SIEM tool with 19c multi-tenant and Unified Auditing
From: DOUG KUSHNER <dougk5_at_cox.net>
Date: Fri, 23 Jun 2023 12:18:59 -0700 (MST)
Message-ID: <836236848.652225.1687547939645_at_myemail.cox.net>
We have been using QRadar for many years with 11g, and it was efficiently querying the DBA_AUDIT_TRAIL view to fetch audit trail rows. These databases have all been migrated to 19c (19.19) single-tenant. Interfacing QRadar with 19c's Unified Auditing has been a challenge. IBM does not yet support 19c or multi-tenant (no surprise there), so no help from them.
Wondering if anyone can share a success story using their SIEM tool to query Oracle to scrape rows from the unified audit trail in a single or multi-tenant scenario.
- Do you pull CDB and PDB records together? My experience with this has resulted in expensive parallel execution plans. Looks like the best bet is to query the CDB and PDB separately.
- Do you pull from the unified audit table directly or from the audit trail view?
- As recommended by Oracle, the partition interval on the audit table has been changed from 1 month to 1 day. Have you also set up a local index on the partition key (event_timestamp) column?
- Any other configuration changes that we should be aware of?
To further complicate matters, our security team wants to filter logs through Cribl and then pass on to QRadar, but it seems that this is a square peg / round hole solution when it comes to Oracle. Cribl does not have built-in Oracle database connectivity. I am trying to avoid having to write the audit trail out to disk, losing the ability to query it in the database.
Regards,
Doug
-- http://www.freelists.org/webpage/oracle-l
Received on Fri Jun 23 2023 - 21:18:59 CEST
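As an added illustration, not taken from Doug's post or from QRadar or Oracle documentation, here is one per-container collection setup along the lines the post discusses: a read-only collector account, the optional local index on the partition key that the post mentions, and a bounded incremental poll run against UNIFIED_AUDIT_TRAIL in each container separately rather than through a cross-container view. The account name, index name, bind-variable names, lag value and sample watermark are all assumptions.

```sql
-- One-time setup, repeated in CDB$ROOT and in each PDB, run as a DBA.
-- Least-privilege collector: AUDIT_VIEWER grants SELECT on UNIFIED_AUDIT_TRAIL
-- and nothing else. Account name and password are placeholders.
CREATE USER siem_reader IDENTIFIED BY "CHANGE_ME_PLACEHOLDER";
GRANT CREATE SESSION, AUDIT_VIEWER TO siem_reader;

-- Optional (assumed name): a LOCAL index on the partition key, so that a
-- bounded EVENT_TIMESTAMP range is served by the day partition(s) it touches
-- instead of a full scan of AUDSYS.AUD$UNIFIED.
CREATE INDEX audsys.aud_unified_evt_ts_ix
  ON audsys.aud$unified (event_timestamp) LOCAL;

-- Incremental poll, executed by siem_reader while connected to ONE container.
-- Querying each container on its own avoids the cross-PDB parallel plans seen
-- when a single query spans CDB and PDB records.
--   :last_ts  = high-water mark the collector saved from its previous run
--   :lag_secs = safety lag so rows still being written are not skipped
VARIABLE last_ts  VARCHAR2(40)
VARIABLE lag_secs NUMBER
EXEC :last_ts  := '2023-06-23 00:00:00.000000';   -- constructed sample value
EXEC :lag_secs := 30;                              -- assumed lag

SELECT event_timestamp, dbid, instance_id, sessionid, entry_id, statement_id,
       audit_type, dbusername, os_username, userhost, client_program_name,
       action_name, return_code, object_schema, object_name,
       unified_audit_policies, sql_text
  FROM unified_audit_trail
 WHERE event_timestamp >  TO_TIMESTAMP(:last_ts, 'YYYY-MM-DD HH24:MI:SS.FF6')
   AND event_timestamp <= CAST(SYSTIMESTAMP AS TIMESTAMP)
                          - NUMTODSINTERVAL(:lag_secs, 'SECOND')
 ORDER BY event_timestamp, sessionid, entry_id, statement_id;
-- The collector stores MAX(event_timestamp) of the batch as the next :last_ts;
-- (dbid, instance_id, sessionid, entry_id, statement_id) is assumed here as
-- the de-duplication key on the SIEM side because timestamps are not unique.
```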