queryy

Production-Safe Next Steps ONLY

Do NOT gather stats or invalidate plans directly. Instead:

-- Step 1: Get actual runtime stats (READ ONLY, zero risk)

SELECT sql_id, child_number, elapsed_time/1000000 elapsed_sec,

       buffer_gets, disk_reads, executions,

       buffer_gets/DECODE(executions,0,1,executions) bgets_per_exec

FROM v$sql

WHERE sql_id = 'd8txf935msbx5';

-- Step 2: Check last stats gather on these tables (READ ONLY)

SELECT table_name, last_analyzed, num_rows, stale_stats

FROM dba_tab_statistics

WHERE table_name IN ('MSC_TP_ID_LID','MSC_ST_TRADING_PARTNER_SITES',

                     'MSC_TRADING_PARTNER_SITES')

AND owner = 'MSC';

-- Step 3: Check index column order (READ ONLY)

SELECT column_name, column_position

FROM dba_ind_columns

WHERE index_name = 'MSC_TP_ID_LID_U1'

ORDER BY column_position;

view

 Oracle Apps DBA

Fix Slow View Execution Plan in Oracle EBS 12.2 / 19c DB
— Step-by-Step Guide

Oracle EBS 12.2.xDatabase 19cSQL Tuning & SPMPerformance

DBMS_XPLANDBMS_SPMSQL Plan BaselineDBMS_STATSDBMS_SHARED_POOL

Scenario: The view CHPOZF_IC_UI_SEARCH_V runs in ~4 seconds on P04 and PRD, but hangs on P05. The fix involves identifying the bad execution plan, capturing the good plan from the healthy instance, and pinning it on P05 using SQL Plan Baselines (SPM) — Oracle's preferred plan stabilization mechanism in 19c.

Phase 1

Identify the SQL on P05 (Slow Instance)

Run the following queries on P05 as apps or system.

Step 1.1 — Find SQL_ID of the slow view query

SQL

col sql_id           for a15
col plan_hash_value  for 9999999999
col avg_sec          for 999.99
col last_active      for a20

SELECT sql_id,
       child_number,
       plan_hash_value,
       executions,
       ROUND(elapsed_time/GREATEST(executions,1)/1e6, 2) avg_sec,
       TO_CHAR(last_active_time,'YYYY-MM-DD HH24:MI:SS') last_active
FROM   v$sql
WHERE  UPPER(sql_text) LIKE '%CHPOZF_IC_UI_SEARCH_V%'
  AND  sql_text NOT LIKE '%v$sql%'
ORDER  BY last_active_time DESC;

Step 1.2 — Get full execution plan with actuals

SQL

-- Replace &sql_id and &child_number with values from Step 1.1
SELECT * FROM TABLE(
  DBMS_XPLAN.DISPLAY_CURSOR(
    '&sql_id',
    &child_number,
    'ALLSTATS LAST +PEEKED_BINDS +OUTLINE'
  )
);

⚠ Save this output! You need the Outline Data section for the SQL Profile in Phase 5.

Step 1.3 — Note the bad plan_hash_value

SQL

SELECT plan_hash_value FROM v$sql
WHERE  sql_id = '&sql_id' AND child_number = &child_number;

---

Phase 2

Capture the Good Plan from P04 / PRD

Step 2.1 — Find SQL_ID on P04/PRD

SQL

SELECT sql_id,
       child_number,
       plan_hash_value,
       ROUND(elapsed_time/GREATEST(executions,1)/1e6,2) avg_sec
FROM   v$sql
WHERE  UPPER(sql_text) LIKE '%CHPOZF_IC_UI_SEARCH_V%'
  AND  sql_text NOT LIKE '%v$sql%'
ORDER  BY elapsed_time/GREATEST(executions,1);

Step 2.2 — Capture good plan with OUTLINE

SQL

SELECT * FROM TABLE(
  DBMS_XPLAN.DISPLAY_CURSOR(
    '&good_sql_id',
    &good_child_number,
    'ALLSTATS LAST +PEEKED_BINDS +OUTLINE'
  )
);

Copy the Outline Data hints block from the output — you will use these hints in Phase 5 for SQL Profile creation.

---

Phase 3

Root Cause Diagnosis on P05

Step 3.1 — Compare optimizer parameters (run on BOTH instances)

SQL

SELECT name, value
FROM   v$parameter
WHERE  name IN (
  'optimizer_mode',
  'optimizer_features_enable',
  'db_file_multiblock_read_count',
  'optimizer_adaptive_plans',
  'optimizer_adaptive_statistics',
  '_optimizer_use_feedback',
  'statistics_level'
)
ORDER BY name;

Step 3.2 — Check stats on base tables of the view

SQL

-- Find base tables first
SELECT referenced_name AS table_name
FROM   dba_dependencies
WHERE  name            = 'CHPOZF_IC_UI_SEARCH_V'
  AND  type            = 'VIEW'
  AND  referenced_type = 'TABLE';

-- Check stats freshness
SELECT table_name,
       num_rows,
       blocks,
       last_analyzed,
       stattype_locked,
       stale_stats
FROM   dba_tab_statistics
WHERE  table_name IN (
  SELECT referenced_name FROM dba_dependencies
  WHERE  name = 'CHPOZF_IC_UI_SEARCH_V'
    AND  type = 'VIEW'
    AND  referenced_type = 'TABLE'
)
ORDER BY last_analyzed NULLS FIRST;

Step 3.3 — Check indexes on P05

SQL

SELECT i.table_name, i.index_name, i.status, i.visibility,
       i.last_analyzed, i.num_rows
FROM   dba_indexes i
WHERE  i.table_name IN (
  SELECT referenced_name FROM dba_dependencies
  WHERE  name = 'CHPOZF_IC_UI_SEARCH_V'
    AND  type = 'VIEW'
    AND  referenced_type = 'TABLE'
)
ORDER BY i.table_name, i.index_name;

Step 3.4 — Check adaptive plan / cardinality feedback (19c specific)

SQL

SELECT sql_id, child_number, is_resolved_adaptive_plan,
       is_reoptimizable, use_feedback_stats
FROM   v$sql_shared_cursor
WHERE  sql_id = '&p05_sql_id';

Root Cause	P05 Symptom	Fix
Stale / missing stats	Full table scans, bad cardinality estimates	Phase 4 — Gather stats
Different optimizer_mode	Different plan shape vs P04	Align parameter in P05
Missing index on P05	Full scan where P04 uses index range scan	Rebuild index
Bind variable peeking mismatch	Different plan_hash_value per execution	Phase 5 — Pin via SPM
19c Adaptive Plans interference	is_reoptimizable = Y	Disable feedback or pin plan

---

Phase 4

Fix Option A — Gather Fresh Stats (Try First)

Step 4.1 — Gather stats on base tables

SQL

-- Replace 'APPS' / 'YOUR_BASE_TABLE' with actual schema and table name
BEGIN
  DBMS_STATS.GATHER_TABLE_STATS(
    ownname          => 'APPS',
    tabname          => 'YOUR_BASE_TABLE',
    estimate_percent => DBMS_STATS.AUTO_SAMPLE_SIZE,
    method_opt       => 'FOR ALL COLUMNS SIZE AUTO',
    degree           => 4,
    cascade          => TRUE,
    no_invalidate    => FALSE
  );
END;
/

Step 4.2 — Flush the specific cursor (preferred over full shared pool flush)

SQL

DECLARE
  l_address  RAW(8);
  l_hash_val NUMBER;
BEGIN
  SELECT address, hash_value
  INTO   l_address, l_hash_val
  FROM   v$sqlarea
  WHERE  sql_id = '&p05_sql_id';

  DBMS_SHARED_POOL.PURGE(
    l_address || ',' || l_hash_val, 'C'
  );
END;
/

Re-run the view query and check avg execution time. If still slow — proceed to Phase 5.

---

Phase 5

Fix Option B — Pin Good Plan via SQL Plan Baseline (SPM)

Step 5A — Load good plan into SPM on P04/PRD

Run as SYS or user with ADMINISTER SQL MANAGEMENT OBJECT privilege.

SQL — On P04/PRD

DECLARE
  l_cnt PLS_INTEGER;
BEGIN
  l_cnt := DBMS_SPM.LOAD_PLANS_FROM_CURSOR_CACHE(
    sql_id          => '&good_sql_id',
    plan_hash_value => &good_plan_hash_value
  );
  DBMS_OUTPUT.PUT_LINE('Plans loaded: ' || l_cnt);
END;
/

Step 5B — Verify baseline created on P04/PRD

SQL — On P04/PRD

col sql_handle  for a30
col plan_name   for a35
col origin      for a20

SELECT sql_handle, plan_name, enabled, accepted, fixed, origin,
       TO_CHAR(created,'YYYY-MM-DD HH24:MI') created
FROM   dba_sql_plan_baselines
WHERE  sql_text LIKE '%CHPOZF_IC_UI_SEARCH_V%';

Step 5C — Create staging table on P04/PRD

SQL — On P04/PRD (as SYS)

BEGIN
  DBMS_SPM.CREATE_STGTAB_BASELINE(
    table_name  => 'SPM_XFER_STAGE',
    table_owner => 'SYSTEM',
    db_version  => '19.1.0.0.0'
  );
END;
/

Step 5D — Pack the baseline into staging table

SQL — On P04/PRD

DECLARE
  l_cnt PLS_INTEGER;
BEGIN
  l_cnt := DBMS_SPM.PACK_STGTAB_BASELINE(
    table_name  => 'SPM_XFER_STAGE',
    table_owner => 'SYSTEM',
    sql_handle  => '&sql_handle_from_5B'
  );
  DBMS_OUTPUT.PUT_LINE('Plans packed: ' || l_cnt);
END;
/

Step 5E — Export staging table via DataPump (OS level on P04/PRD)

Bash — OS

expdp system/password \
  tables=SYSTEM.SPM_XFER_STAGE \
  directory=DATA_PUMP_DIR \
  dumpfile=spm_xfer_p04.dmp \
  logfile=spm_xfer_p04.log

Step 5F — Transfer dump file to P05 server

Bash — OS

scp spm_xfer_p04.dmp oracle@p05_host:/u01/app/oracle/admin/P05/dpdump/

Step 5G — Import on P05

Bash — OS on P05

impdp system/password \
  tables=SYSTEM.SPM_XFER_STAGE \
  directory=DATA_PUMP_DIR \
  dumpfile=spm_xfer_p04.dmp \
  logfile=spm_xfer_p05_import.log \
  remap_schema=SYSTEM:SYSTEM

Step 5H — Unpack baseline into P05 SPM repository

SQL — On P05 (as SYS)

DECLARE
  l_cnt PLS_INTEGER;
BEGIN
  l_cnt := DBMS_SPM.UNPACK_STGTAB_BASELINE(
    table_name  => 'SPM_XFER_STAGE',
    table_owner => 'SYSTEM'
  );
  DBMS_OUTPUT.PUT_LINE('Plans unpacked: ' || l_cnt);
END;
/

Step 5I — Verify and mark baseline as FIXED on P05

SQL — On P05

-- Confirm it's accepted
SELECT sql_handle, plan_name, enabled, accepted, fixed
FROM   dba_sql_plan_baselines
WHERE  sql_text LIKE '%CHPOZF_IC_UI_SEARCH_V%';

-- Mark as FIXED so optimizer always uses this plan
DECLARE
  l_cnt PLS_INTEGER;
BEGIN
  l_cnt := DBMS_SPM.ALTER_SQL_PLAN_BASELINE(
    sql_handle      => '&sql_handle',
    plan_name       => '&plan_name',
    attribute_name  => 'FIXED',
    attribute_value => 'YES'
  );
END;
/

---

Phase 6

Validate the Fix on P05

SQL — On P05

-- Step 1: Purge old cursor
DECLARE
  l_address  RAW(8);
  l_hash_val NUMBER;
BEGIN
  SELECT address, hash_value
  INTO   l_address, l_hash_val
  FROM   v$sqlarea
  WHERE  sql_id = '&p05_sql_id';
  DBMS_SHARED_POOL.PURGE(l_address||','||l_hash_val,'C');
END;
/

-- Step 2: Re-run view query, then check new plan
SELECT * FROM TABLE(
  DBMS_XPLAN.DISPLAY_CURSOR(
    '&new_sql_id', NULL,
    'ALLSTATS LAST +PEEKED_BINDS'
  )
);

-- SUCCESS: Look for this line in output:
-- "SQL plan baseline SQL_PLAN_xxx used for this statement"

✓ Confirmation: If the plan output contains SQL plan baseline SQL_PLAN_xxx used for this statement — the fix is successful.

---

Summary

Decision Flow — Which Fix to Apply

P05 view query is slow? │ ├── Stats stale/missing? ──YES──► Gather stats (Phase 4) → retest │ ├── optimizer params differ? ──YES──► Align parameter with P04 │ or set at session level │ ├── Index missing on P05? ──YES──► Rebuild index → gather stats │ └── Plan just wrong? ──────────► SPM Baseline transfer (Phase 5)

Oracle EBS 12.219c DatabaseSQL TuningSPMApps DBADBMS_STATSPerformance

Oracle Apps DBA BlogEBS 12.2 / 19c Field Notes

spluk

 Oracle EBS 12.2  ·  SIEM Engineering

Complete Guide: Capturing Oracle EBS 12.2 Logs in Splunk

A production-grade reference covering all 8 tiers — from the DB alert log to DMZ extranet servers, WAF, SiteMinder, OAM WebGate, and custom automation feeds. 80+ log sources. No log left behind.

· Oracle Apps DBA Lead· Oracle Solaris 11.4 SPARC· EBS 12.2.x Production· Splunk Universal Forwarder

8+

Log layers

80+

Log sources

5

DMZ hops

24/7

Coverage

Table of Contents

1. 01. Why Splunk for Oracle EBS?
2. 02. Application Tier Logs
3. 03. WebLogic Server (WLS) Logs
4. 04. Database Tier Logs
5. 05. OS / Solaris 11.4 Logs
6. 06. Security & Threat Detection Logs
7. 07. Monitoring & Automation Feeds
8. 08. Infrastructure / Storage / Network
9. 09. Patching / ADOP / Change Logs
10. 10. DMZ & Extranet EBS — Full Log Strategy
11. 11. Splunk inputs.conf Reference
12. 12. SPL Correlation Queries

01

Why Splunk for Oracle EBS?

Oracle E-Business Suite 12.2 generates logs across a sprawling multi-tier stack — OHS, WebLogic, Oracle DB, Solaris OS, OAM, SiteMinder, ADOP, and custom automation scripts. Without centralised log aggregation, an incident that spans even two layers can take hours to diagnose.

Splunk bridges this gap by ingesting all these sources into a single searchable platform, enabling real-time alerting, cross-layer correlation, and forensic investigation.

Post-CL0P Ransomware Context: The CL0P ransomware campaign specifically targeted Oracle EBS environments via unpatched JSP endpoints. Complete Splunk coverage — especially JSP endpoint monitoring on OHS access logs and DB audit trails — is no longer optional.

02

Application Tier Logs

The application tier covers the full request lifecycle — OHS web entry point, OAF/Forms, Concurrent Manager, and ADOP patching artefacts.

Log	Path	Source Type	Priority
Apache/OHS access	$INST_TOP/logs/ora/10.1.3/Apache/access_log	oracle:ebs:ohs:access	P1
Apache/OHS error	$INST_TOP/logs/ora/10.1.3/Apache/error_log	oracle:ebs:ohs:error	P1
OA Framework / JSP errors	$INST_TOP/logs/ora/10.1.3/j2ee/	oracle:ebs:oaf	P1
OPMN process log	$INST_TOP/logs/ora/10.1.3/opmn/	oracle:ebs:opmn	P2
Forms server	$INST_TOP/logs/ora/10.1.3/forms/	oracle:ebs:forms	P2
Concurrent Manager startup	$APPLCSF/$APPLLOG/	oracle:ebs:cm:manager	P1
Concurrent request logs	$APPLCSF/$APPLLOG/*.req	oracle:ebs:cm:request:log	P2
Concurrent request output	$APPLCSF/$APPLOUT/*.out	oracle:ebs:cm:request:out	P3
ADOP patch logs	$NE_BASE/EBSapps/patch/	oracle:ebs:adop	P2
AutoConfig logs	$INST_TOP/admin/log/	oracle:ebs:autoconfig	P3

03

WebLogic Server (WLS) Logs

WLS is the critical Java EE container underpinning EBS 12.2. These logs are the first place to look for SSO login failures, 500 errors on the external portal, OAM redirect loops, and JDBC pool exhaustion.

Real-world case: A production CORP EBS SSO login performance issue traced to a CRP Test OAM server being referenced instead of production was first visible in the WLS managed server log — not the OHS access log.

Log	Path	Source Type	Priority
AdminServer log	$DOMAIN_HOME/servers/AdminServer/logs/AdminServer.log	oracle:wls:admin	P1
Managed server log	$DOMAIN_HOME/servers/EBS_managed*/logs/*.log	oracle:wls:managed	P1
WLS access log	$DOMAIN_HOME/servers/*/logs/access.log	oracle:wls:access	P1
OAM/SSO integration log	$DOMAIN_HOME/servers/*/logs/	oracle:wls:oam	P1
GC / JVM heap log	$FMW_HOME/../domain/logs/*.log	oracle:wls:jvm	P2
WLS Node Manager log	$WL_HOME/common/nodemanager/*.log	oracle:wls:nodemanager	P2
WLS JDBC datasource log	$DOMAIN_HOME/servers/*/logs/	oracle:wls:jdbc	P2
WLS deployment log	$DOMAIN_HOME/servers/*/logs/	oracle:wls:deploy	P3

04

Database Tier Logs

The DB alert log is the single highest-priority log in any EBS environment. It surfaces ORA- errors, startup/shutdown events, redo switches, deadlocks, and block corruption — all in one place.

Log	Path	Source Type	Priority
DB alert log	$ORACLE_BASE/diag/rdbms/<db>/<SID>/trace/alert_<SID>.log	oracle:db:alert	P1
Listener log (XML)	$ORACLE_BASE/diag/tnslsnr/<host>/listener/alert/log.xml	oracle:db:listener	P1
DB audit trail (AUD$)	$ORACLE_BASE/admin/<SID>/adump/*.aud	oracle:db:audit	P1
FGA audit (FGA_LOG$)	DB view → flat file extract	oracle:db:fga	P1
Trace files	$ORACLE_BASE/diag/rdbms/<db>/<SID>/trace/*.trc	oracle:db:trace	P1
RMAN backup log	$ORACLE_BASE/admin/<SID>/log/	oracle:db:rman	P2
Data Pump log	$DATA_PUMP_DIR/*.log	oracle:db:datapump	P3
FND_LOGINS (app audit)	DB extract → flat file	oracle:ebs:fnd:logins	P1
FND_UNSUCCESSFUL_LOGINS	DB extract → flat file	oracle:ebs:fnd:auth_fail	P1
AD_PATCH_HIST	DB extract → flat file	oracle:ebs:patch:hist	P2

05

OS / Solaris 11.4 Logs

Oracle Solaris 11.4 SPARC has a distinct log layout from Linux. Syslog lives in /var/adm/messages, auth in /var/log/authlog, and C2/BSM audit in /var/audit/. The SMF service log is Solaris-specific and frequently missed in Splunk deployments.

Log	Path	Source Type	Priority
Syslog / messages	/var/adm/messages	solaris:syslog	P1
Auth log	/var/log/authlog	solaris:auth	P1
Cron log	/var/cron/log	solaris:cron	P2
Audit log (BSM/C2)	/var/audit/	solaris:bsm	P2
ZFS / Volume manager	/var/adm/messages (zpool events)	solaris:zfs	P2
NFS / mount events	/var/adm/messages	solaris:nfs	P1
SMF service log	/var/svc/log/*.log	solaris:smf	P2
Disk / SCSI errors	/var/adm/messages	solaris:disk	P1
Core dump events	/var/core/	solaris:coredump	P2
Network interface errors	kstat / snoop logs	solaris:network	P2

06

Security & Threat Detection Logs

Security-focused logs deserve their own tier. Several are DB extracts that require a scheduled export script to make them Splunk-consumable as flat files. These feed SOC dashboards, incident response playbooks, and compliance reports.

Log	Source	Source Type	Priority
OHS access — JSP endpoints	access_log (filtered)	oracle:ebs:ohs:access	P1
EBS FND security events	FND_EVENTS_Q extract	oracle:ebs:fnd:security	P1
SiteMinder / FCC log	$OAM_HOME/../logs/	oracle:oam:siteminder	P1
OAM access server log	$OAM_HOME/../logs/	oracle:oam:access	P1
OS sudo / privilege log	/var/log/authlog	solaris:sudo	P1
File integrity events	AIDE / Solaris BART	security:fim	P1
Network IDS alerts	Snort/Suricata/Sourcefire	security:ids	P1
Oracle AVDF / DB Vault	AVDF export	oracle:avdf	P2
Patch compliance gaps	ADOP / OEM feed	oracle:ebs:patch:compliance	P2

07

Monitoring & Automation Feeds

Custom automation scripts encode your team's institutional knowledge about what "healthy" looks like. Treat them as first-class Splunk sources, not afterthoughts. These feeds are especially valuable for trend analysis and proactive alerting.

Feed	Source	Source Type	Priority
OEM metric alerts	OEM → syslog bridge	oracle:oem:alert	P1
PagerDuty incident feed	PagerDuty REST → HEC	pagerduty:incident	P2
Datadog APM spans	Datadog → HEC	datadog:apm	P2
FlexDeploy deploy log	FlexDeploy log export	flexdeploy:deploy	P2
ServiceNow change records	SNOW REST feed	snow:change	P2
mount_monitor.sh output	/var/log/mount_monitor.log	custom:mount_monitor	P1
Batch consolidation report (72 programs)	HTML email + log file	custom:batch_monitor	P1
copy_clonebkp.sh exit codes	syslog or log file	custom:clone_pipeline	P2
CORP_QCC_RELINK output	Log file	custom:relink	P2
EBS URL extractor report	HTML email + log	custom:url_extractor	P3

08

Infrastructure / Storage / Network

NTP is often overlooked: Clock drift on any EBS tier silently breaks Kerberos token validity and OAM session handling. Monitor NTP sync on ALL hosts — internal and DMZ — as a P1 operational alert.

Log	Source	Source Type	Priority
Storage array log	NetApp/EMC syslog	storage:array	P1
SAN switch log	Brocade/Cisco FC syslog	storage:san	P1
Load balancer log	F5/Oracle LBR syslog	network:lb	P1
Firewall / ACL log	Firewall syslog	network:firewall	P1
DNS resolution log	BIND / Unbound log	network:dns	P2
IPMI / iLO / ILOM hardware	IPMI syslog	hardware:ipmi	P1
Backup agent log	Veritas/Commvault agent	backup:agent	P2
NTP sync log	ntpd / chrony log	infra:ntp	P2

09

Patching / ADOP / Change Logs

ADOP introduced online patching for EBS 12.2. Each phase generates distinct log artefacts. Capturing these phase-by-phase enables automatic change window validation and unauthorized patch detection — including out-of-window DFF recompilation events.

Log	Path	Source Type	Priority
ADOP prepare phase	$NE_BASE/EBSapps/patch/*/log/adop_*.log	oracle:ebs:adop:prepare	P1
ADOP apply phase	$NE_BASE/EBSapps/patch/*/log/adop_*.log	oracle:ebs:adop:apply	P1
ADOP finalize phase	$NE_BASE/EBSapps/patch/*/log/adop_*.log	oracle:ebs:adop:finalize	P1
ADOP cleanup phase	$NE_BASE/EBSapps/patch/*/log/adop_*.log	oracle:ebs:adop:cleanup	P2
ADOP worker log	$NE_BASE/EBSapps/patch/*/log/worker*.log	oracle:ebs:adop:worker	P2
AD_PATCH_HIST extract	DB extract → flat file	oracle:ebs:patch:hist	P1
AutoPatch log	$APPL_TOP/admin/log/	oracle:ebs:autopatch	P2
DFF / flex compilation log	Concurrent req log + AD worker	oracle:ebs:dff:compile	P3

---

10

DMZ & Extranet EBS — Full Log Strategy

This is the section most teams get wrong. The DMZ/extranet layer is not just "another OHS server" — it is a separate attack surface with distinct authentication infrastructure, network controls, and external-facing modules. A Splunk deployment that treats DMZ hosts the same as internal hosts will have critical blind spots.

DMZ Traffic Flow — Log Capture at Every Hop

External user

→

FW1 ①

→

WAF / F5 LBR

→

DMZ OHS (SSL term.)

→

OAM WebGate / SiteMinder

→

FW2 ②

→

Internal WLS / OAM

→

Oracle DB

Critical distinction: The DMZ OHS access log captures real external client IPs. The internal OHS access log shows only the DMZ proxy IP. Both logs are mandatory for end-to-end IP correlation during incident investigation. Tag them with different host values in inputs.conf.

Layer 1 — Perimeter / WAF / External Load Balancer

Log	Source	Source Type	Priority
F5 BIG-IP access log	F5 syslog → Splunk	network:lb:access	P1
F5 BIG-IP SSL log	F5 syslog	network:lb:ssl	P1
WAF alert log	F5 ASM / ModSecurity	network:waf:alert	P1
WAF traffic log	F5 ASM / ModSecurity	network:waf:traffic	P1
External firewall (FW1)	Firewall syslog	network:fw:external	P1

Layer 2 — DMZ OHS / Reverse Proxy (SSL Termination)

Log	Path	Source Type	Priority
DMZ OHS access log	$INST_TOP/logs/ora/10.1.3/Apache/access_log (DMZ host)	oracle:ebs:dmz:ohs:access	P1
DMZ OHS error log	$INST_TOP/logs/ora/10.1.3/Apache/error_log (DMZ host)	oracle:ebs:dmz:ohs:error	P1
SSL/TLS error log	$INST_TOP/logs/ora/10.1.3/Apache/ssl_error_log	oracle:ebs:dmz:ssl	P1
mod_proxy / mod_rewrite log	Apache error log (rewrite debug)	oracle:ebs:dmz:proxy	P2
OHS OPMN (DMZ)	$INST_TOP/logs/ora/10.1.3/opmn/ (DMZ)	oracle:ebs:dmz:opmn	P2

Layer 3 — Authentication: SiteMinder + OAM WebGate

Log	Path	Source Type	Priority
SiteMinder Web Agent log	$NETE_WA_ROOT/webagent.log	oracle:siteminder:webagent	P1
SiteMinder Policy Server log	$SMPS_HOME/log/smps.log	oracle:siteminder:policy	P1
SiteMinder Audit log	$SMPS_HOME/log/smaccess.log	oracle:siteminder:audit	P1
FCC (Forms Credential Collector) log	SiteMinder Web Agent log	oracle:siteminder:fcc	P1
SiteMinder session store log	LDAP / SQL session DB	oracle:siteminder:session	P2
OAM WebGate log (DMZ)	$WEBGATE_HOME/oblix/log/	oracle:oam:webgate:dmz	P1
OAM Access Server log	$OAM_HOME/oblix/log/	oracle:oam:access	P1
OAM Audit log	$OAM_HOME/oblix/log/obaudit.log	oracle:oam:audit	P1
OID / LDAP access log	$ORACLE_HOME/ldap/log/	oracle:oid:access	P2

Layer 4 — External-Facing EBS Modules

Module	Filter Pattern	Source Type	Priority
iSupplier Portal	/OA_HTML/OA.jsp?OAFunc=ISUPPLIER*	oracle:ebs:isupplier:access	P1
XML Gateway / B2B	WLS log + $INST_TOP/logs	oracle:ebs:xmlgw	P1
Guest / anonymous sessions	FND_LOGINS (GUEST user extract)	oracle:ebs:fnd:guest	P1
iRecruitment	OHS access log (filtered by function)	oracle:ebs:irecruitment:access	P2
Self-Service HR (SSHR)	OHS access log (filtered)	oracle:ebs:sshr:access	P2
iStore / Quoting	OHS access log (filtered)	oracle:ebs:istore:access	P2

XML Gateway is high-risk: B2B/EDI inbound payloads can arrive unauthenticated in some configurations. Monitor for abnormal payload sizes, unexpected source IPs, and calls outside business hours.

Layer 5 — DMZ Network & Infrastructure

Log	Source	Source Type	Priority
Internal firewall (FW2)	FW2 syslog (DMZ → internal)	network:fw:internal	P1
IDS / IPS alerts (DMZ)	Snort/Suricata/Sourcefire	security:ids:dmz	P1
SSL certificate expiry alerts	Cert manager / cron check	security:cert:expiry	P1
DMZ switch log	Cisco/Juniper syslog	network:switch:dmz	P2
Reverse DNS failure log	DNS server log	network:dns:dmz	P2
NTP sync (DMZ hosts)	chrony/ntpd log	infra:ntp:dmz	P1

Layer 6 — DMZ OS & Bastion Host

Log	Path	Source Type	Priority
DMZ host syslog	/var/adm/messages (DMZ Solaris)	solaris:syslog:dmz	P1
DMZ auth log	/var/log/authlog (DMZ Solaris)	solaris:auth:dmz	P1
Bastion / jump host auth	/var/log/authlog (bastion)	security:bastion:auth	P1
Bastion session recording	/var/log/bastion/sessions/ (CyberArk/Teleport)	security:bastion:session	P1
DMZ cron log	/var/cron/log (DMZ)	solaris:cron:dmz	P2
DMZ BSM audit	/var/audit/ (DMZ)	solaris:bsm:dmz	P2

---

11

Splunk inputs.conf Reference

Representative inputs.conf snippets for both internal and DMZ Universal Forwarder deployments on Solaris 11.4.

inputs.conf — Internal Tier (Solaris UF)

# DB Alert Log
[monitor://$ORACLE_BASE/diag/rdbms/*/*/trace/alert_*.log]
index = oracle_db
sourcetype = oracle:db:alert
host = EBSPROD_DB01

# OHS Access Log
[monitor://$INST_TOP/logs/ora/10.1.3/Apache/access_log]
index = ebs_app
sourcetype = oracle:ebs:ohs:access
host = EBSPROD_APP01

# WLS Managed Server
[monitor://$DOMAIN_HOME/servers/*/logs/*.log]
index = ebs_app
sourcetype = oracle:wls:managed

# Concurrent Manager
[monitor://$APPLCSF/$APPLLOG/*]
index = ebs_batch
sourcetype = oracle:ebs:cm:manager

# ADOP Patch Logs
[monitor://$NE_BASE/EBSapps/patch/*/log/*.log]
index = ebs_change
sourcetype = oracle:ebs:adop

# Solaris OS Logs
[monitor:///var/adm/messages]
index = os_internal
sourcetype = solaris:syslog

[monitor:///var/log/authlog]
index = os_security
sourcetype = solaris:auth

# Custom Automation
[monitor:///var/log/mount_monitor.log]
index = custom_ops
sourcetype = custom:mount_monitor

inputs.conf — DMZ Tier (Solaris UF)

# DMZ OHS — separate index from internal OHS
[monitor://$INST_TOP/logs/ora/10.1.3/Apache/access_log]
index = ebs_dmz
sourcetype = oracle:ebs:dmz:ohs:access
host = EBSDMZ_OHS01

# SiteMinder Web Agent
[monitor://$NETE_WA_ROOT/webagent.log]
index = ebs_security
sourcetype = oracle:siteminder:webagent

# SiteMinder Audit
[monitor://$SMPS_HOME/log/smaccess.log]
index = ebs_security
sourcetype = oracle:siteminder:audit

# OAM WebGate (DMZ)
[monitor://$WEBGATE_HOME/oblix/log/*]
index = ebs_security
sourcetype = oracle:oam:webgate:dmz

# DMZ OS Logs
[monitor:///var/adm/messages]
index = os_dmz
sourcetype = solaris:syslog:dmz
host = EBSDMZ_HOST01

[monitor:///var/log/authlog]
index = os_dmz
sourcetype = solaris:auth:dmz

12

SPL Correlation Queries

Production-ready SPL searches for the most common cross-layer alert scenarios covering internal, DMZ, and security tiers.

Detect external IP bypassing WAF

index=ebs_dmz sourcetype=oracle:ebs:dmz:ohs:access
| where NOT src_ip IN ("<<WAF_IP_LIST>>")
| stats count by src_ip, uri
| where count > 5

FCC 500 error detection (SiteMinder)

index=ebs_security sourcetype=oracle:siteminder:webagent
  (fcc OR redirect) (error OR fail OR 500)
| timechart span=5m count by host

Brute force on extranet login

index=ebs_security sourcetype=oracle:siteminder:audit action=REJECT
| bucket _time span=5m
| stats count by src_ip, _time
| where count > 10

ORA- errors in DB alert log (P1 alert)

index=oracle_db sourcetype=oracle:db:alert
  (ORA-600 OR ORA-7445 OR ORA-4031 OR ORA-1555)
| rex field=_raw "(?P<ora_error>ORA-\d+)"
| stats count by ora_error, host
| sort -count

SSL certificate expiry < 30 days

index=infra sourcetype=security:cert:expiry
| where days_to_expiry < 30
| table cn, expiry_date, host, days_to_expiry
| sort days_to_expiry

ADOP patch applied outside change window

index=ebs_change sourcetype=oracle:ebs:adop:apply
| eval hour=strftime(_time,"%H")
| where hour < 22 AND hour > 6
| stats count by host, _time, patch_id

CM batch job failure rate (QCT production)

index=ebs_batch sourcetype=oracle:ebs:cm:request:log
  completion_status=ERROR
| timechart span=1h count as failures
| where failures > 5

Tags

oracle-ebssplunkebs-12.2siemoracle-apps-dbadmzsiteminderoam-webgateweblogicsolaris-11adopsecurity-hardeninglog-managementclop-ransomwareextranet-ebs