Hello Jared, did you try to configure Oracle logs in JSON format? I think it's the easier way to ingest the logs due to automatic JSON decoding of Wazuh. Do you have this option?
Best regards,

On Saturday, May 5, 2018 at 9:27:38 PM UTC+2, Jared wrote:
> Hello,
>
> I am looking for guidance on how to approach decoding the following events in XML with Wazuh.
>
> Raw format:
>
> <?xml version="1.0" encoding="UTF-8"?>
> <Audit xmlns="http://xmlns.oracle.com/oracleas/schema/dbserver_audittrail-11_2.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/oracleas/schema/dbserver_audittrail-11_2.xsd">
> <Version>11.2</Version>
> <AuditRecord><Audit_Type>1</Audit_Type><Session_Id>108590</Session_Id><StatementId>1</StatementId><EntryId>1</EntryId><Extended_Timestamp>2018-02-06T20:41:03.382000Z</Extended_Timestamp><DB_User>SYSTEM</DB_User><OS_User>NT AUTHORITY\SYSTEM</OS_User><Userhost>WORKGROUP\Marksman-TEST</Userhost><OS_Process>780:1584</OS_Process><Terminal>Marksman-TEST</Terminal><Instance_Number>0</Instance_Number><Action>100</Action><TransactionId>0000000000000000</TransactionId><Returncode>0</Returncode><Comment_Text>Authenticated by: DATABASE</Comment_Text><Priv_Used>5</Priv_Used><DBID>4045712141</DBID>
> </AuditRecord>
> <AuditRecord><Audit_Type>1</Audit_Type><Session_Id>108590</Session_Id><EntryId>2</EntryId><Extended_Timestamp>2018-02-06T20:41:03.386000Z</Extended_Timestamp><DB_User>SYSTEM</DB_User><OS_User>NT AUTHORITY\SYSTEM</OS_User><Userhost>WORKGROUP\Marksman-TEST</Userhost><OS_Process>780:1584</OS_Process><Terminal>Marksman-TEST</Terminal><Instance_Number>0</Instance_Number><Action>101</Action><Returncode>0</Returncode><DBID>4045712141</DBID>
> </AuditRecord>
> </Audit>
>
> By field format:
>
> <?xml version="1.0" encoding="UTF-8"?>
> <Audit xmlns="http://xmlns.oracle.com/oracleas/schema/dbserver_audittrail-11_2.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/oracleas/schema/dbserver_audittrail-11_2.xsd">
> <Version>11.2</Version>
> <AuditRecord>
> <Audit_Type>1</Audit_Type>
> <Session_Id>109109</Session_Id>
> <StatementId>1</StatementId>
> <EntryId>1</EntryId>
> <Extended_Timestamp>2018-02-06T20:45:17.820000Z</Extended_Timestamp>
> <DB_User>SYSTEM</DB_User>
> <OS_User>NT AUTHORITY\SYSTEM</OS_User>
> <Userhost>WORKGROUP\Marksman-TEST</Userhost>
> <OS_Process>780:172</OS_Process>
> <Terminal>Marksman-TEST</Terminal>
> <Instance_Number>0</Instance_Number>
> <Action>100</Action>
> <TransactionId>0000000000000000</TransactionId>
> <Returncode>0</Returncode>
> <Comment_Text>Authenticated by: DATABASE</Comment_Text>
> <Priv_Used>5</Priv_Used>
> <DBID>4045712141</DBID>
> </AuditRecord>
> <AuditRecord>
> <Audit_Type>1</Audit_Type>
> <Session_Id>109109</Session_Id>
> <EntryId>2</EntryId>
> <Extended_Timestamp>2018-02-06T20:45:17.824000Z</Extended_Timestamp>
> <DB_User>SYSTEM</DB_User>
> <OS_User>NT AUTHORITY\SYSTEM</OS_User>
> <Userhost>WORKGROUP\Marksman-TEST</Userhost>
> <OS_Process>780:172</OS_Process>
> <Terminal>Marksman-TEST</Terminal>
> <Instance_Number>0</Instance_Number>
> <Action>101</Action>
> <Returncode>0</Returncode>
> <DBID>4045712141</DBID>
> </AuditRecord>
> </Audit>
>
> 1. This is the content of a single log file
> 2. Getting 1-4 of these per second with a dynamic file name for each file.
> 3. Every file is 40 lines long
> 4. Every log entry has two <AuditRecord> sections
>
> Any help on getting started would be greatly appreciated.
>
> Thank you in advance!!
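As an added example of the JSON route suggested in the reply (not code from Jared or from the Wazuh project): a Python script that turns one of these Oracle 11.2 XML audit files into one JSON object per <AuditRecord>, the shape Wazuh's built-in JSON decoder ingests without a custom XML decoder. The sample XML is constructed from the records quoted above; the oracle_audit_version key is an assumption added to carry the <Version> element into each record.

```python
# Added example, not from the thread: flatten an Oracle 11.2 XML audit trail
# file into one JSON object per <AuditRecord> for Wazuh's JSON decoder.
import json
import xml.etree.ElementTree as ET

# Namespace declared by Oracle's dbserver_audittrail-11_2 schema (from the post).
NS = {"a": "http://xmlns.oracle.com/oracleas/schema/dbserver_audittrail-11_2.xsd"}

# Constructed sample, based on the records quoted in the thread; the second
# record deliberately lacks StatementId, TransactionId, Comment_Text, Priv_Used.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Audit xmlns="http://xmlns.oracle.com/oracleas/schema/dbserver_audittrail-11_2.xsd">
<Version>11.2</Version>
<AuditRecord><Audit_Type>1</Audit_Type><Session_Id>108590</Session_Id>
<StatementId>1</StatementId><EntryId>1</EntryId>
<Extended_Timestamp>2018-02-06T20:41:03.382000Z</Extended_Timestamp>
<DB_User>SYSTEM</DB_User><OS_User>NT AUTHORITY\\SYSTEM</OS_User>
<Userhost>WORKGROUP\\Marksman-TEST</Userhost><Action>100</Action>
<Returncode>0</Returncode><Comment_Text>Authenticated by: DATABASE</Comment_Text>
<Priv_Used>5</Priv_Used><DBID>4045712141</DBID></AuditRecord>
<AuditRecord><Audit_Type>1</Audit_Type><Session_Id>108590</Session_Id>
<EntryId>2</EntryId><Extended_Timestamp>2018-02-06T20:41:03.386000Z</Extended_Timestamp>
<DB_User>SYSTEM</DB_User><OS_User>NT AUTHORITY\\SYSTEM</OS_User>
<Action>101</Action><Returncode>0</Returncode><DBID>4045712141</DBID></AuditRecord>
</Audit>"""


def audit_records(xml_text: str) -> list:
    """Return one flat dict per <AuditRecord>; optional elements are simply absent."""
    # Audit files come from the DB server itself; for XML of untrusted origin,
    # parse with defusedxml rather than the stdlib parser.
    root = ET.fromstring(xml_text)
    version = root.findtext("a:Version", default="", namespaces=NS)
    records = []
    for rec in root.findall("a:AuditRecord", NS):
        fields = {"oracle_audit_version": version}  # assumed key, not in the schema
        for child in rec:
            # Drop the '{namespace}' prefix so keys match the schema element names.
            name = child.tag.rsplit("}", 1)[-1]
            fields[name] = (child.text or "").strip()
        records.append(fields)
    return records


def to_json_lines(xml_text: str) -> str:
    """One JSON object per line: one Wazuh event per audit record."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in audit_records(xml_text))


if __name__ == "__main__":
    print(to_json_lines(SAMPLE_XML))
```

Pointing a Wazuh localfile entry with JSON format at the script's output (or running it over each new audit file before ingestion) keeps every element as a field without writing XML regexes.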