Audit  to syslog

Similar Messages

• Standard and sys audit to syslog

  Hello,
  I have question about enabling auditing to syslog.
  Is it possible to configure standard and sys auditing to local syslog in linux environment?
  I have read that from version 10.2 it is possible to add AUDIT_SYSLOG_LEVEL parameter to init.ora to send audit trail to syslog. But I need to have both auditings: standard auditing and sys operations auditing on a remote host using syslog.
  Regards
  Dominik

  Hi,
  I hope that the following document helps: http://www.springerlink.com/index/ut68j3652k06747j.pdf
  Regards,
  Naveed.

• Oracle auditing using syslogs

  Hello all....I am working on setting up the auditing to write to syslogs. I am having trouble understanding what to use for the facility and level. Can anyone point me in the right direction as to what these facilities and levels mean?
  TIA

  i believe those terms are related to syslog which is used on nix systems. if you are using nix then you should check the man page on syslog.conf.
  as the docs state, the facility indicates where the message is coming from (such as the kernel, cron, local0 - local 7), and there's the level, which indicates how urgent the message is (info, warning, critical...).
  i say this with never actually having used it though...
  if you're using windows, well, .... i can't say.

• RME (LMS 3.2) No detect Change Configuration automatically by Syslog Messages

  Hi,
  I have a problem with the "change audit" for Syslog messages trigger. I set all my devices to send Syslog messages to the CiscoWorks server. When I make any changes to syslog message is sent correctly for the CiscoWorks server, but it does not start automatically collects configuration (config fetch).
  Only when I start manually "sync archive" the configuration is stored and detected the change in configuration.
  Has not changed anything in config fetch "to" Automated actions Syslog ".
  Thanks

  Hi,
  You an check RME  > Tools > Syslog > Automated Actions to verify nothing was changed.
  Then display 'Config Fetch'. There is contextual help available:
  http://:1741/help/rme/fundamentals/index.html?syslog_Defining_Automatd_Actions.html#wp1211314
  Nick

• Show parameter audit

  Hi all,
  11.2.0.3.11
  aix6
  I am auditing my SYS using OS file as in:
  SQL> show parameter audit
  NAME                                 TYPE        VALUE
  audit_file_dest                      string      /var/log/oracle
  audit_sys_operations                 boolean     TRUE
  audit_syslog_level                   string      LOCAL0.INFO
  audit_trail                          string      OS
  But when I check my OS directory: ls -l /var/log/oracle
  :oracle[/var/log/oracle] ls -l /var/log/oracle
  total 0
  The is no audit log file created
  How do I troubleshoot this please.
  Thanks,
  mk

  Does oracle user have privileges to write into that path:
  touch aud.log
  See whether you can create a file.
  However, if you refer to the audit into syslog, the audit setup was fine, you must configure the /etc/syslog.conf - or - /etc/rsyslog.conf file for that path:
  You have to add the following line as :
  local0.info    /var/log/oracle/audit.log
  before this, create the audit.log file at /var/log/oracle ( touch audit.log )
  After you edit syslog.conf or rsyslog.conf restart the syslog:
  service rsyslog restart
  Check the file /var/log/oracle/audit.log:
  tail -300f /var/log/oracle/audit.log     for the audit records. If does not get written, restart the database with the first conviguration set from your first update

• Remote Log Targets not working in ACS

  Dear all
  I have 2 x ACS boxes configured as Primary & secondary.
  In ACS1 - In monitoring and reports-> option  I can see the User authentication, authorization and Accounting activities logs. I want to configure ACS2 as remote log server.
  For that in ACS1, in System administration->Log configuration-> remote log targets->new
  Added as - ACS2- 1.1.1.2 - in Advance options -
  Port-20514 (default is 514, need to change to 20514 , Instructions  from Cisco),
  Facility mode - Level6
  Maximum length -1024
  In logging categoris - in Global - Edit "AAA Audit" - remote syslog Targets - i have added - Logcollector (ACS1) and ACS2.
  In Log collector optin --> ACS1 is configured.
  After this , i  open ACS2 - Monitoring and reports optin to view the logs but when ever i click - it is diverting to ACS1.
  if i change log collector in ACS1 as ACS2, i can see the logs on ACS2. so at a time i can see logs only one ACS box.
  I would like to view the logs in both ACS boxes. can any one help me please.

  As per Cisco,  you can not able to User 2 ACS boxes simultanously to recevie log messages. Remote Log targets for Syslog Server.
  so, i can't use simultanously 2 x acs boxes , i need to go for syslog server.
  Chapter 19, "Understanding Logging"
  Configuring Remote Log Targets
  You can configure specific remote log targets (on a syslog server only) to receive the logging messages for a specific logging category. See Chapter 19, "Understanding Logging" for more information on remote log targets. See Configuring Logging Categories, page 18-25 for more information on the preconfigured ACS logging categories.
  Closing this ticket.. answered by Mohammed Feroz.

• [solved] errors in systemctl output

  $ sudo systemctl --all --no-pager | grep error
  auditd.service error inactive dead auditd.service
  syslog.target error inactive dead syslog.target
  $ pkgfile auditd.service
  community/audit
  $ pkgfile syslog.target
  $
  $ cat /usr/lib/systemd/system/systemd-update-utmp.service
  #  This file is part of systemd.
  #  systemd is free software; you can redistribute it and/or modify it
  #  under the terms of the GNU Lesser General Public License as published by
  #  the Free Software Foundation; either version 2.1 of the License, or
  #  (at your option) any later version.
  [Unit]
  Description=Update UTMP about System Reboot/Shutdown
  Documentation=man:systemd-update-utmp.service(8) man:utmp(5)
  DefaultDependencies=no
  RequiresMountsFor=/var/log/wtmp
  Conflicts=shutdown.target
  After=systemd-readahead-collect.service systemd-readahead-replay.service systemd-remount-fs.service systemd-tmpfiles-setup.service auditd.service
  Before=sysinit.target shutdown.target
  [Service]
  Type=oneshot
  RemainAfterExit=yes
  ExecStart=/usr/lib/systemd/systemd-update-utmp reboot
  ExecStop=/usr/lib/systemd/systemd-update-utmp shutdown
  There are some services that have
  After=syslog.target
  dbus.service, nscd.service, lm_sensors.service, svnserve.service.
  Should I do anything about these errors? syslog.target doesn't seem to exist at all ...
  Last edited by karol (2013-07-29 18:24:36)

  I get
  $ systemctl --all --no-pager | grep -i error
  auditd.service error inactive dead auditd.service
  plymouth-quit-wait.service error inactive dead plymouth-quit-wait.service
  plymouth-start.service error inactive dead plymouth-start.service
  syslog.target error inactive dead syslog.target
  If you boot to a display manager, I think you don't get the error for that one because enabling the relevant service sets up a symbolic link. For example:
  lrwxrwxrwx 1 root root 31 Aws 26 2012 /etc/systemd/system/display-manager.service -> /etc/systemd/system/kdm.service
  I remember reading complaints that systemd hard-coded dependencies on distro-specific stuff and that it shouldn't. (This was about the plymouth failures.) I tend to agree it is badly behaved in this respect. (As I've said before, I find the logging the biggest downside with systemd. It is the only thing which really bothers me and this, like journal, is part of that.) However, I believe it is harmless.
  Does anybody know what audit is good for or what the syslog.target is important for? I actually use syslog-ng and I still get this error.
  I take it that "masking" just involves the standard symlinking to /dev/null? I should probably do that for plymouth - the lack of a splash screen should not be highlighted as a boot error! I'd like to know more about the others, though...

• Log4j multiple loggers

  I was curious if anyone has been able to get multiple log4j loggers to work with weblogic? I have configured my domains
  to use log4j for logging and it appears to be functioning correctly. I am trying to use multiple loggers to send send system logs to the localhost and auditing log events to a remote host (using log4j syslogappender). A subset of my log4j.properties is shown below
  system.log.level=DEBUG
  log.dir=Logs
  max.filesize=10MB
  log4j.rootLogger=${system.log.level}, systemLogFile, stdout
  log4j.logger.audit=INFO, syslog
  log4j.additivity.audit=false
  log4j.appender.syslog=org.apache.log4j.net.SyslogAppender
  log4j.appender.syslog.SyslogHost=RemoteAuditRepositoryHost
  log4j.appender.syslog.layout=org.apache.log4j.EnhancedPatternLayout
  log4j.appender.syslog.layout.ConversionPattern=%d{${datestamp}} [%t] %-5p %c : %m%n
  log4j.appender.syslog.Facility=local2
  If I use this configuration the syslogd on my remote host receives nothing. I can get it too work if I move the syslog appender
  into the root logger but then it receives a lot of other logging Id rather not receive. I am using log4j 1.2.16 and Weblogic 10.3.

  Here's my test version that works correctly:class SubClass {
    private Logger log;
    public SubClass(String name) {
      // Create the appender
      RollingFileAppender appender = new RollingFileAppender();
      appender.setLayout(new PatternLayout("%d{DATE} %-5p [" + name
                      + "] - %m%n"));
      appender.setFile("C:/temp/" + name + ".txt");
      appender.activateOptions();
      // Create logger
      log = Logger.getLogger("SubClass." + name);
      log.addAppender(appender);
    public void writeToLog(String txt) {
      log.info(txt);
  }I don't have this "policy" business in my version of Log4J so I simplified your code a bit. My version produces two different log files with one line in each file.

• Trigger correlations from Javascript Actions

  Hi!
  I'm trying to use Javascript actions (as suggested here:
  http://forums.novell.com/novell-prod...ue-values.html)
  to detect port scans from a set of "drop" events generated by
  firewalls.
  For example I'd like to trigger a "Port sweep" correlated event
  everytime a single host (InitIP or InitHostName) tries to contact more
  than N distinct targets on the same TCP/UDP port and these connections
  are blocked by firewalls.
  I'm implementig this check by means of an action script that is
  triggered by a correlation rule, fired everytime a single host performs
  more than 100 drops in 1 minute. The script counts the number of
  distinct targets in the list of correlated events and evaluates to true
  if that number exceeds a given threshold (N).
  Now, I can verify the functionality of my script with the integrated
  Javascript debugger but I'm not able to generate a correlated event when
  the script evaluates to true. The documentation for developing custom
  Javascript actions available on http://www.novell.com/developer does not
  cover all SDK objects and methods (e.g.: CorrelatedEvent).
  How can I generate a correlated events from a JS action script
  triggered by a correlation? I tried to modify the triggering correlated
  event with
  this.corrEvent.setSeverity(5);
  this.corrEvent.setEvt(instance.CONFIG.params.scanT ype+" detected");
  but the modified event is not sent to DB or GUI.
  How can I trigger another action (such as Configure Correlated Event or
  Send Email) from a JavaScript Action?
  Any idea?
  m_gandolfi
  m_gandolfi's Profile: http://forums.novell.com/member.php?userid=53553
  View this thread: http://forums.novell.com/showthread.php?t=425156

  DCorlette;2044717 Wrote:
  >
  > As you say, you can't create a correlated event from your Action. The
  > only thing that can create correlated events is, in fact, the
  > correlation engine - and that all happens BEFORE the Action is
  > triggered.
  >
  Hi.
  Fortunately your statement was not completely correct . It is
  possible to trigger events using the provided java API. The main problem
  is the lack of documentation explaining objects and methods of the SDK.
  I didn't like the idea of sending an audit or syslog event and watching
  for it with another correlation rule. The new correlated event would be
  unlinked from the events triggering the correlation (the "view trigger
  events" functionality would become useless) and most of its fields would
  be empty, thus missing details for historical queries and reports. So,
  in my first implementation, I called the save() method of the correlated
  event object after modifying some of its fields:
  this.corrEvt.setSeverity(3);
  this.corrEvt.setEvt(evtName);
  this.corrEvt.setSubResource(scanType);
  this.corrEvt.setMessage(msg);
  this.corrEvt.save();
  This allowed me to submit changes to the DB but active views didn't
  notice the changes. So I added some code to send notifications through
  the email integrator.
  The main problem with this approach is that event summaries, which are
  run each hour on DAS component, don't populate some tables used for
  reporting (ESECDBA.EVT_NAME, ESECDBA.EVT_RSRC, etc.).
  Looking at correlation engine's logs and at ccsapp and ccsbase packages
  included in the SDK, I noticed that the correlation engine calls the
  sendEvents method of the EventPublisher interface to trigger events. I
  could reproduce this behaviour in my Javascript action as follows:
  importPackage(Packages.esecurity.base.ccs.services );
  // PUBLISH NEW CORRELATED EVENT
  //var channel = "correlation_binary_event_update" // with this
  channel, events are published to DB only
  var channel = "correlation_binary_event" // with this channel, events
  are published to DB and GUI
  var publisher = ComponentServices.instance().getEventPublisher();
  var evtList = new ArrayList(1);
  evtList.add(this.corrEvt);
  publisher.sendEvents(channel, evtList);
  Now correlated events are re-published to GUI and summary tables are
  correctly populated.
  m_gandolfi
  m_gandolfi's Profile: http://forums.novell.com/member.php?userid=53553
  View this thread: http://forums.novell.com/showthread.php?t=425156

• Fine Grained Audit records to syslog

  Hello experts,
  I am working on Standard Auditing and Fine Grained Auditing on 11.2.0.3 databases on Red Hat x86_64.
  I am trying to send Fine Grained Audit records to syslog as for my Standard Audit records with audit_trail set to OS, but can't find any appropriate option.
  When I create FGA policies with the ADD_POLICY procedure of the DBMS_FGA package, the audit_trail parameter can only be set to DB or XML, as stated in [PL/SQL Packages and Types Reference|http://docs.oracle.com/cd/E11882_01/appdev.112/e25788/d_fga.htm#CDEIECAG].
  Does somebody know if it is possible to send FGA audit records to syslog directly:
  1. without using any additional product (e.g. Oracle Audit Vault)?
  2. without doing manual extraction from fga_log$ or DBA_COMMON_AUDIT_TRAIL?
  Thanks for any suggestion.

  Hi,
  Well, i did not used FGA yet.
  I used audit_Trail=db and the query SELECT username,extended_timestamp,owner,obj_name,action_name,sql_text FROM dba_audit_trail WHERE to_char(extended_timestamp, 'DD/MM/RR') = to_char(SYSDATE - 1, 'DD/MM/RR') ORDER BY timestamp)
  Then i wrote a procedure, and exported the results using utl_file .
  And i scheduled this procedure to run daily.
  It works pretty good, if you like the solution as ask for details.
  Hope that helps,
  Regards.

• Trying to configure syslog process, for Oracle auditing, Oracle 10gR2

  Folks,
  I am trying to use the OS (UNix Sun Solaris 10), syslog process. So I can write my Oracle db 10gR2 audit logs to a location, where Oracle userid on unix cannot modify/delete.
  For that I have set following values in the Oracle 10gR2 parameters :
  audit_file_dest string /flood/u01/app/oracle/product/
  10.2.0/db_1/rdbms/audit
  audit_sys_operations boolean TRUE
  audit_syslog_level string USER
  audit_trail string OS
  Actually I have set audit_syslog_level = 'user.notice' value in the database
  Also made following entry in the syslog.conf file
  ## oracle audit records
  user.notice /var/log/oraaudit.log
  # if a non-loghost machine chooses to have authentication messages
  # sent to the loghost machine, un-comment out the following line:
  #auth.notice ifdef(`LOGHOST', /var/log/authlog, @loghost)
  mail.debug ifdef(`LOGHOST', /var/log/syslog, @loghost)
  # non-loghost machines will use the following lines to cause "user"
  # log messages to be logged locally.
  ifdef(`LOGHOST', ,
  user.err /dev/sysmsg
  user.err /var/adm/messages
  user.alert `root, operator'
  user.emerg *
  It is still not logging the audit logs in that location.
  What am I missing here
  Thanks for your help.
  Ashish

  By chance did you restart the database and syslogd? ( I think that a "kill -1 syslogd" will work for that.)
  Your configuration looks very similar to what I did - and mine is working ok. One difference I noticed: when I do the "show parameter audit", I get the whole string of "audit_syslog_level string LOCAL5.NOTICE"
  Greg

• Trying to configure syslog process,to write the database audit logs

  Folks,
  Running Oracle 10g R2 on Sun Solaris v 10.
  I am trying to configure my database environment, so it will write all the database audit logs to a location, where Oracle userid on unix cannot modify/delete it.
  To accomplish my goal, so far I have done the following:
  I have set the following parameter with these values
  audit_file_dest /flood/u01/app/oracle/product/10.2.0/db_1/rdbms/audit
  audit_sys_operations TRUE
  audit_trail OS
  Also I asked my system administrator , to make an entry in the syslog.conf file at location /etc
  He made the following entry
  local3.notice /var/log/oraaudit.log
  and restarted the syslog process
  I also made the following entry
  alter system set audit_syslog_level='LOCAL3.NOTICE' scope=spfile and bounced the database.
  But after starting the database, i will don't see any oraaudit.log file at the location /var/log
  Any help will be much appreciated.
  Regards
  Ashish

  Hello Srini,
  I mentioned in my posting , that I already set AUDIT_SYSLOG_LEVEL=LEVEL3.NOTICE value.
  Also the permission on /var/log is such the Oracle unix userid cannot write to it and that is what I want. Since if Oracle userid can write, it can modify/delete the audit log also , which we are trying to prevent.
  Thanks
  Ashish

• SCOM 2012 collect Windows Audit logs and forward them to a Linux Syslog server

  Hello:
  1. We have a SCOM 2012 server.
  2. We have SNARE agents for PCI systems, but now we want to save money by gathering all events for all Windows servers using its native features.
  3. We also have a centralized Linux server running SYSLOG which aggregates the logs to our Dell LogVault retention appliance (for PCI purposes)
  Thus, my question:
  In effort to remove the SNARE agents from the windows servers, can we implement Audit Collections Services (ACS) in the windows environment so that they collect/forward audit/event logs to the SCOM 2012 server and then SCOM forwards the events to the centralized
  syslog Linux server? In which case they are aggregated to the Dell appliance.
  We prefer to use the Linux syslog as the centralized log server but would like to know how to go about implementing the solution above.
  Many thanks,
  Robert Perez-Corona

  Hi,
  Here is a thread about how to make SCOM 2012 work as a syslog server, hope this can be helpful for you:
  https://social.technet.microsoft.com/Forums/en-US/524ea527-c069-40f9-96ef-026a4aa06fe9/make-scom-2012-a-syslog-server?forum=operationsmanagergeneral
  Regards,
  Yan Li
  Regards, Yan Li

• Auditing dba to syslog

  Hi Hemant,
  11.2.0.1
  Aix 6.1
  I am still confused about sys logging.
  I configured sys logging already thru:
  editing pfile and add:
  *.audit_file_dest='/var/log/oracle/proddr'
  *.audit_sys_operations=TRUE
  *.audit_trail='OS'
  *.audit_syslog_level='LOCAL5.INFO'
  The auditor asked me to test login sys and drop the EMP table at scott;
  Then check if I was logged in OS syslog. But it was not there
  How do I include this sys activity in syslog?
  Thanks,
  zxy

  yxes2013 wrote:
  Hi Jg, can you spank Sybrand for me so he gets politeness lesson
  I really don't know who was impolite here, since when saying to someone to read doc is impolite ?
  You are trying to make funny post with your smiley, but it is not anymore long ago.
  Should I add that you marked the answer of smon as correct whereas it has nothing to do with your original question ? That's just a shame. Who's impolite ?
  -- Once more, and as long as your threads are slipping down, I'm gonna to lock them. That one too --
  Nicolas.

• Audit is enable in local zone

  Audit is enabled and working fine in Global zone.
  root@MMS11:/var/audit# uname -a
  SunOS MMS11 5.11 11.2 sun4v sparc sun4v
  root@MMS11:/var/audit#
  root@MMS11:/var/audit#
  root@MMS11:/var/audit# pkg info entire
            Name: entire
         Summary: entire incorporation including Support Repository Update (Oracle Solaris 11.2.3.4.1).
     Description: This package constrains system package versions to the same
                  build.  WARNING: Proper system update and correct package
                  selection depend on the presence of this incorporation.
                  Removing this package will result in an unsupported system.  For
                  more information see
                  https://support.oracle.com/rs?type=doc&id=1672221.1.
        Category: Meta Packages/Incorporations
           State: Installed
       Publisher: solaris
         Version: 0.5.11 (Oracle Solaris 11.2.3.4.1)
  Build Release: 5.11
          Branch: 0.175.2.3.0.4.1
  Packaging Date: October  2, 2014 10:39:23 PM
            Size: 5.46 kB
            FMRI: pkg://solaris/[email protected],5.11-0.175.2.3.0.4.1:20141002T223923Z
  root@MMS11:/var/audit#
  root@MMS11:/var/audit# ls -lhtr
  total 34343
  -rw-r-----   1 root     root        400K Apr  7 16:41 20150407134107.20150407134155.MMS11
  -rw-r-----   1 root     root         11M Apr  7 17:21 20150407134157.20150407142120.MMS11
  -rw-r-----   1 root     root        5.5M May  4 13:57 20150504103940.not_terminated.MMS11
  root@MMS11:/var/audit#
  root@MMS11:/var/audit# ls -lhtr /var/adm/auditlog
  -rw-r-----   1 root     root        1.0M May  4 13:57 /var/adm/auditlog
  root@MMS11:/var/audit# audit -s
  root@MMS11:/var/audit# zoneadm list -cv
    ID NAME             STATUS      PATH                         BRAND      IP   
     0 global           running     /                            solaris    shared
     5 MMS_NG         running     /zones/MMS_NG              solaris    shared
  =======================================================
  but I am unable to enable audit on local zone.
  I have following
  root@MMS11:/var/audit# zlogin MMS_NG
  [Connected to zone 'MMS_NG' pts/14]
  Oracle Corporation      SunOS 5.11      11.2    September 2014
  You have mail.
  root@MMS_NG:~#
  root@MMS_NG:~#
  root@MMS_NG:~# audit -s
  audit: Neither local nor remote auditing is configured in the non-global zone.
  root@MMS_NG:~#
  root@MMS_NG:~# audit -n
  audit: Neither local nor remote auditing is configured in the non-global zone.
  root@MMS_NG:~# cd /var/audit
  root@MMS_NG:/var/audit# ls -lhtr
  total 94399
  -rw-r-----   1 root     root        149M Apr  7 16:40 20150208124745.not_terminated.MMS_NG
  How I can enable audit in NG zone, I want to enable audit logs with syslog service. as enabled and configured on Global Zone.

  I'm not sure why Ur looking for /etc/system in zones..
  now in soalris 10u10 /soalrs 11..you can configure the kernel parameters as application/user specific
  you can use projadd command to add the resources like shared memory
  if you want add the parameters as global you can use
  zonecfg
  you can refer this doc what parameters u can add to zone with zonecfg
  http://docs.oracle.com/cd/E19455-01/817-1592/z.config.ov-1/index.html
  zone.cpu-shares (preferred: cpu-shares)
  zone.max-locked-memory
  zone.max-lwps (preferred: max-lwps)
  zone.max-msg-ids (preferred: max-msg-ids)
  zone.max-sem-ids (preferred: max-sem-ids)
  zone.max-shm-ids (preferred: max-shm-ids)
  zone.max-shm-memory (preferred: max-shm-memory)