This content has been marked as final. Show 11 replies
Audit Vault does not do auditing. Auditing is performed using the AUDIT, FGA, and other auditing facilities in your database.
Audit Vault serves as a collector and presenter of audit trails. It does not enable or disable any database auditing activities.
Yes, Audit Vault Server does not do auditing.
Does Oracle AUDIT and FGA can solve our problem ?
As we know to audit the login session, we can use Trigger & AUDIT CREATE SESSION command.
1. AUDIT CREATE SESSION by access [username]
With this way, we only audit the session by ACCESS | SESSION and USERNAME. But in my case, we would like to audit the session by APPLICATION or PROGRAM.
So this way cannot solve our problem.
With Trigger, we can write PL/SQL to filter the session by APPLICATION, PROGRAM or anythings else, and then we store these audit trails in a log table (for ex: USER_LOG). But this way do NOT support by DB Collector, because DB Collector just only extract audit trails from SYS.AUD$ and SYS.FGA$.
So instead of storing the audit trails in customized USER_LOG table, we're going insert directly these audit trails to SYS.AUD$. Is it possible ? Does DB Collector can extract the audit trails from SYS.AUD$ as normal ?
I've not test it yet, so please share your expieriences about this case.
Hi. Did you manage to find a solution on this?
It will be very useful to not register all the sessions created, for example, by the auto connections of the dbsnmp user of grid control agents.
agree with you, this is a real requirement in real system.
The solution as i described above, but not test it yet. And I would like Oracle provide the built-in solution for this.
How about your solution, bednar ?
Thanks & Regards.
The solution is to write an AFTER LOGON SYSTEM EVENT TRIGGER
you can find a demo at http://www.morganslibrary.org/library.html
If we use trigger to catched the login/off activities, and then stored it in our log table. So How the AV Collector can transfer audit trail log to AV Server automatically ?
AV Collector just transfer audit trails from SYS.AUD$ | SYS.FGA_LOG | OS files to AV Server, not from others location.
Please share your expierences on this.
My questions is again did you managed to find a solutions for your case ? We also would like to audit the application user only when he is connected from non-application-server IP address. If we turn auditing on this user in general this would cause performance issue. Thats why we seek for the same solution, how to turn on full auditing on the user if he is connected from non-app-ip and audit only this session.
Thanks in advance.
I have a really simple way to do it here:
We tried to do the same and couldn't find a solution in audit vault. Be interested to know how to setup this. There is just too much noise from our app and since we trust the ip it comes from - we don't want to audit that but we need to audit if it's not from the trusted ip. we are evaluating a 3rd party tools called core audit by blue core research to do this.
No, you do not.