Aria Operations for Logs

VMware Aria Operations for Logs (formerly Log Insight Cloud) & Oracle audits: Helping you stay compliant

Dealing with Oracle audits can be a complicated affair. When running Oracle on a VMware virtual environment, there are times when you need to prove to Oracle that your database virtual machines have not migrated to unlicensed ESX clusters. If you don’t have the data to show during an audit, things could get messy. Luckily, VMware Aria Operations for Logs is here to help you retain the events you need to keep Oracle audits at bay!

Aria Operations for Logs has a feature called ‘non-index’ partitioning. This lets you store certain logs and events in a separate, lower-cost partition where the data can be stored for up to seven years. There is a small fee for querying data in these partitions, but since the events in this partition are usually things like auditing or authentication events, we only really need to query them during audits.

Let’s see how we can set up a new non-index partition in Aria Operations for Logs and send vMotion events to it so we can save those events for our next Oracle audit.



Query the events that you need from your ESX cluster

First we need to build a query to show the migration events for our Oracle ESX cluster. This query will be used so that the non-index partition knows which events to ingest. We built a simple query here that looks for the text ‘Migrated’, and our cluster field is the cluster in question. You can use your own query that might work better for your environment.



If we look at the events the query returned, we can see that they tell us when, where and how the VMs in the cluster are migrating. This should work for building our non-index partition.



Build our new Oracle audit partition

Now that we have the information we need, we can build our partition. Navigate to ‘Log Management -> Log Partitions’ using the left-hand menu in Aria Operations for Logs and click ‘New Partition’ at the top right. Fill in the name, description, and your retention period. I used 365 days. Make sure you choose Non-Indexed for the partition type.



Next, we take the query we built in Log Explorer and use it here to define the events that the partition will ingest. If you saved the query as a ‘favorite query’, you can choose it from there. There is an option to ‘show chart’ to the right of our query builder, if you want to make sure the query is picking up the proper events. If the chart is empty, you might have to tweak your query or wait until more events flow into Aria Logs.

If you want the migration logs to also show up in your default partition, so you can continue to query them as normal for 30 days, check the ‘Forward data to Indexed Partitions’ option. If not, leave it unchecked as I did.



Once we have verified our query and all of our other inputs, we can save the partition by clicking ‘Create’ at the top right. Your new partition will start ingesting events right away.



Query your migration events in your non-indexed partition

Finally, let’s test our partition to make sure the correct events are returned. We return to the Log Explorer and choose our Oracle vMotion partition from the partition options to the right of the query box, then choose a period of seven days or less for the date range. (Non-Index partition queries are limited to a seven-day range.)



Then we do a search for one of our Oracle database VMs, and it should show all migration events for the time period we chose.  
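The Python below is an added example, not part of the original post or of VMware's tooling: it splits an audit period into query windows that respect the seven-day limit, then checks exported migration events against a list of licensed hosts. The event layout, host names and VM names are constructed assumptions; adapt the pattern to the text your own query returns.

```python
import re
from datetime import datetime, timedelta

# Non-index partition queries are limited to a seven-day range (see above).
MAX_WINDOW = timedelta(days=7)

def query_windows(start, end, step=MAX_WINDOW):
    """Split [start, end) into consecutive windows no longer than `step`."""
    windows, cur = [], start
    while cur < end:
        nxt = min(cur + step, end)
        windows.append((cur, nxt))
        cur = nxt
    return windows

# Constructed, simplified event layout (an assumption, not the real vCenter text):
#   <ISO timestamp> Migrated <vm> from <source host> to <destination host>
EVENT_RE = re.compile(r"^(\S+) Migrated (\S+) from (\S+) to (\S+)$")

def unlicensed_migrations(lines, licensed_hosts, oracle_vms):
    """Return (findings, unparsed): migrations of Oracle VMs that touch a host
    outside the licensed set, plus lines that could not be parsed, so they can
    be reviewed by hand rather than silently ignored."""
    findings, unparsed = [], []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            unparsed.append(line)
            continue
        ts, vm, src, dst = m.groups()
        if vm in oracle_vms and not {src, dst} <= licensed_hosts:
            findings.append((datetime.fromisoformat(ts), vm, src, dst))
    return findings, unparsed

# Constructed sample data: host and VM names are hypothetical.
LICENSED_HOSTS = {"esx-ora-01", "esx-ora-02"}
ORACLE_VMS = {"oradb01", "oradb02"}
SAMPLE_EVENTS = [
    "2024-03-01T10:15:00 Migrated oradb01 from esx-ora-01 to esx-ora-02",
    "2024-03-03T02:40:00 Migrated oradb02 from esx-ora-02 to esx-gen-07",
    "2024-03-04T08:00:00 Migrated web01 from esx-gen-07 to esx-gen-08",
    "line that does not match the expected layout",
]

if __name__ == "__main__":
    for lo, hi in query_windows(datetime(2024, 1, 1), datetime(2024, 1, 31)):
        print("query window:", lo.date(), "to", hi.date())
    bad, skipped = unlicensed_migrations(SAMPLE_EVENTS, LICENSED_HOSTS, ORACLE_VMS)
    for ts, vm, src, dst in bad:
        print(f"REVIEW {ts} {vm}: {src} -> {dst}")
    print(len(skipped), "unparsed line(s)")
```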



Conclusion

And it’s that simple! In just a few steps we have created a new non-index partition in Aria Operations for Logs, and we can use it during audit time to prove our VMs only stayed on licensed clusters. This functionality isn’t only for Oracle audits. You can use it for internal or external audits to show authorized root/admin logins to your systems, that only authorized software was installed, or even that only authorized users checked code in and out of your version control systems. Anything that Aria Operations for Logs collects as an event can be stored in a non-index partition and recalled later as needed.