Skip Headers
Oracle® Database Reference
12c Release 1 (12.1)

E17615-23
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Index
Index
Go to Master Index
Master Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
PDF · Mobi · ePub

UNIFIED_AUDIT_TRAIL

When unified auditing is enabled in Oracle Database, the audit records are populated in this new audit trail. This view displays audit records in tabular form by retrieving the audit records from the audit trail.

Be aware that if the audit trail mode is QUEUED, then audit records are not written to disk until the in-memory queues are full. The following procedure explicitly flushes the queues to disk, so that you can see the audit trail records in the UNIFIED_AUDIT_TRAIL view:

EXEC SYS.DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL;

Note:

This view is populated only in an Oracle Database where unified auditing is enabled.
Column Datatype NULL Description
AUDIT_TYPE VARCHAR2(64)   Type of auditing:
  • Standard

  • FineGrainedAudit

  • XS

  • Database Vault

  • Label Security

  • RMAN_AUDIT

  • Datapump

  • Direct path API

SESSIONID NUMBER   Audit session identifier
PROXY_SESSIONID NUMBER   Audit session identifier of proxying session
OS_USERNAME VARCHAR2(30)   Name of the operating system user for the database session
USERHOST VARCHAR2(128)   Name of the host machine from which the session was spawned
TERMINAL VARCHAR2(30)   The operating system terminal of the user session
INSTANCE_ID NUMBER   Instance number as specified in the initialization parameter file, init.ora
DBID NUMBER   Database identifier of the audited database
AUTHENTICATION_TYPE VARCHAR2(1024)   Type of authentication for the session user
DBUSERNAME VARCHAR2(30)   Database user name of the user whose actions were audited
DBPROXY_USERNAME VARCHAR2(30)   Proxying user name, in the case of proxy authentication
EXTERNAL_USERID VARCHAR2(1024)   External user name, in the case of network or external authentication
GLOBAL_USERID VARCHAR2(32)   Global user identifier for the user, for a user logged in as an enterprise user
CLIENT_PROGRAM_NAME VARCHAR2(48)   Name of the program used for the database session
DBLINK_INFO VARCHAR2(4000)   Value of SYS_CONTEXT('USERENV','DBLINK_INFO'). Valid if the connection was via a database link.
XS_USER_NAME VARCHAR2(128)   Name of the Real Application Security user
XS_SESSIONID RAW(33)   Identifer of the Real Application Security session
ENTRY_ID NUMBER   Numeric ID for each audit trail entry in the session
STATEMENT_ID NUMBER   Numeric ID for each statement run (a statement may cause many actions)
EVENT_TIMESTAMP TIMESTAMP(6) WITH LOCAL TIME ZONE   Timestamp of the creation of the audit trail entry in UTC
ACTION_NAME VARCHAR2(64)   Name of the action executed by the user. The name should be read in conjunction with the AUDIT_TYPE to understand the real action.
RETURN_CODE NUMBER   Oracle error code generated by the action. Zero if the action succeeded
OS_PROCESS VARCHAR2(16)   Operating system process identifier of the Oracle database process
TRANSACTION_ID RAW(8)   Transaction identifier of the transaction in which the object is modified
SCN NUMBER   System change number (SCN) of the query at the time of the event
EXECUTION_ID VARCHAR2(64)   Execution context identifier for each action
OBJECT_SCHEMA VARCHAR2(30)   Schema name of object affected by the action
OBJECT_NAME VARCHAR2(128)   Name of the object affected by the action
SQL_TEXT CLOB   SQL associated with the event
SQL_BINDS CLOB   List of bind variables, if any, associated with SQL_TEXT
APPLICATION_CONTEXTS VARCHAR2(4000)   Semicolon-seperated list of Application Context Namespace, Attribute, Value information in (APPCTX_NSPACE,APPCTX_ATTRIBUTE=<value>) format
CLIENT_IDENTIFIER VARCHAR2(64)   Client identifier in each Oracle session
NEW_SCHEMA VARCHAR2(30)   The schema of the object named in the NEW_NAME column
NEW_NAME VARCHAR2(128)   New name of object after RENAME, or name of underlying object (for example, CREATE INDEX owner.obj_name ON new_owner.new_name)
OBJECT_EDITION VARCHAR2(30)   Name of the edition containing the audited object
SYSTEM_PRIVILEGE_USED VARCHAR2(1024)   Comma-separated list of system privileges used to execute the action
SYSTEM_PRIVILEGE VARCHAR2(40)   System privilege granted/revoked by a GRANT/REVOKE statement
AUDIT_OPTION VARCHAR2(40)   AUDIT/NOAUDIT SQL command
OBJECT_PRIVILEGES VARCHAR2(19)   Object privileges granted/revoked by a GRANT/REVOKE statement
ROLE VARCHAR2(30)   Roles granted or revoked or set by GRANT/REVOKE/SET ROLE command
TARGET_USER VARCHAR2(30)   User on whom the GRANT/REVOKE/AUDIT/NOAUDIT statement was executed
EXCLUDED_USER VARCHAR2(30)   User who was excluded when the AUDIT/NOAUDIT statement was executed
EXCLUDED_SCHEMA VARCHAR2(30)   Displays the schema of the excluded objects
EXCLUDED_OBJECT VARCHAR2(128)   Displays object excluded from the action
ADDITIONAL_INFO VARCHAR2(4000)   Text comment on the audit trail entry, if any
UNIFIED_AUDIT_POLICIES VARCHAR2(4000)   Lists the audit policies that caused the current audit record. For example, if SELECT ON SCOTT.EMP was configured from policy SCOTT_EMP_POL, for the SELECT event this column will display SCOTT_EMP_POL.

If more than one policy was configured, the list of policies that caused the event to be recorded in the audit trail are displayed in a comma-separated list.

FGA_POLICY_NAME VARCHAR2(30)   Fine-grained auditing (FGA) policy name that generated this FGA audit record
XS_INACTIVITY_TIMEOUT NUMBER   Inactivity timeout of the Real Application Security session
XS_ENTITY_TYPE VARCHAR2(32)   Type of the Real Application Security entity. Possible values are USER, ROLE, ROLESET, SECURITYCLASS, ACL, DATASECURITY, and NSTEMPLATE.
XS_TARGET_PRINCIPAL_NAME VARCHAR2(30)   Target principal name in Real Application Security operations. Possible operations are set verifier, set password, add proxy, remove proxy, switch user, assign user, create session,and grant roles.
XS_PROXY_USER_NAME VARCHAR2(30)   Name of the Real Application Security proxy user
XS_DATASEC_POLICY_NAME VARCHAR2(30)   Name of the Real Application Security data security policy enabled or disabled
XS_SCHEMA_NAME VARCHAR2(30)   Name of the schema in enable, disable data security policy and global callback operation
XS_CALLBACK_EVENT_TYPE VARCHAR2(32)   Real Application Security global callback event type
XS_PACKAGE_NAME VARCHAR2(30)   Real Application Security callback package name for the global callback
XS_PROCEDURE_NAME VARCHAR2(30)   Real Application Security callback procedure name for the global callback
XS_ENABLED_ROLE VARCHAR2(30)   The role that is enabled
XS_COOKIE VARCHAR2(1024)   Real Application Security session cookie
XS_NS_NAME VARCHAR2(30)   Name of the Real Application Security session namespace
XS_NS_ATTRIBUTE VARCHAR2(4000)   Name of the Real Application Security session namespace attribute
XS_NS_ATTRIBUTE_OLD_VAL VARCHAR2(4000)   The old value of the Real Application Security session namespace attribute
XS_NS_ATTRIBUTE_NEW_VAL VARCHAR2(4000)   The new value of the Real Application Security session namespace
DV_ACTION_CODE NUMBER   Numeric action type code for Database Vault
DV_ACTION_NAME VARCHAR2(30)   Name of the action whose numeric code appears in the DV_ACTION_CODE column
DV_EXTENDED_ACTION_CODE NUMBER   Numeric action type code for Database Vault administration
DV_GRANTEE VARCHAR2(30)   Name of the user whose Database Vault authorization was modified
DV_RETURN_CODE NUMBER   Database Vault specific error code
DV_ACTION_OBJECT_NAME VARCHAR2(128)   The unique name of the Database Vault object that was modified
DV_RULE_SET_NAME VARCHAR2(90)   The unique name of the rule set that was executing and caused the audit event to trigger
DV_COMMENT VARCHAR2(4000)   Text comment on the audit trail entry, providing more information about the statement audited
DV_FACTOR_CONTEXT VARCHAR2(4000)   An XML document that contains all of the factor identifiers for the current session at the point when the audit event was triggered
DV_OBJECT_STATUS VARCHAR2(1)   Indicates whether a particular Database Vault object is enabled or disabled. For example, if a Database Vault administrator enables or disables a realm, then this event will be audited and the DV_OBJECT_STATUS value will show the status of the realm after the event occurred. Possible values for this column are:
  • Y - The object is enabled

  • N - The object is disabled

OLS_POLICY_NAME VARCHAR2(30)   Name of the Oracle Label Security (OLS) policy for which this audit record is generated
OLS_GRANTEE VARCHAR2(30)   Name of the user whose OLS authorization was modified
OLS_MAX_READ_LABEL VARCHAR2(4000)   Maximum read label assigned to a user
OLS_MAX_WRITE_LABEL VARCHAR2(4000)   Maximum write label assigned to a user
OLS_MIN_WRITE_LABEL VARCHAR2(4000)   Minimum write label assigned to a user
OLS_PRIVILEGES_GRANTED VARCHAR2(30)   OLS privileges assigned to a user or a trusted stored procedure
OLS_PROGRAM_UNIT_NAME VARCHAR2(30)   Name of the trusted stored procedure whose authorization was modified or was executed
OLS_PRIVILEGES_USED VARCHAR2(128)   OLS privileges used for an event
OLS_STRING_LABEL VARCHAR2(4000)   String representation of the OLS label
OLS_LABEL_COMPONENT_TYPE VARCHAR2(12)   Type of the OLS label component
OLS_LABEL_COMPONENT_NAME VARCHAR2(30)   Name of the OLS label component
OLS_PARENT_GROUP_NAME VARCHAR2(30)   Name of the parent of the OLS group
OLS_OLD_VALUE VARCHAR2(4000)   Old value for OLS ALTER events
OLS_NEW_VALUE VARCHAR2(4000)   New value for OLS ALTER events
RMAN_SESSION_RECID NUMBER   RMAN session identifier. Together with RMAN_SESSION_STAMP uniquely identifies an RMAN job (note that this is not same as user session ID; the value is a recid in controlfile that identifies RMAN job)
RMAN_SESSION_STAMP NUMBER   Timestamp for the session
RMAN_OPERATION VARCHAR2(20)   The RMAN operation executed by the job. One row will be added for each distinct operation within an RMAN session. For example, a backup job would contain BACKUP in the RMAN_OPERATION column.
RMAN_OBJECT_TYPE VARCHAR2(20)   Type of objects involved for backup or restore/recover or change/delete/crosscheck commands.

It contains one of the following values. If RMAN command does not satisfy one of them, then preference is given in order, from top to bottom of the list:

  • DB FULL

  • RECVR AREA

  • DB INCR

  • DATAFILE FULL

  • DATAFILE INCR

  • ARCHIVELOG

  • CONTROLFILE

  • SPFILE

RMAN_DEVICE_TYPE VARCHAR2(5)   Device involved in the RMAN job. It may be DISK or SBT_TAPE or * (An * indicates that more than one location is involved).

For a backup job, it will be the output device type. For other commands (such as restore or crosscheck), it will be the input device type.

DP_TEXT_PARAMETERS1 VARCHAR2(512)   Parameters during a Data Pump operation that have a text/string value. This may contain the values for:
  • ACCESS METHODS

  • DATA OPTIONS

  • DUMPER DIRECTORY

  • JOB_TYPE

  • JOB VERSION

  • MASTER TABLE

  • METADATA_JOB_MODE

  • PARTITION OPTIONS

  • REMOTE LINK

  • TABLE EXISTS

For descriptions and more information about the settings that can appear for these Data Pump text parameters, see Table 6-2, "Data Pump Text Parameter Descriptions".

DP_BOOLEAN_PARAMETERS1 VARCHAR2(512)   Parameters during a Data Pump operation that have a boolean value. This may contain the values for:
  • DATA_ONLY - Boolean value for whether or not the operation processed data only (as opposed to metadata only, or metadata and data combined)

  • DUMPFILE_PRESENT - Denotes whether a dump file exists. Typically, it indicates whether a network export in which no dumpfile is required.

  • JOB_RESTARTED - Boolean that indicates if the export or import job had to be restarted

  • MASTER_ONLY - Indicates whether the import job imported just the master table and then stopped the job so that the contents of the master table can be examined

  • METADATA_ONLY - Boolean value for whether or not the operation processed metadata only (as opposed to data only, or metadata and data combined)

DIRECT_PATH_NUM_COLUMNS_LOADED NUMBER   Shows the number of columns that were loaded using the SQL*Loader direct path load method

Table 6-2 Data Pump Text Parameter Descriptions

Parameter Description

ACCESS METHOD

The method used to load the data. Settings can be:

  • AUTOMATIC: Enables Oracle Data Pump to determine the optimal load method

  • DIRECT_PATH : Uses the direct path API to pass the data to be loaded.

  • EXTERNAL_TABLE: Loads data using the external tables option.

  • CONVENTIONAL: Loads the data using SQL INSERT statements

DATA OPTIONS

Indicates how certain types of data were handled during import operations. Settings are in bit-mask format, which are as follows:

  • 1 (SKIP_CONSTRAINT_ERRORS): Specifies that the import operation proceeded even if non-deferred constraint violations were encountered.

  • 2 (XML_CLOBS): Allows for the export of the XML type data as a CLOB. This setting is deprecated in Oracle Database 12c Release 1 (12.1). See Oracle Database Utilities for more information.

  • 8 (DISABLE_APPEND_HINT): The import operation did not use the APPEND hint while loading a data object.

  • 16 (REJECT_ROWS_WITH_REPL_CHAR): Warnings are issued when the replacement character may be used and an option was added to reject data rows where the replacement character was used during a Data Pump import. This situation can occur if different character sets are used for the export/import process

DUMPER DIRECTORY

Not in use

JOB_TYPE

Is either EXPORT or IMPORT

JOB VERSION

Specifies the version of database objects that were imported

MASTER TABLE

Indicates the name of the master table. By default, it appears as follows for export operations:

schema_name.SYS_EXPORT_TABLE_n

For import operations, it appears as follows:

schema_name.SYS_IMPORT_TABLE_n

The n represents a numeric value of 01. If 01 is in use, the number is incremented with 02, 03, and so on.

METADATA_JOB_MODE

Type of export or import operation. For example a table export would be TABLE_EXPORT

PARTITION OPTIONS

Indicates how table partitions were created during an import operation. Settings can be:

  • NONE: The tables were created as they existed on the system from which the export operation was performed.

  • DEPARTITION: Each partition or subpartition was promoted to a new individual table.

  • MERGE: All partitions and subpartitions were merged into one table

REMOTE LINK

Indicates that the export was performed from a (source) database identified by a valid database link. The data from the source database instance was written to a dump file set on the connected database instance.

TABLE EXISTS

Indicates the action that was taken on an import operation when the target table already existed. The values are as follows:

  • REPLACE

  • TRUNCATE

  • SKIP

  • APPEND


See Also:

Oracle Database PL/SQL Packages and Types Reference for more information about the DBMS_AUDIT_MGMT package