Can we track Oracle logs with any of the Enterprise Agent products?


SUMMARY

Jul 06, 2015

Events recorded in Oracle's text-based audit logs can be tracked with Snare Epilog, provided the database is configured to write its audit trail to operating system files that the agent can read.

Snare Enterprise Agent for Windows may also be used to track Oracle events, such as SQL commands executed through SQL*Plus. On Windows, an Oracle instance whose audit trail is directed to the operating system writes its audit records to the Windows Application event log, which the Windows agent already collects. In either case the Oracle parameter AUDIT_TRAIL must be set to 'os', which enables auditing and directs all audit records to the operating system's audit trail. [NOTE: Auditing is not available on Oracle XE (Express Edition).]

So ensure the Oracle instance is configured to send its audit logs to OS files in a specific directory that the Epilog agent can monitor. The following Oracle documentation page covers setting up the database to write audit records to an OS file: https://docs.oracle.com/cd/E11882_01/server.112/e10575/tdpsg_auditing.htm#TDPSG50521.

In particular, this part of the SPFILE configuration is what is required:

OS: Enables database auditing and directs all audit records to an operating system file. Writing the audit trail to operating system files is better for performance than sending the audit records to the SYS.AUD$ table. If the auditor is distinct from the database administrator, you must use the operating system setting, because any auditing information stored in the database is viewable and modifiable by the database administrator.
To specify the location of the operating system audit record file, set the AUDIT_FILE_DEST initialization parameter. The default directory is $ORACLE_BASE/admin/$ORACLE_SID/adump.
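The steps above (AUDIT_TRAIL, AUDIT_FILE_DEST, restart, then choosing what to audit) as one SQL*Plus script. This is an added example, not part of the original article or of Snare's own documentation; the SID orcl, the adump path and the HR schema objects are assumptions, and the script is intended for an 11g Unix/Linux instance run as SYSDBA.

```sql
-- Added example: point an Oracle 11g instance's audit trail at plain-text
-- OS files for Snare Epilog, then enable auditing for the activity of interest.
-- Assumed: SID 'orcl', ORACLE_BASE /u01/app/oracle, schema HR. Run as SYSDBA.

-- 1. Send audit records to the operating system as plain text. XML is the
--    setting the article warns against (harder for the Snare Server to parse).
--    SCOPE=SPFILE means the value is read at the next startup.
ALTER SYSTEM SET audit_trail = OS SCOPE = SPFILE;

-- Do NOT use this variant when forwarding to the Snare Server:
-- ALTER SYSTEM SET audit_trail = XML SCOPE = SPFILE;

-- 2. Fix the directory Epilog will monitor (assumed path; the default is
--    $ORACLE_BASE/admin/$ORACLE_SID/adump).
ALTER SYSTEM SET audit_file_dest = '/u01/app/oracle/admin/orcl/adump' SCOPE = SPFILE;

-- 3. Also record what SYS / SYSDBA sessions do. These records always go to
--    the OS trail, which is the point of auditing independently of the DBA.
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;

-- 4. Restart so the SPFILE values take effect.
SHUTDOWN IMMEDIATE
STARTUP

-- 5. Confirm the running instance picked up the settings.
SELECT name, value
  FROM v$parameter
 WHERE name IN ('audit_trail', 'audit_file_dest', 'audit_sys_operations');

-- 6. Decide what to audit. AUDIT SESSION gives logon/logoff events;
--    BY ACCESS writes one record per statement execution instead of one
--    per session, so every audited command becomes its own event line.
AUDIT SESSION;
AUDIT SELECT TABLE, INSERT TABLE, UPDATE TABLE, DELETE TABLE
      BY ACCESS WHENEVER NOT SUCCESSFUL;
AUDIT ALL ON hr.employees BY ACCESS;

-- 7. Review the audit options now in force.
SELECT audit_option, success, failure FROM dba_stmt_audit_opts;
SELECT owner, object_name, sel, ins, upd, del
  FROM dba_obj_audit_opts
 WHERE owner = 'HR';

-- 8. Generate a test event from a normal (non-SYS) session, e.g. as SCOTT:
--    SELECT COUNT(*) FROM hr.employees;
--    A new *.aud file should appear under audit_file_dest; that file is what
--    Epilog reads and forwards with the tag (for example ORACLE) you assign.
```

Two caveats worth checking before relying on the result: the OS text trail records the action code, object and user of an audited statement but not the full SQL text (the EXTENDED option exists only for the DB and XML trails), and on Windows an instance with AUDIT_TRAIL=OS writes to the Application event log rather than to files, so there the Snare Enterprise Agent for Windows, not Epilog, is the collector.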

Please note: do not use the XML option for the OS audit logs if you are sending to the Snare Server, as it makes the logs harder to parse. When sent to the Snare Server, these events arrive as generic log events identified by the tag you assign in the Epilog agent. You can set a custom tag such as ORACLE to make them easier to filter and report on in an objective.