Hello Fabio, I am facing the same problem as you explained... did you find any workaround to read Oracle 9i audit files?
Thank you. Best, Sathish.

On Thursday, December 10, 2009 7:03:41 PM UTC+5:30, Fabio Paracchini wrote:

> Hi folks,
>
> I implemented a new collector for Oracle 9i audit trail, but I have a little problem regarding the funny way used by Oracle to write logfiles.
>
> Oracle writes in the same directory a different logfile for each process. I’m able to correctly monitor the files that already exist at OSSEC start, but it seems that there is no way to check and monitor new files.
>
> Is it possible to have the agent check for new files periodically or, better, to start monitoring the file as soon as it appears?
>
> As an alternative, is it possible to have the agent read the beginning of the logfile instead of reading from the last byte, so that I can restart the agent periodically (e.g. every 10 minutes) and analyze the logs?
>
> I tried to look at logcollector.c but for sure there is someone out there that has better knowledge…
>
> I’ll be more than happy to release the code for inclusion in the main release, but I’d like to have it work properly.
>
> Thank you in advance for the help.
>
> Ciao
> Fabio
>
> The Agent configuration is as follows:
>
> <localfile>
>   <log_format>oracle_audit_log</log_format>
>   <location>/vol1/ora9/product/9.2/rdbms/audit/*.aud</location>
> </localfile>
>
> The directory structure is similar to this:
>
> ls /vol1/ora9/product/9.2/rdbms/audit
> ora_3849.aud ora_3960.aud ora_4446.aud ora_4636.aud ora_4654.aud ora_4672.aud ora_4704.aud ora_4722.aud ora_4841.aud
>
> The single file contains something like that:
>
> Audit file /vol1/ora9/product/9.2/rdbms/audit/ora_3849.aud
> Oracle9i Release 9.2.0.4.0 - Production
> JServer Release 9.2.0.4.0 - Production
> ORACLE_HOME = /vol1/ora9/product/9.2
> System name: Linux
> Node name: LNXSQU23.*****
> Release: 2.4.21-20.ELsmp
> Version: #1 SMP Wed Aug 18 20:46:40 EDT 2004
> Machine: i686
> Instance name: cope
> Redo thread mounted by this instance: 1
> Oracle process number: 15
> Unix process pid: 3849, image: oracle@LNXSQU23.**** (TNS V1-V3)
>
> Thu Dec 10 12:34:03 2009
> ACTION : 'CONNECT'
> DATABASE USER: 'SYS'
> PRIVILEGE : SYSDBA
> CLIENT USER: ******
> CLIENT TERMINAL: *******
> STATUS: 0
>
> Thu Dec 10 12:34:03 2009
> ACTION : 'declare cursor NlsParamsCursor is SELECT * FROM nls_session_parameters;begin SELECT Nvl(Lengthb(Chr(65536)), Nvl(Lengthb(Chr(256)), 1)) INTO
> :CharLength FROM dual; for NlsRecord in NlsParamsCursor loop if NlsRecord.parameter = 'NLS_DATE_LANGUAGE' then :NlsDateLanguage := NlsRecord.value;
> elsif NlsRecord.parameter = 'NLS_DATE_FORMAT' then '
> DATABASE USER: 'SYS'
> PRIVILEGE : SYSDBA
> CLIENT USER: ********
> CLIENT TERMINAL: ********
> STATUS: 0
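Added example, not code from the thread or from OSSEC's logcollector: a small Python collector that does what Fabio asks of the agent, rescanning the audit directory on every pass so a per-process .aud file created after start is picked up, reading a file from byte 0 the first time and from a saved offset afterwards, and parsing the quoted record layout (timestamp line, then ACTION / DATABASE USER / PRIVILEGE / ... fields) into dicts. The field names, timestamp format and SAMPLE text are assumptions modelled on the file quoted above, and a record not yet followed by a blank line is treated as still being written and left for the next pass.

```python
import re
import tempfile
from datetime import datetime
from pathlib import Path

# Field names and timestamp layout come from the records quoted in the thread (assumed complete).
FIELD_RE = re.compile(r"^(ACTION|DATABASE USER|PRIVILEGE|CLIENT USER|CLIENT TERMINAL|STATUS)\s*:\s*(.*)$")
TS_FORMAT = "%a %b %d %H:%M:%S %Y"
SAMPLE = (  # constructed sample modelled on the quoted file: header block, then blank-line-separated records
    "Audit file /vol1/ora9/product/9.2/rdbms/audit/ora_3849.aud\nOracle9i Release 9.2.0.4.0\n\n"
    "Thu Dec 10 12:34:03 2009\nACTION : 'CONNECT'\nDATABASE USER: 'SYS'\nPRIVILEGE : SYSDBA\nSTATUS: 0\n\n"
    "Thu Dec 10 12:34:03 2009\nACTION : 'SELECT * FROM\nnls_session_parameters;'\nDATABASE USER: 'SYS'\nSTATUS: 0\n\n"
)

def parse_records(text):
    """Yield one dict per audit record; the header block (no timestamp line) is skipped; values keep Oracle's quotes."""
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        try:
            rec, key = {"timestamp": datetime.strptime(lines[0].strip(), TS_FORMAT)}, None
        except (ValueError, IndexError):
            continue  # file header (or empty block), not an audit record
        for line in lines[1:]:
            m = FIELD_RE.match(line)
            if m:
                key = m.group(1)
                rec[key] = m.group(2).strip()
            elif key:  # multi-line SQL text continues the previous field
                rec[key] += "\n" + line
        yield rec

def collect(directory, offsets):
    """Rescan *.aud files: a file first seen is read from byte 0, a known one from its saved offset."""
    new = []
    for path in sorted(Path(directory).glob("*.aud")):
        start = offsets.get(path, 0)
        chunk = path.read_bytes()[start:]  # seek() on an open handle would avoid re-reading big files
        end = chunk.rfind(b"\n\n")  # a last record with no blank line after it is still being written
        if end >= 0:  # ... so only consume up to the last complete record and retry it next pass
            offsets[path] = start + end + 2
            new.extend(parse_records(chunk[:end + 2].decode("utf-8", "replace")))
    return new

def demo():
    """Passes over a temp dir: a file present at start, then a file created later, then nothing new."""
    d, offsets, counts = tempfile.mkdtemp(), {}, []
    for name in ("ora_3849.aud", "ora_4446.aud"):
        Path(d, name).write_bytes(SAMPLE.encode())
        counts.append(len(collect(d, offsets)))
    return counts + [len(collect(d, offsets))]  # [2, 2, 0]
```

Run collect() from a periodic loop (or a cron job) with the same offsets dict, and feed the returned dicts to whatever alerting you use; a SYSDBA CONNECT record is the obvious first thing to alert on.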
