Hi Splunkers,
I have run into an issue when using Splunk_TA_oracle (v3.3.0 & v3.4.0) to analyse audit log data from Oracle databases (11g & 12c). If the data that should be extracted is over multiple lines, only the first line is extracted for the value of ACTION.
Consider the following event (sourcetype is oracle:audit:text):
Tue May 24 11:25:51 2016 +10:00
LENGTH : '238'
ACTION :[80] '
SELECT 1, status, '',archiver, database_status, active_state FROM v$instance
'
DATABASE USER:[3] 'SYS'
PRIVILEGE :[6] 'SYSDBA'
CLIENT USER:[6] 'oracle'
CLIENT TERMINAL:[7] 'unknown'
STATUS:[1] '0'
DBID:[10] '1234567890'
For this event, the ACTION field is equal to a single quote '.
Within Splunk_TA_oracle (transforms.conf), ACTION is extracted to the end of the line:
[ACTION_text]
REGEX = ACTION\s*\:\[?\d*\]?\s+(['|"]?)([^"\r\n]*)\1
FORMAT = ACTION::"$2"
But this does not cover instances where the ACTION is over multiple lines.
Looking at the schema of the text audit logs, ACTION appears to always be followed by DATABASE USER. Using this piece of info, I have been able to correctly extract ACTION using the following inline rex:
| rex field=_raw "(?s)ACTION\s*\:\[\d*\]\s+([\'|\"])\s+(?<ACTION>.*)\1\s+DATABASE\sUSER"
Or by updating/adding a local transforms.conf:
[ACTION_text]
REGEX = (?s)ACTION\s*\:\[?\d*\]?\s+(['|"]?)(.*)\1\s+DATABASE\sUSER
FORMAT = ACTION::"$2"
This issue is also present for the field oracle_audit_action as it uses the same regex in the transforms.conf stanza.
Should I submit a bug report? Is it even a bug in the first place? Should I just keep the changes in a local transforms.conf file and drop that file back into place if/when Splunk_TA_oracle is updated? Thanks for any guidance.
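As an added check (not code from the original post or from Splunk_TA_oracle), the shipped [ACTION_text] regex and the local override from the post are run over the sample event with Python's re module, which treats (?s), the backreference and the character classes the same way Splunk's PCRE engine does for these patterns; the single-line CONNECT event is constructed to confirm the override does not break the ordinary case.

```python
import re
from typing import Optional

# Sample event copied from the post (multi-line ACTION value).
MULTILINE_EVENT = """Tue May 24 11:25:51 2016 +10:00
LENGTH : '238'
ACTION :[80] '
SELECT 1, status, '',archiver, database_status, active_state FROM v$instance
'
DATABASE USER:[3] 'SYS'
PRIVILEGE :[6] 'SYSDBA'
CLIENT USER:[6] 'oracle'
CLIENT TERMINAL:[7] 'unknown'
STATUS:[1] '0'
DBID:[10] '1234567890'
"""

# Constructed event with a single-line ACTION (values are made up).
SINGLE_LINE_EVENT = """Tue May 24 11:26:02 2016 +10:00
LENGTH : '150'
ACTION :[7] 'CONNECT'
DATABASE USER:[3] 'SYS'
PRIVILEGE :[6] 'SYSDBA'
STATUS:[1] '0'
"""

# Regex from the TA's [ACTION_text] stanza: group 2 cannot cross a line break,
# so on the multi-line event it captures only the opening quote.
TA_ACTION_RE = re.compile(r"ACTION\s*\:\[?\d*\]?\s+(['|\"]?)([^\"\r\n]*)\1")

# Local override from the post: (?s) lets '.' match newlines and the value is
# terminated by the closing quote followed by the DATABASE USER field.
LOCAL_ACTION_RE = re.compile(
    r"(?s)ACTION\s*\:\[?\d*\]?\s+(['|\"]?)(.*)\1\s+DATABASE\sUSER"
)


def extract_action(event: str, pattern: re.Pattern) -> Optional[str]:
    """Return what FORMAT = ACTION::"$2" would assign, or None if no match."""
    m = pattern.search(event)
    return m.group(2) if m else None


if __name__ == "__main__":
    for name, rx in (("TA", TA_ACTION_RE), ("local", LOCAL_ACTION_RE)):
        print(name, "multi-line ->", repr(extract_action(MULTILINE_EVENT, rx)))
        print(name, "single-line ->", repr(extract_action(SINGLE_LINE_EVENT, rx)))
```

Because `.*` is greedy, the override assumes each event holds exactly one audit record; if line breaking merges two records, the match runs on to the last DATABASE USER in the event.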