[Filebeat][New Module] Adding support for Oracle Audit logs #21991

Merged
merged 8 commits into from
Nov 11, 2020
Changes from 4 commits
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Expand Up @@ -633,6 +633,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- New juniper.srx dataset for Juniper SRX logs. {pull}20017[20017]
- Adding support for Microsoft 365 Defender (Microsoft Threat Protection) {pull}21446[21446]
- Adding support for FIPS in s3 input {pull}21446[21446]
- Adding support for Oracle Database Audit Logs {pull}21991[21991]
- Add SSL option to checkpoint module {pull}19560[19560]

*Heartbeat*
152 changes: 152 additions & 0 deletions filebeat/docs/fields.asciidoc
Expand Up @@ -65,6 +65,7 @@ grouped in the following categories:
* <<exported-fields-nginx>>
* <<exported-fields-o365>>
* <<exported-fields-okta>>
* <<exported-fields-oracle>>
* <<exported-fields-osquery>>
* <<exported-fields-panw>>
* <<exported-fields-postgresql>>
Expand Down Expand Up @@ -108270,6 +108271,157 @@ type: geo_point

--

[[exported-fields-oracle]]
== Oracle fields

Oracle Module



[float]
=== oracle

Fields from Oracle logs.



[float]
=== database_audit

Module for parsing Oracle Database audit logs



*`oracle.database_audit.status`*::
+
--
Database Audit Status.


type: keyword

--

*`oracle.database_audit.sessionid`*::
+
--
Session ID related to the audit event.


type: keyword

--

*`oracle.database_audit.client_terminal`*::
+
--
If available, the client terminal type, for example "pty"


type: keyword

--

*`oracle.database_audit.client_address`*::
+
--
The IP Address or Domain used by the client.


type: keyword

--

*`oracle.database_audit.client_user`*::
+
--
The user running the client or connection to the database


type: keyword

--

*`oracle.database_audit.database_user`*::
+
--
The database user used to authenticate.


type: keyword

--

*`oracle.database_audit.privilege`*::
+
--
The privilege group related to the database user


type: keyword

--

*`oracle.database_audit.entryid`*::
+
--
EntryID


type: keyword

--

*`oracle.database_audit.userhost`*::
+
--
The host in which the database is running.


type: keyword

--

*`oracle.database_audit.action`*::
+
--
The type of action logged in the audit event.


type: keyword

--

*`oracle.database_audit.action_number`*::
+
--
Action number related to the audit event


type: keyword

--

*`oracle.database_audit.dbid`*::
+
--
The ID of the DB/container accessed.


type: keyword

--

*`oracle.database_audit.length`*::
+
--
The duration length.


type: keyword

--

[[exported-fields-osquery]]
== Osquery fields

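Review bot: several field descriptions in this hunk are too thin or inconsistent to be useful to anyone building detections on them, and since this file is generated the fixes belong in x-pack/filebeat/module/oracle/_meta/fields.yml. `oracle.database_audit.entryid` is described only as "EntryID", `oracle.database_audit.length` as "The duration length." (length of what, in which unit?), and `oracle.database_audit.status` as "Database Audit Status." without saying what values to expect. `oracle.database_audit.userhost` is described as "The host in which the database is running.", yet the module docs in this same PR map `userhost` to `client.ip/domain`, which is the opposite end of the connection; one of the two needs correcting. Also consider whether `sessionid`, `entryid`, `action_number`, `dbid` and `length` should be numeric types (`long`) rather than `keyword`, so they can be range-queried and aggregated, and whether `status` is in fact a numeric return code.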
77 changes: 77 additions & 0 deletions filebeat/docs/modules/oracle.asciidoc
@@ -0,0 +1,77 @@
////
This file is generated! See scripts/docs_collector.py
////

[[filebeat-module-oracle]]
[role="xpack"]

:modulename: oracle
:has-dashboards: false


== Oracle module
beta[]

This is a module for ingesting Audit Trail logs from Oracle Databases.

The module expects an *.aud audit file that is generated from Oracle Databases by default. If this has been disabled then please see the https://docs.oracle.com/en/database/oracle/oracle-database/19/dbseg/introduction-to-auditing.html#GUID-8D96829C-9151-4FA4-BED9-831D088F12FF[Oracle Database Audit Trail Documentation].



include::../include/gs-link.asciidoc[]


[float]
=== Compatibility

This module has been tested with Oracle Database 19c, and should work for 18c as well though it has not been tested.

include::../include/configuring-intro.asciidoc[]

:fileset_ex: database_audit

include::../include/config-option-intro.asciidoc[]

[float]
==== `database_audit` fileset settings

Example config:

[source,yaml]
----
- module: oracle
database_audit:
var.input: file
var.paths: /home/user/oracleauditlogs/*/*.aud
----

include::../include/var-paths.asciidoc[]

*`var.tags`*::

A list of tags to include in events. Including `forwarded` indicates that the
events did not originate on this host and causes `host.name` to not be added to
events. Defaults to `[oracle-database-audit]`.

[float]
==== Oracle Database fields

Oracle Database fields are mapped to the current ECS Fields:
[options="header"]
|==============================================================
| Oracle Fields | ECS Fields |
| privilege | host.user.roles |
| client_user | client.user.name |
| userhost | client.ip/domain |
| database_user | server.user.name |
|==============================================================

:modulename!:


[float]
=== Fields

For a description of each field in the module, see the
<<exported-fields-oracle,exported fields>> section.

2 changes: 2 additions & 0 deletions filebeat/docs/modules_list.asciidoc
Expand Up @@ -46,6 +46,7 @@ This file is generated! See scripts/docs_collector.py
* <<filebeat-module-nginx>>
* <<filebeat-module-o365>>
* <<filebeat-module-okta>>
* <<filebeat-module-oracle>>
* <<filebeat-module-osquery>>
* <<filebeat-module-panw>>
* <<filebeat-module-postgresql>>
Expand Down Expand Up @@ -114,6 +115,7 @@ include::modules/netscout.asciidoc[]
include::modules/nginx.asciidoc[]
include::modules/o365.asciidoc[]
include::modules/okta.asciidoc[]
include::modules/oracle.asciidoc[]
include::modules/osquery.asciidoc[]
include::modules/panw.asciidoc[]
include::modules/postgresql.asciidoc[]
21 changes: 21 additions & 0 deletions x-pack/filebeat/filebeat.reference.yml
Expand Up @@ -1351,6 +1351,27 @@ filebeat.modules:
#var.url: https://yourOktaDomain/api/v1/logs
#var.api_key: 'yourApiTokenHere'

#-------------------------------- Oracle Module --------------------------------
- module: oracle
database_audit:
enabled: true

# Set which input to use between syslog or file (default).
#var.input: file

# Set paths for the log files when file input is used.
# Should only be used together with file input
# var.paths: /home/user/oracleauditlogs/*.aud

# The interface to listen to UDP based syslog traffic. Defaults to
# localhost. Set to 0.0.0.0 to bind to all available interfaces.
# Should only be used together with syslog input
#var.syslog_host: localhost

# The UDP port to listen for syslog traffic. Defaults to 9001.
# Should only be used together with syslog input
#var.syslog_port: 9001

#------------------------------- Osquery Module -------------------------------
- module: osquery
result:
1 change: 1 addition & 0 deletions x-pack/filebeat/include/list.go


19 changes: 19 additions & 0 deletions x-pack/filebeat/module/oracle/_meta/config.yml
@@ -0,0 +1,19 @@
- module: oracle
database_audit:
enabled: true

# Set which input to use between syslog or file (default).
#var.input: file

# Set paths for the log files when file input is used.
# Should only be used together with file input
# var.paths: /home/user/oracleauditlogs/*.aud

# The interface to listen to UDP based syslog traffic. Defaults to
# localhost. Set to 0.0.0.0 to bind to all available interfaces.
# Should only be used together with syslog input
#var.syslog_host: localhost

# The UDP port to listen for syslog traffic. Defaults to 9001.
# Should only be used together with syslog input
#var.syslog_port: 9001
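Review bot: the syslog input settings need an operational caveat and a consistency fix. `var.syslog_host` defaults to `localhost` and the comment suggests `0.0.0.0` to bind all interfaces; since UDP syslog is neither authenticated nor encrypted, a sentence telling operators to expose the port only on a segment restricted to the database hosts (or to keep it on localhost behind a local forwarder) would help them avoid ingesting forged or replayed audit records. The comment "Set which input to use between syslog or file (default)" also conflicts with the module docs in this PR, which describe only `*.aud` files as the source; if syslog is supported the docs should say so, and if not, the `var.syslog_*` settings should be dropped. Style: `# var.paths:` has a space after `#` while the other commented settings (`#var.input`, `#var.syslog_host`) do not, and the example path `/home/user/oracleauditlogs/*.aud` differs from the `/home/user/oracleauditlogs/*/*.aud` used in docs.asciidoc.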
64 changes: 64 additions & 0 deletions x-pack/filebeat/module/oracle/_meta/docs.asciidoc
@@ -0,0 +1,64 @@
[role="xpack"]

:modulename: oracle
:has-dashboards: false


== Oracle module
beta[]

This is a module for ingesting Audit Trail logs from Oracle Databases.

The module expects an *.aud audit file that is generated from Oracle Databases by default. If this has been disabled then please see the https://docs.oracle.com/en/database/oracle/oracle-database/19/dbseg/introduction-to-auditing.html#GUID-8D96829C-9151-4FA4-BED9-831D088F12FF[Oracle Database Audit Trail Documentation].



include::../include/gs-link.asciidoc[]


[float]
=== Compatibility

This module has been tested with Oracle Database 19c, and should work for 18c as well though it has not been tested.

include::../include/configuring-intro.asciidoc[]

:fileset_ex: database_audit

include::../include/config-option-intro.asciidoc[]

[float]
==== `database_audit` fileset settings

Example config:

[source,yaml]
----
- module: oracle
database_audit:
var.input: file
var.paths: /home/user/oracleauditlogs/*/*.aud
----

include::../include/var-paths.asciidoc[]

*`var.tags`*::

A list of tags to include in events. Including `forwarded` indicates that the
events did not originate on this host and causes `host.name` to not be added to
events. Defaults to `[oracle-database-audit]`.

[float]
==== Oracle Database fields

Oracle Database fields are mapped to the current ECS Fields:
[options="header"]
|==============================================================
| Oracle Fields | ECS Fields |
| privilege | host.user.roles |
| client_user | client.user.name |
| userhost | client.ip/domain |
| database_user | server.user.name |
|==============================================================

:modulename!:
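Review bot: the ECS mapping table and the settings section in this hunk do not agree with the rest of the PR. The table maps `userhost` to `client.ip/domain`, but the exported-fields description of `oracle.database_audit.userhost` added in this PR calls it "The host in which the database is running."; decide which side of the connection it is and make both agree (ECS provides `client.ip`/`client.domain` and `server.ip`/`server.domain` for the two cases, and `client.ip/domain` is not itself a field name, so list them separately). `privilege` is mapped to `host.user.roles`, which is an odd target for a database privilege; `user.roles` or `server.user.roles` would be expected if the privilege belongs to the database user. The settings section documents only `var.input`, `var.paths` and `var.tags`, while the module's config.yml in this PR also exposes `var.syslog_host` and `var.syslog_port`, so either document them here or remove them from the config; the example path `/home/user/oracleauditlogs/*/*.aud` also differs from the `/home/user/oracleauditlogs/*.aud` in config.yml. Minor wording: "should work for 18c as well though it has not been tested" reads better as "is expected to work with 18c, but this has not been tested", and `*.aud` should be in backticks so the asterisk is not parsed as asciidoc formatting.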
10 changes: 10 additions & 0 deletions x-pack/filebeat/module/oracle/_meta/fields.yml
@@ -0,0 +1,10 @@
- key: oracle
title: Oracle
description: >
Oracle Module
fields:
- name: oracle
type: group
description: >
Fields from Oracle logs.
fields: