Hi Praveen,

You can set the  database initialization parameter AUDIT_TRAIL to DB or OS for enabling auditing. The DB setting means the audit trail records are stored in the database in the SYS.AUD$ table. OS will send the audit trail records to an operating system file. The OS setting is operating system-dependent and is not supported on all operating systems.

SQL> ALTER SYSTEM SET audit_trail=db SCOPE=SPFILE;

System altered.

SQL> SHUTDOWN

Database closed.

Database dismounted.

ORACLE instance shut down.

SQL> STARTUP

ORACLE instance started.

Total System Global Area  289406976 bytes

Fixed Size                  1248600 bytes

Variable Size              71303848 bytes

Database Buffers          213909504 bytes

Redo Buffers                2945024 bytes

Database mounted.

Database opened.

SQL>

Praveen Kamble wrote:

 

Dear Team,

 

We are collecting audit logs from Oracle 11g (11.2.0.4.0) into a syslog server/SIEM solution for log monitoring and analysis.

For this we need to edit the parameter audit_trail to os,db etc.

 

But unfortunately, we are unable to find the file initORACLE_SID.ora, in which the audit_trail parameter is edited.

This file is missing in Oracle 11g.

 

Also, we tried to run the command - alter system set audit_trail=os scope=spfile;

after running this command, we are getting error - "insufficient privileges", where as we are logging in as admin, sysdba.

Attaching the screenshot below:

 

 

Can i request your help here in the above 2 scenarios.

I am from security background, need your help on the database part. Would be much appreciated.

 

 

Best Regards,

Praveen Kamble

Are you sure you are
"where as we are logging in as admin, sysdba."

?

Insufficient privileges would suggest you are not. The user you are connecting as must have alter system privileges in order to alter system

Praveen Kamble wrote:

 

Dear Team,

 

We are collecting audit logs from Oracle 11g (11.2.0.4.0) into a syslog server/SIEM solution for log monitoring and analysis.

For this we need to edit the parameter audit_trail to os,db etc.

 

But unfortunately, we are unable to find the file initORACLE_SID.ora, in which the audit_trail parameter is edited.

This file is missing in Oracle 11g.

 

Also, we tried to run the command - alter system set audit_trail=os scope=spfile;

after running this command, we are getting error - "insufficient privileges", where as we are logging in as admin, sysdba.

Attaching the screenshot below:

 

 

Can i request your help here in the above 2 scenarios.

I am from security background, need your help on the database part. Would be much appreciated.

 

 

Best Regards,

Praveen Kamble

show us using COPY & PASTE exactly how you logged into Oracle DB prior to do commands above.

post SQL & results that show if this instance was started using spfile or pfile.

Andrew,

While your response is relevant and on-target, did you notice the age of this thread?

I've seen several of these archeological artifacts revived this morning, both here and on the MOS forums.  I'm beginning to wonder if it is fallout from the 'fix' to the recent forum problems, possibly the forum itself throwing old threads back into the stream?

Hi,

run these commandes:

$ ls -ld /rdsdbdata/admin/ORCLDB/adump

SQL> show user

Best regards