Oracle database audit log forwarding to wazuh


Gokul Suresh

Jan 20, 2025, 11:23:25 PM
to Wazuh | Mailing List
Hi Team,

Wazuh has been set up, and the audit logs from the database need to be forwarded to Wazuh.
I would like to know the steps that have to be done on the database side to enable auditing.
The databases are installed on Solaris OS, so I would like some help with forwarding the audit log from the Oracle database to Wazuh in syslog format.

1. Steps to enable auditing in the Oracle database.
2. Syslog configuration to be done to forward the logs to Wazuh.

I have been at this for a while but could not get it done.

hasitha.u...@wazuh.com

Jan 21, 2025, 5:50:07 AM
to Wazuh | Mailing List

Hi Gokul,


I believe you can enable audit logs by following these official Oracle pages.

https://docs.oracle.com/en/cloud/paas/management-cloud/collect-database-audit-logs/index.html

https://docs.oracle.com/cd/E11882_01/server.112/e10575/tdpsg_auditing.htm


I have attached the Oracle page on how to configure syslog audit logs. I suggest you follow it.

https://docs.oracle.com/cd/E36784_01/html/E37127/audittask-11.html


You can configure syslog in the Wazuh server and collect the logs directly with the Wazuh manager. To do that, you can follow this.

https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/syslog.html


Alternatively, if your Oracle DB logs are written to a specific log file, you can install the Wazuh agent on the endpoint and configure the log collection in the agent's ossec.conf file.

Wazuh agent on Solaris: https://documentation.wazuh.com/current/installation-guide/wazuh-agent/wazuh-agent-package-solaris.html


You can follow this guide to learn about how to configure the collection on the endpoint.

https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/monitoring-log-files.html#monitoring-basic-log-files


Further, if your logs do not match any decoders and rules, you need to create custom decoders and rules to extract the event details into fields and generate alerts.

You can test the logs with wazuh-logtest to see whether they match any decoders and rules.

Simply copy the log and paste it after executing this command.

/var/ossec/bin/wazuh-logtest


If no decoders or rules match, you can learn how to create custom decoders and rules from these official pages.

https://documentation.wazuh.com/current/user-manual/ruleset/decoders/custom.html

https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/decoders.html

https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html

https://documentation.wazuh.com/current/user-manual/ruleset/rules/custom.html#custom-rules

https://wazuh.com/blog/creating-decoders-and-rules-from-scratch/


Let me know if this helps.
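The following is an added example, not part of the reply above and not from the Wazuh ruleset, of the kind of custom decoder and rules the reply refers to. It assumes the database writes its standard audit trail to syslog (AUDIT_TRAIL=OS together with AUDIT_SYSLOG_LEVEL, as covered in the 11.2 guide linked above), so that each audit record reaches Wazuh as one syslog line tagged `Oracle Audit[<pid>]:`. The sample record in the comment is constructed to follow that layout; the field order (USERID, USERHOST, TERMINAL, ACTION, RETURNCODE) should be confirmed against a real record from your own database with wazuh-logtest before relying on the regex. Rule IDs, decoder names, and the `oracle.*` field names are choices made for this example.

```xml
<!-- Added example: decoder and rules for Oracle standard-audit records received over syslog.
     Constructed sample line the decoder below is written for:

     Jan 21 10:15:02 dbhost Oracle Audit[4542]: LENGTH: "227" SESSIONID:[6] "350012" ENTRYID:[1] "1" STATEMENT:[1] "1" USERID:[5] "SCOTT" USERHOST:[9] "app01.lan" TERMINAL:[5] "pts/1" ACTION:[3] "100" RETURNCODE:[4] "1017" COMMENT$TEXT:[26] "Authenticated by: DATABASE" OS$USERID:[6] "oracle" DBID:[10] "1234567890"

     File 1: /var/ossec/etc/decoders/local_decoder.xml -->

<decoder name="oracle-audit">
  <!-- Anchor on the record body rather than on program_name, so the match does not
       depend on how the syslog header is split. -->
  <prematch>LENGTH: "\d+" SESSIONID:[</prematch>
</decoder>

<decoder name="oracle-audit-fields">
  <parent>oracle-audit</parent>
  <!-- This is OS_Regex, not PCRE. The [\d+] parts are the field-length prefixes Oracle
       emits; the captures are stored in the dynamic fields listed in <order>.
       \S* allows USERHOST and TERMINAL to be empty. -->
  <regex>USERID:[\d+] "(\S+)" USERHOST:[\d+] "(\S*)" TERMINAL:[\d+] "(\S*)" ACTION:[\d+] "(\d+)" RETURNCODE:[\d+] "(\d+)"</regex>
  <order>oracle.user, oracle.userhost, oracle.terminal, oracle.action, oracle.returncode</order>
</decoder>

<!-- File 2: /var/ossec/etc/rules/local_rules.xml (IDs 100000 and above are reserved for custom rules) -->

<group name="oracle,audit,">
  <!-- Base rule: every decoded Oracle audit record, at a low level so it is recorded
       without paging anyone. Child rules refine it. -->
  <rule id="100200" level="3">
    <decoded_as>oracle-audit</decoded_as>
    <description>Oracle audit: action $(oracle.action) by $(oracle.user) from $(oracle.userhost)</description>
  </rule>

  <!-- ACTION 100 is LOGON in Oracle's AUDIT_ACTIONS table; RETURNCODE 1017 is
       ORA-01017 (invalid username/password). -->
  <rule id="100201" level="5">
    <if_sid>100200</if_sid>
    <field name="oracle.action">^100$</field>
    <field name="oracle.returncode">^1017$</field>
    <description>Oracle audit: failed logon (ORA-01017) for $(oracle.user) from $(oracle.userhost)</description>
    <group>authentication_failed,</group>
  </rule>

  <!-- Correlation: five failed logons from the same host within two minutes. -->
  <rule id="100202" level="10" frequency="5" timeframe="120">
    <if_matched_sid>100201</if_matched_sid>
    <same_field>oracle.userhost</same_field>
    <description>Oracle audit: multiple failed logons from $(oracle.userhost)</description>
    <group>authentication_failures,</group>
  </rule>

  <!-- LOGON with RETURNCODE 0: successful session, worth keeping for privileged accounts. -->
  <rule id="100203" level="3">
    <if_sid>100200</if_sid>
    <field name="oracle.action">^100$</field>
    <field name="oracle.returncode">^0$</field>
    <description>Oracle audit: successful logon by $(oracle.user) from $(oracle.userhost)</description>
    <group>authentication_success,</group>
  </rule>
</group>
```

After adding both files, restart the manager and paste a real record into /var/ossec/bin/wazuh-logtest: phase 2 should show the `oracle.*` fields populated and phase 3 should report rule 100200 (or a child rule). If the fields come out empty, the record layout on your Oracle version differs from the sample and the `<regex>` needs adjusting. Records produced by AUDIT_SYS_OPERATIONS (the SYSDBA/SYSOPER audit) use a different layout and would need a separate decoder.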


Gokul Suresh

Jan 21, 2025, 7:59:14 AM
to Wazuh | Mailing List
Thank you, Hasitha, for your reply.
I will test and check the steps you provided.