5 Replies Latest reply: Jul 7, 2014 3:58 AM by MariaKarpa(MK) RSS

    Audit_trail   string      OS

    MariaKarpa(MK)

      Hi all,

       

      11g

      aix

       

      I have setup our database audit trail as OS.

       

      SQL> show parameter audit

       

       

      NAME                                 TYPE        VALUE

      ------------------------------------ ----------- ------------------------------

      audit_file_dest                      string      /var/log/oracle

      audit_sys_operations                 boolean     TRUE

      audit_syslog_level                   string      LOCAL0.INFO

      audit_trail                          string      OS

       

       

      Then I tried to login/logout as sys. But my connection was not logged in /var/log/oracle.

       

      Is there process at root or admin user that need to be started?

       

       

      Thanks,

      mk

        • 1. Re: Audit_trail   string      OS
          IBarr

          By setting a syslog level, you have told the database to not use the audit file destination. You now need to set the destination in your syslog conf file. Try checking the default messages location in syslog to see if the audit records are there.

           

          Regards,

           

          Iain Barr

          • 2. Re: Audit_trail   string      OS
            MariaKarpa(MK)

            Yeah I have check it and there is none, the folder is still empty

             

            I did  the following:

             

            SQL> show parameter audit

             

             

            NAME                                 TYPE        VALUE

            ------------------------------------ ----------- ------------------------------

            audit_file_dest                      string      /var/log/oracle

            audit_sys_operations                 boolean     TRUE

            audit_syslog_level                   string      LOCAL0.INFO

            audit_trail                          string      OS

             

             

            >> Edit your syslog config to forward local1.warning to Splunk. In case of syslogd edit the /etc/syslog.conf and set the following. The first entry is for the local syslog. The second entry sends it to a remote server:

             

            #Save oracle rdbms audit trail to oracle_audit.log

            local0.info          /var/log/oracle/oracle_audit.log rotate size 10m files 20

            #Send oracle rdbms audit trail to remote syslog server

            local0.info          @192.168.100.1

             

            Then Restart you syslog daemon.

             

            # refresh -s syslogd

             

            or

             

            #stopsrc -s syslogd

            #chssys -s syslogd -a ""

            #startsrc -s syslogd


            Is LOCAL0.INFO case sensitive?


            Thanks

            • 3. Re: Audit_trail   string      OS
              MariaKarpa(MK)

              Hi all,

               

              Why do I have this error?

               

              alter system set audit_file_dest=/var/log/oracle scope=spfile

                                                *

              ERROR at line 1:

              ORA-02096: specified initialization parameter is not modifiable with this

              option

              • 4. Re: Audit_trail   string      OS
                Harm Joris ten Napel-Oracle

                hi,

                 

                because you must use quotes around the directory name:

                 

                alter system set audit_file_dest = '/var/log/oracle' scope=spfile;

                 

                but I agree the error is a bit misleading,

                 

                greetings,

                 

                Harm ten Napel

                • 5. Re: Audit_trail   string      OS
                  MariaKarpa(MK)

                  Thanks Harm,

                   

                  Can you help me why my OS logging does not work?