Oracle RDBMS Audit Record

The IBM® Security QRadar® Log Insights data source type for Oracle RDBMS Audit Record collects logs from an Oracle database.

The following table describes the specifications for the Oracle RDBMS Audit Record data source type:
Table 1. Oracle RDBMS Audit Record data source type specifications
Specification Value
Manufacturer Oracle
Data source type Oracle RDBMS Audit Record
Supported versions 9i, 10g, 11g, 12c (includes unified auditing)
Connector JDBC, Syslog
Event format Name-Value Pair
Recorded event types Audit records
Automatically discovered? No
Includes identity? No
Includes custom properties? No
More information Oracle website (https://www.oracle.com)
To integrate Oracle RDBMS Audit Record with QRadar Log Insights, complete the following steps:
  1. Configure your Oracle RDBMS Audit Record device to write audit logs.
  2. If QRadar Log Insights does not automatically detect the data source, add an Oracle RDBMS Audit Record data source in QRadar Log Insights. The following tables describe the parameters that require specific values to collect audit events from Oracle RDBMS Audit Record:
    Table 2. Oracle RDBMS Audit Record Syslog data source parameters
    Parameter Value
    Data source type Oracle RDBMS Audit Record
    Connector type Syslog
    Data source identifier

    Type a unique identifier for the data source.
    Table 3. Oracle RDBMS Audit Record JDBC data source parameters
    Parameter Value
    Data source type Oracle RDBMS Audit Record
    Connector type JDBC
    Data source identifier

    Type a unique name for the data source.

    The Data source identifier can be any valid value and does not need to reference a specific server. It can also be the same value as the Data source name. If you have more than one configured JDBC data source, ensure that you give each one a unique name.
    Database Type Oracle
    Database Name The name of the database from where you collect audit logs.
    IP or Hostname The IP or host name of the Oracle database.
    Port

    Enter the JDBC port. The JDBC port must match the listener port that is configured on the remote database. The database must permit incoming TCP connections. The valid range is 1 - 65535.

    The defaults are:

    • MSDE - 1433
    • Postgres - 5432
    • MySQL - 3306
    • Sybase - 1521
    • Oracle - 1521
    • Informix® - 9088
    • DB2® - 50000

    If a database instance is used with the MSDE database type, you must leave the Port field blank.
    Username A user account to connect to the database. The user must have AUDIT_ADMIN or AUDIT_VIEWER permissions.
    Password The password that is required to connect to the database.
    Predefined Query

    Select a predefined database query for the data source. If a predefined query is not available for the data source type, administrators can select the none option.

    Table Name The name of the table or view that includes the event records. The table name can include the following special characters: dollar sign ($), number sign (#), underscore (_), en dash (-), and period (.).
    Select List The list of fields to include when the table is polled for events. You can use a comma-separated list or type an asterisk (*) to select all fields from the table or view. If a comma-separated list is defined, the list must contain the field that is defined in the Compare Field.
    Compare Field

    For Oracle 9i or Oracle 10g Release 1, type Qradar_time.

    For Oracle 10g Release 2, Oracle 11g, or Oracle 12c (non-unified auditing), type extended_timestamp.

    For Oracle 12c (unified auditing), type event_timestamp.
    Use Oracle Encryption

    Oracle Encryption and Data Integrity settings is also known as Oracle Advanced Security.

    If selected, Oracle JDBC connections require the server to support similar Oracle Data Encryption settings as the client.

    For more information about configuring JDBC parameters, see JDBC connector configuration options.

  3. Verify that QRadar Log Insights is configured correctly.
    Important: Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.
    The following table shows a sample normalized event message from Oracle RDBMS Audit Record:
    Table 4. Oracle RDBMS Audit Record sample message
    Event name Low level category Sample log message
    SELECT succeeded System Action Allow 

    OS_USERNAME: "os_username" USERNAME: "username" USERHOST: "userhost" TERMINAL: "terminal" TIMESTAMP: "2017-04-05 21:04:02.0" OWNER: "owner" OBJ_NAME: "PARTIAL_ALERT" ACTION: "3" ACTION_NAME: "SELECT" NEW_OWNER: "null" NEW_NAME: "null" OBJ_PRIVILEGE: "null" SYS_PRIVILEGE: "null" ADMIN_OPTION: "null" GRANTEE: "null" AUDIT_OPTION: "null" SES_ACTIONS: "null" LOGOFF_TIME: "null" LOGOFF_LREAD: "null" LOGOFF_PREAD: "null" LOGOFF_LWRITE: "null" LOGOFF_DLOCK: "null" COMMENT_TEXT: "null" SESSIONID: "xxxxxx" ENTRYID: "2" STATEMENTID: "2" RETURNCODE: "0" PRIV_USED: "null" CLIENT_ID: "null" ECONTEXT_ID: "null" SESSION_CPU: "null" EXTENDED_TIMESTAMP: "2017-04-05 21:04:02.318133 America/Halifax" PROXY_SESSIONID: "null" GLOBAL_UID: "null" INSTANCE_NUMBER: "0" OS_PROCESS: "9276" TRANSACTIONID: "null" SCN: "3842851" SQL_BIND: "null" SQL_TEXT: "null" OBJ_EDITION_NAME: "null" DBID: "xxxxxxxxxx"
    AUDIT failed Failed Configuration Modification 

    AUDIT_TYPE: "Standard" SESSIONID: "xxxxxxxxxx" PROXY_SESSIONID: "0" OS_USERNAME: "os_username" USERHOST: "userhost" TERMINAL: "terminal" INSTANCE_ID: "1" DBID: "xxxxxxxxxx" AUTHENTICATION_TYPE: "(TYPE=(DATABASE));" DBUSERNAME: "dbusername" DBPROXY_USERNAME: "null" EXTERNAL_USERID: "null" GLOBAL_USERID: "null" CLIENT_PROGRAM_NAME: "client_program_name" DBLINK_INFO: "null" XS_USER_NAME: "null" XS_SESSIONID: "000000000000000000000000000000000000000000000000000000000000000000" ENTRY_ID: "3" STATEMENT_ID: "11" EVENT_TIMESTAMP: "2017-04-05 20:44:21.29604" ACTION_NAME: "AUDIT" RETURN_CODE: "1031" OS_PROCESS: "1749" TRANSACTION_ID: "0000000000000000" SCN: "3841187" EXECUTION_ID: "null" OBJECT_SCHEMA: "null" OBJECT_NAME: "null" SQL_TEXT: "audit all" SQL_BINDS: "null" APPLICATION_CONTEXTS: "null" CLIENT_IDENTIFIER: "null" NEW_SCHEMA: "null" NEW_NAME: "null" OBJECT_EDITION: "null" SYSTEM_PRIVILEGE_USED: "null" SYSTEM_PRIVILEGE: "null" AUDIT_OPTION: "CREATE SESSION" OBJECT_PRIVILEGES: "null" ROLE: "null" TARGET_USER: "null" EXCLUDED_USER: "null" EXCLUDED_SCHEMA: "null" EXCLUDED_OBJECT: "null" ADDITIONAL_INFO: "null" UNIFIED_AUDIT_POLICIES: "null" FGA_POLICY_NAME: "null" XS_INACTIVITY_TIMEOUT: "0" XS_ENTITY_TYPE: "null" XS_TARGET_PRINCIPAL_NAME: "null" XS_PROXY_USER_NAME: "null" XS_DATASEC_POLICY_NAME: "null" XS_SCHEMA_NAME: "null" XS_CALLBACK_EVENT_TYPE: "null" XS_PACKAGE_NAME: "null" XS_PROCEDURE_NAME: "null" XS_ENABLED_ROLE: "null" XS_COOKIE: "null" XS_NS_NAME: "null" XS_NS_ATTRIBUTE: "null" XS_NS_ATTRIBUTE_OLD_VAL: "null" XS_NS_ATTRIBUTE_NEW_VAL: "null" DV_ACTION_CODE: "0" DV_ACTION_NAME: "null" DV_EXTENDED_ACTION_CODE: "0" DV_GRANTEE: "null" DV_RETURN_CODE: "0" DV_ACTION_OBJECT_NAME: "null" DV_RULE_SET_NAME: "null" DV_COMMENT: "null" DV_FACTOR_CONTEXT: "null" DV_OBJECT_STATUS: "null" OLS_POLICY_NAME: "null" OLS_GRANTEE: "null" OLS_MAX_READ_LABEL: "null" OLS_MAX_WRITE_LABEL: "null" OLS_MIN_WRITE_LABEL: "null" OLS_PRIVILEGES_GRANTED: "null" OLS_PROGRAM_UNIT_NAME: "null" OLS_PRIVILEGES_USED: "null" OLS_STRING_LABEL: "null" OLS_LABEL_COMPONENT_TYPE: "null" OLS_LABEL_COMPONENT_NAME: "null" OLS_PARENT_GROUP_NAME: "null" OLS_OLD_VALUE: "null" OLS_NEW_VALUE: "null" RMAN_SESSION_RECID: "0" RMAN_SESSION_STAMP: "0" RMAN_OPERATION: "null" RMAN_OBJECT_TYPE: "null" RMAN_DEVICE_TYPE: "null" DP_TEXT_PARAMETERS1: "null" DP_BOOLEAN_PARAMETERS1: "null" DIRECT_PATH_NUM_COLUMNS_LOADED: "0"