Data Collection from Oracle Database

On a high level, data collection process for Oracle databases works as follows:

  1. Oracle administrator prepares a dedicated service account with sufficient permissions to collect data from Oracle Database. Refer to the For Oracle Database Auditing
  2. Netwrix administrator does the following:

    • Creates a monitoring plan in Netwrix Auditor, specifying the service account (prepared at step 1) as a data collecting account in the Monitoring Plan wizard. Then s/he adds items to the monitoring plan – these are Oracle Databases to collect data from.
    • Configures alerts related to Oracle data source. Current version does not include predefined alerts for that data source, so follow the Create Alerts section to create and configure the necessary alerts.

    NOTE: Remember to set the filter to “Data Source equals Oracle”.

  3. Netwrix Auditor Data Collection Service starts periodic (every 10 min by default) data collection sessions. The results of each session include audit events that occurred since the previous data collection. Data is retrieved via Oracle Instant Client application. The product uses direct connection string or Oracle Wallet to connect to Oracle databases.

  4. Netwrix Auditor Data Collection Service processes collected data into the proprietary format (Activity Records). Each Activity Record contains initiator’s account, time, action, and other details.

    • To determine what has changed in the configuration, it compares a state snapshot from Oracle Server with the previously taken.
    • To get ‘Who’ (initiator) and ‘When’ (date and time) information for the detected changes, the product uses Oracle events data.

    Netwrix Auditor Server then writes the Activity Records to the audit database (default retention – 180 days) and long-term archive (default retention – 120 months).

  5. Users can work with collected data in Netwrix Auditor client UI: run search, view reports, and so on. If you have configured alerting in Netwrix Auditor, then the activities that match the certain criteria will trigger the alerts. Recipients will be notified by email, and response actions will be taken, if configured.

  6. Netwrix Auditor also generates an Activity Summary once a day (by default, at 3 AM) and sends it to the specified recipients. This email lists Oracle infrastructure changes and activities collected by Netwrix Auditor during the last 24 hours.