4 changes: 2 additions & 2 deletions filter-plugin/logstash-filter-oua-guardium/Makefile
@@ -1,5 +1,5 @@
logstash_dir=/home/marockar/oua_uc/logstash-7.5.2
java_home_dir=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.322.b06-2.el8_5.x86_64
logstash_dir=${HOME}/tools/logstash_8.13.4
java_home_dir=/Library/Java/JavaVirtualMachines/ibm-jdk-8//Contents/Home/
version=$(shell cat VERSION)

all: jar gem
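Review bot: Both new assignments hard-code one developer's machine layout, `${HOME}/tools/logstash_8.13.4` and a macOS-only IBM JDK path with a doubled slash (`ibm-jdk-8//Contents/Home/`), so the committed build breaks for anyone on another host or OS. Make them overridable defaults instead, e.g. `logstash_dir?=${HOME}/tools/logstash_8.13.4` and `java_home_dir?=$(JAVA_HOME)`, so CI and other contributors can pass their own values without editing the file. The remainder of the Makefile lies outside the hunk.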

This file was deleted.

@@ -0,0 +1,216 @@
#/*
#Copyright 2023-24 IBM Inc. - All Rights Reserved.
#SPDX-License-Identifier: Apache-2.0
#*/

input{
cloudwatch_logs {
#Mandatory arguments:
#Insert the log group that is created for the data instance for example, /aws/rds/instance/<instance_name>/postgresql
log_group => ["<LOG_GROUP>"]
#Insert the access key and secret that has access to log group
access_key_id => "***"
secret_access_key => "***"
region => "us-east-1" #Region that has the DB, Default value: us-east-1
start_position => "end"
interval => 5
event_filter => ""
type => "Oua"
add_field => {"account_id" => "<ACCOUNT_ID>"}
#Unmask is an optional parameter. To get unmasked logs, you need to set unmask = true.
#unmask => true
}
}


filter {
if [type] == "Oua" {

xml {
source => "message"
store_xml => false
xpath => [
"/AuditRecord/Audit_Type/text()", "Audit_Type",
"/AuditRecord/Session_Id/text()", "Session_Id",
"/AuditRecord/StatementId/text()", "StatementId",
"/AuditRecord/EntryId/text()", "EntryId",
"/AuditRecord/Extended_Timestamp/text()", "Extended_Timestamp", #thisisTimeStamp
"/AuditRecord/DB_User/text()", "DB_User", #this is DBUser
"/AuditRecord/OS_User/text()", "OS_User",
"/AuditRecord/Userhost/text()", "Userhost", #this is clienIP or clientHostname
"/AuditRecord/OS_Process/text()", "OS_Process",
"/AuditRecord/Instance_Number/text()", "Instance_Number",
"/AuditRecord/Object_Schema/text()", "Object_Schema", #this is databaseName
"/AuditRecord/Object_Name/text()", "Object_Name", #this is tableName
"/AuditRecord/Action/text()", "Action",
"/AuditRecord/Returncode/text()", "Returncode",
"/AuditRecord/Comment_Text/text()", "Comment_text", #this is to captureloginfailed.
"/AuditRecord/Scn/text()", "Scn",
"/AuditRecord/DBID/text()", "DBID",
"/AuditRecord/Current_User/text()", "Current_User",
"/AuditRecord/Sql_Bind/text()", "Sql_Bind",
"/AuditRecord/Sql_Text/text()", "Sql_Text"
]
}
mutate {
add_field => { "Check_DB_User" => "%{DB_User}" }
add_field => { "Check_Sql_Text" => "%{Sql_Text}" }
add_field => { "Check_Comment_text" => "%{Comment_text}" }
}


if [Check_DB_User] == "RDSADMIN" or [Check_DB_User] == "SYS"
or [Check_DB_User] == "/" or [Sql_Text] == "" or [Sql_Text] == "/" or (![Comment_text] and ![Sql_Text])
{
drop {}
}

# Clean up Sql_Text
mutate {
gsub => [
"Sql_Text", ":\\\"SYS_B_([0-9]+)\\\"", ":\"SYS_B_\\1\""
]
}

# Clean up Sql_Bind
grok {
match => { "Sql_Bind" => "^ #1\(1\):: %{GREEDYDATA:cleaned_sql_bind}" }
}
mutate {
replace => { "Sql_Bind" => "%{cleaned_sql_bind}" }
}

mutate { add_field => { "log_group" => "%{[cloudwatch_logs][log_group]}" } }

grok { match => { "log_group" => "(?<data11>[^\/]*)\/(?<data12>[^\/]*)\/(?<data13>[^\/]*)\/(?<data14>[^\/]*)\/(?<instance>[^\/]*)\/(?<data15>[^\/]*)" } }


#Build GuardRecord

mutate {
add_field =>
{
"[GuardRecord][accessor][serverHostName]" => "%{account_id}_%{instance}"
"[GuardRecord][accessor][dbProtocol]" => "ORACLE"
"[GuardRecord][accessor][dataType]" => "TEXT"
"[GuardRecord][accessor][language]" => "ORACLE"
"[GuardRecord][accessor][serverType]" => "Oracle"
"[GuardRecord][dbName]" => "NA"
"[GuardRecord][time][minOffsetFromGMT]" => "0"
"[GuardRecord][time][minDst]" => "0"
"[GuardRecord][sessionLocator][clientPort]" => "-1"
"[GuardRecord][sessionLocator][serverIp]" => "0.0.0.0"
"[GuardRecord][sessionLocator][isIpv6]" => "false"
"[GuardRecord][sessionLocator][serverPort]" => "-1"
"[GuardRecord][accessor][dbUser]" => "NA"
"[GuardRecord][accessor][dbProtocolVersion]" => ""
"[GuardRecord][accessor][clientMac]" => ""
"[GuardRecord][accessor][serverOs]" => ""
"[GuardRecord][accessor][clientOs]" => ""
"[GuardRecord][accessor][osUser]" => ""
"[GuardRecord][appUserName]" => ""

}
}

ruby { code => 'event.set("[GuardRecord][sessionLocator][clientIpv6]", nil)' }
ruby { code => 'event.set("[GuardRecord][sessionLocator][serverIpv6]", nil)' }

mutate {
add_field => { "check_action_code" => "%{Action}" }
add_field => { "check_return_code" => "%{Returncode}" }

}


if [check_return_code] != "0"
{
if [check_action_code] == "12"
{
mutate { add_field => { "[GuardRecord][exception][exceptionTypeId]" => "SQL_ERROR" }}
mutate { replace => { "[GuardRecord][exception][sqlString]" => "%{Sql_Text}" }}
mutate { replace => { "[GuardRecord][exception][description]" => "SQL_ERROR" }}
ruby { code => 'event.set("[GuardRecord][data]", nil)' }

}
else
{
mutate { add_field => { "[GuardRecord][exception][exceptionTypeId]" => "LOGIN_FAILED" }}
mutate { replace => { "[GuardRecord][exception][sqlString]" => "%{Comment_text}" }}
mutate { replace => { "[GuardRecord][exception][description]" => "LOGIN_FAILED" }}
ruby { code => 'event.set("[GuardRecord][data]", nil)' }
}
}
else
{
ruby { code => 'event.set("[GuardRecord][data][construct]", nil)' }
mutate { add_field => { "[GuardRecord][data][originalSqlCommand]" => "%{Sql_Text}" }}
ruby { code => 'event.set("[GuardRecord][exception]", nil)' }

}


if [Session_Id]{
mutate { add_field => { "[GuardRecord][sessionId]" => "%{Session_Id}" }}
}

if [Object_Schema]{
mutate { replace => { "[GuardRecord][dbName]" => "%{account_id}:%{instance}:%{Object_Schema}" }}
mutate { replace => { "[GuardRecord][accessor][serviceName]" => "%{account_id}:%{instance}:%{Object_Schema}" }}

}
if[DB_User]
{
mutate { replace => { "[GuardRecord][accessor][dbUser]" => "%{DB_User}" }}
}


if [Userhost] {
mutate {
add_field => { "[GuardRecord][accessor][clientHostName]" => "NA" }
add_field => { "[GuardRecord][sessionLocator][clientIp]" => "0.0.0.0" }
}
grok {
match => { "Userhost" => "(?:%{WORD}[-_])?(?:%{IP:myclientIp}|%{HOSTNAME:myclientHostName})" }
}
if [myclientHostName] {
mutate {
replace => { "[GuardRecord][accessor][clientHostName]" => "%{myclientHostName}" }
}
} else {
mutate {
replace => { "[GuardRecord][sessionLocator][clientIp]" => "%{myclientIp}" }
}
}
}

# Date conversion
if [Extended_Timestamp] {
date {
match => ["[Extended_Timestamp][0]", "ISO8601"]
target => "new_timeStamp"
}
ruby {
code => '
if event.get("[new_timeStamp]")
event.set("[GuardRecord][time][timestamp]", event.get("[new_timeStamp]").time.to_i * 1000)
else
event.tag("timestamp_missing_error")
end
'
}
}


# Remove unnecessary fields
prune {
whitelist_names => [ "GuardRecord"]
}
mutate {
convert => { "[GuardRcecord]" => "string" }
}
json_encode {
source => "[GuardRecord]"
}
}
}
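Review bot: The input template puts the AWS credentials inline (`access_key_id => "***"` / `secret_access_key => "***"`), which steers users toward committing long-lived keys in plaintext in a pipeline file; prefer Logstash keystore references such as `access_key_id => "${AWS_ACCESS_KEY_ID}"` and `secret_access_key => "${AWS_SECRET_ACCESS_KEY}"`, or omit both so the plugin can use a role/instance credential chain if the cloudwatch_logs input supports that in this version. Separately, `convert => { "[GuardRcecord]" => "string" }` misspells the field name, so that mutate is a no-op on a non-existent field; it should read `[GuardRecord]` or be dropped, since `json_encode` runs right after it. The `replace => { "Sql_Bind" => "%{cleaned_sql_bind}" }` step runs even when the preceding grok does not match, leaving the literal text `%{cleaned_sql_bind}` in the forwarded record; guard it with `if [cleaned_sql_bind] { ... }` as the Userhost branch already does for `myclientHostName`. Note also that the early `drop {}` discards every record where the DB user is `SYS`, so privileged DBA activity never reaches Guardium; either add a comment stating this is intentional or narrow the filter to the `RDSADMIN` automation user.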