9 Replies Latest reply on Oct 27, 2010 10:04 PM by 729900

    Collecting lost audit trails

    My question is about what happens with the audit trails generated while the agents/collectors are stopped.

    How can I make the collectors collect the audit trails that were generated while they were inactive and upload them to the AV server?

    Is there any documented procedure to do it? I can't find anything in the docs...

    Any help would be appreciated.
    Thanks in advance.

    • 1. Re: Collecting lost audit trails
      The agent catches up when the agent/collector restarts.

      Remember, the underlying technology here is Streams.

    • 2. Re: Collecting lost audit trails
      Pat Huey-Oracle
      Thanks, Dan and User602992. I've updated the Auditor's Guide with an explanation about "lost" (or rather, queued) audit data. It will appear the next time the book is refreshed on OTN.

    • 3. Re: Collecting lost audit trails
      A lurking tech writer. <g> I have sent my positive comments to Francisco.

      Will be at HQ the last week of January. Contact me off-line if you will be in the neighborhood.

    • 4. Re: Collecting lost audit trails
      Pat Huey-Oracle
      Crumbs, sorry I missed ya! Will resume trolling the discussion forum now, and picking at my docs like the poor little worrisome scabs they be.

      Edited by: user462144 on Feb 10, 2010 9:11 AM

    • 5. Re: Collecting lost audit trails
      Does the same thing go for redo collectors?

      What happens if the archived logs have already been deleted from the server by the time the redo collectors are started up?

    • 6. Re: Collecting lost audit trails
      Yes, the REDO collector, too, picks up the audit trail where it left off when it was shut down. However, just like all other collectors, it can't collect any audit records that have been deleted on the source before they were collected. So, if it needs to go to the archive logs to collect records, and the logs were deleted, they are lost, as expected. However, please keep in mind that, for the most part, the collector should not have to go to the archive logs at all, as it tries to stay current as much as possible. Unless the transaction volume on the source is extremely high, the collector should be collecting from the online logs, not needing the archive logs at all.

    • 7. Re: Collecting lost audit trails
      How is Streams used by the redo collector, and where do capture rules come into play?

      Won't the source DB be queueing the messages in the Streams tables in the event the redo collector is down?

    • 8. Re: Collecting lost audit trails
      The REDO collector does use Streams to capture audit records. There's one capture process running on the source. Capture rules are provisioned to the source using Audit Vault's Audit Policy manager, which lets you easily specify capture rules either globally, per-schema, or per-table. Starting the REDO collector starts the capture and propagate processes on the source, and the corresponding apply process on the AV server. Streams uses LogMiner to mine the REDO logs, whether they are online or archived. As LogMiner passes LCRs from the logs to the capture process, the LCRs are evaluated to see if they match any of the provisioned capture rules. If they do, they are sent over to AV where they are converted into audit records and inserted into the audit repository.

      Please note, however, that the LCRs are "pulled" from the redo logs by LogMiner; they are not queued (or "pushed") to Streams. In essence, there's only one copy of the LCR that is stored, and that is in the redo logs (whether online or archived). Streams does not store a separate copy for capture. The whole system acts as a pipeline, with the capture process being the driver. There's no queuing involved at all.

      Hope this helps.

    • 9. Re: Collecting lost audit trails
      Looking at the audit repository, specifically the avsys.av$rads_view and the avsys.audit_event_fact, how can you determine if the row entry was collected by the REDO_COLL, the DBAUD, or the OSAUD collectors?