Audit log

Oracle auditing is the monitoring and recording of selected user database actions. Oracle database has two major kinds of auditing:

  1. Standard Audit Trail includes:
    • Administrative privilege connection
    • Database startup/shutdown
    • SQL statement
    • Privileges
    • Schema object
    • Network

  2. Fine Grained Audit Trail includes:
    • Audit Delete/Merge/Update/Query actions against database tables.
    • Audit based on a Boolean condition check. If the Boolean condition you specify is true (for example, a table being accessed on a Saturday), the audit takes place.

The table below provides the default location of the log file and a query you can run in case the location has changed.

| Log format | Oracle version | Tags | Default file location |
|---|---|---|---|
| Plain text | 10g/11g/12c (Linux), 11g/12c (Windows) | oracle.audit.text | `$ORACLE_BASE/admin/$ORACLE_SID/adump/*.aud`. Query this location by issuing: `show parameter AUDIT_FILE_DEST;` |
| XML | 10g/11g/12c (Linux and Windows) | oracle.audit.xml | `$ORACLE_BASE/admin/$ORACLE_SID/adump/*.xml`. Query this location by issuing: `show parameter AUDIT_FILE_DEST;` |

  • Oracle Database administrators can configure the database to write the audit trail in plain text format or in XML format.
  • The add-on can parse the standard audit trail in either text format or XML format, but it can parse the fine-grained audit trail in XML format only.
  • When audit trails are in XML format, the audit or AUDITTYPE field indicates whether an audit record belongs to a Standard, SYS, Fine-grained, or Mandatory audit trail.

You can create Devo alerts and dashboards by monitoring audit events. For example, alerts or dashboards can display the following information:

  • when and which client connects to the database as SYSDBA
  • the failed actions
  • when and which client did a drop/update/select against the target tables
  • who had login failures and how many happened

  • The Oracle Database administrator needs to configure the audit trail to write to the Operating System file system.
  • On Windows, plain text audit records write to the Windows Event Viewer Service, instead of persisting in the OS file system. Pulling files from the Windows Event Viewer Service is not supported.

For more information about how to set up Oracle database Operating System Audit, please refer to the Oracle Database Security Guide 10g/11g/12c.
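
The first two alert ideas listed above (SYSDBA connections and failed actions), as an added example that is not part of the original page or of any vendor's code: a small Python parser run over constructed plain-text audit records. The record layout (a timestamp line followed by NAME:[length] 'value' fields, with STATUS '0' meaning success) is an assumption based on typical 11g .aud output, and the sample values and function names are made up for illustration.

```python
import re

# Constructed sample records (assumed 11g-style plain-text layout, trimmed).
SAMPLE_AUD = """\
Thu Mar  5 10:12:01 2015 +00:00
LENGTH : '160'
ACTION :[7] 'CONNECT'
DATABASE USER:[1] '/'
PRIVILEGE :[6] 'SYSDBA'
CLIENT USER:[6] 'oracle'
STATUS:[1] '0'

Thu Mar  5 10:15:44 2015 +00:00
LENGTH : '163'
ACTION :[7] 'CONNECT'
DATABASE USER:[3] 'sys'
PRIVILEGE :[4] 'NONE'
CLIENT USER:[4] 'jdoe'
STATUS:[4] '1017'
"""

FIELD = re.compile(r"^([A-Z ]+?)\s*:\[\d+\]\s*'(.*)'\s*$")

def parse_records(text):
    """Blank lines separate records; line 1 is the timestamp; LENGTH (no [n]) is skipped."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        rec = {"TIMESTAMP": lines[0].strip()}
        for line in lines[1:]:
            m = FIELD.match(line)
            if m:
                rec[m.group(1)] = m.group(2)
        if "ACTION" in rec:  # skip a file header or malformed blocks
            records.append(rec)
    return records

def findings(records):
    """Flag failed actions (non-zero STATUS) and successful SYSDBA connects."""
    out = []
    for r in records:
        who = (r["TIMESTAMP"], r.get("CLIENT USER"))
        if r.get("STATUS", "0") != "0":
            out.append(("failed_action",) + who)
        elif r.get("ACTION") == "CONNECT" and r.get("PRIVILEGE") == "SYSDBA":
            out.append(("sysdba_connect",) + who)
    return out

if __name__ == "__main__":
    print(findings(parse_records(SAMPLE_AUD)))
```

Records whose ACTION value spans several lines (for example long SQL text) are not handled by this line-by-line parser.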

The audit log source types map to the following CIM data models: 

| Tags | CIM Data Models |
|---|---|
| oracle.audit.text | Change Analysis data model object: Account_Management; Authentication data model object: Authentication |
| oracle.audit.xml, oracle.accountManagement | Change Analysis data model object: Account_Management |
