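Learn from samples of various types of collection plug-ins, such as database table, XML file, and Java-based file collection plug-ins.
See the examples of the mapper file for the Oracle Audit Vault database table collection plug-in and the manifest file for the database table plug-in.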
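Learn which Oracle Audit Vault attributes and fields are required or optional in the mapper file for the database table collection plug-in.
The mapper file for the Oracle Audit Vault database table collection plug-in has certain required fields.
Required Fields
The following attributes and fields are required:
securedTargetType
maxSecuredTargetVersion
version
TableName
Driver
EventTimeUTC
CommandClass
    Transformation
EventStatus
    Transformation
MarkerField
Optional Fields
Source names that map to the following Oracle Audit Vault Server fields are not required. However, if this information is not provided when data collection starts, all audit records are treated as invalid.
UserName
CommandClass
Example C-1 Sample XML Mapper File for the Database Table Collection Plug-in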
<AVTableCollectorTemplate securedTargetType="DBSOURCE"
                          minSecuredTargetVersion="10.2.0"
                          maxSecuredTargetVersion="11.0"
                          version="1.0">
  <!-- Example Template for a database Collector -->
  <!-- Attributes: securedTargetType, maxSecuredTargetVersion, and version are
       mandatory; minSecuredTargetVersion attribute is optional -->
  <!-- Accepted Format for min/maxSecuredTargetVersion and version attribute
       value is numbers separated by dots
       (For example: 12.2, 10.3.2, 11.2.3.0 etc..) -->

  <!-- Audit Table Information -->
  <!-- Name of Audit Table: Mandatory information -->
  <TableName>dummy_auditTable</TableName>

  <!-- Source Connection Information -->
  <ConnectionInfo>
    <DataSource>oracle.jdbc.pool.OracleDataSource</DataSource>
    <!-- Datasource class name for current secured target type:
         Mandatory information -->
  </ConnectionInfo>

  <!-- This Gives Mapping Information of Source Fields to various AV Fields
       (core and large fields) -->
  <!-- There should be no many-to-one mappings from source fields to
       AV Server fields -->
  <FieldMappingInfo>
    <!-- Mapping of Source Fields to Core Fields of AV server -->
    <!-- Source fields specified in core field mappings must be of
         SQL Datatype: String OR convertible to String -->
    <CoreFields>
      <Map>
        <!-- Mandatory: EventTime mapping information -->
        <Name>EVENT_TIME</Name>
        <MapTo>EventTimeUTC</MapTo>
      </Map>
      <Map>
        <!-- If UserName core field mapping is not provided, Audit Data
             Collection still starts successfully, but every audit record
             will be treated as invalid -->
        <Name>USER_ID</Name>
        <MapTo>UserName</MapTo>
      </Map>
      <Map>
        <Name>OS_USER_ID</Name>
        <MapTo>OSUserName</MapTo>
      </Map>
      <Map>
        <!-- If source name, the ACTION field, for CommandClass core field
             mapping is not provided, Audit Data Collection still starts
             successfully, but all audit records are treated as invalid -->
        <Name>ACTION</Name>
        <MapTo>CommandClass</MapTo>
        <!-- Mandatory: value transformation from secured target field value
             to command class field value.
             Value of "to" Attribute is from AV Event set -->
        <Transformation>
          <ValueTransformation from="1" to="CREATE"/>
          <ValueTransformation from="2" to="INSERT"/>
          <ValueTransformation from="3" to="SELECT"/>
          <ValueTransformation from="4" to="CREATE"/>
          <ValueTransformation from="15" to="READ"/>
          <ValueTransformation from="30" to="LOGON"/>
          <ValueTransformation from="34" to="LOGOFF"/>
          <ValueTransformation from="35" to="ACQUIRE"/>
        </Transformation>
      </Map>
      <Map>
        <Name>OBJ_NAME</Name>
        <MapTo>TargetObject</MapTo>
      </Map>
      <Map>
        <Name>USER_HOST</Name>
        <MapTo>ClientHostName</MapTo>
      </Map>
      <Map>
        <Name>OBJ_CREATOR</Name>
        <MapTo>TargetOwner</MapTo>
      </Map>
      <Map>
        <Name>STATUS</Name>
        <MapTo>EventStatus</MapTo>
        <!-- Value transformation for "STATUS" source field value.
             Mandatory: EventStatus value transformation.
             There are three possible values for EventStatus:
             SUCCESS, FAILURE, UNKNOWN -->
        <Transformation>
          <ValueTransformation from="0" to="FAILURE"/>
          <ValueTransformation from="1" to="SUCCESS"/>
          <ValueTransformation from="2" to="UNKNOWN"/>
        </Transformation>
      </Map>
    </CoreFields>

    <!-- Mapping of Source Fields to Large Fields of AV server
         i.e fields with huge content -->
    <!-- Secured target fields specified in large field mappings must be of
         SQL Datatype:CLOB OR SQL Datatype:String OR convertible to String -->
    <LargeFields>
      <Map>
        <Name>SQL_TEXT</Name>
        <MapTo>CommandText</MapTo>
      </Map>
      <Map>
        <Name>COMMAND_PARAMETER</Name>
        <MapTo>CommandParam</MapTo>
      </Map>
    </LargeFields>

    <!-- These secured target fields are collected in a single extension
         field, all name-value pairs separated by standard delimiter -->
    <!-- Secured target fields specified in extension field mapping must be of
         SQL Datatype:String OR convertible to String -->
    <ExtensionField>
      <Name>DB_ID</Name>
      <Name>INSTANCE</Name>
      <Name>PROCESS</Name>
      <Name>TERMINAL</Name>
    </ExtensionField>

    <!-- Mandatory: Secured target fields for MarkerField
         A group of secured target fields to uniquely identify each
         Audit Record -->
    <!-- Secured target fields specified to be used as MarkerField mapping
         must be of SQL Datatype:String OR convertible to String -->
    <MarkerField>
      <Name>SESSION_ID</Name>
      <Name>ENTRY_ID</Name>
    </MarkerField>
  </FieldMappingInfo>
</AVTableCollectorTemplate>
This is a sample manifest file for the database table collection plug-in.
Example C-2 Sample Manifest File for the Database Table Collection Plug-in
<?xml version="1.0"?>
<plugin xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://xmlns.oracle.com/av/plugin plugin-manifest.xsd"
        xmlns="http://xmlns.oracle.com/av/plugin"
        name="HRMS-Template"
        id="com.oracle.av.plugin"
        version="1.0"
        provider-name="Oracle Corp."
        copyright="Copyright Oracle Corp. 2011">

  <!-- targetVersion: Version of Oracle Audit Vault supported by this plugin.
       This is represented by the "min" attribute of <targetVersion> tag -->
  <targetVersion min="11.1.0.0.0"/>

  <extensionSet>
    <extensionPoint type="securedTargetType">

      <!-- Tag: fileList: Lists all files that ship with the plugin -->
      <fileList>
        <jars></jars>
        <templates>
          <include file="DBSource-Mapper.xml"/>
        </templates>
        <bin></bin>
        <config></config>
        <shell></shell>
        <patch></patch>
        <unresolved-external></unresolved-external>
      </fileList>

      <!-- Tag: securedTargetTypeInfo: Contains secured target type and
           trail information -->
      <securedTargetTypeInfo name="DBSOURCE"/>

      <!-- Tag: trailType: contains trail type, location, classname for
           source type testSource -->
      <trailInfo>
        <trailType>TABLE</trailType>
        <className name="oracle.av.platform.agent.collfwk.Collector.table.DatabaseTableCollector"/>
      </trailInfo>

      <!-- eventPatch: OPTIONAL field that indicates any event patches that
           need to be applied as part of plugin deployment.
           The files listed here must be present in the <patch> tag entries.
           The order in which the patches need to applied can be controlled
           via the "order" attribute.
           Patches with lower "order" value will be applied first -->
      <eventPatch name="p6753288_11.1.2.0.0_GENERIC.zip" order="2"/>

    </extensionPoint>
  </extensionSet>
</plugin>
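The following attributes and fields are required in the mapper file for the XML file collection plug-in:
securedTargetType
maxSecuredTargetVersion
version
HeaderInfo
RecordInfo
EventTimeUTC
CommandClass
    Transformation
EventStatus
    Transformation
MarkerField
Source names that map to the following Audit Vault Server fields are not required, but if data collection starts without this information, all audit records are considered invalid.
UserName
CommandClass
See Also:
For the list of fields and events, see "Audit Vault Server Fields".
Example C-3 Sample Mapper File for the XML File Collection Plug-in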
<AVXMLCollectorTemplate securedTargetType="XMLSOURCE"
                        maxSecuredTargetVersion="11.0"
                        version="1.0">
  <!-- Example Template for XML template collector -->
  <!-- Attributes: "securedTargetType", "maxSecuredTargetVersion" and "version"
       are mandatory attributes, "minSecuredTargetVersion" attribute is
       optional -->
  <!-- Accepted Format for min/maxSecuredTargetVersion and version attribute
       value is numbers separated by dots
       (For example: 12.2, 10.3.2, 11.2.3.0 etc..) -->

  <!-- Header Information like XML Header start tag -->
  <HeaderInfo>
    <!-- Mandatory: HeaderInfo -->
    <!-- Value in this tag gives Root tag of the XML audit file -->
    <StartTag>Audit</StartTag>
  </HeaderInfo>

  <!-- Record Information like Record Start tag and conformation to hold
       original record -->
  <RecordInfo>
    <!-- Mandatory: RecordInfo -->
    <!-- Provides starting tag of audit record in XML audit file -->
    <StartTag>AuditRecord</StartTag>
  </RecordInfo>

  <!-- Gives Mapping Information of Source Fields to various AV Fields
       (core and large fields) -->
  <!-- Not Allowed: many-to-one mapping from source field to
       AV Server fields -->
  <FieldMappingInfo>
    <!-- Mapping of Source Fields to Core Fields of AV server.
         Source fields specified in core field mappings must be of
         SQL Datatype: String OR convertible to String -->
    <CoreFields>
      <Map>
        <Name>EVENT_TIME</Name>
        <MapTo>EventTimeUTC</MapTo>
        <TimestampPattern>yyyy-MM-dd HH:mm:ss.SSS</TimestampPattern>
      </Map>
      <Map>
        <!-- If UserName core field mapping is not provided, Audit Data
             Collection still starts successfully, but every audit record
             will be treated as invalid -->
        <Name>USER_ID</Name>
        <MapTo>UserName</MapTo>
      </Map>
      <Map>
        <Name>OS_USER_ID</Name>
        <MapTo>OSUserName</MapTo>
      </Map>
      <Map>
        <!-- If source name, the ACTION field, for CommandClass core field
             mapping is not provided, Audit Data Collection still starts
             successfully, but all audit records are treated as invalid -->
        <Name>ACTION</Name>
        <MapTo>CommandClass</MapTo>
        <!-- Mandatory: value transformations from source to Action field
             value. Value of "to" Attribute is from AV Event set -->
        <Transformation>
          <ValueTransformation from="1" to="CREATE"/>
          <ValueTransformation from="2" to="INSERT"/>
          <ValueTransformation from="3" to="SELECT"/>
          <ValueTransformation from="4" to="CREATE"/>
          <ValueTransformation from="15" to="READ"/>
          <ValueTransformation from="30" to="LOGON"/>
          <ValueTransformation from="34" to="LOGOFF"/>
          <ValueTransformation from="35" to="ACQUIRE"/>
        </Transformation>
      </Map>
      <Map>
        <Name>OBJ_NAME</Name>
        <MapTo>TargetObject</MapTo>
      </Map>
      <Map>
        <Name>USER_HOST</Name>
        <MapTo>ClientHostName</MapTo>
      </Map>
      <Map>
        <Name>OBJ_CREATOR</Name>
        <MapTo>TargetOwner</MapTo>
      </Map>
      <Map>
        <Name>STATUS</Name>
        <MapTo>EventStatus</MapTo>
        <!-- Specifying value transformation for Status source field value.
             Mandatory: EventStatus value transformation.
             There are three possible values for EventStatus:
             SUCCESS, FAILURE, UNKNOWN -->
        <Transformation>
          <ValueTransformation from="0" to="FAILURE"/>
          <ValueTransformation from="1" to="SUCCESS"/>
          <ValueTransformation from="2" to="UNKNOWN"/>
        </Transformation>
      </Map>
    </CoreFields>

    <!-- Mapping of Source Fields to Large Fields of AV server
         i.e fields with huge content -->
    <!-- Source fields specified in large field mappings must be of
         SQL Datatype:CLOB OR SQL Datatype:String OR convertible to String -->
    <LargeFields>
      <Map>
        <Name>SQL_TEXT</Name>
        <MapTo>CommandText</MapTo>
      </Map>
      <Map>
        <Name>COMMAND_PARAMETER</Name>
        <MapTo>CommandParam</MapTo>
      </Map>
    </LargeFields>

    <!-- These Source fields will be collected in a single extension field,
         all name-value pairs are separated by standard delimiter -->
    <!-- Source fields specified in extension field mapping must be of
         SQL Datatype:String OR convertible to String -->
    <ExtensionField>
      <Name>DB_ID</Name>
      <Name>INSTANCE</Name>
      <Name>PROCESS</Name>
      <Name>TERMINAL</Name>
    </ExtensionField>

    <!-- This is group of source fields for uniquely identifying each
         Audit Record Marker -->
    <!-- Source fields specified to be used as Marker field mapping must be of
         SQL Datatype:String OR convertible to String -->
    <!-- Mandatory: Source fields for MarkerField -->
    <MarkerField>
      <Name>SESSION_ID</Name>
      <Name>ENTRY_ID</Name>
    </MarkerField>
  </FieldMappingInfo>
</AVXMLCollectorTemplate>
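The required and optional field lists given for the database table mapper and the XML file mapper can be checked before deployment, so that a missing mapping is caught at review time instead of showing up as a trail whose records are all invalid. The following Python linter is an added example, not Oracle's code: `lint_mapper`, the severity labels and the deliberately defective `SAMPLE` mapper are constructed for illustration, and treating `ConnectionInfo/DataSource` as mandatory follows the comment in Example C-1.

```python
import re
import xml.etree.ElementTree as ET

VERSION_RE = re.compile(r"^\d+(\.\d+)*$")         # "numbers separated by dots"
EVENT_STATUS = {"SUCCESS", "FAILURE", "UNKNOWN"}  # the three EventStatus values
MANDATORY = {
    # root element -> child elements the sample comments mark as mandatory
    "AVTableCollectorTemplate": ["TableName", "ConnectionInfo/DataSource"],
    "AVXMLCollectorTemplate": ["HeaderInfo/StartTag", "RecordInfo/StartTag"],
}
INVALID = "collection starts, but every audit record is treated as invalid"


def _text(elem):
    """Stripped text of an element, or '' when the element is absent."""
    return (elem.text or "").strip() if elem is not None else ""


def lint_mapper(xml_text):
    """Return (severity, message) findings for one mapper file."""
    if "<!DOCTYPE" in xml_text:  # a mapper needs no DTD, so reject it unparsed
        return [("ERROR", "DOCTYPE found; refusing to parse")]
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [("ERROR", f"not well-formed XML: {exc}")]
    if root.tag not in MANDATORY:
        return [("ERROR", f"unexpected root element <{root.tag}>")]

    out = []
    for attr in ("securedTargetType", "maxSecuredTargetVersion", "version"):
        if not root.get(attr):
            out.append(("ERROR", f"missing mandatory attribute {attr}"))
    for attr in ("minSecuredTargetVersion", "maxSecuredTargetVersion", "version"):
        value = root.get(attr)
        if value and not VERSION_RE.match(value):
            out.append(("ERROR", f"{attr}={value!r} is not dot-separated numbers"))
    for path in MANDATORY[root.tag]:
        if not _text(root.find(path)):
            out.append(("ERROR", f"missing mandatory element {path}"))

    # AV Server field -> [(source field, <Map> element)], core and large fields
    by_target = {}
    for m in root.findall("FieldMappingInfo/*/Map"):
        entry = (_text(m.find("Name")), m)
        by_target.setdefault(_text(m.find("MapTo")), []).append(entry)
    for target, maps in by_target.items():
        if len(maps) > 1:
            sources = ", ".join(src for src, _ in maps)
            out.append(("ERROR", f"many-to-one mapping: {sources} -> {target}"))

    for target in ("EventTimeUTC", "EventStatus"):
        if target not in by_target:
            out.append(("ERROR", f"no mapping to {target}"))
    for target in ("CommandClass", "EventStatus"):
        for _, m in by_target.get(target, []):
            values = m.findall("Transformation/ValueTransformation")
            tos = [v.get("to", "") for v in values]
            if not tos:
                out.append(("ERROR", f"{target} mapping has no value transformation"))
            elif target == "EventStatus":
                for bad in sorted(set(tos) - EVENT_STATUS):
                    out.append(("ERROR", f"EventStatus cannot be {bad!r}"))
    for target in ("UserName", "CommandClass"):
        if not any(src for src, _ in by_target.get(target, [])):
            out.append(("WARN", f"no source field mapped to {target}: {INVALID}"))
    if not any(_text(n) for n in root.findall("FieldMappingInfo/MarkerField/Name")):
        out.append(("ERROR", "MarkerField lists no source fields"))
    return out


# Constructed sample with seeded defects: bad version string, CommandClass
# without a transformation, an unknown EventStatus value, two source fields
# mapped to TargetObject, and no UserName mapping.
SAMPLE = """<AVTableCollectorTemplate securedTargetType="DBSOURCE"
    maxSecuredTargetVersion="11.x" version="1.0">
  <TableName>dummy_auditTable</TableName>
  <ConnectionInfo><DataSource>oracle.jdbc.pool.OracleDataSource</DataSource></ConnectionInfo>
  <FieldMappingInfo>
    <CoreFields>
      <Map><Name>EVENT_TIME</Name><MapTo>EventTimeUTC</MapTo></Map>
      <Map><Name>ACTION</Name><MapTo>CommandClass</MapTo></Map>
      <Map><Name>STATUS</Name><MapTo>EventStatus</MapTo>
        <Transformation>
          <ValueTransformation from="0" to="FAILED"/>
          <ValueTransformation from="1" to="SUCCESS"/>
        </Transformation></Map>
      <Map><Name>OBJ_NAME</Name><MapTo>TargetObject</MapTo></Map>
      <Map><Name>OBJ_ALIAS</Name><MapTo>TargetObject</MapTo></Map>
    </CoreFields>
    <MarkerField><Name>SESSION_ID</Name><Name>ENTRY_ID</Name></MarkerField>
  </FieldMappingInfo>
</AVTableCollectorTemplate>"""

if __name__ == "__main__":
    for severity, message in lint_mapper(SAMPLE):
        print(f"{severity:5} {message}")
```

The `WARN` findings matter most for monitoring coverage: the collector starts normally in that state, so nothing fails visibly while every record is discarded as invalid.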
This is a sample manifest file for the XML file collection plug-in.
Example C-4 Sample Manifest File for the XML File Collection Plug-in
<?xml version="1.0"?>
<plugin xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://xmlns.oracle.com/av/plugin plugin-manifest.xsd"
        xmlns="http://xmlns.oracle.com/av/plugin"
        name="Oracle-XML-Template"
        id="com.oracle.av.plugin"
        version="1.0"
        provider-name="Oracle Corp."
        copyright="Copyright Oracle Corp. 2011">

  <!-- targetVersion: Version of Oracle Audit Vault supported by this plugin.
       This is represented by the "min" attribute of <targetVersion> tag -->
  <targetVersion min="11.1.0.0.0"/>

  <extensionSet>
    <extensionPoint type="securedTargetType">

      <!-- fileList: Lists *all* the files that ship with the plugin -->
      <fileList>
        <jars></jars>
        <templates>
          <include file="XMLSource-Mapper.xml"/>
        </templates>
        <bin></bin>
        <config></config>
        <shell></shell>
        <patch></patch>
        <unresolved-external></unresolved-external>
      </fileList>

      <!-- securedTargetTypeInfo: Contains source type and trail information -->
      <securedTargetTypeInfo name="oracle"/>

      <!-- trailType: contains trail type, location, classname for
           source type testSource -->
      <trailInfo>
        <trailType>DIRECTORY</trailType>
        <className name="oracle.av.platform.agent.collfwk.ezcollector.xml.XMLFileCollector"/>
      </trailInfo>

      <!-- eventPatch: OPTIONAL field that indicates any event patches that
           need to be applied as part of plugin deployment.
           The files listed here must be present in the <patch> tag entries.
           The order in which the patches need to applied can be controlled
           via the "order" attribute.
           Patches with lower "order" value will be applied first -->
      <eventPatch name="p6753288_11.1.2.0.0_GENERIC.zip" order="2"/>

    </extensionPoint>
  </extensionSet>
</plugin>
This is the listing of the Java-based collection plug-in example. It is the end result of the discussion in "How to Create a Java-Based Collection Plug-in".
Example C-5 SampleEventCollectorFactory.java
package oracle.av.plugin.sample.collector;

import oracle.av.platform.agent.collfwk.AuditEventCollector;
import oracle.av.platform.agent.collfwk.AuditEventCollectorException;
import oracle.av.platform.agent.collfwk.AuditEventCollectorFactory;
import oracle.av.platform.agent.collfwk.CollectorContext;

public class SampleEventCollectorFactory implements AuditEventCollectorFactory {

  public AuditEventCollector createAuditCollection(
      CollectorContext collectorContext) throws AuditEventCollectorException {
    // It simply creates and returns an instance of SampleEventCollector
    return new SampleEventCollector();
  }
}
Example C-6 SampleEventCollector.java
package oracle.av.plugin.sample.collector;

import java.io.Reader;
import java.sql.Clob;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Timestamp;
import java.util.HashMap;
import java.util.Map;

import oracle.av.platform.agent.collfwk.AuditEventCollector;
import oracle.av.platform.agent.collfwk.AuditEventCollectorException;
import oracle.av.platform.agent.collfwk.AuditService;
import oracle.av.platform.agent.collfwk.CollectorContext;
import oracle.av.platform.agent.collfwk.SetAttributeException;
import oracle.av.platform.common.ErrorCodes;
import oracle.av.platform.common.dao.ConnectionManager;
import oracle.av.platform.common.dao.ConnectionManagerImpl;
import oracle.av.platform.common.exception.AuditException;
import oracle.av.platform.common.util.AVLogger;

/**
 * This collector collects events from AUD table and sends them to Collection
 * Framework. It connects to the Source database during initialization and uses
 * the same connection till close() is called. It maintains one ResultSet
 * containing events. Once the ResultSet gets exhausted, the Collector sets a
 * checkpoint and creates another ResultSet.
 *
 * @author myellu
 *
 */
public class SampleEventCollector extends AuditEventCollector {

  // The delay used when querying events.
  private static final long DELAY = 5 * 1000;

  // This map contains mapping from the source event ids to Audit Vault
  // command classes.
  private static final Map<Integer, String> eventNameMap =
      new HashMap<Integer, String>();
  static {
    eventNameMap.put(1, "CREATE");
    eventNameMap.put(2, "INSERT");
    eventNameMap.put(3, "SELECT");
    eventNameMap.put(4, "CREATE");
    eventNameMap.put(15, "ALTER");
    eventNameMap.put(30, "AUDIT");
    eventNameMap.put(34, "CREATE");
    eventNameMap.put(35, "ALTER");
    eventNameMap.put(51, "CREATE");
    eventNameMap.put(52, "CREATE");
  }

  // This map contains mapping from the source event ids to Audit Vault target
  // types.
  private static final Map<Integer, String> targetTypeMap =
      new HashMap<Integer, String>();
  static {
    targetTypeMap.put(1, "TABLE");
    targetTypeMap.put(2, "TABLE");
    targetTypeMap.put(3, "TABLE");
    targetTypeMap.put(4, "CLUSTER");
    targetTypeMap.put(15, "TABLE");
    targetTypeMap.put(30, "OBJECT");
    targetTypeMap.put(34, "DATABASE");
    targetTypeMap.put(35, "DATABASE");
    targetTypeMap.put(51, "USER");
    targetTypeMap.put(52, "ROLE");
  }

  // This map contains mapping from the source event ids to Source Event Names.
  // This is necessary since source event ids do not describe the Source Event.
  // The entries go into sourceEventMap; putting them into targetTypeMap would
  // overwrite the target types above and leave getEventName() returning null.
  private static final Map<Integer, String> sourceEventMap =
      new HashMap<Integer, String>();
  static {
    sourceEventMap.put(1, "OBJECT:CREATED:TABLE");
    sourceEventMap.put(2, "INSERT INTO TABLE");
    sourceEventMap.put(3, "SELECT FROM TABLE");
    sourceEventMap.put(4, "OBJECT:CREATED:TABLE");
    sourceEventMap.put(15, "OBJECT:ALTERED:TABLE");
    sourceEventMap.put(30, "AUDIT OBJECT");
    sourceEventMap.put(34, "OBJECT:CREATED:DATABASE");
    sourceEventMap.put(35, "OBJECT:ALTERED:DATABASE");
    sourceEventMap.put(51, "OBJECT:CREATED:USER");
    sourceEventMap.put(52, "OBJECT:CREATED:ROLE");
  }

  // holds a connection to the Source database.
  private ConnectionManager m_connectionManager;
  // Connection to the Source.
  private Connection m_connection;
  // PreparedStatement used to get ResultSet.
  private PreparedStatement m_preparedStatement;
  // holds the ResultSet containing records.
  private ResultSet m_resultSet;
  // AuditService will be used to set checkpoint.
  private AuditService m_auditService;
  // previous checkpoint set.
  private Timestamp m_previousCheckpoint;
  // next checkpoint to be set.
  private Timestamp m_nextCheckpoint;
  private AVLogger m_logger;
  // The CollectorContext received from the Collection Framework.
  private CollectorContext m_collectorContext;
  private long m_timeZoneOffset;

  /**
   * It connects to the database using the credentials and Connection String
   * from the CollectorContext.
   *
   * @throws AuditEventCollectorException
   */
  private void connectToSource() throws AuditEventCollectorException {
    m_logger.logDebugMethodEntered();
    // Get connection information from collector context.
    String user = m_collectorContext.getSecuredTargetUser();
    String password =
        new String(m_collectorContext.getSecuredTargetPassword());
    String connectionString = m_collectorContext.getSecuredTargetLocation();
    // Create a ConnectionManager object.
    try {
      m_connectionManager = new ConnectionManagerImpl(connectionString, user,
          password.toCharArray());
      m_connection = m_connectionManager.getConnection();
    } catch (AuditException ex) {
      throw new AuditEventCollectorException(
          ErrorCodes.FAILED_CONNECT_TO_SOURCE,
          new Object[] { connectionString }, ex);
    }
    m_logger.logDebugMethodExited();
  }

  /**
   * converts the time zone offset specified in String to a number of
   * milliseconds.
   *
   */
  private long getTimeZoneOffsetInMs(String offset) {
    if (offset == null)
      return 0;
    long timeZoneOffset;
    /** process offset to get value in milliseconds */
    int hour = Integer.parseInt(offset.substring(1, 3));
    int min = Integer.parseInt(offset.substring(4, 6));
    timeZoneOffset = (hour * 60 * 60 + min * 60) * 1000;
    if (offset.charAt(0) == '-')
      timeZoneOffset *= -1;
    return timeZoneOffset;
  }

  /**
   * Initializes the Collector with the values from CollectorContext. It also
   * connects to the database.
   */
  public void initializeCollector(CollectorContext collectorContext)
      throws AuditEventCollectorException {
    m_collectorContext = collectorContext;
    m_auditService = m_collectorContext.getAuditService();
    m_previousCheckpoint = m_collectorContext.getCheckpoint();
    m_logger = m_collectorContext.getLogger();
    // Get the time zone offset for the Source.
    String offset = m_collectorContext.getAttribute("TimeZoneOffset");
    if (offset != null) {
      m_timeZoneOffset = getTimeZoneOffsetInMs(offset);
    }
    connectToSource();
    fetchEvents();
  }

  /**
   * Queries the Source to get audit events that occurred from previous
   * checkpoint to the current time. Apart from during the initialization, this
   * method should be called only when ResultSet is exhausted. There are two
   * reasons for this. <br>
   * 1. This method will set the checkpoint. Checkpoint should only be set when
   * the ResultSet is exhausted as the results with in the ResultSet can be in
   * random order.<br>
   * 2. This method will create a new ResultSet. Hence the contents of the old
   * ResultSet will be inaccessible after this function is called.
   *
   * @throws AuditEventCollectorException
   */
  private void fetchEvents() throws AuditEventCollectorException {
    m_logger.logDebugMethodEntered();
    if (m_nextCheckpoint != null) {
      m_auditService.setCheckpoint(m_nextCheckpoint);
      m_previousCheckpoint = m_nextCheckpoint;
    }
    // It is not good to hold on to the Connection for long. As this is the
    // only place we can release the connection, we release and reacquire the
    // connection.
    try {
      if (m_connection != null) {
        m_connectionManager.releaseConnection(m_connection);
      }
    } catch (AuditException ex) {
      throw new AuditEventCollectorException(
          ErrorCodes.FAILED_TO_RELEASE_CONNECTION_TO_DB, null, ex);
    }
    try {
      m_connection = m_connectionManager.getConnection();
    } catch (AuditException ex) {
      throw new AuditEventCollectorException(
          ErrorCodes.FAILED_TO_GET_CONNECTION_TO_DB, null, ex);
    }
    // Now we need to aim for the next checkpoint. We will query for all
    // events from previous checkpoint to the next checkpoint. So we want to
    // make sure that all the events with event time lesser than the next
    // checkpoint are already available in the table. However, the events
    // might take a small amount of time before they are present in the table.
    // Hence the next checkpoint we aim will be current time minus delta time.
    m_nextCheckpoint = new Timestamp(System.currentTimeMillis() - DELAY);
    String query = null;
    try {
      if (m_previousCheckpoint == null) {
        query = "select * from AUD where EVENT_TIME <= ?";
        m_preparedStatement = m_connection.prepareStatement(query);
        m_preparedStatement.setTimestamp(1, m_nextCheckpoint);
      } else {
        query = "select * from AUD where EVENT_TIME > ? and EVENT_TIME <= ?";
        m_preparedStatement = m_connection.prepareStatement(query);
        m_preparedStatement.setTimestamp(1, m_previousCheckpoint);
        m_preparedStatement.setTimestamp(2, m_nextCheckpoint);
      }
      m_resultSet = m_preparedStatement.executeQuery();
    } catch (SQLException ex) {
      throw new AuditEventCollectorException(
          ErrorCodes.ERROR_GETTING_DATA_FROM_SOURCE,
          new Object[] { query }, ex);
    }
    m_logger.logDebugMethodExited();
  }

  /**
   * If the result set is not exhausted this will return true. If it has
   * exhausted, it will query to get the events till the current time. If it
   * could get any events, it will return true, false otherwise.
   */
  public boolean hasNext() throws AuditEventCollectorException {
    boolean hasMore;
    try {
      if (m_resultSet == null) {
        fetchEvents();
        return m_resultSet.next();
      }
      hasMore = m_resultSet.next();
      if (!hasMore) {
        fetchEvents();
        hasMore = m_resultSet.next();
      }
    } catch (SQLException ex) {
      throw new AuditEventCollectorException(
          ErrorCodes.ERROR_GETTING_DATA_FROM_SOURCE, null, ex);
    }
    return hasMore;
  }

  // All the getter methods make use of the ResultSet get methods and return
  // the value appropriately.
  public String getUserName() throws AuditEventCollectorException {
    try {
      return m_resultSet.getString("USER_ID");
    } catch (SQLException ex) {
      throw new AuditEventCollectorException(
          ErrorCodes.ERROR_GETTING_DATA_FROM_SOURCE, null, ex);
    }
  }

  public String getOSUserName() throws AuditEventCollectorException {
    try {
      return m_resultSet.getString("OS_USER_ID");
    } catch (SQLException ex) {
      throw new AuditEventCollectorException(
          ErrorCodes.ERROR_GETTING_DATA_FROM_SOURCE, null, ex);
    }
  }

  public String getCommandClass() throws AuditEventCollectorException {
    try {
      int eventId = m_resultSet.getInt("ACTION");
      return eventNameMap.get(eventId);
    } catch (SQLException ex) {
      throw new AuditEventCollectorException(
          ErrorCodes.ERROR_GETTING_DATA_FROM_SOURCE, null, ex);
    }
  }

  public String getEventName() throws AuditEventCollectorException {
    try {
      int eventId = m_resultSet.getInt("ACTION");
      return sourceEventMap.get(eventId);
    } catch (SQLException ex) {
      throw new AuditEventCollectorException(
          ErrorCodes.ERROR_GETTING_DATA_FROM_SOURCE, null, ex);
    }
  }

  public EventStatus getEventStatus() throws AuditEventCollectorException {
    try {
      int status = m_resultSet.getInt("STATUS");
      if (status == 1) {
        return EventStatus.SUCCESS;
      } else if (status == 0) {
        return EventStatus.FAILURE;
      } else {
        return EventStatus.UNKNOWN;
      }
    } catch (SQLException ex) {
      throw new AuditEventCollectorException(
          ErrorCodes.ERROR_GETTING_DATA_FROM_SOURCE, null, ex);
    }
  }

  public Timestamp getEventTimeUTC() throws AuditEventCollectorException {
    try {
      Timestamp eventTime = m_resultSet.getTimestamp("EVENT_TIME");
      // As the method name suggests, the timestamp must be returned only in
      // UTC time zone.
      return new Timestamp(eventTime.getTime() - m_timeZoneOffset);
    } catch (SQLException ex) {
      throw new AuditEventCollectorException(
          ErrorCodes.ERROR_GETTING_DATA_FROM_SOURCE, null, ex);
    }
  }

  public String getErrorMessage() throws AuditEventCollectorException {
    // There is no corresponding field for ErrorMessage. Hence we
    // return NULL always.
    return null;
  }

  public String getErrorId() throws AuditEventCollectorException {
    // There is no corresponding field for ErrorId. Hence we
    // return NULL always.
    return null;
  }

  public String getTargetObject() throws AuditEventCollectorException {
    try {
      return m_resultSet.getString("OBJ_NAME");
    } catch (SQLException ex) {
      throw new AuditEventCollectorException(
          ErrorCodes.ERROR_GETTING_DATA_FROM_SOURCE, null, ex);
    }
  }

  public String getTargetType() throws AuditEventCollectorException {
    try {
      int eventId = m_resultSet.getInt("ACTION");
      return targetTypeMap.get(eventId);
    } catch (SQLException ex) {
      throw new AuditEventCollectorException(
          ErrorCodes.ERROR_GETTING_DATA_FROM_SOURCE, null, ex);
    }
  }

  public String getTargetOwner() throws AuditEventCollectorException {
    try {
      return m_resultSet.getString("OBJ_CREATOR");
    } catch (SQLException ex) {
      throw new AuditEventCollectorException(
          ErrorCodes.ERROR_GETTING_DATA_FROM_SOURCE, null, ex);
    }
  }

  public String getClientHostName() throws AuditEventCollectorException {
    try {
      return m_resultSet.getString("USER_HOST");
    } catch (SQLException ex) {
      throw new AuditEventCollectorException(
          ErrorCodes.ERROR_GETTING_DATA_FROM_SOURCE, null, ex);
    }
  }

  public String getClientIP() throws AuditEventCollectorException {
    // There is no corresponding field for IP address. Hence we
    // return NULL always.
    return null;
  }

  public String getExtension() throws AuditEventCollectorException {
    try {
      StringBuilder sb = new StringBuilder();
      // Here we will put those fields which are not sent in other getter
      // methods.
      sb.append("DB_ID=" + m_resultSet.getString("DB_ID") + ";");
      sb.append("INSTANCE=" + m_resultSet.getString("INSTANCE") + ";");
      sb.append("PROCESS=" + m_resultSet.getString("PROCESS"));
      return sb.toString();
    } catch (SQLException ex) {
      throw new AuditEventCollectorException(
          ErrorCodes.ERROR_GETTING_DATA_FROM_SOURCE, null, ex);
    }
  }

  public Reader getCommandText() throws AuditEventCollectorException {
    try {
      // Clobs and the Readers contained in the Clobs are alive only
      // as long as the Connection to the Source is alive. So if the Source
      // Connection is closed, Collection Framework will fail when it tries
      // to send the events to AV Server. If there is any need to close and
      // recreate a connection that should be done immediately after setting
      // the checkpoint. Setting the checkpoint causes the Collection
      // Framework to flush all the events it is holding. So immediately
      // after setting the checkpoint, we are sure that the Framework is not
      // holding any events.
      Clob clob = m_resultSet.getClob("SQL_TEXT");
      return clob.getCharacterStream();
    } catch (SQLException ex) {
      throw new AuditEventCollectorException(
          ErrorCodes.ERROR_GETTING_DATA_FROM_SOURCE, null, ex);
    }
  }

  public Reader getCommandParam() throws AuditEventCollectorException {
    try {
      Clob clob = m_resultSet.getClob("SQL_BIND");
      return clob.getCharacterStream();
    } catch (SQLException ex) {
      throw new AuditEventCollectorException(
          ErrorCodes.ERROR_GETTING_DATA_FROM_SOURCE, null, ex);
    }
  }

  public String getMarker() throws AuditEventCollectorException {
    // ENTRY_ID will identify an audit event uniquely with in a session. Hence
    // ENTRY_ID along with SESSION_ID will uniquely identify an audit event
    // across sessions.
    try {
      return m_resultSet.getString("SESSION_ID") + ":"
          + m_resultSet.getString("ENTRY_ID");
    } catch (SQLException ex) {
      throw new AuditEventCollectorException(
          ErrorCodes.ERROR_GETTING_DATA_FROM_SOURCE, null, ex);
    }
  }

  public void setAttribute(String name, String value)
      throws SetAttributeException {
    if (name.equalsIgnoreCase("TimeZoneOffset")) {
      m_timeZoneOffset = getTimeZoneOffsetInMs(value);
    } else {
      throw new SetAttributeException(ErrorCodes.INVALID_ATTRIBUTE_NAME,
          new Object[] { name, value }, null);
    }
  }

  public void close() {
    try {
      if (m_resultSet != null) {
        m_resultSet.close();
        m_resultSet = null;
      }
      if (m_connectionManager != null) {
        m_connectionManager.destroy();
        m_connectionManager = null;
      }
      m_previousCheckpoint = null;
      m_nextCheckpoint = null;
      m_logger = null;
    } catch (SQLException ex) {
      m_logger.logError("SampleEventCollector", "close",
          "SQLException occurred. ", ex);
    } catch (AuditException ex) {
      m_logger.logError("SampleEventCollector", "close",
          "AuditException occurred. ", ex);
    }
  }
}
This is a sample manifest file for the Java-based collection plug-in.
Example C-7 Java-Based Manifest File
<?xml version="1.0"?>
<plugin xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://xmlns.oracle.com/av/plugin plugin-manifest.xsd"
        xmlns="http://xmlns.oracle.com/av/plugin"
        name="Sample Plugin"
        id="com.oracle.av.plugin.sample"
        version="12.1.0.0.0"
        provider-name="Oracle Corp."
        copyright="Copyright Oracle Corp. 2011">

  <!-- targetVersion: Version of Oracle Audit Vault supported by this plugin.
       This is represented by the "min" attribute of <targetVersion> tag -->
  <targetVersion min="12.1.0.0.0"/>

  <extensionSet>
    <extensionPoint type="securedTargetType">

      <!-- fileList: Lists *all* the files that ship with the plugin -->
      <fileList>
        <jars>
          <include file="samplecollector.jar"/>
          <!-- All your collector Java jar binaries go here -->
        </jars>
        <templates></templates>
        <bin>
          <!-- All your collector native binaries go here -->
        </bin>
        <config>
          <!-- Any configuration information (such as .properties files)
               go here -->
        </config>
        <shell>
          <!-- Any shell scripts that your collector relies on go here -->
        </shell>
        <patch>
          <!-- Oracle provided patches go here -->
        </patch>
        <unresolved-external>
          <!-- Any files belonging to the unresolved-external category here -->
        </unresolved-external>
      </fileList>

      <!-- securedTargetTypeInfo: Contains source type and trail information -->
      <securedTargetTypeInfo name="Sample"/>

      <!-- trailType: contains trail type, location, classname for
           source type testSource -->
      <trailInfo>
        <trailType>TABLE</trailType>
        <className name="oracle.av.plugin.sample.collector.SampleEventCollectorFactory"/>
      </trailInfo>

    </extensionPoint>
  </extensionSet>
</plugin>