10 Integration with Third Party SIEM and Log-data Analysis Tools

Oracle Audit Vault and Database Firewall supports integration with third-party SIEM (Security Information and Event Management) and log-data analysis tools. Oracle Audit Vault and Database Firewall can push alerts to an external system using SYSLOG. It also allows third-party tools to connect directly to the database and extract (pull) data from the event log table using a collector provided by the SIEM.

For the push method where Oracle Audit Vault and Database Firewall sends alerts to the SIEM using SYSLOG, see Configuring Oracle Audit Vault Server Syslog Destinations for information.

For the pull method, configure the SIEM to view and extract all the data from the AVSYS.EVENT_LOG table using the collector provided by the SIEM. This requires creating a user in Oracle Audit Vault and Database Firewall with the auditor role. Ensure that this user has access to the targets whose data has to be sent to the SIEM. This is the database user the SIEM uses to connect to the database. The remaining configuration needs to be completed in the SIEM. The Oracle Audit Vault and Database Firewall schema and the specific mapping of the AVSYS.EVENT_LOG table to the SIEM depend on the SIEM. A description of the EVENT_LOG table is available in Appendix Oracle Audit Vault and Database Firewall Database Schemas.

Note:

When Database Firewall is configured for high availability, the settings must be the same on all the Database Firewall instances. In the event of a failover, the standby Database Firewall instance becomes the primary, and the SYSLOG settings on that instance take effect. During the failover, some SYSLOG settings and logging are turned off. This is done to avoid duplicate logs being sent by both instances.

When the previous primary becomes active again, settings are not transferred or shared between the Database Firewall instances. Avoid modifying rsyslog.conf manually, because any manual changes are erased during the next failover. The saved values in the SYSLOG settings should not be changed on failover.

10.1 How Oracle Audit Vault and Database Firewall Integrates with HP ArcSight SIEM

The HP ArcSight Security Information Event Management (SIEM) system is a centralized system for logging, analyzing, and managing messages from different sources. The Audit Vault Server forwards messages to ArcSight SIEM from both the Audit Vault Server and Database Firewall components of Oracle Audit Vault and Database Firewall.

You do not need to install additional software if you want to integrate ArcSight SIEM with Oracle Audit Vault and Database Firewall. You configure the integration by using the Audit Vault Server console.

Messages sent to the ArcSight SIEM Server are independent of any other messages that may be sent from Oracle Audit Vault and Database Firewall. This means you can send standard syslog messages to a different destination.

Oracle Audit Vault and Database Firewall categorizes the messages that can be sent to ArcSight SIEM. There are three categories:

  • System - syslog messages from subcomponents of the Audit Vault Server and Database Firewall components of Oracle Audit Vault and Database Firewall

  • Info - specific change logging from the Database Firewall component of Oracle Audit Vault and Database Firewall

  • Debug - a category that should only be used under the direction of Oracle Support

Note:

Micro Focus Security ArcSight SIEM (previously known as HP ArcSight SIEM) is deprecated in 12.2.0.8.0 and is desupported in 12.2.0.9.0. Use the syslog integration feature instead.

10.2 Enabling the HP ArcSight SIEM Integration

When you enable the ArcSight SIEM integration, the settings take effect immediately. You do not need to restart the Audit Vault Server.

Note:

HP ArcSight SIEM is deprecated in 12.2.0.8.0, and will be desupported in 12.2.0.9.0. It is advisable to use the syslog integration feature instead.

To enable ArcSight SIEM integration:

  1. Log in to the Audit Vault Server console as a super administrator.
  2. Click the Settings tab.
  3. From the System menu, click Connectors, and scroll down to the HP ArcSight SIEM section.
  4. Specify the following:
    • Enable ArcSight event forwarding: Select this check box to enable ArcSight SIEM integration.

    • ArcSight destinations: Depending on the communications protocol you are using, enter the IP address or host name of the ArcSight server in the UDP field, or its IP address, host name, and port in the TCP field. This setting enables the syslog log output to be sent to this ArcSight server in Common Event Format (CEF).

    • Event categories: Select any combination of message categories, depending on which types of messages are needed in the ArcSight server.

    • Limit message length: You can choose to limit the message to a specified number of bytes.

    • Maximum message length (bytes): If you selected Limit message length, enter the maximum length that you want. The range allowed is 1024 to 1048576 characters.

  5. Click Save.
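As an added example (not Oracle's code, and not real Oracle Audit Vault and Database Firewall output), here is the receiving side of the ArcSight destination configured above: a small Python parser for CEF-formatted syslog lines, run over a constructed sample line, plus a helper that models the Limit message length option as a plain byte cut so you can see that a truncated line still parses but its last extension value is shortened. The vendor, product, signature id and extension values in the sample are placeholders, and the byte-cut model of the length limit is an assumption, since the page does not state how the limit is applied.

```python
import re
from typing import Dict, List

# Constructed sample of a CEF-formatted syslog line as a SIEM might receive it.
# It is NOT a message captured from Oracle Audit Vault and Database Firewall;
# vendor, product, signature id and extension values are placeholders.
SAMPLE_CEF = (
    "CEF:0|ExampleVendor|ExampleProduct|1.0|100|Login failure|7|"
    "src=10.0.0.5 suser=appuser msg=Invalid password for user\\=appuser"
)

HEADER_FIELDS = ["version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity"]

def split_header(message: str) -> List[str]:
    """Split the seven pipe-delimited header fields from the extension.
    A pipe inside a header field is escaped as '\\|', so split only on
    unescaped pipes and unescape afterwards."""
    parts = re.split(r"(?<!\\)\|", message, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF message")
    return [p.replace("\\|", "|") for p in parts]

def parse_extension(extension: str) -> Dict[str, str]:
    """Parse the space-separated key=value extension; '\\=' is an escaped '='.
    Values may contain spaces, so a value runs until the next ' key=' token
    or the end of the line (which is where a truncated message simply stops)."""
    pairs = re.findall(r"(\w+)=((?:\\=|[^=])*?)(?=\s\w+=|$)", extension)
    return {key: value.replace("\\=", "=").strip() for key, value in pairs}

def parse_cef(message: str) -> Dict[str, object]:
    """Turn one CEF line into a record with typed header fields and an extension dict."""
    parts = split_header(message)
    record: Dict[str, object] = dict(zip(HEADER_FIELDS, parts[:7]))
    record["version"] = parts[0][len("CEF:"):]
    record["severity"] = int(parts[6])
    record["extension"] = parse_extension(parts[7])
    return record

def enforce_limit(message: str, max_bytes: int) -> str:
    """Cut a message to max_bytes of UTF-8. This is an assumed model of the
    sender's 'Limit message length' option; the page does not specify its rule."""
    return message.encode("utf-8")[:max_bytes].decode("utf-8", errors="ignore")
```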