
Oracle syslog relayed through syslog-ng - how to get a hostname/IP included?

Discussion created by RSA Admin Employee on Jun 10, 2011
Latest reply on Jun 21, 2011 by RSA Admin

Has anyone gotten Oracle Audit logging to work behind a syslog-ng relay?

We've got a syslog-ng relay in our second data center that we're using to relay messages to enVision. It is properly configured per the RSA docs and is sending logs for more than a dozen different systems.

Enter Oracle.

An Oracle system behind the syslog-ng relay is incorrectly logging Oracle messages to the relay's IP address. Oracle doesn't put the hostname or IP in its log messages, so the only source enVision can identify is the relay itself. We can see this in a capture of the raw syslog traffic at the enVision server. 10.1.X.Y is the syslog relay, 10.1.A.B is enVision:

12134    50.423856    10.1.X.Y    10.1.A.B    Syslog    LOCAL0.INFO: Jun 10 07:38:39 Oracle Audit[5582888]: LENGTH: "155" SESSIONID: "14005466" ENTRYID: "1" ACTION: "101" RETURNCODE: "0" LOGOFF$PREAD: "0" LOGOFF$LREAD: "69" LOGOFF$LWRITE: "0" LOGOFF$DEAD: "0" SESSIONCPU: "0"\n

For all practical purposes, the hostname appears to be "Oracle", based on its position after the timestamp.

Oracle's docs aren't very helpful; there is little configuration you can do with the AUDIT commands.

We don't want to configure the Oracle boxes to log directly to enVision, bypassing the relay. Any other solutions?
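The misattribution described in this post comes from the BSD syslog (RFC 3164) layout: the token after the timestamp is taken as HOSTNAME, so a message that omits it gets its program name ("Oracle") parsed as the host, and a relay that forwards it unchanged leaves the collector with nothing but the relay's own address. The following is an added example, not code from the post or from RSA/syslog-ng: a small RFC 3164 parser that reproduces the misparse on the captured line, plus a relay-side normalisation that stamps the real sender address into the HOSTNAME field (the same effect syslog-ng's `keep_hostname(no)` option has on a relay) while re-inserting a known bogus "hostname" such as `Oracle` back into the message so it is not lost. The sender addresses `10.1.C.D` and `10.1.C.E`, the second sample line and the `BOGUS_HOSTS` set are constructed for the example.

```python
import re
from typing import Dict, FrozenSet

# Constructed sample: the raw payload captured at the collector in the post,
# with the PRI prefix that LOCAL0.INFO decodes to (facility 16 * 8 + severity 6 = 134).
ORACLE_LINE = (
    '<134>Jun 10 07:38:39 Oracle Audit[5582888]: LENGTH: "155" SESSIONID: "14005466" '
    'ENTRYID: "1" ACTION: "101" RETURNCODE: "0"'
)

# Constructed sample of a well-formed line from a host that does include its hostname.
NORMAL_LINE = '<38>Jun 10 07:38:40 dbhost01 sshd[1234]: Accepted publickey for dba from 10.1.C.F'

# RFC 3164: <PRI>TIMESTAMP HOSTNAME MSG  (TIMESTAMP is "Mmm dd hh:mm:ss", day space-padded).
RFC3164 = re.compile(
    r'^<(?P<pri>\d{1,3})>'
    r'(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) '
    r'(?P<hostname>\S+) '
    r'(?P<msg>.*)$',
    re.DOTALL,
)

# Assumed list of "hostnames" that are really program names emitted by senders that
# omit the HOSTNAME field entirely (the post shows Oracle Audit doing exactly this).
BOGUS_HOSTS: FrozenSet[str] = frozenset({"Oracle"})


def parse_bsd_syslog(line: str) -> Dict[str, object]:
    """Parse one RFC 3164 line; returns pri/facility/severity/timestamp/hostname/msg."""
    m = RFC3164.match(line)
    if not m:
        raise ValueError(f"not an RFC 3164 line: {line!r}")
    fields: Dict[str, object] = dict(m.groupdict())
    pri = int(m["pri"])
    fields["facility"] = pri // 8
    fields["severity"] = pri % 8
    return fields


def restamp_hostname(line: str, sender_ip: str,
                     bogus_hosts: FrozenSet[str] = BOGUS_HOSTS) -> str:
    """Rewrite the HOSTNAME field with the address the relay actually received from.

    This emulates a relay configured not to trust the in-message hostname. For a
    normal line the parsed hostname is simply replaced. For a line whose "hostname"
    is a known program name, the field was never there, so the token is pushed back
    into MSG and the sender address is inserted in front of it.
    """
    f = parse_bsd_syslog(line)
    host = str(f["hostname"])
    msg = str(f["msg"])
    if host in bogus_hosts:
        msg = f"{host} {msg}"
    return f"<{f['pri']}>{f['timestamp']} {sender_ip} {msg}"


if __name__ == "__main__":
    # Shows the misparse the post describes, then the normalised forms.
    print("parsed hostname:", parse_bsd_syslog(ORACLE_LINE)["hostname"])
    print(restamp_hostname(ORACLE_LINE, "10.1.C.D"))
    print(restamp_hostname(NORMAL_LINE, "10.1.C.E"))
```

Run as-is, the parser reports the hostname as `Oracle`, which is what the collector sees; after restamping, the Oracle line carries the sender's address and keeps the `Oracle Audit[...]` prefix intact, while the sshd line has its self-reported `dbhost01` replaced by the relay-observed address. The caveat for a real relay is the same as for `keep_hostname(no)`: it overwrites every sender's own hostname with an address, so it should be paired with DNS resolution or applied only to the sources that need it.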
