The Unavoidable Hacker: September 2019

Wednesday, 11 September 2019

Oracle Integration Cloud Log Analytics Audit Log Parser

At the time of writing Oracle Management Cloud currently comes with a Log Parser for Oracle Integration Cloud Audit logs (ics-audit.log).

The parser does not work if the userId contains a word separating characters like an email address.

The current parser definition is

\[{TIMEDATE}\]\s+\[(\w+)\]\s+\[(\w+)\]\s*\[(.*)?\]\s+\[(\S+)\]\s+\[\w+\:\s+(\d+)\]\s*\[\w+\:\s*(?:\<)?(\w+)(?:\>)?\]\s+\[\w+\:\s+(\S+)\]\s*\[\w+\:\s*([^\,]*)?\]\s*\[\w+\-\w+\:\s*(\w*)?\]\s*\[\w+\-\w+\:\s*(\w*)?\]\s+\[([^\,]*)\]\:\s*\[([^\,]*)?\,([^\,]*)?\,([^\,]*)?\,([^\,]*)?\,([^\,]*)?\,([^\,]*)?\](.*)?

The modified parser definition is

\[{TIMEDATE}\]\s+\[(\w+)\]\s+\[(\w+)\]\s*\[(.*)?\]\s+\[(\S+)\]\s+\[\w+\:\s+(\d+)\]\s*\[\w+\:\s*(?:\<)?(.*)(?:\>)?\]\s+\[\w+\:\s+(\S+)\]\s*\[\w+\:\s*([^\,]*)?\]\s*\[\w+\-\w+\:\s*(\w*)?\]\s*\[\w+\-\w+\:\s*(\w*)?\]\s+\[([^\,]*)\]\:\s*\[([^\,]*)?\,([^\,]*)?\,([^\,]*)?\,([^\,]*)?\,([^\,]*)?\,([^\,]*)?\](.*)?

Tuesday, 3 September 2019

How to Start Oracle Management Cloud Agents automatically using systemctl

The Oracle Management Cloud documentation calls out how to start the OMC agents at system reboot, but at the time of writing it's light years behind still focusing on Linux 6 and /etc/init.d scripts.

If you're interested in the old school way of doing things follow the official documentation located here Configure Automatic Restart of a Cloud Agent.

If like most of the world population you've moved onto Linux 7 then you're on your own. This is where I come in.

Hopefully I'll save you the sh*g and hassle of working out how hard this was, if you're interested comment out "RemainAfterExit=true" and then try and debug it, good luck.

Basically perform these steps as root, you'll obviously have to change User, Group and "/u01/app/omcagent/" but the rest of it should stay the same;

echo "[Unit]
Description=Oracle Management Cloud Agent

[Install]
WantedBy=multi-user.target

[Service]
User=opc
Group=opc
LimitNOFILE=10000
LimitNPROC=10000
ExecStart=/u01/app/omcagent/agent_inst/bin/omcli start agent
ExecStop=/u01/app/omcagent/agent_inst/bin/omcli stop agent
ExecReload=/u01/app/omcagent/agent_inst/bin/omcli reload agent
StandardOutput=syslog
StandardError=syslog
Restart=on-abnormal
RemainAfterExit=true" > /usr/lib/systemd/system/omcagent.service

systemctl enable omcagent.service
systemctl start omcagent.service
systemctl status omcagent.service