Database 12.1 and 11.2 on Windows OS,
Hi, I'd just setup audit_trail=OS scope=spfile and added the following statements to start auditing my database:
AUDIT CREATE USER BY ACCESS;
AUDIT ALTER USER BY ACCESS;
AUDIT DROP USER BY ACCESS;
AUDIT CREATE ROLE BY ACCESS;
AUDIT ALTER ANY ROLE BY ACCESS;
AUDIT DROP ANY ROLE BY ACCESS ;
AUDIT ALTER DATABASE BY ACCESS;
AUDIT ALTER SYSTEM BY ACCESS;
AUDIT AUDIT SYSTEM BY ACCESS;
AUDIT GRANT ANY PRIVILEGE BY ACCESS;
AUDIT GRANT ANY ROLE BY ACCESS;
AUDIT ALTER PROFILE BY ACCESS;
AUDIT CREATE ANY PROCEDURE BY ACCESS;
AUDIT ALTER ANY PROCEDURE BY ACCESS;
AUDIT DROP ANY PROCEDURE BY ACCESS;
AUDIT CREATE PUBLIC DATABASE LINK BY ACCESS;
AUDIT CREATE PUBLIC SYNONYM BY ACCESS;
AUDIT EXECUTE ON DBMS_FGA BY ACCESS;
AUDIT EXECUTE ON DBMS_RLS BY ACCESS;
AUDIT EXECUTE ON DBMS_FILE_TRANSFER BY ACCESS;
AUDIT EXECUTE ON DBMS_SCHEDULER BY ACCESS;
AUDIT EXECUTE ON DBMS_JOB BY ACCESS;
AUDIT SELECT ON SYS.V_$SQL BY ACCESS;
AUDIT SELECT ON SYS.GV_$SQL BY ACCESS;
AUDIT EXECUTE ON SYS.KUPP$PROC BY ACCESS;
AUDIT EXECUTE ON DBMS_XMLGEN BY ACCESS;
AUDIT DROP ANY TABLE;
AUDIT ALTER ANY TABLE;
AUDIT CREATE ANY TABLE;
created a test_audit user and started to create tables, drop tables every action to see if I can view all of this in the MS Event Viewer.
It is supposed when setup the audit_trail to OS that the audit logs not to go any more to SYS.AUD$ ? from now on all audit information will go to Event Viewer?
The Event ID 34 on Event Viewer is so kind of illegible:
Audit trail: LENGTH: "273" SESSIONID:[7] "3840449" ENTRYID:[2] "23" STATEMENT:[3] "123" USERID:[6] "SYSTEM" USERHOST:[15] "AROLIL501823" TERMINAL:[7] "unknown" ACTION:[3] "104" RETURNCODE:[1] "0" AUTH$GRANTEE:[10] "TEST_AUDIT" SYS$OPTIONS:[2] "41" OS$USERID:[9] "user01" DBID:[10] "1279558869" .
How to interpret that log?
Regards