Oracle Database: Pipeline Configuration for Collecting Audit Logs with ELK

Oracle Database · by 阿木 · posted 18 days ago · 7 views


Oracle Database: Configuring an ELK Pipeline for Audit Log Collection in Practice

With the rapid development of information technology, enterprises have a growing need for data security and auditing. Oracle Database is a key component of enterprise applications, so collecting and analysing its audit logs has become especially important. ELK (Elasticsearch, Logstash, Kibana) is a powerful platform for log collection, analysis and visualisation that helps organisations collect, store, analyse and visualise Oracle audit logs. This article walks through the pipeline configuration for collecting Oracle Database audit logs with ELK.

1. System Environment

Before starting the configuration, prepare the following environment:

- Oracle Database: make sure the database version supports auditing.

- Elasticsearch: version 5.6.12 or later is recommended.

- Logstash: version 5.6.12 or later is recommended.

- Kibana: version 5.6.12 or later is recommended.

- Java: make sure the Java runtime required by Elasticsearch, Logstash and Kibana is installed.

2. Oracle Database Audit Log Configuration

2.1 Enabling Auditing

1. Log in to the Oracle database and run the following statement to enable auditing:

```sql
-- Audit records are only written when the AUDIT_TRAIL parameter is not NONE
AUDIT SYSTEM;
```

2. Enable auditing of specific operations according to your requirements, for example:

```sql
-- Audit SELECT statements on tables issued by the user SCHEMA_NAME
AUDIT SELECT TABLE BY SCHEMA_NAME;
```


2.2 Configuring the Audit Log Destination

1. By default, Oracle writes audit logs to operating-system log files. The output path of the audit logs can be specified by modifying the `sqlnet.log` file.

2. Add the following line to the `sqlnet.log` file:

```conf
AUDIT_FILE_DEST = '/path/to/oracle/audit'
```

3. Restart the Oracle database for the setting to take effect.

3. ELK Pipeline Configuration

3.1 Logstash Configuration

1. Create a Logstash configuration file, for example `oracle_audit.conf`, with the following content:

```conf
input {
  file {
    # Glob over the audit files written under AUDIT_FILE_DEST (the "*" is required)
    path => "/path/to/oracle/audit/*.log"
    start_position => "beginning"
    # /dev/null disables the sincedb, so every restart re-reads all files; use a real path in production
    sincedb_path => "/dev/null"
  }
}

filter {
  if [message] =~ /^AUDIT/ {
    mutate {
      add_tag => ["oracle_audit"]
    }
  }
  grok {
    # The field layout must match the actual audit record format: numeric fields use NUMBER,
    # identifiers and names use NOTSPACE; a record that does not match gets the _grokparsefailure tag
    match => { "message" => "%{TIMESTAMP_ISO8601:timestamp} %{NUMBER:session_id} %{NUMBER:client_id} %{NOTSPACE:client_program} %{NOTSPACE:client_host} %{NUMBER:client_port} %{NOTSPACE:sql_id} %{NOTSPACE:operation} %{NOTSPACE:object_name} %{NOTSPACE:object_schema} %{NOTSPACE:object_owner} %{NOTSPACE:object_type}" }
  }
}
```
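As an added example (not part of the original post or the Logstash project), the following Python script emulates the filter stage of the pipeline above on constructed sample records, so the grok pattern can be checked offline before it is deployed: the `^AUDIT` conditional tag, the grok match, and the `_grokparsefailure` tag that grok adds when a line does not match. The single-line field layout, the sample lines and the regex approximations of the `TIMESTAMP_ISO8601`, `NUMBER` and `NOTSPACE` grok patterns are assumptions; they follow the field names used in the configuration, not Oracle's real audit file layout.

```python
import re
from typing import Dict, List

# Regex approximations of the grok library patterns used in the Logstash filter
# (assumption: close enough to the real definitions for offline validation).
GROK = {
    "TIMESTAMP_ISO8601": r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:?\d{2})?",
    "NUMBER": r"-?\d+(?:\.\d+)?",
    "NOTSPACE": r"\S+",
}

# Assumed one-record-per-line layout, using the field names from the Logstash config.
# This is a constructed layout, not the format Oracle actually writes.
PATTERN = (
    "%{TIMESTAMP_ISO8601:timestamp} %{NUMBER:session_id} %{NUMBER:client_id} "
    "%{NOTSPACE:client_program} %{NOTSPACE:client_host} %{NUMBER:client_port} "
    "%{NOTSPACE:sql_id} %{NOTSPACE:operation} %{NOTSPACE:object_name} "
    "%{NOTSPACE:object_schema}"
)


def grok_to_regex(pattern: str) -> "re.Pattern[str]":
    """Expand every %{TYPE:name} token into a named capture group."""
    def repl(m: "re.Match[str]") -> str:
        ptype, name = m.group(1), m.group(2)
        return f"(?P<{name}>{GROK[ptype]})"
    return re.compile(re.sub(r"%\{(\w+):(\w+)\}", repl, pattern))


def filter_event(message: str, regex: "re.Pattern[str]") -> Dict[str, object]:
    """Emulate the filter block: conditional mutate/add_tag, then grok."""
    tags: List[str] = []
    event: Dict[str, object] = {"message": message, "tags": tags}
    if message.startswith("AUDIT"):            # if [message] =~ /^AUDIT/
        tags.append("oracle_audit")
    m = regex.search(message)                  # grok searches, it does not anchor
    if m is None:
        tags.append("_grokparsefailure")       # what grok adds on a miss
        return event
    event.update(m.groupdict())                # one field per named capture
    return event


def process(lines: List[str]) -> List[Dict[str, object]]:
    """Run every line through the emulated filter stage."""
    regex = grok_to_regex(PATTERN)
    return [filter_event(line, regex) for line in lines]


# Constructed sample records (not real Oracle output).
SAMPLE_LINES = [
    "2024-03-01T10:15:30+08:00 4711 102 sqlplus app-host-01 50122 8fz3k2d9 SELECT EMPLOYEES HR",
    "2024-03-01T10:16:02+08:00 4712 103 python oracle-batch 50123 b7h9s0qa DELETE PAYMENTS FIN",
    "AUDIT trail header line that carries no parsable record",
]

if __name__ == "__main__":
    for ev in process(SAMPLE_LINES):
        print(ev)
```

Running the script shows the two well-formed records broken out into their fields and the header line tagged `oracle_audit` but also `_grokparsefailure`; in a real deployment, a non-zero share of `_grokparsefailure` events in Kibana is the first sign that the grok pattern and the audit record layout have drifted apart.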