify that Perl 5.8 is installed before you continue.
  4. Log in to the Oracle host as an Oracle user that has SYS or root privilege.
  5. Make sure the ORACLE_HOME and ORACLE_SID environment variables are configured properly for your deployment.
  6. Open the following file:

    ${ORACLE_HOME}/dbs/init${ORACLE_SID}.ora

  7. For syslog, add the following lines to the file:

    *.audit_trail=os
    *.audit_syslog_level=local0.info

  8. Verify that the account has read/write permissions for the following directories:

    /var/lock/
    /var/run/

  9. Restart the Oracle database instance.
  10. Start the OS Audit DSM script:

    oracle_osauditlog_fwdr_5.3.pl -t target_host -d logs_directory

    If you restart your Oracle server, you must restart the script:

    oracle_osauditlog_fwdr.pl -t target_host -d logs_directory

    For more information about Oracle OS Audit command parameters, see Oracle RDBMS OS Audit Record command parameters.

What to do next

Configure a log source in QRadar. For more information about Oracle OS Audit log source parameters, see Syslog log source parameters for Oracle RDBMS OS Audit Record or Log File log source parameters for Oracle RDBMS OS Audit Record.