Audit Flag Syntax
Depending on the prefixes, a class of events can be audited whether it succeeds or fails, or only if it succeeds, or only if it fails. The format of the audit flag is shown here.
prefixflag
Table 2-3 shows prefixes that specify whether the audit class is audited for success or failure or both.
Table 2-3 Prefixes Used in Audit Flags|
Prefix |
Definition |
|---|---|
|
none | |
|
+ |
Audit for success only |
|
- |
Audit for failure only |
To give an example of how these work together, the audit flag lo means "all successful attempts to log in and log out and all failed attempts to log in." (You cannot fail an attempt to logout.) For another example, the -all flag refers to all failed attempts of any kind, and the +all flag refers to all successful attempts of any kind.
Caution - The -all flag can generate large amounts of data and fill up audit file systems quickly, so use it only if you have extraordinary reasons to audit everything.
- © 2010, Oracle Corporation and/or its affiliates