
ArcSight Oracle Flex Connector ID Based Tutorial

  • Writer: Pavan Raja
  • Apr 8, 2025
  • 4 min read

Summary:

This document provides a step-by-step guide to configure an Oracle ID Based Flex Connector for use with ArcSight, enabling the extraction of logs stored in an Oracle Database. The setup process includes installing and verifying the ArcSight Flex Software, configuring the Oracle JDBC connector, creating test environment configurations, and executing sample scripts. Key steps involve setting up query configuration, token configuration, event configuration, and Oracle JDBC connector setup. This guide is intended to assist with integrating Oracle Database logs into ArcSight using the ID Based Flex Connector by providing practical steps necessary for successful integration.

Details:

This document is a detailed tutorial on configuring an Oracle ID Based Flex Connector for ArcSight so that logs stored in an Oracle Database can be extracted. It covers installing the ArcSight Flex software, configuring the Oracle JDBC connector, creating a test environment, and running sample scripts. The setup involves:

1. Installing the ArcSight Flex Connector and verifying its installation directory to ensure it uses the correct Oracle JDBC driver.

2. Configuring the agent properties file, where JDBCDriver is set to `oracle.jdbc.driver.OracleDriver` and the config folder is named ORCL; directory names are case-sensitive, so the case must match.

3. Creating a properties file (ORCL.sdkibdatabase.properties) that describes the table structure and parsing requirements, specifying the version order and ID.

4. Starting from the first event in the database so that data is extracted immediately without waiting for new commits; this line is removed before going into production.

5. Configuring the SDKIBDatabase properties file which, as part of the test environment, uses a query instead of an actual table during setup.

This guide supplements the existing ArcSight documentation with the practical steps needed to integrate Oracle Database logs into ArcSight using the ID Based Flex Connector. The key points of the connector configuration are:

1. **Query Configuration**:

  • A query is configured to select specific fields (`ID_NUM`, `MESSAGE`, `SRC_IP`, `DST_IP`) from the `audit_table` where `ID_NUM` is greater than a specified value, ordered by `ID_NUM`.

  • The field for unique identification (`uniqueid.fields`) is set to `ID_NUM`.

2. **Token Configuration**:

  • Four tokens are defined: `ID_NUM`, `MESSAGE`, `SRC_IP`, and `DST_IP`, each with a specified type (`Numeric`, `String`, `ipaddress`).

3. **Event Configuration**:

  • The event's device severity is set to 'HIGH'.

  • Event details include:

      • **Name**: Oracle Test2

      • **Source Host Name**: USAALTM

      • **File Name**: file2

      • **Device Custom Number 1** (with label IDKEY): Value from `ID_NUM` field.

      • **Device Custom String 1** (with label "Message Label"): Value from `MESSAGE` field.

      • **Device Vendor**: TEST9

      • **Source Address**: From `SRC_IP` field.

      • **Target Address**: From `DST_IP` field.

      • **Target User Name**: Brian Wolff (assumed to be extracted from the data).

  • The event category outcome is set as a failure.
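As an added example (constructed for this page, not the tutorial's own file), here is how the query, token and event configuration from steps 1 to 3 fit together in ORCL.sdkibdatabase.properties. Key names follow the ArcSight FlexConnector SDK convention; `version.order`/`version.id` are assumed to be the "version order and ID" keys mentioned above, and the setting that makes the first run start at the oldest row is not named on the page, so it is left out here.

```properties
# ORCL.sdkibdatabase.properties (constructed example)
# Parser version: assumed to be the "version order and ID" keys from step 3.
version.order=0
version.id=1

# Query: the connector substitutes the last ID_NUM it processed for "?" on
# each poll, so every row is fetched exactly once and in commit order.
query=SELECT ID_NUM, MESSAGE, SRC_IP, DST_IP FROM audit_table WHERE ID_NUM > ? ORDER BY ID_NUM
uniqueid.fields=ID_NUM

# Tokens: one per selected column, in SELECT order.
token.count=4
token[0].name=ID_NUM
token[0].type=Numeric
token[1].name=MESSAGE
token[1].type=String
token[2].name=SRC_IP
token[2].type=IPAddress
token[3].name=DST_IP
token[3].type=IPAddress

# Event mapping: the ArcSight event fields listed in step 3.
event.deviceVendor=__getVendor("TEST9")
event.deviceSeverity=__stringConstant("HIGH")
event.name=__stringConstant("Oracle Test2")
event.sourceHostName=__stringConstant("USAALTM")
event.fileName=__stringConstant("file2")
event.deviceCustomNumber1=ID_NUM
event.deviceCustomNumber1Label=__stringConstant("IDKEY")
event.deviceCustomString1=MESSAGE
event.deviceCustomString1Label=__stringConstant("Message Label")
event.sourceAddress=SRC_IP
event.destinationAddress=DST_IP
event.destinationUserName=__stringConstant("Brian Wolff")
event.categoryOutcome=__stringConstant("/Failure")
```

Because `ID_NUM` is the unique ID, a row that is updated in place is never re-read; the table must only ever receive inserts with increasing IDs for the connector to see every event.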

4. **Oracle JDBC Connector Setup**:

  • Download and install Oracle Instant Client or a higher version from the specified URL based on the database version.

  • Set the environment variable path to include the location of the installed client (e.g., `c:\orcl_instantclient`).

  • Ensure that network authentication settings are correctly configured in `SQLNET.ORA`.

This setup guide is specific to Oracle databases: it sets up a JDBC connection, defines data extraction rules for events based on the audit table, and configures the event details, including custom fields and severity levels. To create the Oracle test environment described, follow these steps:

1. **Set Up Oracle Environment:**

  • Ensure that the necessary services and directory paths are configured correctly.

  • Set `TCP.VALIDNODE_CHECKING` to "NO" in `SQLNET.ORA` if you want to bypass node checking; this is only appropriate for simplicity in a test environment.

  • Add your machine's name to the list of invited nodes using `TCP.INVITED_NODES`.

2. **Create**

The rest of the tutorial is a sequence of SQL commands and comments that populate and inspect the audit table the connector reads from. Each command does the following:

1. **Inserting Values into `audit_table`**:

  • Multiple `INSERT INTO audit_table VALUES` statements are used to add rows with specific values for different fields (like ID, message, source IP, destination IP, and port numbers). These commands populate the table with records that seem to represent network activities or system events.

2. **Commit Command**:

  • The `COMMIT;` command is executed at the end of the sequence of insert operations. This commits all the inserted rows permanently into the database, ensuring that they are saved and will not be rolled back unless a subsequent rollback operation is performed.

3. **SQL Query to View Data**:

  • Several SQL commands are used to format and display the data in `audit_table`. These include setting line size and page size for better readability, formatting specific columns (like message, src_ip, dst_ip), and executing a final select query to retrieve all rows from `audit_table` for viewing.

4. **ArcSight-Related Commands**:

  • The final part of the tutorial runs `arcsight agents`, which starts the Flex Connector so that it polls the audit table and forwards the newly inserted rows to ArcSight as events.

5. **Active Channel and Field Set**:

  • The tutorial then suggests viewing the events in an active channel in ArcSight, selecting a custom field set relevant to the exercise (the field set itself is not detailed here).

In summary, these commands populate the database table with sample audit records via SQL, display them with formatted SQL queries, and then hand the rows to ArcSight through the connector for deeper analysis or visualization.

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If you have any comments or feedback, kindly leave a message and it will be responded to.
