I need to send audit logs from Oracle DB version 12c to my SIEM via syslog on IBM AIX. The problem is that it does not include the information I need. For example:
<134>Mar 4 11:00:25 Message forwarded from abc: Oracle Audit[5374348]: LENGTH : '494' ACTION :[344] '9'),chartorowid('AAAAJCAABAAAA+nABn'),chartorowid('AAAAJCAABAAAA+nABv'),chartorowid('AAAAJCAABAAAisBAAP'),chartorowid('AAAAJCAABAAAisBAC9'),chartorowid('AAAAJCAABAAAisBADQ'),chartorowid('AAAAJCAABAAAisDACn'),chartorowid('AAAAJCAABAAAisEABG'),chartorowid('AAAAJCAABAAAisEABf'),chartorowid('AAAAJCAABAAAisEABn'),chartorowid('AAAAJCAABAAAisEACb'),' DATABASE USER:[3] 'SYS' PRIVILEGE :[4] 'NONE' CLIENT USER:[0] '' CLIENT TERMINAL:[7] 'UNKNOWN' STATUS:[1] '0' DBID:[10] '2346730987'
It does not have the source IP information, which is really needed for parsing the log for security purposes. Is it possible for us to modify it and include some information that we need? Thanks!
It is not possible to modify the information generated by Oracle's internal auditing. If you need to supplement the data going to your SIEM, then either
the SIEM tool needs to generate SQL queries to the audit trail and any other necessary tables within the database, instead of relying on syslog; or
you need to write a custom PL/SQL function to run the appropriate queries and use UTL_FILE to write the output to an external log file that the SIEM can read.
That said, it looks like your log sample is an audit of SYS actions, which may not even exist in the internal audit trail depending on your specific setup and version. If that is the case, what you see is all there is.
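A sketch of the second option above, added here as an example and not code from the answer: a PL/SQL procedure that reads DBA_AUDIT_TRAIL, attaches the client address from each session's LOGON record, and appends one line per record through UTL_FILE. It assumes traditional auditing to the database with session auditing enabled, and that the LOGON record's COMMENT_TEXT holds the client address; the procedure name, the directory object AUDIT_EXPORT_DIR and the file name are hypothetical.

```sql
-- Added example, not part of the original answer.
-- Hypothetical names: export_audit_for_siem, AUDIT_EXPORT_DIR, oracle_audit_siem.log
CREATE OR REPLACE PROCEDURE export_audit_for_siem (
  p_since IN TIMESTAMP WITH TIME ZONE   -- export only records newer than this
) AS
  v_file UTL_FILE.FILE_TYPE;

  -- Keep one record per line and keep key="value" pairs parseable by the SIEM
  FUNCTION clean (p_val IN VARCHAR2) RETURN VARCHAR2 IS
  BEGIN
    RETURN REPLACE(REPLACE(REPLACE(p_val, CHR(13), ' '), CHR(10), ' '), '"', '''');
  END clean;
BEGIN
  -- 'a' appends, so the SIEM agent can tail the file
  v_file := UTL_FILE.FOPEN('AUDIT_EXPORT_DIR', 'oracle_audit_siem.log', 'a', 32767);

  FOR r IN (
    SELECT a.extended_timestamp, a.username, a.os_username, a.userhost,
           a.terminal, a.action_name, a.returncode, a.sessionid,
           -- Assumption: the session's LOGON record carries (HOST=...) in COMMENT_TEXT
           REGEXP_SUBSTR(l.comment_text, 'HOST=([^)]+)', 1, 1, NULL, 1) AS client_ip
      FROM dba_audit_trail a
      LEFT JOIN dba_audit_trail l
        ON l.sessionid = a.sessionid
       AND l.action_name = 'LOGON'
     WHERE a.extended_timestamp > p_since
     ORDER BY a.extended_timestamp
  ) LOOP
    UTL_FILE.PUT_LINE(v_file,
         'ts="'         || TO_CHAR(r.extended_timestamp, 'YYYY-MM-DD"T"HH24:MI:SS.FF3TZH:TZM')
      || '" dbuser="'   || clean(r.username)
      || '" osuser="'   || clean(r.os_username)
      || '" userhost="' || clean(r.userhost)
      || '" terminal="' || clean(r.terminal)
      || '" client_ip="'|| clean(r.client_ip)   -- empty for local connections
      || '" action="'   || clean(r.action_name)
      || '" status="'   || r.returncode
      || '" session="'  || r.sessionid || '"');
  END LOOP;

  UTL_FILE.FCLOSE(v_file);
EXCEPTION
  WHEN OTHERS THEN
    -- Do not leave the file handle open if the query or a write fails
    IF UTL_FILE.IS_OPEN(v_file) THEN UTL_FILE.FCLOSE(v_file); END IF;
    RAISE;
END export_audit_for_siem;
/
```

The owning schema needs SELECT on DBA_AUDIT_TRAIL granted directly (not through a role) and READ and WRITE on the directory object; records that never reach DBA_AUDIT_TRAIL, such as the SYS actions mentioned above, are not covered by this export.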