Configuring an Oracle database server to send audit logs to QRadar
Configure your Oracle device to send audit logs to IBM QRadar.
Procedure
- Log in to the Oracle host as an Oracle user.
- Ensure that the ORACLE_HOME and ORACLE_SID environment variables are configured properly for your deployment.
- Open the following file:
${ORACLE_HOME}/dbs/init${ORACLE_SID}.ora
Note: If the instance starts from a server parameter file (spfile) rather than a text init.ora file, set the same parameters with ALTER SYSTEM SET ... SCOPE=SPFILE in SQL*Plus instead. audit_trail and audit_syslog_level are static parameters, so the database must be restarted in either case before the change takes effect.
- Choose one of the following options:
- For database audit trails, add the following line:
*.audit_trail='DB'
- For syslog, add the following lines:
*.audit_trail='os'
*.audit_syslog_level='local0.info'
You must ensure that the syslog daemon on the Oracle host is configured to forward the audit log to QRadar. The facility and level in the forwarding rule must match the value of audit_syslog_level. For systems that run Red Hat Enterprise Linux, the following line in the /etc/syslog.conf file (or in /etc/rsyslog.conf, or a file under /etc/rsyslog.d/, on systems that run rsyslog) forwards the events:
local0.info @qradar.domain.tld
Where qradar.domain.tld is the hostname of the QRadar appliance that receives the events. A single @ forwards over UDP port 514; rsyslog also accepts @@ for TCP. The syslog configuration must be reloaded for the new rule to be recognized. On a system that runs the classic syslogd, type the following line to reload the syslog configuration:
kill -HUP "$(cat /var/run/syslogd.pid)"
On a system that runs rsyslog under systemd, type systemctl restart rsyslog instead. You can confirm the forwarding rule with logger -p local0.info "qradar forward test" and then check that the message arrives in QRadar.
- Save and exit the file.
- To restart the database, connect to SQL*Plus and log in as sysdba:
Example:
Enter user-name: sys as sysdba
- Shut down the database by typing the following line:
shutdown immediate
- Restart the database by typing the following line:
startup
- If you are using Oracle v9i or Oracle v10g Release 1, you must create a view in SQL*Plus to enable the QRadar integration. The view adds a TIMESTAMP column, qradar_time, that QRadar uses as the Compare Field when it polls the audit trail. If you are using Oracle 10g Release 2 or later, you can skip this step:
CREATE VIEW qradar_audit_view AS SELECT CAST(dba_audit_trail.timestamp AS TIMESTAMP) AS qradar_time, dba_audit_trail.* FROM dba_audit_trail;
If you are using the JDBC protocol, when you configure the JDBC protocol within QRadar, use the following specific parameters:
Table 1. Configuring log source parameters
Parameter Name    Oracle v9i or 10g Release 1 Values    Oracle v10g Release 2 and v11g Values
Table Name        QRadar_audit_view                     dba_audit_trail
Select List       *                                     *
Compare Field     QRadar_time                           extended_timestamp
Database Name     For all supported versions of Oracle, the Database Name must be the exact service name that is used by the Oracle listener. You can view the available service names by running the following command on the Oracle host: lsnrctl status
Note: Ensure that the database user that QRadar uses to query events from the audit log table has the appropriate permissions for the Table Name object. A dedicated account with SELECT on that object only is sufficient; do not use SYS or another DBA account for the poll.
- You can now configure QRadar to receive events from an Oracle database: From the Log Source Type list, select the Oracle RDBMS Audit Record option.
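The init.ora and syslog steps of the procedure above, carried out as an idempotent script. This is an added example and is not code from the IBM QRadar documentation; the init.ora contents, the hostname qradar.domain.tld and the temporary file it edits are constructed for illustration, and the function names are this example's own.

```shell
# Added example (not from the IBM QRadar documentation): idempotently set the
# Oracle audit parameters in init<SID>.ora and emit the matching syslog
# forwarding rule. File contents and hostnames below are constructed.

# set_init_param FILE NAME VALUE
# Replace an existing "*.NAME=..." line with "*.NAME='VALUE'", or append it,
# so running the script twice does not leave duplicate parameter lines.
set_init_param() {
    file="$1"; name="$2"; value="$3"
    if grep -q "^\*\.${name}=" "$file"; then
        sed "s|^\*\.${name}=.*|*.${name}='${value}'|" "$file" > "${file}.tmp" &&
            mv "${file}.tmp" "$file"
    else
        printf "*.%s='%s'\n" "$name" "$value" >> "$file"
    fi
}

# get_init_param FILE NAME: print the value of "*.NAME=" with any quotes stripped.
get_init_param() {
    sed -n "s|^\*\.$2='\{0,1\}\([^']*\)'\{0,1\}\$|\1|p" "$1"
}

# configure_syslog_audit FILE [FACILITY.LEVEL]
# Switch the audit trail to the OS and route it to syslog. The facility.level
# must match the rule installed in the syslog daemon (see syslog_forward_rule).
configure_syslog_audit() {
    set_init_param "$1" audit_trail os
    set_init_param "$1" audit_syslog_level "${2:-local0.info}"
}

# syslog_forward_rule HOST [udp|tcp] [FACILITY.LEVEL]
# "@host" forwards over UDP/514; "@@host" is TCP and is understood by rsyslog only.
syslog_forward_rule() {
    sel="${3:-local0.info}"
    case "${2:-udp}" in
        tcp) printf '%s @@%s\n' "$sel" "$1" ;;
        *)   printf '%s @%s\n'  "$sel" "$1" ;;
    esac
}

# Demo on a constructed init.ora (a temp file, so nothing real is modified).
demo_file=$(mktemp)
printf "*.db_name='orcl'\n*.audit_trail='DB'\n" > "$demo_file"
configure_syslog_audit "$demo_file" local0.info
echo "--- constructed init.ora after edit ---"
cat "$demo_file"
echo "--- rsyslog rule (for example /etc/rsyslog.d/qradar.conf) ---"
syslog_forward_rule qradar.domain.tld udp local0.info
rm -f "$demo_file"
```

To apply this for real, point configure_syslog_audit at ${ORACLE_HOME}/dbs/init${ORACLE_SID}.ora, write the rule from syslog_forward_rule into the syslog daemon's configuration, reload the daemon (kill -HUP on the classic syslogd, systemctl restart rsyslog under systemd), send a test message with logger -p local0.info, and only then restart the database so the static audit parameters take effect.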