# AQUILA - Oracle Audit Logs Integration

##### This integration is for ingesting Audit Trail logs and fetching performance, tablespace and sysmetric metrics from Oracle Databases.

##### The integration expects an \*.aud audit file that is generated from Oracle Databases by default. If this has been disabled, then please see the [Oracle Database Audit Trail Documentation](https://docs.oracle.com/en/database/oracle/oracle-database/19/dbseg/introduction-to-auditing.html#GUID-8D96829C-9151-4FA4-BED9-831D088F12FF).

#### **Requirements**

##### Connectivity to Oracle can be facilitated in two ways either by using official Oracle libraries or by using a JDBC driver. Facilitation of the connectivity using JDBC is not supported currently with Metricbeat. Connectivity can be facilitated using Oracle libraries and the detailed steps to do the same are mentioned below.

#### **Oracle Database Connection Pre-requisites**

##### To get connected with the Oracle Database ORACLE\_SID, ORACLE\_BASE, ORACLE\_HOME environment variables should be set.

##### For example: Let’s consider Oracle Database 21c installation using RPM manually by following the [Oracle Installation instructions](https://docs.oracle.com/en/database/oracle/oracle-database/21/ladbi/running-rpm-packages-to-install-oracle-database.html). Environment variables should be set as follows: `ORACLE_SID=ORCLCDB` `ORACLE_BASE=/opt/oracle/oradata` `ORACLE_HOME=/opt/oracle/product/21c/dbhome_1` Also, add `$ORACLE_HOME/bin` to the `PATH` environment variable.

#### **Oracle Instant Client**

##### Oracle Instant Client enables development and deployment of applications that connect to Oracle Database. The Instant Client libraries provide the necessary network connectivity and advanced data features to make full use of Oracle Database. If you have OCI Oracle server which comes with these libraries pre-installed, you don't need a separate client installation.

##### The OCI library install few Client Shared Libraries that must be referenced on the machine where Metricbeat is installed. Please follow the [Oracle Client Installation link](https://docs.oracle.com/en/database/oracle/oracle-database/21/lacli/install-instant-client-using-zip.html#GUID-D3DCB4FB-D3CA-4C25-BE48-3A1FB5A22E84) link for OCI Instant Client set up. The OCI Instant Client is available with the Oracle Universal Installer, RPM file or ZIP file. Download links can be found at the [Oracle Instant Client Download page](https://www.oracle.com/database/technologies/instant-client/downloads.html).

##### If Elastic Agent is running as a systemd service and not using `ldconfig` is an option, to update the links to the shared libraries, you can use the `LD_LIBRARY_PATH` environment variable instead. Follow these steps to ensure Elastic Agent and its spawned processes respect the `LD_LIBRARY_PATH` environment variable.

> ##### Prerequisites: Ensure that you have administrative privileges to modify the Elastic Agent systemd service configuration.

##### **Steps:**

1. ##### Check the status of the Elastic Agent systemd service by running the following command: `systemctl status elastic-agent.service` Take note of the path to the elastic-agent.service file, which is typically located in the systemd service directory. Example path: `/etc/systemd/system/elastic-agent.service`
2. ##### Open the elastic-agent.service file in your preferred text editor, find the `EnvironmentFile` key (commonly found at `/etc/sysconfig/elastic-agent`), and verify its contents, as these configurations are essential for the elastic-agent's runtime environment initialization. If the EnvironmentFile is absent, create it and set the necessary permissions to ensure the elastic-agent has full access.
3. ##### Add the LD\_LIBRARY\_PATH environment variable to the configured `EnvironmentFile`. You can set it to the directory where libraries (`libclntsh.so`) are located. For example, if your libraries are in the `/opt/oracle/instantclient_21_1 directory`, add the following line to the `EnvironmentFile` (i.e. `/etc/systemd/system/elastic-agent.service`)
    
    ##### `LD_LIBRARY_PATH=/opt/oracle/instantclient_21_1`
4. ##### Save the changes made to the configured `EnvironmentFile`.
5. ##### Restart the Elastic Agent systemd service to apply the changes by running the following command:
    
    ##### `systemctl restart elastic-agent.service`
    
    ##### Ensure that you replace `/opt/oracle/instantclient_21_1` with the actual path to the directory where the required libraries (`libclntsh.so`) are located. This will set the library search path for the Elastic Agent service to include the specified directory, allowing it to locate the required libraries.
    
    ##### \* Please take note of the **Path** since we will need it later for the integration part.

#### **Enable Listener**

##### The Oracle listener is a service that runs on the database host and receives requests from Oracle clients. Make sure that [Listener](https://docs.oracle.com/cd/B19306%5F01/network.102/b14213/lsnrctl.htm) is be running. To check if the listener is running or not, run:

##### `lsnrctl STATUS`

##### If the listener is not running, use the command to start:

##### `lsnrctl START`

##### Then, Metricbeat can be launched.

#### **Oracle DSN Configuration**

##### The following two configuration formats are supported:

```
oracle://<user>:<password>@<connection_string>
user="<user>" password="<password>" connectString="<connection_string>" sysdba=<true|false>

```

<div class="highlight" id="bkmrk-"><button aria-label="Copy code to clipboard" class="copybtn o-tooltip--left" data-clipboard-target="#codecell0" data-tooltip="Copy"><svg class="size-6" fill="none" stroke="currentColor" stroke-width="1.5" viewbox="0 0 24 24" xmlns="http://www.w3.org/2000/svg"></svg></button></div>##### Example values are:

```
oracle://sys:Oradoc_db1@0.0.0.0:1521/ORCLCDB.localdomain?sysdba=1
user="sys" password="Oradoc_db1" connectString="0.0.0.0:1521/ORCLCDB.localdomain" sysdba=true

```

<div class="highlight" id="bkmrk--1"><button aria-label="Copy code to clipboard" class="copybtn o-tooltip--left" data-clipboard-target="#codecell1" data-tooltip="Copy"><svg class="size-6" fill="none" stroke="currentColor" stroke-width="1.5" viewbox="0 0 24 24" xmlns="http://www.w3.org/2000/svg"></svg></button></div>##### In the first, URL-based format, special characters should be URL encoded.

##### In the seoncd, logfmt-encoded DSN format, if the password contains a backslash character (`\`), it must be escaped with another backslash. For example, if the password is `my\_password`, it must be written as `my\\_password`.

##### To mask the password shown in the DSN, remove the username and password from the DSN string, and configure the DSN to only include the host address and any additional parameters required for the connection. Subsequently, we can use the username and password fields under advanced options in the backend to configure them.

##### \* Please take note of the **Oracle DSN** since we will need it later for the integration part.

#### **Integration on AQUILA**

1. ##### Login to **AQUILA**. Go to **Cyber Monitoring** -&gt; **Cyber Incident Management (CIM)** -&gt; **Settings**.

![image.png](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-07/scaled-1680-/y9IIfN2IghY0IbCy-image.png)

##### 2. Choose **Log Source**. Type "**Oracle**" on the text field then choose the first shown on **List of Integrations** and click **Add to Agent**.

![image.png](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-07/scaled-1680-/H0rfivk2I1hB0uvC-image.png)

##### 3. Choose what **Log Collector** you want to integrate the **Log Source**.

![image.png](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-07/scaled-1680-/evNXMDaI8iZPgOYl-image.png)

##### 4. Click the drop-down arrow on **Oracle Audit Logs**. On the **Oracle DSN** textbox input the details you gathered earlier.

![image.png](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-07/scaled-1680-/IUlZCQw4Mio7oEXe-image.png)

##### 5. Scroll down and click the drop-down arrow on **Oracle Audit Log**. In the **Paths** textbox input the data you gathered earlier. In the **Tags** textbox, click the textbox and it will show 1 value choose that.

![image.png](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-07/scaled-1680-/LBxfZD96ryJIVWZz-image.png)

##### 6. For **Memory metrics, Oracle performance metrics, Sysmetric related metrics, System Statistics** and **Oracle** **tablespace metrics** just click all the **Tags** textbox on them and choose the only value shown. After that click **next**.

![image.png](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-07/scaled-1680-/xSQluT4o4IB7fB89-image.png)

![image.png](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-07/scaled-1680-/9KPia3lWEOcbJypS-image.png)

![image.png](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-07/scaled-1680-/BVV6sINSO79l8bpt-image.png)

![image.png](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-07/scaled-1680-/g0u0xV3ussqwLfdV-image.png)

![image.png](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-07/scaled-1680-/lOp1i6wBbglWjC4m-image.png)

##### 7. Wait for the **Successful** window to display, this will confirm the successful integration.

![image.png](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-07/scaled-1680-/qqQMRTFr5V1HLZOJ-image.png)

*If you need further assistance, kindly contact our support at **support@cytechint.com** for prompt assistance and guidance.*