Release notes for the Splunk Add-on for Oracle Database¶
Version 4.2.0 of the Splunk Add-on for Oracle Database was released on
About this release¶
Version 4.2.0 of the Splunk Add-on for Oracle Database is compatible with the following software, CIM versions, and platforms.
| Splunk platform versions | 9.x, 10.0 |
| Splunk DB Connect | 4.0.1 |
| CIM | 6.1.0 |
| Platforms | Platform independent |
| Vendor Products | Oracle Database Server 19c/21c/23ai |
Note
Splunk DB Connect version 2.x reached its end of life on July 7, 2019.
New features¶
-
Support for Oracle Database Version 23ai.
-
Support for CIM version 6.1.0.
-
Enhanced CIM mappings and tags for Audit Command events and Roles and Priveleges Management events in
oracle:audit:unified,oracle:audit:textandoracle:audit:xml. -
The sourcetypes
oracle:audit:textandoracle:audit:xmlhas been deprecated from this release onwards. Please useoracle:audit:unifiedsourcetype instead.Use Splunk DB Connect App to collect audit data from the UNIFIED_AUDIT_TRAIL database table into the
oracle:audit:unifiedsourcetype using theoracle:audit:unifiedtemplate in this add-on. For more information, see Configure Splunk DB Connect v3.8.0 inputs for the Splunk Add-on for Oracle Database.
Starting from the release for Oracle 21c, Oracle no longer supports traditional auditing, as referenced Oracle documentation.
Instead of previous Oracle Auditing functionality, use Oracle Unified Auditing.
Note
Splunk may no longer support the source types for the previous auditing configs, such as oracle:audit:text and oracle:audit:xml, in the upcoming releases of the the Splunk Add-on for Oracle Database.
CIM Data Model Changes¶
| Source type | ACTION_NAME | Previous CIM model | New CIM model |
|---|---|---|---|
oracle:audit:unified |
ALTER ROLE, CREATE ROLE, DROP ROLE, EXECUTE | Change.Account_Management | Change.All_Changes |
oracle:audit:unified |
AUDIT, NOAUDIT | Change.Account_Management | Change.Audit_Management |
| Source type | ACTION_NUMBER | Previous CIM model | New CIM model |
|---|---|---|---|
oracle:audit:text. |
18 | - | Change.Account_Management |
oracle:audit:text. |
30, 31 | - | Change.Audit_Management |
oracle:audit:text. |
47, 52, 54, 79 | - | Change.All_Changes |
| Source type | ACTION | Previous CIM model | New CIM model |
|---|---|---|---|
oracle:audit:xml |
17, 18, 114, 115 | Databases.All_Databases | ChangeAccount_Management |
oracle:audit:xml |
30, 31, 104, 105 | Databases.All_Databases | ChangeAudit_Management |
oracle:audit:xml |
47, 52, 54, 79, 116 | Databases.All_Databases | Change.All_Changes |
Field Changes¶
| Source type | ACTION_NAME | Fields added | Fields removed |
|---|---|---|---|
['oracle:audit:unified'] |
NOAUDIT, EXECUTE, DROP ROLE, AUDIT, CREATE ROLE, ALTER ROLE | user_type, src_ip, object_id, action, object_attrs, object_category | |
['oracle:audit:unified'] |
GRANT | src_user_name, user_type, src_ip, src_user_type, object_id, object_attrs | |
['oracle:audit:unified'] |
LOGON | reason_id | |
['oracle:audit:unified'] |
REVOKE | src_user_name, user_type, src_ip, src_user, src_user_type, object_id, action, object_attrs, object_category |
| Source type | ACTION | Fields added | Fields removed |
|---|---|---|---|
['oracle:audit:xml'] |
17 | src_user_name, user_type, src_nt_domain, src_user_type, object_id, action, object_attrs, status, change_type | |
['oracle:audit:xml'] |
18 | src_user_name, user_type, src_ip, src_nt_domain, src_user_type, object_id, action, object_attrs, status, change_type | |
['oracle:audit:xml'] |
47, 30, 31 | user_type, src_ip, object_id, action, object_attrs, status, change_type | |
['oracle:audit:xml'] |
52, 79, 54 | user_type, object_id, object_attrs, object_category | |
['oracle:audit:xml'] |
100 | reason_id | |
['oracle:audit:xml'] |
105, 104 | user_type, src_ip, object, object_id, action, object_attrs, status, change_type, object_category | |
['oracle:audit:xml'] |
114, 115 | src_user_name, user_type, src_nt_domain, src_user_type, object_id, object_attrs, object_category | |
['oracle:audit:xml'] |
116 | user_type, object_id, action, object_attrs, status, change_type |
| Source type | ACTION_NUMBER | Fields added | Fields removed |
|---|---|---|---|
['oracle:audit:text'] |
17 | src_user_name, src_ip, object, src_user_type, object_id | |
['oracle:audit:text'] |
18 | src_user_name, eventtype, tag::eventtype, src_ip, object, src_user, user_name, tag, src_user_type, action, object_id, object_attrs, object_category | |
['oracle:audit:text'] |
47, 54, 30, 52, 79, 31 | eventtype, tag::eventtype, user_type, src_ip, object, user_name, tag, object_id, action, object_attrs, object_category | |
['oracle:audit:text'] |
51, 187, 43, 49, 57, 44, 40, 67, 138, 42, 53, 91 | src_ip | |
['oracle:audit:text'] |
100 | reason_id, src_ip |
Fixed issues¶
Version 4.2.0 of the Splunk Add-on for Oracle Database contains the following fixed issues.
Known issues¶
Version 4.2.0 of the Splunk Add-on for Oracle Database contains the following known issues. If no issues appear below, no issues have yet been reported.
Third-party software attributions¶
Version 4.2.0 of the Splunk Add-on for Oracle Database does not incorporate any third-party software or libraries.