C Example Code
Learn from examples the different types of collection plug-ins, including database tables, XML files, and Java-based file collection plug-ins.
C.1 Database Table Collection Plug-in Example
See examples of Oracle Audit Vault database table collection plug-in mapper files and database table plug-in manifest files.
C.1.1 Database Table Collection Plug-in Mapper File
Learn which Oracle Audit Vault attributes and fields are mandatory and which are optional for database table collection plug-in mapper files.
Oracle Audit Vault database table collection plug-in mapper files have certain mandatory fields. S
Mandatory Fields
These attributes and fields are mandatory:
-
securedTargetType -
maxSecuredTargetVersion -
version -
TableName -
Driver -
EventTimeUTC -
CommandClasstransformations -
EventStatustransformations -
MarkerField
Optional Fields
Source names that map to Oracle Audit Vault Server fields are not mandatory. However, if the information is not provided when data collection starts, then all audit records are treated as invalid:
-
UserName -
CommandClass
Example C-1 Sample XML Mapper File for a Database Table Collection Plug-in
<AVTableCollectorTemplate securedTargetType="DBSOURCE" minSecuredTargetVersion="10.2.0"
maxSecuredTargetVersion="11.0" version="1.0" >
<!--Example Template for a database Collector-->
<!-- Attributes: securedTargetType, maxSecuredTargetVersion,
and version are mandatory;
minSecuredTargetVersion attribute is optional -->
<!-- Accepted Format for min/maxSecuredTargetVersion and
version attribute value is numbers separated by
dots (For example: 12.2,10.3.2, 11.2.3.0 etc..)-->
<!-- Audit Table Information -->
<!-- Name of Audit Table: Mandatory information -->
<TableName>dummy_auditTable</TableName>
<!-- Source Connection Information -->
<ConnectionInfo>
<DataSource>oracle.jdbc.pool.OracleDataSource</DataSource>
<!--Datasource class name for current secured target type:
Mandatory information -->
</ConnectionInfo>
<!-- This Gives Mapping Information of Source Fields to various AV
Fields(core and large fields) -->
<!-- There should be no many-to-one mappings from source fields to
AV Server fields -->
<FieldMappingInfo>
<!-- Mapping of Source Fields to Core Fields of AV server -->
<!-- Source fields specified in core field mappings must be of SQL
Datatype: String OR convertible to String-->
<CoreFields>
<Map>
<!-- Mandatory: EventTime mapping information -->
<Name>EVENT_TIME</Name>
<MapTo>EventTimeUTC</MapTo>
</Map>
<Map>
<!-- If UserName core field mapping is not provided, Audit Data
Collection still starts successfully, but every audit record
will be treated as invalid -->
<Name>USER_ID</Name>
<MapTo>UserName</MapTo>
</Map>
<Map>
<Name>OS_USER_ID</Name>
<MapTo>OSUserName</MapTo>
</Map>
<Map>
<!-- If source name, the ACTION field, for CommandClass core field
mapping is not provided, Audit Data Collection still starts
successfully, but all audit records are treated as invalid -->
<Name>ACTION</Name>
<MapTo>CommandClass</MapTo>
<!-- Mandatory: value transformation from secured target field value
to command class field value. Value of "to" Attribute is from AV
Event set -->
<Transformation>
<ValueTransformation from="1" to="CREATE"/>
<ValueTransformation from="2" to="INSERT"/>
<ValueTransformation from="3" to="SELECT"/>
<ValueTransformation from="4" to="CREATE"/>
<ValueTransformation from="15" to="READ"/>
<ValueTransformation from="30" to="LOGON"/>
<ValueTransformation from="34" to="LOGOFF"/>
<ValueTransformation from="35" to="ACQUIRE"/>
</Transformation>
</Map>
<Map>
<Name>OBJ_NAME</Name>
<MapTo>TargetObject</MapTo>
</Map>
<Map>
<Name>USER_HOST</Name>
<MapTo>ClientHostName</MapTo>
</Map>
<Map>
<Name>OBJ_CREATOR</Name>
<MapTo>TargetOwner</MapTo>
</Map>
<Map>
<Name>STATUS</Name>
<MapTo>EventStatus</MapTo>
<!-- Value transformation for "STATUS" source field value.
Mandatory: EventStatus value transformation.
There are three possible values for EventStatus:
SUCCESS, FAILURE, UNKNOWN -->
<Transformation>
<ValueTransformation from="0" to="FAILURE"/>
<ValueTransformation from="1" to="SUCCESS"/>
<ValueTransformation from="2" to="UNKNOWN"/>
</Transformation>
</Map>
</CoreFields>
<!-- Mapping of Source Fields to Large Fields of AV server i.e fields
with huge content -->
<!-- Secured target fields specified in large field mappings must be
of SQL Datatype:CLOB OR SQL Datatype:String OR convertible to
String -->
<LargeFields>
<Map>
<Name>SQL_TEXT</Name>
<MapTo>CommandText</MapTo>
</Map>
<Map>
<Name>COMMAND_PARAMETER</Name>
<MapTo>CommandParam</MapTo>
</Map>
</LargeFields>
<!-- These secured target fields are collected in a single extension
field, all name-value pairs separated by standard delimiter -->
<!-- Secured target fields specified in extension field mapping must
be of SQL Datatype:String OR convertible to String -->
<ExtensionField>
<Name>DB_ID</Name>
<Name>INSTANCE</Name>
<Name>PROCESS</Name>
<Name>TERMINAL</Name>
</ExtensionField>
<!-- Mandatory: Secured target fields for MarkerField
A group of secured target fields to uniquely identify each Audit
Record -->
<!-- Secured target fields specified to be used as MarkerField mapping
must be of SQL Datatype:String OR convertible to String -->
<MarkerField>
<Name>SESSION_ID</Name>
<Name>ENTRY_ID</Name>
</MarkerField>
</FieldMappingInfo>
</AVTableCollectorTemplate>Related Topics
C.1.2 Database Table Collection Plug-in Manifest File
See an example of a database table collection plug-in manifest file.
This is a sample manifest file for a database table collection plug-in.
Example C-2 Sample Manifest File for a Database Table Collection Plug-in
<?xml version="1.0"?>
<plugin xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.oracle.com/av/plugin plugin-manifest.xsd"
xmlns="http://xmlns.oracle.com/av/plugin"
name="HRMS-Template"
id="com.oracle.av.plugin"
version="1.0"
provider-name="Oracle Corp."
copyright="Copyright Oracle Corp. 2011">
<!-- targetVersion: Version of Oracle Audit Vault supported by this
plugin. This is represented by the "min" attribute of
<targetVersion> tag -->
<targetVersion min="11.1.0.0.0"/>
<extensionSet>
<extensionPoint type= "securedTargetType">
<!-- Tag: fileList: Lists all files that ship with the plugin -->
<fileList>
<jars></jars>
<templates>
<include file="DBSource-Mapper.xml"/>
</templates>
<bin></bin>
<config></config>
<shell></shell>
<patch></patch>
<unresolved-external>
</unresolved-external>
</fileList>
<!-- Tag: securedTargetTypeInfo: Contains secured target type and
trail information -->
<securedTargetTypeInfo name="DBSOURCE"/>
<!-- Tag: trailType: contains trail type, location , classname for
source type testSource -->
<trailInfo>
<trailType>TABLE</trailType>
<className name="oracle.av.platform.agent.collfwk.Collector.table.DatabaseTableCollector"/>
</trailInfo>
<!-- eventPatch: OPTIONAL field that indicates any event patches
that need to be applied as part of plugin deployment
The files listed here must be present in the <patch>
tag entries. The order in which the patches need to
applied can be controlled via the "order" attribute
Patches with lower "order" value will be applied
first -->
<eventPatch name="p6753288_11.1.2.0.0_GENERIC.zip" order="2"/>
</extensionPoint>
</extensionSet>
</plugin>C.2 XML File Collection Plug-in Examples
Learn about the plug-in mapper file and plug-in manifest file attributes and fields for Oracle Audit Vault and Database Firewall.
C.2.1 XML File Collection Plug-In Mapper File
See an XML template collector file example, and find out about the attributes and fields used with XML file collection in Oracle Audit Vault and Database Firewall.
There are both mandatory attributes and fields, and fields that are not mandatory, but that can cause your audit records to be treated as invalid.
Mandatory Attributes and Fields for XML File Collection Plug-In Mapper Files
-
securedTargetType -
maxSecuredTargetVersion -
version -
HeaderInfo -
RecordInfo -
EventTimeUTC -
CommandClasstransformations -
EventStatustransformations -
MarkerField
Standard Fields for XML File Collection Plug-In Mapper Files
Source names that map to these Oracle Audit Vault Server fields are not mandatory. However, if the information specified by these fields is not provided, then when data collection starts, all audit records are treated as invalid:
-
UserName -
CommandClass
Example C-3 Sample XML File Collection Plug-in Mapper File
<AVXMLCollectorTemplate securedTargetType="XMLSOURCE"
maxSecuredTargetVersion="11.0"
version="1.0">
<!--Example Template for XML template collector-->
<!-- Attributes: "securedTargetType", "maxSecuredTargetVersion" and
"version" are mandatory attributes, "minSecuredTargetVersion"
attribute is optional -->
<!-- Accepted Format for min/maxSecuredTargetVersion and version
attribute value is numbers separated by dots (For example:
12.2,10.3.2, 11.2.3.0 etc..)-->
<!-- Header Information like XML Header start tag -->
<HeaderInfo>
<!-- Mandatory: HeaderInfo-->
<!-- Value in this tag gives Root tag of the XML audit file-->
<StartTag>Audit</StartTag>
</HeaderInfo>
<!-- Record Information like Record Start tag and conformation to hold
original record -->
<RecordInfo>
<!-- Mandatory: RecordInfo -->
<!-- Provides starting tag of audit record in XML audit file -->
<StartTag>AuditRecord</StartTag>
</RecordInfo>
<!-- Gives Mapping Information of Source Fields to various AV Fields
(core and large fields) -->
<!-- Not Allowed: many-to-one mapping from source field to
AV Server fields -->
<FieldMappingInfo>
<!-- Mapping of Source Fields to Core Fields of AV server
Source fields specified in core field mappings must be of SQL
Datatype: String OR convertible to String -->
<CoreFields>
<Map>
<Name>EVENT_TIME</Name>
<MapTo>EventTimeUTC</MapTo>
<TimestampPattern>yyyy-MM-dd HH:mm:ss.SSS</TimestampPattern>
</Map>
<Map>
<!-- If UserName core field mapping is not provided, Audit Data
Collection still starts successfully, but every audit record
will be treated as invalid -->
<Name>USER_ID</Name>
<MapTo>UserName</MapTo>
</Map>
<Map>
<Name>OS_USER_ID</Name>
<MapTo>OSUserName</MapTo>
</Map>
<Map>
<!-- If source name, the ACTION field, for CommandClass
core field mapping is not provided, Audit Data Collection
still starts successfully, but all audit records are treated
as invalid -->
<Name>ACTION</Name>
<MapTo>CommandClass</MapTo>
<!-- Mandatory: value transformations from source to Action
field value. Value of "to" Attribute is from AV Event set -->
<Transformation>
<ValueTransformation from="1" to="CREATE"/>
<ValueTransformation from="2" to="INSERT"/>
<ValueTransformation from="3" to="SELECT"/>
<ValueTransformation from="4" to="CREATE"/>
<ValueTransformation from="15" to="READ"/>
<ValueTransformation from="30" to="LOGON"/>
<ValueTransformation from="34" to="LOGOFF"/>
<ValueTransformation from="35" to="ACQUIRE"/>
</Transformation>
</Map>
<Map>
<Name> OBJ_NAME</Name>
<MapTo>TargetObject</MapTo>
</Map>
<Map>
<Name>USER_HOST</Name>
<MapTo>ClientHostName</MapTo>
</Map>
<Map>
<Name>OBJ_CREATOR</Name>
<MapTo>TargetOwner</MapTo>
</Map>
<Map>
<Name>STATUS</Name>
<MapTo>EventStatus</MapTo>
<!-- Specifying value transformation for Status source field value.
Mandatory: EventStatus value transformation.
There are three possible values for EventStatus:
SUCCESS, FAILURE, UNKNOWN -->
<Transformation>
<ValueTransformation from="0" to="FAILURE"/>
<ValueTransformation from="1" to="SUCCESS"/>
<ValueTransformation from="2" to="UNKNOWN"/>
</Transformation>
</Map>
</CoreFields>
<!-- Mapping of Source Fields to Large Fields of AV server i.e fields
with huge content -->
<!-- Source fields specified in large field mappings must be of SQL
Datatype:CLOB OR SQL Datatype:String OR convertible to String -->
<LargeFields>
<Map>
<Name>SQL_TEXT</Name>
<MapTo>CommandText</MapTo>
</Map>
<Map>
<Name>COMMAND_PARAMETER</Name>
<MapTo>CommandParam</MapTo>
</Map>
</LargeFields>
<!-- These Source fields will be collected in a single extension
field, all name-value pairs are separated by standard delimiter -->
<!-- Source fields specified in extension field mapping must be of
SQL Datatype:String OR convertible to String -->
<ExtensionField>
<Name>DB_ID</Name>
<Name>INSTANCE</Name>
<Name>PROCESS</Name>
<Name>TERMINAL</Name>
</ExtensionField>
<!-- This is group of source fields for uniquely identifying each
Audit Record Marker -->
<!-- Source fields specified to be used as Marker field mapping must
be of SQL Datatype:String OR convertible to String -->
<!-- Mandatory: Source fields for MarkerField -->
<MarkerField>
<Name>SESSION_ID</Name>
<Name>ENTRY_ID</Name>
</MarkerField>
</FieldMappingInfo>
</AVXMLCollectorTemplate>Related Topics
C.2.2 XML File Collection Plug-In Manifest File
See an XML file collection plug-in manifest file example used with XML file collection in Oracle Audit Vault and Database Firewall.
This is a sample manifest file for an XML file collection plug-in.
Example C-4 Sample Manifest File for an XML File Collection Plug-in
<?xml version="1.0"?>
<plugin xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.oracle.com/av/plugin plugin-manifest.xsd"
xmlns="http://xmlns.oracle.com/av/plugin"
name="Oracle-XML-Template"
id="com.oracle.av.plugin"
version="1.0"
provider-name="Oracle Corp."
copyright="Copyright Oracle Corp. 2011">
<!-- targetVersion: Version of Oracle Audit Vault supported by
this plugin. This is represented by the "min" attribute of
targetVersion> tag -->
<targetVersion min="11.1.0.0.0"/>
<extensionSet>
<extensionPoint type= "securedTargetType">
<!-- fileList: Lists *all* the files that ship with the plugin -->
<fileList>
<jars></jars>
<templates>
<include file="XMLSource-Mapper.xml"/>
</templates>
<bin></bin>
<config></config>
<shell></shell>
<patch></patch>
<unresolved-external></unresolved-external>
</fileList>
<!-- securedTargetTypeInfo: Contains source type and trail information
-->
<securedTargetTypeInfo name="oracle"/>
<!-- trailType: contains trail type, location , classname for
source type testSource -->
<trailInfo>
<trailType>DIRECTORY</trailType>
<className name="oracle.av.platform.agent.collfwk.ezcollector.xml.XMLFileCollector"/>
</trailInfo>
<!-- eventPatch: OPTIONAL field that indicates any event patches
that need to be applied as part of plugin deployment-->
The files listed here must be present in the <patch>-->
tag entries. The order in which the patches need to -->
applied can be controlled via the "order" attribute -->
Patches with lower "order" value will be applied -->
first -->
<eventPatch name="p6753288_11.1.2.0.0_GENERIC.zip" order="2"/>
</extensionPoint>
</extensionSet>
</plugin>
C.3 JSON File Collection Plug-in Example
Learn about the JSON plug-in mapper file and plug-in manifest file attributes and fields for Oracle Audit Vault and Database Firewall.
C.3.1 JSON File Collection Plug-In Mapper File
See a JSON template collector file example, and find out about the attributes and fields used with JSON file collection in Oracle Audit Vault and Database Firewall.
There are both mandatory attributes and fields, and fields that are not mandatory, but that can cause your audit records to be treated as invalid.
Mandatory Attributes and Fields for JSON File Collection Plug-In Mapper Files
-
securedTargetType -
maxSecuredTargetVersion -
version -
HeaderInfo -
RecordInfo -
EventTimeUTC -
CommandClasstransformations -
EventStatustransformations -
MarkerField
Standard Fields for JSON File Collection Plug-In Mapper Files
Source names that map to these Oracle Audit Vault Server fields are not mandatory. However, if the information specified by these fields is not provided, then when data collection starts, all audit records are treated as invalid:
-
UserName -
CommandClass
Example C-5 Sample JSON File Collection Plug-in Mapper File
<?xml version="1.0" encoding="UTF-8"?>
<AVJSONCollectorTemplate securedTargetType="JSONSOURCE" maxSecuredTargetVersion="11.0" version="1.0">
<!--Example Template for JSON template collector-->
<!-- Attributes: "securedTargetType", "maxSecuredTargetVersion" and
"version" are mandatory attributes, "minSecuredTargetVersion"
attribute is optional -->
<!-- Accepted Format for min/maxSecuredTargetVersion and version
attribute value is numbers separated by dots (For example:
12.2,10.3.2, 11.2.3.0 etc..)-->
<!-- Header Information like JSON Header start tag -->
<HeaderInfo>
<!-- Mandatory: HeaderInfo-->
<!-- Value in this tag gives Root tag of the JSON audit file-->
<StartTag>ITEMS</StartTag>
</HeaderInfo>
<!-- Record Information like Record Start tag and conformation to hold
original record -->
<RecordInfo>
<!-- Mandatory: RecordInfo -->
<!-- Provides starting tag of audit record in JSON audit file -->
<StartTag>SESSION_ID</StartTag>
</RecordInfo>
<!-- Gives Mapping Information of Source Fields to various AV Fields
(core and large fields) -->
<!-- Not Allowed: many-to-one mapping from source field to
AV Server fields -->
<FieldMappingInfo>
<!-- Mapping of Source Fields to Core Fields of AV server
Source fields specified in core field mappings must be of SQL
Datatype: String OR convertible to String -->
<CoreFields>
<Map>
<Name>$.EVENT_TIME</Name>
<MapTo>EventTimeUTC</MapTo>
<TimestampPattern>yyyy-MM-dd HH:mm:ss.SSS</TimestampPattern>
</Map>
<Map>
<!-- If UserName core field mapping is not provided, Audit Data
Collection still starts successfully, but every audit record
will be treated as invalid -->
<Name>$.USER_ID</Name>
<MapTo>UserName</MapTo>
</Map>
<Map>
<Name>$.OS_USER_ID</Name>
<MapTo>OSUserName</MapTo>
</Map>
<Map>
<!-- If source name, the ACTION field, for CommandClass
core field mapping is not provided, Audit Data Collection
still starts successfully, but all audit records are treated
as invalid -->
<Name>$.ACTION</Name>
<MapTo>CommandClass</MapTo>
<!-- Mandatory: value transformations from source to Action
field value. Value of "to" Attribute is from AV Event set -->
<Transformation>
<ValueTransformation from="1" to="CREATE" />
<ValueTransformation from="2" to="INSERT" />
<ValueTransformation from="3" to="SELECT" />
<ValueTransformation from="4" to="CREATE" />
<ValueTransformation from="15" to="READ" />
<ValueTransformation from="30" to="LOGON" />
<ValueTransformation from="34" to="LOGOFF" />
<ValueTransformation from="35" to="ACQUIRE" />
</Transformation>
</Map>
<Map>
<Name>$.OBJ_NAME</Name>
<MapTo>TargetObject</MapTo>
</Map>
<Map>
<Name>$.USER_HOST</Name>
<MapTo>ClientHostName</MapTo>
</Map>
<Map>
<Name>$.OBJ_CREATOR</Name>
<MapTo>TargetOwner</MapTo>
</Map>
<Map>
<Name>$.STATUS</Name>
<MapTo>EventStatus</MapTo>
<!-- Specifying value transformation for Status source field value.
Mandatory: EventStatus value transformation.
There are three possible values for EventStatus:
SUCCESS, FAILURE, UNKNOWN -->
<Transformation>
<ValueTransformation from="0" to="FAILURE" />
<ValueTransformation from="1" to="SUCCESS" />
<ValueTransformation from="2" to="UNKNOWN" />
</Transformation>
</Map>
</CoreFields>
<!-- Mapping of Source Fields to Large Fields of AV server i.e fields
with huge content -->
<!-- Source fields specified in large field mappings must be of SQL
Datatype:CLOB OR SQL Datatype:String OR convertible to String -->
<LargeFields>
<Map>
<Name>$.SQL_TEXT</Name>
<MapTo>CommandText</MapTo>
</Map>
<Map>
<Name>$.COMMAND_PARAMETER</Name>
<MapTo>CommandParam</MapTo>
</Map>
</LargeFields>
<!-- These Source fields will be collected in a single extension
field, all name-value pairs are separated by standard delimiter -->
<!-- Source fields specified in extension field mapping must be of
SQL Datatype:String OR convertible to String -->
<ExtensionField>
<Name>$.DB_ID</Name>
<Name>$.INSTANCE</Name>
<Name>$.PROCESS</Name>
<Name>$.TERMINAL</Name>
</ExtensionField>
<!-- This is group of source fields for uniquely identifying each
Audit Record Marker -->
<!-- Source fields specified to be used as Marker field mapping must
be of SQL Datatype:String OR convertible to String -->
<!-- Mandatory: Source fields for MarkerField -->
<MarkerField>
<Name>$.SESSION_ID</Name>
<Name>$.ENTRY_ID</Name>
</MarkerField>
</FieldMappingInfo>
</AVJSONCollectorTemplate>Related Topics
C.3.2 JSON File Collection Plug-In Manifest File
See a JSON file collection plug-in manifest file example used with JSON file collection in Oracle Audit Vault and Database Firewall.
This is a sample manifest file for an JSON file collection plug-in.
Example C-6 Sample Manifest File for a JSON File Collection Plug-in
<?xml version="1.0" encoding="UTF-8"?>
<plugin xmlns="http://foobar.example.com/av/plugin" xmlns:xsi="http://foobar.example.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/av/plugin plugin-manifest.xsd" name="Oracle-XML-Template" id="com.oracle.av.plugin" version="1.0" provider-name="Oracle Corp." copyright="Copyright Oracle Corp. 2011">
<!-- targetVersion: Version of Oracle Audit Vault supported by
this plugin. This is represented by the "min" attribute of
targetVersion> tag -->
<targetVersion min="11.1.0.0.0" />
<extensionSet>
<extensionPoint type="securedTargetType">
<!-- fileList: Lists *all* the files that ship with the plugin -->
<fileList>
<jars />
<templates>
<include file="JSONSource-Mapper.xml" />
</templates>
<bin />
<config />
<shell />
<patch />
<unresolved-external />
</fileList>
<!-- securedTargetTypeInfo: Contains source type and trail information-->
<securedTargetTypeInfo name="json_file_secured_target" />
<!-- trailType: contains trail type, location , classname for
source type testSource -->
<trailInfo>
<trailType>DIRECTORY</trailType>
<className name="oracle.av.platform.agent.collfwk.ezcollector.json.MultiJSONFileCollectorFactory" />
</trailInfo>
<!-- eventPatch: OPTIONAL field that indicates any event patches
that need to be applied as part of plugin deployment
The files listed here must be present in the patch
tag entries. The order in which the patches need to
applied can be controlled via the "order" attribute
Patches with lower "order" value will be applied first -->
<eventPatch name="p6753288_11.1.2.0.0_GENERIC.zip" order="2" />
</extensionPoint>
</extensionSet>
</plugin>C.4 CSV File Collection Plug-in Example
Learn about the CSV plug-in mapper file and plug-in manifest file attributes and fields for Oracle Audit Vault and Database Firewall.
C.4.1 CSV File Collection Plug-In Mapper File
See a CSV template collector file example, and find out about the attributes and fields used with CSV file collection in Oracle Audit Vault and Database Firewall.
There are both mandatory attributes and fields, and fields that are not mandatory, but that can cause your audit records to be treated as invalid.
Mandatory Attributes and Fields for CSV File Collection Plug-In Mapper Files
-
securedTargetType -
maxSecuredTargetVersion -
version -
HeaderInfo -
RecordInfo -
EventTimeUTC -
CommandClasstransformations -
EventStatustransformations -
MarkerField
Standard Fields for CSV File Collection Plug-In Mapper Files
Source names that map to these Oracle Audit Vault Server fields are not mandatory. However, if the information specified by these fields is not provided, then when data collection starts, all audit records are treated as invalid:
-
UserName -
CommandClass
Example C-7 Sample CSV File Collection Plug-in Mapper File
<?xml version="1.0" encoding="UTF-8"?>
<AVCSVCollectorTemplate securedTargetType="csv_file_secured_target" maxSecuredTargetVersion="11.0" version="1.0">
<!--Example Template for CSV template collector-->
<!-- Attributes: "securedTargetType", "maxSecuredTargetVersion" and
"version" are mandatory attributes, "minSecuredTargetVersion"
attribute is optional -->
<!-- Accepted Format for min/maxSecuredTargetVersion and version
attribute value is numbers separated by dots (For example:
12.2,10.3.2, 11.2.3.0 etc..)-->
<!-- Header Information like CSV Header start tag -->
<HeaderInfo>
<!-- Mandatory: HeaderInfo-->
<!-- Hardcoded to CSV -->
<StartTag>CSV</StartTag>
</HeaderInfo>
<!-- Record Information like Record Start tag and conformation to hold
original record -->
<RecordInfo>
<!-- Mandatory: RecordInfo -->
<!-- Hardcoded to CSV -->
<StartTag>CSV</StartTag>
</RecordInfo>
<!-- Gives Mapping Information of Source Fields to various AV Fields
(core and large fields) -->
<!-- Not Allowed: many-to-one mapping from source field to
AV Server fields -->
<FieldMappingInfo>
<!-- Mapping of Source Fields to Core Fields of AV server
Source fields specified in core field mappings must be
either string OR convertible to string -->
<!-- CSV files have "COMMA" as field delimiter -->
<!-- The first field has index 0, second field has index 1 and so on -->
<CoreFields>
<!-- In our CSV sample data, EVENT_TIME field has index 2 -->
<!-- Hence 2 is used in below EventTimeUTC mapping -->
<Map>
<Name>2</Name>
<MapTo>EventTimeUTC</MapTo>
<TimestampPattern>yyyy-MM-dd'T'HH:mm:ss.SSSZ</TimestampPattern>
</Map>
<Map>
<!-- If UserName core field mapping is not provided, Audit Data
Collection still starts successfully, but every audit record
will be treated as invalid -->
<Name>5</Name>
<MapTo>UserName</MapTo>
</Map>
<Map>
<!-- If source name, the ACTION field, for CommandClass
core field mapping is not provided, Audit Data Collection
still starts successfully, but all audit records are treated
as invalid -->
<Name>1</Name>
<MapTo>CommandClass</MapTo>
<!-- Mandatory: value transformations from source to Action
field value. Value of "to" Attribute is from AV Event set -->
<Transformation>
<ValueTransformation from="createUser" to="CREATE" />
<ValueTransformation from="createCollection" to="CREATE" />
<ValueTransformation from="authenticate" to="AUTHENTICATE" />
<ValueTransformation from="dropCollection" to="DROP" />
<ValueTransformation from="dropUser" to="DROP" />
</Transformation>
</Map>
<Map>
<Name>1</Name>
<MapTo>TargetObject</MapTo>
<Transformation>
<FieldTransformation from="createUser" to="6" />
<FieldTransformation from="createCollection" to="6" />
<FieldTransformation from="authenticate" to="6" />
<FieldTransformation from="dropCollection" to="6" />
<FieldTransformation from="dropUser" to="6" />
</Transformation>
</Map>
<Map>
<Name>1</Name>
<MapTo>TargetType</MapTo>
<Transformation>
<ValueTransformation from="createUser" to="USER" />
<ValueTransformation from="createCollection" to="COLLECTION" />
<ValueTransformation from="authenticate" to="USER" />
<ValueTransformation from="dropCollection" to="COLLECTION" />
<ValueTransformation from="dropUser" to="USER" />
</Transformation>
</Map>
<Map>
<Name>3</Name>
<MapTo>ClientIP</MapTo>
</Map>
<Map>
<Name>7</Name>
<MapTo>EventStatus</MapTo>
<!-- Specifying value transformation for Status source field value.
Mandatory: EventStatus value transformation.
There are three possible values for EventStatus:
SUCCESS, FAILURE, UNKNOWN -->
<Transformation>
<ValueTransformation from="0" to="FAILURE" />
<ValueTransformation from="100" to="SUCCESS" />
<ValueTransformation from="200" to="UNKNOWN" />
</Transformation>
</Map>
</CoreFields>
<!-- Mapping of Source Fields to Large Fields of AV server i.e fields
with huge content -->
<!-- Source fields specified in large field mappings must be of SQL
Datatype:CLOB OR SQL Datatype:String OR convertible to String -->
<LargeFields>
<Map>
<Name>11</Name>
<MapTo>CommandText</MapTo>
</Map>
<Map>
<Name>12</Name>
<MapTo>CommandParam</MapTo>
</Map>
</LargeFields>
<!-- These Source fields will be collected in a single extension
field, all name-value pairs are separated by standard delimiter -->
<!-- Source fields specified in extension field mapping must be of
SQL Datatype:String OR convertible to String -->
<ExtensionField>
<ComplexName>
<Name>10</Name>
<DisplayName>sessionid</DisplayName>
</ComplexName>
<ComplexName>
<Name>13</Name>
<DisplayName>entryid</DisplayName>
</ComplexName>
</ExtensionField>
<!-- This is group of source fields for uniquely identifying each
Audit Record Marker -->
<!-- Source fields specified to be used as Marker field mapping must
be of SQL Datatype:String OR convertible to String -->
<!-- Mandatory: Source fields for MarkerField -->
<MarkerField>
<Name>10</Name>
<Name>13</Name>
</MarkerField>
</FieldMappingInfo>
</AVCSVCollectorTemplate>
Related Topics
C.4.2 CSV File Collection Plug-In Manifest File
See a CSV file collection plug-in manifest file example used with CSV file collection in Oracle Audit Vault and Database Firewall.
This is a sample manifest file for an CSV file collection plug-in.
Example C-8 Sample Manifest File for a CSV File Collection Plug-in
<?xml version="1.0" encoding="UTF-8"?>
<plugin xmlns="http://xmlns.oracle.com/av/plugin" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/av/plugin plugin-manifest.xsd" name="Oracle-XML-Template" id="com.oracle.av.plugin" version="1.0" provider-name="Oracle Corp." copyright="Copyright Oracle Corp. 2011">
<!-- targetVersion: Version of Oracle Audit Vault supported by
this plugin. This is represented by the "min" attribute of
targetVersion> tag -->
<targetVersion min="20.4.0.0.0" />
<extensionSet>
<extensionPoint type="securedTargetType">
<!-- fileList: Lists *all* the files that ship with the plugin -->
<fileList>
<jars />
<templates>
<include file="CSVSource-Mapper.xml" />
</templates>
<bin />
<config />
<shell />
<patch />
<unresolved-external />
</fileList>
<!-- securedTargetTypeInfo: Contains source type and trail information-->
<securedTargetTypeInfo name="csv_file_secured_target" />
<!-- trailType: contains trail type, location , classname for
source type testSource -->
<trailInfo>
<trailType>DIRECTORY</trailType>
<className name="oracle.av.platform.agent.collfwk.ezcollector.csv.GenericCSVFileCollectorFactory" />
</trailInfo>
</extensionPoint>
</extensionSet>
</plugin>
C.5 JSON REST Collection Plug-in Example
Learn about the JSON REST plug-in mapper file and plug-in manifest file attributes and fields for Oracle Audit Vault and Database Firewall.
C.5.1 JSON REST Collection Plug-In Mapper File
See a JSON REST template collector file example, and find out about the attributes and fields used with JSON file collection in Oracle Audit Vault and Database Firewall.
There are both mandatory attributes and fields, and fields that are not mandatory, but that can cause your audit records to be treated as invalid.
Mandatory Attributes and Fields for JSON REST Collection Plug-In Mapper Files
-
securedTargetType -
maxSecuredTargetVersion -
version -
HeaderInfo -
RecordInfo -
EventTimeUTC -
CommandClasstransformations -
EventStatustransformations -
MarkerField -
QueryFormat -
TimeFormat -
NextLinkStartTag -
NextLinkPattern -
RESTAuthentication -
BasicAuth
Standard Fields for JSON REST Collection Plug-In Mapper Files
Source names that map to these Oracle Audit Vault Server fields are not mandatory. However, if the information specified by these fields is not provided, then when data collection starts, all audit records are treated as invalid:
-
UserName -
CommandClass
Example C-9 Sample JSON REST Collection Plug-in Mapper File
<?xml version="1.0" encoding="UTF-8"?>
<AVJSONCollectorTemplate securedTargetType="JSONSOURCE" maxSecuredTargetVersion="11.0" version="1.0">
<!--Example Template for JSON template collector-->
<!-- Attributes: "securedTargetType", "maxSecuredTargetVersion" and
"version" are mandatory attributes, "minSecuredTargetVersion"
attribute is optional -->
<!-- Accepted Format for min/maxSecuredTargetVersion and version
attribute value is numbers separated by dots (For example:
12.2,10.3.2, 11.2.3.0 etc..)-->
<!-- REST url corresponding to the the specific audit trail -->
<ResourceName>/audit_events/get_events/</ResourceName>
<!-- Header Information like JSON Header start tag -->
<HeaderInfo>
<!-- Mandatory: HeaderInfo-->
<!-- Value in this tag gives Root tag of the JSON audit file-->
<StartTag>ITEMS</StartTag>
</HeaderInfo>
<!-- Record Information like Record Start tag and conformation to hold
original record -->
<RecordInfo>
<!-- Mandatory: RecordInfo -->
<!-- Provides starting tag of audit record in JSON audit file -->
<StartTag>SESSION_ID</StartTag>
</RecordInfo>
<!-- Details of the REST Service -->
<ServiceDetails>
<!-- Query format for providing the start time and end time query parameters -->
<QueryFormat>{startTime}/{endTime}</QueryFormat>
<!-- Timestamp format for start time and end time -->
<TimeFormat>yyyy-MM-dd hh:mm:ss.SSS</TimeFormat>
<NextLink>
<!-- Next link start tag -->
<NextLinkStartTag>next</NextLinkStartTag>
<!-- Next link pattern -->
<NextLinkPattern>$.next.$ref</NextLinkPattern>
</NextLink>
<!-- Authentication mechanism for REST Service -->
<RESTAuthentication>
<!-- Username and password based Basic Authentication -->
<BasicAuth/>
</RESTAuthentication>
</ServiceDetails>
<!-- Gives Mapping Information of Source Fields to various AV Fields
(core and large fields) -->
<!-- Not Allowed: many-to-one mapping from source field to
AV Server fields -->
<FieldMappingInfo>
<!-- Mapping of Source Fields to Core Fields of AV server
Source fields specified in core field mappings must be of SQL
Datatype: String OR convertible to String -->
<CoreFields>
<Map>
<Name>$.EVENT_TIME</Name>
<MapTo>EventTimeUTC</MapTo>
<TimestampPattern>yyyy-MM-dd HH:mm:ss.SSS</TimestampPattern>
</Map>
<Map>
<!-- If UserName core field mapping is not provided, Audit Data
Collection still starts successfully, but every audit record
will be treated as invalid -->
<Name>$.USER_ID</Name>
<MapTo>UserName</MapTo>
</Map>
<Map>
<Name>$.OS_USER_ID</Name>
<MapTo>OSUserName</MapTo>
</Map>
<Map>
<!-- If source name, the ACTION field, for CommandClass
core field mapping is not provided, Audit Data Collection
still starts successfully, but all audit records are treated
as invalid -->
<Name>$.ACTION</Name>
<MapTo>CommandClass</MapTo>
<!-- Mandatory: value transformations from source to Action
field value. Value of "to" Attribute is from AV Event set -->
<Transformation>
<ValueTransformation from="1" to="CREATE" />
<ValueTransformation from="2" to="INSERT" />
<ValueTransformation from="3" to="SELECT" />
<ValueTransformation from="4" to="CREATE" />
<ValueTransformation from="15" to="READ" />
<ValueTransformation from="30" to="LOGON" />
<ValueTransformation from="34" to="LOGOFF" />
<ValueTransformation from="35" to="ACQUIRE" />
</Transformation>
</Map>
<Map>
<Name>$.OBJ_NAME</Name>
<MapTo>TargetObject</MapTo>
</Map>
<Map>
<Name>$.USER_HOST</Name>
<MapTo>ClientHostName</MapTo>
</Map>
<Map>
<Name>$.OBJ_CREATOR</Name>
<MapTo>TargetOwner</MapTo>
</Map>
<Map>
<Name>$.STATUS</Name>
<MapTo>EventStatus</MapTo>
<!-- Specifying value transformation for Status source field value.
Mandatory: EventStatus value transformation.
There are three possible values for EventStatus:
SUCCESS, FAILURE, UNKNOWN -->
<Transformation>
<ValueTransformation from="0" to="FAILURE" />
<ValueTransformation from="1" to="SUCCESS" />
<ValueTransformation from="2" to="UNKNOWN" />
</Transformation>
</Map>
</CoreFields>
<!-- Mapping of Source Fields to Large Fields of AV server i.e fields
with huge content -->
<!-- Source fields specified in large field mappings must be of SQL
Datatype:CLOB OR SQL Datatype:String OR convertible to String -->
<LargeFields>
<Map>
<Name>$.SQL_TEXT</Name>
<MapTo>CommandText</MapTo>
</Map>
<Map>
<Name>$.COMMAND_PARAMETER</Name>
<MapTo>CommandParam</MapTo>
</Map>
</LargeFields>
<!-- These Source fields will be collected in a single extension
field, all name-value pairs are separated by standard delimiter -->
<!-- Source fields specified in extension field mapping must be of
SQL Datatype:String OR convertible to String -->
<ExtensionField>
<Name>$.DB_ID</Name>
<Name>$.INSTANCE</Name>
<Name>$.PROCESS</Name>
<Name>$.TERMINAL</Name>
</ExtensionField>
<!-- This is group of source fields for uniquely identifying each
Audit Record Marker -->
<!-- Source fields specified to be used as Marker field mapping must
be of SQL Datatype:String OR convertible to String -->
<!-- Mandatory: Source fields for MarkerField -->
<MarkerField>
<Name>$.SESSION_ID</Name>
<Name>$.ENTRY_ID</Name>
</MarkerField>
</FieldMappingInfo>
</AVJSONCollectorTemplate>Related Topics
C.5.2 JSON REST Collection Plug-In Manifest File
See a JSON REST collection plug-in manifest file example used with JSON file collection in Oracle Audit Vault and Database Firewall.
This is a sample manifest file for an JSON REST collection plug-in.
Example C-10 Sample Manifest File for a JSON REST Collection Plug-in
<?xml version="1.0" encoding="UTF-8"?>
<plugin xmlns="http://foobar.example.com/av/plugin" xmlns:xsi="http://foobar.example.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/av/plugin plugin-manifest.xsd" name="Oracle-XML-Template" id="com.oracle.av.plugin" version="1.0" provider-name="Oracle Corp." copyright="Copyright Oracle Corp. 2011">
<!-- targetVersion: Version of Oracle Audit Vault supported by
this plugin. This is represented by the "min" attribute of
targetVersion> tag -->
<targetVersion min="11.1.0.0.0" />
<extensionSet>
<extensionPoint type="securedTargetType">
<!-- fileList: Lists *all* the files that ship with the plugin -->
<fileList>
<jars />
<templates>
<include file="RESTJSONSource-Mapper.xml" />
</templates>
<bin />
<config />
<shell />
<patch />
<unresolved-external />
</fileList>
<!-- securedTargetTypeInfo: Contains source type and trail information-->
<securedTargetTypeInfo name="json_rest_secured_target" />
<!-- trailType: contains trail type, location , classname for
source type testSource -->
<trailInfo>
<trailType>REST</trailType>
<className name="oracle.av.platform.agent.collfwk.ezcollector.json.JSONRESTCollectorFactory" />
</trailInfo>
<!-- eventPatch: OPTIONAL field that indicates any event patches
that need to be applied as part of plugin deployment
The files listed here must be present in the patch
tag entries. The order in which the patches need to
applied can be controlled via the "order" attribute
Patches with lower "order" value will be applied first -->
<eventPatch name="p6753288_11.1.2.0.0_GENERIC.zip" order="2" />
</extensionPoint>
</extensionSet>
</plugin>
C.6 Java-Based Collection Plug-in Example
Learn about the Java plug-in code and Java-based collection plug-in manifest file packages and structure for Oracle Audit Vault and Database Firewall.
C.6.1 Java Collection Plug-in Code
This examples shows a complete Java-based collection plug-in.
This example is the end result of the discussion, "How to Create a Java-Based Collection Plug-in".
Example C-11 SampleEventCollectorFactory.java
package oracle.av.plugin.sample.collector;
import oracle.av.platform.agent.collfwk.AuditEventCollector;
import oracle.av.platform.agent.collfwk.AuditEventCollectorException;
import oracle.av.platform.agent.collfwk.AuditEventCollectorFactory;
import oracle.av.platform.agent.collfwk.CollectorContext;
public class SampleEventCollectorFactory implements AuditEventCollectorFactory {
public AuditEventCollector createAuditCollection(
CollectorContext collectorContext) throws AuditEventCollectorException {
// It simply creates and returns an instance of SampleEventCollector
return new SampleEventCollector();
}
}Example C-12 SampleEventCollector.java
package oracle.av.plugin.sample.collector;
import java.io.Reader;
import java.sql.Clob;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Timestamp;
import java.util.HashMap;
import java.util.Map;
import oracle.av.platform.agent.collfwk.AuditEventCollector;
import oracle.av.platform.agent.collfwk.AuditEventCollectorException;
import oracle.av.platform.agent.collfwk.AuditService;
import oracle.av.platform.agent.collfwk.CollectorContext;
import oracle.av.platform.agent.collfwk.SetAttributeException;
import oracle.av.platform.common.ErrorCodes;
import oracle.av.platform.common.dao.ConnectionManager;
import oracle.av.platform.common.dao.ConnectionManagerImpl;
import oracle.av.platform.common.exception.AuditException;
import oracle.av.platform.common.util.AVLogger;
/**
* This collector collects events from AUD table and sends them to Collection
* Framework. It connects to the Source database during initialization and uses
* the same connection till close() is called. It maintains one ResultSet
* containing events. Once the ResultSet gets exhausted, the Collector sets a
* checkpoint and creates another ResultSet.
*
* @author myellu
*
*/
public class SampleEventCollector extends AuditEventCollector {
// The delay used when querying events.
private static final long DELAY = 5 * 1000;
private static final Map<Integer, String> eventNameMap =
new HashMap<Integer, String>();
static {
eventNameMap.put(1, "CREATE");
eventNameMap.put(2, "INSERT");
eventNameMap.put(3, "SELECT");
eventNameMap.put(4, "CREATE");
eventNameMap.put(15, "ALTER");
eventNameMap.put(30, "AUDIT");
eventNameMap.put(34, "CREATE");
eventNameMap.put(35, "ALTER");
eventNameMap.put(51, "CREATE");
eventNameMap.put(52, "CREATE");
}
// This map contains mapping from the source event ids to Audit Vault target
// types.
private static final Map<Integer, String> targetTypeMap = new HashMap<Integer,
String>();
static {
targetTypeMap.put(1, "TABLE");
targetTypeMap.put(2, "TABLE");
targetTypeMap.put(3, "TABLE");
targetTypeMap.put(4, "CLUSTER");
targetTypeMap.put(15, "TABLE");
targetTypeMap.put(30, "OBJECT");
targetTypeMap.put(34, "DATABASE");
targetTypeMap.put(35, "DATABASE");
targetTypeMap.put(51, "USER");
targetTypeMap.put(52, "ROLE");
}
// This map contains mapping from the source event ids to Source Event Names.
// This is necessary since source event ids do not describe the Source Event.
private static final Map<Integer, String> sourceEventMap = new HashMap<Integer,
String>();
static {
targetTypeMap.put(1, "OBJECT:CREATED:TABLE");
targetTypeMap.put(2, "INSERT INTO TABLE");
targetTypeMap.put(3, "SELECT FROM TABLE");
targetTypeMap.put(4, "OBJECT:CREATED:TABLE");
targetTypeMap.put(15, "OBJECT:ALTERED:TABLE");
targetTypeMap.put(30, "AUDIT OBJECT");
targetTypeMap.put(34, "OBJECT:CREATED:DATABASE");
targetTypeMap.put(35, "OBJECT:ALTERED:DATABASE");
targetTypeMap.put(51, "OBJECT:CREATED:USER");
targetTypeMap.put(52, "OBJECT:CREATED:ROLE");
}
// holds a connection to the Source database.
private ConnectionManager m_connectionManager;
// Connection to the Source.
private Connection m_connection;
// PreparedStatement used to get ResultSet.
private PreparedStatement m_preparedStatement;
// holds the ResultSet containing records.
private ResultSet m_resultSet;
// AuditService will be used to set checkpoint.
private AuditService m_auditService;
// previous checkpoint set.
private Timestamp m_previousCheckpoint;
// next checkpoint to be set.
private Timestamp m_nextCheckpoint;
private AVLogger m_logger;
// The CollectorContext received from the Collection Framework.
private CollectorContext m_collectorContext;
private long m_timeZoneOffset;
/**
* It connects to the database using the credentials and Connection String
* from the CollectorContext.
*
* @throws AuditEventCollectorException
*/
private void connectToSource() throws AuditEventCollectorException {
m_logger.logDebugMethodEntered();
// Get connection information from collector context.
String user = m_collectorContext.getSecuredTargetUser();
String password = new String(m_collectorContext.getSecuredTargetPassword());
String connectionString = m_collectorContext.getSecuredTargetLocation();
// Create a ConnectionManager object.
try {
m_connectionManager = new ConnectionManagerImpl(connectionString,
user, password.toCharArray());
m_connection = m_connectionManager.getConnection();
} catch (AuditException ex) {
throw new AuditEventCollectorException(
ErrorCodes.FAILED_CONNECT_TO_SOURCE,
new Object[] { connectionString }, ex);
}
m_logger.logDebugMethodExited();
}
/**
* converts the timone offset specified in String to a number of
* milliseconds.
*
*/
private long getTimeZoneOffsetInMs(String offset) {
if (offset == null)
return 0;
long timeZoneOffset;
/** process offset to get value in milliseconds */
int hour = Integer.parseInt(offset.substring(1, 3));
int min = Integer.parseInt(offset.substring(4, 6));
timeZoneOffset = (hour * 60 * 60 + min * 60) * 1000;
if (offset.charAt(0) == '-')
timeZoneOffset *= -1;
return timeZoneOffset;
}
/**
* Initializes the Collector with the values from CollectorContext. It also
* connects to the database.
*/
public void initializeCollector(CollectorContext collectorContext)
throws AuditEventCollectorException {
m_collectorContext = collectorContext;
m_auditService = m_collectorContext.getAuditService();
m_previousCheckpoint = m_collectorContext.getCheckpoint();
m_logger = m_collectorContext.getLogger();
// Get the timone offset for the Source.
String offset = m_collectorContext.getAttribute("TimeZoneOffset");
if (offset != null) {
m_timeZoneOffset = getTimeZoneOffsetInMs(offset);
}
connectToSource();
fetchEvents();
}
/**
* Queries the Source to get audit events that occurred from previous
* checkpoint to the current time. Apart from during the initialization, this
* method should be called only when ResultSet is exhausted. There are two
* reasons for this. <br>
* 1. This method will set the checkpoint. Checkpoint should only be set when
* the ResultSet is exhausted as the results with in the ResultSet can be in
* random order.<br>
* 2. This method will create a new ResultSet. Hence the contents of the old
* ResultSet will be inaccessible after this function is called.
*
* @throws AuditEventCollectorException
*/
private void fetchEvents() throws AuditEventCollectorException {
m_logger.logDebugMethodEntered();
if (m_nextCheckpoint != null) {
m_auditService.setCheckpoint(m_nextCheckpoint);
m_previousCheckpoint = m_nextCheckpoint;
}
// It is not good to hold on to the Connection for long. As this is the
// only place we can release the connection, we release and reacquire the
// connection.
try {
if (m_connection != null) {
m_connectionManager.releaseConnection(m_connection);
}
} catch (AuditException ex) {
throw new AuditEventCollectorException(
ErrorCodes.FAILED_TO_RELEASE_CONNECTION_TO_DB, null, ex);
}
try {
m_connection = m_connectionManager.getConnection();
} catch (AuditException ex) {
throw new AuditEventCollectorException(
ErrorCodes.FAILED_TO_GET_CONNECTION_TO_DB, null, ex);
}
// Now we need to aim for the next checkpoint. We will query for all
// events from previous checkpoint to the next checkpoint. So we want to
// make sure that all the events with event time lesser than the next
// checkpoint are already available in the table. However, the events
// might take a small amount of time before they are present in the table.
// Hence the next checkpoint we aim will be current time minus delta time.
m_nextCheckpoint = new Timestamp(System.currentTimeMillis() - DELAY);
String query = null;
try {
if (m_previousCheckpoint == null) {
query = "select * from AUD where EVENT_TIME <= ?";
m_preparedStatement = m_connection.prepareStatement(query);
m_preparedStatement.setTimestamp(1, m_nextCheckpoint);
} else {
query = "select * from AUD where EVENT_TIME > ? and EVENT_TIME <= ?";
m_preparedStatement = m_connection.prepareStatement(query);
m_preparedStatement.setTimestamp(1, m_previousCheckpoint);
m_preparedStatement.setTimestamp(2, m_nextCheckpoint);
}
m_resultSet = m_preparedStatement.executeQuery();
} catch (SQLException ex) {
throw new AuditEventCollectorException(
ErrorCodes.ERROR_GETTING_DATA_FROM_SOURCE,
new Object[] { query }, ex);
}
m_logger.logDebugMethodExited();
}
/**
* If the result set is not exhausted this will return true. If it has
* exhausted, it will query to get the events till the current time. If it
* could get any events, it will return true, false otherwise.
*/
public boolean hasNext() throws AuditEventCollectorException {
boolean hasMore;
try {
if(m_resultSet == null) {
fetchEvents();
return m_resultSet.next();
}
hasMore = m_resultSet.next();
if (!hasMore) {
fetchEvents();
hasMore = m_resultSet.next();
}
} catch (SQLException ex) {
throw new AuditEventCollectorException(
ErrorCodes.ERROR_GETTING_DATA_FROM_SOURCE, null, ex);
}
return hasMore;
}
// All the getter methods make use of the ResultSet get methods and return
// the value appropriately.
public String getUserName() throws AuditEventCollectorException {
try {
return m_resultSet.getString("USER_ID");
} catch (SQLException ex) {
throw new AuditEventCollectorException(
ErrorCodes.ERROR_GETTING_DATA_FROM_SOURCE, null, ex);
}
}
public String getOSUserName() throws AuditEventCollectorException {
try {
return m_resultSet.getString("OS_USER_ID");
} catch (SQLException ex) {
throw new AuditEventCollectorException(
ErrorCodes.ERROR_GETTING_DATA_FROM_SOURCE, null, ex);
}
}
public String getCommandClass() throws AuditEventCollectorException {
try {
int eventId = m_resultSet.getInt("ACTION");
return eventNameMap.get(eventId);
} catch (SQLException ex) {
throw new AuditEventCollectorException(
ErrorCodes.ERROR_GETTING_DATA_FROM_SOURCE, null, ex);
}
}
public String getEventName() throws AuditEventCollectorException {
try {
int eventId = m_resultSet.getInt("ACTION");
return sourceEventMap.get(eventId);
} catch (SQLException ex) {
throw new AuditEventCollectorException(
ErrorCodes.ERROR_GETTING_DATA_FROM_SOURCE, null, ex);
}
}
public EventStatus getEventStatus() throws AuditEventCollectorException {
try {
int status = m_resultSet.getInt("STATUS");
if (status == 1) {
return EventStatus.SUCCESS;
} else if (status == 0) {
return EventStatus.FAILURE;
} else {
return EventStatus.UNKNOWN;
}
} catch (SQLException ex) {
throw new AuditEventCollectorException(
ErrorCodes.ERROR_GETTING_DATA_FROM_SOURCE, null, ex);
}
}
public Timestamp getEventTimeUTC() throws AuditEventCollectorException {
try {
Timestamp eventTime = m_resultSet.getTimestamp("EVENT_TIME");
// As the method name suggests, the timestamp must be returned only in
// UTC timone.
return new Timestamp(eventTime.getTime() - m_timeZoneOffset);
} catch (SQLException ex) {
throw new AuditEventCollectorException( ErrorCodes.ERROR_GETTING_DATA_FROM_SOURCE, null, ex);
}
}
public String getErrorMessage() throws AuditEventCollectorException {
// There is no corresponding field for ErrorMessage. Hence we
// return NULL always.
return null;
}
public String getErrorId() throws AuditEventCollectorException {
// There is no corresponding field for ErrorId. Hence we
// return NULL always.
return null;
}
public String getTargetObject() throws AuditEventCollectorException {
try {
return m_resultSet.getString("OBJ_NAME");
} catch (SQLException ex) {
throw new AuditEventCollectorException( ErrorCodes.ERROR_GETTING_DATA_FROM_SOURCE, null, ex);
}
}
public String getTargetType() throws AuditEventCollectorException {
try {
int eventId = m_resultSet.getInt("ACTION");
return targetTypeMap.get(eventId);
} catch (SQLException ex) {
throw new AuditEventCollectorException(
ErrorCodes.ERROR_GETTING_DATA_FROM_SOURCE, null, ex);
}
}
public String getTargetOwner() throws AuditEventCollectorException {
try {
return m_resultSet.getString("OBJ_CREATOR");
} catch (SQLException ex) {
throw new AuditEventCollectorException(
ErrorCodes.ERROR_GETTING_DATA_FROM_SOURCE, null, ex);
}
}
public String getClientHostName() throws AuditEventCollectorException {
try {
return m_resultSet.getString("USER_HOST");
} catch (SQLException ex) {
throw new AuditEventCollectorException(
ErrorCodes.ERROR_GETTING_DATA_FROM_SOURCE, null, ex);
}
}
public String getClientIP() throws AuditEventCollectorException {
// There is no corresponding field for IP address. Hence we
// return NULL always.
return null;
}
public String getExtension() throws AuditEventCollectorException {
try {
StringBuilder sb = new StringBuilder();
// Here we will put those fields which are not sent in other getter
// methods.
sb.append("DB_ID=" + m_resultSet.getString("DB_ID") + ";");
sb.append("INSTANCE=" + m_resultSet.getString("INSTANCE") + ";");
sb.append("PROCESS=" + m_resultSet.getString("PROCESS"));
return sb.toString();
} catch (SQLException ex) {
throw new AuditEventCollectorException(
ErrorCodes.ERROR_GETTING_DATA_FROM_SOURCE, null, ex);
}
}
public Reader getCommandText() throws AuditEventCollectorException {
try {
// Clobs and the Readers contained in the Clobs are alive only
// as long as the Connection to the Source is alive. So if the Source
// Connection is closed, Collection Framework will fail when it tries
// to send the events to AV Server. If there is any need to close and
// recreate a connection that should be done immediately after setting
// the checkpoint. Setting the checkpoint causes the Collection
// Framework to flush all the events it is holding. So immediately
// after setting the checkpoint, we are sure that the Framework is not
// holding any events.
Clob clob = m_resultSet.getClob("SQL_TEXT");
return clob.getCharacterStream();
} catch (SQLException ex) {
throw new AuditEventCollectorException(
ErrorCodes.ERROR_GETTING_DATA_FROM_SOURCE, null, ex);
}
}
public Reader getCommandParam() throws AuditEventCollectorException {
try {
Clob clob = m_resultSet.getClob("SQL_BIND");
return clob.getCharacterStream();
} catch (SQLException ex) {
throw new AuditEventCollectorException(
ErrorCodes.ERROR_GETTING_DATA_FROM_SOURCE, null, ex);
}
}
public String getMarker() throws AuditEventCollectorException {
// ENTRY_ID will identify an audit event uniquely with in a session. Hence
// ENTRY_ID along with SESSION_ID will uniquely identify an audit event
// across sessions.
try {
return m_resultSet.getString("SESSION_ID") + ":"
+ m_resultSet.getString("ENTRY_ID");
} catch (SQLException ex) {
throw new AuditEventCollectorException(
ErrorCodes.ERROR_GETTING_DATA_FROM_SOURCE, null, ex);
}
}
public void setAttribute(String name, String value)
throws SetAttributeException {
if (name.equalsIgnoreCase("TimeZoneOffset")) {
m_timeZoneOffset = getTimeZoneOffsetInMs(value);
} else {
throw new SetAttributeException(ErrorCodes.INVALID_ATTRIBUTE_NAME,
new Object[] { name, value }, null);
}
}
public void close() {
try {
if (m_resultSet != null) {
m_resultSet.close();
m_resultSet = null;
}
if (m_connectionManager != null) {
m_connectionManager.destroy();
m_connectionManager = null;
}
m_previousCheckpoint = null;
m_nextCheckpoint = null;
m_logger = null;
} catch (SQLException ex) {
m_logger.logError("SampleEventCollector", "close",
"SQLException occurred. ", ex);
} catch (AuditException ex) {
m_logger.logError("SampleEventCollector", "close",
"AuditException occurred. ", ex);
}
}
}C.6.2 Java Based Collection Plug-in Manifest File
See how to set up a Java-based collection plug-in for Oracle Audit Vault and Database Firewall.
This is a sample manifest file for a Java-based collection.
Example C-13 Java-Based Manifest File
<?xml version="1.0"?>
<plugin xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.oracle.com/av/plugin plugin-manifest.xsd"
xmlns="http://xmlns.oracle.com/av/plugin"
name="Sample Plugin"
id="com.oracle.av.plugin.sample"
version="12.1.0.0.0"
provider-name="Oracle Corp."
copyright="Copyright Oracle Corp. 2011">
<!-- targetVersion: Version of Oracle Audit Vault supported by
this plugin. This is represented by the "min" attribute of
targetVersion> tag -->
<targetVersion min="12.1.0.0.0"/>
<extensionSet>
<extensionPoint type= "securedTargetType">
<!-- fileList: Lists *all* the files that ship with the plugin -->
<fileList>
<jars>
<include file="samplecollector.jar"/>
<!-- All your collector Java jar binaries go here -->
</jars>
<templates>
<bin>
<!-- All your collector native binaries go here -->
</bin>
<config>
<!-- Any configuration information (such as .properites files)
go here -->
</config>
<shell>
<!-- Any shell scripts that your collector relies on go here -->
</shell>
<patch>
<!-- Oracle provided patches go here -->
</patch>
<unresolved-external>
<!-- Any files belonging to the unresolved-external category here -->
</unresolved-external>
</fileList>
<!-- securedTargetTypeInfo: Contains source type and trail information
-->
<securedTargetTypeInfo name="Sample"/>
<!-- trailType: contains trail type, location , classname for
source type testSource -->
<trailInfo>
<trailType>TABLE</trailType>
<className name="oracle.av.plugin.sample.collector.SampleEventCollectorFactory" />
</trailInfo >
</extensionPoint>
</extensionSet>
</plugin>