i need to send audit log from Oracle DB version 12c to my SIEM via syslog on IBM AIX. The problem is it not include the information i need. For exp:
<134>Mar 4 11:00:25 Message forwarded from abc: Oracle Audit[5374348]: LENGTH : '494' ACTION :[344] '9'),chartorowid('AAAAJCAABAAAA+nABn'),chartorowid('AAAAJCAABAAAA+nABv'),chartorowid('AAAAJCAABAAAisBAAP'),chartorowid('AAAAJCAABAAAisBAC9'),chartorowid('AAAAJCAABAAAisBADQ'),chartorowid('AAAAJCAABAAAisDACn'),chartorowid('AAAAJCAABAAAisEABG'),chartorowid('AAAAJCAABAAAisEABf'),chartorowid('AAAAJCAABAAAisEABn'),chartorowid('AAAAJCAABAAAisEACb'),' DATABASE USER:[3] 'SYS' PRIVILEGE :[4] 'NONE' CLIENT USER:[0] '' CLIENT TERMINAL:[7] 'UNKNOWN' STATUS:[1] '0' DBID:[10] '2346730987'
It not have the information about source IP which really needed to parsing log for security purpose. Is there possile for us to modify and include some information that we need into it ? Thank!
It is not possible to modify the information generated by Oracle's internal auditing. If you need to supplement the data going to your SIEM, then either
the SIEM tool needs to generate SQL queries to the audit trail
and any other necessary tables within the database, instead of
relying on syslog; or
you need to write a custom PL/SQL function to run the
appropriate queries and use UTL_FILE to write the output to an
external log file that the SIEM can read.
That said, it looks like your log sample is an audit of SYS actions, which may not even exist in the internal audit trail depending on your specific setup and version. If that is the case, what you see is all there is.
Related
We are pushing logs using "buildfire.publicData.insert". How do we get access to those logs?
Would these logs contain the header that is sent in the calls? We also need to see the source and destination information. Those are the logs we really need.
Public data is really just a data source, think of it as a database where the data you save in you can retrieve later.
So if you're using it to push logs you need to make sure that any needed information is in the body object are passed to save or insert calls. those can be retrieved later using search calls as documented in https://sdk.buildfire.com/docs/public-data
You can also implement the search only on the control side of your plugin if these data are not meant to be shared with widget users.
Since you might have a lot of records it is recommended you use https://sdk.buildfire.com/docs/indexed-fields so your queries are efficient.
I have a node.js application and I am using Application Insights to collect telemetry on our users. We are using the applicationinsights npm package.
Our users' privacy is very important to us and we want to collect as little data about them as we need. To this end, we do not want to collect location data (country, state/province, and client-ip). However, I can't see how we can avoid sending that data to azure. Is it possible to avoid sending it?
I'm guessing that the location data is coming directly from the http request. So, it might be that I need to change something in the npm package to remove the location headers from the request, but this does not appear to be exposed to the application.
Any ideas on how to fix this?
As Matt mentioned, you can change the data being sent to App Insights- this is certainly necessary in cases where the default logging contains information you don't want sent to our servers for any reason. The only thing I would adjust from his suggestion is the it is recommended to use TelemetryInitializers instead of TelemetryProcessors to do this modification. Any part of the data model should be able to be adjusted or removed from an initializer. This is also particularly useful if there is anything in the request data that you would consider PII. You can see the non-custom data model here: https://learn.microsoft.com/en-us/azure/azure-monitor/app/export-data-model
All location data in App Insights is based on IP address. The IP address is sent to App Insights and from there is is processed using the GeoLite2 database. Once the conversion happens, we discard the IP address so that we are never keeping IP addresses permanently. That's why when you query your logs the IP address field will always contain 0.0.0.0 for all records.
I'm trying to use jmeter to simulate 500 usernames/passwords being created on a test site I have. The home page has 3 fields, username,email address, and password. How can I get jmeter to auto-fill those fields?
The next question is can jmeter then go to the next page and fill in credit information for example?
One thing to note here is JMeter is not like QTP / Selenium. It is not a pure functional testing tool.
However, It can be used for functional testing when you know how to use it!
For your question,
Record the http requests for creating the user and entering the credit information. Check this for more information. http://jmeter.apache.org/usermanual/jmeter_proxy_step_by_step.pdf
Then update the recorded scripts to parameterize the username, password email etc
Then you can update the loop count to rerun it again and again to create the data you want to create
JMeter is an excellent tool for performance testing, functional testing and for creating test data etc.
JMeter has possibility to use either external pre-defined data or generate some random values.
To use existing username/password/email combinations there are following options:
CSV Data Set Config- to read information from CSV files
JDBC PreProcessor - to fetch information from any database which supports JDBC protocol
StringFromFile - to read a string from file
CSVRead - similar to CSV Data Set Config
RandomString - to generate a random string
In regards to "go to the next page", it is also possible given that you have a HTTP Cookie Manager
Remember that JMeter acts on protocol level so you'll need to properly construct HTTP Requests.
The best way to trace execution and visualize requests/responses is using View Results Tree listener.
When I launch a RemoteApp via Remote Desktop Web Access, is there a way to send data to the remote app?
Desired senario:
A user logs into a website with their credentials. They also provide demographic information such as first name, last name, address, etc.
The website connects to the RemoteApp via SSO and makes the demographic information available to the RemoteApp.
For example, if the RemoteApp is a Windows Forms app, can I get this information and display it in a message box?
Edit1: TomTom's response in this question mentions using named pipes to send data. Is that applicable to this problem?
It turns out you can pass command line parameters to the RemoteApp using the remoteapplicationcmdline property like such:
remoteapplicationcmdline:s:/Parameter1: 5234 /Parameter2: true
(The names "/Parameter1" and "/Parameter2" are just examples. Your remote app will have to define and handle these as appropriate.)
This setting is part of the RdpFileContents property of the MsRdpClientShell object.
Here is a resource for other RdpFileContents properties.
Your code might end up looking something like this:
MsRdpClientShell.PublicMode = true;
MsRdpClientShell.RdpFileContents = 'redirectclipboard:i:1 redirectposdevices:i:0 remoteapplicationcmdline:s:/Parameter1: 5234 /Parameter2: true [Other properties here...]';
MsRdpClientShell.Launch();
For larger amounts of information, we might send preliminary data to a web service, retrieve an identifier back, pass this identifier to the RemoteApp via the command line, then have the RemoteApp query the web service to get all the information.
Of course, for the parameters to be of use the program must be looking for them. Setting up a database to query has a little security issue if it is sensitive data.
If the program (RemoteApp) is looking for data in the form of a CSV or table or something, then you might be able to send a lot of data to be processed. It just depends upon what parameters (and form) the program is going to use.
I am using log4net in a web app, and log all page errors to a SQL server. I was wondering if there was any way to retrieve the entry ID generated by it. I'm going off of the documentation found here
http://logging.apache.org/log4net/release/config-examples.html
I want to use this ID as a reference number I can show to a customer so that they may contact customer support to lookup in the system and not have to go through a log file.
Apart from writing your own appender as floyddotnet suggested you could consider:
Use a GUID. You can easily generate it in your application and will serve most of your purposes. Drawback: It may be inconvenient for the customers if they try to tell your support stuff about it on the phone. If you have only email support than this is maybe not an issue.
Consider creating an incident number outside of the logging framework. A quick call to a stored procedure that returns an ID that you save in a nullable field in your log table.
A combination of the above: Use a Guid and after logging you call a stored procedure that creates an incident and returns the ID.
Writing an appender that returns the ID creates a dependency between your application and appenders that you normally do not have: Log4net was designed with a clear separation between logging and writing the log messages somewhere. The appender that you need would affect that separation.
Since the ID is generated by the database and not by log4net, I don't believe this information is available to you.
What I've done in using log4net for such conditions is to include a datetime stamp in the message that goes down to the millisecond and present that to the user as a reference number. You can do then do a simple SQL query to get to the message in the log table.
I'm not sure its posible but you can write your own Appender for log4net end store this information in the log4net-context.
Howto writing an appender for log4net:
http://www.alteridem.net/2008/01/10/writing-an-appender-for-log4net/
Context-Description:
http://logging.apache.org/log4net/release/manual/contexts.html