Oracle Database Audit - OracleDatabaseAuditEvent function is looking for "Oracle Unified Audit" in Syslog messages but does not match logs produced #9325
Comments
Thank you for submitting an Issue to the Azure Sentinel GitHub repo! You should expect an initial response to your Issue from the team within 5 business days. Note that this response may be delayed during holiday periods. For urgent, production-affecting issues please raise a support ticket via the Azure Portal.
Hi @PCNZ, thanks for flagging this issue. We will investigate this issue and get back to you with some updates by 07Nov23. Thanks!
@PCNZ I am unable to replicate the exact machine for this issue. Could you please confirm the exact configuration used to set up the Oracle DB? Please find the screenshot below for reference; is it the same configuration?
@PCNZ Could you please help me with the above details on this issue, so we can proceed further?
Hi @PCNZ, gentle reminder: we are waiting for your response on this issue. If you still need to keep this issue active, please respond to it in the next 2 days. If we don't receive a response by the given date, we will close this issue.
Yes, this was SUSE 15 SP4; it was installed on-prem, not using an Azure template though.
@PCNZ, sure, will check on it, work on the analysis and come back with an update.
@PCNZ Unable to set up the environment as I have a Windows machine; meanwhile checking internally. Could you please share an email id and convenient time, so I can understand more about the issue and work on a solution? Thanks.
@PCNZ, gentle reminder: could you please check the above comment and share an email id and convenient time for a Teams meeting for further troubleshooting of the issue?
No way to share email id privately here.
Hi @PCNZ, please share convenient time slots to this email id: v-muuppugund@microsoft.com. Thanks.
Hi @PCNZ, gentle reminder: please share convenient time slots to this email id: v-muuppugund@microsoft.com. Thanks.
Hi @PCNZ, received the email but not the time slots. Gentle reminder: please share convenient time slots to this email id: v-muuppugund@microsoft.com. Thanks.
You got my first email but are you saying you haven't seen my subsequent emails?
Hi @PCNZ, I replied to your email on 23Nov23 asking for convenient time slots. Could you please share convenient time slots? Thanks. Please find the screenshot below for reference.
Hi @PCNZ, could you please have a look at the above comment and share your convenient time with @v-muuppugund? Thanks!
We caught up yesterday; v-muuppugund had tested using OMS, not AMA and DCR, so is going to retest and compare with the example provided in the OP.
Hi @PCNZ, noted. Thanks!
Hi @PCNZ, as discussed over Teams, I am working on this and will share updates next week by 21Dec23.
Hi @PCNZ, still working on the setup; once data is ingested, I will work on further analysis of the issue and share updates with you.
Hi @PCNZ, as discussed over Teams, working on data ingestion; will update you.
Hi @PCNZ, yesterday I blocked your calendar to explain the status. I have resolved the issues and am working on issue replication; will get back to you with an update.
Hi @PCNZ, still need some time to replicate the issue; will try to update by Wednesday, i.e. 24/1/2024, with status updates. Please join the meeting and let me know if this time isn't convenient.
@PCNZ, as discussed yesterday, working on replication of the issue with other options and blocked the calendar for Wednesday. Trying my best to replicate the issue and have an e2e demo session; will post updates over Teams.
@PCNZ, as discussed over the call today, I showed a demo of the environment configured. As noticed, there are certain logs not updated in the Linux VM, so I will be working on it and will update you; we can have a Teams meeting for a demo.
@PCNZ, updated the configuration for enabling the missing logs and working on it. Once ready, I will block some time this week or early next week for an e2e demo.
@PCNZ, as discussed over Teams, due to VM compliance it has been deleted, so I am setting up again. Once setup is completed, I will schedule a call for a demo.
@PCNZ, as discussed over Teams, setup is done and I am working on data in Oracle. Once done, I will do the configurations, test it and then block your time for an e2e demo session.
Hi @PCNZ, as discussed over email, the following is the status of what I worked on this week. I am having an issue with logging the audit records from Oracle and am working on it; please find the screenshot below for reference. Once the issue is resolved, I will schedule a call for a demo.
Hi @PCNZ, I have fixed the issue and replicated the issue; please find the screenshot below for reference. Will discuss in detail on the call.
Hi @PCNZ, as discussed over Teams/email, I am able to replicate the issue; please let me know when we can connect. I will update the documentation, need to change the code and workbook code for fetching the results, and will share the doc link here.
Thank you, I will watch the PR for updates. This can be closed; thank you for your work investigating this fully.
Describe the bug
This line does not parse the syslog correctly with the default Oracle Database Audit configuration.
Syslog
| where SyslogMessage contains "Oracle Unified Audit"
https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/OracleDatabaseAudit/Parsers/OracleDatabaseAuditEvent.yaml
When logs are ingested by AMA, part of the Oracle syslog message is mapped into the ProcessName field so the parser does not match.
Changing it to this resolves the problem.
Syslog
| where SyslogMessage contains "Unified Audit" and ProcessName == "Oracle"
Here is an example of a RAW syslog message.
2023-10-26T03:07:34.040652-04:00 acmeproddb1 Oracle Unified Audit[15149]: LENGTH: '150' TYPE:"4" DBID:"816595110" SESID:"1215445" CLIENTID:"" ENTRYID:"0" STMTID:"0" DBUSER:"PIMSDB" CURUSER:"" ACTION:"102" RETCODE:"0" SCHEMA:"" OBJNAME:""
acmeproddb1 is mapped to Syslog\Computer
Oracle is mapped to Syslog\ProcessName
The rest of the message is mapped to Syslog\SyslogMessage
To Reproduce
Steps to reproduce the behavior:
UNIFIED_AUDIT_SYSTEMLOG = 'LOCAL7.INFO'
UNIFIED_AUDIT_COMMON_SYSLOG = TRUE
Syslog
| where SyslogMessage contains "Oracle Unified Audit"
Expected behavior
Default configuration of Oracle Database Audit using AMA should return results when using the function "OracleDatabaseAuditEvent" included with the Content Hub solution.
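The field split the reporter describes can be reproduced offline. The Python below is an added example, not code from this issue or from the Azure-Sentinel repository: it tokenises raw lines the way the issue says AMA does (the regex is my approximation of RFC 3164 tag handling, not AMA's implementation), runs the original and the proposed KQL `where` clauses as Python equivalents over a few sample lines, and then pulls the KEY:"value" pairs out of the audit payload that remains in SyslogMessage. The first sample line is the reporter's; the other two lines and any column names beyond the three the issue names (Computer, ProcessName, SyslogMessage) are constructed for this example.

```python
import re
from typing import Dict, List, Optional

# Sample lines in the shape shown in the issue. The first reuses the
# reporter's example; the other two are constructed here to exercise the filters.
SAMPLE_SYSLOG_LINES: List[str] = [
    "2023-10-26T03:07:34.040652-04:00 acmeproddb1 Oracle Unified Audit[15149]: "
    "LENGTH: '150' TYPE:\"4\" DBID:\"816595110\" SESID:\"1215445\" CLIENTID:\"\" "
    "ENTRYID:\"0\" STMTID:\"0\" DBUSER:\"PIMSDB\" CURUSER:\"\" ACTION:\"102\" "
    "RETCODE:\"0\" SCHEMA:\"\" OBJNAME:\"\"",
    # Constructed: same source, a different user and a non-zero return code.
    "2023-10-26T03:08:01.000000-04:00 acmeproddb1 Oracle Unified Audit[15149]: "
    "LENGTH: '149' TYPE:\"4\" DBID:\"816595110\" SESID:\"1215446\" CLIENTID:\"\" "
    "ENTRYID:\"1\" STMTID:\"1\" DBUSER:\"APPUSER\" CURUSER:\"\" ACTION:\"100\" "
    "RETCODE:\"1017\" SCHEMA:\"\" OBJNAME:\"\"",
    # Constructed: an unrelated daemon on the same host, to show it is excluded.
    "2023-10-26T03:08:05.000000-04:00 acmeproddb1 sshd[2201]: Accepted publickey "
    "for oracle from 10.0.0.5 port 51234 ssh2",
]

# Approximation (an assumption, not AMA's actual code) of RFC 3164 tokenising:
# the TAG ends at the first space, '[' or ':', so the multi-word identifier
# "Oracle Unified Audit" is cut after "Oracle" and the rest becomes the message.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<tag>[^\s\[:]+)"
    r"(?:\[(?P<pid>\d+)\])?:?\s*(?P<msg>.*)$"
)


def parse_syslog_line(line: str) -> Optional[Dict[str, str]]:
    """Split one raw line into Syslog-table-like columns (local names)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    return {
        "Timestamp": m.group("ts"),
        "Computer": m.group("host"),
        "ProcessName": m.group("tag"),
        "ProcessID": m.group("pid") or "",
        "SyslogMessage": m.group("msg"),
    }


def original_parser_matches(row: Dict[str, str]) -> bool:
    """Mirrors: Syslog | where SyslogMessage contains "Oracle Unified Audit" """
    # KQL `contains` is case-insensitive, so compare lower-cased.
    return "oracle unified audit" in row["SyslogMessage"].lower()


def fixed_parser_matches(row: Dict[str, str]) -> bool:
    """Mirrors: Syslog | where SyslogMessage contains "Unified Audit" and ProcessName == "Oracle" """
    # KQL `==` is case-sensitive, hence the exact comparison on ProcessName.
    return ("unified audit" in row["SyslogMessage"].lower()
            and row["ProcessName"] == "Oracle")


# Unified Audit payload fields look like KEY:'value' or KEY:"value".
AUDIT_KV_RE = re.compile(r"(\w+):\s*(?:'([^']*)'|\"([^\"]*)\")")


def parse_audit_fields(syslog_message: str) -> Dict[str, str]:
    """Extract the KEY/value pairs from the audit payload left in SyslogMessage."""
    fields: Dict[str, str] = {}
    for key, single, double in AUDIT_KV_RE.findall(syslog_message):
        # Only one of the two quote groups matched; the other is ''.
        fields[key] = single if single else double
    return fields


def run_parsers(lines: List[str]) -> Dict[str, List[Dict[str, str]]]:
    """Apply both predicates to the parsed rows; returns the rows each keeps."""
    rows = [r for r in (parse_syslog_line(l) for l in lines) if r]
    return {
        "original": [r for r in rows if original_parser_matches(r)],
        "fixed": [r for r in rows if fixed_parser_matches(r)],
    }


def failed_actions(lines: List[str]) -> List[Dict[str, str]]:
    """Audit rows (kept by the fixed filter) whose RETCODE is non-zero."""
    out: List[Dict[str, str]] = []
    for row in run_parsers(lines)["fixed"]:
        f = parse_audit_fields(row["SyslogMessage"])
        if f.get("RETCODE", "0") != "0":
            out.append({"DBUSER": f.get("DBUSER", ""),
                        "ACTION": f.get("ACTION", ""),
                        "RETCODE": f["RETCODE"]})
    return out


if __name__ == "__main__":
    result = run_parsers(SAMPLE_SYSLOG_LINES)
    print(f"original filter kept {len(result['original'])} row(s)")
    print(f"fixed filter kept {len(result['fixed'])} row(s)")
    for row in result["fixed"]:
        fields = parse_audit_fields(row["SyslogMessage"])
        print(row["Computer"], row["ProcessName"], fields["DBUSER"], fields["RETCODE"])
    print("non-zero RETCODE:", failed_actions(SAMPLE_SYSLOG_LINES))
```

Run stand-alone, the original predicate keeps zero rows and the proposed one keeps the two audit rows while excluding the sshd line. One caveat on the proposed query: `contains` is case-insensitive but `==` is not, so a source that emitted the tag in different casing would be dropped by `ProcessName == "Oracle"`; KQL's `=~` is the case-insensitive equality if that ever matters.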