Auditing CREATE SESSION WHENEVER UNSUCCESSFUL causes additional audits ?
Goal is to audit for failed logins. Therefore enabled auditing (we're going to OS, not DB). And "audit create session whenever unssuccessful".
This does result in audit log files with entries containing "RETURNCODE: "1017" ...which is what was expected. But - we also get NUMEROUS log files with other RETURNCODES which report failures like 6502 (data issues, etc..), and many others. In all cases, the "PRIV$USED" value in the log entry is "5" (which maps to "CREATE SESSION"... but I don't see the relationship/relevance to this being an unsuccessful create session. ? Any thoughts ?
Here's example:=>
SESSIONID: "181341776" ENTRYID: "1" STATEMENT: "613" USERID: "APPS" TERMINAL: "unknown" ACTION: "47" RETURNCODE: "6502" OS$USERID: "applprd" PRIV$USED: 5
User APPS (this is eBusiness) perfoming action 47 (a PLSQL execution) which results in ORA-6502 (numeric or value error). But how is this an unsuccessful "CREATE SESSION" (PRIV$USED=5) ??
thanks for feedback ... Tom