Syslog Facility
A new feature of Oracle10g is the ability to write audit trails using the syslog facility on UNIX systems. This facility consists of a daemon process named syslogd (see man syslogd) that accepts log messages from applications via the syslog C library function (see man syslog). The configuration file for syslogd is usually /etc/syslog.conf and log messages go to files in /var/log or /var/adm depending on the UNIX variant. The log file name is determined by a string that consists of a facility name and a priority or level. Most of these may be used when setting AUDIT_SYSLOG_LEVEL. Each entry in /etc/syslog.conf assigns a log file name to a certain combination of facility and priority. By placing the entry user.notice /var/log/oracle_dbms into the file syslog.conf and telling syslogd to reread the configuration file by sending it a hang-up signal with the command kill,¹ any subsequent log entries from an ORACLE instance with the setting AUDIT_SYSLOG_LEVEL=user.notice will be recorded in the file /var/log/oracle_dbms.
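A check for the mapping described above, added here as an example and not taken from the original text or from Oracle: it reads syslog.conf text and reports which log files would receive a message sent with a given AUDIT_SYSLOG_LEVEL. It goes beyond the single user.notice entry by assuming sysklogd-style selector rules (a priority selects that level and higher, "=" selects one level, "none" excludes a facility, "!" is not handled); the function names and the sample configuration are constructed for illustration.

```python
# Added example: which files does a sysklogd-style syslog.conf route an
# AUDIT_SYSLOG_LEVEL=facility.priority message to? (Selector rules are assumed.)
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]

def parse_rules(conf_text):
    """Return [(selectors, action)] from syslog.conf text, skipping comments."""
    rules = []
    for line in conf_text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            rules.append((parts[0].split(";"), parts[1].strip()))
    return rules

def selector_verdict(selector, facility, priority):
    """True = selects, False = excludes (.none), None = leaves the result as is."""
    facs, _, prio = selector.rpartition(".")
    if facs != "*" and facility not in facs.split(","):
        return None
    if prio == "none":
        return False
    if prio == "*":
        return True
    if prio.startswith("="):                      # exactly this level only
        return True if prio[1:] == priority else None
    if prio not in PRIORITIES:
        return None
    return True if PRIORITIES.index(priority) >= PRIORITIES.index(prio) else None

def audit_destinations(conf_text, audit_syslog_level):
    """List the log files that receive messages for this AUDIT_SYSLOG_LEVEL."""
    facility, priority = audit_syslog_level.lower().split(".")
    if priority not in PRIORITIES:
        raise ValueError("unknown priority: " + priority)
    files = []
    for selectors, action in parse_rules(conf_text):
        selected = False
        for sel in selectors:                     # later selectors refine earlier ones
            verdict = selector_verdict(sel, facility, priority)
            if verdict is not None:
                selected = verdict
        path = action.lstrip("-")                 # "-/path" means unsynced file write
        if selected and path.startswith("/"):
            files.append(path)
    return files

# Constructed sample configuration, not taken from a real host.
SAMPLE_CONF = ("# constructed sample\n"
               "*.info;mail.none;user.none\t/var/log/messages\n"
               "user.notice\t/var/log/oracle_dbms\n"
               "local0.=debug\t-/var/log/debug_only\n")

if __name__ == "__main__":
    print(audit_destinations(SAMPLE_CONF, "user.notice"))
```

An empty result means no entry matches the chosen level, so audit records sent to syslog would not be written to any file.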
Introduction to Auditing
On UNIX systems, CONNECT, STARTUP, and SHUTDOWN of an ORACLE instance with SYSDBA or SYSOPER privileges are unconditionally audited to files with extension .aud in $ORACLE_HOME/rdbms/audit or a directory specified with the parameter AUDIT_FILE_DEST.² Oracle9i was the first release that had the capability of auditing actions other than CONNECT, STARTUP, and SHUTDOWN performed with SYSDBA or SYSOPER privileges by setting AUDIT_SYS_OPERATIONS=TRUE.
Figure 1-1. Event Details in Windows Event Viewer
1. Use kill -HUP `cat /var/run/syslogd.pid` on Red Hat Linux.
2. AUDIT_FILE_DEST is used as soon as an instance has started. When connecting as SYSDBA or SYSOPER while an instance is down, the default audit file destination $ORACLE_HOME/rdbms/audit is used.