This appendix contains examples for the different types of collection plug-ins.
These attributes and fields are mandatory:
securedTargetType
maxSecuredTargetVersion
version
TableName
Driver
EventTimeUTC
CommandClass transformations
EventStatus transformations
MarkerField
Source field mappings to these Audit Vault Server fields are not mandatory. If they are not provided, data collection still starts, but all audit records are treated as invalid:
UserName
CommandClass
See Also:
Appendix A, "Audit Vault Server Fields" for lists of fields and events
Example C-1 Sample XML Mapper File for a database table collection plug-in
<AVTableCollectorTemplate securedTargetType="DBSOURCE" minSecuredTargetVersion="10.2.0"
maxSecuredTargetVersion="11.0" version="1.0" >
<!--Example Template for a database Collector-->
<!-- Attributes: securedTargetType, maxSecuredTargetVersion,
and version are mandatory;
minSecuredTargetVersion attribute is optional -->
<!-- Accepted Format for min/maxSecuredTargetVersion and
version attribute value is numbers separated by
dots (For example: 12.2,10.3.2, 11.2.3.0 etc..)-->
<!-- Audit Table Information -->
<!-- Name of Audit Table: Mandatory information -->
<TableName>dummy_auditTable</TableName>
<!-- Source Connection Information -->
<ConnectionInfo>
<!--Datasource class name for current secured target type:
Mandatory information -->
</ConnectionInfo>
<!-- This Gives Mapping Information of Source Fields to various AV
Fields(core and large fields) -->
<!-- There should be no many-to-one mappings from source fields to
AV Server fields -->
<FieldMappingInfo>
<!-- Mapping of Source Fields to Core Fields of AV server -->
<!-- Source fields specified in core field mappings must be of SQL
Datatype: String OR convertible to String-->
<CoreFields>
<Map>
<!-- Mandatory: EventTime mapping information -->
<Name>EVENT_TIME</Name>
<MapTo>EventTimeUTC</MapTo>
</Map>
<Map>
<!-- If UserName core field mapping is not provided, Audit Data
Collection still starts successfully, but every audit record
will be treated as invalid -->
<Name>USER_ID</Name>
<MapTo>UserName</MapTo>
</Map>
<Map>
<Name>OS_USER_ID</Name>
<MapTo>OSUserName</MapTo>
</Map>
<Map>
<!-- If source name, the ACTION field, for CommandClass core field
mapping is not provided, Audit Data Collection still starts
successfully, but all audit records are treated as invalid -->
<Name>ACTION</Name>
<MapTo>CommandClass</MapTo>
<!-- Mandatory: value transformation from secured target field value
to command class field value. Value of "to" Attribute is from AV
Event set -->
<Transformation>
<ValueTransformation from="1" to="CREATE"/>
<ValueTransformation from="2" to="INSERT"/>
<ValueTransformation from="3" to="SELECT"/>
<ValueTransformation from="4" to="CREATE"/>
<ValueTransformation from="15" to="READ"/>
<ValueTransformation from="30" to="LOGON"/>
<ValueTransformation from="34" to="LOGOFF"/>
<ValueTransformation from="35" to="ACQUIRE"/>
</Transformation>
</Map>
<Map>
<Name>OBJ_NAME</Name>
<MapTo>TargetObject</MapTo>
</Map>
<Map>
<Name>USER_HOST</Name>
<MapTo>ClientHostName</MapTo>
</Map>
<Map>
<Name>OBJ_CREATOR</Name>
<MapTo>TargetOwner</MapTo>
</Map>
<Map>
<Name>STATUS</Name>
<MapTo>EventStatus</MapTo>
<!-- Value transformation for "STATUS" source field value.
Mandatory: EventStatus value transformation.
There are three possible values for EventStatus:
SUCCESS, FAILURE, UNKNOWN -->
<Transformation>
<ValueTransformation from="0" to="FAILURE"/>
<ValueTransformation from="1" to="SUCCESS"/>
<ValueTransformation from="2" to="UNKNOWN"/>
</Transformation>
</Map>
</CoreFields>
<!-- Mapping of Source Fields to Large Fields of AV server i.e fields
with huge content -->
<!-- Secured target fields specified in large field mappings must be
of SQL Datatype:CLOB OR SQL Datatype:String OR convertible to
String -->
<LargeFields>
<Map>
<Name>SQL_TEXT</Name>
<MapTo>CommandText</MapTo>
</Map>
<Map>
<Name>COMMAND_PARAMETER</Name>
<MapTo>CommandParam</MapTo>
</Map>
</LargeFields>
<!-- These secured target fields are collected in a single extension
field, all name-value pairs separated by standard delimiter -->
<!-- Secured target fields specified in extension field mapping must
be of SQL Datatype:String OR convertible to String -->
<ExtensionField>
<Name>DB_ID</Name>
<Name>INSTANCE</Name>
<Name>PROCESS</Name>
<Name>TERMINAL</Name>
</ExtensionField>
<!-- Mandatory: Secured target fields for MarkerField
A group of secured target fields to uniquely identify each Audit
Record -->
<!-- Secured target fields specified to be used as MarkerField mapping
must be of SQL Datatype:String OR convertible to String -->
<MarkerField>
<Name>SESSION_ID</Name>
<Name>ENTRY_ID</Name>
</MarkerField>
</FieldMappingInfo>
</AVTableCollectorTemplate>
This is a sample manifest file for a database table collection plug-in.
Example C-2 Sample Manifest File for a database table collection plug-in
<?xml version="1.0"?>
<plugin xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.oracle.com/av/plugin plugin-manifest.xsd"
xmlns="http://xmlns.oracle.com/av/plugin"
name="HRMS-Template"
id="com.oracle.av.plugin"
version="1.0"
provider-name="Oracle Corp."
copyright="Copyright Oracle Corp. 2011">
<!-- targetVersion: Version of Oracle Audit Vault supported by this
plugin. This is represented by the "min" attribute of
<targetVersion> tag -->
<targetVersion min="11.1.0.0.0"/>
<extensionSet>
<extensionPoint type= "securedTargetType">
<!-- Tag: fileList: Lists all files that ship with the plugin -->
<fileList>
<jars></jars>
<templates>
<include file="DBSource-Mapper.xml"/>
</templates>
<bin></bin>
<config></config>
<shell></shell>
<patch></patch>
<unresolved-external>
</unresolved-external>
</fileList>
<!-- Tag: securedTargetTypeInfo: Contains secured target type and
trail information -->
<securedTargetTypeInfo name="DBSOURCE"/>
<!-- Tag: trailType: contains trail type, location , classname for
source type testSource -->
<trailInfo>
<trailType>TABLE</trailType>
<className name="oracle.av.platform.agent.collfwk.Collector.table.DatabaseTableCollector"/>
</trailInfo>
<!-- eventPatch: OPTIONAL field that indicates any event patches
that need to be applied as part of plugin deployment
The files listed here must be present in the <patch>
tag entries. The order in which the patches need to
be applied can be controlled via the "order" attribute
Patches with lower "order" value will be applied
first -->
<eventPatch name="p6753288_11.1.2.0.0_GENERIC.zip" order="2"/>
</extensionPoint>
</extensionSet>
</plugin>
These attributes and fields are mandatory:
securedTargetType
maxSecuredTargetVersion
version
HeaderInfo
RecordInfo
EventTimeUTC
CommandClass transformations
EventStatus transformations
MarkerField
Source field mappings to these Audit Vault Server fields are not mandatory. If they are not provided, data collection still starts, but all audit records are treated as invalid:
UserName
CommandClass
See Also:
Appendix A, "Audit Vault Server Fields" for lists of fields and events
Example C-3 Sample XML file collection plug-in Mapper File
<AVXMLCollectorTemplate securedTargetType="XMLSOURCE"
maxSecuredTargetVersion="11.0"
version="1.0">
<!--Example Template for XML template collector-->
<!-- Attributes: "securedTargetType", "maxSecuredTargetVersion" and
"version" are mandatory attributes, "minSecuredTargetVersion"
attribute is optional -->
<!-- Accepted Format for min/maxSecuredTargetVersion and version
attribute value is numbers separated by dots (For example:
12.2,10.3.2, 11.2.3.0 etc..)-->
<!-- Header Information like XML Header start tag -->
<HeaderInfo>
<!-- Mandatory: HeaderInfo-->
<!-- Value in this tag gives Root tag of the XML audit file-->
<StartTag>Audit</StartTag>
</HeaderInfo>
<!-- Record Information like Record Start tag and conformation to hold
original record -->
<RecordInfo>
<!-- Mandatory: RecordInfo -->
<!-- Provides starting tag of audit record in XML audit file -->
<StartTag>AuditRecord</StartTag>
</RecordInfo>
<!-- Gives Mapping Information of Source Fields to various AV Fields
(core and large fields) -->
<!-- Not Allowed: many-to-one mapping from source field to
AV Server fields -->
<FieldMappingInfo>
<!-- Mapping of Source Fields to Core Fields of AV server
Source fields specified in core field mappings must be of SQL
Datatype: String OR convertible to String -->
<CoreFields>
<Map>
<Name>EVENT_TIME</Name>
<MapTo>EventTimeUTC</MapTo>
<TimestampPattern>yyyy-MM-dd HH:mm:ss.SSS</TimestampPattern>
</Map>
<Map>
<!-- If UserName core field mapping is not provided, Audit Data
Collection still starts successfully, but every audit record
will be treated as invalid -->
<Name>USER_ID</Name>
<MapTo>UserName</MapTo>
</Map>
<Map>
<Name>OS_USER_ID</Name>
<MapTo>OSUserName</MapTo>
</Map>
<Map>
<!-- If source name, the ACTION field, for CommandClass
core field mapping is not provided, Audit Data Collection
still starts successfully, but all audit records are treated
as invalid -->
<Name>ACTION</Name>
<MapTo>CommandClass</MapTo>
<!-- Mandatory: value transformations from source to Action
field value. Value of "to" Attribute is from AV Event set -->
<Transformation>
<ValueTransformation from="1" to="CREATE"/>
<ValueTransformation from="2" to="INSERT"/>
<ValueTransformation from="3" to="SELECT"/>
<ValueTransformation from="4" to="CREATE"/>
<ValueTransformation from="15" to="READ"/>
<ValueTransformation from="30" to="LOGON"/>
<ValueTransformation from="34" to="LOGOFF"/>
<ValueTransformation from="35" to="ACQUIRE"/>
</Transformation>
</Map>
<Map>
<Name>OBJ_NAME</Name>
<MapTo>TargetObject</MapTo>
</Map>
<Map>
<Name>USER_HOST</Name>
<MapTo>ClientHostName</MapTo>
</Map>
<Map>
<Name>OBJ_CREATOR</Name>
<MapTo>TargetOwner</MapTo>
</Map>
<Map>
<Name>STATUS</Name>
<MapTo>EventStatus</MapTo>
<!-- Specifying value transformation for Status source field value.
Mandatory: EventStatus value transformation.
There are three possible values for EventStatus:
SUCCESS, FAILURE, UNKNOWN -->
<Transformation>
<ValueTransformation from="0" to="FAILURE"/>
<ValueTransformation from="1" to="SUCCESS"/>
<ValueTransformation from="2" to="UNKNOWN"/>
</Transformation>
</Map>
</CoreFields>
<!-- Mapping of Source Fields to Large Fields of AV server i.e fields
with huge content -->
<!-- Source fields specified in large field mappings must be of SQL
Datatype:CLOB OR SQL Datatype:String OR convertible to String -->
<LargeFields>
<Map>
<Name>SQL_TEXT</Name>
<MapTo>CommandText</MapTo>
</Map>
<Map>
<Name>COMMAND_PARAMETER</Name>
<MapTo>CommandParam</MapTo>
</Map>
</LargeFields>
<!-- These Source fields will be collected in a single extension
field, all name-value pairs are separated by standard delimiter -->
<!-- Source fields specified in extension field mapping must be of
SQL Datatype:String OR convertible to String -->
<ExtensionField>
<Name>DB_ID</Name>
<Name>INSTANCE</Name>
<Name>PROCESS</Name>
<Name>TERMINAL</Name>
</ExtensionField>
<!-- This is group of source fields for uniquely identifying each
Audit Record Marker -->
<!-- Source fields specified to be used as Marker field mapping must
be of SQL Datatype:String OR convertible to String -->
<!-- Mandatory: Source fields for MarkerField -->
<MarkerField>
<Name>SESSION_ID</Name>
<Name>ENTRY_ID</Name>
</MarkerField>
</FieldMappingInfo>
</AVXMLCollectorTemplate>
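The rules stated in the comments of Examples C-1 and C-3 (mandatory attributes and elements, version format, no many-to-one mappings, mandatory transformations and MarkerField) can be checked before a mapper template is deployed, so that a faulty mapping does not silently turn every audit record invalid. The following Python check is an added example, not Oracle code; `check_mapper` and the sample input are hypothetical, and the Driver check is left out because the sample shows no such element.

```python
import re
import xml.etree.ElementTree as ET

VERSION = re.compile(r"\d+(\.\d+)*")   # "numbers separated by dots"
EVENT_STATUS = {"SUCCESS", "FAILURE", "UNKNOWN"}

def check_mapper(xml_text):
    """Return (errors, warnings) for a table or XML collector mapper template."""
    root, errors, warnings = ET.fromstring(xml_text), [], []
    for attr in ("securedTargetType", "maxSecuredTargetVersion", "version"):
        if attr not in root.attrib:
            errors.append(f"missing attribute {attr}")
    for attr in ("minSecuredTargetVersion", "maxSecuredTargetVersion", "version"):
        if not VERSION.fullmatch(root.get(attr, "0")):   # absent attributes pass here
            errors.append(f"bad version format in {attr}")
    table = root.tag == "AVTableCollectorTemplate"       # else the XML file template
    for path in ["TableName"] if table else ["HeaderInfo/StartTag", "RecordInfo/StartTag"]:
        if not (root.findtext(path) or "").strip():
            errors.append(f"missing {path}")
    maps = {}                                            # AV Server field -> first <Map>
    for m in root.iterfind("FieldMappingInfo/*/Map"):
        target = (m.findtext("MapTo") or "").strip()
        if maps.setdefault(target, m) is not m:
            errors.append(f"many-to-one mapping onto {target}")
    for target, sink in (("EventTimeUTC", errors), ("UserName", warnings), ("CommandClass", warnings)):
        if target not in maps:
            sink.append(f"no {target} mapping")   # warning = records collected as invalid
    for target in ("CommandClass", "EventStatus"):
        if target in maps:               # assumption: checked only when the field is mapped
            vts = maps[target].findall("Transformation/ValueTransformation")
            if not vts:
                errors.append(f"{target} has no value transformations")
            if target == "EventStatus" and any(v.get("to") not in EVENT_STATUS for v in vts):
                errors.append("EventStatus transformation outside SUCCESS/FAILURE/UNKNOWN")
    if root.find("FieldMappingInfo/MarkerField/Name") is None:
        errors.append("missing MarkerField")
    return errors, warnings

# Constructed sample with deliberate faults (not from the original page).
BROKEN = """<AVXMLCollectorTemplate securedTargetType="XMLSOURCE" version="1.x">
<HeaderInfo><StartTag>Audit</StartTag></HeaderInfo><FieldMappingInfo><CoreFields>
<Map><Name>EVENT_TIME</Name><MapTo>EventTimeUTC</MapTo></Map>
<Map><Name>USER_ID</Name><MapTo>UserName</MapTo></Map>
<Map><Name>LOGIN</Name><MapTo>UserName</MapTo></Map>
<Map><Name>STATUS</Name><MapTo>EventStatus</MapTo><Transformation>
<ValueTransformation from="0" to="DENIED"/></Transformation></Map>
</CoreFields></FieldMappingInfo></AVXMLCollectorTemplate>"""
if __name__ == "__main__":
    print(check_mapper(BROKEN))
```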
This is a sample manifest file for an XML file collection plug-in.
Example C-4 Sample Manifest File for an XML file collection plug-in
<?xml version="1.0"?>
<plugin xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.oracle.com/av/plugin plugin-manifest.xsd"
xmlns="http://xmlns.oracle.com/av/plugin"
name="Oracle-XML-Template"
id="com.oracle.av.plugin"
version="1.0"
provider-name="Oracle Corp."
copyright="Copyright Oracle Corp. 2011">
<!-- targetVersion: Version of Oracle Audit Vault supported by
this plugin. This is represented by the "min" attribute of
<targetVersion> tag -->
<targetVersion min="11.1.0.0.0"/>
<extensionSet>
<extensionPoint type= "securedTargetType">
<!-- fileList: Lists *all* the files that ship with the plugin -->
<fileList>
<jars></jars>
<templates>
<include file="XMLSource-Mapper.xml"/>
</templates>
<bin></bin>
<config></config>
<shell></shell>
<patch></patch>
<unresolved-external></unresolved-external>
</fileList>
<!-- securedTargetTypeInfo: Contains source type and trail information
-->
<securedTargetTypeInfo name="oracle"/>
<!-- trailType: contains trail type, location , classname for
source type testSource -->
<trailInfo>
<trailType>DIRECTORY</trailType>
<className name="oracle.av.platform.agent.collfwk.ezcollector.xml.XMLFileCollector"/>
</trailInfo>
<!-- eventPatch: OPTIONAL field that indicates any event patches
that need to be applied as part of plugin deployment.
The files listed here must be present in the <patch>
tag entries. The order in which the patches need to
be applied can be controlled via the "order" attribute.
Patches with lower "order" value will be applied
first -->
<eventPatch name="p6753288_11.1.2.0.0_GENERIC.zip" order="2"/>
</extensionPoint>
</extensionSet>
</plugin>