Skip to main content

Hi Team,

 

When setting up Unified Auditing (19c standard) - the detailed  database audit trail is stored into a write only table within the database - and a few limited fields are forwarded to syslog.
Looking at https://cloud.google.com/chronicle/docs/ingestion/default-parsers/oracle-db  is there an alternate option to setup ingestion a dump of detailed audit records from db into a csv/json and then ingest it into secops periodically ? If not is there any other solution available ?  

You can use Nxlog Enterprise edition that allows use of module im_odbc and run a db query from it as below 

<Input in>
    Module  im_odbc
    #ConnectionString Driver={<Friendly Alias for Driver Name>};Dbq=<DB Server IP/HostName>:<DBPort>/<DBName>;Uid=<UserName>;Pwd=<Password>;
    #Example : ConnectionString Driver=/usr/lib/oracle/19.15/client64/lib/libsqora.so.19.1;Dbq=100.108.178.240:1521/orcl;Uid=SYSTEM;Pwd=lObO!190;

    IdType  timestamp
	SQL SELECT /*+ USE_HASH(ACT,AOM) */          'Unified_Auditing' as Log_Type, (cast(EVENT_TIMESTAMP as date) - date '1970-01-01')*24*60*60*1000 AS id, OS_USER AS OS_USERNAME,          	   USERID AS USERNAME, HOST_NAME AS USERHOST,   TERMINAL AS TERMINAL,          	   OBJ_OWNER AS OWNER,          	   OBJ_NAME AS OBJ_NAME,          	  ACTION AS ACTION,          	    act.name as ACTION_NAME, NEW_OWNER AS NEW_OWNER,          	   NEW_NAME AS NEW_NAME,          	    OBJECT_PRIVILEGES AS OBJ_PRIVILEGE,          	  SYSTEM_PRIVILEGE_USED AS SYS_PRIVILEGE,      DV_GRANTEE AS GRANTEE, AUDIT_OPTION AS AUDIT_OPTION, 	   AUTHENTICATION_TYPE AS COMMENT_TEXT,          	   SESSIONID AS SESSIONID,          	   ENTRY_ID AS ENTRY_ID,          	   STATEMENT_ID AS STATEMENTID,          	   RETURN_CODE AS RETURNCODE,   SYSTEM_PRIVILEGE_USED AS PRIV_USED,          	   CLIENT_IDENTIFIER AS CLIENT_ID,  PROXY_SESSIONID AS PROXY_SESSIONID,          	   GLOBAL_USERID AS GLOBAL_UID,       INSTANCE_ID AS INSTANCE_NUMBER,          	   OS_PROCESS AS OS_PROCESS,   TRANSACTION_ID AS TRANSACTIONID,          	   SCN AS SCN,          	   to_nchar(substr(SQL_BINDS, 1, 2000)) AS SQL_BIND,          	   replace(to_nchar(substr(SQL_TEXT, 1, 2000)),'|',' ') AS SQL_TEXT  ,   (select HOST_NAME from v$instance) as HOST_ID   from AUDSYS.AUD$UNIFIED  	   LEFT JOIN audit_actions act USING(action) LEFT JOIN v$instance v USING(HOST_NAME)   where         EVENT_TIMESTAMP > ? AND rownum < 2000 order by EVENT_TIMESTAMP desc
	Exec    parse_syslog();
</Input>

Then send over syslog, Google parser supports this log format.

Terms & ConditionsCookie settingsAccessibility statement
Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

© 2025 Google. All rights reserved.