Configuring Oracle Audit Vault to communicate with QRadar

If you are using Oracle Audit Vault V12.2, you must create a database view. If you are using Oracle Audit Vault V10.3, no further configuration is required.

Procedure

  1. Log in to your Oracle Audit Vault V12.2 database as the AVSYS user.
  2. To create the database view, type the following query:

    create or replace view AVSYS.AV_ALERT_STORE_V as
    select RECORD_ID, USER_NAME, SECURED_TARGET_ID, SECURED_TARGET_NAME,
           SECURED_TARGET_TYPE, EVENT_TIME, OSUSER_NAME, COMMAND_CLASS,
           nvl(to_number(decode(EVENT_STATUS,'SUCCESS','0','FAILURE','1','1')),1) EVENT_STATUS,
           EVENT_NAME EVENT_ID,
           nvl(ERROR_CODE,0) ERROR_CODE,
           ERROR_MESSAGE, AV_TIME, TARGET_TYPE, TARGET_OBJECT, TARGET_OWNER,
           CLIENT_HOST_NAME, CLIENT_IP, AUDIT_TRAIL_ID, MONITORING_POINT_ID,
           MARKER, ALERT_RAISED, ACTION_TAKEN, NETWORK_CONNECTION, LOGFILE_ID,
           SERVICE_NAME, POLICY_NAME, THREAT_SEVERITY, LOG_CAUSE, CLUSTER_ID,
           CLUSTER_TYPE, GRAMMAR_VERSION, CLIENT_PROGRAM, COMMAND_TEXT,
           COMMAND_PARAM, EXTENSION, SECURED_TARGET_CLASS, LOCATION, TERMINAL,
           CLIENT_ID
      from avsys.EVENT_LOG el
     where el.alert_raised = 1;

  3. To allow a user that has AV_AUDITOR permission to read the view that you created, type the following query:

    grant select on AVSYS.AV_ALERT_STORE_V to AV_AUDITOR;
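
The following verification queries are an added example, not part of the original procedure. They confirm that the view compiled, that the grant is limited to SELECT for AV_AUDITOR, and that the view returns only alert rows with the normalized EVENT_STATUS values. They assume that you are still connected as AVSYS and that the standard Oracle dictionary views USER_OBJECTS and USER_TAB_PRIVS_MADE are readable in that session.

```sql
-- Added verification example; run as AVSYS after steps 2 and 3.

-- 1. The view exists and compiled cleanly (STATUS should be VALID).
select object_name, object_type, status
  from user_objects
 where object_name = 'AV_ALERT_STORE_V';

-- 2. Least-privilege check: the only row expected is SELECT for AV_AUDITOR.
--    Any other grantee or privilege on the view is outside this procedure.
select grantee, table_name, privilege, grantable
  from user_tab_privs_made
 where table_name = 'AV_ALERT_STORE_V';

-- 3. EVENT_STATUS is normalized by the view: 'SUCCESS' becomes 0, and
--    'FAILURE', any other value, or NULL becomes 1. Only 0 and 1 should
--    appear; newest_alert shows whether recent alerts are reaching the view.
select event_status,
       count(*)        as alerts,
       max(event_time) as newest_alert
  from AVSYS.AV_ALERT_STORE_V
 group by event_status
 order by event_status;

-- 4. The view filters on alert_raised = 1, so this count should be 0.
select count(*) as non_alert_rows
  from AVSYS.AV_ALERT_STORE_V
 where alert_raised <> 1
    or alert_raised is null;
```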