[Filebeat][New Module] Adding support for Oracle Audit logs (#21991) (#22556)

Oracle module, with an audit log fileset

(cherry picked from commit 8af7145)

Co-authored-by: Marius Iversen <pillus@chasenet.org>
leehinman and P1llus authored Nov 19, 2020
1 parent 1a37171 commit eda3e7a
Showing 54 changed files with 26,583 additions and 0 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
@@ -499,6 +499,7 @@ from being added to events by default. {pull}18159[18159]
- New juniper.srx dataset for Juniper SRX logs. {pull}20017[20017]
- Adding support for Microsoft 365 Defender (Microsoft Threat Protection) {pull}21446[21446]
- Adding support for FIPS in s3 input {pull}21446[21446]
- Adding support for Oracle Database Audit Logs {pull}21991[21991]
- Add max_number_of_messages config into s3 input. {pull}21993[21993]
- Update Okta documentation for new stateful restarts. {pull}22091[22091]
- Add SSL option to checkpoint module {pull}19560[19560]
152 changes: 152 additions & 0 deletions filebeat/docs/fields.asciidoc
@@ -65,6 +65,7 @@ grouped in the following categories:
* <<exported-fields-nginx>>
* <<exported-fields-o365>>
* <<exported-fields-okta>>
* <<exported-fields-oracle>>
* <<exported-fields-osquery>>
* <<exported-fields-panw>>
* <<exported-fields-postgresql>>
@@ -108278,6 +108279,157 @@ type: geo_point

--

[[exported-fields-oracle]]
== Oracle fields

Oracle Module



[float]
=== oracle

Fields from Oracle logs.



[float]
=== database_audit

Module for parsing Oracle Database audit logs



*`oracle.database_audit.status`*::
+
--
Database Audit Status.


type: keyword

--

*`oracle.database_audit.session_id`*::
+
--
Indicates the audit session ID number.


type: keyword

--

*`oracle.database_audit.client.terminal`*::
+
--
If available, the client terminal type, for example "pty".


type: keyword

--

*`oracle.database_audit.client.address`*::
+
--
The IP Address or Domain used by the client.


type: keyword

--

*`oracle.database_audit.client.user`*::
+
--
The user running the client or connection to the database.


type: keyword

--

*`oracle.database_audit.database.user`*::
+
--
The database user used to authenticate.


type: keyword

--

*`oracle.database_audit.privilege`*::
+
--
The privilege group related to the database user.


type: keyword

--

*`oracle.database_audit.entry.id`*::
+
--
Indicates the current audit entry number, assigned to each audit trail record. The audit entry.id sequence number is shared between fine-grained audit records and regular audit records.


type: keyword

--

*`oracle.database_audit.database.host`*::
+
--
Client host machine name.


type: keyword

--

*`oracle.database_audit.action`*::
+
--
The action performed during the audit event. This could for example be the raw query.


type: keyword

--

*`oracle.database_audit.action_number`*::
+
--
Action is a numeric value representing the action the user performed. The corresponding name of the action type is in the AUDIT_ACTIONS table. For example, action 100 refers to LOGON.


type: keyword

--

*`oracle.database_audit.database.id`*::
+
--
Database identifier calculated when the database is created. It corresponds to the DBID column of the V$DATABASE data dictionary view.


type: keyword

--

*`oracle.database_audit.length`*::
+
--
Refers to the total number of bytes used in this audit record. This number includes the trailing newline bytes (\n), if any, at the end of the audit record.


type: long

--

[[exported-fields-osquery]]
== Osquery fields

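Review bot: `oracle.database_audit.database.host` is described as "Client host machine name", which contradicts its `database.` prefix; if it holds the client's host it belongs beside `client.address` and `client.terminal` (for example as `oracle.database_audit.client.host`), and if it holds the database server's host the description should say so. Two smaller points in the same hunk: the `action_number` description opens with "Action is a numeric value", which reads as documentation for the `action` field, so start it with "Action number is"; and `status` is documented only as "Database Audit Status.", which tells the reader nothing about the values to expect, so state what the field holds and what its values mean, since detection rules for failed logons will key off it.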
77 changes: 77 additions & 0 deletions filebeat/docs/modules/oracle.asciidoc
@@ -0,0 +1,77 @@
////
This file is generated! See scripts/docs_collector.py
////

[[filebeat-module-oracle]]
[role="xpack"]

:modulename: oracle
:has-dashboards: false


== Oracle module
beta[]

This is a module for ingesting Audit Trail logs from Oracle Databases.

The module expects an *.aud audit file that is generated from Oracle Databases by default. If this has been disabled then please see the https://docs.oracle.com/en/database/oracle/oracle-database/19/dbseg/introduction-to-auditing.html#GUID-8D96829C-9151-4FA4-BED9-831D088F12FF[Oracle Database Audit Trail Documentation].



include::../include/gs-link.asciidoc[]


[float]
=== Compatibility

This module has been tested with Oracle Database 19c, and should work for 18c as well though it has not been tested.

include::../include/configuring-intro.asciidoc[]

:fileset_ex: database_audit

include::../include/config-option-intro.asciidoc[]

[float]
==== `database_audit` fileset settings

Example config:

[source,yaml]
----
- module: oracle
database_audit:
var.input: file
var.paths: /home/user/oracleauditlogs/*/*.aud
----

include::../include/var-paths.asciidoc[]

*`var.tags`*::

A list of tags to include in events. Including `forwarded` indicates that the
events did not originate on this host and causes `host.name` to not be added to
events. Defaults to `[oracle-database-audit]`.

[float]
==== Oracle Database fields

Oracle Database fields are mapped to the current ECS Fields:
[options="header"]
|==============================================================
| Oracle Fields | ECS Fields |
| privilege | host.user.roles |
| client_user | client.user.name |
| userhost | client.ip/domain |
| database_user | server.user.name |
|==============================================================

:modulename!:


[float]
=== Fields

For a description of each field in the module, see the
<<exported-fields-oracle,exported fields>> section.

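Review bot: this file carries the "This file is generated! See scripts/docs_collector.py" header, so wording and table fixes belong in x-pack/filebeat/module/oracle/_meta/docs.asciidoc and should be regenerated from there rather than edited in this copy; the review comments on that source file apply here unchanged.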
2 changes: 2 additions & 0 deletions filebeat/docs/modules_list.asciidoc
@@ -46,6 +46,7 @@ This file is generated! See scripts/docs_collector.py
* <<filebeat-module-nginx>>
* <<filebeat-module-o365>>
* <<filebeat-module-okta>>
* <<filebeat-module-oracle>>
* <<filebeat-module-osquery>>
* <<filebeat-module-panw>>
* <<filebeat-module-postgresql>>
@@ -114,6 +115,7 @@ include::modules/netscout.asciidoc[]
include::modules/nginx.asciidoc[]
include::modules/o365.asciidoc[]
include::modules/okta.asciidoc[]
include::modules/oracle.asciidoc[]
include::modules/osquery.asciidoc[]
include::modules/panw.asciidoc[]
include::modules/postgresql.asciidoc[]
12 changes: 12 additions & 0 deletions x-pack/filebeat/filebeat.reference.yml
@@ -1402,6 +1402,18 @@ filebeat.modules:
#var.url: https://yourOktaDomain/api/v1/logs
#var.api_key: 'yourApiTokenHere'

#-------------------------------- Oracle Module --------------------------------
- module: oracle
database_audit:
enabled: true

# Set which input to use between syslog or file (default).
#var.input: file

# Set paths for the log files when file input is used.
# Should only be used together with file input
# var.paths: /home/user/oracleauditlogs/*.aud

#------------------------------- Osquery Module -------------------------------
- module: osquery
result:
1 change: 1 addition & 0 deletions x-pack/filebeat/include/list.go
10 changes: 10 additions & 0 deletions x-pack/filebeat/module/oracle/_meta/config.yml
@@ -0,0 +1,10 @@
- module: oracle
database_audit:
enabled: true

# Set which input to use between syslog or file (default).
#var.input: file

# Set paths for the log files when file input is used.
# Should only be used together with file input
# var.paths: /home/user/oracleauditlogs/*.aud
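Review bot: the commented default `# var.paths: /home/user/oracleauditlogs/*.aud` does not match the `/home/user/oracleauditlogs/*/*.aud` glob shown in the module docs in this same change; use one glob in both places so a user who uncomments the line gets the documented behaviour. Also keep the comment style consistent within the block: `#var.input: file` has no space after `#` while `# var.paths:` does, and "Should only be used together with file input" should end with a period like the comments around it.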
64 changes: 64 additions & 0 deletions x-pack/filebeat/module/oracle/_meta/docs.asciidoc
@@ -0,0 +1,64 @@
[role="xpack"]

:modulename: oracle
:has-dashboards: false


== Oracle module
beta[]

This is a module for ingesting Audit Trail logs from Oracle Databases.

The module expects an *.aud audit file that is generated from Oracle Databases by default. If this has been disabled then please see the https://docs.oracle.com/en/database/oracle/oracle-database/19/dbseg/introduction-to-auditing.html#GUID-8D96829C-9151-4FA4-BED9-831D088F12FF[Oracle Database Audit Trail Documentation].



include::../include/gs-link.asciidoc[]


[float]
=== Compatibility

This module has been tested with Oracle Database 19c, and should work for 18c as well though it has not been tested.

include::../include/configuring-intro.asciidoc[]

:fileset_ex: database_audit

include::../include/config-option-intro.asciidoc[]

[float]
==== `database_audit` fileset settings

Example config:

[source,yaml]
----
- module: oracle
database_audit:
var.input: file
var.paths: /home/user/oracleauditlogs/*/*.aud
----

include::../include/var-paths.asciidoc[]

*`var.tags`*::

A list of tags to include in events. Including `forwarded` indicates that the
events did not originate on this host and causes `host.name` to not be added to
events. Defaults to `[oracle-database-audit]`.

[float]
==== Oracle Database fields

Oracle Database fields are mapped to the current ECS Fields:
[options="header"]
|==============================================================
| Oracle Fields | ECS Fields |
| privilege | host.user.roles |
| client_user | client.user.name |
| userhost | client.ip/domain |
| database_user | server.user.name |
|==============================================================

:modulename!:
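Review bot: the ECS mapping table lists `client.ip/domain` as the target for `userhost`, which is not a single ECS field; split it into `client.ip` and `client.domain` rows and say how the module decides which one a given `userhost` value lands in, because the same field holding either an address or a hostname is what the `oracle.database_audit.client.address` description in fields.asciidoc also allows. In the same table `privilege` maps to `host.user.roles`, yet the privilege belongs to the database user that `database_user` maps to `server.user.name`, so `server.user.roles` would be the consistent target. Finally, `_meta/config.yml` in this change says the input can be `syslog` or `file`, but the fileset settings here document only `var.paths` and `var.tags`; if syslog is supported, document its settings here, and if it is not, drop the option from the config comment.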
10 changes: 10 additions & 0 deletions x-pack/filebeat/module/oracle/_meta/fields.yml
@@ -0,0 +1,10 @@
- key: oracle
title: Oracle
description: >
Oracle Module
fields:
- name: oracle
type: group
description: >
Fields from Oracle logs.
fields: