Collecting Oracle database events by using Perl

The Oracle Database Listener application stores logs on the database server. To forward these logs from the Oracle server to IBM QRadar, you must configure a Perl script on the Oracle server. The Perl script monitors the listener log file, combines any multi-line log entries into a single log entry, and sends the logs to QRadar by using syslog (UDP).

About this task

Before the logs are sent to QRadar, they are processed and reformatted so that they are not forwarded line-by-line, as they are in the log file. All of the relevant information is retained.

Note: The Perl script that is written for the Oracle DB listener works on Linux®/UNIX servers only. A Windows Perl script is not supported. You must make sure that Perl 5.8 is installed on the device that hosts the Oracle server.

To install and configure the Perl script:

Procedure

  1. Go to the following website to download the files that you need:
  2. From the Downloads list, click Fix Central.
  3. Click Select product tab.
  4. Select IBM Security from the Product Group list.
  5. Select IBM Security QRadar SIEM from the Select from IBM Security list.
  6. Select the Installed Version of QRadar.
  7. Select Linux from the Platform list and click Continue.
  8. Select Browse for fixes and click Continue.
  9. Select Script.
  10. Click <QRadar_version>-oracle_dblistener_fwdr-<version_number>.pl.tar.gz to download the Oracle DB Listener Script.
  11. Copy the Oracle DB Listener Script to the server that hosts the Oracle server.
  12. Log in to the Oracle server by using an account that has read/write permissions for the listener.log file and the /var/run directory.
  13. Extract the Oracle DB Listener Script file by typing the following command:

    tar -xvzf oracle_dblistener_fwdr-<version_number>.pl.tar.gz

  14. Type the following command and include any additional command parameters to start monitoring the Oracle DB Listener log file:

    oracle_dblistener_fwdr.pl -h <IP address> -t "tail -F <absolute_path_to_listener_log>/listener.log"

    where <IP address> is the IP address of your QRadar Console or Event Collector, and <absolute_path_to_listener_log> is the absolute path of the listener log file on the Oracle server.

    Table 1. Command parameters

    -D
        The -D parameter defines that the script is to run in the foreground. The default is to run as a daemon and log all internal messages to the local syslog service.

    -t
        The -t parameter defines the command line that is used to tail the log file (monitors any new output from the listener). The location of the log file might be different across versions of the Oracle database. For example:
        Oracle 9i: <install_directory>/product/9.2/network/log/listener.log
        Oracle 10g: <install_directory>/product/10.2.0/db_1/network/log/listener.log
        Oracle 11g: <install_directory>/diag/tnslsnr/qaoracle11/listener/trace/listener.log

    -f
        The -f parameter defines the syslog facility.priority that is included at the beginning of each log message. If nothing is specified, user.info is used.

    -g
        The -g parameter defines the language pack file. This parameter is optional. For example:
        ./oracle_dblistener_fwdr.pl -h <IP_address> -g /root/OracleDBListener/languagepacks/localization.french -t "tail -f /root/smbtest/listener_vali.log"

    -H
        The -H parameter defines the host name or IP address for the syslog header. It is suggested that this is the IP address of the Oracle server on which the script is running.

    -h
        The -h parameter defines the receiving syslog host (the host name or IP address of the Event Collector that receives the logs).

    -p
        The -p parameter defines the receiving UDP syslog port. If a port is not specified, 514 is used.

    -r
        The -r parameter defines the directory in which the .pid file is created. The default is /var/run. This parameter is ignored if -D is specified.

    -l
        The -l parameter defines the directory in which the lock file is created. The default is /var/lock. This parameter is ignored if -D is specified.

    For example, to monitor the listener log on an Oracle 9i server with an IP address of 192.0.2.10 and forward events to QRadar with the IP address of 192.0.2.20, type the following code:

    oracle_dblistener_fwdr.pl -t "tail -f <install_directory>/product/9.2/network/log/listener.log" -f user.info -H 192.0.2.10 -h 192.0.2.20 -p 514

    A sample log from this setup would appear as follows:

    <14>Apr 14 13:23:37 192.0.2.10 AgentDevice=OracleDBListener Command=SERVICE_UPDATE DeviceTime=18-AUG-2006 16:51:43 Status=0 SID=qora9

    Note: The kill command can be used to stop the script if you need to reconfigure a script parameter or stop the script from sending events to QRadar. For example,

    kill -QUIT `cat /var/run/oracle_dblistener_fwdr.pl.pid`

    The example command uses the backquote character (`), which is located to the left of the number one on most keyboard layouts.
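    The following Python program is an added illustration of the two things the forwarder does before QRadar sees an event: it joins wrapped listener.log lines into one entry and wraps each entry in a syslog message whose <PRI> comes from the -f facility.priority, whose header host comes from -H, and which is sent as one UDP datagram to the -h host and -p port. It is not IBM's oracle_dblistener_fwdr.pl. The listener.log field layout (timestamp first, then command, SID and status as the last three "*"-separated fields), the rule that a line not starting with a timestamp continues the previous entry, and the sample log lines are all assumptions constructed for the example; the message layout and the <14> for user.info match the sample on this page.

```python
"""Python stand-in for a listener.log to syslog forwarder (added example).

Assumptions, not taken from IBM's script: listener.log entries are
'*'-separated with the device timestamp first and command, SID, status last;
a line that does not start with DD-MON-YYYY HH:MM:SS continues the previous
entry. SAMPLE_LOG is constructed, not a real capture.
"""
import re
import socket
from datetime import datetime

# RFC 3164 numbering: PRI = facility * 8 + severity, so user.info is 1*8+6 = 14
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
              "syslog": 5, "lpr": 6, "news": 7, "uucp": 8, "cron": 9,
              "authpriv": 10, "ftp": 11, "local0": 16, "local1": 17,
              "local2": 18, "local3": 19, "local4": 20, "local5": 21,
              "local6": 22, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}

# An entry starts with an Oracle-style timestamp, e.g. 18-AUG-2006 16:51:43
ENTRY_START = re.compile(r"^\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}")


def syslog_pri(facility_priority="user.info"):
    """Convert the -f style 'facility.priority' string into the <PRI> number."""
    facility, severity = facility_priority.lower().split(".")
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def combine_entries(lines):
    """Join wrapped log lines so that each entry is exactly one string."""
    entries = []
    for raw in lines:
        line = raw.rstrip("\n")
        if not line.strip():
            continue
        if ENTRY_START.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line.strip()   # continuation of previous entry
    return entries


def parse_entry(entry):
    """Pull out the fields that appear in the forwarded event (assumed layout)."""
    fields = [f.strip() for f in entry.split("*")]
    if len(fields) < 4:
        raise ValueError("unrecognised listener.log entry: %r" % entry)
    return {"DeviceTime": fields[0], "Command": fields[-3].upper(),
            "SID": fields[-2], "Status": fields[-1]}


def format_syslog(entry, header_host, facility_priority="user.info", now=None):
    """Build the one-line message in the layout shown on this page."""
    now = now or datetime.now()
    # RFC 3164 timestamp: month, space-padded day, time (e.g. "Apr  4 13:23:37")
    stamp = now.strftime("%b") + " %2d " % now.day + now.strftime("%H:%M:%S")
    f = parse_entry(entry)
    return ("<%d>%s %s AgentDevice=OracleDBListener Command=%s DeviceTime=%s "
            "Status=%s SID=%s" % (syslog_pri(facility_priority), stamp,
                                   header_host, f["Command"], f["DeviceTime"],
                                   f["Status"], f["SID"]))


def forward(messages, collector_host, port=514):
    """Send each message as a single UDP datagram (the -h and -p options)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        for m in messages:
            sock.sendto(m.encode("utf-8"), (collector_host, port))
    finally:
        sock.close()
    return len(messages)


# Constructed sample: the second entry is deliberately wrapped over two lines.
SAMPLE_LOG = """\
18-AUG-2006 16:51:43 * service_update * qora9 * 0
18-AUG-2006 16:52:10 * (CONNECT_DATA=(SID=qora9)(CID=(PROGRAM=sqlplus)(HOST=client1)(USER=scott)))
  * (ADDRESS=(PROTOCOL=tcp)(HOST=192.0.2.5)(PORT=40000)) * establish * qora9 * 0
"""
SAMPLE_HEADER_TIME = datetime(2006, 4, 14, 13, 23, 37)  # constructed, fixed for repeatability

if __name__ == "__main__":
    events = [format_syslog(e, "192.0.2.10", "user.info", SAMPLE_HEADER_TIME)
              for e in combine_entries(SAMPLE_LOG.splitlines())]
    for ev in events:
        print(ev)
    # forward(events, "192.0.2.20", 514)  # uncomment to send to the collector
```

Running the block prints the two reformatted events; the first one is byte-for-byte the sample event shown above. The `forward` call is left commented out so the example runs offline; enable it with the collector address from the -h option to see the datagrams arrive on the Event Collector.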

What to do next

You can now configure the Oracle Database Listener within QRadar.