Send Oracle Audit to rsyslog

Auditing is turned on for some operations in our database, and the audit records go to the OS.

SYS> show parameter audit_file_dest

NAME                TYPE        VALUE
------------------ ----------- ------------------------------
audit_file_dest  string       /u01_log/audit/orcl

SYS > show parameter audit_trail

NAME        TYPE         VALUE
------------- ----------- -----------
audit_trail string        OS

Our security administrators use a SIEM to monitor suspicious activities, and they want the database to send audit records to this third-party tool.

I thought that I could somehow indicate the directory “/u01_log/audit/orcl” from which the *.aud files would be uploaded to the SIEM, but I was wrong. Some tools may be able to use these *.aud files, but not the SIEM, so let’s configure our database to send audit records to it.

1. Connect to a database instance as sysdba user

SQL> connect / as sysdba

2. Set audit trail to OS

SQL> alter system set audit_trail=OS;

3. Enable auditing for system users if you need to audit the activities of the sys user (optional)

SQL> alter system set audit_sys_operations=TRUE;

4. Set the rsyslog facility and severity (needs a database restart)

SQL> alter system set audit_syslog_level=local5.info scope=spfile sid='*';

5.  Restart database

SQL> shutdown immediate;
SQL> startup;

6. Edit rsyslog.conf file

#Saving oracle database audit records
local5.info          /u01_log/audit/RSYSLOG/dbaudit.log
#Send oracle database audit trail to remote rsyslog server
local5.info          @192.168.0.15

7. Restart rsyslog service

# service rsyslog restart
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]

8. It is better to limit the size of the audit log, or it may fill up the space:

# vi /etc/logrotate.d/oracle.audit

#Created by MariK

/u01_log/audit/RSYSLOG/dbaudit.log {
 rotate 3
 compress
 missingok
 notifempty
 size 40G
 postrotate
 service rsyslog restart
 endscript
}

To check the syntax, run:

# logrotate /etc/logrotate.d/oracle.audit

It will report any errors. If the syntax is OK, there is no output.
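
An added example (not part of the original post): a shell function that checks an rsyslog configuration for the selector set in audit_syslog_level and reports where the audit records go. In rsyslog a single @ forwards over UDP and @@ over TCP, so the rule in step 6 uses UDP, which does not retransmit lost messages. The function name check_audit_rules and the temporary sample file are assumptions of this example.

```shell
#!/bin/sh
# check_audit_rules <rsyslog.conf> <facility.severity>
# Prints one line per rule using exactly that selector and returns
#   0 if both a local file and a remote target are configured,
#   1 if either one is missing.
# Limitation: combined selectors such as "local5.*" or "a.b;c.d" are not matched.
check_audit_rules() {
    awk -v sel="$2" '
        /^[ \t]*#/ || NF < 2 { next }      # skip comments and blank lines
        $1 != sel            { next }      # only the audit selector
        {
            action = $2
            if (action ~ /^@@/) {          # @@host = TCP forwarding
                remote = 1; print "remote tcp " substr(action, 3)
            } else if (action ~ /^@/) {    # @host = UDP forwarding
                remote = 1; print "remote udp " substr(action, 2)
            } else if (action ~ /^-?\//) { # file target, optional "-" prefix
                file = 1; sub(/^-/, "", action); print "file " action
            }
        }
        END { rc = (file && remote) ? 0 : 1; exit rc }
    ' "$1"
}

# Constructed sample: the two rules from step 6, written to a temporary file.
demo=$(mktemp)
cat > "$demo" <<'EOF'
#Saving oracle database audit records
local5.info          /u01_log/audit/RSYSLOG/dbaudit.log
#Send oracle database audit trail to remote rsyslog server
local5.info          @192.168.0.15
EOF
check_audit_rules "$demo" local5.info
rm -f "$demo"
```

On a live host, `logger -p local5.info "audit path test"` sends a test message through the same selector, which confirms that both the file and the remote server receive it.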

Fix WAN Miniport problem windows 8

Windoooooowwws, it makes me crazy sometimes 🙂

Sometimes (it’s my third time) I have problems with Windows VPN, getting error 720.

It has a “simple” (when you know it :) solution, but every time I come across this problem I forget how I solved it before, so I decided to write the solution here.

In Device Manager, under “Network adapters”, there is a yellow exclamation mark over “WAN Miniport (IP)” and “WAN Miniport (Network Monitor)”.

Let’s uninstall it.

Uninstalling these miniports is not allowed, so first of all you should replace the driver with a different one.

Place your mouse over one of these drivers and right-click -> Update Driver Software -> Browse my computer for driver software -> Let me pick from a list of … -> uncheck “Show compatible hardware” and then choose, for example, Philips.

When the driver chosen above appears instead of WAN Miniport (IP), you can uninstall it.

Do the same steps for Network Monitor driver.

Now we do not have these drivers with exclamation marks.. because we do not have them at all 🙂

Now we are going to install these drivers with devcon.exe utility.

Download devcon 64bit version from http://static.miklos.ca/devcon.zip

Run CMD with administrator privileges, go to the directory where the devcon.exe file is located, and run:

devcon.exe install c:\windows\inf\netrasa.inf MS_NDISWANIP

Good Luck, it should now be working.

Multipath configuration on RHEL6

1. Check whether the device-mapper-multipath rpm is already installed; if not, install it.

rpm -qa device-mapper-multipath

2. If /etc/multipath.conf file doesn’t exist, then copy it from /usr/share/doc/device-mapper-multipath-*

cp /usr/share/doc/device-mapper-multipath-0.4.9/multipath.conf /etc/multipath.conf

3. Find WWIDs that should be added to multipath configuration.

# scsi_id -g -u /dev/sdb
36001438009b044d90000900000780000

4. Edit the /etc/multipath.conf configuration file

defaults {
        user_friendly_names yes
        path_grouping_policy    failover
}

blacklist {
        wwid "*"
}

blacklist_exceptions {
        wwid "36001438009b044d90000900000780000"
}

multipaths {
        multipath {
                wwid                    "36001438009b044d90000900000780000"
                alias                   asm1
        }
}

5.  Add module to the Linux kernel:

modprobe dm-multipath

6. Start multipath service:

service multipathd start

7. If you have any syntax errors or any parameters that do not work in your Linux version, the following command will show them:

multipath -d

8. Commit the configuration:

multipath -v2

9. The following command must find the paths; if it does not, you have a bad configuration in the multipath.conf file:

multipath -ll

10. Make sure the devices are configured after a reboot:

chkconfig multipathd on
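
An added example (not part of the original post) of a check that fits the configuration in step 4: because the blacklist entry wwid "*" excludes every device, a WWID that has a multipath entry but no blacklist_exceptions entry stays blacklisted and never gets its alias. The function name unexcepted_wwids and the second WWID in the sample are assumptions of this example.

```shell
#!/bin/sh
# unexcepted_wwids <multipath.conf>
# Prints every WWID that appears in the multipaths section but not in
# blacklist_exceptions. No output means every aliased device is allowed.
# Assumes each section opens as "name {" on its own line, as in step 4.
unexcepted_wwids() {
    awk '
        /^[ \t]*#/ { next }                               # skip comments
        depth == 0 && $2 == "{" { section = $1 }          # top-level section name
        { depth += gsub(/[{]/, "{") - gsub(/[}]/, "}") }  # track brace nesting
        $1 == "wwid" {
            id = $2; gsub(/"/, "", id)
            if (section == "blacklist_exceptions") allowed[id] = 1
            else if (section == "multipaths")      wanted[id] = 1
        }
        END { for (id in wanted) if (!(id in allowed)) print id }
    ' "$1" | sort
}

# Constructed sample: the page's WWID is excepted, a made-up second one is not.
demo=$(mktemp)
cat > "$demo" <<'EOF'
blacklist {
        wwid "*"
}
blacklist_exceptions {
        wwid "36001438009b044d90000900000780000"
}
multipaths {
        multipath {
                wwid  "36001438009b044d90000900000780000"
                alias asm1
        }
        multipath {
                wwid  "3EXAMPLE0000000000000000000000002"
                alias asm2
        }
}
EOF
unexcepted_wwids "$demo"
rm -f "$demo"
```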

If you have made any mistakes in the multipath.conf file, correct them and do the following steps to make the changes take effect:

1. Edit the /etc/multipath.conf file.

2.  Reload the multipath service:

service multipathd reload

3.  Remove all unused multipath devices

multipath -F

4.  Check again that syntax is correct:

multipath -d

5.  Commit the changes:

multipath -v2

Note that this configuration is very simple, but it works perfectly well.

For more multipath options and more sophisticated configuration, see the following documentation.

Installation problem of OEL6 on HP ProLiant DL360e Gen8 with HP Dynamic Smart Array B320i Controller

This post is dedicated to the Oracle Enterprise Linux 6.x installation on HP server with Dynamic Smart Array B320i Controller.

Brief description of the problem:

During the OEL6 installation on the HP server, the installer was not able to see the local disks on which the system should be installed. The local disk specification was the following: two 300GB disks in RAID 1, with the Dynamic Smart Array B320i as the RAID controller.

The installer was able to see multipath devices and any other external devices, such as a flash drive, but not the local disks.

The HP site states that the minimum supported Oracle Linux updates for the HP DL380e series are the following:

DL380e Gen8

  • Oracle Linux/UEK 6.2
  • Oracle Linux/UEK 5.8

“Minimum support includes all future updates of the indicated release unless a maximum is listed. (Example: Oracle 6 implies support for Oracle 6.x, unless it’s specifically called out in the notes as "not supported with 6.x")”

HP also states that it gives its drivers to the manufacturers of the supported OSs.

To tell the truth, I’ve tried Oracle Enterprise Linux 5.5, 6.0, 6.2 and 6.4 versions, but none of them was able to see the local storage.

After a lot of troubleshooting, I found the solution.

Solution:

The solution is to install the HP Dynamic Smart Array SATA RAID Controller Driver for Red Hat Enterprise Linux 6 before installing the OS.

1. Download drivers from the following link, click here.

Note: hpvsa-1.2.4-4.rhel6u1.x86_64.dd.gz is for RHEL6.1
hpvsa-1.2.4-4.rhel6u2.x86_64.dd.gz is for RHEL6.2
hpvsa-1.2.4-4.rhel6u3.x86_64.dd.gz is for RHEL6.3

Because we are installing Oracle Enterprise Linux 6.2, which is based on RHEL6.2, we need hpvsa-1.2.4-4.rhel6u2.x86_64.dd.gz.

2. Extract the gz file; you should get a file with the extension dd. Write this file to a flash drive and connect it to the server.

3. Insert the Oracle Enterprise Linux 6.2 installation disk and, when the following window appears, press TAB.

At the end of the command, write install dd (separated from the previous command with a space) and press Enter.

4. Choose the driver file that we mentioned earlier and continue the installation.

Oracle EL should now see the local disk without any problem. Good Luck.