C サンプル・コード
データベース表、XMLファイル、Javaベースのファイル収集プラグインなど、様々なタイプの収集プラグインのサンプルから学習します。
C.1 データベース表の収集プラグインの例
Oracle Audit Vaultデータベース表の収集プラグインのマッパー・ファイルとデータベース表プラグインのマニフェスト・ファイルの例を参照してください。
C.1.1 データベース表の収集プラグインのマッパー・ファイル
データベース表の収集プラグインのマッパー・ファイルについて、どのOracle Audit Vault属性およびフィールドが必須かオプションかを学習します。
Oracle Audit Vaultデータベース表の収集プラグインのマッパー・ファイルには、特定の必須フィールドがあります。S
必須フィールド
次の属性およびフィールドは必須です。
-
securedTargetType -
maxSecuredTargetVersion -
version -
TableName -
Driver -
EventTimeUTC -
CommandClass変換 -
EventStatus変換 -
MarkerField
オプションのフィールド
Oracle Audit Vault Serverフィールドにマップするソース名は必須ではありません。ただし、データ収集の開始時に情報が提供されない場合、すべての監査レコードは無効として処理されます。
-
UserName -
CommandClass
例C-1 データベース表の収集プラグインのXMLマッパー・ファイルのサンプル
<AVTableCollectorTemplate securedTargetType="DBSOURCE" minSecuredTargetVersion="10.2.0"
maxSecuredTargetVersion="11.0" version="1.0" >
<!--Example Template for a database Collector-->
<!-- Attributes: securedTargetType, maxSecuredTargetVersion,
and version are mandatory;
minSecuredTargetVersion attribute is optional -->
<!-- Accepted Format for min/maxSecuredTargetVersion and
version attribute value is numbers separated by
dots (For example: 12.2,10.3.2, 11.2.3.0 etc..)-->
<!-- Audit Table Information -->
<!-- Name of Audit Table: Mandatory information -->
<TableName>dummy_auditTable</TableName>
<!-- Source Connection Information -->
<ConnectionInfo>
<DataSource>oracle.jdbc.pool.OracleDataSource</DataSource>
<!--Datasource class name for current secured target type:
Mandatory information -->
</ConnectionInfo>
<!-- This Gives Mapping Information of Source Fields to various AV
Fields(core and large fields) -->
<!-- There should be no many-to-one mappings from source fields to
AV Server fields -->
<FieldMappingInfo>
<!-- Mapping of Source Fields to Core Fields of AV server -->
<!-- Source fields specified in core field mappings must be of SQL
Datatype: String OR convertible to String-->
<CoreFields>
<Map>
<!-- Mandatory: EventTime mapping information -->
<Name>EVENT_TIME</Name>
<MapTo>EventTimeUTC</MapTo>
</Map>
<Map>
<!-- If UserName core field mapping is not provided, Audit Data
Collection still starts successfully, but every audit record
will be treated as invalid -->
<Name>USER_ID</Name>
<MapTo>UserName</MapTo>
</Map>
<Map>
<Name>OS_USER_ID</Name>
<MapTo>OSUserName</MapTo>
</Map>
<Map>
<!-- If source name, the ACTION field, for CommandClass core field
mapping is not provided, Audit Data Collection still starts
successfully, but all audit records are treated as invalid -->
<Name>ACTION</Name>
<MapTo>CommandClass</MapTo>
<!-- Mandatory: value transformation from secured target field value
to command class field value. Value of "to" Attribute is from AV
Event set -->
<Transformation>
<ValueTransformation from="1" to="CREATE"/>
<ValueTransformation from="2" to="INSERT"/>
<ValueTransformation from="3" to="SELECT"/>
<ValueTransformation from="4" to="CREATE"/>
<ValueTransformation from="15" to="READ"/>
<ValueTransformation from="30" to="LOGON"/>
<ValueTransformation from="34" to="LOGOFF"/>
<ValueTransformation from="35" to="ACQUIRE"/>
</Transformation>
</Map>
<Map>
<Name>OBJ_NAME</Name>
<MapTo>TargetObject</MapTo>
</Map>
<Map>
<Name>USER_HOST</Name>
<MapTo>ClientHostName</MapTo>
</Map>
<Map>
<Name>OBJ_CREATOR</Name>
<MapTo>TargetOwner</MapTo>
</Map>
<Map>
<Name>STATUS</Name>
<MapTo>EventStatus</MapTo>
<!-- Value transformation for "STATUS" source field value.
Mandatory: EventStatus value transformation.
There are three possible values for EventStatus:
SUCCESS, FAILURE, UNKNOWN -->
<Transformation>
<ValueTransformation from="0" to="FAILURE"/>
<ValueTransformation from="1" to="SUCCESS"/>
<ValueTransformation from="2" to="UNKNOWN"/>
</Transformation>
</Map>
</CoreFields>
<!-- Mapping of Source Fields to Large Fields of AV server i.e fields
with huge content -->
<!-- Secured target fields specified in large field mappings must be
of SQL Datatype:CLOB OR SQL Datatype:String OR convertible to
String -->
<LargeFields>
<Map>
<Name>SQL_TEXT</Name>
<MapTo>CommandText</MapTo>
</Map>
<Map>
<Name>COMMAND_PARAMETER</Name>
<MapTo>CommandParam</MapTo>
</Map>
</LargeFields>
<!-- These secured target fields are collected in a single extension
field, all name-value pairs separated by standard delimiter -->
<!-- Secured target fields specified in extension field mapping must
be of SQL Datatype:String OR convertible to String -->
<ExtensionField>
<Name>DB_ID</Name>
<Name>INSTANCE</Name>
<Name>PROCESS</Name>
<Name>TERMINAL</Name>
</ExtensionField>
<!-- Mandatory: Secured target fields for MarkerField
A group of secured target fields to uniquely identify each Audit
Record -->
<!-- Secured target fields specified to be used as MarkerField mapping
must be of SQL Datatype:String OR convertible to String -->
<MarkerField>
<Name>SESSION_ID</Name>
<Name>ENTRY_ID</Name>
</MarkerField>
</FieldMappingInfo>
</AVTableCollectorTemplate>関連トピック
C.1.2 データベース表の収集プラグインのマニフェスト・ファイル
データベース表の収集プラグインのマニフェスト・ファイルの例を示します。
これは、データベース表の収集プラグインのマニフェスト・ファイルのサンプルです。
例C-2 データベース表の収集プラグインのマニフェスト・ファイルのサンプル
<?xml version="1.0"?>
<plugin xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.oracle.com/av/plugin plugin-manifest.xsd"
xmlns="http://xmlns.oracle.com/av/plugin"
name="HRMS-Template"
id="com.oracle.av.plugin"
version="1.0"
provider-name="Oracle Corp."
copyright="Copyright Oracle Corp. 2011">
<!-- targetVersion: Version of Oracle Audit Vault supported by this
plugin. This is represented by the "min" attribute of
<targetVersion> tag -->
<targetVersion min="11.1.0.0.0"/>
<extensionSet>
<extensionPoint type= "securedTargetType">
<!-- Tag: fileList: Lists all files that ship with the plugin -->
<fileList>
<jars></jars>
<templates>
<include file="DBSource-Mapper.xml"/>
</templates>
<bin></bin>
<config></config>
<shell></shell>
<patch></patch>
<unresolved-external>
</unresolved-external>
</fileList>
<!-- Tag: securedTargetTypeInfo: Contains secured target type and
trail information -->
<securedTargetTypeInfo name="DBSOURCE"/>
<!-- Tag: trailType: contains trail type, location , classname for
source type testSource -->
<trailInfo>
<trailType>TABLE</trailType>
<className name="oracle.av.platform.agent.collfwk.Collector.table.DatabaseTableCollector"/>
</trailInfo>
<!-- eventPatch: OPTIONAL field that indicates any event patches
that need to be applied as part of plugin deployment
The files listed here must be present in the <patch>
tag entries. The order in which the patches need to
applied can be controlled via the "order" attribute
Patches with lower "order" value will be applied
first -->
<eventPatch name="p6753288_11.1.2.0.0_GENERIC.zip" order="2"/>
</extensionPoint>
</extensionSet>
</plugin>C.2 XMLファイルの収集プラグインの例
Oracle Audit Vault and Database Firewallのプラグイン・マッパー・ファイルとプラグイン・マニフェスト・ファイルの属性とフィールドについて学習します。
C.2.1 XMLファイルの収集プラグインのマッパー・ファイル
XMLテンプレート・コレクタ・ファイルの例を示し、Oracle Audit Vault and Database FirewallのXMLファイル収集で使用される属性およびフィールドについて説明します。
必須の属性とフィールド、および必須ではないが監査レコードが無効として処理される可能性があるフィールドがあります。
XMLファイルの収集プラグインのマッパー・ファイルの必須属性およびフィールド
-
securedTargetType -
maxSecuredTargetVersion -
version -
HeaderInfo -
RecordInfo -
EventTimeUTC -
CommandClass変換 -
EventStatus変換 -
MarkerField
XMLファイルの収集プラグインのマッパー・ファイルの標準フィールド
これらのOracle Audit Vault Serverフィールドにマップするソース名は必須ではありません。ただし、これらのフィールドで指定した情報が提供されない場合は、データ収集の開始時にすべての監査レコードは無効として処理されます。
-
UserName -
CommandClass
例C-3 XMLファイルの収集プラグインのマッパー・ファイルのサンプル
<AVXMLCollectorTemplate securedTargetType="XMLSOURCE"
maxSecuredTargetVersion="11.0"
version="1.0">
<!--Example Template for XML template collector-->
<!-- Attributes: "securedTargetType", "maxSecuredTargetVersion" and
"version" are mandatory attributes, "minSecuredTargetVersion"
attribute is optional -->
<!-- Accepted Format for min/maxSecuredTargetVersion and version
attribute value is numbers separated by dots (For example:
12.2,10.3.2, 11.2.3.0 etc..)-->
<!-- Header Information like XML Header start tag -->
<HeaderInfo>
<!-- Mandatory: HeaderInfo-->
<!-- Value in this tag gives Root tag of the XML audit file-->
<StartTag>Audit</StartTag>
</HeaderInfo>
<!-- Record Information like Record Start tag and conformation to hold
original record -->
<RecordInfo>
<!-- Mandatory: RecordInfo -->
<!-- Provides starting tag of audit record in XML audit file -->
<StartTag>AuditRecord</StartTag>
</RecordInfo>
<!-- Gives Mapping Information of Source Fields to various AV Fields
(core and large fields) -->
<!-- Not Allowed: many-to-one mapping from source field to
AV Server fields -->
<FieldMappingInfo>
<!-- Mapping of Source Fields to Core Fields of AV server
Source fields specified in core field mappings must be of SQL
Datatype: String OR convertible to String -->
<CoreFields>
<Map>
<Name>EVENT_TIME</Name>
<MapTo>EventTimeUTC</MapTo>
<TimestampPattern>yyyy-MM-dd HH:mm:ss.SSS</TimestampPattern>
</Map>
<Map>
<!-- If UserName core field mapping is not provided, Audit Data
Collection still starts successfully, but every audit record
will be treated as invalid -->
<Name>USER_ID</Name>
<MapTo>UserName</MapTo>
</Map>
<Map>
<Name>OS_USER_ID</Name>
<MapTo>OSUserName</MapTo>
</Map>
<Map>
<!-- If source name, the ACTION field, for CommandClass
core field mapping is not provided, Audit Data Collection
still starts successfully, but all audit records are treated
as invalid -->
<Name>ACTION</Name>
<MapTo>CommandClass</MapTo>
<!-- Mandatory: value transformations from source to Action
field value. Value of "to" Attribute is from AV Event set -->
<Transformation>
<ValueTransformation from="1" to="CREATE"/>
<ValueTransformation from="2" to="INSERT"/>
<ValueTransformation from="3" to="SELECT"/>
<ValueTransformation from="4" to="CREATE"/>
<ValueTransformation from="15" to="READ"/>
<ValueTransformation from="30" to="LOGON"/>
<ValueTransformation from="34" to="LOGOFF"/>
<ValueTransformation from="35" to="ACQUIRE"/>
</Transformation>
</Map>
<Map>
<Name> OBJ_NAME</Name>
<MapTo>TargetObject</MapTo>
</Map>
<Map>
<Name>USER_HOST</Name>
<MapTo>ClientHostName</MapTo>
</Map>
<Map>
<Name>OBJ_CREATOR</Name>
<MapTo>TargetOwner</MapTo>
</Map>
<Map>
<Name>STATUS</Name>
<MapTo>EventStatus</MapTo>
<!-- Specifying value transformation for Status source field value.
Mandatory: EventStatus value transformation.
There are three possible values for EventStatus:
SUCCESS, FAILURE, UNKNOWN -->
<Transformation>
<ValueTransformation from="0" to="FAILURE"/>
<ValueTransformation from="1" to="SUCCESS"/>
<ValueTransformation from="2" to="UNKNOWN"/>
</Transformation>
</Map>
</CoreFields>
<!-- Mapping of Source Fields to Large Fields of AV server i.e fields
with huge content -->
<!-- Source fields specified in large field mappings must be of SQL
Datatype:CLOB OR SQL Datatype:String OR convertible to String -->
<LargeFields>
<Map>
<Name>SQL_TEXT</Name>
<MapTo>CommandText</MapTo>
</Map>
<Map>
<Name>COMMAND_PARAMETER</Name>
<MapTo>CommandParam</MapTo>
</Map>
</LargeFields>
<!-- These Source fields will be collected in a single extension
field, all name-value pairs are separated by standard delimiter -->
<!-- Source fields specified in extension field mapping must be of
SQL Datatype:String OR convertible to String -->
<ExtensionField>
<Name>DB_ID</Name>
<Name>INSTANCE</Name>
<Name>PROCESS</Name>
<Name>TERMINAL</Name>
</ExtensionField>
<!-- This is group of source fields for uniquely identifying each
Audit Record Marker -->
<!-- Source fields specified to be used as Marker field mapping must
be of SQL Datatype:String OR convertible to String -->
<!-- Mandatory: Source fields for MarkerField -->
<MarkerField>
<Name>SESSION_ID</Name>
<Name>ENTRY_ID</Name>
</MarkerField>
</FieldMappingInfo>
</AVXMLCollectorTemplate>関連トピック
C.2.2 XMLファイルの収集プラグインのマニフェスト・ファイル
Oracle Audit Vault and Database FirewallのXMLファイル収集で使用されるXMLファイルの収集プラグインのマニフェスト・ファイルの例を示します。
これは、XMLファイルの収集プラグインのマニフェスト・ファイルのサンプルです。
例C-4 XMLファイルの収集プラグインのマニフェスト・ファイルのサンプル
<?xml version="1.0"?>
<plugin xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.oracle.com/av/plugin plugin-manifest.xsd"
xmlns="http://xmlns.oracle.com/av/plugin"
name="Oracle-XML-Template"
id="com.oracle.av.plugin"
version="1.0"
provider-name="Oracle Corp."
copyright="Copyright Oracle Corp. 2011">
<!-- targetVersion: Version of Oracle Audit Vault supported by
this plugin. This is represented by the "min" attribute of
targetVersion> tag -->
<targetVersion min="11.1.0.0.0"/>
<extensionSet>
<extensionPoint type= "securedTargetType">
<!-- fileList: Lists *all* the files that ship with the plugin -->
<fileList>
<jars></jars>
<templates>
<include file="XMLSource-Mapper.xml"/>
</templates>
<bin></bin>
<config></config>
<shell></shell>
<patch></patch>
<unresolved-external></unresolved-external>
</fileList>
<!-- securedTargetTypeInfo: Contains source type and trail information
-->
<securedTargetTypeInfo name="oracle"/>
<!-- trailType: contains trail type, location , classname for
source type testSource -->
<trailInfo>
<trailType>DIRECTORY</trailType>
<className name="oracle.av.platform.agent.collfwk.ezcollector.xml.XMLFileCollector"/>
</trailInfo>
<!-- eventPatch: OPTIONAL field that indicates any event patches
that need to be applied as part of plugin deployment-->
The files listed here must be present in the <patch>-->
tag entries. The order in which the patches need to -->
applied can be controlled via the "order" attribute -->
Patches with lower "order" value will be applied -->
first -->
<eventPatch name="p6753288_11.1.2.0.0_GENERIC.zip" order="2"/>
</extensionPoint>
</extensionSet>
</plugin>
C.3 JSONファイルの収集プラグインの例
Oracle Audit Vault and Database FirewallのJSONプラグイン・マッパー・ファイルとJSONプラグイン・マニフェスト・ファイルの属性とフィールドについて学習します。
C.3.1 JSONファイルの収集プラグインのマッパー・ファイル
JSONテンプレート・コレクタ・ファイルの例を示し、Oracle Audit Vault and Database FirewallのJSONファイル収集で使用される属性およびフィールドについて説明します。
必須の属性とフィールド、および必須ではないが監査レコードが無効として処理される可能性があるフィールドがあります。
JSONファイルの収集プラグインのマッパー・ファイルの必須属性およびフィールド
-
securedTargetType -
maxSecuredTargetVersion -
version -
HeaderInfo -
RecordInfo -
EventTimeUTC -
CommandClass変換 -
EventStatus変換 -
MarkerField
JSONファイルの収集プラグインのマッパー・ファイルの標準フィールド
これらのOracle Audit Vault Serverフィールドにマップするソース名は必須ではありません。ただし、これらのフィールドで指定した情報が提供されない場合は、データ収集の開始時にすべての監査レコードは無効として処理されます。
-
UserName -
CommandClass
例C-5 JSONファイルの収集プラグインのマッパー・ファイルのサンプル
<?xml version="1.0" encoding="UTF-8"?>
<AVJSONCollectorTemplate securedTargetType="JSONSOURCE" maxSecuredTargetVersion="11.0" version="1.0">
<!--Example Template for JSON template collector-->
<!-- Attributes: "securedTargetType", "maxSecuredTargetVersion" and
"version" are mandatory attributes, "minSecuredTargetVersion"
attribute is optional -->
<!-- Accepted Format for min/maxSecuredTargetVersion and version
attribute value is numbers separated by dots (For example:
12.2,10.3.2, 11.2.3.0 etc..)-->
<!-- Header Information like JSON Header start tag -->
<HeaderInfo>
<!-- Mandatory: HeaderInfo-->
<!-- Value in this tag gives Root tag of the JSON audit file-->
<StartTag>ITEMS</StartTag>
</HeaderInfo>
<!-- Record Information like Record Start tag and conformation to hold
original record -->
<RecordInfo>
<!-- Mandatory: RecordInfo -->
<!-- Provides starting tag of audit record in JSON audit file -->
<StartTag>SESSION_ID</StartTag>
</RecordInfo>
<!-- Gives Mapping Information of Source Fields to various AV Fields
(core and large fields) -->
<!-- Not Allowed: many-to-one mapping from source field to
AV Server fields -->
<FieldMappingInfo>
<!-- Mapping of Source Fields to Core Fields of AV server
Source fields specified in core field mappings must be of SQL
Datatype: String OR convertible to String -->
<CoreFields>
<Map>
<Name>$.EVENT_TIME</Name>
<MapTo>EventTimeUTC</MapTo>
<TimestampPattern>yyyy-MM-dd HH:mm:ss.SSS</TimestampPattern>
</Map>
<Map>
<!-- If UserName core field mapping is not provided, Audit Data
Collection still starts successfully, but every audit record
will be treated as invalid -->
<Name>$.USER_ID</Name>
<MapTo>UserName</MapTo>
</Map>
<Map>
<Name>$.OS_USER_ID</Name>
<MapTo>OSUserName</MapTo>
</Map>
<Map>
<!-- If source name, the ACTION field, for CommandClass
core field mapping is not provided, Audit Data Collection
still starts successfully, but all audit records are treated
as invalid -->
<Name>$.ACTION</Name>
<MapTo>CommandClass</MapTo>
<!-- Mandatory: value transformations from source to Action
field value. Value of "to" Attribute is from AV Event set -->
<Transformation>
<ValueTransformation from="1" to="CREATE" />
<ValueTransformation from="2" to="INSERT" />
<ValueTransformation from="3" to="SELECT" />
<ValueTransformation from="4" to="CREATE" />
<ValueTransformation from="15" to="READ" />
<ValueTransformation from="30" to="LOGON" />
<ValueTransformation from="34" to="LOGOFF" />
<ValueTransformation from="35" to="ACQUIRE" />
</Transformation>
</Map>
<Map>
<Name>$.OBJ_NAME</Name>
<MapTo>TargetObject</MapTo>
</Map>
<Map>
<Name>$.USER_HOST</Name>
<MapTo>ClientHostName</MapTo>
</Map>
<Map>
<Name>$.OBJ_CREATOR</Name>
<MapTo>TargetOwner</MapTo>
</Map>
<Map>
<Name>$.STATUS</Name>
<MapTo>EventStatus</MapTo>
<!-- Specifying value transformation for Status source field value.
Mandatory: EventStatus value transformation.
There are three possible values for EventStatus:
SUCCESS, FAILURE, UNKNOWN -->
<Transformation>
<ValueTransformation from="0" to="FAILURE" />
<ValueTransformation from="1" to="SUCCESS" />
<ValueTransformation from="2" to="UNKNOWN" />
</Transformation>
</Map>
</CoreFields>
<!-- Mapping of Source Fields to Large Fields of AV server i.e fields
with huge content -->
<!-- Source fields specified in large field mappings must be of SQL
Datatype:CLOB OR SQL Datatype:String OR convertible to String -->
<LargeFields>
<Map>
<Name>$.SQL_TEXT</Name>
<MapTo>CommandText</MapTo>
</Map>
<Map>
<Name>$.COMMAND_PARAMETER</Name>
<MapTo>CommandParam</MapTo>
</Map>
</LargeFields>
<!-- These Source fields will be collected in a single extension
field, all name-value pairs are separated by standard delimiter -->
<!-- Source fields specified in extension field mapping must be of
SQL Datatype:String OR convertible to String -->
<ExtensionField>
<Name>$.DB_ID</Name>
<Name>$.INSTANCE</Name>
<Name>$.PROCESS</Name>
<Name>$.TERMINAL</Name>
</ExtensionField>
<!-- This is group of source fields for uniquely identifying each
Audit Record Marker -->
<!-- Source fields specified to be used as Marker field mapping must
be of SQL Datatype:String OR convertible to String -->
<!-- Mandatory: Source fields for MarkerField -->
<MarkerField>
<Name>$.SESSION_ID</Name>
<Name>$.ENTRY_ID</Name>
</MarkerField>
</FieldMappingInfo>
</AVJSONCollectorTemplate>関連トピック
C.3.2 JSONファイルの収集プラグインのマニフェスト・ファイル
Oracle Audit Vault and Database FirewallのJSONファイル収集で使用されるJSONファイルの収集プラグインのマニフェスト・ファイルの例を示します。
これは、JSONファイルの収集プラグインのマニフェスト・ファイルのサンプルです。
例C-6 JSONファイルの収集プラグインのマニフェスト・ファイルのサンプル
<?xml version="1.0" encoding="UTF-8"?>
<plugin xmlns="http://foobar.example.com/av/plugin" xmlns:xsi="http://foobar.example.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/av/plugin plugin-manifest.xsd" name="Oracle-XML-Template" id="com.oracle.av.plugin" version="1.0" provider-name="Oracle Corp." copyright="Copyright Oracle Corp. 2011">
<!-- targetVersion: Version of Oracle Audit Vault supported by
this plugin. This is represented by the "min" attribute of
targetVersion> tag -->
<targetVersion min="11.1.0.0.0" />
<extensionSet>
<extensionPoint type="securedTargetType">
<!-- fileList: Lists *all* the files that ship with the plugin -->
<fileList>
<jars />
<templates>
<include file="JSONSource-Mapper.xml" />
</templates>
<bin />
<config />
<shell />
<patch />
<unresolved-external />
</fileList>
<!-- securedTargetTypeInfo: Contains source type and trail information-->
<securedTargetTypeInfo name="json_file_secured_target" />
<!-- trailType: contains trail type, location , classname for
source type testSource -->
<trailInfo>
<trailType>DIRECTORY</trailType>
<className name="oracle.av.platform.agent.collfwk.ezcollector.json.MultiJSONFileCollectorFactory" />
</trailInfo>
<!-- eventPatch: OPTIONAL field that indicates any event patches
that need to be applied as part of plugin deployment
The files listed here must be present in the patch
tag entries. The order in which the patches need to
applied can be controlled via the "order" attribute
Patches with lower "order" value will be applied first -->
<eventPatch name="p6753288_11.1.2.0.0_GENERIC.zip" order="2" />
</extensionPoint>
</extensionSet>
</plugin>C.4 CSVファイルの収集プラグインの例
Oracle Audit Vault and Database FirewallでのCSVプラグイン・マッパー・ファイルとCSVプラグイン・マニフェスト・ファイルの属性とフィールドについて学習します。
C.4.1 CSVファイルの収集プラグインのマッパー・ファイル
CSVテンプレート・コレクタ・ファイルの例を示し、Oracle Audit Vault and Database FirewallでのCSVファイル収集で使用される属性およびフィールドについて説明します。
必須の属性とフィールド、および必須ではないが監査レコードが無効として処理される可能性があるフィールドがあります。
CSVファイルの収集プラグインのマッパー・ファイルの必須属性およびフィールド
-
securedTargetType -
maxSecuredTargetVersion -
version -
HeaderInfo -
RecordInfo -
EventTimeUTC -
CommandClass変換 -
EventStatus変換 -
MarkerField
CSVファイルの収集プラグインのマッパー・ファイルの標準フィールド
これらのOracle Audit Vault Serverフィールドにマップするソース名は必須ではありません。ただし、これらのフィールドで指定した情報が提供されない場合は、データ収集の開始時にすべての監査レコードは無効として処理されます。
-
UserName -
CommandClass
例C-7 CSVファイルの収集プラグインのマッパー・ファイルのサンプル
<?xml version="1.0" encoding="UTF-8"?>
<AVCSVCollectorTemplate securedTargetType="csv_file_secured_target" maxSecuredTargetVersion="11.0" version="1.0">
<!--Example Template for CSV template collector-->
<!-- Attributes: "securedTargetType", "maxSecuredTargetVersion" and
"version" are mandatory attributes, "minSecuredTargetVersion"
attribute is optional -->
<!-- Accepted Format for min/maxSecuredTargetVersion and version
attribute value is numbers separated by dots (For example:
12.2,10.3.2, 11.2.3.0 etc..)-->
<!-- Header Information like CSV Header start tag -->
<HeaderInfo>
<!-- Mandatory: HeaderInfo-->
<!-- Hardcoded to CSV -->
<StartTag>CSV</StartTag>
</HeaderInfo>
<!-- Record Information like Record Start tag and conformation to hold
original record -->
<RecordInfo>
<!-- Mandatory: RecordInfo -->
<!-- Hardcoded to CSV -->
<StartTag>CSV</StartTag>
</RecordInfo>
<!-- Gives Mapping Information of Source Fields to various AV Fields
(core and large fields) -->
<!-- Not Allowed: many-to-one mapping from source field to
AV Server fields -->
<FieldMappingInfo>
<!-- Mapping of Source Fields to Core Fields of AV server
Source fields specified in core field mappings must be
either string OR convertible to string -->
<!-- CSV files have "COMMA" as field delimiter -->
<!-- The first field has index 0, second field has index 1 and so on -->
<CoreFields>
<!-- In our CSV sample data, EVENT_TIME field has index 2 -->
<!-- Hence 2 is used in below EventTimeUTC mapping -->
<Map>
<Name>2</Name>
<MapTo>EventTimeUTC</MapTo>
<TimestampPattern>yyyy-MM-dd'T'HH:mm:ss.SSSZ</TimestampPattern>
</Map>
<Map>
<!-- If UserName core field mapping is not provided, Audit Data
Collection still starts successfully, but every audit record
will be treated as invalid -->
<Name>5</Name>
<MapTo>UserName</MapTo>
</Map>
<Map>
<!-- If source name, the ACTION field, for CommandClass
core field mapping is not provided, Audit Data Collection
still starts successfully, but all audit records are treated
as invalid -->
<Name>1</Name>
<MapTo>CommandClass</MapTo>
<!-- Mandatory: value transformations from source to Action
field value. Value of "to" Attribute is from AV Event set -->
<Transformation>
<ValueTransformation from="createUser" to="CREATE" />
<ValueTransformation from="createCollection" to="CREATE" />
<ValueTransformation from="authenticate" to="AUTHENTICATE" />
<ValueTransformation from="dropCollection" to="DROP" />
<ValueTransformation from="dropUser" to="DROP" />
</Transformation>
</Map>
<Map>
<Name>1</Name>
<MapTo>TargetObject</MapTo>
<Transformation>
<FieldTransformation from="createUser" to="6" />
<FieldTransformation from="createCollection" to="6" />
<FieldTransformation from="authenticate" to="6" />
<FieldTransformation from="dropCollection" to="6" />
<FieldTransformation from="dropUser" to="6" />
</Transformation>
</Map>
<Map>
<Name>1</Name>
<MapTo>TargetType</MapTo>
<Transformation>
<ValueTransformation from="createUser" to="USER" />
<ValueTransformation from="createCollection" to="COLLECTION" />
<ValueTransformation from="authenticate" to="USER" />
<ValueTransformation from="dropCollection" to="COLLECTION" />
<ValueTransformation from="dropUser" to="USER" />
</Transformation>
</Map>
<Map>
<Name>3</Name>
<MapTo>ClientIP</MapTo>
</Map>
<Map>
<Name>7</Name>
<MapTo>EventStatus</MapTo>
<!-- Specifying value transformation for Status source field value.
Mandatory: EventStatus value transformation.
There are three possible values for EventStatus:
SUCCESS, FAILURE, UNKNOWN -->
<Transformation>
<ValueTransformation from="0" to="FAILURE" />
<ValueTransformation from="100" to="SUCCESS" />
<ValueTransformation from="200" to="UNKNOWN" />
</Transformation>
</Map>
</CoreFields>
<!-- Mapping of Source Fields to Large Fields of AV server i.e fields
with huge content -->
<!-- Source fields specified in large field mappings must be of SQL
Datatype:CLOB OR SQL Datatype:String OR convertible to String -->
<LargeFields>
<Map>
<Name>11</Name>
<MapTo>CommandText</MapTo>
</Map>
<Map>
<Name>12</Name>
<MapTo>CommandParam</MapTo>
</Map>
</LargeFields>
<!-- These Source fields will be collected in a single extension
field, all name-value pairs are separated by standard delimiter -->
<!-- Source fields specified in extension field mapping must be of
SQL Datatype:String OR convertible to String -->
<ExtensionField>
<ComplexName>
<Name>10</Name>
<DisplayName>sessionid</DisplayName>
</ComplexName>
<ComplexName>
<Name>13</Name>
<DisplayName>entryid</DisplayName>
</ComplexName>
</ExtensionField>
<!-- This is group of source fields for uniquely identifying each
Audit Record Marker -->
<!-- Source fields specified to be used as Marker field mapping must
be of SQL Datatype:String OR convertible to String -->
<!-- Mandatory: Source fields for MarkerField -->
<MarkerField>
<Name>10</Name>
<Name>13</Name>
</MarkerField>
</FieldMappingInfo>
</AVCSVCollectorTemplate>
関連トピック
C.4.2 CSVファイルの収集プラグインのマニフェスト・ファイル
Oracle Audit Vault and Database FirewallでのCSVファイル収集で使用される、CSVファイル収集プラグインのマニフェスト・ファイルの例を示します。
これは、CSVファイル収集プラグインのマニフェスト・ファイルのサンプルです。
例C-8 CSVファイルの収集プラグインのマニフェスト・ファイルのサンプル
<?xml version="1.0" encoding="UTF-8"?>
<plugin xmlns="http://xmlns.oracle.com/av/plugin" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/av/plugin plugin-manifest.xsd" name="Oracle-XML-Template" id="com.oracle.av.plugin" version="1.0" provider-name="Oracle Corp." copyright="Copyright Oracle Corp. 2011">
<!-- targetVersion: Version of Oracle Audit Vault supported by
this plugin. This is represented by the "min" attribute of
targetVersion> tag -->
<targetVersion min="20.4.0.0.0" />
<extensionSet>
<extensionPoint type="securedTargetType">
<!-- fileList: Lists *all* the files that ship with the plugin -->
<fileList>
<jars />
<templates>
<include file="CSVSource-Mapper.xml" />
</templates>
<bin />
<config />
<shell />
<patch />
<unresolved-external />
</fileList>
<!-- securedTargetTypeInfo: Contains source type and trail information-->
<securedTargetTypeInfo name="csv_file_secured_target" />
<!-- trailType: contains trail type, location , classname for
source type testSource -->
<trailInfo>
<trailType>DIRECTORY</trailType>
<className name="oracle.av.platform.agent.collfwk.ezcollector.csv.GenericCSVFileCollectorFactory" />
</trailInfo>
</extensionPoint>
</extensionSet>
</plugin>
C.5 JSON RESTの収集プラグインの例
Oracle Audit Vault and Database FirewallのJSON RESTプラグイン・マッパー・ファイルとJSON RESTプラグイン・マニフェスト・ファイルの属性とフィールドについて学習します。
C.5.1 JSON RESTの収集プラグインのマッパー・ファイル
JSON RESTテンプレート・コレクタ・ファイルの例を示し、Oracle Audit Vault and Database FirewallのJSONファイル収集で使用される属性およびフィールドについて説明します。
必須の属性とフィールド、および必須ではないが監査レコードが無効として処理される可能性があるフィールドがあります。
JSON RESTの収集プラグインのマッパー・ファイルの必須属性およびフィールド
-
securedTargetType -
maxSecuredTargetVersion -
version -
HeaderInfo -
RecordInfo -
EventTimeUTC -
CommandClass変換 -
EventStatus変換 -
MarkerField -
QueryFormat -
TimeFormat -
NextLinkStartTag -
NextLinkPattern -
RESTAuthentication -
BasicAuth
JSON RESTの収集プラグインのマッパー・ファイルの標準フィールド
これらのOracle Audit Vault Serverフィールドにマップするソース名は必須ではありません。ただし、これらのフィールドで指定した情報が提供されない場合は、データ収集の開始時にすべての監査レコードは無効として処理されます。
-
UserName -
CommandClass
例C-9 JSON RESTの収集プラグインのマッパー・ファイルのサンプル
<?xml version="1.0" encoding="UTF-8"?>
<AVJSONCollectorTemplate securedTargetType="JSONSOURCE" maxSecuredTargetVersion="11.0" version="1.0">
<!--Example Template for JSON template collector-->
<!-- Attributes: "securedTargetType", "maxSecuredTargetVersion" and
"version" are mandatory attributes, "minSecuredTargetVersion"
attribute is optional -->
<!-- Accepted Format for min/maxSecuredTargetVersion and version
attribute value is numbers separated by dots (For example:
12.2,10.3.2, 11.2.3.0 etc..)-->
<!-- REST url corresponding to the the specific audit trail -->
<ResourceName>/audit_events/get_events/</ResourceName>
<!-- Header Information like JSON Header start tag -->
<HeaderInfo>
<!-- Mandatory: HeaderInfo-->
<!-- Value in this tag gives Root tag of the JSON audit file-->
<StartTag>ITEMS</StartTag>
</HeaderInfo>
<!-- Record Information like Record Start tag and conformation to hold
original record -->
<RecordInfo>
<!-- Mandatory: RecordInfo -->
<!-- Provides starting tag of audit record in JSON audit file -->
<StartTag>SESSION_ID</StartTag>
</RecordInfo>
<!-- Details of the REST Service -->
<ServiceDetails>
<!-- Query format for providing the start time and end time query parameters -->
<QueryFormat>{startTime}/{endTime}</QueryFormat>
<!-- Timestamp format for start time and end time -->
<TimeFormat>yyyy-MM-dd hh:mm:ss.SSS</TimeFormat>
<NextLink>
<!-- Next link start tag -->
<NextLinkStartTag>next</NextLinkStartTag>
<!-- Next link pattern -->
<NextLinkPattern>$.next.$ref</NextLinkPattern>
</NextLink>
<!-- Authentication mechanism for REST Service -->
<RESTAuthentication>
<!-- Username and password based Basic Authentication -->
<BasicAuth/>
</RESTAuthentication>
</ServiceDetails>
<!-- Gives Mapping Information of Source Fields to various AV Fields
(core and large fields) -->
<!-- Not Allowed: many-to-one mapping from source field to
AV Server fields -->
<FieldMappingInfo>
<!-- Mapping of Source Fields to Core Fields of AV server
Source fields specified in core field mappings must be of SQL
Datatype: String OR convertible to String -->
<CoreFields>
<Map>
<Name>$.EVENT_TIME</Name>
<MapTo>EventTimeUTC</MapTo>
<TimestampPattern>yyyy-MM-dd HH:mm:ss.SSS</TimestampPattern>
</Map>
<Map>
<!-- If UserName core field mapping is not provided, Audit Data
Collection still starts successfully, but every audit record
will be treated as invalid -->
<Name>$.USER_ID</Name>
<MapTo>UserName</MapTo>
</Map>
<Map>
<Name>$.OS_USER_ID</Name>
<MapTo>OSUserName</MapTo>
</Map>
<Map>
<!-- If source name, the ACTION field, for CommandClass
core field mapping is not provided, Audit Data Collection
still starts successfully, but all audit records are treated
as invalid -->
<Name>$.ACTION</Name>
<MapTo>CommandClass</MapTo>
<!-- Mandatory: value transformations from source to Action
field value. Value of "to" Attribute is from AV Event set -->
<Transformation>
<ValueTransformation from="1" to="CREATE" />
<ValueTransformation from="2" to="INSERT" />
<ValueTransformation from="3" to="SELECT" />
<ValueTransformation from="4" to="CREATE" />
<ValueTransformation from="15" to="READ" />
<ValueTransformation from="30" to="LOGON" />
<ValueTransformation from="34" to="LOGOFF" />
<ValueTransformation from="35" to="ACQUIRE" />
</Transformation>
</Map>
<Map>
<Name>$.OBJ_NAME</Name>
<MapTo>TargetObject</MapTo>
</Map>
<Map>
<Name>$.USER_HOST</Name>
<MapTo>ClientHostName</MapTo>
</Map>
<Map>
<Name>$.OBJ_CREATOR</Name>
<MapTo>TargetOwner</MapTo>
</Map>
<Map>
<Name>$.STATUS</Name>
<MapTo>EventStatus</MapTo>
<!-- Specifying value transformation for Status source field value.
Mandatory: EventStatus value transformation.
There are three possible values for EventStatus:
SUCCESS, FAILURE, UNKNOWN -->
<Transformation>
<ValueTransformation from="0" to="FAILURE" />
<ValueTransformation from="1" to="SUCCESS" />
<ValueTransformation from="2" to="UNKNOWN" />
</Transformation>
</Map>
</CoreFields>
<!-- Mapping of Source Fields to Large Fields of AV server i.e fields
with huge content -->
<!-- Source fields specified in large field mappings must be of SQL
Datatype:CLOB OR SQL Datatype:String OR convertible to String -->
<LargeFields>
<Map>
<Name>$.SQL_TEXT</Name>
<MapTo>CommandText</MapTo>
</Map>
<Map>
<Name>$.COMMAND_PARAMETER</Name>
<MapTo>CommandParam</MapTo>
</Map>
</LargeFields>
<!-- These Source fields will be collected in a single extension
field, all name-value pairs are separated by standard delimiter -->
<!-- Source fields specified in extension field mapping must be of
SQL Datatype:String OR convertible to String -->
<ExtensionField>
<Name>$.DB_ID</Name>
<Name>$.INSTANCE</Name>
<Name>$.PROCESS</Name>
<Name>$.TERMINAL</Name>
</ExtensionField>
<!-- This is group of source fields for uniquely identifying each
Audit Record Marker -->
<!-- Source fields specified to be used as Marker field mapping must
be of SQL Datatype:String OR convertible to String -->
<!-- Mandatory: Source fields for MarkerField -->
<MarkerField>
<Name>$.SESSION_ID</Name>
<Name>$.ENTRY_ID</Name>
</MarkerField>
</FieldMappingInfo>
</AVJSONCollectorTemplate>関連トピック
C.5.2 JSON RESTの収集プラグインのマニフェスト・ファイル
Oracle Audit Vault and Database FirewallのJSONファイル収集で使用されるJSON RESTの収集プラグインのマニフェスト・ファイルの例を示します。
これは、JSON RESTの収集プラグインのマニフェスト・ファイルのサンプルです。
例C-10 JSON RESTの収集プラグインのマニフェスト・ファイルのサンプル
<?xml version="1.0" encoding="UTF-8"?>
<plugin xmlns="http://foobar.example.com/av/plugin" xmlns:xsi="http://foobar.example.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/av/plugin plugin-manifest.xsd" name="Oracle-XML-Template" id="com.oracle.av.plugin" version="1.0" provider-name="Oracle Corp." copyright="Copyright Oracle Corp. 2011">
<!-- targetVersion: Version of Oracle Audit Vault supported by
this plugin. This is represented by the "min" attribute of
targetVersion> tag -->
<targetVersion min="11.1.0.0.0" />
<extensionSet>
<extensionPoint type="securedTargetType">
<!-- fileList: Lists *all* the files that ship with the plugin -->
<fileList>
<jars />
<templates>
<include file="RESTJSONSource-Mapper.xml" />
</templates>
<bin />
<config />
<shell />
<patch />
<unresolved-external />
</fileList>
<!-- securedTargetTypeInfo: Contains source type and trail information-->
<securedTargetTypeInfo name="json_rest_secured_target" />
<!-- trailType: contains trail type, location , classname for
source type testSource -->
<trailInfo>
<trailType>REST</trailType>
<className name="oracle.av.platform.agent.collfwk.ezcollector.json.JSONRESTCollectorFactory" />
</trailInfo>
<!-- eventPatch: OPTIONAL field that indicates any event patches
that need to be applied as part of plugin deployment
The files listed here must be present in the patch
tag entries. The order in which the patches need to
applied can be controlled via the "order" attribute
Patches with lower "order" value will be applied first -->
<eventPatch name="p6753288_11.1.2.0.0_GENERIC.zip" order="2" />
</extensionPoint>
</extensionSet>
</plugin>
C.6 Javaベースの収集プラグインの例
Oracle Audit Vault and Database FirewallのJavaプラグインのコードとJavaベースの収集プラグインのマニフェスト・ファイルのパッケージと構造について学習します。
C.6.1 Java収集プラグインのコード
この例では、完全なJavaベースの収集プラグインを示しています。
この例は、「Javaベースの収集プラグインの作成方法」の説明の最終結果です。
例C-11 SampleEventCollectorFactory.java
package oracle.av.plugin.sample.collector;
import oracle.av.platform.agent.collfwk.AuditEventCollector;
import oracle.av.platform.agent.collfwk.AuditEventCollectorException;
import oracle.av.platform.agent.collfwk.AuditEventCollectorFactory;
import oracle.av.platform.agent.collfwk.CollectorContext;
public class SampleEventCollectorFactory implements AuditEventCollectorFactory {
public AuditEventCollector createAuditCollection(
CollectorContext collectorContext) throws AuditEventCollectorException {
// It simply creates and returns an instance of SampleEventCollector
return new SampleEventCollector();
}
}例C-12 SampleEventCollector.java
package oracle.av.plugin.sample.collector;
import java.io.Reader;
import java.sql.Clob;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Timestamp;
import java.util.HashMap;
import java.util.Map;
import oracle.av.platform.agent.collfwk.AuditEventCollector;
import oracle.av.platform.agent.collfwk.AuditEventCollectorException;
import oracle.av.platform.agent.collfwk.AuditService;
import oracle.av.platform.agent.collfwk.CollectorContext;
import oracle.av.platform.agent.collfwk.SetAttributeException;
import oracle.av.platform.common.ErrorCodes;
import oracle.av.platform.common.dao.ConnectionManager;
import oracle.av.platform.common.dao.ConnectionManagerImpl;
import oracle.av.platform.common.exception.AuditException;
import oracle.av.platform.common.util.AVLogger;
/**
* This collector collects events from AUD table and sends them to Collection
* Framework. It connects to the Source database during initialization and uses
* the same connection till close() is called. It maintains one ResultSet
* containing events. Once the ResultSet gets exhausted, the Collector sets a
* checkpoint and creates another ResultSet.
*
* @author myellu
*
*/
public class SampleEventCollector extends AuditEventCollector {
// The delay used when querying events.
private static final long DELAY = 5 * 1000;
private static final Map<Integer, String> eventNameMap =
new HashMap<Integer, String>();
static {
eventNameMap.put(1, "CREATE");
eventNameMap.put(2, "INSERT");
eventNameMap.put(3, "SELECT");
eventNameMap.put(4, "CREATE");
eventNameMap.put(15, "ALTER");
eventNameMap.put(30, "AUDIT");
eventNameMap.put(34, "CREATE");
eventNameMap.put(35, "ALTER");
eventNameMap.put(51, "CREATE");
eventNameMap.put(52, "CREATE");
}
// This map contains mapping from the source event ids to Audit Vault target
// types.
private static final Map<Integer, String> targetTypeMap = new HashMap<Integer,
String>();
static {
targetTypeMap.put(1, "TABLE");
targetTypeMap.put(2, "TABLE");
targetTypeMap.put(3, "TABLE");
targetTypeMap.put(4, "CLUSTER");
targetTypeMap.put(15, "TABLE");
targetTypeMap.put(30, "OBJECT");
targetTypeMap.put(34, "DATABASE");
targetTypeMap.put(35, "DATABASE");
targetTypeMap.put(51, "USER");
targetTypeMap.put(52, "ROLE");
}
// This map contains mapping from the source event ids to Source Event Names.
// This is necessary since source event ids do not describe the Source Event.
private static final Map<Integer, String> sourceEventMap = new HashMap<Integer,
String>();
static {
targetTypeMap.put(1, "OBJECT:CREATED:TABLE");
targetTypeMap.put(2, "INSERT INTO TABLE");
targetTypeMap.put(3, "SELECT FROM TABLE");
targetTypeMap.put(4, "OBJECT:CREATED:TABLE");
targetTypeMap.put(15, "OBJECT:ALTERED:TABLE");
targetTypeMap.put(30, "AUDIT OBJECT");
targetTypeMap.put(34, "OBJECT:CREATED:DATABASE");
targetTypeMap.put(35, "OBJECT:ALTERED:DATABASE");
targetTypeMap.put(51, "OBJECT:CREATED:USER");
targetTypeMap.put(52, "OBJECT:CREATED:ROLE");
}
// holds a connection to the Source database.
private ConnectionManager m_connectionManager;
// Connection to the Source.
private Connection m_connection;
// PreparedStatement used to get ResultSet.
private PreparedStatement m_preparedStatement;
// holds the ResultSet containing records.
private ResultSet m_resultSet;
// AuditService will be used to set checkpoint.
private AuditService m_auditService;
// previous checkpoint set.
private Timestamp m_previousCheckpoint;
// next checkpoint to be set.
private Timestamp m_nextCheckpoint;
private AVLogger m_logger;
// The CollectorContext received from the Collection Framework.
private CollectorContext m_collectorContext;
private long m_timeZoneOffset;
/**
* It connects to the database using the credentials and Connection String
* from the CollectorContext.
*
* @throws AuditEventCollectorException
*/
private void connectToSource() throws AuditEventCollectorException {
m_logger.logDebugMethodEntered();
// Get connection information from collector context.
String user = m_collectorContext.getSecuredTargetUser();
String password = new String(m_collectorContext.getSecuredTargetPassword());
String connectionString = m_collectorContext.getSecuredTargetLocation();
// Create a ConnectionManager object.
try {
m_connectionManager = new ConnectionManagerImpl(connectionString,
user, password.toCharArray());
m_connection = m_connectionManager.getConnection();
} catch (AuditException ex) {
throw new AuditEventCollectorException(
ErrorCodes.FAILED_CONNECT_TO_SOURCE,
new Object[] { connectionString }, ex);
}
m_logger.logDebugMethodExited();
}
/**
* converts the timone offset specified in String to a number of
* milliseconds.
*
*/
private long getTimeZoneOffsetInMs(String offset) {
if (offset == null)
return 0;
long timeZoneOffset;
/** process offset to get value in milliseconds */
int hour = Integer.parseInt(offset.substring(1, 3));
int min = Integer.parseInt(offset.substring(4, 6));
timeZoneOffset = (hour * 60 * 60 + min * 60) * 1000;
if (offset.charAt(0) == '-')
timeZoneOffset *= -1;
return timeZoneOffset;
}
/**
* Initializes the Collector with the values from CollectorContext. It also
* connects to the database.
*/
public void initializeCollector(CollectorContext collectorContext)
throws AuditEventCollectorException {
m_collectorContext = collectorContext;
m_auditService = m_collectorContext.getAuditService();
m_previousCheckpoint = m_collectorContext.getCheckpoint();
m_logger = m_collectorContext.getLogger();
// Get the timone offset for the Source.
String offset = m_collectorContext.getAttribute("TimeZoneOffset");
if (offset != null) {
m_timeZoneOffset = getTimeZoneOffsetInMs(offset);
}
connectToSource();
fetchEvents();
}
/**
* Queries the Source to get audit events that occurred from previous
* checkpoint to the current time. Apart from during the initialization, this
* method should be called only when ResultSet is exhausted. There are two
* reasons for this. <br>
* 1. This method will set the checkpoint. Checkpoint should only be set when
* the ResultSet is exhausted as the results with in the ResultSet can be in
* random order.<br>
* 2. This method will create a new ResultSet. Hence the contents of the old
* ResultSet will be inaccessible after this function is called.
*
* @throws AuditEventCollectorException
*/
private void fetchEvents() throws AuditEventCollectorException {
m_logger.logDebugMethodEntered();
if (m_nextCheckpoint != null) {
m_auditService.setCheckpoint(m_nextCheckpoint);
m_previousCheckpoint = m_nextCheckpoint;
}
// It is not good to hold on to the Connection for long. As this is the
// only place we can release the connection, we release and reacquire the
// connection.
try {
if (m_connection != null) {
m_connectionManager.releaseConnection(m_connection);
}
} catch (AuditException ex) {
throw new AuditEventCollectorException(
ErrorCodes.FAILED_TO_RELEASE_CONNECTION_TO_DB, null, ex);
}
try {
m_connection = m_connectionManager.getConnection();
} catch (AuditException ex) {
throw new AuditEventCollectorException(
ErrorCodes.FAILED_TO_GET_CONNECTION_TO_DB, null, ex);
}
// Now we need to aim for the next checkpoint. We will query for all
// events from previous checkpoint to the next checkpoint. So we want to
// make sure that all the events with event time lesser than the next
// checkpoint are already available in the table. However, the events
// might take a small amount of time before they are present in the table.
// Hence the next checkpoint we aim will be current time minus delta time.
m_nextCheckpoint = new Timestamp(System.currentTimeMillis() - DELAY);
String query = null;
try {
if (m_previousCheckpoint == null) {
query = "select * from AUD where EVENT_TIME <= ?";
m_preparedStatement = m_connection.prepareStatement(query);
m_preparedStatement.setTimestamp(1, m_nextCheckpoint);
} else {
query = "select * from AUD where EVENT_TIME > ? and EVENT_TIME <= ?";
m_preparedStatement = m_connection.prepareStatement(query);
m_preparedStatement.setTimestamp(1, m_previousCheckpoint);
m_preparedStatement.setTimestamp(2, m_nextCheckpoint);
}
m_resultSet = m_preparedStatement.executeQuery();
} catch (SQLException ex) {
throw new AuditEventCollectorException(
ErrorCodes.ERROR_GETTING_DATA_FROM_SOURCE,
new Object[] { query }, ex);
}
m_logger.logDebugMethodExited();
}
/**
* If the result set is not exhausted this will return true. If it has
* exhausted, it will query to get the events till the current time. If it
* could get any events, it will return true, false otherwise.
*/
public boolean hasNext() throws AuditEventCollectorException {
boolean hasMore;
try {
if(m_resultSet == null) {
fetchEvents();
return m_resultSet.next();
}
hasMore = m_resultSet.next();
if (!hasMore) {
fetchEvents();
hasMore = m_resultSet.next();
}
} catch (SQLException ex) {
throw new AuditEventCollectorException(
ErrorCodes.ERROR_GETTING_DATA_FROM_SOURCE, null, ex);
}
return hasMore;
}
// All the getter methods make use of the ResultSet get methods and return
// the value appropriately.
public String getUserName() throws AuditEventCollectorException {
try {
return m_resultSet.getString("USER_ID");
} catch (SQLException ex) {
throw new AuditEventCollectorException(
ErrorCodes.ERROR_GETTING_DATA_FROM_SOURCE, null, ex);
}
}
public String getOSUserName() throws AuditEventCollectorException {
try {
return m_resultSet.getString("OS_USER_ID");
} catch (SQLException ex) {
throw new AuditEventCollectorException(
ErrorCodes.ERROR_GETTING_DATA_FROM_SOURCE, null, ex);
}
}
public String getCommandClass() throws AuditEventCollectorException {
try {
int eventId = m_resultSet.getInt("ACTION");
return eventNameMap.get(eventId);
} catch (SQLException ex) {
throw new AuditEventCollectorException(
ErrorCodes.ERROR_GETTING_DATA_FROM_SOURCE, null, ex);
}
}
public String getEventName() throws AuditEventCollectorException {
try {
int eventId = m_resultSet.getInt("ACTION");
return sourceEventMap.get(eventId);
} catch (SQLException ex) {
throw new AuditEventCollectorException(
ErrorCodes.ERROR_GETTING_DATA_FROM_SOURCE, null, ex);
}
}
public EventStatus getEventStatus() throws AuditEventCollectorException {
try {
int status = m_resultSet.getInt("STATUS");
if (status == 1) {
return EventStatus.SUCCESS;
} else if (status == 0) {
return EventStatus.FAILURE;
} else {
return EventStatus.UNKNOWN;
}
} catch (SQLException ex) {
throw new AuditEventCollectorException(
ErrorCodes.ERROR_GETTING_DATA_FROM_SOURCE, null, ex);
}
}
public Timestamp getEventTimeUTC() throws AuditEventCollectorException {
try {
Timestamp eventTime = m_resultSet.getTimestamp("EVENT_TIME");
// As the method name suggests, the timestamp must be returned only in
// UTC timone.
return new Timestamp(eventTime.getTime() - m_timeZoneOffset);
} catch (SQLException ex) {
throw new AuditEventCollectorException( ErrorCodes.ERROR_GETTING_DATA_FROM_SOURCE, null, ex);
}
}
public String getErrorMessage() throws AuditEventCollectorException {
// There is no corresponding field for ErrorMessage. Hence we
// return NULL always.
return null;
}
public String getErrorId() throws AuditEventCollectorException {
// There is no corresponding field for ErrorId. Hence we
// return NULL always.
return null;
}
public String getTargetObject() throws AuditEventCollectorException {
try {
return m_resultSet.getString("OBJ_NAME");
} catch (SQLException ex) {
throw new AuditEventCollectorException( ErrorCodes.ERROR_GETTING_DATA_FROM_SOURCE, null, ex);
}
}
public String getTargetType() throws AuditEventCollectorException {
try {
int eventId = m_resultSet.getInt("ACTION");
return targetTypeMap.get(eventId);
} catch (SQLException ex) {
throw new AuditEventCollectorException(
ErrorCodes.ERROR_GETTING_DATA_FROM_SOURCE, null, ex);
}
}
public String getTargetOwner() throws AuditEventCollectorException {
try {
return m_resultSet.getString("OBJ_CREATOR");
} catch (SQLException ex) {
throw new AuditEventCollectorException(
ErrorCodes.ERROR_GETTING_DATA_FROM_SOURCE, null, ex);
}
}
public String getClientHostName() throws AuditEventCollectorException {
try {
return m_resultSet.getString("USER_HOST");
} catch (SQLException ex) {
throw new AuditEventCollectorException(
ErrorCodes.ERROR_GETTING_DATA_FROM_SOURCE, null, ex);
}
}
public String getClientIP() throws AuditEventCollectorException {
// There is no corresponding field for IP address. Hence we
// return NULL always.
return null;
}
public String getExtension() throws AuditEventCollectorException {
try {
StringBuilder sb = new StringBuilder();
// Here we will put those fields which are not sent in other getter
// methods.
sb.append("DB_ID=" + m_resultSet.getString("DB_ID") + ";");
sb.append("INSTANCE=" + m_resultSet.getString("INSTANCE") + ";");
sb.append("PROCESS=" + m_resultSet.getString("PROCESS"));
return sb.toString();
} catch (SQLException ex) {
throw new AuditEventCollectorException(
ErrorCodes.ERROR_GETTING_DATA_FROM_SOURCE, null, ex);
}
}
public Reader getCommandText() throws AuditEventCollectorException {
try {
// Clobs and the Readers contained in the Clobs are alive only
// as long as the Connection to the Source is alive. So if the Source
// Connection is closed, Collection Framework will fail when it tries
// to send the events to AV Server. If there is any need to close and
// recreate a connection that should be done immediately after setting
// the checkpoint. Setting the checkpoint causes the Collection
// Framework to flush all the events it is holding. So immediately
// after setting the checkpoint, we are sure that the Framework is not
// holding any events.
Clob clob = m_resultSet.getClob("SQL_TEXT");
return clob.getCharacterStream();
} catch (SQLException ex) {
throw new AuditEventCollectorException(
ErrorCodes.ERROR_GETTING_DATA_FROM_SOURCE, null, ex);
}
}
public Reader getCommandParam() throws AuditEventCollectorException {
try {
Clob clob = m_resultSet.getClob("SQL_BIND");
return clob.getCharacterStream();
} catch (SQLException ex) {
throw new AuditEventCollectorException(
ErrorCodes.ERROR_GETTING_DATA_FROM_SOURCE, null, ex);
}
}
public String getMarker() throws AuditEventCollectorException {
// ENTRY_ID will identify an audit event uniquely with in a session. Hence
// ENTRY_ID along with SESSION_ID will uniquely identify an audit event
// across sessions.
try {
return m_resultSet.getString("SESSION_ID") + ":"
+ m_resultSet.getString("ENTRY_ID");
} catch (SQLException ex) {
throw new AuditEventCollectorException(
ErrorCodes.ERROR_GETTING_DATA_FROM_SOURCE, null, ex);
}
}
public void setAttribute(String name, String value)
throws SetAttributeException {
if (name.equalsIgnoreCase("TimeZoneOffset")) {
m_timeZoneOffset = getTimeZoneOffsetInMs(value);
} else {
throw new SetAttributeException(ErrorCodes.INVALID_ATTRIBUTE_NAME,
new Object[] { name, value }, null);
}
}
public void close() {
try {
if (m_resultSet != null) {
m_resultSet.close();
m_resultSet = null;
}
if (m_connectionManager != null) {
m_connectionManager.destroy();
m_connectionManager = null;
}
m_previousCheckpoint = null;
m_nextCheckpoint = null;
m_logger = null;
} catch (SQLException ex) {
m_logger.logError("SampleEventCollector", "close",
"SQLException occurred. ", ex);
} catch (AuditException ex) {
m_logger.logError("SampleEventCollector", "close",
"AuditException occurred. ", ex);
}
}
}C.6.2 Javaベースの収集プラグインのマニフェスト・ファイル
Oracle Audit Vault and Database FirewallのJavaベースの収集プラグインの設定方法を示します。
これは、Javaベースの収集のマニフェスト・ファイルのサンプルです。
例C-13 Javaベースのマニフェスト・ファイル
<?xml version="1.0"?>
<plugin xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.oracle.com/av/plugin plugin-manifest.xsd"
xmlns="http://xmlns.oracle.com/av/plugin"
name="Sample Plugin"
id="com.oracle.av.plugin.sample"
version="12.1.0.0.0"
provider-name="Oracle Corp."
copyright="Copyright Oracle Corp. 2011">
<!-- targetVersion: Version of Oracle Audit Vault supported by
this plugin. This is represented by the "min" attribute of
targetVersion> tag -->
<targetVersion min="12.1.0.0.0"/>
<extensionSet>
<extensionPoint type= "securedTargetType">
<!-- fileList: Lists *all* the files that ship with the plugin -->
<fileList>
<jars>
<include file="samplecollector.jar"/>
<!-- All your collector Java jar binaries go here -->
</jars>
<templates>
<bin>
<!-- All your collector native binaries go here -->
</bin>
<config>
<!-- Any configuration information (such as .properites files)
go here -->
</config>
<shell>
<!-- Any shell scripts that your collector relies on go here -->
</shell>
<patch>
<!-- Oracle provided patches go here -->
</patch>
<unresolved-external>
<!-- Any files belonging to the unresolved-external category here -->
</unresolved-external>
</fileList>
<!-- securedTargetTypeInfo: Contains source type and trail information
-->
<securedTargetTypeInfo name="Sample"/>
<!-- trailType: contains trail type, location , classname for
source type testSource -->
<trailInfo>
<trailType>TABLE</trailType>
<className name="oracle.av.plugin.sample.collector.SampleEventCollectorFactory" />
</trailInfo >
</extensionPoint>
</extensionSet>
</plugin>