Sending Oracle audit messages to a syslog server

The environment used in this article is Red Hat Linux 6.5 + Oracle 11.2.0.4.

Rsyslog configuration on the Linux client:
Edit the rsyslog configuration file /etc/rsyslog.conf on the Linux host
and add the following lines:

local1.warning /var/log/audit.log  
local1.warning  @192.168.2.74

Restart the rsyslog service.

Database configuration on the Linux client

alter system set audit_syslog_level='LOCAL1.WARNING' scope=spfile;
alter system set audit_trail=OS scope=spfile;

Restart the database.

Rsyslog configuration on the Linux server

$template RemoteLogs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log" *
*.* ?RemoteLogs
& ~

Audit log format

Dec 16 00:49:05 standby Oracle Audit[63874]: LENGTH: "379" SESSIONID:[5] "90004" ENTRYID:[1] "1" STATEMENT:[1] "1" USERID:[6] "LTYWDB" USERHOST:[25] "WORKGROUP\PC-20161024TGGX" TERMINAL:[15] "PC-20161024TGGX" ACTION:[3] "100" RETURNCODE:[1] "0" COMMENT$TEXT:[99] "Authenticated by: DATABASE; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.6.59)(PORT=55705))" OS$USERID:[13] "Administrator" DBID:[10] "4163596186" PRIV$USED:[1] "5"
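
Each field in the record above carries `[n]`, the length of the quoted value that follows it. The parser below is an added example, not part of the original post: it reads values by that length instead of splitting on quotes, so a value containing `"` is still read whole, and it flags failed logons (ACTION 100 is LOGON in Oracle's audit action codes; a non-zero RETURNCODE is the ORA error number). The function names and both sample lines are constructed for illustration, and it assumes `[n]` counts characters, which holds for ASCII values.

```python
import re

# Syslog header written in front of every Oracle audit record.
HEADER = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) Oracle Audit\[(?P<pid>\d+)\]: ')
# NAME:[n] "   (LENGTH is the only field without the [n] prefix)
FIELD = re.compile(r'\s*([A-Z0-9$_]+):(?:\[(\d+)\])? "')

# Constructed sample: the page's record, abridged to a few fields.
SAMPLE_OK = ('Dec 16 00:49:05 standby Oracle Audit[63874]: LENGTH: "379" '
             'SESSIONID:[5] "90004" USERID:[6] "LTYWDB" ACTION:[3] "100" '
             'RETURNCODE:[1] "0"')
# Constructed sample: failed logon (ORA-01017) with a quote inside a value.
SAMPLE_FAILED = ('Dec 16 00:51:12 standby Oracle Audit[63901]: LENGTH: "160" '
                 'SESSIONID:[5] "90007" USERID:[5] "SCOTT" '
                 'TERMINAL:[10] "pc "lab" 7" ACTION:[3] "100" '
                 'RETURNCODE:[4] "1017"')

def parse_audit(line):
    """Return (header dict, field dict) for one Oracle syslog audit line."""
    m = HEADER.match(line)
    if not m:
        raise ValueError("not an Oracle Audit syslog line")
    fields, pos = {}, m.end()
    while pos < len(line):
        f = FIELD.match(line, pos)
        if not f:
            if line[pos:].strip():
                raise ValueError("unparsed data at offset %d" % pos)
            break
        name, declared = f.group(1), f.group(2)
        start = f.end()
        if declared is None:
            end = line.index('"', start)      # no length given: stop at the quote
        else:
            end = start + int(declared)       # trust the length, not the quotes
            if line[end:end + 1] != '"':
                raise ValueError("%s: declared length does not match" % name)
        fields[name] = line[start:end]
        pos = end + 1
    return m.groupdict(), fields

def is_failed_logon(fields):
    """ACTION 100 = LOGON; RETURNCODE other than 0 means the logon failed."""
    return fields.get("ACTION") == "100" and fields.get("RETURNCODE", "0") != "0"

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_FAILED):
        hdr, rec = parse_audit(sample)
        print(hdr["host"], rec.get("USERID"), "FAILED" if is_failed_logon(rec) else "ok")
```

A record whose declared length does not line up with the closing quote raises `ValueError`, so truncated or tampered lines are rejected rather than parsed into misleading fields.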