Skip to main content
Question

Oracle Unified Audit trail with Google SecOps

  • October 2, 2025
  • 1 reply
  • 42 views
ram

Hi Team,

 

When setting up Unified Auditing (19c standard) - the detailed  database audit trail is stored into a write only table within the database - and a few limited fields are forwarded to syslog.
Looking at https://cloud.google.com/chronicle/docs/ingestion/default-parsers/oracle-db  is there an alternate option to setup ingestion a dump of detailed audit records from db into a csv/json and then ingest it into secops periodically ? If not is there any other solution available ?  

    1 reply

    geravaibhav
    • geravaibhav
    • New Member
    • October 3, 2025

    You can use Nxlog Enterprise edition that allows use of module im_odbc and run a db query from it as below 

    <Input in>
        Module  im_odbc
        #ConnectionString Driver={<Friendly Alias for Driver Name>};Dbq=<DB Server IP/HostName>:<DBPort>/<DBName>;Uid=<UserName>;Pwd=<Password>;
        #Example : ConnectionString Driver=/usr/lib/oracle/19.15/client64/lib/libsqora.so.19.1;Dbq=100.108.178.240:1521/orcl;Uid=SYSTEM;Pwd=lObO!190;

        IdType  timestamp
    	SQL SELECT /*+ USE_HASH(ACT,AOM) */          'Unified_Auditing' as Log_Type, (cast(EVENT_TIMESTAMP as date) - date '1970-01-01')*24*60*60*1000 AS id, OS_USER AS OS_USERNAME,          	   USERID AS USERNAME, HOST_NAME AS USERHOST,   TERMINAL AS TERMINAL,          	   OBJ_OWNER AS OWNER,          	   OBJ_NAME AS OBJ_NAME,          	  ACTION AS ACTION,          	    act.name as ACTION_NAME, NEW_OWNER AS NEW_OWNER,          	   NEW_NAME AS NEW_NAME,          	    OBJECT_PRIVILEGES AS OBJ_PRIVILEGE,          	  SYSTEM_PRIVILEGE_USED AS SYS_PRIVILEGE,      DV_GRANTEE AS GRANTEE, AUDIT_OPTION AS AUDIT_OPTION, 	   AUTHENTICATION_TYPE AS COMMENT_TEXT,          	   SESSIONID AS SESSIONID,          	   ENTRY_ID AS ENTRY_ID,          	   STATEMENT_ID AS STATEMENTID,          	   RETURN_CODE AS RETURNCODE,   SYSTEM_PRIVILEGE_USED AS PRIV_USED,          	   CLIENT_IDENTIFIER AS CLIENT_ID,  PROXY_SESSIONID AS PROXY_SESSIONID,          	   GLOBAL_USERID AS GLOBAL_UID,       INSTANCE_ID AS INSTANCE_NUMBER,          	   OS_PROCESS AS OS_PROCESS,   TRANSACTION_ID AS TRANSACTIONID,          	   SCN AS SCN,          	   to_nchar(substr(SQL_BINDS, 1, 2000)) AS SQL_BIND,          	   replace(to_nchar(substr(SQL_TEXT, 1, 2000)),'|',' ') AS SQL_TEXT  ,   (select HOST_NAME from v$instance) as HOST_ID   from AUDSYS.AUD$UNIFIED  	   LEFT JOIN audit_actions act USING(action) LEFT JOIN v$instance v USING(HOST_NAME)   where         EVENT_TIMESTAMP > ? AND rownum < 2000 order by EVENT_TIMESTAMP desc
    	Exec    parse_syslog();
    </Input>

    Then send over syslog, Google parser supports this log format.

    ram
    Terms & ConditionsCookie settingsAccessibility statement
    Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

    © 2025 Google. All rights reserved.