Oracle Database is a relational database with object and Extensible Markup Language (XML) capabilities. In a relational database, all data is stored in tables that are composed of rows and columns. Oracle Database enables you to store data, update it, and efficiently retrieve it, with a high degree of performance, reliability, and scalability.
Entity | Particulars |
|---|---|
Vendor Name | Oracle |
Product Name | Database |
Type of Device | Hosted |
Log Type | Ingestion label | Preferred Logging Protocol - Format | Log collection method |
|---|---|---|---|
Oracle | ORACLE_DB | Syslog - KV | CyberHub |
Oracle | ORACLE_DB | DB - KV | CyberHub |
Source | Destination | Port |
|---|---|---|
Oracle Database | CyberHub | 6514 (TCP) |
To facilitate secure communication and align with our best practice, we strongly encourage the use of Transport Layer Security (TLS) between your security devices and our Adaptive MxDR platform for event forwarding.
While we understand that TLS support may not be available on all devices, if your devices do support TLS communication, we recommend utilizing port 6514 for seamless integration.
In some cases, the upgraded version of the device might incorporate TLS support without prior notice. If you come across such a scenario or for further assistance in configuring TLS, we kindly ask you to reach out to your dedicated Adaptive MxDR Service Delivery Lead.
We support three Integration Methods with Oracle DB.
Oracle DB Integration with NXLog Enterprise Edition: In this integration we use NXLog Enterprise Edition to Query the Oracle Database’s Audit Table and forward logs to Chronicle SIEM.
Oracle DB Integration with NXLog Community Edition: In this integration Oracle DB writes OS (Linux) level log files which can then be forwarded by NXLog Community Edition to Chronicle SIEM. (Only Linux OS is supported)
Oracle DB Integration directly from Cyberhub: We pull the data from Database via our Database Query and then forward it to Chronicle SIEM.
Prerequisites
Enable Unified_Auditing on DB.
ODBC Driver Installation on Windows and Linux
After Installation for Linux devices go to Installed location of the NXLog and then look for the ODBC module and install it via Rpm -ivh <NXLOG-<Version>-<ODBC>.rpm>. This step is not required for Windows as it gets pre-installed by default.
After Installation for Linux devices go to Installed location of the NXLog and then look for the ODBC module and install it via Rpm -ivh <NXLOG-<Version>-<ODBC>.rpm>. This step is not required for Windows as it gets pre-installed by default.
Create Read Only User.
NXLog Enterprise Edition Configuration
A central NXLog server has to be created by the customer before following below Steps.
A central NXLog server has to be created by the customer before following below Steps.
To Enable Unified Auditing on Database.
Login into Oracle
[oracle@ip-172-31-18-18 ~]$ SQLPLUS / nolog SQL> connect username/password:<sid> as sysdba SQL> SHUTDOWN IMMEDIATE SQL> exit |
Now stop the listener.
lsnrctl stop |
Now go to OMS folder.
cd $ORACLE_HOME/middleware/oms export OMS_HOME=/u01/app/oracle/product/middleware/oms $OMS_HOME/bin/emctl stop oms |
If you don’t have middleware folder, go to step 14 directly.
If you don’t have middleware folder, go to step 14 directly.
Relink Oracle with the uniaud_on option.
cd $ORACLE_HOME/rdbms/lib make -f ins_rdbms.mk uniaud_on ioracle |
The above command will enable the Unified Auditing on the DB.
Restart all the Oracle Services.
sqlplus / as sysdba startup mount exit |
Start the listener service.
lsnrctl start |
Now again login into Oracle
sqlplus / as sysdba |
Run the below Query.
SQL> ALTER DATABASE OPEN; |
Now run the Query.
SQL> select * from vsoption where PARAMETER = 'Unified Auditing'; PARAMETER VALUE CON ID Unified Auditing. TRUE |
Now the Unified auditing is enabled.
ODBC Driver Installation
Windows:
Download the ODBC driver/instant client for Oracle Server. Go to link to download the file https://www.oracle.com/database/technologies/instant-client/downloads.html . Select the OS and click the link.
Another window will open as https://www.oracle.com/database/technologies/instant-client/winx64-64-downloads.html
Download three packages instantclient-basic-windows.x64-21.6.0.0.0dbru.zip, instantclient-sdk-windows.x64-21.6.0.0.0dbru.zip and instantclient-odbc-windows.x64-21.6.0.0.0dbru.zip.
Now create a folder named as instantclient_21_3 and unzip all three zip files under this.
When you extract these three packages it will extract all the content in its own folder name. Copy the content of these folders into the folder instantclient_21_3 which was created in above steps.
When you extract these three packages it will extract all the content in its own folder name. Copy the content of these folders into the folder instantclient_21_3 which was created in above steps.
Now we need to add our Oracle Client directory to the Windows PATH environment. Right-click My Computer > Advanced System Settings > Environment Variables
In System Variables, click New and then enter the following details:
Change C:\Program Files\Oracle\Product\Client\instantclient_21_3 with your actual Oracle Client folder.
Change C:\Program Files\Oracle\Product\Client\instantclient_21_3 with your actual Oracle Client folder.
Now open the folder instantclient_21_3, in your Oracle Client folder created on the Step 1 and double click the file odbc_install.
Now go to run with Windows + R and type regedit. Now go to HKEY_LOCAL_MACHINE > SOFTWARE > ODBC > ODBCINST.INI you will find name as Oracle in instantclient_21_3 as below
Copy this name and paste it in connection string in nxlog.conf.
LINUX (Redhat and CentOS)
Download the ODBC driver/instant client for Oracle Server. Go to link to download the file https://www.oracle.com/database/technologies/instant-client/downloads.html . Select the OS and click the link.
A page will open https://www.oracle.com/database/technologies/instant-client/linux-x86-64-downloads.html Download oracle-instantclient-basic-21.6.0.0.0-1.el8.x86_64.rpm, oracle-instantclient-odbc-21.6.0.0.0-1.el8.x86_64.rpm
Now login into your Linux box and go to /tmp/ and create a directory oracle as mkdir oracle.
Go under this directory via cd oracle.
Copy the above package under this location.
Now run the command yum install unixODBC.
Now run the command yum install <package name> one by one.
After the installation go to /etc/odbcinst.ini and see the content of the file via cat /etc/obdcinst.ini the content of the file should looks like below:
[Oracle 19c Driver] Description = Oracle ODBC driver for Oracle 21c Driver = /usr/lib/oracle/21.6/client64/lib/libsqora.so.21.1 Setup = FileUsage = CPTimeout = CPReuse = Driver Logging = 7 |
Now another file should be created as odbc.ini if not created create one via vi /etc/odbc.ini
Under this fie add content as below:
[root@ip-100-108-177-17 etc]# cat /etc/odbc.ini [Oracle] Description = ODBC Driver for Oracle 21c AggregateSQLType = FLOAT Application Attributes = T Attributes = W BatchAutocommitMode = IfAllSuccessful BindAsFLOAT = F CacheBufferSize = 20 CloseCursor = F DisableDPM = F DisableMTS = T DisableRULEHint = T Driver = ODBC Driver for Oracle 21c DSN = ORCL EXECSchemaOpt = EXECSyntax = T Failover = T FailoverDelay = 10 FailoverRetryCount = 10 FetchBufferSize = 64000 ForceWCHAR = F LobPrefetchSize = 8192 Lobs = T Longs = T MaxLargeData = 0 MaxTokenSize = 8192 MetadataIdDefault = F QueryTimeout = T ResultSets = T ServerName = SQLGetData extensions = F SQLTranslateErrors = F StatementCache = F Translation DLL = Translation Option = 0 UseOCIDescribeAny = F UserID = Password = |
Now add LD_LIBRARY_PATH for above locations as below:
export ORACLE_HOME=/usr/lib/oracle/21.6/client64 export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$ORACLE_HOME/lib |
Now copy the path /usr/lib/oracle/21.6/client64/lib/libsqora.so.21.1 and paste it under nxlog.conf file connection string.
To Create Read Only User
To start SQLPlus without logging in to a database, at a command prompt, type the following: sqlplus /nolog;
To connect as a system database administrator, at the SQLPlus prompt, type the following command: connect sys/password@SID as sysdba;
To create a read-only user, at the SQLPlus prompt, type the following commands:create user read_only_user identified by password;grant connect to read_only_user;
To grant select privileges for the database user, type the following commands:
grant select on AUDSYS.AUD$UNIFIED to read_only_user; GRANT SELECT ON v$instance TO read_only_user; grant select on sys.audit_actions to read_only_user; |
Type the following commands:
grant create session to read_only_user; |
NXLOG Enterprise Edition Configuration
Download and Install the NXLOG Enterprise Edition.
After installation find the attached files nxlog.conf.21c
Download this file.
Now go to your NXLog installed directory.
Windows: C:\Program Files\nxlog\conf
Linux: /opt/nxlog/etc/
Copy the file under these directories.
Rename the file to nxlog.conf
Provide proper permission.
Provide CyberHub_IP in output section.
Restart the nxlog service.
The log flow will start.
For multiple Databases add multiple inputs.
For multiple Databases add multiple inputs.
Prerequisites:
Enable Unified Auditing on OS Level Syslog.
NXLog Community Edition Configuration
All the audit files should be in same directory.
All the audit files should be in same directory.
Enable Unified Auditing on OS Level Syslog
Login to Your System with root permissions.
Switch to Oracle User.
su - oracle |
Provide the password for oracle user.
Go to Oracle “dbs“ directory. Below is the example:
cd $ORACLE_HOME/dbs |
Under dbs edit the init<SID>.ora file.
vim initORCL.ora |
Under the file add two configurations
#UNIFIED_AUDIT_SYSTEMLOG = '<FACILITY.SEVERITY>' #UNIFIED_AUDIT_COMMON_SYSTEMLOG = '<FACILITY.SEVERITY>' Example: UNIFIED_AUDIT_SYSTEMLOG = 'local0.info' UNIFIED_AUDIT_COMMON_SYSTEMLOG = 'local0.info' |
Facility can be from LOCAL0 to LOCAL7. You can choose any according to the logs you wish to monitor. SEVERITY can be chosen from DEBUG to Emergency according to the log monitoring.
Facility can be from LOCAL0 to LOCAL7. You can choose any according to the logs you wish to monitor. SEVERITY can be chosen from DEBUG to Emergency according to the log monitoring.
Save the file.
Now edit the spfile<SID>.ora
unified_audit_common_systemlog='local0.info' |
Add the above configuration at the End. Please note you need to add the same <FACILITY.SEVERITY> as you mentioned in the init<SID>.ora
Save the file.
Configure rsyslog on your system.
sudo vi /etc/rsyslog.conf # Unified Audit Rules local0.info /var/log/oracle_common_audit_records.log local1.info /var/log/oracle_audit_records.log |
Restart the rsyslog service
systemctl restart rsyslog |
Login into Oracle
[oracle@ip-172-31-18-18 ~]$ SQLPLUS / nolog SQL> connect username/password:<sid> as sysdba SQL> SHUTDOWN IMMEDIATE SQL> exit |
Now stop the listener.
lsnrctl stop |
Now go to OMS folder.
cd $ORACLE_HOME/middleware/oms export OMS_HOME=/u01/app/oracle/product/middleware/oms $OMS_HOME/bin/emctl stop oms |
If you don’t have middleware folder go to step 16 directly.
If you don’t have middleware folder go to step 16 directly.
Relink Oracle with the
uniaud_on option.
cd $ORACLE_HOME/rdbms/lib make -f ins_rdbms.mk uniaud_on ioracle |
The above command will enable the Unified Auditing on the DB.
Restart all the Oracle Services.
sqlplus / as sysdba startup mount exit |
Start the listener service.
lsnrctl start |
Now again login into Oracle
sqlplus / as sysdba |
Run the below Query.
SQL> ALTER DATABASE OPEN; |
Now run the Query.
SQL> select * from vsoption where PARAMETER = 'Unified Auditing'; PARAMETER VALUE CON ID Unified Auditing. TRUE |
Now the Unified auditing is enabled.
NXLog Community Edition Configuration
NXLog Community Edition will read logs from the audit file created in section. “Enable Unified Auditing on OS Level Syslog“. The logs will have very less security value in comparison to Oracle DB Audit Log Read from CyberHub or From NXLog EnterPrise Edition Read as we are reading data via DB Query. In this case NXLog will only read data from the file which Oracle has generated.
NXLog Community Edition will read logs from the audit file created in section. “Enable Unified Auditing on OS Level Syslog“. The logs will have very less security value in comparison to Oracle DB Audit Log Read from CyberHub or From NXLog EnterPrise Edition Read as we are reading data via DB Query. In this case NXLog will only read data from the file which Oracle has generated.
Download and Install the NXLOG Community Edition.
After installation find the attached files nxlog.conf
Download this file.
Now go to your NXLog installed directory.
Windows: C:\Program Files\nxlog\conf
Linux: /opt/nxlog/etc/
Copy the file under these directories.
Rename the file to nxlog.conf
Provide proper permission.
Provide Filepath in Input section and CyberHub_IP in output section.
Restart the nxlog service.
The log flow will start.
Prerequisites:
Enable Unified Auditing on Database.
Create Read Only User.
Enable Unified Auditing on Database
To enable unified auditing on Windows/Linux:
Log in to SQL*Plus as user SYS with the SYSDBA administrative privilege.
sqlplus sys as sysdba Enter password: password |
Run the following query to find out if your database has been migrated to use unified auditing. Enter Unified Auditing in the case shown here.
SELECT VALUE FROM V$OPTION WHERE PARAMETER = 'Unified Auditing'; |
If the output for the VALUE column is FALSE, then complete the remaining steps in this section to migrate to unified auditing. If the output is TRUE, then unified auditing is enabled by default.
Stop the database.
For single-instance installations, enter the following commands from SQL*Plus:
SHUTDOWN IMMEDIATE EXIT |
For Windows systems, stop the Oracle service:
net stop OracleService%ORACLE_SID% |
For Oracle Real Application Clusters (Oracle RAC) installations, shut down each database instance as follows:
srvctl stop database -db db_name |
Stop the listener. (Stopping the listener is not necessary for Oracle RAC and Grid Infrastructure listeners.)
lsnrctl stop listener_name |
You can find the name of the listener by running the lsnrctl status command. The name is indicated by the Alias setting.
Go to the $ORACLE_HOME/rdbms/lib directory.
Enable the unified auditing executable.
UNIX: Run the following command:
make -f ins_rdbms.mk uniaud_on ioracle ORACLE_HOME=$ORACLE_HOME |
Windows: Rename the %ORACLE_HOME%/bin/orauniaud12.dll.option file to %ORACLE_HOME%/bin/orauniaud12.dll.
Restart the listener.
lsnrctl start listener_name |
Restart the database. Log in to SQL*Plus and then enter the STARTUP command as follows:
sqlplus sys as sysoper Enter password: password SQL> STARTUP |
For Windows systems, start the Oracle service again.
net start OracleService%ORACLE_SID% |
For Oracle RAC installations, from a command line, restart the database as follows:
srvctl setenv database -db orcl |
To Create Read Only User
To start SQLPlus without logging in to a database, at a command prompt, type the following: sqlplus /nolog;
To connect as a system database administrator, at the SQLPlus prompt, type the following command: connect sys/password@SID as sysdba;
To create a read-only user, at the SQLPlus prompt, type the following commands:
create user read_only_user identified by password; grant connect to read_only_user; |
To grant select privileges for the database user, type the following commands:
grant select on AUDSYS.AUD$UNIFIED to read_only_user; GRANT SELECT ON v$instance TO read_only_user; grant select on sys.audit_actions to read_only_user; |
Type the following commands:
grant create session to read_only_user; |
Parameters required from customer for Integration.
Oracle DB Syslog Integration(Via NXLog)
Property | Default Value | Description |
|---|---|---|
IP Address | Oracle Database interface IP address | Hostname or IP address of the device which forwards logs to the CyberHub |
Oracle DB Integration (via DB)
Property | Default Value | Description |
|---|---|---|
JDBC Drivers Directory | <Database Driver Location on Cyberhub> | JDBC Drivers Directory |
Database URL | jdbc:oracle:thin:@<Host_ip>:<Port>:<SID> | Database URL |
User Name | <username> | User Name |
Password | <password> | Password |
Start Reading From |
| Start Reading From END |
