Sentinel Log Manager 1.2.1
Oracle Database Collector version: 2011.1r1
Syslog Connector Version: 2011.1r3

The Oracle database is running on RHEL 5 update 5. The database admin has
configured Oracle to log SYS user events into syslog, and Oracle SYS
user events are being logged at /var/log/audit.log

We have configured that RHEL 5.5 Server to send syslog events to our SLM
box, in /etc/syslog.conf:


local1.warning /var/log/audit.log
*.info;mail.none;cron.none;kern.none;local1.warning @


After doing the above configuration and restarting the syslog service on
the RHEL box, we found an event source under NetIQ Universal Collector. We
then changed the Collector from NetIQ Universal to RedHat from SLM webui > Event Sources.

Then we also configured the same RHEL box to send 'local1.warning'
events (i.e. SYS user events) to SLM, and now /etc/syslog.conf looks like:


local1.warning /var/log/audit.log
local1.warning @
*.info;mail.none;cron.none;kern.none;local1.warning @


After the above configuration I can see another event source under
Universal Event Collector named 'Oracle', which reports all SYS user
activities to SLM ;-).
I then select this newly created 'Oracle' event source (that receives SYS
user events) via the SLM webui as Collection > Event Source > Oracle and
then set/select the Oracle Collector for that 'Oracle' event source. But
as soon as I do this, the Oracle event source which I associated with the
Oracle Database 2011.1r1 Collector stops receiving SYS user events,
though it remains Online (green), and automatically another event source with
the same name 'Oracle' is created under the NetIQ Universal Collector, which
starts receiving SYS user events.

So my problem is that I am unable to receive 'SYS' user activities via the
latest Oracle Collector (syslog connector).

sharfuddin's Profile: