Hi, Running version 11gR2 on Linux...
With respect to auditing capability in Oracle Database 11.2.0.4, I would like to ask for some advice on the auditing features and how to manipulate the creation of the associated aud files (to the OS layer).
We have audit_file_dest set appropriately to a filesystem location and audit_sys_operations turned on.
NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
audit_file_dest                      string      /ora/dest/somedir
audit_sys_operations                 boolean     TRUE
audit_syslog_level                   string
audit_trail                          string      XML, EXTENDED
I note that when connecting as SYS user via sqlplus that a single audit trail XML file is created for my session corresponding to my SYS user session ID.
When, from the same SYS sqlplus session, I begin executing statements that warrant an audit operation, i.e. 'ALTER SYSTEM WHATEVER...', the statement and info are appended onto the same previously created audit file?
Is there any way to disseminate or break out the login and subsequent audited statements into individual audit files (from the same user session)?
i.e. Login = auditfile1.xml
i.e. Alter system whatever = auditfile2.xml
i.e. Alter system something else = auditfile3.xml
Background: We are examining using the Splunk application to capture and aggregate this audit data, which will (in batch mode) remove a file as it is created.
Regards
RL
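
Added example, not part of the original post and not Oracle or Splunk code: one way to get the per-event files asked about is to split the per-session file into one standalone file per record, written to a separate directory. The sample XML is constructed, and its element names and namespace, as well as the names `split_audit_file` and `already_emitted`, are assumptions.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample of a per-session audit file. Element names and the
# namespace are assumptions for illustration, not copied from a real trail.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<Audit xmlns="urn:example:audit-trail">
<Version>11.2</Version>
<AuditRecord><Session_Id>4294967295</Session_Id><EntryId>1</EntryId>
<DB_User>/</DB_User><Sql_Text>CONNECT</Sql_Text></AuditRecord>
<AuditRecord><Session_Id>4294967295</Session_Id><EntryId>2</EntryId>
<DB_User>/</DB_User><Sql_Text>ALTER SYSTEM SWITCH LOGFILE</Sql_Text></AuditRecord>
<AuditRecord><Session_Id>4294967295</Session_Id><EntryId>3</EntryId>
<DB_User>/</DB_User><Sql_Text>ALTER SYSTEM CHECKPOINT</Sql_Text></AuditRecord>
</Audit>
"""

def _local(tag):
    """Strip a '{namespace}' prefix so the code works whatever xmlns is declared."""
    return tag.rsplit("}", 1)[-1]

def split_audit_file(src, out_dir, already_emitted=0):
    """Write one standalone XML file per AuditRecord; return the new paths.

    already_emitted lets a caller skip records written on an earlier pass,
    so a session file that has grown is not re-sent from the start.
    """
    src, out_dir = Path(src), Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    root = ET.parse(src).getroot()
    records = [e for e in root if _local(e.tag) == "AuditRecord"]
    written = []
    for n, rec in enumerate(records[already_emitted:], already_emitted + 1):
        for el in rec.iter():
            el.tag = _local(el.tag)  # each output file carries no namespace
        sid = rec.findtext("Session_Id", default="0")
        sid = sid if sid.isdigit() else "0"  # never build a path from raw text
        final = out_dir / f"{src.stem}_{sid}_{n:06d}.xml"
        tmp = final.with_suffix(".tmp")
        ET.ElementTree(rec).write(tmp, encoding="utf-8", xml_declaration=True)
        tmp.rename(final)  # rename last so a watcher never reads a partial file
        written.append(final)
    return written
```

Point the batch input at the output directory rather than audit_file_dest, matching only `*.xml`, so the session file the database is still appending to is never the one that gets removed.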