
Sentinel - Pushing Event Source Log files to Sentinel


Hi,

I have connected DB with Sentinel and logs are coming up.
I want to know if there is any way we can push the old log files which
are existing prior to configuring DB with oracle.

Irrespective of the event sources, is there a generic way that we can
push the older log files which are present prior to configuring with
Sentinel, so that the customer can have the details and reports of the
previous logs also.

Appreciate any help in this.

Thanks and Regards,
Sids


--
sids99
------------------------------------------------------------------------
sids99's Profile: http://forums.novell.com/member.php?userid=29677
View this thread: http://forums.novell.com/showthread.php?t=452320


Re: Sentinel - Pushing Event Source Log files to Sentinel

The Oracle DB collector's doc states that only a database connector is
supported. You could customize something, of course, but not sure what
kind of files you are talking about or how readable/parseable they will
be. Also keep in mind that importing old data may try to go to
partitions which no longer are online which means they'll go to P_MIN
and you will not like that.

Good luck.

Re: Sentinel - Pushing Event Source Log files to Sentinel


Sorry for hijacking this thread. I am also having the same
issue/situation, so please bear with me.
ab;2176329 Wrote:
>
> You could customize something, of course, but not sure what
> kind of files you are talking about or how readable/parseable they
> will
> be.

For non-SYSDBA users, Oracle writes auditing info to the SYS.AUD$
table. The Oracle Collector/Connector then fetches/collects logs/events
from the SYS.AUD$ table.
But for users having SYSDBA roles, Oracle writes the auditing info to
text/ASCII files having the .aud extension, and to get these logs into
Sentinel we then configure Oracle to use syslog, so that rather than
creating the .aud file Oracle writes the audit logs of SYSDBA into
/var/log/messages, and then configure the host OS to send the logs to a
loghost (SLM).

source: 'How to audit sys into an OS file owned by root « The Oracle
Instructor'
(http://uhesse.wordpress.com/2010/02/02/how-to-audit-sys-into-an-os-file-owned-by-root/)
'Verifying Security Access with Auditing'
(http://docs.oracle.com/cd/B28359_01/network.111/b28531/auditing.htm#BCGEHHCA)

But we have configured Oracle to use syslog (/var/log/messages) just
now, and we have years of .aud files (the default files for SYSDBA audit
logs), and we want to pull them into our SLM system too.

ab;2176329 Wrote:
>
> Also keep in mind that importing old data may try to go to
> partitions which no longer are online which means they'll go to P_MIN
> and you will not like that.

As long as the logs are available and searchable in SLM, my customer
is happy.

I am copying a sample (old/legacy) .aud file that we want to make
available in SLM.

Code:
--------------------

Audit file /oracle/app/oracle/product/9.2.0/rdbms/audit/ora_11272.aud
Oracle9i Enterprise Edition Release 9.2.0.7.0 - 64bit Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.7.0 - Production
ORACLE_HOME = /oracle/app/oracle/product/9.2.0
System name: SunOS
Node name: finkhi-pri
Release: 5.10
Version: Generic_118833-36
Machine: sun4u
Instance name: v72
Redo thread mounted by this instance: 1
Oracle process number: 352
Unix process pid: 11272, image: oracle@finkhi-pri (TNS V1-V3)

Fri Jan 11 16:01:00 2008
ACTION : 'CONNECT'
DATABASE USER: '/'
PRIVILEGE : SYSDBA
CLIENT USER: oracle
CLIENT TERMINAL:
STATUS: 0

Audit file /oracle/app/oracle/product/9.2.0/rdbms/audit/ora_11272.aud
Oracle9i Enterprise Edition Release 9.2.0.7.0 - 64bit Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.7.0 - Production
ORACLE_HOME = /oracle/app/oracle/product/9.2.0
System name: SunOS
Node name: finkhi-pri
Release: 5.10
Version: Generic_118833-36
Machine: sun4u
Instance name: v72
Redo thread mounted by this instance: 1
Oracle process number: 1080
Unix process pid: 11272, image: oracle@finkhi-pri (TNS V1-V3)

Thu Feb 7 15:21:00 2008
ACTION : 'CONNECT'
DATABASE USER: '/'
PRIVILEGE : SYSDBA
CLIENT USER: oracle
CLIENT TERMINAL:
STATUS: 0

Audit file /oracle/app/oracle/product/9.2.0/rdbms/audit/ora_11272.aud
Oracle9i Enterprise Edition Release 9.2.0.7.0 - 64bit Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.7.0 - Production
ORACLE_HOME = /oracle/app/oracle/product/9.2.0
System name: SunOS
Node name: finkhi-pri
Release: 5.10
Version: Generic_118833-36
Machine: sun4u
Instance name: v72
Redo thread mounted by this instance: 1
Oracle process number: 26
Unix process pid: 11272, image: oracle@finkhi-pri (TNS V1-V3)

Sun Sep 14 21:01:00 2008
ACTION : 'CONNECT'
DATABASE USER: '/'
PRIVILEGE : SYSDBA
CLIENT USER: oracle
CLIENT TERMINAL:
STATUS: 0

Sun Sep 14 21:01:00 2008
ACTION : 'select 'alter system kill session '''||sid||','||serial#||''';' from v$session s where s.status='SNIPED''
DATABASE USER: '/'
PRIVILEGE : SYSDBA
CLIENT USER: oracle
CLIENT TERMINAL:
STATUS: 0

Audit file /oracle/app/oracle/product/9.2.0/rdbms/audit/ora_11272.aud
Oracle9i Enterprise Edition Release 9.2.0.7.0 - 64bit Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.7.0 - Production
ORACLE_HOME = /oracle/app/oracle/product/9.2.0
System name: SunOS
Node name: finkhi-pri
Release: 5.10
Version: Generic_118833-36
Machine: sun4u
Instance name: v72
Redo thread mounted by this instance: 1
Oracle process number: 228
Unix process pid: 11272, image: oracle@finkhi-pri (TNS V1-V3)

Wed Jan 21 19:31:00 2009
ACTION : 'CONNECT'
DATABASE USER: '/'
PRIVILEGE : SYSDBA
CLIENT USER: oracle
CLIENT TERMINAL:
STATUS: 0

Wed Jan 21 19:31:00 2009
ACTION : 'select 'alter system kill session '''||sid||','||serial#||''';' from v$session s where s.status='SNIPED''
DATABASE USER: '/'
PRIVILEGE : SYSDBA
CLIENT USER: oracle
CLIENT TERMINAL:
STATUS: 0

--------------------


--
sharfuddin
------------------------------------------------------------------------
sharfuddin's Profile: http://forums.novell.com/member.php?userid=63087
View this thread: http://forums.novell.com/showthread.php?t=452320


Re: Sentinel - Pushing Event Source Log files to Sentinel


Hi,
This could be done. Here is the script I wrote yesterday, but it's not
efficient; I will fix it. It contains a lot of bugs, but check it.

<?php
ob_start();

// Each entry of $logArray holds one audit record as 7 strings:
// [0] the syslog-style header built from the date line, then the
// ACTION, DATABASE USER, PRIVILEGE, CLIENT USER, CLIENT TERMINAL and
// STATUS lines of the .aud file.
$logArray = array();
// Helper files from the poster's environment (not shown in the post);
// nothing below depends on them.
require_once("functions/functions.php");
require_once("classes/classes.php");
showLog();
writeLog();

?>


<?php

// Turn an .aud date line such as "Fri Jan 11 16:01:00 2008" into a
// syslog-style header "Jan 11 16:01:00 slmbox Oracle Audit[11017]:".
function changeDateFormat($logDate){
    // Split on runs of whitespace: a single-digit day is padded with a
    // second space ("Thu Feb  7 15:21:00 2008"), and explode(" ") would
    // then return an empty field and shift the time into the wrong slot.
    $changeFormat = preg_split('/\s+/', trim($logDate));
    $sysLogDate = $changeFormat[1]." ".$changeFormat[2]." ".$changeFormat[3]
        ." "."slmbox Oracle Audit[11017]:";
    return $sysLogDate;
}

function writeLog() {
    global $logArray;
    // open the syslog connection once for the whole batch, not per record
    openlog('mylog', LOG_PID | LOG_ODELAY, LOG_LOCAL4);
    for ($i = 0; $i < sizeof($logArray); $i++) {
        // forward only complete records (header + 6 fields)
        if (count($logArray[$i]) < 7) {
            continue;
        }
        // fgets() keeps the trailing newline on every field; strip it so
        // each record becomes a single syslog line
        $logMessage = implode(" ", array_map('rtrim', $logArray[$i]));
        syslog(LOG_INFO, $logMessage);
    }
    closelog();
}

function showLog() {
    global $logArray;
    $arrayRow = 0;
    $arrayCol = 0;
    $inHeader = false;

    $handle = @fopen("oracle.aud", "r");
    if ($handle) {
        while (($buffer = fgets($handle, 4096)) !== false) {
            // The banner ("Audit file ..." down to "Unix process pid ...")
            // is rewritten every time the instance restarts, so it appears
            // several times in one file; skip each banner up to its blank
            // line instead of only the first 15 lines of the file.
            if (strpos($buffer, "Audit file ") === 0) {
                $inHeader = true;
                continue;
            }
            if ($inHeader) {
                if (trim($buffer) === "") {
                    $inHeader = false;
                }
                continue;
            }
            // a blank line separates records
            if (trim($buffer) === "") {
                continue;
            }
            if ($arrayCol == 0) {
                // first line of a record is the date
                $logArray[$arrayRow][$arrayCol] = changeDateFormat($buffer);
            } else {
                $logArray[$arrayRow][$arrayCol] = $buffer;
            }
            $arrayCol++;

            if ($arrayCol >= 7) {
                $arrayCol = 0;
                $arrayRow++;
            }
        }

        if (!feof($handle)) {
            echo "Error: unexpected fgets() fail\n";
        }
        fclose($handle);
    }
}

?>


--
mumersidd
------------------------------------------------------------------------
mumersidd's Profile: http://forums.novell.com/member.php?userid=120194
View this thread: http://forums.novell.com/showthread.php?t=452320
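An added example, not from the thread or either poster, written in Python rather than PHP: a parser for the SYSDBA .aud layout in sharfuddin's sample above (the one mumersidd's script targets) that skips the banner wherever it recurs, accepts the double-spaced day, and emits RFC 5424 lines so the year of a legacy record survives, which a BSD-style "Jan 11 16:01:00" header cannot carry. The host name argument, the app name "oracle-audit" and the timezone offset are assumptions, since the .aud file records none of them.

```python
from datetime import datetime

# Constructed excerpt in the SYSDBA .aud format shown in the thread: the banner
# recurs on each instance restart, records are blank-line separated, "Feb  7".
SAMPLE_AUD = """Audit file /oracle/app/oracle/product/9.2.0/rdbms/audit/ora_11272.aud
Unix process pid: 11272, image: oracle@finkhi-pri (TNS V1-V3)

Thu Feb  7 15:21:00 2008
ACTION : 'CONNECT'
DATABASE USER: '/'
PRIVILEGE : SYSDBA
CLIENT USER: oracle
CLIENT TERMINAL:
STATUS: 0

Audit file /oracle/app/oracle/product/9.2.0/rdbms/audit/ora_11272.aud

Sun Sep 14 21:01:00 2008
ACTION : 'select 1 from dual'
DATABASE USER: '/'
PRIVILEGE : SYSDBA
CLIENT USER: oracle
CLIENT TERMINAL:
STATUS: 0
"""

def parse_aud(text):
    records, rec, in_banner = [], None, False
    for line in text.splitlines() + [""]:   # trailing "" flushes the last record
        if line.startswith("Audit file "):  # banner: ignore up to the next blank line
            in_banner = True
        elif line.strip() == "":            # blank line ends a banner or a record
            in_banner = False
            if rec:
                records.append(rec)
            rec = None
        elif in_banner:
            continue
        elif rec is None:                   # first line of a record is the timestamp
            rec = {"ts": datetime.strptime(line.strip(), "%a %b %d %H:%M:%S %Y")}
        else:                               # "KEY : 'value'": split at the first colon
            key, _, value = line.partition(":")
            rec[key.strip()] = value.strip().strip("'")
    return records

def to_rfc5424(rec, host, tz="+00:00"):
    """RFC 5424 line, facility local4 + severity info (PRI 166); tz is assumed."""
    ts = rec["ts"].isoformat() + tz
    msg = " ".join(f"{k}={rec[k]!r}" for k in rec if k != "ts")
    return f"<166>1 {ts} {host} oracle-audit - - - {msg}"
```

Pointing the same parser at an entire .aud directory and writing the lines to the syslog forwarder is the replay step; the RFC 5424 timestamp is what lets SLM file a 2008 record under 2008 rather than the current year.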
