x-pack/filebeat/module/oracle - Added authentication messages parsing (…

…#35127)
elastic · Jun 1, 2023 · 83a6b92 · 83a6b92
1 parent 04f54b3
commit 83a6b92
Show file tree

Hide file tree

Showing 27 changed files with 2,099 additions and 2 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -264,6 +264,7 @@ automatic splitting at root level, if root level element is an array. {pull}3415
 - Add nginx ingress_controller parsing if one of upstreams fails to return response {pull}34787[34787]
 - Allow neflow v9 and ipfix templates to be shared between source addresses. {pull}35036[35036]
 - Add support for collecting IPv6 metrics. {pull}35123[35123]
+- Add oracle authentication messages parsing {pull}35127[35127]
 
 *Auditbeat*
    - Migration of system/package module storage from gob encoding to flatbuffer encoding in bolt db. {pull}34817[34817]

diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc
@@ -112476,6 +112476,136 @@ Module for parsing Oracle Database audit logs
 
 
 
+*`oracle.database_audit.priv_used`*::
++
+--
+System privilege used to execute the action.
+
+
+type: integer
+
+--
+
+*`oracle.database_audit.logoff_pread`*::
++
+--
+Physical reads for the session.
+
+
+type: integer
+
+--
+
+*`oracle.database_audit.logoff_lread`*::
++
+--
+Logical reads for the session.
+
+
+type: integer
+
+--
+
+*`oracle.database_audit.logoff_lwrite`*::
++
+--
+Logical writes for the session.
+
+
+type: integer
+
+--
+
+*`oracle.database_audit.logoff_dead`*::
++
+--
+Deadlocks detected during the session.
+
+
+type: integer
+
+--
+
+*`oracle.database_audit.sessioncpu`*::
++
+--
+Amount of CPU time used by each Oracle session.
+
+
+type: integer
+
+--
+
+*`oracle.database_audit.returncode`*::
++
+--
+Oracle error code generated by the action.
+
+
+type: integer
+
+--
+
+*`oracle.database_audit.statement`*::
++
+--
+nth statement in the user session.
+
+
+type: integer
+
+--
+
+*`oracle.database_audit.userid`*::
++
+--
+Name of the user whose actions were audited.
+
+
+type: keyword
+
+--
+
+*`oracle.database_audit.entryid`*::
++
+--
+Numeric ID for each audit trail entry in the session. The entry ID is an index of a session's audit entries that starts at 1 and increases to the number of entries that are written.
+
+
+type: integer
+
+--
+
+*`oracle.database_audit.comment_text`*::
++
+--
+Text comment on the audit trail entry, providing more information about the statement audited.
+
+
+type: text
+
+--
+
+*`oracle.database_audit.os_userid`*::
++
+--
+Operating system login username of the user whose actions were audited.
+
+
+type: keyword
+
+--
+
+*`oracle.database_audit.terminal`*::
++
+--
+Identifier of the user's terminal.
+
+
+type: text
+
+--
+
 *`oracle.database_audit.status`*::
 +
 --

diff --git a/x-pack/filebeat/module/oracle/database_audit/_meta/fields.yml b/x-pack/filebeat/module/oracle/database_audit/_meta/fields.yml
@@ -3,6 +3,71 @@
   description: >
     Module for parsing Oracle Database audit logs
   fields:
+    - name: priv_used
+      type: integer
+      description: >
+        System privilege used to execute the action.
+
+    - name: logoff_pread
+      type: integer
+      description: >
+        Physical reads for the session.
+
+    - name: logoff_lread
+      type: integer
+      description: >
+        Logical reads for the session.
+
+    - name: logoff_lwrite
+      type: integer
+      description: >
+        Logical writes for the session.
+
+    - name: logoff_dead
+      type: integer
+      description: >
+        Deadlocks detected during the session.
+
+    - name: sessioncpu
+      type: integer
+      description: >
+        Amount of CPU time used by each Oracle session.
+
+    - name: returncode
+      type: integer
+      description: >
+        Oracle error code generated by the action.
+
+    - name: statement
+      type: integer
+      description: >
+        nth statement in the user session.
+
+    - name: userid
+      type: keyword
+      description: >
+        Name of the user whose actions were audited.
+
+    - name: entryid
+      type: integer
+      description: >
+        Numeric ID for each audit trail entry in the session. The entry ID is an index of a session's audit entries that starts at 1 and increases to the number of entries that are written.
+
+    - name: comment_text
+      type: text
+      description: >
+        Text comment on the audit trail entry, providing more information about the statement audited.
+
+    - name: os_userid
+      type: keyword
+      description: >
+        Operating system login username of the user whose actions were audited.
+
+    - name: terminal
+      type: text
+      description: >
+        Identifier of the user's terminal.
+
     - name: status
       type: keyword
       description: >