Send Oracle Audit to rsyslog

In our database there is turned on auditing on some operations and audit records go to OS.

SYS> show parameter audit_file_dest

NAME                TYPE        VALUE
------------------ ----------- ------------------------------
audit_file_dest  string       /u01_log/audit/orcl

SYS > show parameter audit_trail

NAME        TYPE         VALUE
------------- ----------- -----------
audit_trail string        OS

Our security administrators are using SIEM to monitor suspicious activities and they want database to send audit records to this third party tool.

I thought that I could somehow indicate directory “/u01_log/audit/orcl” from where *.aud files would be uploaded to SIEM, but I was wrong. Some tools may be able to use these *.aud files but not SIEM and let’s configure our database to be able to send audit records to it.

1. Connect to a database instance as sysdba user

SQL> connect / as sysdba

2. Set audit trail to OS

SQL> alter system set audit_trail=OS;

3. Enable auditing for system users if you need to audit activities of sys user(optional)

SQL> alter system set audit_sys_operations=TRUE;

4. Set rsyslog facility and severity(needs database restart)

SQL> alter system set audit_syslog_level=local5.info scope=spfile sid='*';

5.  Restart database

SQL> shutdown immediate;
SQL> startup;

6. Edit rsyslog.conf file

#Saving oracle database audit records
local5.info          /u01_log/audit/RSYSLOG/dbaudit.log
#Send oracle database audit trail to remote rsyslog server
local5.info          @192.168.0.15

7. Restart rsyslog service

# service rsyslog restart
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]

8. It is better to limit the size for audit log, or it may fill the space:

# vi /etc/logrotate.d/oracle.audit

#Created by MariK

/u01_log/audit/RSYSLOG/dbaudit.log {
 rotate 3
 compress
 missingok
 notifempty
 size 40G
 postrotate
 service rsyslog restart
 endscript
}

To check the syntax run :

# logrotate /etc/logrotate.d/oracle.audit

It will say if you have an error. If syntax is ok then output is nothing.

Advertisements

Multipath configuration on RHEL6

1. Check if you have already installed device-mapper-multipath rpm, if not then install it.

rpm -qa device-mapper-multipath

2. If /etc/multipath.conf file doesn’t exist, then copy it from /usr/share/doc/device-mapper-multipath-*

cp /usr/share/doc/device-mapper-multipath-0.4.9/multipath.conf /etc/multipath.conf

3. Find WWIDs that should be added to multipath configuration.

# scsi_id -g -u /dev/sdb
36001438009b044d90000900000780000

4. Edit the /etc/multipath.conf configuration file

defaults {
        user_friendly_names yes
        path_grouping_policy    failover
}

blacklist {
        wwid "*"
}

blacklist_exceptions {
        wwid "36001438009b044d90000900000780000"
}

multipaths {
        multipath {
                wwid                    "36001438009b044d90000900000780000"
                alias                   asm1
        }
}

5.  Add module to the Linux kernel:

modprobe dm-multipath

6. Start multipath service:

service multipathd start

7. If you have any syntax errors or any parameters that do not work in your Linux version, the following command will show:

multipath -d

8. Commit the configuration:

multipath -v2

9. The following command must find the paths , or you have a bad configuration in multipath.conf file:

multipath -ll

10. Make devices configured after a reboot:

chkconfig multipathd on

If you have made any mistakes in multipath.conf file then correct them and do  the following steps to make changes take affect :

1. edit the /etc/multipath.conf

2.  Reload the multipath service:

service multipathd reload

3.  Remove all unused multipath devices

multipath -F

4.  Check again that syntax is correct:

multipath –d

5.  Commit the changes:

multipath –v2

Note that, this configuration is very simple, but it is working also perfectly.

For more multipath options and more sophisticated configuration, see the following documentation.