Click here to expand

    Adding Oracle Server

    • Navigate to Settings > Log Source Configuration > Database Audit. You can also click on the +Add button on the top right corner of the Home page and select Application.
    • Next, select the Oracle Servers tab.
    • Adding Oracle Server
    • Enter the name of the device and click on the Add button.
    • After adding an Oracle device in EventLog Analyzer, configure the Oracle server as instructed below.

    Oracle Server Configuration

    Reference: http://download.oracle.com/docs/cd/B28359_01/network.111/b28531/auditing.htm#CEGBIIJD

    For Oracle server installed in Windows platform

    • Connect to SQL *Plus using the sqlplus command.
    • Execute the command given below to check whether the audit_trail is set to OS or not.
    • Copy to Clipboard

      Show parameter AUDIT_TRAIL;

    • Change audit parameters using the below command:
    • Copy to Clipboard

      Show parameter AUDIT_TRAIL;ALTER SYSTEM SET AUDIT_TRAIL=OS SCOPE=SPFILE;

    • Restart the Oracle server to let the changes take effect.
    • To disable AUDIT_TRAIL
    • Copy to Clipboard

      ALTER SYSTEM SET audit_trail = NONE SCOPE=SPFILE ;

    For Oracle Server installed in Unix platform

    • Execute the command given below to check whether the audit_trail is set to OS or not.
    • Copy to Clipboard

      Show parameter AUDIT_TRAIL;

    • Change audit parameters using the below command:
    • Copy to Clipboard

      ALTER SYSTEM SET AUDIT_TRAIL=OS SCOPE=SPFILE;

    To enable Oracle syslog auditing, follow the procedure given below:

    1. Manually add and set the AUDIT_SYSLOG_LEVEL parameter in the initialization parameter file, initsid.ora.

      The AUDIT_SYSLOG_LEVEL parameter is set to specify a facility and priority in the format AUDIT_SYSLOG_LEVEL=facility.priority.

      facility: Describes the part of the operating system that is logging the message. Accepted values are user, local0–local7, syslog, daemon, kern, mail, auth, lpr, news, uucp, and cron.

      The local0–local7 values are predefined tags that enable you to sort the syslog message into categories. These categories can be log files or other destinations that the syslog utility can access. To find more information about these types of tags, refer to the syslog utility MAN page.

      priority: Defines the severity of the message. Accepted values are notice, info, debug, warning, err, crit, alert, and emerg.

      The syslog daemon compares the value assigned to the facility argument of the AUDIT_SYSLOG_LEVEL parameter with the syslog.conf file to determine where to log information.

      For example,the following statement identifies the facility as local1 with a priority level of warning:

      AUDIT_SYSLOG_LEVEL=local1.warning

    2. See Oracle Database Reference for more information about AUDIT_SYSLOG_LEVEL.

    3. Log in to the machine that contains the syslog configuration file, /etc/syslog.conf, with the superuser (root) privilege.
    4. Add the audit file destination to the syslog configuration file /etc/syslog.conf.

      For example: assuming you had set the AUDIT_SYSLOG_LEVEL to local1.warning, enter the following:

      Copy to Clipboard

      local1.warning /var/log/audit.log

      This setting logs all warning messages to the /var/log/audit.log file.

    5. Restart the syslog logger:
    6. Copy to Clipboard

      $/etc/rc.d/init.d/syslog restart

      Now, all audit records will be captured in the file /var/log/audit.log through the syslog daemon.

    7. Restart the Oracle server so that the changes take effect.
    8. Note: When logged in as SYSDBA/SYSOPER, Oracle database provides limited information on database activity monitoring. Hence, to get the complete audit trail activities of Oracle database, we suggest that you log in as a user with privilege other than SYSDBA/SYSOPER.

    Auditing statements

    DDL

    You can audit DDL activities of a selected user in the database.

    • To enable auditing of all privileges of users:
    • AUDIT ALL PRIVILEGES by user_name; (or)
      AUDIT CREATE TABLE by user_name;

    • To enable auditing of specific privileges:
    • AUDIT CREATE TABLE by user_name;

      Add your required auditing option near "CREATE TABLE".

    • Restart the Oracle server to let the changes take effect.
    • Note: To check the audit options that are enabled under any user, execute the statement given below.

      SELECT user_name, audit_option, success, failure FROM DBA_STMT_AUDIT_OPTS;

    DML

    This auditing enables you to audit specific statements on a particular object. It always applies to all users of the database.

      AUDIT SELECT, INSERT, UPDATE, DELETE on table_name

      You can also add your required auditing option(s) here.

    • The following statement specifies default auditing options for objects that might be created in the future:
    • AUDIT SELECT, INSERT, UPDATE, DELETE on DEFAULT;

    • Restart the Oracle server to let the changes take effect.
    • Note: To check the audit options that are enabled under any object, simply execute the below statement.
        Copy to Clipboard

        SELECT OWNER, OBJECT_NAME, OBJECT_TYPE, INS, UPD, DEL FROM DBA_OBJ_AUDIT_OPTS;

      To disable audit option, use NOAUDIT instead of AUDIT in same statement.

      Details about the audit options are available here.

    Don't see what you're looking for?

    •  

      Visit our community

      Post your questions in the forum.

       
    •  

      Request additional resources

      Send us your requirements.

       
    •  

      Need implementation assistance?

      Try onboarding

       
    Get download link