I recently came across a requirement to get OCI Oracle Autonomous Database audit logs into the OCI Logging Service, mainly so they can be forwarded to an external SIEM system.

Typically, once we get the logs into Logging, we can use an OCI Service Connector to ingest them into Oracle Streaming, and from there external systems can consume the logs, since Streaming is fully Kafka compatible.

When you use Autonomous Database, you can easily configure OCI Data Safe for your database, which provides functionality to audit database activity. Unfortunately, by default you can't get those logs any further. However, I did some digging and it seems there is an Oracle-made open source function that can be deployed to fetch the logs accordingly.

Data Safe also gives you 1M audit records per database for free each month. Another nice offering from Oracle to enhance your DB capabilities with a native service.

Data Safe also has a bunch of other features such as data masking, SQL Firewall and security assessment. You can read more about it here.

Data Safe and the function are very easy to install and set up, so let's take a look! This part 1 of the blog post covers the Data Safe side; part 2 will cover getting the function deployed and validating the OCI Logging side.

Enabling OCI Data Safe for Autonomous Database

First we need to enable Data Safe for my Autonomous Database. From the OCI Console navigate to Data Safe -> Target Databases and click the Register Database button. (You can also use the wizard to streamline the process if you want.)

In my test, the ADB is publicly available, so I don't need any additional setup for connectivity. If yours is running in a private subnet, you will just have to configure Data Safe to use the private endpoint.

Now that my ADB is added to Data Safe, I can configure the audit policies I want.

Configure Audit policies for your database

I'll navigate to Data Safe -> Security Center -> Activity Auditing, where I have the option to configure auditing.

First I'll configure alert policies; I want alerting for profile changes and user creation/modification.

Next I will configure the audit policy; for this I'll select some options to get data into my audit logs. You also have the option to audit CIS and STIG recommendations, as you can see from the screenshot below.

Then I'll select the audit trails I want. You can see that even with the DB being up for only 5 days, I already have 35k audit records available.

And that's pretty much it for enabling Data Safe. In real-world scenarios, this phase of designing the necessary data based on security and compliance requirements would take longer.

Reviewing Audit logs from Data Safe Console

Now I can take a look at what Data Safe sees from the OCI Console. It has a nice summary of different events, and I can drill down on each event by clicking on it.

This time I'm interested in user creation, so I'll click on user/role/permission changes to see if it logged the user creation I did earlier.

You can see the Create User statement is in the middle and logged. I can also create a nice PDF report if I need it.
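As an added example (not code from the original post, and not Oracle's open source function), here is a small Python filter that picks the user/role/permission change events out of a batch of forwarded audit records, the same category drilled into above and the kind of selective filtering that will matter once the logs are forwarded towards Streaming. The sample lines and the record field names (eventTimestamp, targetName, dbUserName, actionName, sqlText) are constructed assumptions about the forwarded record shape, not Data Safe's documented schema; map them to whatever keys your own records carry.

```python
"""Filter forwarded audit records for user/role/privilege changes (constructed example)."""
import json
from collections import Counter
from typing import Iterable

# Constructed sample input: one JSON record per line, the shape a log
# forwarder would typically emit. The keys are an assumption, not a
# documented Data Safe schema. One line is deliberately malformed.
SAMPLE_AUDIT_LINES = """\
{"eventTimestamp": "2023-05-02T08:14:03Z", "targetName": "adb_test", "dbUserName": "ADMIN", "actionName": "CREATE USER", "sqlText": "CREATE USER appuser IDENTIFIED BY ********"}
{"eventTimestamp": "2023-05-02T08:14:10Z", "targetName": "adb_test", "dbUserName": "ADMIN", "actionName": "GRANT", "sqlText": "GRANT CONNECT, RESOURCE TO appuser"}
{"eventTimestamp": "2023-05-02T08:15:42Z", "targetName": "adb_test", "dbUserName": "APPUSER", "actionName": "SELECT", "sqlText": "SELECT COUNT(*) FROM orders"}
{"eventTimestamp": "2023-05-02T08:16:00Z", "targetName": "adb_test", "dbUserName": "ADMIN", "actionName": "ALTER PROFILE", "sqlText": "ALTER PROFILE DEFAULT LIMIT FAILED_LOGIN_ATTEMPTS 5"}
{"eventTimestamp": "2023-05-02T08:17:31Z", "targetName": "adb_test", "dbUserName": "APPUSER", "actionName": "LOGON", "sqlText": ""}
this line is not JSON and should be counted as malformed
{"eventTimestamp": "2023-05-02T08:18:05Z", "targetName": "adb_test", "dbUserName": "ADMIN", "actionName": "ALTER USER", "sqlText": "ALTER USER appuser ACCOUNT LOCK"}
"""

# Action names treated as the user/role/privilege change category.
USER_ROLE_PRIV_ACTIONS = frozenset({
    "CREATE USER", "ALTER USER", "DROP USER",
    "CREATE ROLE", "ALTER ROLE", "DROP ROLE", "SET ROLE",
    "GRANT", "REVOKE",
    "CREATE PROFILE", "ALTER PROFILE", "DROP PROFILE",
})


def parse_audit_lines(text: str) -> tuple[list[dict], int]:
    """Parse newline-delimited JSON. Returns (records, malformed_count).

    A malformed line is skipped instead of aborting the whole batch, but it
    is counted so a gap in audit coverage stays visible to the pipeline owner.
    """
    records, malformed = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            malformed += 1
            continue
        if not isinstance(rec, dict):
            malformed += 1
            continue
        records.append(rec)
    return records, malformed


def is_user_role_priv_change(record: dict) -> bool:
    """True if the record's action is in the user/role/privilege category."""
    action = str(record.get("actionName", "")).strip().upper()
    return action in USER_ROLE_PRIV_ACTIONS


def filter_user_role_priv_changes(records: Iterable[dict]) -> list[dict]:
    """Keep only the records worth forwarding for account-management alerting."""
    return [r for r in records if is_user_role_priv_change(r)]


def summarize_by_action(records: Iterable[dict]) -> dict[str, int]:
    """Count records per action name, like the console's per-event summary."""
    return dict(Counter(str(r.get("actionName", "UNKNOWN")).upper() for r in records))


def run_filter(text: str = SAMPLE_AUDIT_LINES) -> dict:
    """Parse, filter and summarize one batch; returns a report dict."""
    records, malformed = parse_audit_lines(text)
    matched = filter_user_role_priv_changes(records)
    return {
        "total": len(records),
        "malformed": malformed,
        "matched": matched,
        "by_action": summarize_by_action(matched),
    }


if __name__ == "__main__":
    report = run_filter()
    print(f"{report['total']} records parsed, {report['malformed']} malformed, "
          f"{len(report['matched'])} user/role/privilege changes")
    for rec in report["matched"]:
        print(f"{rec['eventTimestamp']} {rec['dbUserName']:<8} "
              f"{rec['actionName']:<14} {rec['sqlText']}")
```

Matching on the action name rather than on the SQL text keeps the filter robust against formatting differences in statements, and the malformed-line counter is there because a forwarder that silently drops unparseable records hides exactly the gap an auditor would ask about.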

For reports, there are a bunch of predefined reports available that you can run as well, covering many different requirements.

Summary

Enabling Data Safe for testing is a really simple task for anyone to do; even without prior experience you'll be able to get to the testing phase in 5-15 minutes. For real use cases, I would go through a design phase to determine which audit records are required, how long I need to store them, and whether I need to send them further.

In part 2 I will enable the OCI Function and then filter only specific log messages from OCI Logging to Streaming, so we get the data we need into our external SIEM.
