Al Wilson_2 Contributor.

Oracle monitoring: a primer?

I am working with an Oracle DBA to set up a test of the Arcsight connector.

What kind of events should be viewable, and what is the noise ratio of non-security related events that are recorded?

For example, I would be very interested in individual logins and their respective IP addresses, but can I discard information that I don't want as you can in the Microsoft connector?

I would be interested in large queries on certain tables such as salaries or credit card numbers, but not say, a table on how many pencils were purchased.

In short, I guess I am asking for comments on capabilities and examples of use cases, and hopefully get some impression so that I can set some goals/expectations.

deathbywedgie1 Frequent Contributor.

Re: Oracle monitoring: a primer?

Personally, I can't speak to the noise ratio question as I'm no master of Oracle events, but I can tell you that every ArcSight connector can be filtered. The only question is whether the conditions you'd like to filter on exist in fields of events. If they do, then you can filter on it most of the time.

(I say "most of the time" because I've seen a few tricky requests that I don't believe can be done w/ connector filters, such as mathematical conditions [greater than, less than, range] on string fields that just happen to contain a number. But if you want to say equals/not equals/contains/null/not null on string fields or mathematical conditions on integer fields you definitely can.)

Al Wilson_2 Contributor.

Re: Oracle monitoring: a primer?

Thank you.  Your answer was very helpful.

I don't believe I was clear enough when I mentioned the filtering, and I wonder if we were talking about two different things.

Of course you can filter out in the Console or Reports - but for Microsoft, you can actually filter out at the collector level so it doesn't even get to ESM.

The equivalent in Oracle is the "Action codes" mentioned in the config guide.

Is that possible?  I wouldn't have thought so.

It isn't clear to me that changing the audit parameters is something that Arcsight could pick up.

The reason for the question about the noise ratio is that I have recent experience with a couple of products that are extremely chatty.

deathbywedgie1 Frequent Contributor.

Re: Oracle monitoring: a primer?

That's actually exactly what I was referring to... every connector type can be filtered so that certain events don't go to ESM at all. It's really easy with the console, but with a little more work you can do it directly on the connector too. (Since you do have ESM and the console, though, I would definitely take the easy route.) As I mentioned, though, I'm not that familiar with the Oracle connector (we do use it, but I haven't done much with it myself, personally), so can you tell me if the "Action codes" you mentioned do appear in Oracle events? If so, what field are they populated in, and are they numbers or text?