Hello Balazs,
I am trying to use your app to analyze syslog events generated by Oracle XE 10.2. I believe the extract pattern in props.conf does not seem to be able to cope (i.e. no results are generated by a query index="oracleaudit" | top oracle_actionname) with payloads like the following two examples:
<134>Jan 5 14:37:57 localhost Oracle Audit[9261]: ACTION : 'ALTER DATABASE OPEN'#012DATABASE USER: '/'#012PRIVILEGE : SYSDBA#012CLIENT USER: oracle#012CLIENT TERMINAL: #012STATUS: 0
<134>Jan 5 14:37:49 localhost Oracle Audit[9255]: ACTION : 'SELECT DECODE(null,'','Total System Global Area','') NAME_COL_PLUS_SHOW_SGA, SUM(VALUE), DECODE (null,'', 'bytes','') units_col_plus_show_sga FROM V$SGA UNION ALL SELECT NAME NAME_COL_PLUS_SHOW_SGA , VALUE, DECODE (null,'', 'bytes','') units_col_plus_show_sga FROM V$SGA'#012DATABASE USER: '/'#012PRIVILEGE : SYSDBA#012CLIENT USER: oracle#012CLIENT TERMINAL: #012STATUS: 0
Using the simple query index="oracleaudit" does return the expected events.
Any insight?
Thanks,
andrea
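An added example, not code from the original post and not the app's own extraction pattern: a Python parser for the two event shapes quoted above. The `#012` sequences are the newlines of the multi-line audit record escaped as octal by the syslog daemon. The second event's ACTION contains single quotes of its own (SQL string literals), so an extraction that ends the value at the first closing quote truncates it; this parser instead ends each value at the next field label. The field names (`oracle_actionname` for ACTION, mirroring the search in the post, and `oracle_<label>` for the rest) are assumptions made here, and the sample events are reproduced from the post.

```python
"""Parse Oracle audit records forwarded over syslog with '#012' newline escapes."""
import re
from collections import Counter
from typing import Dict, List, Optional

# Sample input: the two events quoted in the post, reproduced here for the example.
SAMPLE_EVENTS = [
    "<134>Jan 5 14:37:57 localhost Oracle Audit[9261]: ACTION : 'ALTER DATABASE OPEN'"
    "#012DATABASE USER: '/'#012PRIVILEGE : SYSDBA#012CLIENT USER: oracle"
    "#012CLIENT TERMINAL: #012STATUS: 0",
    "<134>Jan 5 14:37:49 localhost Oracle Audit[9255]: ACTION : 'SELECT DECODE(null,'',"
    "'Total System Global Area','') NAME_COL_PLUS_SHOW_SGA, SUM(VALUE), DECODE (null,'', "
    "'bytes','') units_col_plus_show_sga FROM V$SGA UNION ALL SELECT NAME "
    "NAME_COL_PLUS_SHOW_SGA , VALUE, DECODE (null,'', 'bytes','') units_col_plus_show_sga "
    "FROM V$SGA'#012DATABASE USER: '/'#012PRIVILEGE : SYSDBA#012CLIENT USER: oracle"
    "#012CLIENT TERMINAL: #012STATUS: 0",
]

# Syslog header as seen in the samples: <PRI>timestamp host Oracle Audit[pid]: body
HEADER_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"Oracle Audit\[(?P<pid>\d+)\]: (?P<body>.*)$",
    re.DOTALL,
)

# Labels that begin each line of the audit record (as seen in the samples).
LABELS = ["ACTION", "DATABASE USER", "PRIVILEGE", "CLIENT USER", "CLIENT TERMINAL", "STATUS"]
_LABEL_ALT = "|".join(re.escape(label) for label in LABELS)

# A value runs from after the colon up to the next label at a line start, or end of record.
# Only spaces/tabs are allowed around the colon so an empty value (CLIENT TERMINAL) does not
# swallow the newline and the following field.
FIELD_RE = re.compile(
    rf"^(?P<key>{_LABEL_ALT})[ \t]*:[ \t]*(?P<val>.*?)(?=\n(?:{_LABEL_ALT})[ \t]*:|\Z)",
    re.DOTALL | re.MULTILINE,
)

# Assumed output field names; ACTION mirrors the 'oracle_actionname' searched in the post.
FIELD_NAMES = {"ACTION": "oracle_actionname"}

# Quote-delimited extraction, for comparison: stops at the first embedded quote.
NAIVE_ACTION_RE = re.compile(r"ACTION : '([^']*)'")


def naive_action(event: str) -> Optional[str]:
    """Return the ACTION as a quote-delimited regex would extract it (truncated on sample 2)."""
    m = NAIVE_ACTION_RE.search(event)
    return m.group(1) if m else None


def unescape_syslog(body: str) -> str:
    """Turn the syslog daemon's '#012' (octal 012 = LF) escapes back into newlines."""
    return body.replace("#012", "\n")


def parse_oracle_audit(event: str) -> Dict[str, str]:
    """Split one syslog line into header fields plus one entry per audit-record label."""
    m = HEADER_RE.match(event)
    if not m:
        raise ValueError("not an Oracle Audit syslog event")
    rec = {"pri": m.group("pri"), "ts": m.group("ts"), "host": m.group("host"), "pid": m.group("pid")}
    body = unescape_syslog(m.group("body"))
    for f in FIELD_RE.finditer(body):
        label, val = f.group("key"), f.group("val").strip()
        # Strip exactly one outer pair of quotes; quotes inside the SQL text are kept.
        if len(val) >= 2 and val[0] == "'" and val[-1] == "'":
            val = val[1:-1]
        rec[FIELD_NAMES.get(label, "oracle_" + label.lower().replace(" ", "_"))] = val
    return rec


def count_actions(events: List[str]) -> Counter:
    """Equivalent of '| top oracle_actionname': count distinct ACTION values."""
    return Counter(parse_oracle_audit(e)["oracle_actionname"] for e in events)


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print("naive :", naive_action(ev))
        print("parsed:", parse_oracle_audit(ev)["oracle_actionname"])
    print(count_actions(SAMPLE_EVENTS))
```

Running the block prints the truncated quote-delimited ACTION next to the full one for each sample; the difference on the second event is the kind of case an extraction anchored on the closing quote would miss, while the label-anchored pattern still yields all six fields.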