Help Document

Adding Oracle Server

Note: Ensure Log360 Cloud agent is installed on at least one Windows device in your network. To configure the agent, follow the steps provided here.
  • Log into your Log360 Cloud dashboard.
  • Navigate to Settings -> Configuration Settings -> Log source configuration -> Applications tab.
  • From the right panel, click on the General Applications tab to view the list of applications being monitored.
  • To add a new application, click on Add General Applications.
  • Adding SQL server
  • Select the Oracle from the drop down box.
  • Expand the list by clicking the "+" icon to add a new device.
  • Choose from the drop-down menu to add Configured devices, Workgroup devices, domain devices, etc.
  • Adding SQL server
  • To add new devices manually, click on Configure Manually and enter Log Source.
  • Adding SQL server
  • If the device type is syslog, check the Add as Syslog device box. If the device type is Windows, enter Username > Password > Verify Credentials.
  • Select an agent from the drop-down list and click Select.
  • Select the respective platforms, agent and click Add.
  • The applications will now be added for monitoring.

Oracle Server Configuration

Reference:

http://download.oracle.com/docs/cd/B28359_01/network.111/b28531/auditing.htm#CEGBIIJD

For Oracle server installed in Windows platform

  • Connect to SQL *Plus using the sqlplus command.
  • Execute the command given below to check whether the audit_trail is set to OS or not.
Copy to Clipboard

Show parameter AUDIT_TRAIL;

  • Change audit parameters using the below command:
Copy to Clipboard

Show parameter AUDIT_TRAIL;ALTER SYSTEM SET AUDIT_TRAIL=OS SCOPE=SPFILE;

  • Restart the Oracle server to let the changes take effect.
  • To disable AUDIT_TRAIL
Copy to Clipboard

ALTER SYSTEM SET audit_trail = NONE SCOPE=SPFILE ;

For Oracle Server installed in Unix platform

  • Execute the command given below to check whether the audit_trail is set to OS or not.
Copy to Clipboard

Show parameter AUDIT_TRAIL;

  • Change audit parameters using the below command:
Copy to Clipboard

ALTER SYSTEM SET AUDIT_TRAIL=OS SCOPE=SPFILE;

To enable Oracle syslog auditing, follow the procedure given below:

  1. Manually add and set the AUDIT_SYSLOG_LEVEL parameter in the initialization parameter file, initsid.ora.
  2. The AUDIT_SYSLOG_LEVEL parameter is set to specify a facility and priority in the format AUDIT_SYSLOG_LEVEL=facility.priority.
  3. facility: Describes the part of the operating system that is logging the message. Accepted values are user, local0–local7, syslog, daemon, kern, mail, auth, lpr, news, uucp, and cron.
  4. The local0–local7 values are predefined tags that enable you to sort the syslog message into categories. These categories can be log files or other destinations that the syslog utility can access. To find more information about these types of tags, refer to the syslog utility MAN page.
  5. priority: Defines the severity of the message. Accepted values are notice, info, debug, warning, err, crit, alert, and emerg.
  6. The syslog daemon compares the value assigned to the facility argument of the AUDIT_SYSLOG_LEVEL parameter with the syslog.conf file to determine where to log information.
  7. For example,the following statement identifies the facility as local1 with a priority level of warning:
  8. AUDIT_SYSLOG_LEVEL=local1.warning

    See Oracle Database Reference for more information about AUDIT_SYSLOG_LEVEL.

  9. Log in to the machine that contains the syslog configuration file, /etc/syslog.conf, with the superuser (root) privilege.
  10. Add the audit file destination to the syslog configuration file /etc/syslog.conf.
  11. For example: assuming you had set the AUDIT_SYSLOG_LEVEL to local1.warning, enter the following:
  12. Copy to Clipboard

    local1.warning /var/log/audit.log

  13. This setting logs all warning messages to the /var/log/audit.log file.
  14. Restart the syslog logger:
    Copy to Clipboard

    $/etc/rc.d/init.d/syslog restart

    Now, all audit records will be captured in the file /var/log/audit.log through the syslog daemon.

  15. Restart the Oracle server so that the changes take effect.

Note: When logged in as SYSDBA/SYSOPER, Oracle database provides limited information on database activity monitoring. Hence, to get the complete audit trail activities of Oracle database, we suggest that you log in as a user with privilege other than SYSDBA/SYSOPER.

Auditing statements

DDL

You can audit DDL activities of a selected user in the database.

  • To enable auditing of all privileges of users:
Copy to Clipboard

AUDIT ALL PRIVILEGES by user_name; (or)
AUDIT CREATE TABLE by user_name;

  • To enable auditing of specific privileges:
Copy to Clipboard

AUDIT CREATE TABLE by user_name;

Add your required auditing option near "CREATE TABLE".

  • Restart the Oracle server to let the changes take effect.
Note: To check the audit options that are enabled under any user, execute the statement given below.
Copy to Clipboard

SELECT user_name, audit_option, success, failure FROM DBA_STMT_AUDIT_OPTS;

DML

This auditing enables you to audit specific statements on a particular object. It always applies to all users of the database.

Copy to Clipboard

AUDIT SELECT, INSERT, UPDATE, DELETE on table_name

You can also add your required auditing option(s) here.

  • The following statement specifies default auditing options for objects that might be created in the future:
Copy to Clipboard

AUDIT SELECT, INSERT, UPDATE, DELETE on DEFAULT;

  • Restart the Oracle server to let the changes take effect.
Note: To check the audit options that are enabled under any object, simply execute the below statement.
Copy to Clipboard

SELECT OWNER, OBJECT_NAME, OBJECT_TYPE, INS, UPD, DEL FROM DBA_OBJ_AUDIT_OPTS;

To disable audit option, use NOAUDIT instead of AUDIT in same statement.

Details about the audit options are available here.