Oracle Database Audit - OracleDatabaseAuditEvent function is looking for "Oracle Unified Audit" in Syslog messages but does not match logs produced

[PCNZ]

Describe the bug This line does not parse the syslog correctly with default Oracle Database Audit configuration. Syslog | where SyslogMessage contains "Oracle Unified Audit" https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/OracleDatabaseAudit/Parsers/OracleDatabaseAuditEvent.yaml When logs are ingested by AMA, part of the Oracle syslog message is mapped into the ProcessName field so the parser does not match. Changing it to this resolves the problem. Syslog | where SyslogMessage contains "Unified Audit" and ProcessName == "Oracle" Here is an example of a RAW syslog message. 2023-10-26T03:07:34.040652-04:00 acmeproddb1 Oracle Unified Audit[15149]: LENGTH: '150' TYPE:"4" DBID:"816595110" SESID:"1215445" CLIENTID:"" ENTRYID:"0" STMTID:"0" DBUSER:"PIMSDB" CURUSER:"" ACTION:"102" RETCODE:"0" SCHEMA:"" OBJNAME:"" acmeproddb1 is mapped to Syslog\Computer Oracle is mapped to Syslog\ProcessName The rest of the message is mapped to Syslog\SyslogMessage

To Reproduce Steps to reproduce the behavior:

1. Install Oracle DB on SUSE Linux acmeproddb1
2. Modify init.ora to add UNIFIED_AUDIT_SYSTEMLOG = ‘LOCAL7.INFO’ UNIFIED_AUDIT_COMMON_SYSLOG = TRUE
3. Add acmeproddb1 to Azure Arc
4. Create DCR to collect Linux Syslog from acmeproddb1 on the Local7 facility
5. Install Oracle Database Audit solution from Content Hub 2.0.4
6. Observe output in the Syslog,
7. Run log query and observe no results Syslog | where SyslogMessage contains "Oracle Unified Audit"
8. Run log query using function "OracleDatabaseAuditEvent" and observe no results10.

Expected behavior Default configuration of Oracle Database Audit using AMA should return results when using the function "OracleDatabaseAuditEvent" included with the Content Hub solution.

Additional context Add any other context about the problem here.

[github-actions[bot]]

Thank you for submitting an Issue to the Azure Sentinel GitHub repo! You should expect an initial response to your Issue from the team within 5 business days. Note that this response may be delayed during holiday periods. For urgent, production-affecting issues please raise a support ticket via the Azure Portal.

[v-muuppugund]

Hi @PCNZ , Thanks for flagging this issue, we will investigate this issue and get back to you with some updates by 07Nov23. Thanks!

[v-muuppugund]

@PCNZ I am unable to replicate exact machine for this issue ,could you please confirm the exact configuration using to set up the oracle db?please find below screen shot for reference is it the same configuration?

[v-muuppugund]

@PCNZ Could you please help me with above details on this issue,so will proceed further

[v-muuppugund]

Hi @PCNZ , Gentle Reminder: We are waiting for your response on this issue. If you still need to keep this issue active, please respond to it in the next 2 days. If we don't receive response by the given date, we will close this issue.

[PCNZ]

@PCNZ I am unable to replicate exact machine for this issue ,could you please confirm the exact configuration using to set up the oracle db?please find below screen shot for reference is it the same configuration?

Yes this was SUSE 15 SP4, it was installed on prem not using an Azure template though.

[v-muuppugund]

@PCNZ ,Sure will check on it and work on the analysis and come back with an update

[v-muuppugund]

@PCNZ Unable to set up the environment as having windows machine,meanwhile checking internally,Could you please share email id and convenient time ,so can understand more about the issue and work for a solution,Thanks

[v-muuppugund]

@PCNZ , Gentle reminder, Could you please check the above comment and share email id and convenient time for teams meeting for further trouble shooting issue.

[PCNZ]

@PCNZ Unable to set up the environment as having windows machine,meanwhile checking internally,Could you please share email id and convenient time ,so can understand more about the issue and work for a solution,Thanks

No way to share email id privately here. What would you like to know?

[v-muuppugund]

Hi @PCNZ ,Please share convenient time slots to this email id [email protected],Thanks.

[v-muuppugund]

Hi @PCNZ , Gentle Reminder: Please share convenient time slots to this email id [email protected],Thanks.

[v-muuppugund]

Hi @PCNZ , received email not the time slots, Gentle Reminder: Please share convenient time slots to this email id [email protected],Thanks.

[PCNZ]

Hi @PCNZ , received email not the time slots, Gentle Reminder: Please share convenient time slots to this email id [email protected],Thanks.

You got my first email but are you saying you haven't seen my subsequent emails? Please check.

[v-muuppugund]

Hi @PCNZ ,I have replied your email on 23Nov23 for convenient time slots,Could you please share convenient time slots,Thanks,Please find below screen shot for reference.

[v-sudkharat]

Hi @PCNZ, could you please have a look at above comment and share your convenient time with @v-muuppugund Thanks!

[PCNZ]

Hi @PCNZ, could you please have a look at above comment and share your convenient time with @v-muuppugund Thanks!

We caught up yesterday, v-muuppugund had tested using OMS not AMA and DCR. So is going to retest and compare with example provided in OP. Suspect AMA maybe the reason for the log format being different or specific Oracle DB config is needed and the steps in the data connector need to be updated to reflect this. They can message me directly if any further info is needed.

[v-sudkharat]

Hi @PCNZ, Noted. Thanks!

[v-muuppugund]

Hi @PCNZ ,As discussed over teams ,I am working on this ,will share updates from next week by 21Dec23

[v-muuppugund]

Hi @PCNZ ,Still working on set up ,once data ingested, will work on further analysis of the issue and share updates to you.

[v-muuppugund]

Hi @PCNZ ,As discussed over teams, working on data ingestion, will update you.

[v-muuppugund]

Hi @PCNZ ,Yesterday blocked your calendar to explain the status,I have resolved the issues and working on issue replication,will get back to you with an update

[v-muuppugund]

Hi @PCNZ , Still need some time to replicate the issue,will try to update by Wednesday i.e. 24/1/2024 for status updates,Please join the meeting and let me know this time isn't conveninet.

[v-muuppugund]

@PCNZ ,As discussed yesterday, working on replication of issue with other options and blocked calendar for wednesday ,trying my best to replicate the issue and have a e2e demo session ,will post updates over teams

[v-muuppugund]

@PCNZ ,As discussed over call today,Showed demo for environment configured, as noticed there are certain logs not updated in linux VM ,so will be working on it and will update you ,we can have a teams meeting for a demo.

[v-muuppugund]

@PCNZ ,updated the configuration for enabling missing logs ,working on it, once ready ,will block some time this week or early next week for e2e demo.

[v-muuppugund]

@PCNZ ,As discussed over teams, due to VM complicance and its been deleted,so set up again, once setup completed, will schedule call for demo.

[v-muuppugund]

@PCNZ ,as discussed over teams, set up done, working on data in oracle, once done, will do configurations test it and then block your time for e2e demo session.

[v-muuppugund]

Hi @PCNZ ,as discussed over email,The following is the status and worked on this week,will update you 1.VM created 2.Oracle server and db created 3.Int.ora updated with unfiied auditing 4.Audited the records as demoed earlier

I am having an issue with logging the audit records from oracle and working on it ,please find below screen shot for reference,Once issue resolved ,will schedule call for demo,

[v-muuppugund]

Hi @PCNZ , I have fixed the issue and replicate the issue and please find below screen shot for reference,will discuss in detail on call