OS: the audit trail is written to operating system files, in the location specified by the audit_file_dest parameter.
ORACLE 10G AUDIT ALL WINDOWS
On Windows, the audit trail is recorded in the Windows event log; on Linux/Unix, it is recorded in the file location specified by the audit_file_dest parameter.

DB: the audit trail is recorded in the audit-related database tables, such as AUD$. The audit results contain only connection information.

DB, Extended: in addition to the connection information, the audit records also include the specific statements that were executed.

The default is false. When set to true, all operations by SYS users (including users logged in as sysdba or sysoper) are recorded. This audit trail cannot be written to the AUD$ table, which is easy to understand: if the database has not been started, AUD$ is not available, so connection information such as conn / as sysdba can only be recorded elsewhere.

Regardless of whether database auditing is enabled, the operating system always records the following operations: connecting to the instance with administrator privileges, starting the database, and shutting down the database.

Rising by UNIFIED_AUDIT_TRAIL.

Auditing monitors the database operations performed by users. Oracle stores the audit trail either in OS files (the default location is $ORACLE_BASE/admin/$ORACLE_SID/adump/) or in the database (in the SYS.AUD$ table in the SYSTEM tablespace, viewable through the dba_audit_trail view).

Many Oracle log files offer the option of a plain text format or an XML format. You can choose to configure the logs in either of these formats because this add-on supports field extractions for both formats. In general, XML-formatted logs have more verbose information and are easier to parse, but may occupy more OS disk space. You can customize the location and name of most log files in Oracle. The table below provides the default location for each log file and a query that you can run in case the location has changed. More information about the different log and event data supported by this add-on is available below the table.

All listed source types based on log files are for Oracle Versions 11g/12.1/12.2/19c

$ORACLE_BASE/admin/$ORACLE_SID/adump/*.aud
    Query this location by issuing show parameter AUDIT_FILE_DEST
$ORACLE_BASE/admin/$ORACLE_SID/adump/*.xml
$ORACLE_BASE/diag/rdbms/$ORACLE_SID/$ORACLE_SID/trace/alert_$ORACLE_SID.log
    Query this location by issuing select value from v$diag_info where name = 'Diag Trace'
$ORACLE_BASE/diag/rdbms/$ORACLE_SID/$ORACLE_SID/alert/log.xml
    Query this location by issuing select value from v$diag_info where name = 'Diag Alert'
$ORACLE_BASE/product/db_1/network/log/listener.log
    Query this location by running lsnrctl status
$ORACLE_BASE/diag/tnslsnr/$HOST_NAME/listener/alert/log.xml
$ORACLE_BASE/diag/rdbms/$ORACLE_SID/$ORACLE_SID/incident/*/*.trc
    Query this location by issuing select value from v$diag_info where name = 'Diag Incident'
$ORACLE_HOME/admin/$ORACLE_SID/udump/*.trc
$ORACLE_HOME/diag/rdbms/$ORACLE_SID/$ORACLE_SID/trace
    Query this location by issuing show parameter USER_DUMP_DEST

Collect the following metrics using Splunk DB Connect.

The source types are based on specific database tables or views to get the essential type of data (e.g. V$SESSION or DBA_TABLESPACES to get session or tablespace information). Additional tables or views may be involved to collect more detailed information (e.g. V$INSTANCE beside V$SESSION to build oracle:session events) or for other reasons (e.g. DUAL for oracle:sga).

Date columns or the current date (index time) can be used to define the event timestamp. Date columns are used to define the checkpoint for incremental load.

Events from tables/views that contain historical or dynamic data are collected in rising mode. Tables/views that contain data for the current state are used to collect data in batches.