Database Reference
In-Depth Information
The audit configuration shown so far in this section will work as shown for 11g, but for 12c the DB audit trail
commands need to be executed from the CDB, not from the PDB. Audit trail settings must be done from the CDB. If
you attempt from the PDB, you will receive an error as follows:
SQL> alter system set audit_syslog_level='local4.info' scope=spfile;
alter system set audit_syslog_level='local4.info' scope=spfile
*
ERROR at line 1:
ORA-02065: illegal option for ALTER SYSTEM
Following is an excerpt of two syslog audit entries showing a connection to the CDB and then to the PDB of a 12c
database server. Note that the number contained within square angle brackets is the number of characters contained
within the actual field afterward. In 12c, the PDBs and CBD will have different DBIDs, as can be seen in this example.
Sep 4 03:41:37 orlin Oracle Audit[12296]: LENGTH : '159' ACTION :[7] 'CONNECT' DATABASE USER:[1]
'/' PRIVILEGE :[4] 'NONE' CLIENT USER:[6] 'oracle' CLIENT TERMINAL:[6] 'pts/17' STATUS:[4] '1017'
DBID:[9] '751089987'
Sep 4 03:42:21 orlin Oracle Audit[12655]: LENGTH : '162' ACTION :[7] 'CONNECT' DATABASE USER:[3]
'SYS' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'oracle' CLIENT TERMINAL:[6] 'pts/17' STATUS:[1] '0'
DBID:[10] '2267081778'
Management and Reporting
For the purpose of log file management, Solaris has the built-in logadm command, which I have found to be reliable.
See this URL for more information:
http://www.c0t0d0s0.org/archives/6394-Less-known-Solaris-features-logadm.html
Here is an example of a server-side logadm rotation command, which compresses (-C) the files, except for the
last file, which is given by -z . The rotation is done daily as controlled by -p 1d .
logadm -w /export/oracle_syslog/oracle.log -C 8 -c -p 1d -t '/export/oracle_syslog/oracle.log.$n' -z 1
The following is a single syslog entry, shown first on Solaris and then on Linux. The formatting difference between
Solaris and Linux means it is best to log Solaris and Linux to separate files, so that they can be searched more easily.
Solaris Syslog:
Dec 10 16:26:28 aelab1-1.net Oracle Audit[1221]: [ID 621492 local7.info]
Dec 10 16:26:28 aelab1-1.net DATABASE USER: '/'
Dec 10 16:26:28 aelab1-1.net PRIVILEGE : SYSDBA
Dec 10 16:26:28 aelab1-1.net CLIENT USER: oracle
Dec 10 16:26:28 aelab1-1.net CLIENT TERMINAL: pts/1
Linux Syslog:
Sep 28 11:37:24 oracle Oracle Audit[23714]: SESSIONID: "24523"
ENTRYID: "57" STATEMENT: "8" USERID: "SCOTT" USERHOST: "ro-rac3"
TERMINAL: "pts/2" ACTION: "103" RETURNCODE: "0" OBJ$CREATOR: "SCOTT" OBJ$NAME:
"TEST" SES$ACTIONS: "---------S------"
SES$TID: "154816" OS$USERID: "oracle"
 
Search WWH ::




Custom Search