I have enabled the Database Auditing for Oracle Database servers. Can anyone guide me on some custom reports related to Oracle servers.
Thanks in advance
SQL Where clause for failed logins from the Database Audit table, which I discovered via trial an error:
Action IN ('CONNECT','LOGON','LOGOFF') AND Status NOT LIKE '0'
I thought I'd reply to this old forum post in case anybody else is looking for an answer. It's a 3 step process in my opinion.
First create a report that shows all the unique Oracle events that are being logged by your RSA appliance. Then create a second report that targets one or more Action or MessageID, and return all fields for that report (but don't include the sum, count, average, percentcount, etc. fields). Finally, refine your report to return only the fields that returned relevant data.
Below will show you how to create an Oracle report that shows you all the event types being logged (ex: ALTER, CREATE, DELETE, DROP, INSERT, LOGON, LOGOFF, SELECT, etc.). Note that by default RSA's config guide for Oracle devices only shows logon and logoff events.
Type of report: Tabular
Select table: Database AuditSelect fields: Action, count(MessageID), MessageID, percentCount(MessageID)
Sort: Action (Ascending)
SQL: DeviceAddress = '127.0.0.1' (replace 127.0.0.1 with a database IP for testing purposes)
Columns: Action, MessageID, Frequency, Perventage of Events
Run this report to see what you get. Then create a second report to target a specific Action or MessageID (ex: Action LIKE 'DROP%' OR Action LIKE 'DELETE%' )
Retrieving data ...