Hello Team,
Not able to parse the required fields from the Oracle database audit logs.
Sample log - <13>1 20**-0*-**T14:51:00+05:30 md****1 journal 3491695 - [meta sequenceId="2"] Oracle Audit[3491695]: LENGTH : '240' ACTION :[7] 'CONNECT' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'oracle' CLIENT TERMINAL:[0] '' STATUS:[1] '0' DBID:[0] '' SESSIONID:[10] '4294**7295' USERHOST:[7] 'md****1' CLIENT ADDRESS:[0] '' ACTION NUMBER:[3] '100'
Not able to parse the fields ACTION, DATABASE USER, etc.
We are getting a grok error, so we took the field DATABASE USER and wrote a grok for that particular field, referring to the default parser, but we are still getting the grok error.
grok {
  match => {
    "message" => [
      # Capture only the quoted value. The original ".*DATABASE\sUSER:(?<DATABASE_USER>.*)\sPRIVILEGE.*"
      # also swallowed the "[1] " length prefix and the quotes, so DATABASE_USER became "[1] '/'"
      # and the comparison against "" and "/" below could never match.
      "DATABASE\sUSER:\[\d+\]\s'(?<DATABASE_USER>[^']*)'"
    ]
  }
  overwrite => ["DATABASE_USER"]
  on_error => "grok_dbuser_fail"
}
# "" and "/" are OS-authenticated logons with no usable database user name, so map nothing for them.
if [DATABASE_USER] not in ["", "/"] {
  mutate {
    replace => {
      "event.idm.read_only_udm.principal.user.user_display_name" => "%{DATABASE_USER}"
    }
  }
}
statedump shows no error for grok.
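The following is an added Python illustration, not part of the post or of any Chronicle parser: it runs the posted capture against the sample line to show what it actually extracts, then parses the Oracle audit `KEY :[N] 'value'` fields using the length prefix N, which also handles a value that contains a quote. `parse_oracle_audit`, `posted_capture` and `principal_display_name` are names chosen here; the length count is assumed to be in ASCII characters.

```python
import re

# Sample line from the post (masked values kept exactly as posted).
SAMPLE = (
    "<13>1 20**-0*-**T14:51:00+05:30 md****1 journal 3491695 - "
    '[meta sequenceId="2"] Oracle Audit[3491695]: LENGTH : \'240\' '
    "ACTION :[7] 'CONNECT' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' "
    "CLIENT USER:[6] 'oracle' CLIENT TERMINAL:[0] '' STATUS:[1] '0' "
    "DBID:[0] '' SESSIONID:[10] '4294**7295' USERHOST:[7] 'md****1' "
    "CLIENT ADDRESS:[0] '' ACTION NUMBER:[3] '100'"
)

# The capture from the post, in Python's (?P<name>...) spelling. The greedy .*
# swallows the "[1] " length prefix and the quotes, so the captured value is
# "[1] '/'" and the later check against "" or "/" can never match.
POSTED = re.compile(r".*DATABASE\sUSER:(?P<DATABASE_USER>.*)\sPRIVILEGE.*")

def posted_capture(msg):
    m = POSTED.match(msg)
    return m.group("DATABASE_USER") if m else None

# Each audit field is "KEY :[N] 'value'" where N is the length of value (LENGTH
# itself has no [N]). Reading exactly N characters (assumed ASCII here) is safer
# than matching up to the next quote, because a value may contain a quote.
FIELD_START = re.compile(r"(?P<key>[A-Z][A-Z ]*?)\s*:(?:\[(?P<len>\d+)\])?\s'")

def parse_oracle_audit(msg):
    fields, pos = {}, 0
    while True:
        m = FIELD_START.search(msg, pos)
        if not m:
            return fields
        start = m.end()
        if m.group("len") is not None:
            end = start + int(m.group("len"))
        else:
            end = msg.index("'", start)  # LENGTH : '240' style field
        if msg[end:end + 1] != "'":
            raise ValueError("length prefix does not line up at offset %d" % start)
        fields[m.group("key").strip()] = msg[start:end]
        pos = end + 1

def principal_display_name(fields):
    """Mirror the conditional from the post: "" and "/" (OS-authenticated
    logons) carry no usable user name, so nothing is mapped for them."""
    user = fields.get("DATABASE USER")
    return None if user in (None, "", "/") else user
```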