Topics
You can create and configure alerts on events for secured targets, and for third-party plug-ins that have been developed using the Oracle Audit Vault and Database Firewall SDK. These events may be collected by the Audit Vault Agent or the Database Firewall. Alerts are independent of audit policies or firewall policies.
Alerts are rule-based: if the rule definition is matched (for example, User A fails to log in to Client Host B after three tries), then an alert is raised. One alert can be applied to multiple secured targets, such as four Oracle databases, and its rule can span more than one event from different secured targets, for example, User A failed to log in to secured target X and User A also failed to log in to secured target Y.
You can specify an alert severity and associate the alert with the audit events through active directory. Also, if a secured target is monitored by a Database Firewall, you can configure alerts on the audit records that the firewall sends to the Audit Vault Server, in addition to the alerts specified in the firewall policy.
When you configure an alert, you can set up an email to be automatically sent to a user, such as a security officer, or to a distribution list. You can also configure templates to be used for email alert notification.
Alerts are raised when the audit data reaches the Audit Vault Server, not when the event that raises the alert occurs. The time lag between when the event occurs and when the alert is raised depends on several factors, including how frequently the audit trails are retrieved. The timestamp of an alert event indicates the time that the event occurred (for example, the time that User A tries to log in). The timestamp for the alert indicates when the alert was raised.
A good way to define specific alerts that are meaningful to you is to first browse activity reports in Oracle Audit Vault and Database Firewall. Activity reports contain a variety of audit event data, so browsing them can help you determine the key fields in audit records that are of special interest to you. These audit record fields are columns in the activity reports.
Looking at the report columns of interest, and the values in those columns, is a useful starting point for creating an alert that focuses on the audit events on which you want to be alerted. You can then create an alert with a condition (a rule) that defines the specific audit record field(s) and values that will trigger the alert.
For example, suppose you want to be alerted on schema changes to certain database objects. You can start by browsing the Database Schema Changes activity report. Figure 8-1 shows a sample of this report.
Figure 8-1 Activity Report: Database Schema Changes
From this report, you can see the various database target objects, users, client program names, and other data associated with schema change audit events captured by Oracle Audit Vault and Database Firewall. From here, you can decide which target objects you want to alert on. You can then narrow down the alert to specific users, client programs, etc.
When you create an alert in Oracle Audit Vault and Database Firewall, you define the conditions that will trigger the alert, and specify the type of notification that will be sent, and to whom. For example, you could create an alert that is raised each time User X tries to modify Table Y, which will notify administrator Z, using a specific email notification template.
Oracle Audit Vault and Database Firewall has a preconfigured alert that is triggered based on alert settings in your Database Firewall policy. The alerts you create are for audit and other events not associated with Database Firewall.
To create or modify an alert:
Log in to the Audit Vault Server console as an auditor.
Click the Policy tab.
From the Alerts menu on the left, select Alert Definitions.
The Alert Definitions page appears with a list of the existing alerts.
To create a new alert, click Create. To view or modify an existing alert, click its name in the Alert Name column.
The Create (or Modify) Alert page appears.
Specify the following information:
Name: Enter a name for the alert.
Secured Target Type: Select a secured target type, for example, Oracle Database.
Severity: Select Warning or Critical.
Threshold: Enter the number of times the alert condition should be met before the alert is raised.
Duration: If you entered a threshold value that is more than 1, enter the length of time (in minutes) that this alert condition should be evaluated to meet that threshold value. For example if you enter a threshold of 3 and duration of 5, then the condition must be met 3 times in 5 minutes to raise an alert.
Group By (Field): Select a field from the list to group events by this column for this alert.
Description: Optionally, enter a description for this alert.
Condition: Enter a Boolean condition that must be met for this alert to be triggered.
You can click any of the Condition - Available Fields listed on the right to enter them as part of the alert condition. These fields are the permissible audit record fields you can use to build your condition, in the following format:
:condition_field operator expression
You can use any valid SQL WHERE clause with the available fields, making sure to include a colon (:) before each field. For example, your condition may be:
upper(:EVENT_STATUS)='FAILURE'
Optionally, in the Notification area:
Specify the following information:
Template: Select a notification template to use for this alert (see the section on creating alert notification templates).
Distribution List: Select an email distribution list that will be notified about this alert.
To: Enter email addresses, separated by commas, to receive notifications.
Cc: Enter email addresses, separated by commas, to be copied on notifications.
Click Add to List to record the email recipients that you entered in the To and Cc fields.
Click Save.
The new alert appears in the Alert Definitions page.
You can monitor alert activity from the dashboard on the Audit Vault Server console Home page.
In the Condition field of the Create Alert page, you can construct a Boolean condition that evaluates audit events. When the Boolean condition evaluates to TRUE, Oracle Audit Vault and Database Firewall raises the alert and notifies any specified users. As a general guideline, keep your alert conditions simple: overly complex conditions can slow the Audit Vault Server database performance.
Syntax of Alert Conditions
The syntax for an alert condition is:
:condition_field operator expression
For example:
:event_status='FAILURE' and upper(:event_name)=upper('LOGON')
An alert condition is similar to a WHERE clause in a SELECT statement, with a colon (:) added before each field. For example, the above condition corresponds to the WHERE clause in this SELECT statement:
SELECT user_name, event_status, event_name from avsys.event_log WHERE event_status='FAILURE' and upper(event_name)=upper('LOGON');
The WHERE clause above captures events in the avsys.event_log table where the event was LOGON and the event status was FAILURE. Converting this WHERE clause to an alert condition causes the alert to be triggered whenever there is a failed logon. You can specify in the alert how many failed logons within a specified period of time trigger the alert.
Rules for Writing Alert Conditions
Table 8-1 lists the rules for writing alert conditions and gives some examples.
Table 8-1 Rules for Writing Alert Conditions
Alert for Example 1 in the Audit Vault Server Console
The figure below shows what the alert from Example 1 above looks like in the Create Alert page in the Audit Vault Server console.
This alert says: "Alert me whenever there are three failed logon attempts on Oracle Database secured targets within a five-minute period."
The alert Condition uses two of the Condition - Available Fields on the right side of the Create Alert page.
If this alert is raised, its Severity will be set to Warning. An email will also be sent to the user avdf_auditor@samplecompany.com, using the Alert Notification Template.
In reports, instances of this alert will be grouped by client application ID.
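The following Python script is an added example, not code from Oracle Audit Vault and Database Firewall; it shows how the condition syntax from the section above and the threshold, duration and Group By settings of Example 1 combine. The `:FIELD` tokens of a condition are passed to an in-memory SQLite database as named bind parameters (SQLite stands in for the Oracle database that evaluates the real conditions), so the condition is evaluated as a genuine SQL expression and only the record values are bound. The audit records are constructed sample data, and the assumption that the duration window is measured over EVENT_TIME rather than the time the record reached the Audit Vault Server is the author's, not the page's.

```python
import sqlite3
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records (not real AVDF data). Keys are the
# Condition - Available Fields; EVENT_TIME is an ISO-8601 string.
RECORDS = [
    {"USER_NAME": "JDOE", "CLIENT_ID": "sqlplus@ws1", "EVENT_NAME": "LOGON",
     "EVENT_STATUS": "FAILURE", "EVENT_TIME": "2014-04-16T22:50:00"},
    {"USER_NAME": "JDOE", "CLIENT_ID": "sqlplus@ws1", "EVENT_NAME": "LOGON",
     "EVENT_STATUS": "FAILURE", "EVENT_TIME": "2014-04-16T22:52:10"},
    {"USER_NAME": "JDOE", "CLIENT_ID": "sqlplus@ws1", "EVENT_NAME": "LOGON",
     "EVENT_STATUS": "SUCCESS", "EVENT_TIME": "2014-04-16T22:53:00"},
    {"USER_NAME": "JDOE", "CLIENT_ID": "sqlplus@ws1", "EVENT_NAME": "LOGON",
     "EVENT_STATUS": "FAILURE", "EVENT_TIME": "2014-04-16T22:54:30"},
    # Three failures from a second client, but spread over 40 minutes.
    {"USER_NAME": "ASMITH", "CLIENT_ID": "jdbc@app7", "EVENT_NAME": "logon",
     "EVENT_STATUS": "FAILURE", "EVENT_TIME": "2014-04-16T22:50:00"},
    {"USER_NAME": "ASMITH", "CLIENT_ID": "jdbc@app7", "EVENT_NAME": "logon",
     "EVENT_STATUS": "FAILURE", "EVENT_TIME": "2014-04-16T23:10:00"},
    {"USER_NAME": "ASMITH", "CLIENT_ID": "jdbc@app7", "EVENT_NAME": "logon",
     "EVENT_STATUS": "FAILURE", "EVENT_TIME": "2014-04-16T23:30:00"},
    # A failed DROP TABLE is not a logon and must not count.
    {"USER_NAME": "SCOTT", "CLIENT_ID": "sqlplus@ws1", "EVENT_NAME": "DROP TABLE",
     "EVENT_STATUS": "FAILURE", "EVENT_TIME": "2014-04-16T22:51:00"},
]

# The failed-logon condition, written as it would be typed into the
# Condition field (field names carry the leading colon).
FAILED_LOGON = ":EVENT_STATUS='FAILURE' and upper(:EVENT_NAME)=upper('LOGON')"


def condition_matches(condition: str, record: dict) -> bool:
    """Evaluate one alert condition against one audit record.

    The :FIELD tokens are handed to SQLite as named bind parameters, so the
    record values are never spliced into SQL text. The condition string
    itself is spliced in, exactly as a WHERE clause would be, which is why
    only auditors should be able to author conditions.
    """
    con = sqlite3.connect(":memory:")
    try:
        sql = f"SELECT CASE WHEN {condition} THEN 1 ELSE 0 END"
        (hit,) = con.execute(sql, record).fetchone()
        return hit == 1
    finally:
        con.close()


def evaluate_alert(records, condition, threshold=1, duration_minutes=None,
                   group_by=None):
    """Apply threshold / duration / group-by semantics to matching records.

    Returns a list of (group_value, [event_times]) for each group in which
    `threshold` matching events fall inside a sliding window of
    `duration_minutes`. With threshold 1 every match raises on its own.
    Assumption: the window is measured over EVENT_TIME (when the event
    happened), not over when the record reached the Audit Vault Server.
    """
    groups = defaultdict(list)
    for rec in records:
        if condition_matches(condition, rec):
            key = rec[group_by] if group_by else None
            groups[key].append(datetime.fromisoformat(rec["EVENT_TIME"]))

    raised = []
    for key, times in groups.items():
        times.sort()
        if threshold <= 1:
            raised.append((key, times))
            continue
        window = timedelta(minutes=duration_minutes)
        # Slide a window of `threshold` consecutive matches over the sorted
        # times; the first span that fits in `duration_minutes` raises.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                raised.append((key, times[i:i + threshold]))
                break
    return raised


if __name__ == "__main__":
    # Example 1: three failed logons within five minutes, grouped by client.
    for key, times in evaluate_alert(RECORDS, FAILED_LOGON, threshold=3,
                                     duration_minutes=5, group_by="CLIENT_ID"):
        print(f"ALERT Warning: 3 failed logons from {key} between "
              f"{times[0].isoformat()} and {times[-1].isoformat()}")
```

Running it raises one alert, for the sqlplus client: its three failures span four and a half minutes, while the second client's three failures are forty minutes apart and the DROP TABLE failure never matches the condition. Widening the duration to sixty minutes raises for both clients, which is the practical reason to browse the activity report first and choose the threshold and window from the traffic you actually see.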
Available Audit Record Fields for use in Alert Conditions
Table 8-2 describes the available audit record fields you can use in alert conditions. These fields appear on the Create Alert page (shown in the figure above) so that you can cut and paste them into alert conditions as needed.
Important: These fields must be preceded by a colon (:) when used in the condition (for example :USER_NAME).
Table 8-2 Available Fields for Alert Conditions
Condition Field | Description
---|---
ACTION_TAKEN | (Firewall Alerts) Action taken by the Database Firewall.
AV_TIME | The time Oracle Audit Vault and Database Firewall raised the alert.
CLIENT_HOST_NAME | The host name of the client application that was the source of the event causing the alert.
CLIENT_ID | The ID of the client application that was the source of the event causing the alert.
CLIENT_IP | The IP address of the client application that was the source of the event causing the alert.
CLUSTER_TYPE | (Firewall Alerts) The cluster type of the SQL statement causing the alert. Values may be: Data Manipulation, Data Definition, Data Control, Procedural, Transaction, Composite, Composite with Transaction.
COMMAND_CLASS | The Oracle Audit Vault and Database Firewall command class. Tip: You can look up audit event names and attributes in Oracle Database Audit Events through Active Directory Audit Events.
ERROR_CODE | The secured target's error code.
ERROR_MESSAGE | The secured target's error message.
EVENT_NAME | The secured target's audit event name. Tip: You can look up audit event names and attributes in Oracle Database Audit Events through Active Directory Audit Events.
EVENT_STATUS | Status of the event, for example FAILURE as used in the conditions above.
EVENT_TIME | The time that the event occurred.
LOCATION | Describes where the audit trail is located. Valid values are: Audit File, Audit Table, Transaction Log, Event Log, Syslog, Network, Custom.
NETWORK_CONNECTION | Description of the connection between the secured target database and the database client.
POLICY_NAME | The name of the Database Firewall policy.
OSUSER_NAME | Name of the secured target's OS user.
SECURED_TARGET_CLASS | Secured targets fall into these classes: Database, OS, Directory Service, Filesystem.
SECURED_TARGET_NAME | Name of the secured target in Oracle Audit Vault and Database Firewall.
TARGET_OBJECT | Name of the object on the secured target, for example, a table name, file name, or a directory name. Must be in upper case.
TARGET_OWNER | Owner of the object on the secured target.
TARGET_TYPE | The object type on the secured target.
TERMINAL | The Unix terminal that was the source of the event causing the alert.
THREAT_SEVERITY | (Firewall Alerts) The threat severity of the SQL statement triggering the alert, as defined in a Database Firewall policy.
USER_NAME | User name of the secured target user.
Oracle AVDF raises an alert when the data in a single audit record matches the alert condition, or when multiple matching events satisfy the alert's threshold and duration settings. Auditors can view recently raised alerts in the dashboard on the Audit Vault Server console's Home page. Alerts are grouped by the time that the alerts are raised, and by the severity level of the alert (Warning or Critical). From here, you can drill down to reports.
You can also schedule alert reports from the Audit Vault Server Reports tab.
In addition to seeing alerts in reports, and receiving them in notifications as specified in the alert configuration, you can also forward all alert messages to syslog.
As a prerequisite to forwarding alerts to syslog, the Oracle Audit Vault and Database Firewall administrator must configure syslog destinations in the Audit Vault Server, and select Alert as a syslog category. See the Oracle Audit Vault and Database Firewall Administrator's Guide for instructions.
To forward all alerts to syslog:
Example 8-1 Oracle Audit Vault and Database Firewall Syslog Alert Message Format
Oracle Audit Vault and Database Firewall alerts appear in syslog in a format similar to the following:
[AVDFAlert@111 name="alert_name" severity="alert_severity" url="auditor_console_URL_for_alert" time="alert_generated_time" target="secured_target" user="username" desc="alert_description"]
The user and target parameters may list zero or more users or targets related to this alert.
Example:
Apr 16 23:22:31 avs08002707d652 logger: [AVDFAlert@111 name="w_1" severity="Warning" url="https://192.0.2.10/console/f?p=7700..." time="2014-04-16T22:55:30.462332Z" target="cpc_itself" user="JDOE" desc=" "]
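A parser for the message format in Example 8-1, as an added example (this is not Oracle Audit Vault and Database Firewall code): it pulls the `AVDFAlert@111` element out of a raw syslog line so a SIEM or a small watcher script can route Critical alerts differently from Warnings. The first sample line is the page's own example; the other two are constructed, and the assumption that a backslash escapes a quote or bracket inside a parameter value (the RFC 5424 structured-data convention) is the author's, since the page shows no escaped values.

```python
import re
from datetime import datetime, timezone

# The bracketed element AVDF writes, e.g. [AVDFAlert@111 name="w_1" ...].
# Parameters are consumed as quoted strings so a "]" inside a value does
# not end the element early. The SD-ID is captured and checked so other
# structured-data elements in the same stream are not mis-parsed.
SD_ELEMENT = re.compile(
    r'\[(?P<sd_id>AVDFAlert@\d+)'
    r'(?P<params>(?:\s+\w+="(?:[^"\\]|\\.)*")*)\s*\]')
# key="value" pairs; a backslash escapes the next character (assumed).
PARAM = re.compile(r'(?P<key>\w+)="(?P<value>(?:[^"\\]|\\.)*)"')

SAMPLE_SYSLOG = [
    # Line taken from Example 8-1 above.
    'Apr 16 23:22:31 avs08002707d652 logger: [AVDFAlert@111 name="w_1" '
    'severity="Warning" url="https://192.0.2.10/console/f?p=7700..." '
    'time="2014-04-16T22:55:30.462332Z" target="cpc_itself" user="JDOE" desc=" "]',
    # Constructed: a Critical alert whose description carries an escaped
    # quote and a literal "]".
    'Apr 16 23:40:02 avs08002707d652 logger: [AVDFAlert@111 name="schema_change" '
    'severity="Critical" url="https://192.0.2.10/console/f?p=7700..." '
    'time="2014-04-16T23:39:55.000000Z" target="hr_db" user="SCOTT" '
    'desc="DROP TABLE on \\"EMP\\" [prod]"]',
    # Constructed: unrelated syslog traffic that must be ignored.
    'Apr 16 23:40:03 avs08002707d652 sshd[2231]: Accepted publickey for oracle '
    'from 192.0.2.50 port 50112',
]


def parse_avdf_alert(line: str):
    """Parse one syslog line carrying an AVDFAlert element.

    Returns a dict of the parameters (unescaped) plus sd_id, the syslog
    prefix before the element and, when a time is present, time_dt as an
    aware UTC datetime. Returns None for lines with no AVDFAlert element so
    the function can be mapped over a whole syslog stream.
    """
    m = SD_ELEMENT.search(line)
    if not m:
        return None
    alert = {"sd_id": m.group("sd_id"),
             "syslog_prefix": line[:m.start()].rstrip()}
    for p in PARAM.finditer(m.group("params")):
        alert[p.group("key")] = re.sub(r"\\(.)", r"\1", p.group("value"))
    if "time" in alert:
        for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
            try:
                alert["time_dt"] = datetime.strptime(alert["time"], fmt) \
                    .replace(tzinfo=timezone.utc)
                break
            except ValueError:
                continue
    return alert


def filter_alerts(lines, severity=None, target=None):
    """Return parsed alerts from `lines`, optionally restricted by severity
    (Warning or Critical) and secured target name."""
    out = []
    for line in lines:
        alert = parse_avdf_alert(line)
        if alert is None:
            continue
        if severity and alert.get("severity") != severity:
            continue
        if target and alert.get("target") != target:
            continue
        out.append(alert)
    return out


if __name__ == "__main__":
    for a in filter_alerts(SAMPLE_SYSLOG, severity="Critical"):
        print(f'{a["time_dt"].isoformat()} {a["target"]} {a["user"]}: '
              f'{a["name"]} ({a["desc"]}) -> {a["url"]}')
```

The time parameter is the time the alert was generated (the alert timestamp described earlier in this chapter), not the time of the underlying event; when correlating with other logs, join on the url back to the auditor console rather than on this timestamp. Lines that do not carry the element, including the syslog categories other than Alert that the administrator may also have enabled, are skipped rather than raising.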