Has anyone gotten Oracle Audit logging to work behind a syslog-ng relay?
We've got a syslog-ng relay in our second data center that we're using to relay messages to enVision. It is properly configured per the RSA docs and is sending logs for more than a dozen different systems.
An Oracle system behind the syslog-ng relay is incorrectly logging Oracle messages to the relay's IP address. Oracle doesn't put the hostname or IP in its log messages, so the only source enVision can identify is the relay itself. We can see this in a capture of the raw syslog traffic at the enVision server. 10.1.X.Y is the syslog relay, 10.1.A.B is enVision:
12134 50.423856 10.1.X.Y 10.1.A.B Syslog LOCAL0.INFO: Jun 10 07:38:39 Oracle Audit: LENGTH: "155" SESSIONID: "14005466" ENTRYID: "1" ACTION: "101" RETURNCODE: "0" LOGOFF$PREAD: "0" LOGOFF$LREAD: "69" LOGOFF$LWRITE: "0" LOGOFF$DEAD: "0" SESSIONCPU: "0"\n
For all practical purposes, the hostname appears to be "Oracle", based on its position after the timestamp.
Oracle's docs aren't very helpful; there is little configuration you can do with the AUDIT commands.
We don't want to configure the Oracle boxes to log directly to enVision, bypassing the relay. Any other solutions?
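One relay-side approach, added here as an illustration rather than taken from this thread or from RSA's docs: a syslog-ng rewrite on the relay that stamps the Oracle audit lines with the sending host's address before forwarding, so enVision attributes them to the Oracle server instead of the relay. It assumes the relay's existing network source is named s_net, enVision is 10.1.A.B as above, and the relay's header parser has read "Oracle" as HOST and "Audit" as PROGRAM (confirm that first with a debug destination writing "${HOST}|${PROGRAM}|${MSG}").

```conf
# Added example (not from the thread): relay-side syslog-ng configuration.
# Assumptions: source s_net already exists, enVision is 10.1.A.B, and the
# mis-parsed header yields HOST="Oracle" and PROGRAM="Audit".

# Match only the Oracle audit lines whose "hostname" is really the product name.
filter f_oracle_audit {
    host("^Oracle$") and program("^Audit$");
};

# Replace the bogus HOST with the address the packet actually arrived from.
rewrite r_oracle_host {
    set("${SOURCEIP}", value("HOST"));
};

# Forward with an explicit template so the rewritten HOST is emitted.
# "Oracle" is re-inserted literally because this log path only carries
# Oracle audit records, and enVision's parser keys on "Oracle Audit:".
destination d_envision_oracle {
    udp("10.1.A.B" port(514)
        template("<${PRI}>${DATE} ${HOST} Oracle ${MSGHDR}${MSG}\n"));
};

log {
    source(s_net);
    filter(f_oracle_audit);
    rewrite(r_oracle_host);
    destination(d_envision_oracle);
    flags(final);   # stop these lines from also taking the generic relay path
};

# Alternative without a rewrite: give the Oracle servers their own listener
# and mark it flags(no-hostname), which tells syslog-ng the header carries
# no hostname, so HOST is filled from the sender address at parse time.
```

Verify the result with a capture at enVision, as in the original post: the forwarded line should now read "<timestamp> <oracle-server-ip> Oracle Audit: LENGTH: ..." rather than bare "Oracle Audit:".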