
    1. The Oracle Server App runs on the Oracle default audit log.
      When adding or editing the logs in XpoLog, it is mandatory to apply the correct log type(s) to each of the logs:
      1. oracle - all logs that the application will analyze must have oracle as a log type.
      2. database - all logs that the application will analyze must have database as a log type.
      3. audit - only the audit log must also be configured to have audit as a log type.

    2. By default, the audit log path is taken from the database's audit_file_dest parameter. To set a path for your audit log, execute the command: alter system set audit_file_dest='Desired_Path'.
      Additionally, the AUDIT_TRAIL parameter must be set to 'xml, extended'. To configure it, execute the command: alter system set AUDIT_TRAIL=xml, extended.
    3. Once the required information is set, click Next and edit the log pattern. This step is crucial to the accuracy and deployment of the Oracle Server App. Use the following pattern for the log:
      Oracle audit log:
      {text}<AuditRecord>{regexp:AuditType,Audit Type,ftype=audittype;refName=Message,<Audit_Type>([^<].*)</Audit_Type>}{regexp:Session _ ID,ftype=sessionid;refName=Message,<Session_Id>([^<].*)</Session_Id>}{regexp:StatementID,Statement ID,ftype=statementid;refName=Message,<StatementId>([^<].*)</StatementId>}{regexp:EntryID,EntryId Type,ftype=entryid;refName=Message,<EntryId>([^<].*)</EntryId>}{regexp:DateExtended Timestamp,refName=Message;columnType=date,<Extended_Timestamp>([^<]*)}{regexp:UserName,ftype=username;dateFormat=yyyy-MM-dd'T'HH:mm:ss.SSSSSS'Z';dateUIFormat=yyyy-MM-dd HH:mm:ss.SSSSSS,\\d\\d\\d\\d-\\d\\d-\\d\\dT\\d\\d\\:\\d\\d:\\d\\d\\.\\d\\d\\d\\d\\d\\dZ}{regexp:DB User,ftype=dbuser;refName=Message,<DB_User>(.*)</DB_User>}{regexp:Ext Name,ftype=extname;refName=Message,<DB<Ext_User>Name>([^<].*)</Ext_Name>}{regexp:OS_User,ftype=osuser;refName=Message,<OS_User>([^<].*)</OS_User>}{regexp:Userhost,User Host,ftype=hostname;refName=Message,<Userhost>([^<].*)</Userhost>}{regexp:OS _ Process,ftype=osprocess;refName=Message,<OS_Process>([^<].*)</OS_Process>}{regexp:Terminal,ftype=terminal;refName=Message,<Terminal>([^<].*)</Terminal>}{regexp:Instance _ Number,ftype=instancenumber;refName=Message,<Instance_Number>([^<].*)</Instance_Number>}{regexp:Object _ Schema,ftype=objectschema;refName=Message,<Object_Schema>([^<].*)</Object_Schema>}{regexp:Object _ Name,ftype=object;refName=Message,<Object_Name>([^<].*)</Object_Name>}{regexp:Action,ftype=eventNameaction;refName=Message,<Action>([^<].*)</Action>}{regexp:ReturncodeReturn Code ,ftype=status;refName=Message,<Returncode>([^<].*)</Returncode>}{regexp:SCN,ftype=scn;refName=Message,<Scn>([^<]*).*)</Scn>}{regexp:OSPrivilege,ftype=osprivilege;refName=Message,<OSPrivilege>(.*)</OSPrivilege>}{regexp:SesActions,ftype=sesaction;refName=Message,<SesActions>---------(\w)(.*)</SesAction>}{regexp:DB ID,ftype=dbid;refName=Message,<DBID>(.*)</DBID>}{regexp:Sql_SQL 
Text,ftype=sqltext;refName=Message,<Sql_Text>(.*)</Sql_Text>}{string:Message}</AuditRecord>
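
Added example (not part of the XpoLog documentation): a Python check that an XML audit file carries the elements the pattern above extracts, with a listing of failed actions for review. The sample records, the urn:example namespace and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Element names the log pattern above extracts from each <AuditRecord>.
FIELDS = ["Audit_Type", "Session_Id", "StatementId", "EntryId",
          "Extended_Timestamp", "DB_User", "OS_User", "Userhost",
          "Action", "Returncode", "Sql_Text"]
TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"  # the pattern's yyyy-MM-dd'T'HH:mm:ss.SSSSSS'Z'

# Constructed sample (namespace, users, hosts and values are made up).
SAMPLE = """<Audit xmlns="urn:example:constructed">
<AuditRecord><Audit_Type>1</Audit_Type><Session_Id>4101</Session_Id><StatementId>1</StatementId>
<EntryId>1</EntryId><Extended_Timestamp>2024-01-15T10:30:00.123456Z</Extended_Timestamp>
<DB_User>APPUSER</DB_User><OS_User>svc_app</OS_User><Userhost>app01</Userhost>
<Action>100</Action><Returncode>1017</Returncode></AuditRecord>
<AuditRecord><Audit_Type>1</Audit_Type><Session_Id>4102</Session_Id><StatementId>7</StatementId>
<EntryId>2</EntryId><Extended_Timestamp>2024-01-15T10:31:12.000042Z</Extended_Timestamp>
<DB_User>HR</DB_User><OS_User>alice</OS_User><Userhost>ws17</Userhost>
<Action>3</Action><Returncode>0</Returncode><Sql_Text>SELECT * FROM hr.employees</Sql_Text></AuditRecord>
</Audit>"""

def _local(tag):  # drop any '{namespace}' prefix ElementTree puts on a tag name
    return tag.rsplit("}", 1)[-1]

def parse_audit(xml_text):
    """Return one dict per <AuditRecord>, plus parsed time and missing fields."""
    records = []
    for elem in ET.fromstring(xml_text).iter():
        if _local(elem.tag) != "AuditRecord":
            continue
        rec = {_local(c.tag): (c.text or "").strip() for c in elem}
        ts = rec.get("Extended_Timestamp")
        rec["time"] = (datetime.strptime(ts, TS_FORMAT).replace(tzinfo=timezone.utc)
                       if ts else None)
        rec["missing"] = [f for f in FIELDS if f not in rec]
        records.append(rec)
    return records

def failed_actions(records):
    """Returncode 0 is success; any other value is the ORA- error number."""
    return [r for r in records if r.get("Returncode", "0") != "0"]

def has_sql_text(records):
    """Not every record carries a statement, so check across the whole file."""
    return any(r.get("Sql_Text") for r in records)

if __name__ == "__main__":
    for r in failed_actions(parse_audit(SAMPLE)):
        print(r["time"].isoformat(), r["DB_User"], r["Userhost"], r["Returncode"])
```

If has_sql_text() is false for a whole file, confirm the 'xml, extended' setting from step 2 is in effect before relying on the sqltext field in the app.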