This appendix contains examples for the different types of collection plug-ins:
This section covers these topics:
These attributes and fields are mandatory:
securedTargetType
maxSecuredTargetVersion
version
TableName
Driver
EventTimeUTC
CommandClass
transformations
EventStatus
transformations
MarkerField
Source names that map to these Audit Vault Server fields are not mandatory, but if the information is not provided, when data collection starts, all audit records are treated as invalid:
UserName
CommandClass
See Also:
Appendix A, "Audit Vault Server Fields" for lists of fields and eventsExample C-1 Sample XML Mapper File for a database table collection plug-in
<AVTableCollectorTemplate securedTargetType="DBSOURCE" minSecuredTargetVersion="10.2.0" maxSecuredTargetVersion="11.0" version="1.0" > <!--Example Template for a database Collector--> <!-- Attributes: securedTargetType, maxSecuredTargetVersion, and version are mandatory; minSecuredTargetVersion attribute is optional --> <!-- Accepted Format for min/maxSecuredTargetVersion and version attribute value is numbers separated by dots (For example: 12.2,10.3.2, 11.2.3.0 etc..)--> <!-- Audit Table Information --> <!-- Name of Audit Table: Mandatory information --> <TableName>dummy_auditTable</TableName> <!-- Source Connection Information --> <ConnectionInfo> <!--Datasource class name for current secured target type: Mandatory information --> </ConnectionInfo> <!-- This Gives Mapping Information of Source Fields to various AV Fields(core and large fields) --> <!-- There should be no many-to-one mappings from source fields to AV Server fields --> <FieldMappingInfo> <!-- Mapping of Source Fields to Core Fields of AV server --> <!-- Source fields specified in core field mappings must be of SQL Datatype: String OR convertible to String--> <CoreFields> <Map> <!-- Mandatory: EventTime mapping information --> <Name>EVENT_TIME</Name> <MapTo>EventTimeUTC</MapTo> </Map> <Map> <!-- If UserName core field mapping is not provided, Audit Data Collection still starts successfully, but every audit record will be treated as invalid --> <Name>USER_ID</Name> <MapTo>UserName</MapTo> </Map> <Map> <Name>OS_USER_ID</Name> <MapTo>OSUserName</MapTo> </Map> <Map> <!-- If source name, the ACTION field, for CommandClass core field mapping is not provided, Audit Data Collection still starts successfully, but all audit records are treated as invalid --> <Name>ACTION</Name> <MapTo>CommandClass</MapTo> <!-- Mandatory: value transformation from secured target field value to command class field value. Value of "to" Attribute is from AV Event set --> <Transformation> <ValueTransformation from="1" to="CREATE"/> <ValueTransformation from="2" to="INSERT"/> <ValueTransformation from="3" to="SELECT"/> <ValueTransformation from="4" to="CREATE"/> <ValueTransformation from="15" to="READ"/> <ValueTransformation from="30" to="LOGON"/> <ValueTransformation from="34" to="LOGOFF"/> <ValueTransformation from="35" to="ACQUIRE"/> </Transformation> </Map> <Map> <Name> OBJ_NAME</Name> <MapTo>TargetObject</MapTo> </Map> <Map> <Name>USER_HOST</Name> <MapTo>ClientHostName</MapTo> </Map> <Map> <Name>OBJ_CREATOR</Name> <MapTo>TargetOwner</MapTo> </Map> <Map> <Name>STATUS</Name> <MapTo>EventStatus</MapTo> <!-- Value transformation for "STATUS" source field value. Mandatory: EventStatus value transformation. There are three possible values for EventStatus: SUCCESS, FAILURE, UNKNOWN --> <Transformation> <ValueTransformation from="0" to="FAILURE"/> <ValueTransformation from="1" to="SUCCESS"/> <ValueTransformation from="2" to="UNKNOWN"/> </Transformation> </Map> </CoreFields> <!-- Mapping of Source Fields to Large Fields of AV server i.e fields with huge content --> <!-- Secured target fields specified in large field mappings must be of SQL Datatype:CLOB OR SQL Datatype:String OR convertible to String --> <LargeFields> <Map> <Name>SQL_TEXT</Name> <MapTo>CommandText</MapTo> </Map> <Map> <Name>COMMAND_PARAMETER</Name> <MapTo>CommandParam</MapTo> </Map> </LargeFields> <!-- These secured target fields are collected in a single extension field, all name-value pairs separated by standard delimiter --> <!-- Secured target fields specified in extension field mapping must be of SQL Datatype:String OR convertible to String --> <ExtensionField> <Name>DB_ID</Name> <Name>INSTANCE</Name> <Name>PROCESS</Name> <Name>TERMINAL</Name> </ExtensionField> <!-- Mandatory: Secured target fields for MarkerField A group of secured target fields to uniquely identify each Audit Record --> <!-- Secured target fields specified to be used as MarkerField mapping must be of SQL Datatype:String OR convertible to String --> <MarkerField> <Name>SESSION_ID</Name> <Name>ENTRY_ID</Name> </MarkerField> </FieldMappingInfo> </AVTableCollectorTemplate>
This is a sample manifest file for a database table collection plug-in.
Example C-2 Sample Manifest File for a database table collection plug-in
<?xml version="1.0"?> <plugin xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/av/plugin plugin-manifest.xsd" xmlns="http://xmlns.oracle.com/av/plugin" name="HRMS-Template" id="com.oracle.av.plugin" version="1.0" provider-name="Oracle Corp." copyright="Copyright Oracle Corp. 2011"> <!-- targetVersion: Version of Oracle Audit Vault supported by this plugin. This is represented by the "min" attribute of <targetVersion> tag --> <targetVersion min="11.1.0.0.0"/> <extensionSet> <extensionPoint type= "securedTargetType"> <!-- Tag: fileList: Lists all files that ship with the plugin --> <fileList> <jars></jars> <templates> <include file="DBSource-Mapper.xml"/> </templates> <bin></bin> <config></config> <shell></shell> <patch></patch> <unresolved-external> </unresolved-external> </fileList> <!-- Tag: securedTargetTypeInfo: Contains secured target type and trail information --> <securedTargetTypeInfo name="DBSOOURCE"/> <!-- Tag: trailType: contains trail type, location , classname for source type testSource --> <trailInfo> <trailType>TABLE</trailType> <className name="oracle.av.platform.agent. collfwk.Collector. table.DatabaseTableCollector"/> </trailInfo> <!-- eventPatch: OPTIONAL field that indicates any event patches that need to be applied as part of plugin deployment The files listed here must be present in the <patch> tag entries. The order in which the patches need to applied can be controlled via the "order" attribute Patches with lower "order" value will be applied first --> <eventPatch name="p6753288_11.1.2.0.0_GENERIC.zip" order="2"/> </extensionPoint> </extensionSet> </plugin>
This section covers these topics:
These attributes and fields are mandatory:
securedTargetType
maxSecuredTargetVersion
version
HeaderInfo
RecordInfo
EventTimeUTC
CommandClass
transformations
EventStatus
transformations
MarkerField
Source names that map to these Audit Vault Server fields are not mandatory, but if the information is not provided, when data collection starts, all audit records are treated as invalid:
UserName
CommandClass
See Also:
Appendix A, "Audit Vault Server Fields" for lists of fields and eventsExample C-3 Sample XML file collection plug-in Mapper File
<AVXMLCollectorTemplate securedTargetType="XMLSOURCE" maxSecuredTargetVersion="11.0" version="1.0"> <!--Example Template for XML template collector--> <!-- Attributes: "securedTargetType", "maxSecuredTargetVersion" and "version" are mandatory attributes, "minSecuredTargetVersion" attribute is optional --> <!-- Accepted Format for min/maxSecuredTargetVersion and version attribute value is numbers separated by dots (For example: 12.2,10.3.2, 11.2.3.0 etc..)--> <!-- Header Information like XML Header start tag --> <HeaderInfo> <!-- Mandatory: HeaderInfo--> <!-- Value in this tag gives Root tag of the XML audit file--> <StartTag>Audit</StartTag> </HeaderInfo> <!-- Record Information like Record Start tag and conformation to hold original record --> <RecordInfo> <!-- Mandatory: RecordInfo --> <!-- Provides starting tag of audit record in XML audit file --> <StartTag>AuditRecord</StartTag> </RecordInfo> <!-- Gives Mapping Information of Source Fields to various AV Fields (core and large fields) --> <!-- Not Allowed: many-to-one mapping from source field to AV Server fields --> <FieldMappingInfo> <!-- Mapping of Source Fields to Core Fields of AV server Source fields specified in core field mappings must be of SQL Datatype: String OR convertible to String --> <CoreFields> <Map> <Name>EVENT_TIME</Name> <MapTo>EventTimeUTC</MapTo> <TimestampPattern>yyyy-MM-dd HH:mm:ss.SSS</TimestampPattern> </Map> <Map> <!-- If UserName core field mapping is not provided, Audit Data Collection still starts successfully, but every audit record will be treated as invalid --> <Name>USER_ID</Name> <MapTo>UserName</MapTo> </Map> <Map> <Name>OS_USER_ID</Name> <MapTo>OSUserName</MapTo> </Map> <Map> <!-- If source name, the ACTION field, for CommandClass core field mapping is not provided, Audit Data Collection still starts successfully, but all audit records are treated as invalid --> <Name>ACTION</Name> <MapTo>CommandClass</MapTo> <!-- Mandatory: value transformations from source to Action field value. Value of "to" Attribute is from AV Event set --> <Transformation> <ValueTransformation from="1" to="CREATE"/> <ValueTransformation from="2" to="INSERT"/> <ValueTransformation from="3" to="SELECT"/> <ValueTransformation from="4" to="CREATE"/> <ValueTransformation from="15" to="READ"/> <ValueTransformation from="30" to="LOGON"/> <ValueTransformation from="34" to="LOGOFF"/> <ValueTransformation from="35" to="ACQUIRE"/> </Transformation> </Map> <Map> <Name> OBJ_NAME</Name> <MapTo>TargetObject</MapTo> </Map> <Map> <Name>USER_HOST</Name> <MapTo>ClientHostName</MapTo> </Map> <Map> <Name>OBJ_CREATOR</Name> <MapTo>TargetOwner</MapTo> </Map> <Map> <Name>STATUS</Name> <MapTo>EventStatus</MapTo> <!-- Specifying value transformation for Status source field value. Mandatory: EventStatus value transformation. There are three possible values for EventStatus: SUCCESS, FAILURE, UNKNOWN --> <Transformation> <ValueTransformation from="0" to="FAILURE"/> <ValueTransformation from="1" to="SUCCESS"/> <ValueTransformation from="2" to="UNKNOWN"/> </Transformation> </Map> </CoreFields> <!-- Mapping of Source Fields to Large Fields of AV server i.e fields with huge content --> <!-- Source fields specified in large field mappings must be of SQL Datatype:CLOB OR SQL Datatype:String OR convertible to String --> <LargeFields> <Map> <Name>SQL_TEXT</Name> <MapTo>CommandText</MapTo> </Map> <Map> <Name>COMMAND_PARAMETER</Name> <MapTo>CommandParam</MapTo> </Map> </LargeFields> <!-- These Source fields will be collected in a single extension field, all name-value pairs are separated by standard delimiter --> <!-- Source fields specified in extension field mapping must be of SQL Datatype:String OR convertible to String --> <ExtensionField> <Name>DB_ID</Name> <Name>INSTANCE</Name> <Name>PROCESS</Name> <Name>TERMINAL</Name> </ExtensionField> <!-- This is group of source fields for uniquely identifying each Audit Record Marker --> <!-- Source fields specified to be used as Marker field mapping must be of SQL Datatype:String OR convertible to String --> <!-- Mandatory: Source fields for MarkerField --> <MarkerField> <Name>SESSION_ID</Name> <Name>ENTRY_ID</Name> </MarkerField> </FieldMappingInfo> </AVXMLCollectorTemplate>
This is a sample manifest file for an XML file collection plug-in.
Example C-4 Sample Manifest File for an XML file collection plug-in
<?xml version="1.0"?> <plugin xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/av/plugin plugin-manifest.xsd" xmlns="http://xmlns.oracle.com/av/plugin" name="Oracle-XML-Template" id="com.oracle.av.plugin" version="1.0" provider-name="Oracle Corp." copyright="Copyright Oracle Corp. 2011"> <!-- targetVersion: Version of Oracle Audit Vault supported by this plugin. This is represented by the "min" attribute of targetVersion> tag --> <targetVersion min="11.1.0.0.0"/> <extensionSet> <extensionPoint type= "securedTargetType"> <!-- fileList: Lists *all* the files that ship with the plugin --> <fileList> <jars></jars> <templates> <include file="XMLSource-Mapper.xml"/> </templates> <bin></bin> <config></config> <shell></shell> <patch></patch> <unresolved-external></unresolved-external> </fileList> <!-- securedTargetTypeInfo: Contains source type and trail information --> <securedTargetTypeInfo name="oracle"/> <!-- trailType: contains trail type, location , classname for source type testSource --> <trailInfo> <trailType>DIRECTORY</trailType> <className name="oracle.av.platform.agent.collfwk. ezcollector.xml.XMLFileCollector"/> </trailInfo> <!-- eventPatch: OPTIONAL field that indicates any event patches that need to be applied as part of plugin deployment--> The files listed here must be present in the <patch>--> tag entries. The order in which the patches need to --> applied can be controlled via the "order" attribute --> Patches with lower "order" value will be applied --> first --> <eventPatch name="p6753288_11.1.2.0.0_GENERIC.zip" order="2"/> </extensionPoint> </extensionSet> </plugin>