Configuring an Oracle database server to send audit logs to QRadar

Configure your Oracle device to send audit logs to IBM QRadar.

Procedure

  1. Log in to the Oracle host as an Oracle user.
  2. Ensure that the ORACLE_HOME and ORACLE_SID environment variables are configured properly for your deployment.
  3. Open the following file:

    ${ORACLE_HOME}/dbs/init${ORACLE_SID}.ora

  4. Choose one of the following options:
    1. For a database audit trail (events are written to the SYS.AUD$ table and QRadar polls them over JDBC), add the following line:

      *.audit_trail='DB'

    2. For syslog (events are handed to the host's syslog daemon), add the following two lines:

      *.audit_trail='os'

      *.audit_syslog_level='local0.info'

      The syslog daemon on the Oracle host must also forward the local0 facility to QRadar. On Red Hat Enterprise Linux systems that run the classic syslog daemon, the following line in /etc/syslog.conf does the forwarding (on releases that ship rsyslog instead, the same line goes in /etc/rsyslog.conf or in a file under /etc/rsyslog.d/):

      local0.info    @qradar.domain.tld

      Where qradar.domain.tld is the host name of the QRadar system that receives the events; there is no space between @ and the host name. A single @ forwards over UDP port 514, which is unauthenticated and drops events silently under load; rsyslog also accepts @@ to forward over TCP, which is the better choice for audit data. The syslog daemon must reload its configuration before the change takes effect. On a Red Hat Enterprise Linux system that runs the classic syslog daemon, type the following line (kill -HUP needs the process ID stored in the pid file, not the file name); on a system that runs rsyslog, restart the rsyslog service instead:

      kill -HUP $(cat /var/run/syslogd.pid)

  5. Save and exit the file.
  6. To restart the database, connect with SQL*Plus and log in as SYSDBA:
    Example: Enter user-name: sys as sysdba
  7. Shut down the database by typing the following line:

    shutdown immediate

  8. Restart the database by typing the following line:

    startup

  9. If you are using Oracle 9i or Oracle 10g Release 1, you must use SQL*Plus to create a view that enables the QRadar integration. The view adds a TIMESTAMP-typed copy of the audit timestamp (qradar_time) that QRadar uses as its compare field when it polls for new rows. If you are using Oracle 10g Release 2 or later, skip this step:

    CREATE VIEW qradar_audit_view AS
      SELECT CAST(dba_audit_trail.timestamp AS TIMESTAMP) AS qradar_time, dba_audit_trail.*
      FROM dba_audit_trail;

    If QRadar collects the events with the JDBC protocol, use the following values when you configure the JDBC protocol in the log source:

    Table 1. Configuring log source parameters

    Parameter Name   Oracle v9i or 10g Release 1 Values   Oracle v10g Release 2 and v11g Values
    Table Name       QRadar_audit_view                    dba_audit_trail
    Select List      *                                    *
    Compare Field    QRadar_time                          extended_timestamp
    Database Name    The exact service name that the Oracle listener uses (same for all supported versions)

    You can view the service names that the listener publishes by running the following command on the Oracle host:

      lsnrctl status

    Note: The database user that QRadar uses to query the audit log must be able to SELECT from the Table Name object (qradar_audit_view or dba_audit_trail). Use a dedicated account that holds only CREATE SESSION and SELECT on that object; do not give QRadar the SYS account or a DBA role, because a collector only needs to read the audit trail, never to alter it.
  10. You can now configure QRadar to receive events from the Oracle database. From the Log Source Type list, select Oracle RDBMS Audit Record.
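Steps 3 and 4 (syslog option), scripted for a pfile-based instance, as an added example that is not part of the IBM procedure. It edits the pfile idempotently (each parameter is replaced or appended, and duplicate settings of the same parameter are removed, so a second run is harmless), writes the rsyslog forwarding rule as a drop-in file, and reads the resulting values back so the change can be verified before the database is restarted. It assumes a host that runs rsyslog with an /etc/rsyslog.d/ include directory, uses the example host name qradar.domain.tld from the page, and runs here against a constructed sample pfile in a temporary directory; the function names set_pfile_param, pfile_param and write_forwarding_rule and the file name 60-oracle-audit-qradar.conf are my own. If the instance starts from an spfile rather than a pfile, edits to init${ORACLE_SID}.ora are ignored, and the two parameters must instead be set with ALTER SYSTEM ... SCOPE=SPFILE in SQL*Plus before the restart.

```shell
#!/bin/sh
# Added example (not from the IBM page). Assumes a pfile-based Oracle
# instance and an rsyslog host; see the lead-in for the spfile caveat.
set -eu

# set_pfile_param FILE NAME VALUE
# Replace every existing "NAME=..." or "*.NAME=..." line with a single
# "*.NAME=VALUE" line, or append one if the parameter is absent, so the
# script can be re-run safely. Oracle parameter names are case-insensitive.
set_pfile_param() {
    file=$1; name=$2; value=$3
    tmp="$file.tmp.$$"
    awk -v name="$name" -v value="$value" '
        BEGIN { lname = tolower(name); done = 0 }
        {
            line = $0
            sub(/^\*\./, "", line)              # strip the "*." (all instances) prefix
            eq = index(line, "=")
            key = (eq > 0) ? substr(line, 1, eq - 1) : ""
            gsub(/[ \t]/, "", key)
            if (key != "" && tolower(key) == lname) {
                if (!done) { print "*." name "=" value; done = 1 }
                next                            # drop any duplicate setting of the key
            }
            print
        }
        END { if (!done) print "*." name "=" value }
    ' "$file" > "$tmp"
    mv "$tmp" "$file"
}

# pfile_param FILE NAME
# Print the value set for NAME (quotes and surrounding blanks removed),
# or an empty string if it is not set. Used to verify the edit.
pfile_param() {
    awk -v name="$2" -v sq="'" '
        BEGIN { lname = tolower(name); val = "" }
        {
            line = $0
            sub(/^\*\./, "", line)
            eq = index(line, "="); if (eq == 0) next
            key = substr(line, 1, eq - 1); gsub(/[ \t]/, "", key)
            if (tolower(key) != lname) next
            v = substr(line, eq + 1)
            gsub(sq, "", v); gsub(/"/, "", v)   # Oracle accepts quoted or bare values
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            val = v                             # a later line overrides an earlier one
        }
        END { print val }
    ' "$1"
}

# write_forwarding_rule DIR HOST [tcp|udp]
# Write the rsyslog rule that forwards facility local0 at priority info
# (the facility.level given in audit_syslog_level) to QRadar. In rsyslog
# "@@" is TCP and "@" is UDP; TCP is the default here because UDP drops
# audit events silently. DIR is /etc/rsyslog.d on a real host.
write_forwarding_rule() {
    dir=$1; host=$2; proto=${3:-tcp}
    case "$proto" in
        tcp) target="@@$host" ;;
        udp) target="@$host" ;;
        *)   echo "write_forwarding_rule: unknown protocol '$proto'" >&2; return 1 ;;
    esac
    printf 'local0.info\t%s\n' "$target" > "$dir/60-oracle-audit-qradar.conf"
}

# Demonstration against a constructed sample pfile in a temporary
# directory (no Oracle installation needed). On a real host, point
# set_pfile_param at ${ORACLE_HOME}/dbs/init${ORACLE_SID}.ora and
# write_forwarding_rule at /etc/rsyslog.d, then restart rsyslog and
# the database.
demo() {
    work=$(mktemp -d)
    pfile="$work/initORCL.ora"
    printf '%s\n' '*.db_name=ORCL' "*.audit_trail='NONE'" > "$pfile"   # constructed sample

    set_pfile_param "$pfile" audit_trail "'os'"
    set_pfile_param "$pfile" audit_syslog_level "'local0.info'"
    write_forwarding_rule "$work" qradar.domain.tld tcp

    echo "audit_trail        = $(pfile_param "$pfile" audit_trail)"
    echo "audit_syslog_level = $(pfile_param "$pfile" audit_syslog_level)"
    cat "$work/60-oracle-audit-qradar.conf"
    rm -rf "$work"
}

demo
```

Run it as the Oracle software owner for the pfile and as root for the rsyslog drop-in; the two edits need different privileges, which is one more reason not to run the whole procedure as root. Both Oracle parameters are static, so the restart in steps 6 to 8 is still required after the pfile edit.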