Audit trail files consist of a set of audit records. Each audit record represents a single event. Audit trail files are located in the mount_point/.Security/audit directory.
Audit trail files generated by Oracle ACFS auditing are meant to be available for the following:
Manual review by an Oracle ACFS auditor using text viewing tools
Import into Oracle Audit Vault and Database Firewall
Third party products that can parse and import the audit sources
The audit trail file consists of audit records. There are several different types of audit records, each of which represents a unique type of event and contains the information relevant to diagnosing that event. The types of events are:
The combination of audit record fields entered in the audit trail file depends on the event type.
Each record is written to the audit trail file as a set of field names and values. Depending on the type of record, the number and type of fields may vary. Each field is a name and value pair, written in the form field name:value and followed by an end-of-line character.
The audit record fields that can be present in the audit trail file are described in the following list. The string in parentheses is the field name as it appears in the audit trail log file.
Timestamp (Timestamp): The time at which the event occurred, always specified in UTC. The format for the time stamp is: MM/DD/YYYY HH:MM:SS UTC
Event Code (Event): A code identifying the type of event. For the list of event codes, refer to "File Access Events" and "Privilege Use Events".
Source (Source): Oracle ACFS
User identification (User): The user who triggered the event. On Linux platforms this is the user ID; on Windows this is the user SID.
Group identification (Group): The primary group of the user who triggered the event. On Linux platforms this is the ID of the user's primary group; on Windows this is the SID of the user's primary group.
Process identification (Process): The current process ID.
Host name (Host): The host that recorded the event.
Application name (Application): The application name for the current process.
Realm name (Realm): The name of the realm that was violated, or the realm that is authorized and is protecting the file.
File name (File): The name of the file the user was accessing.
Evaluation Result (Evaluation Result): This field contains information about the result of the command executed. For the list of evaluation result codes, refer to "Evaluation Result Events".
File system ID (FileSystem-ID):
Message (Message): The message field contains information about the command executed and its result.
Example 11-1 shows an example of an audit trail file.
Example 11-1 Sample audit trail file
Timestamp: 06/08/12 11:00:37:616 UTC
Event: ACFS_AUDIT_READ_OP
Source: Oracle_ACFS
User: 0
Group: 0
Process: 1234
Host: slc01hug
Application: cat
Realm: MedicalDataRealm
File: f2.txt
Evaluation Result: ACFS_AUDIT_REALM_VIOLATION
FileSystem-ID: 1079529531
Message: Realm authorization failed for file ops READ

Timestamp: 06/08/12 11:00:37:616 UTC
Event: ACFS_AUDIT_WRITE_OP
Source: Oracle_ACFS
User: 102
Group: 102
Process: 4567
Host: slc01hug
Application: vi
Realm: PayrollRealm,SecuredFiles
File: f2.txt
Evaluation Result: ACFS_AUDIT_REALM_AUTH
FileSystem-ID: 1079529531
Message: Realm authorization succeeded for file ops WRITE

Timestamp: 06/08/12 10:42:20:977 UTC
Event: ACFS_SEC_PREPARE
Source: Oracle_ACFS
User: 507867
Group: 8500
Process: 603
Host: slc01hug
Application: acfsutil.bin
Evaluation Result: ACFS_CMD_SUCCESS
FileSystem-ID: 1079529531
Message: acfsutil sec prepare: ACFS-10627: Mount point '/mnt' is now prepared for security operations.
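The record layout above (one field name:value pair per line, field set varying by event type) is what a third-party importer has to handle. The following is an added example, not Oracle code: it parses a trail into records and pulls out the realm-violation events an auditor would review first. It assumes each record begins with its Timestamp field and uses two of the records from Example 11-1 as constructed input.

```python
"""Parse Oracle ACFS audit trail records and flag realm violations. Added
example, not Oracle code; it assumes one 'Name: value' field per line and
that each record begins with its Timestamp field, as described above."""
# Constructed input: two of the records from Example 11-1, one field per line.
SAMPLE_TRAIL = """\
Timestamp: 06/08/12 11:00:37:616 UTC
Event: ACFS_AUDIT_READ_OP
Source: Oracle_ACFS
User: 0
Group: 0
Process: 1234
Host: slc01hug
Application: cat
Realm: MedicalDataRealm
File: f2.txt
Evaluation Result: ACFS_AUDIT_REALM_VIOLATION
FileSystem-ID: 1079529531
Message: Realm authorization failed for file ops READ
Timestamp: 06/08/12 10:42:20:977 UTC
Event: ACFS_SEC_PREPARE
Source: Oracle_ACFS
User: 507867
Group: 8500
Process: 603
Host: slc01hug
Application: acfsutil.bin
Evaluation Result: ACFS_CMD_SUCCESS
FileSystem-ID: 1079529531
Message: acfsutil sec prepare: ACFS-10627: Mount point '/mnt' is now prepared for security operations.
"""

def parse_audit_trail(text):
    """A Timestamp field opens a new record. Only the first ':' separates
    name from value, so timestamps and messages containing ':' stay intact."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue  # tolerate blank separator lines between records
        name, _, value = line.partition(":")
        if name.strip() == "Timestamp" or not records:
            records.append({})
        records[-1][name.strip()] = value.strip()
    return records

def realm_violations(records):
    """Records an auditor or SIEM rule would alert on: (user, file, realms)."""
    return [(r["User"], r.get("File"), r.get("Realm", "").split(","))
            for r in records
            if r.get("Evaluation Result") == "ACFS_AUDIT_REALM_VIOLATION"]
```

Note that the ACFS_SEC_PREPARE record carries no Realm or File field, so consumers must treat those fields as optional rather than positional.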