5 Replies Latest reply: May 13, 2013 7:55 AM by Harm Joris ten Napel-Oracle RSS

    INSERT and UPDATE audit generating more than expected rows in AUD$


      Oracle EE on Solaris

      I had a request to audit all the INSERT and UPDATE activity on all the tables in a particular schema. This was in preparation of an application going live and the owner wanted to see some 'typical' activity from some test users.

      Here are the steps I took:
      alter system set audit_trail=DB_EXTENDED scope=spfile;
      Bounce the instance
      audit INSERT table, UPDATE table by USERX;
      I also have 'audit_sys_operations=TRUE' so I know I'll get some SYS audit data in AUD$ as well but I can query around those.

      My question is that I'm seeing several connections from the application server with actions of 'LOGON' and 'LOGOFF' and I'm not sure why they're showing up in the AUD$ table.

      Is it because I have auditing turned on for inserts and updates on ALL tables for USERX and the logon and logoff operations are doing I/O into tables that are not owned by USERX as part of the logon logoff procedures?

      I am an auditing newbie and the docs I've read haven't answered this question.

      I just found an article about the 'SESSION_REC' value of ACTION_NAME and I need to change my auditing to 'by access'. I'll change that and see what happens but that shouldn't change my question.

      Many thanks for any help!!