Oracle Database¶
About¶
Oracle Corporation is an American multinational computer technology corporation headquartered in Austin, Texas. The company was formerly headquartered in Redwood Shores, California, until December 2020 when it moved its headquarters to Texas.
Oracle offers a comprehensive and fully integrated stack of cloud applications and platform services.
Product Details¶
Vendor URL: Oracle | Integrated Cloud Applications and Platform Services
Product Type: Database
Product Tier: Tier III
Integration Method: Syslog
Integration URL: How to Configure syslog Audit Logs
Log Guide: Managing Log Files - Oracle Help Center
Parser Details¶
Log Format: JSON
Expected Normalization Rate: 75%
Data Label: ORACLE_DB
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| vendor | metadata.vendor_name |
| product | metadata.product_name |
| product_event | metadata.product_event_type |
| GENERIC_EVENT/USER_LOGIN/USER_LOGOUT | metadata.event_type |
| length | additional.fields |
| file_name | src.file.full_path |
| src | principal.hostname |
| src | principal.ip |
| dst | target.hostname |
| dst | target.ip |
| dhost | target.hostname |
| dhost | target.ip |
| shost | principal.hostname |
| shost | principal.ip |
| suser | principal.user.userid |
| request | target.url |
| AUTHTYPE_UNSPECIFIED | extensions.auth.type |
| observer | target.hostname |
| observer | observer.hostname |
| observer | observer.ip |
Product Event Types¶
| type,subtype | severity | UDM Event Classification | alerting enabled |
|---|---|---|---|
| Default | GENERIC_EVENT | ||
| LOGOFF | USER_LOGOUT | ||
| LOGON | USER_LOGIN |
Log Sample¶
{"msg": "MACHINENAME|RLOG|John.DOE|1234567||||0|||0|12345||LOGON|100||02-DEC-21:05:01:29||\n","length": 84,"file_name": "oracle_audit.gz","product": "Oracle","vendor": "Oracle"}
Sample Parsing¶
metadata.event_timestamp = "2021-12-02T05:01:29Z"
metadata.event_type = "USER_LOGIN"
metadata.vendor_name = "Oracle"
metadata.product_name = "RLOG"
metadata.product_event_type = "LOGON"
additional.length = "84"
principal.user.userid = "John.Doe"
principal.namespace = "domain"
src.file.full_path = "oracle_audit.gz"
src.namespace = "COMPANYNAME"
target.hostname = "hostname2"
target.namespace = "domain"
target.asset.hostname = "hostname2"
observer.hostname = "hostname1"
observer.namespace = "domain"
Rules¶
Coming Soon