FortiSIEM Oracle Database Server Configuration

Oracle Database Server Configuration

Supported Versions

What is Discovered and Monitored

Event Types

Rules

Reports

SNMP

JDBC for Database Performance Monitoring – Oracle Database Server

JDBC for Database Auditing – Oracle Database Server

Configuring listener log and error log via SNARE – Oracle side

Settings for Access Credentials

Sample Events

System Level Database Performance Metrics

Table Space Performance Metrics

Oracle Audit Trail (AccelOps Generated Events)

Oracle Audit Log

Oracle Listener Log

Oracle Alert Log

Supported Versions

Oracle Database 10g

Oracle Database 11g

Oracle Database 12c

What is Discovered and Monitored

Protocol: SNMP
Information discovered: Application type
Metrics collected: Process level CPU and memory utilization
Used for: Performance Monitoring

Protocol: WMI
Information discovered: Application type, service mappings
Metrics collected: Process level metrics: uptime, CPU utilization, Memory utilization, Read I/O KBytes/sec, Write I/O KBytes/sec
Used for: Performance Monitoring

Protocol: JDBC
Information discovered: Generic database information: version, Character Setting, Archive Enabled, Listener Status, Instance Status, Last backup date
Metrics collected: Database performance metrics: Buffer cache hit ratio, Row cache hit ratio, Library cache hit ratio, Shared pool free ratio, Wait time ratio, Memory Sorts ratio, Host CPU Util ratio, CPU Time ratio, Disk Read/Write rates (operations and MBps), Network I/O Rate, Enqueue Deadlock rate, Database Request rate, User Transaction rate, User count, Logged on user count, Session Count, System table space usage, User table space usage, Temp table space usage, Last backup date, Days since last backup. Table space performance metrics: Table space name, table space type, table space usage, table space free space, table space next extent
Used for: Performance Monitoring

Protocol: Syslog
Information discovered: None
Metrics collected: Listener log, Alert log, Audit Log
Used for: Security Monitoring

Protocol: JDBC
Information discovered: None
Metrics collected: Database audit trail: successful and failed database logon; various database operation audit trail including CREATE/ALTER/DROP/TRUNCATE operations on tables, table spaces, databases, clusters, users, roles, views, table indices, triggers, etc.
Used for: Security Monitoring

Event Types

In CMDB > Event Types, search for “oracle database” in the Description column to see the event types associated with this device.

Rules

In Analytics > Rules, search for “oracle database” in the Description column to see the rules associated with this application or device.

Reports

In Analytics > Reports, search for “oracle database” in the Name column to see the reports associated with this application or device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

JDBC for Database Performance Monitoring – Oracle Database Server

To configure your Oracle Database Server for performance monitoring by AccelOps, you need to create a read-only user who has select permissions for the database. This is the user you will use to create the access credentials for AccelOps to communicate with your database server.

  1. Open the SQLPlus application.
  2. Log in with a system-level account.

Verify the permissions.
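The read-only account described above, as an added example (it is not the FortiSIEM/AccelOps documentation's own script). The user name accelops_mon, the placeholder password, the USERS/TEMP tablespaces and the @orcl connect string are assumptions; the views granted are the standard Oracle dictionary and V$ views that expose the metrics listed in the table above, so the account can read them without any wider dictionary privilege:

```sql
-- Added example, not from the FortiSIEM/AccelOps documentation: a least-privilege
-- read-only account for the JDBC performance poll. The user name accelops_mon,
-- the password and the tablespace names are placeholders/assumptions; the views
-- granted are the standard Oracle views behind the metrics listed in the table
-- above. Run in SQL*Plus as SYS (the "system-level account" of step 2).

CREATE USER accelops_mon IDENTIFIED BY ChangeMePlaceholder1   -- placeholder password
  DEFAULT TABLESPACE users TEMPORARY TABLESPACE temp
  QUOTA 0 ON users;                      -- no storage anywhere: the account cannot create objects

GRANT CREATE SESSION TO accelops_mon;    -- logon is the only system privilege

-- Generic database information (instance status, archive mode, character set, last backup)
GRANT SELECT ON v_$instance                 TO accelops_mon;
GRANT SELECT ON v_$database                 TO accelops_mon;  -- LOG_MODE = ARCHIVELOG / NOARCHIVELOG
GRANT SELECT ON sys.nls_database_parameters TO accelops_mon;  -- NLS_CHARACTERSET, e.g. ZHS16GBK
GRANT SELECT ON v_$backup_set               TO accelops_mon;  -- MAX(completion_time) = last backup

-- Performance ratios and rates: V$SYSMETRIC carries the hit ratios, CPU/wait time
-- ratios and the physical read/write, network and transaction rates named above
GRANT SELECT ON v_$sysmetric                TO accelops_mon;
GRANT SELECT ON v_$session                  TO accelops_mon;  -- session / logon counts
GRANT SELECT ON dba_users                   TO accelops_mon;  -- user count
GRANT SELECT ON dba_objects                 TO accelops_mon;  -- invalid object count (STATUS = 'INVALID')

-- Table space metrics: name, type, usage, free space, next extent
GRANT SELECT ON dba_tablespaces             TO accelops_mon;
GRANT SELECT ON dba_data_files              TO accelops_mon;
GRANT SELECT ON dba_temp_files              TO accelops_mon;
GRANT SELECT ON dba_free_space              TO accelops_mon;
-- (GRANT SELECT_CATALOG_ROLE would also work, but exposes the whole dictionary.)

-- Verify the permissions: connect as the new user; each query must return rows,
-- and SESSION_PRIVS must list nothing beyond CREATE SESSION.
CONNECT accelops_mon/ChangeMePlaceholder1@orcl
SELECT instance_name, status FROM v$instance;
SELECT log_mode FROM v$database;
SELECT metric_name, ROUND(value, 2) AS value
  FROM v$sysmetric
 WHERE group_id = 2                        -- 60-second interval metrics
   AND metric_name IN ('Buffer Cache Hit Ratio', 'Library Cache Hit Ratio',
                       'Database CPU Time Ratio', 'Database Wait Time Ratio');
SELECT privilege FROM session_privs;
```

If the last query returns any row other than CREATE SESSION, the account has more than it needs and the extra grant should be revoked before the credential is entered in AccelOps.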

JDBC for Database Auditing – Oracle Database Server

  1. Enable auditing by modifying the Oracle instance initialization file init<SID>.ora.

This file is typically located in $ORACLE_BASE/admin/<SID>/pfile, where <SID> is the Oracle instance identifier.
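The page names the initialization file but not the parameters to set in it. As an added example (not the FortiSIEM/AccelOps documentation's own steps), these are the traditional, pre-unified-auditing Oracle 10g to 12c settings that produce OS/syslog audit records of the kind shown under "Oracle Audit Log" below; the syslog facility/priority, the use of an spfile rather than the pfile, and the exact set of audited statements are assumptions:

```sql
-- Added example, not from the FortiSIEM/AccelOps documentation. Traditional
-- (pre-unified) Oracle 10g-12c audit settings that write audit records to the
-- OS via syslog, as the "Oracle Audit Log" samples below show. Assumes the
-- instance starts from an spfile; with the init<SID>.ora pfile the page
-- describes, add the same three parameters as key=value lines instead.
-- Run as SYSDBA in SQL*Plus; the first three are static, so a restart is needed.

ALTER SYSTEM SET audit_trail = OS SCOPE = SPFILE;                       -- records go to the OS, not SYS.AUD$
ALTER SYSTEM SET audit_syslog_level = 'LOCAL5.WARNING' SCOPE = SPFILE;  -- facility.priority is an assumption;
                                                                        -- the <172> PRI on the samples is 21*8+4,
                                                                        -- i.e. local5.warning
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;            -- also record SYSDBA/SYSOPER sessions
                                                                        -- (the PRIVILEGE 'SYSDBA' sample needs this)
SHUTDOWN IMMEDIATE
STARTUP

-- Statement auditing persists in the data dictionary. Select the events the
-- table above lists: logons plus DDL on tables, table spaces, clusters, users,
-- roles, views, indices and triggers. BY ACCESS writes one record per statement.
AUDIT SESSION BY ACCESS;                               -- successful and failed logons
AUDIT TABLE, ALTER TABLE, TABLESPACE, CLUSTER, USER, ROLE, VIEW, INDEX, TRIGGER
  BY ACCESS;                                           -- TABLE covers CREATE/DROP/TRUNCATE TABLE

-- Verify: the parameters took effect and every option shows SUCCESS/FAILURE = BY ACCESS.
SELECT name, value FROM v$parameter
 WHERE name IN ('audit_trail', 'audit_syslog_level', 'audit_sys_operations');
SELECT audit_option, success, failure FROM dba_stmt_audit_opts ORDER BY audit_option;
```

The syslog daemon on the database host must then forward the chosen facility to the AccelOps collector, since the records leave the database only as local syslog messages.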

Configuring listener log and error log via SNARE – Oracle side

  1. Install and configure the Epilog application to send syslog to AccelOps:
    1. Download Epilog from the Epilog download site and install it on your Windows server.
    2. Launch Epilog from Start > All Programs > InterSect Alliance > Epilog for Windows.
  2. Configure the Epilog application as follows:
    1. Select Log Configuration in the left-hand panel, then click the Add button to add the Oracle listener log file to be sent to AccelOps. Make sure the Log Type is OracleListenerLog.
    2. Click the Add button again to add the Oracle alert log file to be sent to AccelOps. Make sure the Log Type is OracleAlertLog.
    After adding both files, the SNARE Log Configuration page lists both files.
  3. Select Network Configuration in the left-hand panel. On the right, set the destination address to that of the AccelOps server, set the port to 514, and make sure the syslog header is enabled. Then click the Change Configuration button.
  4. Click the “Apply the latest audit configuration” link on the left-hand side to apply the changes to the Epilog application.


You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

System Level Database Performance Metrics

[PH_DEV_MON_PERF_ORADB]:[eventSeverity]=PHL_INFO, [hostIpAddr]=10.1.2.8, [hostName]=Host-10.1.2.8,
[appGroupName]=Oracle Database Server, [appVersion]=Oracle Database 11g Enterprise Edition Release 11.1.0.7.0 - Production,
[instanceName]=orcl, [instanceStatus]=OPEN, [charSetting]=ZHS16GBK, [archiveEnabled]=FALSE,
[lastBackupDate]=1325566287, [listenerStatus]=OPEN, [dbBufferCacheHitRatio]=100, [dbMemorySortsRatio]=100,
[dbUserTransactionPerSec]=0.13, [dbPhysicalReadsPerSec]=0, [dbPhysicalWritesPerSec]=0.48, [dbHostCpuUtilRatio]=0,
[dbNetworkKBytesPerSec]=0.58, [dbEnqueueDeadlocksPerSec]=0, [dbCurrentLogonsCount]=32, [dbWaitTimeRatio]=7.13,
[dbCpuTimeRatio]=92.87, [dbRowCacheHitRatio]=100, [dbLibraryCacheHitRatio]=99.91, [dbSharedPoolFreeRatio]=18.55,
[dbSessionCount]=40, [dbIOKBytesPerSec]=33.26, [dbRequestsPerSec]=3.24, [dbSystemTablespaceUsage]=2.88,
[dbTempTablespaceUsage]=0, [dbUsersTablespaceUsage]=0.01, [dbUserCount]=2, [dbInvalidObjectCount]=4

Table Space Performance Metrics

Oracle Audit Trail (AccelOps Generated Events)

Oracle Audit Log

<172>Oracle Audit[25487]: LENGTH : '153' ACTION :[004] 'bjn' DATABASE USER:[9] 'user' PRIVILEGE :[4] 'NONE' CLIENT USER:[9] 'user' CLIENT TERMINAL:[14] 'terminal' STATUS:[1] '0']

<172>Oracle Audit[6561]: LENGTH : '158' ACTION :[6] 'COMMIT' DATABASE USER:[8] 'user' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'user' CLIENT TERMINAL:[0] '' STATUS:[1] '0' DBID:[9] '200958341'

<172>Oracle Audit[28061]: LENGTH: 265 SESSIONID:[9] 118110747 ENTRYID:[5] 14188 STATEMENT:[5] 28375 USERID:[8] user ACTION:[3] 100 RETURNCODE:[1] 0 COMMENT$TEXT:[99] Authenticated by: DATABASE; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=10.90.217.247)(PORT=4566)) PRIV$USED:[1] 5

Oracle Listener Log

Oracle Alert Log

DHCP and DNS Server Configuration

AccelOps supports these DHCP and DNS servers for discovery and monitoring.

Infoblox DNS/DHCP Configuration

ISC BIND DNS Configuration

Linux DHCP Configuration

Microsoft DHCP (2003, 2008) Configuration

Microsoft DNS (2003, 2008) Configuration

Infoblox DNS/DHCP Configuration

What is Discovered and Monitored

Protocol: SNMP
Information discovered: Host Name, Hardware model, Serial number, Network Interfaces, Running processes, Installed software
Metrics collected: System CPU utilization, Memory utilization, Disk usage, Disk I/O
Used for: Performance Monitoring

Protocol: SNMP
Information discovered: None
Metrics collected: Process level CPU utilization, Memory utilization. Zone Transfer metrics, for each zone: DNS Responses Sent, Failed DNS Queries, DNS Referrals, Non-existent DNS Record Queries, DNS Non-existent Domain Queries, Recursive DNS Query Received. DNS Cluster Replication metrics: DNS Replication Queue Status, Sent Queue From Master, Last Sent Time From Master, Sent Queue To Master, Last Sent Time To Master. DNS Performance metrics: NonAuth DNS Query Count, NonAuth Avg DNS Latency, Auth DNS Query Count, Auth Avg DNS Latency, Invalid DNS Port Response, Invalid DNS TXID Response. DHCP Performance metrics: Discovers/sec, Requests/sec, Releases/sec, Offers/sec, Acks/sec, Nacks/sec, Declines/sec, Informs/sec. DDNS Update metrics: DDNS Update Success, DDNS Update Fail, DDNS Update Reject, DDNS Prereq Update Reject, DDNS Update Latency, DDNS Update Timeout. DHCP subnet usage metrics, for each DHCP subnet (addr, mask): percent used
Used for: Security Monitoring and compliance

Protocol: SNMP
Information discovered: None
Metrics collected: Hardware status
Used for: Availability monitoring

Protocol: SNMP Trap
Information discovered: None
Metrics collected: Hardware failures, Software failures
Used for: Availability monitoring

Event Types

In CMDB > Event Types, search for “infoblox” in the Device Type and Description columns to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

In Analytics > Reports, search for “infoblox” in the Name and Description columns to see the reports associated with this application or device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

SNMP Trap

AccelOps processes events from this device via SNMP traps sent by the device. Configure the device to send SNMP traps to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

Settings for Access Credentials


This entry was posted in Administration Guides, FortiSIEM.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
