IBM Support

QRadar: Using Oracle ORA Codes to Debug Oracle Log Source Issues in QRadar

Troubleshooting


Problem

The purpose of this troubleshooting document is to inform administrators of Oracle ORA codes in the QRadar logs that can point to the source of Oracle log source errors.

Symptom

An Oracle log source fails to properly retrieve events or displays an error.

Cause

The issue can be either an error on the QRadar side or from the Oracle side, but the ORA code can help identify the root cause.

Diagnosing The Problem

When administrators review the QRadar logs, the QRadar appliance that manages the log source can record the ORA code returned by the Oracle appliance. The error codes can be found in the /var/log/qradar.log file.

The entry can appear either as an error that is related to QRadar or as an Oracle issue identified by an ORA-<number> code. These codes are searchable and can help resolve connection or configuration issues.

Resolving The Problem

To locate the ORA number, the administrator should review the logs of the QRadar appliance that manages the Oracle log source.

How to determine what QRadar appliance is managing a log source

  1. Log in to the QRadar Console.
  2. Click the Admin tab.
  3. Click the Log Sources icon. A list of the configured log sources is displayed for the deployment.
  4. Select the Oracle log source and review the Target Event Collector column.
    The appliance listed in the Target Event Collector column is the QRadar appliance that is managing the log source.

How to review the QRadar log files for Oracle ORA codes

  1. Using SSH, log in to the QRadar Console as the root user.
  2. Optional. Using SSH, open a session from the Console to the QRadar appliance that is managing the Oracle log source.
  3. Review the logs in /var/log/qradar.log to search for ORA-number values.
    To quickly search for a specific error message, administrators can type the following command:

    grep -i ora /var/log/qradar.log
    or
    grep -i ora /var/log/qradar.error

    The system should return all individual lines matching ORA or ora from the QRadar logs. For example, ORA-01729.

  4. The ORA-number can then be searched online or through the Oracle Community to determine the root cause of the connection or configuration issue.

    In this case, ORA-01729 indicates that a database link name does not follow the at sign (@) in a reference to a table in a remote database. The administrator should therefore review the log source configuration to ensure that the correct values and syntax (username.table_name@database_name) for denoting a table in a remote database are used in the log source.
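
The search step above, narrowed to exact ORA-<number> codes, as an added example that is not part of the original IBM document. Because grep -i ora also matches words such as "Oracle" or "storage", this sketch extracts only the codes, counts them, and shows the latest line for a code. The function names and the sample log lines are constructed for illustration, and the log line layout is an assumption.

```shell
#!/bin/sh
# Added example: pull exact ORA-<number> codes out of QRadar logs.

# Constructed sample lines (not real QRadar output; the line layout is assumed).
make_sample_log() {
    cat > "$1" <<'EOF'
Jun 16 10:01:02 qradar-ec [INFO] Oracle log source poll started, temporary storage ok
Jun 16 10:01:03 qradar-ec [ERROR] java.sql.SQLException: ORA-01729: database link name expected
Jun 16 10:06:03 qradar-ec [ERROR] java.sql.SQLException: ORA-01729: database link name expected
Jun 16 10:07:10 qradar-ec [ERROR] java.sql.SQLException: ORA-01017: invalid username/password; logon denied
Jun 16 10:08:00 qradar-ec [INFO] Collaboration service restarted
EOF
}

# Print "<count> <code>" for each distinct ORA code, most frequent first.
ora_summary() {
    cat "$@" | grep -oE 'ORA-[0-9]+' | sort | uniq -c |
        awk '{print $1, $2}' | sort -k1,1nr -k2,2
}

# Print the most recent line that carries the given code (fixed-string match).
ora_last() {
    code=$1; shift
    cat "$@" | grep -F "$code" | tail -n 1
}

# Compare the broad "grep -i ora" hit count with lines holding a real code.
ora_noise() {
    broad=$(cat "$@" | grep -ic 'ora' || true)
    coded=$(cat "$@" | grep -cE 'ORA-[0-9]+' || true)
    echo "broad=$broad coded=$coded"
}

# Demo on the sample; on an appliance pass /var/log/qradar.log and
# /var/log/qradar.error as the arguments instead.
sample=$(mktemp)
make_sample_log "$sample"
ora_summary "$sample"
ora_last ORA-01729 "$sample"
ora_noise "$sample"
rm -f "$sample"
```

A code that repeats at a regular interval in the summary usually points to a persistent configuration issue on the log source rather than a transient connection failure.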




Document Information

Modified date:
16 June 2018

UID

swg21672188