Splunk® Supported Add-ons

Splunk Add-on for Oracle Database

Download manual as PDF

Download topic as PDF

Source types for the Splunk Add-on for Oracle Database

The Splunk Add-on for Oracle Database collects different logs and events from different sources in Oracle Database Server. The add-on assigns different source types for each different log or event source.

Many Oracle log files offer the option of a plain text format or an XML format. You can choose to configure the logs in either of these formats because this add-on supports field extractions for both formats. In general, XML-formatted logs have more verbose information and are easier to parse, but may occupy more OS disk space.

You can customize the location and name of most log files in Oracle. The table below provides the default location for each log file and a query that you can run in case the location has changed.

More information about the different log and event data supported by this add-on is available below the table.

Calculate oracle:readwrite from oracle:sysPerf by running the following search: sourcetype=oracle:sysPerf (METRIC_NAME="Physical Read*" OR METRIC_NAME="Physical Write*")

Log/
Event
Log Format Oracle Version Source Type Default File Location
Audit Log Plain text 10g/11g/12c in Linux.
11g/12c in Windows.
oracle:audit:text $ORACLE_BASE/admin/$ORACLE_SID/adump/*.aud

Query this location by issuing show parameter AUDIT_FILE_DEST;
XML 10g/11g/12c (Linux and Windows) oracle:audit:xml $ORACLE_BASE/admin/$ORACLE_SID/adump/*.xml

Query this location by issuing show parameter AUDIT_FILE_DEST;
Unified Auditing Log Oracle SecureFiles (proprietary) 12c in Linux.
12c in Windows.
oracle:audit:unified Query this location by issuing SELECT * FROM "SYS"."UNIFIED_AUDIT_TRAIL"
Alert Log Plain text 10g/11g/12c (Linux and Windows) oracle:alert:text For 10g:
$ORACLE_BASE/admin/$ORACLE_SID/ bdump/alert_$ORACLE_SID.log

Query this location by issuing show parameter background_dump_dest;

For 11g/12c:
$ORACLE_BASE/diag/rdbms/$ORACLE_SID/$ORACLE_SID/ trace/alert_$ORACLE_SID.log

Query this location by issuing select value from v$diag_info where name = 'Diag Trace';

XML 11g/12c (Linux and Windows) oracle:alert:xml $ORACLE_BASE/diag/rdbms/$ORACLE_SID/$ORACLE_SID/ alert/log.xml

Query this location by issuing select value from v$diag_info where name = 'Diag Alert';

Listener Log Plain text 10g (Linux and Windows) oracle:listener:text $ORACLE_BASE/product/db_1/network/log/listener.log

Query this location by running lsnrctl status

XML 11g/12c (Linux and Windows) oracle:listener:xml $ORACLE_BASE/diag/tnslsnr/$HOST_NAME/listener/ alert/log.xml

Query this location by running lsnrctl status

Incident log Plain text 11g/12c (Linux and Windows) oracle:incident $ORACLE_BASE/diag/rdbms/$ORACLE_SID/$ORACLE_SID/ incident/*/*.trc

Query this location by issuing select value from v$diag_info where name = 'Diag Incident';

Trace log Plain text 10g/11g/12c (Linux and Windows) oracle:trace For 10g:
$ORACLE_HOME/admin/$ORACLE_SID/ udump/*.trc

For 11g/12c:
$ORACLE_HOME/diag/rdbms/$ORACLE_SID/ $ORACLE_SID/trace

Query this location by issuing show parameter USER_DUMP_DEST;

Inventory Key=Value 10g/11g/12c (Linux and Windows) oracle:instance

oracle:database
oracle:session
oracle:sga
oracle:tablespace
oracle:tablespaceMetrics
oracle:instanceReadWrite

N/A. Collect these metrics using Splunk DB Connect.
Performance CSV 10g/11g/12c (Linux and Windows) oracle:dbFileIoPerf

oracle:sysPerf
oracle:osPerf
oracle:libraryCachePerf
oracle:cpuLoadPerf
oracle:dbIoPerf
oracle:memPerf
oracle:networkPerf
oracle:readwrite
oracle:avgExecutions

N/A. Collect these metrics using Splunk DB Connect.
Note: The data for oracle:sysPerf is collected in key=value format by Splunk DB Connect.
Key=Value 10g/11g/12c (Linux and Windows) oracle:connections

oracle:pool:connections
oracle:database
oracle:database:size
oracle:table
oracle:user
oracle:query
oracle:session

N/A. Collect these metrics using Splunk DB Connect.

Audit logs

Oracle auditing is the monitoring and recording of selected user database actions. Oracle database has two major kinds of auditing: Standard Audit Trail and Fine Grained Audit Trail.

Standard Audit Trail audits include:

  • Administrative privilege connection
  • Database startup/shutdown
  • SQL statement
  • Privileges
  • Schema object
  • Network

Fine Grained Audit Trail audits include:

  • Audit Delete/Merge/Update/Query etc actions against database tables
  • Audit by performing Boolean condition check. For example, if a table is accessed on a Saturday, the audit takes place.

Oracle Database administrators can configure the database to write audit trail in plain text format or in XML format. The add-on can parse standard audit trail in either text format or XML format, but the add-on can parse the fine-grained audit trail in XML format only.

When audit trails are in XML format, audit or AUDITTYPE field tells if an audit record is a Standard, SYS, Fine-grained, or Mandatory audit trail. You can create Splunk alerts and dashboards by monitoring audit events. For example, alerts or dashboards can display when and which client connects to the database as SYSDBA, the failed actions, when and which client did a drop/update/select against the target tables, who and how many login failures happened.

Since the add-on is designed to monitor the audit trail files, the Oracle Database administrator needs to configure the audit trail to write to the Operating System file system. On Windows, plain text audit records write to the Windows Event Viewer Service, instead of persisting in the OS file system. Pulling files from the Windows Event Viewer Service is not supported in this release of the add-on.

For more information about how to set up Oracle database Operating System Audit, please refer to the Oracle Database Security Guide 10g/11g/12c: http://docs.oracle.com/cd/E11882_01/network.112/e36292/auditing.htm#DBSEG60061

The audit log source types map to the following CIM data models:

Source Type CIM Data Models
oracle:audit:text Change Analysis data model object: Account_Management
Authentication data model object: Authentication
oracle:audit:xml
oracle:accountManagement Change Analysis data model object: Account_Management

Unified Auditing logs

In Oracle 12c, a new database auditing foundation has been introduced. Oracle Unified Auditing changes the fundamental auditing functionality of the database. In previous releases of Oracle, there were separate audit trails for each individual component. Unified Auditing consolidates all auditing into a single repository and view. This provides a two-fold simplification: audit data can now be found in a single location and all audit data is in a single format. Oracle 12c Unified Auditing supports:

  • Standard database auditing
  • SYS operations auditing (AUDIT_SYS_OPERATIONS)
  • Fine Grained Audit (FGA)
  • Data Pump
  • Oracle RMAN
  • Oracle Label Security (OLS)
  • Database Vault (DV)
  • Real Application Security (RAS)
  • SQLLoader Direct Load

Unified Auditing comes standard with Oracle Enterprise Edition; no additional license is required. It is installed by default, but not fully enabled by default. There are two modes of operation to allow for a transition from pre-12c auditing:

  • Mixed Mode: default 12c option.
    All pre-12c log and audit functionality and configurations work as before. New Unified Auditing functionality is also available. Log data is available in both the traditional locations as well as the new view SYS.UNIFIED_AUDIT_TRAIL. Also, log data continues to be written in clear text when Syslog is used.
  • Full Mode or PURE mode:
    enabled only by stopping the database and relinking the Oracle kernel. Once enabled, pre-12c log and audit configurations are ignored, and audit data is saved using the Oracle SecureFiles, which is a proprietary file format. Because of this, Syslog is not supported. All audit data can be found in the view SYS.UNIFIED_AUDIT_TRAIL.

Alert log

The alert log captures messages and errors including:

  • All internal errors (ORA-600), block corruption errors (ORA-1578), and deadlock errors (ORA-60)
  • Admin operations, such as CREATE/ALERT/DROP statements, STARTUP, SHUTDOWN and ARCHIVELOG statements
  • Messages and errors relating to the functions of shared server and dispatcher process
  • Errors occurring during the automatic refresh of a materialized view
  • System crashes

Set up the add-on to monitor the alert logs in either text format or XML format, depending on what the Oracle Database administrator has configured. As listed in the table at the top of this page, the text format and XML format alert logs coexist in 11g/12c. You only need to monitor one of them with the add-on. Note that the alert log in XML format has more information than the one in plain text.

This add-on creates eventtypes for different categories of errors. For example, eventtype=oracle:internalError searches all ORA-00600 errors through the trace logs and alert logs.

The alert log source types oracle:alert:text and oracle:alert:xml do not map to the Common Information Model.

Listener log

The listener log is useful for Network Service troubleshooting and real time security monitoring.

The listener log includes:

  • Client connection information, such as host IP, port, program
  • TNS related errors, such as listener or protocol errors
  • Service register/update information

The listener log source types map to the following CIM data model:

Source Type CIM Data Models
oracle:listener:text Authentication data model object: Authentication
oracle:listener:xml

Trace log

The trace log is used for incident, error, and event reporting. Most of the errors that happen in the database are captured in the trace files. Oracle Database administrators also can turn on trace for specific sessions. The trace file is not well formatted, so the add-on does not parse or do field extractions for trace files. Instead, it creates eventtypes for searching the errors (all ORA-xxx errors).

The trace log source type oracle:trace does not map to the Common Information Model.

Incident log

Incident logs were introduced in 11g. When a critical error happens (for example, the system crashes) an incident is generated and this event is recorded in the alert and trace logs. The incident log is similar to the trace log in that it is not well formatted. This add-on creates the eventtype oracle:incident for searching existing incidents. Splunk administrators can create saved searches to monitor critical incidents, send out alerts, and take actions.

The incident log source type oracle:incident does not map to the Common Information Model.

Inventory events

The Splunk Add-on for Oracle Database leverages Splunk DB Connect to query for inventory events. The critical inventories are Oracle instance, database, session, SGA information, tablespace, and tablespace usage. Oracle Database administrators can do event correlation between the inventories with other trace/audit events and performance metrics and view all the database instances and their metrics in one central place.

This table lists which CIM and ITSI data models each source type maps to.

Source Type CIM Data Models ITSI Data Models
oracle:instance Databases data model object: All_Databases Database data model objects: Inventory
oracle:instanceReadWrite Databases data model object: All_Databases none
oracle:database Databases data model object: All_Databases none
oracle:session Databases data model object: All_Databases Database data model object: Session
oracle:sga Databases data model object: All_Databases none
oracle:table Databases data model object: All_Databases Database data model object: Table
oracle:tablespace none none
oracle:tablespaceMetrics Databases data model object: Tablespace,
Performance data model object: Storage
Database data model objects: Query

Performance events

The Splunk Add-on for Oracle Database leverages Splunk DB Connect to query for performance metrics. The basic performance metrics are database file I/O performance, Oracle system performance, Oracle library cache performance, and host OS performance. Oracle system performance collects many performance metrics, including cache hit ratio, database CPU perf, network traffic, SQL service response time, and Oracle Physical and Logical I/O stats. Oracle Database administrators or Splunk Enterprise administrators can create performance trending dashboards or alerts.

This table lists which CIM and ITSI data models each source type maps to.

Source Type CIM Data Models ITSI Data Models
oracle:dbFileIoPerf none none
oracle:sysPerf Databases data model object: All_Databases Database data model object: Performance
oracle:osPerf none none
oracle:libraryCachePerf none none
oracle:connections Databases data model object: All_Databases Database data model object: Performance
oracle:pool:connections Databases data model object: All_Databases Database data model object: Performance
oracle:database:size Databases data model object: All_Databases Database data model object: Performance
oracle:table none Database data model object: Table
oracle:user Databases data model object: All_Databases Database data model object: User
oracle:query Databases data model object: Database_Query Database data model object: Query
oracle:session none Database data model object: Session
oracle:cpuLoadPerf Performance data model object: CPU none
oracle:dbIoPerf Performance data model object: Storage none
oracle:memPerf Performance data model object: Memory none
oracle:networkPerf Performance data model object: Network none
oracle:readwrite Databases data model object: All_Databases Database data model object: Performance
oracle:avgExecutions Databases data model object: All_Databases none
Last modified on 21 February, 2019
PREVIOUS
About the Splunk Add-on for Oracle Database
  NEXT
Release notes for the Splunk Add-on for Oracle Database

This documentation applies to the following versions of Splunk® Supported Add-ons: released


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters