The DBMS_AUDIT_MGMT
package provides subprograms to manage audit trail records. These subprograms enable audit administrators to manage the audit trail. In a mixed-mode environment, these audit trails comprise the database, operating system (OS), and XML audit trails. In a unified auditing environment, this comprises the unified audit trail.
See Also:
Oracle Database Security Guide regarding verifying security access with auditing
Oracle Database Upgrade Guide regarding migrating to unified auditing
This chapter contains the following topics:
Overview
Security Model
Constants
Views
Audit Trail Management Subprograms
Audit Trail Cleanup Subprograms
This section contains topics which relate to using the DBMS_AUDIT_MGMT
package. The following topics are included:
Database auditing helps meet your database security and compliance requirements. In a mixed mode environment, audit records are written to database tables, operating system (OS) files, or XML files depending on the AUDIT_TRAIL initialization parameter setting. If you have upgraded to unified auditing, then the audit records are written to the unified audit trail.
In a mixed mode environment, when AUDIT_TRAIL
is set to DB
, database records are written to the AUD$
table. In a unified auditing environment, audit records are written to a read-only table in the AUDSYS
schema. The contents of this table are available from the UNIFIED_AUDIT_TRAIL
data dictionary view.When AUDIT_TRAIL
is set to OS, audit records are written to operating system files. When AUDIT_TRAIL
is set to XML, audit records are written to operating system files in XML format.
With Unified Auditing facility, all audit records are written to the unified audit trail in a uniform format and are made available through the UNIFIED_AUDIT_TRAIL
views.
It is important to manage your audit records properly in order to ensure efficient performance and disk space management. The DBMS_AUDIT_MGMT
subprograms enable you to efficiently manage your audit trail records.
If you have not yet migrated to unified auditing, the DBMS_AUDIT_MGMT
package provides a subprogram that allows you to move the database audit trail tables out of the SYSTEM
tablespace. This improves overall database performance by reducing the load on the SYSTEM
tablespace. It also enables you to dedicate an optimized tablespace for audit records.
For a mixed mode environment, the DBMS_AUDIT_MGMT
subprograms also enable you to manage your operating system and XML audit files. You can define properties like the maximum size and age of an audit file. This enables you to keep the file sizes of OS and XML audit files in check.
The DBMS_AUDIT_MGMT
subprograms enable you to perform cleanup operations on all audit trail types. Audit trails can be cleaned based on the last archive timestamp value. The last archive timestamp represents the timestamp of the most recent audit record that was securely archived.
The DBMS_AUDIT_MGMT
package provides a subprogram that enables audit administrators to set the last archive timestamp for archived audit records. This subprogram can also be used by external archival systems to set the last archive timestamp.
The DBMS_AUDIT_MGMT
subprograms also enable you to configure jobs that periodically delete audit trail records. The frequency with which these jobs should run can be controlled by the audit administrator.
See Also:
Oracle Database Security Guide for a detailed description of unified auditingAll DBMS_AUDIT_MGMT
subprograms require the user to have EXECUTE
privilege over the DBMS_AUDIT_MGMT
package. The SYSDBA
and AUDIT_ADMIN
roles have EXECUTE
privileges on the package by default.
Oracle strongly recommends that only audit administrators should have the EXECUTE
privilege on the DBMS_AUDIT_MGMT
package and be granted the AUDIT_ADMIN
role.
Executions of the DBMS_AUDIT_MGMT
subprograms are always audited.
The DBMS_AUDIT_MGMT
package defines several constants that can be used for specifying parameter values.
The DBMS_AUDIT_MGMT
package includes the constants shown in the following tables:
Audit trails can be classified based on whether audit records are written to database tables, operating system files, or XML files. Table 29-1 lists the audit trail type constants.
Table 29-1 DBMS_AUDIT_MGMT Constants - Audit Trail Types
Constant | Type | Description |
---|---|---|
|
|
All audit trail types. This includes the standard database audit trail ( |
|
|
Standard database audit records in the |
|
|
Both standard audit ( |
|
|
Standard database fine-grained auditing (FGA) records in the |
|
|
Both operating system (OS) and XML audit trails |
|
|
Operating system audit trail. This refers to the audit records stored in operating system files. |
|
|
Unified audit trail. In unified auditing, all audit records are written to the unified audit trail and are made available through the unified audit trail views, such as |
|
|
XML audit trail. This refers to the audit records stored in XML files. |
Audit trail properties determine the audit configuration settings. Table 29-2 lists the constants related to audit trail properties.
Table 29-2 DBMS_AUDIT_MGMT Constants - Audit Trail Properties
Constant | Type | Description |
---|---|---|
|
|
A value of See Also Oracle Database Security Guide |
|
|
Interval, in hours, after which the cleanup procedure is called to clear audit records in the specified audit trail |
|
|
Specifies the batch size to be used for deleting audit records in database audit tables. The audit records are deleted in batches of size equal to |
|
|
Specifies the batch size to be used for deleting audit files in the audit directory. The audit files are deleted in batches of size equal to |
|
|
Specifies the maximum number of days for which an operating system (OS) or XML audit file can be kept open before a new audit file gets created |
|
|
Specifies the maximum size, in kilobytes (KB), to which an operating system (OS) or XML audit file can grow before a new file is opened |
The audit trail purge job cleans the audit trail. Table 29-3 lists the constants related to purge job status values.
The views listed in Table 29-4 are used to display DBMS_AUDIT_MGMT
configuration and cleanup events.
Table 29-4 Views used by DBMS_AUDIT_MGMT
View | Description |
---|---|
|
Displays the cleanup event history |
|
Displays the currently configured audit trail purge jobs |
|
Displays the currently configured audit trail properties |
|
Displays the last archive timestamps set for the audit trails |
See Also:
Oracle Database Reference for more information on these viewsThe DBMS_AUDIT_MGMT
package subprograms can be grouped into the following categories:
Audit trail management subprograms enable you to manage audit trail properties.
Table 29-5 Audit Trail Management Subprograms
Subprogram | Description |
---|---|
Clears the value for the audit trail property that you specify |
|
Writes the unified audit trail records in the SGA queue to disk |
|
Returns the property value set by the SET_AUDIT_TRAIL_PROPERTY Procedure |
|
Returns the timestamp set by the SET_LAST_ARCHIVE_TIMESTAMP Procedure in that database instance |
|
Loads the data from the spillover OS audit files in a unified audit trail into the designated unified audit trail tablespace |
|
Moves the audit trail tables from their current tablespace to a user-specified tablespace |
|
Sets an audit trail property for the audit trail type that you specify |
|
Sets a timestamp indicating when the audit records or files were last archived |
The Summary of DBMS_AUDIT_MGMT Subprograms contains a complete listing of all subprograms in the package.
Audit trail cleanup subprograms help you perform cleanup related operations on the audit trail records.
Table 29-6 Audit Trail Cleanup Subprograms
Subprogram | Description |
---|---|
Deletes audit trail records or files that have been archived |
|
Clears the timestamp set by the SET_LAST_ARCHIVE_TIMESTAMP Procedure |
|
Creates a purge job for periodically deleting the audit trail records or files |
|
Undoes the setup and initialization performed by the INIT_CLEANUP Procedure |
|
Drops old unified audit tables following the cloning of a pluggable database (PDB) |
|
Drops the purge job created using the CREATE_PURGE_JOB Procedure |
|
Sets up the audit management infrastructure and sets a default cleanup interval for audit trail records or files |
|
Checks to see if the INIT_CLEANUP Procedure has been run for an audit trail type |
|
Sets the interval at which the CLEAN_AUDIT_TRAIL Procedure is called for the purge job that you specify |
|
Enables or disables the purge job that you specify |
The Summary of DBMS_AUDIT_MGMT Subprograms contains a complete listing of all subprograms in the package.
Table 29-7 DBMS_AUDIT_MGMT Package Subprograms
Subprogram | Description |
---|---|
Deletes audit trail records that have been archived |
|
Clears the value for the audit trail property that you specify |
|
Clears the timestamp set by the SET_LAST_ARCHIVE_TIMESTAMP Procedure |
|
Creates a purge job for periodically deleting the audit trail records |
|
Undoes the setup and initialization performed by the INIT_CLEANUP Procedure |
|
Drops old unified audit tables following the cloning of a pluggable database (PDB) |
|
Drops the purge job created using the CREATE_PURGE_JOB Procedure |
|
Writes the unified audit trail records in the SGA queue to disk |
|
Returns the audit commit delay time as the number of seconds. This is the maximum time that it takes to |
|
Returns the property value set by the SET_AUDIT_TRAIL_PROPERTY Procedure |
|
Returns the timestamp set by the SET_LAST_ARCHIVE_TIMESTAMP Procedure in that database instance |
|
Sets up the audit management infrastructure and sets a default cleanup interval for audit trail records |
|
Checks to see if the INIT_CLEANUP Procedure has been run for an audit trail type |
|
Loads the data from the spillover OS audit files in a unified audit trail into the designated unified audit trail tablespace |
|
Moves the audit trail tables from their current tablespace to a user-specified tablespace |
|
Sets the audit trail properties for the audit trail type that you specify |
|
Sets a timestamp indicating when the audit records were last archived |
|
Sets the interval at which the CLEAN_AUDIT_TRAIL Procedure is called for the purge job that you specify |
|
Enables or disables the purge job that you specify |
This procedure deletes audit trail records. The CLEAN_AUDIT_TRAIL
procedure is usually called after the SET_LAST_ARCHIVE_TIMESTAMP Procedure has been used to set the last archived timestamp for the audit records.
DBMS_AUDIT_MGMT.CLEAN_AUDIT_TRAIL( audit_trail_type IN PLS_INTEGER, use_last_arch_timestamp IN BOOLEAN DEFAULT TRUE, container IN PLS_INTEGER DEFAULT CONTAINER_CURRENT, database_id IN NUMBER DEFAULT NULL, container_guid IN VARCHAR2 DEFAULT NULL);
Table 29-8 CLEAN_AUDIT_TRAIL Procedure Parameters
Parameter | Description |
---|---|
|
The audit trail type for which the cleanup operation needs to be performed. Audit trail types are listed in Table 29-1, "DBMS_AUDIT_MGMT Constants - Audit Trail Types" . |
|
Specifies whether the last archived timestamp should be used for deciding on the records that should be deleted. A value of A value of The default value is |
|
Values: |
|
Database ID (DBID) of the audit records to cleanup |
|
Container GUID of the audit records to cleanup |
The following usage notes apply:
When cleaning up operating system (OS) or XML audit files, only files in the current audit directory, specified by the AUDIT_FILE_DEST
parameter, are cleaned up.
For Windows platforms, no cleanup is performed when the audit_trail_type
parameter is set to DBMS_AUDIT_MGMT.AUDIT_TRAIL_OS.
This is because operating system (OS) audit records on Windows are written to the Windows Event Viewer.
For Unix platforms, no cleanup is performed for cases where the operating system (OS) audit records are written to the syslog. When the audit_trail_type
parameter is set to DBMS_AUDIT_MGMT.AUDIT_TRAIL_OS,
it removes only the *.aud
files under the directory specified by the AUDIT_FILE_DEST
initialization parameter.
When the audit_trail_type
parameter is set to DBMS_AUDIT_MGMT.AUDIT_TRAIL_XML,
this procedure only removes XML audit files (*.xml
) from the current audit directory.
Oracle database maintains a book-keeping file (adx_
$ORACLE_SID
.txt
) for the XML audit files. This file is not removed by the cleanup procedure.
The following example calls the CLEAN_AUDIT_TRAIL
procedure to clean up the operating system (OS) audit trail records that were updated before the last archive timestamp.
BEGIN DBMS_AUDIT_MGMT.CLEAN_AUDIT_TRAIL( audit_trail_type => DBMS_AUDIT_MGMT.AUDIT_TRAIL_OS, use_last_arch_timestamp => TRUE); END;
This procedure clears the value for the audit trail property that is specified. Audit trail properties are set using the SET_AUDIT_TRAIL_PROPERTY Procedure.
The CLEAR_AUDIT_TRAIL_PROPERTY
procedure can optionally reset the property value to it's default value through the use_default_values
parameter.
DBMS_AUDIT_MGMT.CLEAR_AUDIT_TRAIL_PROPERTY( audit_trail_type IN PLS_INTEGER, audit_trail_property IN PLS_INTEGER, use_default_values IN BOOLEAN DEFAULT FALSE) ;
Table 29-9 CLEAR_AUDIT_TRAIL_PROPERTY Procedure Parameters
Parameter | Description |
---|---|
|
The audit trail type for which the property needs to be cleared. Audit trail types are listed in Table 29-1, "DBMS_AUDIT_MGMT Constants - Audit Trail Types" |
|
The audit trail property whose value needs to be cleared. You cannot clear the value for the Audit trail properties are listed in Table 29-2, "DBMS_AUDIT_MGMT Constants - Audit Trail Properties" |
|
Specifies whether the default value of the The default value for this parameter is |
The following usage notes apply:
You can use this procedure to clear the value for an audit trail property that you do not wish to use. For example, if you do not want a restriction on the operating system audit file size, then you can use this procedure to reset the OS_FILE_MAX_SIZE
property.
You can also use this procedure to reset an audit trail property to it's default value. You need to set use_default_values
to TRUE
when invoking the procedure.
The DB_DELETE_BATCH_SIZE
property needs to be individually cleared for the AUDIT_TRAIL_AUD_STD
and AUDIT_TRAIL_FGA_STD
audit trail types. You cannot clear this property collectively using the AUDIT_TRAIL_DB_STD
and AUDIT_TRAIL_ALL
audit trail types.
If you clear the value of the DB_DELETE_BATCH_SIZE
property with use_default_value
set to FALSE
, the default value of DB_DELETE_BATCH_SIZE
is still assumed. This is because audit records are always deleted in batches.
The FILE_DELETE_BATCH_SIZE
property needs to be individually cleared for the AUDIT_TRAIL_OS
and AUDIT_TRAIL_XML
audit trail types. You cannot clear this property collectively using the AUDIT_TRAIL_FILES
and AUDIT_TRAIL_ALL
audit trail types.
If you clear the value of the FILE_DELETE_BATCH_SIZE
property with use_default_value
set to FALSE
, the default value of FILE_DELETE_BATCH_SIZE
is still assumed. This is because audit files are always deleted in batches.
You cannot clear the value for the CLEANUP_INTERVAL
property.
You cannot clear the value for the AUDIT_TRAIL_WRITE_MODE
property.
The following example calls the CLEAR_AUDIT_TRAIL_PROPERTY
procedure to clear the value for the audit trail property, OS_FILE_MAX_SIZE
. The procedure uses a value of FALSE
for the USE_DEFAULT_VALUES
parameter. This means that there will be no maximum size threshold for operating system (OS) audit files.
BEGIN DBMS_AUDIT_MGMT.CLEAR_AUDIT_TRAIL_PROPERTY( AUDIT_TRAIL_TYPE => DBMS_AUDIT_MGMT.AUDIT_TRAIL_OS, AUDIT_TRAIL_PROPERTY => DBMS_AUDIT_MGMT.OS_FILE_MAX_SIZE, USE_DEFAULT_VALUES => FALSE ); END;
This procedure clears the timestamp set by the SET_LAST_ARCHIVE_TIMESTAMP Procedure.
DBMS_AUDIT_MGMT.CLEAR_LAST_ARCHIVE_TIMESTAMP( audit_trail_type IN PLS_INTEGER, rac_instance_number IN PLS_INTEGER DEFAULT NULL, container IN PLS_INTEGER DEFAULT CONTAINER_CURRENT, database_id IN NUMBER DEFAULT NULL, container_guid IN VARCHAR2 DEFAULT NULL);
Table 29-10 CLEAR_LAST_ARCHIVE_TIMESTAMP Procedure Parameters
Parameter | Description |
---|---|
|
The audit trail type for which the timestamp needs to be cleared. Audit trail types are listed in Table 29-1, "DBMS_AUDIT_MGMT Constants - Audit Trail Types" . |
|
The instance number for the Oracle Real Application Clusters (Oracle RAC) instance. The default value is |
|
Values: |
|
Database ID (DBID) of the audit records to cleanup |
|
Container GUID of the audit records to cleanup |
The following usage notes apply:
The timestamp for only one audit_trail_type
can be cleared at a time.
The following are invalid audit_trail_type
values for this procedure and cannot be used:
AUDIT_TRAIL_ALL
AUDIT_TRAIL_DB_STD
AUDIT_TRAIL_FILES
This procedure creates a purge job for periodically deleting the audit trail records.
This procedure carries out the cleanup operation at intervals specified by the user. It calls the CLEAN_AUDIT_TRAIL Procedure to perform the cleanup operation.
The SET_PURGE_JOB_INTERVAL Procedure is used to modify the frequency of the purge job.
The SET_PURGE_JOB_STATUS Procedure is used to enable or disable the purge job.
The DROP_PURGE_JOB Procedure is used to drop a purge job created with the CREATE_PURGE_JOB
procedure.
DBMS_AUDIT_MGMT.CREATE_PURGE_JOB( audit_trail_type IN PLS_INTEGER, audit_trail_purge_interval IN PLS_INTEGER, audit_trail_purge_name IN VARCHAR2, use_last_arch_timestamp IN BOOLEAN DEFAULT TRUE, container IN PLS_INTEGER DEFAULT CONTAINER_CURRENT) ;
Table 29-11 CREATE_PURGE_JOB Procedure Parameters
Parameter | Description |
---|---|
|
The audit trail type for which the purge job needs to be created. Audit trail types are listed in Table 29-1, "DBMS_AUDIT_MGMT Constants - Audit Trail Types" . |
|
The interval, in hours, at which the clean up procedure is called. A lower value means that the cleanup is performed more often. |
|
A name to identify the purge job. |
|
Specifies whether the last archived timestamp should be used for deciding on the records that should be deleted. A value of A value of The default value is |
|
Values: |
Use this procedure to schedule the CLEAN_AUDIT_TRAIL Procedure for your audit trail records.
The following example calls the CREATE_PURGE_JOB
procedure to create a cleanup job called CLEANUP
, for all audit trail types. It sets the audit_trail_purge_interval
parameter to 100. This means that the cleanup job is invoked every 100 hours. It also sets the use_last_arch_timestamp
parameter value to TRUE
. This means that all audit records older than the last archive timestamp are deleted.
BEGIN DBMS_AUDIT_MGMT.CREATE_PURGE_JOB( audit_trail_type => DBMS_AUDIT_MGMT.AUDIT_TRAIL_ALL, audit_trail_purge_interval => 100 /* hours */, audit_trail_purge_name => 'CLEANUP', use_last_arch_timestamp => TRUE); END;
This procedure undoes the setup and initialization performed by the INIT_CLEANUP Procedure. The DEINIT_CLEANUP
procedure clears the value of the default_cleanup_interval
parameter. However, when used for audit tables, it does not move the audit trail tables back to their original tablespace.
DBMS_AUDIT_MGMT.DEINIT_CLEANUP( audit_trail_type IN PLS_INTEGER, container IN PLS_INTEGER DEFAULT CONTAINER_CURRENT);
Table 29-12 DEINIT_CLEANUP Procedure Parameters
Parameter | Description |
---|---|
|
The audit trail type for which the procedure needs to be called. Audit trail types are listed in Table 29-1, "DBMS_AUDIT_MGMT Constants - Audit Trail Types" |
|
Values: |
You cannot invoke this procedure for AUDIT_TRAIL_UNIFIED
. Doing so it will raise ORA-46250
: Invalid value for argument 'AUDIT_TRAIL_TYPE'
This procedure drops old unified audit tables following the cloning of a pluggable database (PDB).
When a pluggable database gets cloned, the unified audit tables get newly created in the new pluggable database. To drop the old unified audit tables, use the DROP_OLD_UNIFIED_AUDIT_TABLES
by specifying the old GUID
of the PDB from which the clone was created. You can query the historical GUIDs
from the DBA_PDB_HISTORY
view for the given PDB.
This procedure drops the purge job created using the CREATE_PURGE_JOB Procedure. The name of the purge job is passed as an argument.
Table 29-14 DROP_PURGE_JOB Procedure Parameters
Parameter | Description |
---|---|
|
The name of the purge job which is being deleted. This is the purge job name that you specified with the CREATE_PURGE_JOB Procedure. |
This procedure writes the unified audit trail records in the SGA queue to disk.
DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL ( flush_type IN BINARY_INTEGER DEFAULT FLUSH_CURRENT_INSTANCE, container IN BINARY_INTEGER DEFAULT CONTAINER_CURRENT);
Table 29-15 FLUSH_UNIFIED_AUDIT_TRAIL Procedure Parameters
Parameter | Description |
---|---|
|
Takes one of the following two arguments:
|
|
The containers where the SGA queues should be flushed. It takes one of the following two arguments:
|
This function returns the audit commit delay time as the number of seconds. audit commit delay time is the maximum time that it takes to COMMIT
an audit record to the database audit trail. If it takes more time to COMMIT an audit record than defined by the audit commit delay time, then a copy of the audit record is written to the operating system (OS) audit trail.
The audit commit delay time value is useful when determining the last archive timestamp for database audit records.
This procedure returns the property value set by the SET_AUDIT_TRAIL_PROPERTY Procedure.
DBMS_AUDIT_MGMT.GET_LAST_ARCHIVE_TIMESTAMP( audit_trail_type IN PLS_INTEGER, audit_trail_property IN PLS_INTEGER) RETURN NUMBER;
Table 29-16 GET_ AUDIT_TRAIL_PROPERTY_VALUE Function Parameters
Parameter | Description |
---|---|
|
The audit trail type for the timestamp to be retrieved. Audit trail types are listed in Table 29-1, "DBMS_AUDIT_MGMT Constants - Audit Trail Types" . |
|
The audit trail property that is being queried. Audit trail properties are listed in Table 29-2, "DBMS_AUDIT_MGMT Constants - Audit Trail Properties" . |
If the property value is cached in SGA memory, this function will return the value set by the SET_AUDIT_TRAIL_PROPERTY Procedure. Else it will return NULL
.
The following example prints the property value of OS_FILE_MAX_AGE
set by the SET_AUDIT_TRAIL_PROPERTY Procedure.
SET_AUDIT_TRAIL_PROPERTY. SET SERVEROUTPUT ON DECLARE OS_MAX_AGE_VAL NUMBER; BEGIN OS_MAX_AGE_VAL := DBMS_AUDIT_MGMT.GET_AUDIT_TRAIL_PROPERTY_VALUE( audit_trail_type => DBMS_AUDIT_MGMT.AUDIT_TRAIL_OS, audit_trail_property => DBMS_AUDIT_MGMT. OS_FILE_MAX_AGE); IF OS_MAX_AGE_VAL is not NULL THEN DBMS_OUTPUT.PUT_LINE('The Maximum Age configured for OS Audit files is: ' || OS_MAX_AGE_VAL); END IF; END;
This procedure returns the timestamp set by the SET_LAST_ARCHIVE_TIMESTAMP Procedure in that database instance.
DBMS_AUDIT_MGMT.GET_LAST_ARCHIVE_TIMESTAMP( audit_trail_type IN PLS_INTEGER) RETURN TIMESTAMP;
Table 29-17 GET_LAST_ARCHIVE_TIMESTAMP Function Parameters
Parameter | Description |
---|---|
|
The audit trail type for the timestamp to be retrieved. Audit trail types are listed in Table 29-1, "DBMS_AUDIT_MGMT Constants - Audit Trail Types" . |
In a database that is opened for READ WRITE
, since there will no timestamp stored in SGA memory, this function will return NULL
. But in a database that is opened for READ ONLY
, if a timestamp is set by the SET_LAST_ARCHIVE_TIMESTAMP Procedure, the timestamp will be returned. Else it will return NULL
.
This function will return NULL
on a database that is opened READ WRITE
. Use DBA_AUDIT_MGMT_LAST_ARCH_TS
view to check the timestamp set in such a case.
The following example prints the timestamp set by the SET_LAST_ARCHIVE_TIMESTAMP Procedure on a READ ONLY
database.
SET SERVEROUTPUT ON DECLARE LAT_TS TIMESTAMP; BEGIN LAT_TS := DBMS_AUDIT_MGMT.GET_LAST_ARCHIVE_TIMESTAMP( audit_trail_type => DBMS_AUDIT_MGMT.AUDIT_TRAIL_OS); IF LAT_TS is not NULL THEN DBMS_OUTPUT.PUT_LINE('The Last Archive Timestamp is: ' || to_char(LAT_TS)); END IF; END;
This procedure sets up the audit management infrastructure and a default cleanup interval for the audit trail records. If the audit trail tables are in the SYSTEM
tablespace, then the procedure moves them to the SYSAUX
tablespace. If you are using unified auditing, you do not need to run this procedure because the unified audit trail tables are in the SYSAUX
tablespace by default. If you are not using unified auditing, refer to Oracle Database Upgrade Guide for documentation which references an environment without unified auditing.
Moving the audit trail tables out of the SYSTEM
tablespace enhances overall database performance. The INIT_CLEANUP
procedure moves the audit trail tables to the SYSAUX
tablespace. If the SET_AUDIT_TRAIL_LOCATION Procedure has already moved the audit tables elsewhere, then no tables are moved.
The SET_AUDIT_TRAIL_LOCATION Procedure enables you to specify an alternate target tablespace for the database audit tables.
The INIT_CLEANUP
procedure is currently not relevant for the AUDIT_TRAIL_OS
, AUDIT_TRAIL_XML
, and AUDIT_TRAIL_FILES
audit trail types. No preliminary set up is required for these audit trail types.
See Also:
Table 29-1, "DBMS_AUDIT_MGMT Constants - Audit Trail Types" for a list of all audit trail typesThis procedure also sets a default cleanup interval for the audit trail records.
DBMS_AUDIT_MGMT.INIT_CLEANUP( audit_trail_type IN PLS_INTEGER, default_cleanup_interval IN PLS_INTEGER container IN PLS_INTEGER DEFAULT CONTAINER_CURRENT);
Table 29-18 INIT_CLEANUP Procedure Parameters
Parameter | Description |
---|---|
|
The audit trail type for which the clean up operation needs to be initialized. Audit trail types are listed in Table 29-1, "DBMS_AUDIT_MGMT Constants - Audit Trail Types" except |
|
The default time interval, in hours, after which the cleanup procedure should be called. The minimum value is 1 and the maximum is 999. |
|
Values: |
The following usage notes apply:
This procedure may involve data movement across tablespaces. This can be a resource intensive operation especially if your database audit trail tables are already populated. Oracle recommends that you invoke the procedure during non-peak hours.
You should ensure that the SYSAUX
tablespace, into which the audit trail tables are being moved, has sufficient space to accommodate the audit trail tables. You should also optimize the SYSAUX
tablespace for frequent write operations.
You can change the default_cleanup_interval
later using the SET_AUDIT_TRAIL_PROPERTY Procedure.
If you do not wish to move the audit trail tables to the SYSAUX
tablespace, then you should use the DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_LOCATION
procedure to move the audit trail tables to another tablespace before calling the INIT_CLEANUP
procedure.
Invoking this procedure with AUDIT_TRAIL_UNIFIED
results in ORA-46250
. It requires no initializations for cleanup since it is cleanup-ready by default.
See Also:
"SET_AUDIT_TRAIL_LOCATION Procedure"The following example calls the INIT_CLEANUP
procedure to set a default_cleanup_interval
of 12 hours for all audit trail types:
BEGIN DBMS_AUDIT_MGMT.INIT_CLEANUP( audit_trail_type => DBMS_AUDIT_MGMT.AUDIT_TRAIL_ALL, default_cleanup_interval => 12 /* hours */); END;
See Also:
Table 29-1, "DBMS_AUDIT_MGMT Constants - Audit Trail Types" for a list of all audit trail typesThis function checks to see if the INIT_CLEANUP Procedure has been run for an audit trail type. The IS_CLEANUP_INITIALIZED
function returns TRUE
if the procedure has already been run for the audit trail type. It returns FALSE
if the procedure has not been run for the audit trail type.
This function is currently not relevant for the AUDIT_TRAIL_OS
, AUDIT_TRAIL_XML
, and AUDIT_TRAIL_FILES
audit trail types. The function always returns TRUE for these audit trail types. No preliminary set up is required for these audit trail types.
See Also:
Table 29-1, "DBMS_AUDIT_MGMT Constants - Audit Trail Types" for a list of all audit trail typesDBMS_AUDIT_MGMT.IS_CLEANUP_INITIALIZED( audit_trail_type IN PLS_INTEGER container IN PLS_INTEGER DEFAULT CONTAINER_CURRENT) RETURN BOOLEAN;
Table 29-19 IS_CLEANUP_INITIALIZED Function Parameters
Parameter | Description |
---|---|
|
The audit trail type for which the function needs to be called. Note that this does not apply to Audit trail types are listed in Table 29-1, "DBMS_AUDIT_MGMT Constants - Audit Trail Types" |
|
Values:
|
The following example checks to see if the standard database audit trail type has been initialized for cleanup operation. If the audit trail type has not been initialized, then it calls the INIT_CLEANUP Procedure to initialize the audit trail type.
BEGIN IF NOT DBMS_AUDIT_MGMT.IS_CLEANUP_INITIALIZED(DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD) THEN DBMS_AUDIT_MGMT.INIT_CLEANUP( audit_trail_type => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD, default_cleanup_interval => 12 /* hours */); END IF; END;
This procedure loads the data from the spillover OS audit files in a unified audit trail into the designated unified audit trail tablespace.
See Also:
Oracle Database Security Guide for information about moving the OS audit trail records into the unified audit trailTable 29-20 LOAD_UNIFIED_AUDIT_FILES Procedure Parameters
Parameter | Description |
---|---|
|
Values:
|
This procedure moves the audit trail tables from their current tablespace to a user-specified tablespace.
The SET_AUDIT_TRAIL_LOCATION
procedure is not relevant for the AUDIT_TRAIL_OS
, AUDIT_TRAIL_XML
, and AUDIT_TRAIL_FILES
audit trail types. The AUDIT_FILE_DEST
initialization parameter is the only way you can specify the destination directory for these audit trail types.
See Also:
Table 29-1, "DBMS_AUDIT_MGMT Constants - Audit Trail Types" for a list of all audit trail types
"AUDIT_FILE_DEST" in the Oracle Database Reference
DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_LOCATION( audit_trail_type IN PLS_INTEGER, audit_trail_location_value IN VARCHAR2) ;
Table 29-21 SET_AUDIT_TRAIL_LOCATION Procedure Parameters
Parameter | Description |
---|---|
|
The audit trail type for which the audit trail location needs to be set. Audit trail types are listed in Table 29-1, "DBMS_AUDIT_MGMT Constants - Audit Trail Types" |
|
Target location or tablespace for the audit trail records |
The following usage notes apply:
This procedure involves data movement across tablespaces. This can be a resource intensive operation especially if your database audit trail tables are already populated. Oracle recommends that you invoke the procedure during non-peak hours.
You should ensure that the target tablespace, into which the audit trail tables are being moved, has sufficient space to accommodate the audit trail tables. You should also optimize the target tablespace for frequent write operations.
This procedure is valid for the following audit_trail_type
values only:
AUDIT_TRAIL_AUD_STD
AUDIT_TRAIL_FGA_STD
AUDIT_TRAIL_DB_STD
When AUDIT_TRAIL_TYPE
is AUDIT_TRAIL_UNIFIED
, this procedure sets the tablespace for newer audit records in the unified audit trail but does not move the older audit records. Thus, it is not resource intensive for unified audit trail.
The following example moves the database audit trail tables, AUD$
and FGA_LOG$
, from the current tablespace to a user-created tablespace called RECORDS
:
BEGIN DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_LOCATION( audit_trail_type => DBMS_AUDIT_MGMT.AUDIT_TRAIL_DB_STD, audit_trail_location_value => 'RECORDS'); END;
This procedure sets an audit trail property for the audit trail type that is specified.
The procedure sets the properties OS_FILE_MAX_SIZE
, OS_FILE_MAX_AGE
, and FILE_DELETE_BATCH_SIZE
for operating system (OS) and XML audit trail types. The OS_FILE_MAX_SIZE
and OS_FILE_MAX_AGE
properties determine the maximum size and age of an audit trail file before a new audit trail file gets created. The FILE_DELETE_BATCH_SIZE
property specifies the number of audit trail files that are deleted in one batch.
The procedure sets the properties DB_DELETE_BATCH_SIZE
and CLEANUP_INTERVAL
for the database audit trail type. DB_DELETE_BATCH_SIZE
specifies the batch size in which records get deleted from audit trail tables. This ensures that if a cleanup operation gets interrupted midway, the process does not need to start afresh the next time it is invoked. This is because all batches before the last processed batch are already committed.
The CLEANUP_INTERVAL
specifies the frequency, in hours, with which the cleanup procedure is called.
DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_PROPERTY( audit_trail_type IN PLS_INTEGER, audit_trail_property IN PLS_INTEGER, audit_trail_property_value IN PLS_INTEGER) ;
Table 29-22 SET_AUDIT_TRAIL_PROPERTY Procedure Parameters
Parameter | Description |
---|---|
|
The audit trail type for which the property needs to be set. Audit trail types are listed in Table 29-1, "DBMS_AUDIT_MGMT Constants - Audit Trail Types" |
|
The audit trail property that is being set. Audit trail properties are listed in Table 29-2, "DBMS_AUDIT_MGMT Constants - Audit Trail Properties" |
|
The value of the property specified using
|
The following usage notes apply:
The audit trail properties for which you do not explicitly set values use their default values.
If you have set both the OS_FILE_MAX_SIZE
and OS_FILE_MAX_AGE
properties for an operating system (OS) or XML audit trail type, then a new audit trail file gets created depending on which of these two limits is reached first.
For example, let us take a scenario where OS_FILE_MAX_SIZE
is 10000 and OS_FILE_MAX_AGE
is 5. If the operating system audit file is already more than 5 days old and has a size of 9000 KB, then a new audit file is opened. This is because one of the limits has been reached.
The DB_DELETE_BATCH_SIZE
property needs to be individually set for the AUDIT_TRAIL_AUD_STD
and AUDIT_TRAIL_FGA_STD
audit trail types. You cannot set this property collectively using the AUDIT_TRAIL_DB_STD
and AUDIT_TRAIL_ALL
audit trail types.
The DB_DELETE_BATCH_SIZE
property enables you to control the number of audit records that are deleted in one batch. Setting a large value for this parameter requires increased allocation for the undo log space.
The FILE_DELETE_BATCH_SIZE
property needs to be individually set for the AUDIT_TRAIL_OS
and AUDIT_TRAIL_XML
audit trail types. You cannot set this property collectively using the AUDIT_TRAIL_FILES
and AUDIT_TRAIL_ALL
audit trail types.
The FILE_DELETE_BATCH_SIZE
property enables you to control the number of audit files that are deleted in one batch. Setting a very large value may engage the GEN0
background process for a long time.
In Oracle Database Standard Edition, you can only associate the tablespace for unified auditing once. You should perform this association before you generate any audit records for the unified audit trail. The default tablespace is SYSAUX
. After you have associated the tablespace, you cannot modify it on the Standard Edition because the partitioning feature is not supported in the Standard Edition.
The following example calls the SET_AUDIT_TRAIL_PROPERTY
procedure to set the OS_FILE_MAX_SIZE
property for the operating system (OS) audit trail. It sets this property value to 102400. This means that a new audit file gets created every time the current audit file size reaches 100 MB.
BEGIN DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_PROPERTY( audit_trail_type => DBMS_AUDIT_MGMT.AUDIT_TRAIL_OS, audit_trail_property => DBMS_AUDIT_MGMT.OS_FILE_MAX_SIZE, audit_trail_property_value => 102400 /* 100MB*/ ); END;
The following example calls the SET_AUDIT_TRAIL_PROPERTY
procedure to set the OS_FILE_MAX_AGE
property for the operating system (OS) audit trail. It sets this property value to 5. This means that a new audit file gets created every sixth day.
BEGIN DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_PROPERTY( audit_trail_type => DBMS_AUDIT_MGMT.AUDIT_TRAIL_OS, audit_trail_property => DBMS_AUDIT_MGMT.OS_FILE_MAX_AGE, audit_trail_property_value => 5 /* days */); END;
The following example calls the SET_AUDIT_TRAIL_PROPERTY
procedure to set the DB_DELETE_BATCH_SIZE
property for the AUDIT_TRAIL_AUD_STD
audit trail. It sets this property value to 100000. This means that during a cleanup operation, audit records are deleted from the SYS.AUD$
table in batches of size 100000.
BEGIN DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_PROPERTY( audit_trail_type => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD, audit_trail_property => DBMS_AUDIT_MGMT.DB_DELETE_BATCH_SIZE, audit_trail_property_value => 100000 /* delete batch size */); END;
This procedure sets a timestamp indicating when the audit records were last archived. The audit administrator provides the timestamp to be attached to the audit records. The CLEAN_AUDIT_TRAIL Procedure uses this timestamp to decide on the audit records to be deleted.
DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP( audit_trail_type IN PLS_INTEGER, last_archive_time IN TIMESTAMP, rac_instance_number IN PLS_INTEGER DEFAULT NULL, container IN PLS_INTEGER DEFAULT CONTAINER_CURRENT, database_id IN NUMBER DEFAULT NULL, container_guid IN VARCHAR2 DEFAULT NULL);
Table 29-23 SET_LAST_ARCHIVE_TIMESTAMP Procedure Parameters
Parameter | Description |
---|---|
|
The audit trail type for which the timestamp needs to be set. Audit trail types are listed in Table 29-1, "DBMS_AUDIT_MGMT Constants - Audit Trail Types" . |
|
The |
|
The instance number for the Oracle Real Application Clusters (Oracle RAC) instance.The default value is The |
|
Values: |
|
Database ID (DBID) of the audit records to cleanup |
|
Container GUID of the audit records to cleanup |
The following usage notes apply:
The last_archive_time
must be specified in Coordinated Universal Time (UTC) when the audit trail types are AUDIT_TRAIL_AUD_STD
, AUDIT_TRAIL_FGA_STD
, or AUDIT_TRAIL_UNIFIED
. This is because the database audit trails store the timestamps in UTC. UTC is also known as Greenwich Mean Time (GMT).
The last_archive_time
must be specified as the local time zone time when the audit trail types are AUDIT_TRAIL_OS
or AUDIT_TRAIL_XML
. The time zone must be the time zone of the machine where the OS or XML audit files were created. This is because the operating system audit files are cleaned based on the audit file's Last Modification Timestamp property. The Last Modification Timestamp property value is stored in the local time zone of the machine.
The following audit_trail_type
values for valid for this procedure:
AUDIT_TRAIL_AUD_STD
AUDIT_TRAIL_FGA_STD
AUDIT_TRAIL_OS
AUDIT_TRAIL_XML
When using an Oracle Real Application Clusters (Oracle RAC) database, Oracle recommends that you use the Network Time Protocol (NTP) to synchronize individual Oracle RAC nodes.
The following example calls the SET_LAST_ARCHIVE_TIMESTAMP
procedure to set the last archive timestamp for the operating system (OS) audit trail type on Oracle RAC instance 1. It uses the TO_TIMESTAMP
function to convert a character string into a timestamp value.
A subsequent call to the CLEAN_AUDIT_TRAIL Procedure, with use_last_arch_timestamp
set to TRUE
, will delete all those OS audit files from the current AUDIT_FILE_DEST
directory that were modified before 10-Sep-2012 14:10:10.0.
BEGIN DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP( audit_trail_type => DBMS_AUDIT_MGMT.AUDIT_TRAIL_OS, last_archive_time => TO_TIMESTAMP('12-SEP-0714:10:10.0','DD-MON-RRHH24:MI:SS.FF'), rac_instance_number => 1); END;
This procedure sets the interval at which the CLEAN_AUDIT_TRAIL Procedure is called for the purge job specified. The purge job must have already been created using the CREATE_PURGE_JOB Procedure.
DBMS_AUDIT_MGMT.SET_PURGE_JOB_INTERVAL( audit_trail_purge_name IN VARCHAR2, audit_trail_interval_value IN PLS_INTEGER) ;
Table 29-24 SET_PURGE_JOB_INTERVAL Procedure Parameters
Parameter | Description |
---|---|
|
The name of the purge job for which the interval is being set. This is the purge job name that you specified with the CREATE_PURGE_JOB Procedure. |
|
The interval, in hours, at which the clean up procedure should be called. This value modifies the |
Use this procedure to modify the audit_trail_purge_interval
parameter set using the CREATE_PURGE_JOB Procedure.
The following example calls the SET_PURGE_JOB_INTERVAL
procedure to change the frequency at which the purge job called CLEANUP
is invoked. The new interval is set to 24 hours.
BEGIN DBMS_AUDIT_MGMT.SET_PURGE_JOB_INTERVAL( AUDIT_TRAIL_PURGE_NAME => 'CLEANUP', AUDIT_TRAIL_INTERVAL_VALUE => 24 ); END;
This procedure enables or disables the specified purge job. The purge job must have already been created using the CREATE_PURGE_JOB Procedure.
DBMS_AUDIT_MGMT.SET_PURGE_JOB_STATUS( audit_trail_purge_name IN VARCHAR2, audit_trail_status_value IN PLS_INTEGER) ;
Table 29-25 SET_PURGE_JOB_STATUS Procedure Parameters
Parameter | Description |
---|---|
|
The name of the purge job for which the status is being set. This is the purge job name that you specified with the CREATE_PURGE_JOB Procedure. |
|
One of the values specified in DBMS_AUDIT_MGMT Constants - Purge Job Status. The value The value |