Nagios Support Forum

Posted: **Thu Mar 10, 2016 10:29 am**

Hi,

I am trying to forward Oracle DB audit logs that are written out as xml files. Each transaction writes a separate xml file and there are a lot of them. Is there a way to get this data into NLS? I have tried several times with a rsyslog config. Here is an example of what I tried.

Code: Select all

ModLoad imfile
$InputFilePollInterval 10
$PrivDropToGroup adm
$WorkDirectory /var/lib/rsyslog

# Input for FILE_PATH
$InputFileName /oraaudit/*.xml
$InputFileTag OracleDB_Audit:
$InputFileStateFile nls-state-EPOP01 # Must be unique for each file being polled
# Uncomment the folowing line to override the default severity for messages
# from this file.
#$InputFileSeverity info
$InputFilePersistStateInterval 20000
$InputRunFileMonitor

# Forward to Nagios Logserver and then discard.
if $programname == 'OracleDB_Audit' then @@nlsserver:5544
if $programname == 'OracleDB_Audit' then ~

I have tried to change the InputFileName with different iterations. The files start out with this DBOP011_ora_ and have a timestamp followed by .xml. So I tried to set the file name to DBOP011_ora_*

I am wondering if sending xml data may not be possible. Any help would be greatly appreciated.

Thanks,
David

Posted: **Thu Mar 10, 2016 3:59 pm**

I have a theory. Can you try to change your syslog input(administration menu > global configuration) from

Code: Select all

syslog {
    type => 'syslog'
    port => 5544
}

to

Code: Select all

tcp {
    port => 5544
    type => syslog
  }
  udp {
    port => 5544
    type => syslog
  }

And create a filter that looks like this:

Code: Select all

  if [type] == "syslog" {
    grok {
      match => { "message" => "<%{POSINT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
    }
  }

And then save and apply the configuration, and see if the logs start flowing in?

Posted: **Thu Mar 10, 2016 9:16 pm**

Hi,

I made the changes, but I am still not getting the data in the xml files being forwarded. Before making the changes, I was getting data from syslog as well as other types of log files, such as Weblogic sent to NLS. Is there anything I need to set up to deal with xml files?

Thanks,
David

Posted: **Fri Mar 11, 2016 10:22 am**

Can you send in a ticket to [email protected] for this? I would like to do a remote session to look at this. Unfortunately, I do not have any time slots available for the rest of the day. Let me know if this is not an option that works for you.

Posted: **Fri Mar 11, 2016 1:32 pm**

Thats fine. I will do that now.

Thanks.

Posted: **Fri Mar 11, 2016 2:28 pm**

Ticket received. I'll close this post.

Nagios Support Forum

Send Oracle xml Audit files to NLS

Send Oracle xml Audit files to NLS

Re: Send Oracle xml Audit files to NLS

Re: Send Oracle xml Audit files to NLS

Re: Send Oracle xml Audit files to NLS

Re: Send Oracle xml Audit files to NLS

Re: Send Oracle xml Audit files to NLS