From 9e33f02364a6f43292c306ee73926638be5d1616 Mon Sep 17 00:00:00 2001
From: Dylan Myers
Date: Wed, 15 Sep 2021 14:13:28 -0400
Subject: [PATCH 1/4] Allow DBID to be empty & Correct case matching

The DBID field is able to be empty on some versions of Oracle DB
The multiline regex was looking for `Audit File`, but logs have `Audit file`
---
 plugins/oracledb.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/plugins/oracledb.yaml b/plugins/oracledb.yaml
index 2cdcfd10..55a0b0ea 100644
--- a/plugins/oracledb.yaml
+++ b/plugins/oracledb.yaml
@@ -74,7 +74,7 @@ pipeline:
 - {{ $audit_log_path }}
 start_at: {{ $start_at }}
 multiline:
- line_start_pattern: '^[a-zA-z]+ [a-zA-Z]+\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2} \d{4} [-+]\d{2}:\d{2}\n|^Audit File '
+ line_start_pattern: '^[a-zA-z]+ [a-zA-Z]+\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2} \d{4} [-+]\d{2}:\d{2}\n|^Audit [fF]ile '
 labels:
 log_type: 'oracledb.audit'
 plugin_id: {{ .id }}
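Review bot: The first alternative of the new `line_start_pattern` still uses the character class `[a-zA-z]`, and the range `A-z` also admits `[`, `\`, `]`, `^`, `_` and the backtick, so it is looser than the `[a-zA-Z]` used for the month token on the same line; `[a-zA-Z]+` was presumably intended. This is a pre-existing typo the hunk carries over rather than something the `[fF]ile` change introduces, and patch 4/4 later replaces the whole first alternative with `\w+`, so it only matters if this intermediate state is ever shipped on its own. The `multiline` mapping this key belongs to is part of a file_input entry that starts before the hunk.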
@@ -90,7 +90,7 @@ pipeline:
 - id: audit_regex_parser
 type: regex_parser
- regex: '(?P\w+ \w+\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2} \d{4} [-+]\d{2}:\d{2})\nLENGTH : \D(?P\d*)\D\nACTION :\[\d+\]\s+\D(?P[\d\w[:ascii:]]+)\D\nDATABASE USER:\[\d+\]\s+\D(?P[^\s]+)\D\n(PRIVILEGE :\[\d+\]\s+\D(?P[^\s]+)\D\n)?(CLIENT USER:\[\d+\]\s+\D(?P[^\s]+|)\D\n)?(CLIENT TERMINAL:\[\d+\]\s+\D(?P[^\s]+|)\D\n)?(STATUS:\[\d+\]\s+\D(?P[^\s]+|)\D\n)?(DBID:\[\d+\]\s\D(?P\d+)\D\n)?(SESSIONID:\[\d+\]\s+\D(?P[^\s]+|)\D\n)?(USERHOST:\[\d+\]\s+\D(?P[^\s]+|)\D\n)?(CLIENT ADDRESS:\[\d+\]\s+\D(?P[^\s]+|)\D\n)?(ACTION NUMBER:\[\d+\]\s+\D(?P[^\s]+|)\D)?'
+ regex: '(?P\w+ \w+\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2} \d{4} [-+]\d{2}:\d{2})\nLENGTH : \D(?P\d*)\D\nACTION :\[\d+\]\s+\D(?P[\d\w[:ascii:]]+)\D\nDATABASE USER:\[\d+\]\s+\D(?P[^\s]+)\D\n(PRIVILEGE :\[\d+\]\s+\D(?P[^\s]+)\D\n)?(CLIENT USER:\[\d+\]\s+\D(?P[^\s]+|)\D\n)?(CLIENT TERMINAL:\[\d+\]\s+\D(?P[^\s]+|)\D\n)?(STATUS:\[\d+\]\s+\D(?P[^\s]+|)\D\n)?(DBID:\[\d+\]\s\D(?P\d+|)\D\n)?(SESSIONID:\[\d+\]\s+\D(?P[^\s]+|)\D\n)?(USERHOST:\[\d+\]\s+\D(?P[^\s]+|)\D\n)?(CLIENT ADDRESS:\[\d+\]\s+\D(?P[^\s]+|)\D\n)?(ACTION NUMBER:\[\d+\]\s+\D(?P[^\s]+|)\D)?'
 timestamp:
 parse_from: timestamp
 layout: '%a %h %g %H:%M:%S %Y %j'

From 562b01de87348122d94d74ada6517c74b50bae38 Mon Sep 17 00:00:00 2001
From: Dylan Myers
Date: Wed, 15 Sep 2021 15:28:25 -0400
Subject: [PATCH 2/4] Switch to line end for multiline with double newline pattern

---
 plugins/oracledb.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/plugins/oracledb.yaml b/plugins/oracledb.yaml
index 55a0b0ea..a748025a 100644
--- a/plugins/oracledb.yaml
+++ b/plugins/oracledb.yaml
@@ -74,7 +74,7 @@ pipeline:
 - {{ $audit_log_path }}
 start_at: {{ $start_at }}
 multiline:
- line_start_pattern: '^[a-zA-z]+ [a-zA-Z]+\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2} \d{4} [-+]\d{2}:\d{2}\n|^Audit [fF]ile '
+ line_end_pattern: '\n\n'
 labels:
 log_type: 'oracledb.audit'
 plugin_id: {{ .id }}
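Review bot: The DBID group is now written `\d+|` while the LENGTH group earlier in the same regex expresses "digits or nothing" as `\d*`; `(DBID:\[\d+\]\s\D(?P\d*)\D\n)?` (group name omitted here exactly as the rendered hunk shows it) would match the existing style. Every named group in this hunk appears as a bare `(?P` with no `<name>`, which looks like the angle brackets were stripped when the patch was rendered; the committed file should be checked, since `(?P` without a name does not compile in Go's regexp. Separately, the ACTION class `[\d\w[:ascii:]]+` also matches `'` and `\n`, so where ACTION ends is decided by whatever makes the remaining optional groups match rather than by a delimiter the statement text cannot contain, and a statement that itself contains text shaped like a `DATABASE USER:` line could shift the attribution of the following fields; a comment above `regex:` noting that ACTION is free-form SQL that may span lines would help the next maintainer weigh that. The audit_regex_parser entry continues outside the hunk.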
From 756d70bde2082c2be9504b6c18c3c68a0dc911a9 Mon Sep 17 00:00:00 2001
From: Dylan Myers
Date: Tue, 21 Sep 2021 15:23:44 -0400
Subject: [PATCH 3/4] Fix plugin failure when using inline truncate check

---
 plugins/oracledb.yaml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/plugins/oracledb.yaml b/plugins/oracledb.yaml
index a748025a..c8ebc513 100644
--- a/plugins/oracledb.yaml
+++ b/plugins/oracledb.yaml
@@ -94,7 +94,11 @@ pipeline:
 timestamp:
 parse_from: timestamp
 layout: '%a %h %g %H:%M:%S %Y %j'
- output: '{{ if $enable_truncate_audit_action }}audit_action_restructurer{{ else }}{{ .output }}{{ end }}'
+ # {{ if $enable_truncate_audit_action }}
+ output: audit_action_restructurer
+ # {{ else }}
+ output: {{ .output }}
+ # {{ end }}
 - id: server_start_regex_parser
 type: regex_parser

From 5e7522616d22aca8dcca296aa3617488749ea3a0 Mon Sep 17 00:00:00 2001
From: Dylan Myers
Date: Tue, 21 Sep 2021 15:47:31 -0400
Subject: [PATCH 4/4] Switch back to a regex parse for record splitting

---
 plugins/oracledb.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/plugins/oracledb.yaml b/plugins/oracledb.yaml
index 5d06177b..428eeaf5 100644
--- a/plugins/oracledb.yaml
+++ b/plugins/oracledb.yaml
@@ -74,7 +74,7 @@ pipeline:
 - {{ $audit_log_path }}
 start_at: {{ $start_at }}
 multiline:
- line_end_pattern: '\n\n'
+ line_start_pattern: '\w+\s+\w+\s{1,2}\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\d{4}\s+[-+]\d{2}:\d{2}\n|^Audit [fF]ile '
 labels:
 log_type: 'oracledb.audit'
 plugin_id: {{ .id }}
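Review bot: `output: {{ .output }}` is emitted unquoted, whereas the line it replaces wrapped the whole expression in single quotes; an empty `.output` renders as a bare `output:` (null) and a boolean- or number-looking value would be retyped by the YAML parser, so `output: '{{ .output }}'` keeps the previous behaviour. The raw template now carries two `output:` keys under one mapping; only one survives rendering because the template directives sit in comments, but yamllint's key-duplicates check and any pre-render validation will reject it, which deserves a short note such as `# only one output key remains after templating` beside the `{{ if }}` line. The parser entry these keys belong to starts before the hunk.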
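Review bot: The first alternative of the restored `line_start_pattern` has lost the `^` anchor that the original pattern carried, while the `^Audit [fF]ile ` alternative keeps it, so unless the reader anchors patterns itself a timestamp-shaped token anywhere in the buffered text — presumably including one inside an ACTION value — would start a new record. Restoring it, `line_start_pattern: '^\w+\s+\w+\s{1,2}\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\d{4}\s+[-+]\d{2}:\d{2}\n|^Audit [fF]ile '`, makes the two alternatives consistent again. A one-line comment above the key saying that each audit record starts with a `Day Mon dd hh:mm:ss yyyy +hh:mm` header line or an `Audit file` banner would explain why there are two alternatives. The enclosing file_input entry starts before the hunk.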