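# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.

# Sawmill log-format plugin for the Oracle Database operating-system audit
# trail (the ora_*.aud files written when AUDIT_TRAIL=OS). Three layouts are
# handled by one parsing filter:
#   9i   - one "SESSIONID: ... OS$USERID: ..." line per record,
#   10i  - "LABEL:[len] 'value'" lines per record,
#   11i  - "LABEL: 'value'" / "LABEL: value" lines per record,
# all preceded by a multi-line header describing the instance and host.

oracle_audit = {

  plugin_version = "1.2.2"

  info.1.manfacturer = "Oracle Corporation"
  info.1.device = "Oracle Database"
  info.1.version.1 = "9i"
  info.1.version.2 = "10i"
  info.1.version.3 = "11i"

  # 2007-07-09 - 1.0 - KBB - Initial creation.
  # 2008-02-13 - 1.1 - gas - Added support for variant and comment_text field.
  # 2009-03-04 - 1.2 - KBB - Added support for versions 10i and 11i. Changed
  #   processing of ora_info field to work with more variation in system section.
  #   Made 9i processing more generic to support more variants with the same field names.
  # 2009-03-24 - 1.2.1 - KBB - Eliminated length field since there is no info on what it represents.
  #   It should be numeric, but the type is unknown. Save and restore header info, since it is not clear
  #   whether the header repeats with multiple data sections as in 9i. Added action_by_user_id report and
  #   grouped reports.
  # 1.2.2 - review - Clear found_date after a 9i SESSIONID record is accepted so a
  #   following blank line cannot accept the same record a second time. Strip the
  #   space before the colon in the generic "LABEL : value" branch so 11i unquoted
  #   lines such as "PRIVILEGE : SYSDBA" land in "privilege" rather than "privilege_".
  #   Restored one-statement-per-line layout.

  log.format.format_label = "Oracle Audit Log Format"
  log.miscellaneous.log_data_type = "generic"
  log.miscellaneous.log_format_type = "application"
  log.format.date_format = "auto"
  log.format.time_format = "auto"

  # Autodetect keys on the first header line, e.g.
  #Audit file /ORADATA/SWANBOAT/admin/audit/ora_10.aud
  # NOTE: the pattern also requires "ora" somewhere after "Audit file"; an audit
  # file whose path contains neither "ora" nor "ORA" will not be autodetected and
  # must have this format selected by hand.
  log.format.autodetect_regular_expression = "^Audit file.*[Oo][Rr][Aa]"
  log.format.parse_only_with_filters = "true"

  # Log fields
  log.fields = {
    date = ""
    time = ""
    session_id = ""
    entry_id = ""
    statement = ""
    user_id = ""
    terminal = ""
    action = ""
    return_code = ""
    comment_text = ""
    obj_creator = ""
    obj_name = ""
    ses_actions = ""
    ses_tid = ""
    os_user_id = ""
    audit_file = ""
    oracle_release = ""
    jserver_release = ""
    oracle_home = ""
    system_name = ""
    oracle_node_name = ""
    release = ""
    version = ""
    machine = ""
    instance_name = ""
    redo_thread = ""
    oracle_pid = ""
    unix_pid = ""
    oracle_image = ""
    # new in 10i and 11i
    #client_user = ""      # mapped onto user_id by the parsing filter
    #client_terminal = ""  # mapped onto terminal by the parsing filter
    database_user = ""
    # length = ""          # dropped in 1.2.1: meaning/type unknown
    privilege = ""
    status = ""
  } # log.fields

  # found_date      - a "Dow Mon dd hh:mm:ss yyyy" line has opened a record.
  # found_audit_file - inside the header: collect free-form lines into ora_info.
  # ora_info        - header lines that match no label, joined with spaces; they
  #                   become oracle_release when the header ends.
  log.filter_initialization = `
    bool found_date = false;
    bool found_audit_file = false;
    string ora_info = '';
  `

  log.parsing_filters.parse = `
    v.line = current_log_line();

    # Header example (9i). Header values are written both to the working ('')
    # namespace and to the 'save' namespace so they can be re-applied to every
    # record; accept_collected_entry(..., false) leaves collected fields in place.
    #Audit file /ORADATA/SWANBOAT/admin/audit/ora_10.aud
    #Oracle9i Enterprise Edition Release 9.2.0.1.0 - 64bit Production
    #With the Partitioning, OLAP and Oracle Data Mining options
    #JServer Release 9.2.0.1.0 - Production
    #ORACLE_HOME = /oracle9i/app/oracle/product/9.2.0.1
    #System name: SunOS
    #Node name: SWANBOAT
    #Release: 5.8
    #Version: Generic_117350-05
    #Machine: sun4u
    #Instance name: SWANBOAT
    #Redo thread mounted by this instance: 1
    #Oracle process number: 48
    #Unix process pid: 10, image: oracle@SWANBOAT (TNS V1-V3)

    # A blank line marks the end of the header section or of an event section.
    if (v.line eq "") then (
      if (found_date) then (
        # 10i/11i record: opened by its date line, closed by this blank line.
        # NOTE(review): clear=false means fields not present in this record keep
        # the previous record's value (e.g. a missing STATUS or CLIENT TERMINAL).
        # Treat per-event fields as "last seen" rather than "set on this event"
        # until explicit clearing of the per-event fields is added here.
        accept_collected_entry('', false);
        found_date = false;
      );
      else if (found_audit_file) then (
        # End of header: the unlabelled header lines form the release string.
        set_collected_field('', 'oracle_release', ora_info);
        set_collected_field('save', 'oracle_release', ora_info);
        found_audit_file = false;
        ora_info = "";
      );
    );
    else if (matches_regular_expression(v.line, '^JServer Release (.*)$')) then (
      set_collected_field('', 'jserver_release', $1);
      set_collected_field('save', 'jserver_release', $1);
    );
    else if (matches_regular_expression(v.line, "^Audit file (.*)$")) then (
      # First header line; everything up to the next blank line is header.
      found_audit_file = true;
      set_collected_field('', 'audit_file', $1);
      set_collected_field('save', 'audit_file', $1);
    );
    else if (matches_regular_expression(v.line, "^Redo thread mounted by this instance: (.*)$")) then (
      set_collected_field('', 'redo_thread', $1);
      set_collected_field('save', 'redo_thread', $1);
    );
    else if (matches_regular_expression(v.line, "^Oracle process number: (.*)$")) then (
      set_collected_field('', 'oracle_pid', $1);
      set_collected_field('save', 'oracle_pid', $1);
    );
    else if (matches_regular_expression(v.line, "^Node name: (.*)$")) then (
      set_collected_field('', 'oracle_node_name', $1);
      set_collected_field('save', 'oracle_node_name', $1);
    );
    else if (matches_regular_expression(v.line, "^Unix process pid: ([^,]+), image: (.*)$")) then (
      set_collected_field('', 'unix_pid', $1);
      set_collected_field('', 'oracle_image', $2);
      set_collected_field('save', 'unix_pid', $1);
      set_collected_field('save', 'oracle_image', $2);
    );

    # 10i example
    #Mon Feb 9 00:08:15 2009
    #LENGTH : '146'
    #ACTION :[7] 'CONNECT'
    #DATABASE USER:[1] '/'
    #PRIVILEGE :[6] 'SWANBOAT'
    #CLIENT USER:[6] 'oracle'
    #CLIENT TERMINAL:[13] 'Not Available'
    #STATUS:[1] '0'

    # 11i example - note that lines without '' are handled by the generic
    # "LABEL: value" branch below, together with the header lines.
    #Thu Feb 19 15:53:48 2009
    #ACTION : 'CONNECT'
    #DATABASE USER: '/'
    #PRIVILEGE : SYSDBA
    #CLIENT USER: oracle
    #CLIENT TERMINAL: pts/1
    #STATUS: 0

    # Quoted 10i/11i line: "LABEL :[len] 'value'" or "LABEL: 'value'".
    # The field name is derived from the label (lowercased, spaces -> '_').
    # NOTE(review): a value containing a single quote (a client-chosen terminal
    # name or OS user, for instance) does not match this pattern and falls
    # through to the generic branch below with the quotes left in place.
    else if (matches_regular_expression(v.line, "^([^:]+[^ ]) ?:(\\\\[[0-9]+\\\\])?[ ]+'([^']+)'$")) then (
      v.field = replace_all(lowercase($1), ' ', '_');
      v.value = $3;
      # CLIENT USER / CLIENT TERMINAL are the 9i USERID / TERMINAL.
      if (matches_regular_expression(v.field, 'client_(.*)')) then (
        v.field = $1;
        if (v.field eq 'user') then (
          v.field = 'user_id';
        );
      );
      set_collected_field('', v.field, v.value);
    );

    # 9i record line. Examples:
    #SESSIONID: "6149125" ENTRYID: "1" STATEMENT: "5" USERID: "DAISY_USER" TERMINAL: "DAISY" ACTION: "103" RETURNCODE: "0" OBJ$CREATOR: "DAISY_USER" OBJ$NAME: "KINDNAME" SES$ACTIONS: "----------S-----" SES$TID: "33820" OS$USERID: "daisy_access"
    #SESSIONID: "6020703" ENTRYID: "1" STATEMENT: "9" USERID: "DAISY_USER" TERMINAL: "W1" ACTION: "6" RETURNCODE: "0" OBJ$CREATOR: "OCAC_WEB" OBJ$NAME: "ML_UNIT2" OS$USERID: "daisy-access"
    #SESSIONID: "2060170" ENTRYID: "1" STATEMENT: "1" USERID: "USERNAME" TERMINAL: "pts/1" ACTION: "100" RETURNCODE: "1017" COMMENT$TEXT: "Authenticated by: DATABASE" OS$USERID: "oracle"
    # Not every record carries the same labels (OBJ$*, SES$*, COMMENT$TEXT are
    # optional), so the record is parsed as a label list rather than a fixed regex.
    else if (starts_with(v.line, 'SESSIONID:')) then (
      # '$' is not usable in a field name; OBJ$NAME -> OBJ_NAME etc.
      v.line = replace_all(v.line, '$', '_');
      # Field names are not lowercased by collect_listed_fields, so every
      # possible Oracle label is mapped explicitly.
      collect_listed_fields('', v.line, ' ', ': ', 'ACTION=action|COMMENT_TEXT=comment_text|ENTRYID=entry_id|OBJ_CREATOR=obj_creator|OBJ_NAME=obj_name|OS_USERID=os_user_id|RETURNCODE=return_code|SESSIONID=session_id|SES_ACTIONS=ses_actions|SES_TID=ses_tid|STATEMENT=statement|TERMINAL=terminal|USERID=user_id');

      # Re-apply the header fields from the 'save' namespace before accepting.
      # clear=false is used because records differ in which labels they carry;
      # NOTE(review): as a consequence optional fields (obj_*, ses_*,
      # comment_text) carry over from the previous record when absent.
      set_collected_field('', 'audit_file', get_collected_field('save', 'audit_file'));
      set_collected_field('', 'oracle_release', get_collected_field('save', 'oracle_release'));
      set_collected_field('', 'jserver_release', get_collected_field('save', 'jserver_release'));
      set_collected_field('', 'oracle_home', get_collected_field('save', 'oracle_home'));
      set_collected_field('', 'system_name', get_collected_field('save', 'system_name'));
      set_collected_field('', 'oracle_node_name', get_collected_field('save', 'oracle_node_name'));
      set_collected_field('', 'release', get_collected_field('save', 'release'));
      set_collected_field('', 'version', get_collected_field('save', 'version'));
      set_collected_field('', 'machine', get_collected_field('save', 'machine'));
      set_collected_field('', 'instance_name', get_collected_field('save', 'instance_name'));
      set_collected_field('', 'redo_thread', get_collected_field('save', 'redo_thread'));
      set_collected_field('', 'oracle_pid', get_collected_field('save', 'oracle_pid'));
      set_collected_field('', 'unix_pid', get_collected_field('save', 'unix_pid'));
      set_collected_field('', 'oracle_image', get_collected_field('save', 'oracle_image'));
      accept_collected_entry('', false);
      # The date line before this record set found_date. Clear it, otherwise a
      # blank line following the record accepts the same fields a second time
      # and the audit event is counted twice.
      found_date = false;
    );

    # Generic "LABEL: value" or "NAME = value" line: header lines (System name,
    # Release, Version, Machine, Instance name, ORACLE_HOME) and 11i unquoted
    # record lines. The 9i SESSIONID line is matched above so it never gets here.
    # The optional space before the colon is excluded from the label so
    # "PRIVILEGE : SYSDBA" becomes field "privilege", not "privilege_".
    # NOTE(review): the field name is taken from whatever text precedes the colon,
    # so any log line of the form "something: value" is written to a collected
    # field named after it; the value is also stored in the 'save' namespace.
    else if (matches_regular_expression(v.line, "^([^:]+[^ ]) ?:[ ]+([^ ]+.*)$") or matches_regular_expression(v.line, "^([^=]+) = ([^=]+)$")) then (
      v.field = replace_all(lowercase($1), ' ', '_');
      v.value = $2;
      # Same CLIENT USER / CLIENT TERMINAL mapping as the quoted branch.
      if (matches_regular_expression(v.field, 'client_(.*)')) then (
        v.field = $1;
        if (v.field eq 'user') then (
          v.field = 'user_id';
        );
      );
      set_collected_field('', v.field, v.value);
      set_collected_field('save', v.field, v.value);
    );

    # Record timestamp, e.g.
    #Tue Apr 10 10:28:21 2007
    #Mon Feb 9 00:08:15 2009
    # Produces "dd/Mon/yyyy" (the day may carry a leading space for days < 10,
    # which date_format = "auto" is relied on to accept) and "hh:mm:ss".
    else if (matches_regular_expression(v.line, '^[A-Z][a-z][a-z] ([A-Z][a-z][a-z]) ([0-9 ][0-9]) ([0-9]{2}:[0-9]{2}:[0-9]{2}) ([0-9]{4})$')) then (
      found_date = true;
      set_collected_field('', 'date', $2 . "/" . $1 . "/" . $4);
      set_collected_field('', 'time', $3);
    );

    # Any other non-blank line inside the header (e.g. "Oracle9i Enterprise
    # Edition Release ..." and the options line) is accumulated into ora_info.
    # Unmatched lines outside the header are ignored.
    else if (v.line ne "") then (
      if (found_audit_file) then (
        if (ora_info eq '') then (
          ora_info = v.line;
        );
        else (
          ora_info .= ' ' . v.line;
        );
      );
    );
  `

  # Database fields
  database.fields = {
    date_time = ""
    session_id = ""
    entry_id = ""
    statement = ""
    user_id = ""
    terminal = ""
    action = ""
    return_code = ""
    comment_text = ""
    obj_creator = ""
    obj_name = ""
    ses_actions = ""
    ses_tid = ""
    os_user_id = ""
    audit_file = ""
    oracle_release = ""
    jserver_release = ""
    oracle_home = ""
    system_name = ""
    oracle_node_name = ""
    release = ""
    version = ""
    machine = ""
    instance_name = ""
    redo_thread = ""
    oracle_pid = ""
    unix_pid = ""
    oracle_image = ""
    # new in 10i and 11i
    database_user = ""
    # length = ""
    privilege = ""
    status = ""
  } # database.fields

  # Log Filters
  log.filters = {
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'events = 1;'
    } # mark_entry
  } # log.filters

  database.numerical_fields = {
    events = {
      default = true
      requires_log_field = false
      entries_field = true
    } # events
  } # database.numerical_fields

  create_profile_wizard_options = {
    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
      system_group = {
        audit_file = true
        oracle_release = true
        jserver_release = true
        oracle_home = true
        system_name = true
        oracle_node_name = true
        release = true
        version = true
        machine = true
        instance_name = true
        redo_thread = true
        oracle_pid = true
        unix_pid = true
        oracle_image = true
        comment_text = true
      } # system_group
      users_group = {
        session_id = true
        entry_id = true
        statement = true
        user_id = true
        action_by_user_id = true
        terminal = true
        action = true
        ses_actions = true
        ses_tid = true
        os_user_id = true
        database_user = true
        privilege = true
      } # users_group
      other_group = {
        return_code = true
        obj_creator = true
        obj_name = true
        status = true
      } # other_group
    } # report_groups
  } # create_profile_wizard_options

} # oracle_audit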