Integrating Oracle audit with SYSLOG
By using a standard audit, the resulting audit trails can be tampered with or deleted by database administrators or by an attacker who gained administrative privileges. This is a considerable security risk.
SYSLOG is a protocol (RFC5424) designed for transmitting event messages and alerts across an IP network. The messages are generated, for example, by an application (ftp, cron, or ssh), and a syslog daemon catches them and integrates them using a device or another remote daemon. In this recipe we will integrate the Oracle audit trails with rsyslog.
Getting ready
All steps will be performed on the nodeorcl1 and HACKDB database.
How to do it...
Integration with
syslogrequires the destination of audit trails to be placed externally. Change the audit trail toOSas follows:SQL> alter system set audit_trail=OS scope=spfile; System altered.
rsyslogis a more advanced variant ofsyslogand is the default in Red Hat 6. The configuration file is/etc/rsyslog...
