Oracle Enterprise Manager

The IBM QRadar DSM for Oracle Enterprise Manager collects events from an Oracle Enterprise Manager device. The Real-time Monitoring Compliance feature of Oracle Enterprise Manager generates the events.

The following table lists the specifications for the Oracle Enterprise Manager DSM:
Table 1. Oracle Enterprise Manager DSM specifications

| Specification | Value |
| --- | --- |
| Manufacturer | Oracle |
| DSM name | Oracle Enterprise Manager |
| RPM file name | DSM-OracleEnterpriseManager-QRadar_version-Buildbuild_number.noarch.rpm |
| Supported versions | Oracle Enterprise Manager Cloud Control 12c |
| Protocol | JDBC |
| Recorded event types | Audit, Compliance |
| Automatically discovered? | No |
| Includes identity? | Yes |
| Includes custom properties? | No |
| More information | Oracle Enterprise Manager (https://www.oracle.com/enterprise-manager/) |

The events originate as rows in an Oracle Enterprise Manager database view (sysman.mgmt$ccc_all_observations). QRadar polls this view for new rows and uses them to generate events. For more information, see Compliance Views (http://docs.oracle.com/cd/E24628_01/doc.121/e57277/ch5_complianceviews.htm#BABBIJAA).

To collect events from Oracle Enterprise Manager, complete the following steps:
  1. If automatic updates are not enabled, download and install the most recent version of the Oracle Enterprise Manager DSM RPM from the IBM® Support Website onto your QRadar Console.
  2. Ensure that the Oracle Enterprise Manager system is configured to accept connections from external devices.
  3. Add an Oracle Enterprise Manager log source on the QRadar Console. The following table describes the parameters that require specific values for Oracle Enterprise Manager event collection:
    Table 2. Oracle Enterprise Manager JDBC log source parameters

    | Parameter | Description |
    | --- | --- |
    | Log Source Name | Type a unique name for the log source. |
    | Log Source Description (Optional) | Type a description for the log source. |
    | Log Source type | Oracle Enterprise Manager |
    | Protocol Configuration | JDBC |
    | Database Type | Oracle |
    | Database Name | The Service Name of the Oracle Enterprise Manager database. To view the available service names, run the lsnrctl status command on the Oracle host. |
    | IP or Hostname | The IP address or host name of the Oracle Enterprise Manager database server. |
    | Port | The port that is used by the Oracle Enterprise Manager database. |
    | Username | The user name of the account that has rights to access the sysman.mgmt$ccc_all_observations view. |
    | Password | The password that is required to connect to the database. |
    | Predefined Query (Optional) | none |
    | Table Name | sysman.mgmt$ccc_all_observations |
    | Select List | * |
    | Compare Field | ACTION_TIME |
    | Use Prepared Statements | True |
    | Start Date and Time (Optional) | Type the start date and time for database polling in the following format: yyyy-MM-dd HH:mm with HH specified by using a 24-hour clock. If the start date or time is left blank, polling begins immediately and repeats at the specified polling interval. |
    | Polling Interval | Enter the amount of time between queries to the event table. To define a longer polling interval, append H for hours or M for minutes to the numeric value. The maximum polling interval is one week. |
    | EPS Throttle | The maximum number of events per second that QRadar ingests. If your data source exceeds the EPS throttle, data collection is delayed. Data is still collected and then it is ingested when the data source stops exceeding the EPS throttle. The valid range is 100 to 20,000. |
    | Use Oracle Encryption | Oracle Encryption and Data Integrity settings are also known as Oracle Advanced Security. If selected, Oracle JDBC connections require the server to support similar Oracle Data Encryption settings as the client. |

For more information about configuring JDBC parameters, see the JDBC protocol topic (c_logsource_JDBCprotocol.html).
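
The Compare Field and Use Prepared Statements settings above describe an incremental poll of the view. The sketch below is an added example, not IBM or Oracle code: it models such a poll against an in-memory SQLite table standing in for sysman.mgmt$ccc_all_observations, and shows which rows a time-based marker can skip. The strict greater-than comparison, the table name observations, and every column except ACTION_TIME are assumptions, and all sample rows are constructed.

```python
import sqlite3

# Constructed stand-in for the sysman.mgmt$ccc_all_observations view.
# Only ACTION_TIME is named on the page; the other columns are hypothetical.
def make_view(rows):
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE observations "
               "(observation_id INTEGER, action_time TEXT, detail TEXT)")
    db.executemany("INSERT INTO observations VALUES (?, ?, ?)", rows)
    return db

def poll(db, marker):
    """One polling cycle: fetch rows whose compare field is past the marker.

    The marker is bound as a parameter (prepared statement), never
    concatenated into the SQL text. Returns (rows, new_marker).
    """
    rows = db.execute(
        "SELECT observation_id, action_time, detail FROM observations "
        "WHERE action_time > ? ORDER BY action_time, observation_id",
        (marker,),
    ).fetchall()
    if rows:
        marker = rows[-1][1]  # highest ACTION_TIME seen becomes the new marker
    return rows, marker

def demo():
    db = make_view([
        (1, "2024-05-01 09:00:00", "file change observed"),
        (2, "2024-05-01 09:05:00", "user login observed"),
    ])
    # Start Date and Time value, in the yyyy-MM-dd HH:mm format.
    first, marker = poll(db, "2024-05-01 00:00")
    # Rows written between polls: one newer, one equal to the marker, one backdated.
    db.executemany("INSERT INTO observations VALUES (?, ?, ?)", [
        (3, "2024-05-01 09:10:00", "process start observed"),
        (4, "2024-05-01 09:05:00", "same second as marker"),
        (5, "2024-05-01 08:00:00", "backdated row"),
    ])
    second, marker = poll(db, marker)
    collected = {r[0] for r in first + second}
    all_ids = {r[0] for r in db.execute("SELECT observation_id FROM observations")}
    missed = sorted(all_ids - collected)
    return [r[0] for r in first], [r[0] for r in second], missed, marker

if __name__ == "__main__":
    print(demo())
```

Under this model, rows 4 and 5 are never collected, so it is worth confirming that ACTION_TIME only moves forward in your repository before relying on it as the compare field.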