[Filebeat][New Module] Adding support for Oracle Audit logs

CHANGELOG.next.asciidoc

@@ -633,6 +633,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - New juniper.srx dataset for Juniper SRX logs. {pull}20017[20017]
 - Adding support for Microsoft 365 Defender (Microsoft Threat Protection) {pull}21446[21446]
 - Adding support for FIPS in s3 input {pull}21446[21446]
+- Adding support for Oracle Database Audit Logs {pull}21991[21991]
 - Add SSL option to checkpoint module {pull}19560[19560]
 
 *Heartbeat*

filebeat/docs/fields.asciidoc

@@ -65,6 +65,7 @@ grouped in the following categories:
 * <<exported-fields-nginx>>
 * <<exported-fields-o365>>
 * <<exported-fields-okta>>
+* <<exported-fields-oracle>>
 * <<exported-fields-osquery>>
 * <<exported-fields-panw>>
 * <<exported-fields-postgresql>>
@@ -108270,6 +108271,157 @@ type: geo_point
 
 --
 
+[[exported-fields-oracle]]
+== Oracle fields
+
+Oracle Module
+
+
+
+[float]
+=== oracle
+
+Fields from Oracle logs.
+
+
+
+[float]
+=== database_audit
+
+Module for parsing Oracle Database audit logs
+
+
+
+*`oracle.database_audit.status`*::
++
+--
+Database Audit Status.
+
+
+type: keyword
+
+--
+
+*`oracle.database_audit.session_id`*::
++
+--
+Indicates the audit session ID number.
+
+
+type: keyword
+
+--
+
+*`oracle.database_audit.client.terminal`*::
++
+--
+If available, the client terminal type, for example "pty".
+
+
+type: keyword
+
+--
+
+*`oracle.database_audit.client.address`*::
++
+--
+The IP Address or Domain used by the client.
+
+
+type: keyword
+
+--
+
+*`oracle.database_audit.client.user`*::
++
+--
+The user running the client or connection to the database.
+
+
+type: keyword
+
+--
+
+*`oracle.database_audit.database.user`*::
++
+--
+The database user used to authenticate.
+
+
+type: keyword
+
+--
+
+*`oracle.database_audit.privilege`*::
++
+--
+The privilege group related to the database user.
+
+
+type: keyword
+
+--
+
+*`oracle.database_audit.entry.id`*::
++
+--
+Indicates the current audit entry number, assigned to each audit trail record. The audit entry.id sequence number is shared between fine-grained audit records and regular audit records.
+
+
+type: keyword
+
+--
+
+*`oracle.database_audit.database.host`*::
++
+--
+Client host machine name.
+
+
+type: keyword
+
+--
+
+*`oracle.database_audit.action`*::
++
+--
+The action performed during the audit event. This could for example be the raw query.
+
+
+type: keyword
+
+--
+
+*`oracle.database_audit.action_number`*::
++
+--
+Action is a numeric value representing the action the user performed. The corresponding name of the action type is in the AUDIT_ACTIONS table. For example, action 100 refers to LOGON.
+
+
+type: keyword
+
+--
+
+*`oracle.database_audit.database.id`*::
++
+--
+Database identifier calculated when the database is created. It corresponds to the DBID column of the V$DATABASE data dictionary view.
+
+
+type: keyword
+
+--
+
+*`oracle.database_audit.length`*::
++
+--
+Refers to the total number of bytes used in this audit record. This number includes the trailing newline bytes (\n), if any, at the end of the audit record.
+
+
+type: long
+
+--
+
 [[exported-fields-osquery]]
 == Osquery fields
 

filebeat/docs/modules/oracle.asciidoc

@@ -0,0 +1,77 @@
+////
+This file is generated! See scripts/docs_collector.py
+////
+
+[[filebeat-module-oracle]]
+[role="xpack"]
+
+:modulename: oracle
+:has-dashboards: false
+
+
+== Oracle module
+beta[]
+
+This is a module for ingesting Audit Trail logs from Oracle Databases.
+
+The module expects an *.aud audit file that is generated from Oracle Databases by default. If this has been disabled then please see the https://docs.oracle.com/en/database/oracle/oracle-database/19/dbseg/introduction-to-auditing.html#GUID-8D96829C-9151-4FA4-BED9-831D088F12FF[Oracle Database Audit Trail Documentation].
+
+
+
+include::../include/gs-link.asciidoc[]
+
+
+[float]
+=== Compatibility
+
+This module has been tested with Oracle Database 19c, and should work for 18c as well though it has not been tested.
+
+include::../include/configuring-intro.asciidoc[]
+
+:fileset_ex: database_audit
+
+include::../include/config-option-intro.asciidoc[]
+
+[float]
+==== `database_audit` fileset settings
+
+Example config:
+
+[source,yaml]
+----
+- module: oracle
+  database_audit:
+    var.input: file
+    var.paths: /home/user/oracleauditlogs/*/*.aud
+----
+
+include::../include/var-paths.asciidoc[]
+
+*`var.tags`*::
+
+A list of tags to include in events. Including `forwarded` indicates that the
+events did not originate on this host and causes `host.name` to not be added to
+events. Defaults to `[oracle-database-audit]`.
+
+[float]
+==== Oracle Database fields
+
+Oracle Database fields are mapped to the current ECS Fields:
+[options="header"]
+|==============================================================
+| Oracle Fields              | ECS Fields                     |
+| privilege                  | host.user.roles                |
+| client_user                | client.user.name               |
+| userhost                   | client.ip/domain               |
+| database_user              | server.user.name               |
+|==============================================================
+
+:modulename!:
+
+
+[float]
+=== Fields
+
+For a description of each field in the module, see the
+<<exported-fields-oracle,exported fields>> section.
+

filebeat/docs/modules_list.asciidoc

@@ -46,6 +46,7 @@ This file is generated! See scripts/docs_collector.py
   * <<filebeat-module-nginx>>
   * <<filebeat-module-o365>>
   * <<filebeat-module-okta>>
+  * <<filebeat-module-oracle>>
   * <<filebeat-module-osquery>>
   * <<filebeat-module-panw>>
   * <<filebeat-module-postgresql>>
@@ -114,6 +115,7 @@ include::modules/netscout.asciidoc[]
 include::modules/nginx.asciidoc[]
 include::modules/o365.asciidoc[]
 include::modules/okta.asciidoc[]
+include::modules/oracle.asciidoc[]
 include::modules/osquery.asciidoc[]
 include::modules/panw.asciidoc[]
 include::modules/postgresql.asciidoc[]

x-pack/filebeat/filebeat.reference.yml

@@ -1351,6 +1351,18 @@ filebeat.modules:
     #var.url: https://yourOktaDomain/api/v1/logs
     #var.api_key: 'yourApiTokenHere'
 
+#-------------------------------- Oracle Module --------------------------------
+- module: oracle
+  database_audit:
+    enabled: true
+
+    # Set which input to use between syslog or file (default).
+    #var.input: file
+
+    # Set paths for the log files when file input is used.
+    # Should only be used together with file input
+    # var.paths: /home/user/oracleauditlogs/*.aud
+
 #------------------------------- Osquery Module -------------------------------
 - module: osquery
   result:

x-pack/filebeat/module/oracle/_meta/config.yml

@@ -0,0 +1,10 @@
+- module: oracle
+  database_audit:
+    enabled: true
+
+    # Set which input to use between syslog or file (default).
+    #var.input: file
+
+    # Set paths for the log files when file input is used.
+    # Should only be used together with file input
+    # var.paths: /home/user/oracleauditlogs/*.aud

x-pack/filebeat/module/oracle/_meta/docs.asciidoc

@@ -0,0 +1,64 @@
+[role="xpack"]
+
+:modulename: oracle
+:has-dashboards: false
+
+
+== Oracle module
+beta[]
+
+This is a module for ingesting Audit Trail logs from Oracle Databases.
+
+The module expects an *.aud audit file that is generated from Oracle Databases by default. If this has been disabled then please see the https://docs.oracle.com/en/database/oracle/oracle-database/19/dbseg/introduction-to-auditing.html#GUID-8D96829C-9151-4FA4-BED9-831D088F12FF[Oracle Database Audit Trail Documentation].
+
+
+
+include::../include/gs-link.asciidoc[]
+
+
+[float]
+=== Compatibility
+
+This module has been tested with Oracle Database 19c, and should work for 18c as well though it has not been tested.
+
+include::../include/configuring-intro.asciidoc[]
+
+:fileset_ex: database_audit
+
+include::../include/config-option-intro.asciidoc[]
+
+[float]
+==== `database_audit` fileset settings
+
+Example config:
+
+[source,yaml]
+----
+- module: oracle
+  database_audit:
+    var.input: file
+    var.paths: /home/user/oracleauditlogs/*/*.aud
+----
+
+include::../include/var-paths.asciidoc[]
+
+*`var.tags`*::
+
+A list of tags to include in events. Including `forwarded` indicates that the
+events did not originate on this host and causes `host.name` to not be added to
+events. Defaults to `[oracle-database-audit]`.
+
+[float]
+==== Oracle Database fields
+
+Oracle Database fields are mapped to the current ECS Fields:
+[options="header"]
+|==============================================================
+| Oracle Fields              | ECS Fields                     |
+| privilege                  | host.user.roles                |
+| client_user                | client.user.name               |
+| userhost                   | client.ip/domain               |
+| database_user              | server.user.name               |
+|==============================================================
+
+:modulename!:

x-pack/filebeat/module/oracle/_meta/fields.yml

@@ -0,0 +1,10 @@
+- key: oracle
+  title: Oracle
+  description: >
+    Oracle Module
+  fields:
+    - name: oracle
+      type: group
+      description: >
+        Fields from Oracle logs.
+      fields: