C Sybase Adaptive Server Enterprise Audit Events

This appendix contains:

About the Sybase Adaptive Server Enterprise Audit Events
Account Management Events
Application Management Events
Audit Command Events
Data Access Events
Exception Events
Invalid Record Events
Object Management Events
Peer Association Events
Role and Privilege Management Events
Service and Application Utilization Events
System Management Events
Unknown or Uncategorized Events
User Session Events

C.1 About the Sybase Adaptive Server Enterprise Audit Events

This appendix lists the audit event names and IDs, and the attribute names and data types for Sybase Adaptive Server Enterprise (ASE). The audit events are organized by their respective categories; for example, Account Management. You can use these audit events as follows:

For alerts. When you create an alert, you can specify an audit event, based on its category, that can trigger the alert. See "Creating an Alert" for more information.
For custom reports using third-party tools. If you want to create custom reports using other Oracle Database reporting products or third-party tools, refer to the tables in this appendix when you design the reports. See Chapter 4, "Oracle Audit Vault Data Warehouse Schema" for more information about custom reports created with third-party tools.

C.2 Account Management Events

Account management events track Transact-SQL commands that affect user accounts, such as the UNLOCK ADMIN ACCOUNT command. The Account Management Report, described in Section 3.4.1, uses these events.

Table C-1 lists the Sybase ASE account management events and event IDs.

Table C-1 Sybase ASE Account Management Events and Event IDs

Event Name	Event ID
`Login Command`	`CREATE LOGIN COMMAND` `DROP LOGIN COMMAND`
`Set SSA Command`	`SET SSA COMMAND`
`SSO Changed Password`	`SSO CHANGED PASSWORD`
`Unlock Admin Account`	`UNLOCK ADMIN ACCOUNT`

Table C-2 lists the Sybase ASE account management event attributes.

Table C-2 Sybase ASE Account Management Event Attributes

Attribute Name	Data Type
`COMMENT_TEXT`	`VARCHAR2(4000)`
`CONTEXTID`	`VARCHAR2(4000)`
`CURRENT_VALUE`	`VARCHAR2(4000)`
`DATABASE_ID`	`NUMBER`
`DATABASE_NAME`	`VARCHAR2(4000)`
`ENDUSER`	`VARCHAR2(4000)`
`EVENT_MOD`	`VARCHAR2(4000)`
`EVENT_STATUS`	`VARCHAR2(30)`
`EVENT_TIME`	`TIMESTAMP WITH LOCAL TIME ZONE`
`HOST_ID`	`VARCHAR2(255)`
`HOST_NAME`	`VARCHAR2(255)`
`HOST_TERMINAL`	`VARCHAR2(255)`
`KEYWORD`	`VARCHAR2(4000)`
`OBJECT_ID`	`NUMBER`
`OSUSER_NAME`	`VARCHAR2(4000)`
`PARENT_CONTEXTID`	`VARCHAR2(4000)`
`PREVIOUS_VALUE`	`VARCHAR2(4000)`
`PRIVILEGES_USED`	`VARCHAR2(4000)`
`PROCESS#`	`NUMBER`
`PROXY_INFORMATION`	`VARCHAR2(4000)`
`SEQUENCE`	`VARCHAR2(4000)`
`SOURCE_EVENTID`	`VARCHAR2(255)`
`SUB_CONTEXTID`	`VARCHAR2(4000)`
`TARGET_OBJECT`	`VARCHAR2(4000)`
`TARGET_OWNER`	`VARCHAR2(4000)`
`THREAD#`	`NUMBER`
`TOOLS_USED`	`VARCHAR2(4000)`
`USER_GUID`	`VARCHAR2(4000)`
`USERNAME`	`VARCHAR2(4000)`

C.3 Application Management Events

Application management events track actions that were performed on the underlying Transact-SQL commands of system services and applications, such as the CREATE RULE command. The Procedure Management Report, described in Section 3.4.4, uses these events.

Table C-3 lists the Sybase ASE application management events and event IDs.

Table C-3 Sybase ASE Application Management Events and Event IDs

Event Name	Event ID
`Create Default`	`CREATE DEFAULT`
`Create Message`	`CREATE MESSAGE`
`Create Procedure`	`CREATE PROCEDURE`
`Create Rule`	`CREATE RULE`
`Create SQLJ Function`	`CREATE SQLJ FUNCTION`
`Create Trigger`	`CREATE TRIGGER`
`Drop Default`	`DROP DEFAULT`
`Drop Message`	`DROP MESSAGE`
`Drop Procedure`	`DROP PROCEDURE`
`Drop Rule`	`DROP RULE`
`Drop SQLJ Function`	`DROP SQLJ FUNCTION`
`Drop Trigger`	`DROP TRIGGER`

Table C-4 lists the Sybase ASE application management event attributes.

Table C-4 Sybase ASE Application Management Event Attributes

Attribute Name	Data Type
`ASSOCIATED_OBJECT_NAME`	`VARCHAR2(4000)`
`ASSOCIATED_OBJECT_OWNER`	`VARCHAR2(4000)`
`COMMENT_TEXT`	`VARCHAR2(4000)`
`CONTEXTID`	`VARCHAR2(4000)`
`CURRENT_VALUE`	`VARCHAR2(4000)`
`DATABASE_ID`	`NUMBER`
`DATABASE_NAME`	`VARCHAR2(4000)`
`ENDUSER`	`VARCHAR2(4000)`
`EVENT_MOD`	`VARCHAR2(4000)`
`EVENT_STATUS`	`VARCHAR2(30)`
`EVENT_TIME`	`TIMESTAMP WITH LOCAL TIME ZONE`
`HOST_IP`	`VARCHAR2(255)`
`HOST_NAME`	`VARCHAR2(255)`
`HOST_TERMINAL`	`VARCHAR2(255)`
`KEYWORD`	`VARCHAR2(4000)`
`NEW_OBJECT_NAME`	`VARCHAR2(4000)`
`NEW_OBJECT_OWNER`	`VARCHAR2(4000)`
`OBJECT_ID`	`NUMBER`
`OSUSER_NAME`	`VARCHAR2(4000)`
`PARENT_CONTEXTID`	`VARCHAR2(4000)`
`PREVIOUS_VALUE`	`VARCHAR2(4000)`
`PRIVILEGES_USED`	`VARCHAR2(4000)`
`PROCESS#`	`NUMBER`
`PROXY_INFORMATION`	`VARCHAR2(4000)`
`SEQUENCE`	`VARCHAR2(4000)`
`SOURCE_EVENTID`	`VARCHAR2(255)`
`SUB_CONTEXTID`	`VARCHAR2(4000)`
`TARGET_OBJECT`	`VARCHAR2(4000)`
`TARGET_OWNER`	`VARCHAR2(4000)`
`THREAD#`	`NUMBER`
`TOOLS_USED`	`VARCHAR2(4000)`
`USER_GUID`	`VARCHAR2(4000)`
`USERNAME`	`VARCHAR2(4000)`

C.4 Audit Command Events

Audit command events track the use of auditing Transact-SQL commands on other Transact-SQL commands and on database objects. The Audit Command Report, described in Section 3.4.2, uses these events.

Table C-5 lists the Sybase ASE audit command events and event IDs.

Table C-5 Sybase ASE Audit Command Events and Event IDs

Event Name	Event ID
`Auditing Disabled`	`AUDITING DISABLED`
`Auditing Enabled`	`AUDITING ENABLED`

Table C-6 lists the Sybase ASE audit command event attributes.

Table C-6 Sybase ASE Audit Command Event Attributes

Attribute Name	Data Type
`AUDIT_OPTION`	`VARCHAR2(4000)`
`COMMENT_TEXT`	`VARCHAR2(4000)`
`CONTEXTID`	`VARCHAR2(4000)`
`CURRENT_VALUE`	`VARCHAR2(4000)`
`DATABASE_ID`	`NUMBER`
`DATABASE_NAME`	`VARCHAR2(4000)`
`ENDUSER`	`VARCHAR2(4000)`
`EVENT_MOD`	`VARCHAR2(4000)`
`EVENT_STATUS`	`VARCHAR2(30)`
`EVENT_TIME`	`TIMESTAMP WITH LOCAL TIME ZONE`
`HOST_IP`	`VARCHAR2(255)`
`HOST_NAME`	`VARCHAR2(255)`
`HOST_TERMINAL`	`VARCHAR2(255)`
`KEYWORD`	`VARCHAR2(4000)`
`OBJECT_ID`	`NUMBER`
`OSUSER_NAME`	`VARCHAR2(4000)`
`PARENT_CONTEXTID`	`VARCHAR2(4000)`
`PREVIOUS_VALUE`	`VARCHAR2(4000)`
`PRIVILEGES_USED`	`VARCHAR2(4000)`
`PROCESS#`	`NUMBER`
`PROXY_INFORMATION`	`VARCHAR2(4000)`
`SEQUENCE`	`VARCHAR2(4000)`
`SOURCE_EVENTID`	`VARCHAR2(255)`
`SUB_CONTEXTID`	`VARCHAR2(4000)`
`TARGET_OBJECT`	`VARCHAR2(4000)`
`TARGET_OWNER`	`VARCHAR2(4000)`
`THREAD#`	`NUMBER`
`TOOLS_USED`	`VARCHAR2(4000)`
`USER_GUID`	`VARCHAR2(4000)`
`USERNAME`	`VARCHAR2(4000)`

C.5 Data Access Events

Data access events track audited Transact-SQL commands, such as all SELECT TABLE, INSERT TABLE, or UPDATE TABLE commands. The Data Access Report, described in Section 3.3.2, uses these events.

Table C-7 lists the Sybase ASE data access events and event IDs.

Table C-7 Sybase ASE Data Access Events and Event IDs

Event Name	Event ID
`Access To Audit Table`	`ACCESS TO AUDIT TABLE`
`BCP In`	`BCP IN`
`Delete Table`	`DELETE TABLE`
`Delete View`	`DELETE VIEW`
`Insert Table`	`INSERT TABLE`
`Insert View`	`INSERT VIEW`
`Select Table`	`SELECT TABLE`
`Select View`	`SELECT VIEW`
`Truncate Table`	`TRUNCATE TABLE`
`Truncation of audit table`	`TRUNCATION OF AUDIT TABLE`
`Update Table`	`UPDATE TABLE`
`Update View`	`UPDATE VIEW`

Table C-8 lists the Sybase ASE data access event attributes.

Table C-8 Sybase ASE Data Access Event Attributes

Attribute Name	Data Type
`COMMENT_TEXT`	`VARCHAR2(4000)`
`CONTEXTID`	`VARCHAR2(4000)`
`CURRENT_VALUE`	`VARCHAR2(4000)`
`DATABASE_ID`	`NUMBER`
`DATABASE_NAME`	`VARCHAR2(4000)`
`ENDUSER`	`VARCHAR2(4000)`
`EVENT_MOD`	`VARCHAR2(4000)`
`EVENT_STATUS`	`VARCHAR2(30)`
`EVENT_TIME`	`TIMESTAMP WITH LOCAL TIME ZONE`
`HOST_IP`	`VARCHAR2(255)`
`HOST_NAME`	`VARCHAR2(255)`
`HOST_TERMINAL`	`VARCHAR2(255)`
`KEYWORD`	`VARCHAR2(4000)`
`OBJECT_ID`	`NUMBER`
`OSUSER_NAME`	`VARCHAR2(4000)`
`PARENT_CONTEXTID`	`VARCHAR2(4000)`
`PREVIOUS_VALUE`	`VARCHAR2(4000)`
`PRIVILEGES_USED`	`VARCHAR2(4000)`
`PROCESS#`	`NUMBER`
`PROXY_INFORMATION`	`VARCHAR2(4000)`
`SEQUENCE`	`VARCHAR2(4000)`
`SOURCE_EVENTID`	`VARCHAR2(255)`
`SUB_CONTEXTID`	`VARCHAR2(4000)`
`TARGET_OBJECT`	`VARCHAR2(4000)`
`TARGET_OWNER`	`VARCHAR2(4000)`
`THREAD#`	`NUMBER`
`TOOLS_USED`	`VARCHAR2(4000)`
`USER_GUID`	`VARCHAR2(4000)`
`USERNAME`	`VARCHAR2(4000)`

C.6 Exception Events

Exception events track audited error and exception activity, such as network errors. The Exception Activity Report, described in Section 3.5.1, uses these events.

Table C-9 lists Sybase ASE exception events and event IDs.

Table C-9 Sybase ASE Exception Events and Event IDs

Event Name	Event ID
`Fatal Error`	`FATAL ERROR`
`Nonfatal Error`	`NONFATAL ERROR`

Table C-10 lists the Sybase ASE exception event attributes.

Table C-10 Sybase ASE Exception Event Attributes

Attribute Name	Data Type
`COMMENT_TEXT`	`VARCHAR2(4000)`
`CONTEXTID`	`VARCHAR2(4000)`
`CURRENT_VALUE`	`VARCHAR2(4000)`
`DATABASE_ID`	`NUMBER`
`DATABASE_NAME`	`VARCHAR2(4000)`
`ENDUSER`	`VARCHAR2(4000)`
`EVENT_MOD`	`VARCHAR2(4000)`
`EVENT_STATUS`	`VARCHAR2(30)`
`EVENT_TIME`	`TIMESTAMP WITH LOCAL TIME ZONE`
`HOST_IP`	`VARCHAR2(255)`
`HOST_NAME`	`VARCHAR2(255)`
`HOST_TERMINAL`	`VARCHAR2(255)`
`KEYWORD`	`VARCHAR2(4000)`
`OBJECT_ID`	`NUMBER`
`OSUSER_NAME`	`VARCHAR2(4000)`
`PARENT_CONTEXTID`	`VARCHAR2(4000)`
`PREVIOUS_VALUE`	`VARCHAR2(4000)`
`PRIVILEGES_USED`	`VARCHAR2(4000)`
`PROCESS#`	`NUMBER`
`PROXY_INFORMATION`	`VARCHAR2(4000)`
`SEQUENCE`	`VARCHAR2(4000)`
`SOURCE_EVENTID`	`VARCHAR2(255)`
`SUB_CONTEXTID`	`VARCHAR2(4000)`
`TARGET_OBJECT`	`VARCHAR2(4000)`
`TARGET_OWNER`	`VARCHAR2(4000)`
`THREAD#`	`NUMBER`
`TOOLS_USED`	`VARCHAR2(4000)`
`USER_GUID`	`VARCHAR2(4000)`
`USERNAME`	`VARCHAR2(4000)`

C.7 Invalid Record Events

Invalid record events track audited activity that Oracle Audit Vault cannot recognize, possibly due to a corrupted audit record. The Invalid Audit Record Report, described in Section 3.5.2, uses these events.

Table C-11 lists Sybase ASE invalid record event attributes.

Table C-11 Sybase ASE Invalid Record Event Attributes

Attribute Name	Data Type
`COMMENT_TEXT`	`VARCHAR2(4000)`
`CONTEXTID`	`VARCHAR2(4000)`
`CURRENT_VALUE`	`VARCHAR2(4000)`
`DATABASE_ID`	`NUMBER`
`DATABASE_NAME`	`VARCHAR2(4000)`
`ENDUSER`	`VARCHAR2(4000)`
`ERROR_ID`	`NUMBER`
`ERROR_MESSAGE`	`VARCHAR2(30)`
`EVENT_MOD`	`VARCHAR2(4000)`
`EVENT_STATUS`	`VARCHAR2(30)`
`EVENT_TIME`	`TIMESTAMP WITH LOCAL TIME ZONE`
`HOST_IP`	`VARCHAR2(255)`
`HOST_NAME`	`VARCHAR2(255)`
`HOST_TERMINAL`	`VARCHAR2(255)`
`KEYWORD`	`VARCHAR2(4000)`
`MODULE_NAME`	`VARCHAR2(100)`
`OBJECT_ID`	`NUMBER`
`ORIGINAL_CONTENT2`	`VARCHAR2(4000)`
`ORIGINAL_CONTENT3`	`VARCHAR2(4000)`
`OSUSER_NAME`	`VARCHAR2(4000)`
`PARENT_CONTEXTID`	`VARCHAR2(4000)`
`PREVIOUS_VALUE`	`VARCHAR2(4000)`
`PRIVILEGES_USED`	`VARCHAR2(4000)`
`PROCESS#`	`NUMBER`
`PROXY_INFORMATION`	`VARCHAR2(4000)`
`SEQUENCE`	`VARCHAR2(4000)`
`SEVERITY`	`NUMBER`
`SOURCE_EVENTID`	`VARCHAR2(255)`
`SUB_CONTEXTID`	`VARCHAR2(4000)`
`TARGET_OBJECT`	`VARCHAR2(4000)`
`TARGET_OWNER`	`VARCHAR2(4000)`
`THREAD#`	`NUMBER`
`TOOLS_USED`	`VARCHAR2(4000)`
`USER_GUID`	`VARCHAR2(4000)`
`USERNAME`	`VARCHAR2(4000)`

C.8 Object Management Events

Object management events track audited actions performed on database objects, such as CREATE TABLE commands. The Object Management Report, described in Section 3.4.3, uses these events.

Table C-12 lists the Sybase ASE object management events and event IDs.

Table C-12 Sybase ASE Object Management Events and Event IDs

Event Name	Event ID
`Access To Database`	`ACCESS TO DATABASE`
`Alter Table`	`ALTER TABLE`
`Bind Default`	`BIND DEFAULT`
`Bind Message`	`BIND MESSAGE`
`Bind Rule`	`BIND RULE`
`Create Index`	`CREATE INDEX`
`Create Table`	`CREATE TABLE`
`Create View`	`CREATE VIEW`
`Drop Index`	`DROP INDEX`
`Drop Table`	`DROP TABLE`
`Drop View`	`DROP VIEW`
`Unbind Default`	`UNBIND DEFAULT`
`Unbind Message`	`UNBIND MESSAGE`
`Unbind Rule`	`UNBIND RULE`

Table C-13 lists the Sybase ASE object management event attributes.

Table C-13 Sybase ASE Object Management Event Attributes

Attribute Name	Data Type
`ASSOCIATED_OBJECT_NAME`	`VARCHAR2(4000`)
`ASSOCIATED_OBJECT_OWNER`	`VARCHAR2(4000)`
`COMMENT_TEXT`	`VARCHAR2(4000)`
`CONTEXTID`	`VARCHAR2(4000)`
`CURRENT_VALUE`	`VARCHAR2(4000)`
`DATABASE_ID`	`NUMBER`
`DATABASE_NAME`	`VARCHAR2(4000)`
`ENDUSER`	`VARCHAR2(4000)`
`EVENT_MOD`	`VARCHAR2(4000)`
`EVENT_STATUS`	`VARCHAR2(30)`
`EVENT_TIME`	`TIMESTAMP WITH LOCAL TIME ZONE`
`HOST_IP`	`VARCHAR2(255)`
`HOST_NAME`	`VARCHAR2(255)`
`HOST_TERMINAL`	`VARCHAR2(255)`
`KEYWORD`	`VARCHAR2(4000)`
`NEW_OBJECT_NAME`	`VARCHAR2(4000)`
`NEW_OBJECT_OWNER`	`VARCHAR2(4000)`
`OBJECT_ID`	`NUMBER`
`OSUSER_NAME`	`VARCHAR2(4000)`
`PARENT_CONTEXTID`	`VARCHAR2(4000)`
`PREVIOUS_VALUE`	`VARCHAR2(4000)`
`PRIVILEGES_USED`	`VARCHAR2(4000)`
`PROCESS#`	`NUMBER`
`PROXY_INFORMATION`	`VARCHAR2(4000)`
`SEQUENCE`	`VARCHAR2(4000)`
`SOURCE_EVENTID`	`VARCHAR2(255)`
`SUB_CONTEXTID`	`VARCHAR2(4000)`
`TARGET_OBJECT`	`VARCHAR2(4000)`
`TARGET_OWNER`	`VARCHAR2(4000)`
`THREAD#`	`NUMBER`
`TOOLS_USED`	`VARCHAR2(4000)`
`USER_GUID`	`VARCHAR2(4000)`
`USERNAME`	`VARCHAR2(4000)`

C.9 Peer Association Events

Peer association events track database link commands. The Distributed Database Report, described in Section 3.3.4, uses these events. (These events do not have any event names or event IDs; they only contain event attributes.)

Table C-14 lists the Sybase ASE peer association event attributes.

Table C-14 Sybase ASE Peer Association Event Attributes

Attribute Name	Data Type
`COMMENT_TEXT`	`VARCHAR2(4000)`
`CONTEXTID`	`VARCHAR2(4000)`
`CURRENT_VALUE`	`VARCHAR2(4000)`
`DATABASE_ID`	`NUMBER`
`DATABASE_NAME`	`VARCHAR2(4000)`
`ENDUSER`	`VARCHAR2(4000)`
`EVENT_MOD`	`VARCHAR2(4000)`
`EVENT_STATUS`	`VARCHAR2(30)`
`EVENT_TIME`	`TIMESTAMP WITH LOCAL TIME ZONE`
`HOST_IP`	`VARCHAR2(255)`
`HOST_NAME`	`VARCHAR2(255)`
`HOST_TERMINAL`	`VARCHAR2(255)`
`KEYWORD`	`VARCHAR2(4000)`
`OBJECT_ID`	`NUMBER`
`OSUSER_NAME`	`VARCHAR2(4000)`
`PARENT_CONTEXTID`	`VARCHAR2(4000)`
`PREVIOUS_VALUE`	`VARCHAR2(4000)`
`PRIVILEGES_USED`	`VARCHAR2(4000)`
`PROCESS#`	`NUMBER`
`PROXY_INFORMATION`	`VARCHAR2(4000)`
`SEQUENCE`	`VARCHAR2(4000)`
`SOURCE_EVENTID`	`VARCHAR2(255)`
`SUB_CONTEXTID`	`VARCHAR2(4000)`
`TARGET_OBJECT`	`VARCHAR2(4000)`
`TARGET_OWNER`	`VARCHAR2(4000)`
`THREAD#`	`NUMBER`
`TOOLS_USED`	`VARCHAR2(4000)`
`USER_GUID`	`VARCHAR2(4000)`
`USERNAME`	`VARCHAR2(4000)`

C.10 Role and Privilege Management Events

Role and privilege management events track audited role and privilege management activity, such as revoking permissions from a user to use a specified command. The Role and Privilege Management Report, described in Section 3.4.5, uses these events.

Table C-15 lists the Sybase ASE role and privilege management events and event IDs.

Table C-15 Sybase ASE Role and Privilege Management Events and Event IDs

Event Name	Event ID
`Grant Command`	`GRANT COMMAND`
`Revoke Command`	`REVOKE COMMAND`
`Role Check Performed`	`ROLE CHECK PERFORMED`
`Role Toggling`	`ROLE TOGGLING`
`User-defined Function Command`	`ALTER ROLE FUNCTION EXECUTED` `CREATE ROLE FUNCTION EXECUTED` `DROP ROLE FUNCTION EXECUTED` `GRANT ROLE FUNCTION EXECUTED` `REVOKE ROLE FUNCTION EXECUTED`

Table C-16 lists the Sybase ASE role and privilege management event attributes.

Table C-16 Sybase ASE Role and Privilege Management Event Attributes

Attribute Name	Data Type
`ADMIN_OPTION`	`NUMBER`
`CONTEXTID`	`VARCHAR2(4000)`
`COMMENT_TEXT`	`VARCHAR2(4000)`
`CURRENT_VALUE`	`VARCHAR2(4000)`
`DATABASE_ID`	`NUMBER`
`DATABASE_NAME`	`VARCHAR2(4000)`
`ENDUSER`	`VARCHAR2(4000)`
`EVENT_MOD`	`VARCHAR2(4000)`
`EVENT_STATUS`	`VARCHAR2(30)`
`EVENT_TIME`	`TIMESTAMP WITH LOCAL TIME ZONE`
`GRANTEE`	`VARCHAR2(4000)`
`HOST_IP`	`VARCHAR2(255)`
`HOST_NAME`	`VARCHAR2(255)`
`HOST_TERMINAL`	`VARCHAR2(255)`
`KEYWORD`	`VARCHAR2(4000)`
`OBJECT_ID`	`NUMBER`
`OBJECT_PRIVILEGE`	`VARCHAR2(255)`
`OSUSER_NAME`	`VARCHAR2(4000)`
`PARENT_CONTEXTID`	`VARCHAR2(4000)`
`PREVIOUS_VALUE`	`VARCHAR2(4000)`
`PRIVILEGES_USED`	`VARCHAR2(4000)`
`PROCESS#`	`NUMBER`
`PROXY_INFORMATION`	`VARCHAR2(4000)`
`ROLE_NAME`	`VARCHAR2(4000)`
`SEQUENCE`	`VARCHAR2(4000)`
`SOURCE_EVENTID`	`VARCHAR2(255)`
`SUB_CONTEXTID`	`VARCHAR2(4000)`
`SYSTEM_PRIVILEGE`	`VARCHAR2(4000)`
`TARGET_OBJECT`	`VARCHAR2(4000)`
`TARGET_OWNER`	`VARCHAR2(4000)`
`THREAD#`	`NUMBER`
`TOOLS_USED`	`VARCHAR2(4000)`
`USER_GUID`	`VARCHAR2(4000)`
`USERNAME`	`VARCHAR2(4000)`

C.11 Service and Application Utilization Events

Service and application utilization events track audited application access activity, such as the execution of Transact-SQL commands. The Procedure Executions Report, described in Section 3.3.5, uses these events.

Table C-17 lists the Sybase ASE service and application utilization events and event IDs.

Table C-17 Sybase ASE Service and Application Utilization Events and Event IDs

Event Name	Event ID
`Execution Of Stored Procedure`	`STORED PROCEDURE EXECUTION`
`Execution Of Trigger`	`TRIGGER EXECUTION`
`RPC In`	`RPC IN`
`RPC Out`	`RPC OUT`
`Trusted procedure execution`	`TRUSTED PROCEDURE EXECUTION`
`Trusted trigger execution`	`TRUSTED TRIGGER EXECUTION`

Table C-18 lists the Sybase ASE service and application utilization event attributes.

Table C-18 Sybase ASE Service and Application Utilization Event Attributes

Attribute Name	Data Type
`COMMENT_TEXT`	`VARCHAR2(4000)`
`CONTEXTID`	`VARCHAR2(4000)`
`CURRENT_VALUE`	`VARCHAR2(4000)`
`DATABASE_ID`	`NUMBER`
`DATABASE_NAME`	`VARCHAR2(4000)`
`ENDUSER`	`VARCHAR2(4000)`
`EVENT_MOD`	`VARCHAR2(4000)`
`EVENT_STATUS`	`VARCHAR2(30)`
`EVENT_TIME`	`TIMESTAMP WITH LOCAL TIME ZONE`
`HOST_IP`	`VARCHAR2(255)`
`HOST_NAME`	`VARCHAR2(255)`
`HOST_TERMINAL`	`VARCHAR2(255)`
`KEYWORD`	`VARCHAR2(4000)`
`OBJECT_ID`	`NUMBER`
`OSUSER_NAME`	`VARCHAR2(4000)`
`PARENT_CONTEXTID`	`VARCHAR2(4000)`
`PREVIOUS_VALUE`	`VARCHAR2(4000)`
`PRIVILEGES_USED`	`VARCHAR2(4000)`
`PROCESS#`	`NUMBER`
`PROXY_INFORMATION`	`VARCHAR2(4000)`
`SEQUENCE`	`VARCHAR2(4000)`
`SOURCE_EVENTID`	`VARCHAR2(255)`
`SUB_CONTEXTID`	`VARCHAR2(4000)`
`TARGET_OBJECT`	`VARCHAR2(4000)`
`TARGET_OWNER`	`VARCHAR2(4000)`
`THREAD#`	`NUMBER`
`TOOLS_USED`	`VARCHAR2(4000)`
`USER_GUID`	`VARCHAR2(4000)`
`USERNAME`	`VARCHAR2(4000)`

C.12 System Management Events

System management events track audited system management activity, such as the CREATE DATABASE and DISK INIT commands. The System Management Report, described in Section 3.4.6, uses these events.

Table C-19 lists the Sybase ASE system management events and event IDs.

Table C-19 Sybase ASE System Management Events and Event IDs

Event Name	Event ID
`AEK Add Encryption`	`AEK ADD ENCRYPTION`
`AEK Drop Encryption`	`AEK DROP ENCRYPTION`
`AEK Key Recovery`	`AEK KEY RECOVERY`
`AEK Modify Encryption`	`AEK MODIFY ENCRYPTION`
`AEK Modify Owner`	`AEK MODIFY OWNER`
`Alter Database`	`ALTER DATABASE`
`Alter Encryption Key`	`ALTER ENCRYPTION KEY`
`Audit Option Change`	`AUDIT OPTION CHANGE`
`Config`	`CONFIG`
`Create Database`	`CREATE DATABASE`
`Create Encryption Key`	`CREATE ENCRYPTION KEY`
`DBCC Command`	`DB CONSISTENCY CHECK`
`Deploy UDWS`	`DEPLOY UDWS`
`Disk Init`	`DISK INIT`
`Disk Mirror`	`DISK MIRROR`
`Disk Refit`	`DISK REFIT`
`Disk Reinit`	`DISK REINIT`
`Disk Release`	`DISK RELEASE`
`Disk Remirror`	`DISK REMIRROR`
`Disk Resize`	`DISK RESIZE`
`Disk Unmirror`	`DISK UNMIRROR`
`Drop Database`	`DROP DATABASE`
`Drop Encryption Key`	`DROP ENCRYPTION KEY`
`Dump Database`	`DUMP DATABASE`
`Dump Transaction`	`DUMP TRANSACTION`
`Encrypted Column Administration`	`ENCRYPTED COLUMN ADMINISTRATION`
`kill/terminate Command`	`KILL/TERMINATE COMMAND`
`Load Database`	`LOAD DATABASE`
`Load Transaction`	`LOAD TRANSACTION`
`Mount Database`	`MOUNT DATABASE`
`Online Database`	`ONLINE DATABASE`
`Quiesce Database Command`	`QUIESCE DATABASE COMMAND`
`Server Boot`	`SERVER BOOT`
`Server Shutdown`	`SERVER SHUTDOWN`
`SSL Administration`	`SSL ADMINISTRATION`
`Undeploy UDWS`	`UNDEPLOY UDWS`
`Unmount Database`	`UNMOUNT DATABASE`

Table C-20 lists the Sybase ASE system management event attributes.

Table C-20 Sybase ASE System Management Event Attributes

Attribute Name	Data Type
`COMMENT_TEXT`	`VARCHAR2(4000)`
`CONTEXTID`	`VARCHAR2(4000)`
`CURRENT_VALUE`	`VARCHAR2(4000)`
`DATABASE_ID`	`NUMBER`
`DATABASE_NAME`	`VARCHAR2(4000)`
`ENDUSER`	`VARCHAR2(4000)`
`EVENT_MOD`	`VARCHAR2(4000)`
`EVENT_STATUS`	`VARCHAR2(30)`
`EVENT_TIME`	`TIMESTAMP WITH LOCAL TIME ZONE`
`HOST_IP`	`VARCHAR2(255)`
`HOST_NAME`	`VARCHAR2(255)`
`HOST_TERMINAL`	`VARCHAR2(255)`
`KEYWORD`	`VARCHAR2(4000)`
`OBJECT_ID`	`NUMBER`
`OSUSER_NAME`	`VARCHAR2(4000)`
`PARENT_CONTEXTID`	`VARCHAR2(4000)`
`PREVIOUS_VALUE`	`VARCHAR2(4000)`
`PRIVILEGES_USED`	`VARCHAR2(4000)`
`PROCESS#`	`NUMBER`
`PROXY_INFORMATION`	`VARCHAR2(4000)`
`SEQUENCE`	`VARCHAR2(4000)`
`SOURCE_EVENTID`	`VARCHAR2(255)`
`SUB_CONTEXTID`	`VARCHAR2(4000)`
`TARGET_OBJECT`	`VARCHAR2(4000)`
`TARGET_OWNER`	`VARCHAR2(4000)`
`THREAD#`	`NUMBER`
`TOOLS_USED`	`VARCHAR2(4000)`
`USER_GUID`	`VARCHAR2(4000)`
`USERNAME`	`VARCHAR2(4000)`

C.13 Unknown or Uncategorized Events

Unknown or uncategorized events track audited activity that cannot be categorized. The Uncategorized Activity Report, described in Section 3.5.3, uses these events.

Table C-21 shows the Sybase ASE unknown or uncategorized event and event ID.

Table C-21 Sybase ASE Unknown or Uncategorized Events and Event IDs

Event Name	Event ID
`Ad Hoc Audit record`	`AD HOC AUDIT RECORD`

Table C-22 lists the Sybase ASE unknown or uncategorized event attributes.

Table C-22 Sybase ASE Unknown or Uncategorized Event Attributes

Attribute Name	Data Type
`COMMENT_TEXT`	`VARCHAR2(4000)`
`CONTEXTID`	`VARCHAR2(4000)`
`CURRENT_VALUE`	`VARCHAR2(4000)`
`DATABASE_ID`	`NUMBER`
`DATABASE_NAME`	`VARCHAR2(4000)`
`ENDUSER`	`VARCHAR2(4000)`
`EVENT_MOD`	`VARCHAR2(4000)`
`EVENT_STATUS`	`VARCHAR2(30)`
`EVENT_TIME`	`TIMESTAMP WITH LOCAL TIME ZONE`
`HOST_IP`	`VARCHAR2(255)`
`HOST_NAME`	`VARCHAR2(255)`
`HOST_TERMINAL`	`VARCHAR2(255)`
`KEYWORD`	`VARCHAR2(4000)`
`OBJECT_ID`	`NUMBER`
`OSUSER_NAME`	`VARCHAR2(4000)`
`PARENT_CONTEXTID`	`VARCHAR2(4000)`
`PREVIOUS_VALUE`	`VARCHAR2(4000)`
`PRIVILEGES_USED`	`VARCHAR2(4000)`
`PROCESS#`	`NUMBER`
`PROXY_INFORMATION`	`VARCHAR2(4000)`
`SEQUENCE`	`VARCHAR2(4000)`
`SOURCE_EVENTID`	`VARCHAR2(255)`
`SUB_CONTEXTID`	`VARCHAR2(4000)`
`TARGET_OBJECT`	`VARCHAR2(4000)`
`TARGET_OWNER`	`VARCHAR2(4000)`
`THREAD#`	`NUMBER`
`TOOLS_USED`	`VARCHAR2(4000)`
`USER_GUID`	`VARCHAR2(4000)`
`USERNAME`	`VARCHAR2(4000)`

C.14 User Session Events

User session events track audited authentication events for users who log in to the database. The User Sessions Report, described in Section 3.3.6, uses these events.

Table C-23 lists the Sybase ASE user session events and event IDs.

Table C-23 Sybase ASE User Session Events and Event IDs

Event Name	Event ID
`Connect to command`	`CONNECT TO COMMAND`
`Log In`	`LOG IN`
`Log Out`	`LOG OUT`
`Setuser Command`	`SETUSER COMMAND`

Table C-24 lists the Sybase ASE user session event attributes.

Table C-24 Sybase ASE User Session Event Attributes

Attribute Name	Data Type
`AUTHENTICATION_METHOD`	`VARCHAR2(255)`
`COMMENT_TEXT`	`VARCHAR2(4000)`
`CONTEXTID`	`VARCHAR2(4000)`
`CURRENT_VALUE`	`VARCHAR2(4000)`
`DATABASE_ID`	`NUMBER`
`DATABASE_NAME`	`VARCHAR2(4000)`
`ENDUSER`	`VARCHAR2(4000)`
`EVENT_MOD`	`VARCHAR2(4000)`
`EVENT_STATUS`	`VARCHAR2(30)`
`EVENT_TIME`	`TIMESTAMP WITH LOCAL TIME ZONE`
`HOST_IP`	`VARCHAR2(255)`
`HOST_NAME`	`VARCHAR2(255)`
`HOST_TERMINAL`	`VARCHAR2(255)`
`KEYWORD`	`VARCHAR2(4000)`
`OBJECT_ID`	`NUMBER`
`OSUSER_NAME`	`VARCHAR2(4000)`
`PARENT_CONTEXTID`	`VARCHAR2(4000)`
`PREVIOUS_VALUE`	`VARCHAR2(4000)`
`PRIVILEGES_USED`	`VARCHAR2(4000)`
`PROCESS#`	`NUMBER`
`PROXY_INFORMATION`	`VARCHAR2(4000)`
`SEQUENCE`	`VARCHAR2(4000)`
`SOURCE_EVENTID`	`VARCHAR2(255)`
`SUB_CONTEXTID`	`VARCHAR2(4000)`
`TARGET_OBJECT`	`VARCHAR2(4000)`
`TARGET_OWNER`	`VARCHAR2(4000)`
`THREAD#`	`NUMBER`
`TOOLS_USED`	`VARCHAR2(4000)`
`USER_GUID`	`VARCHAR2(4000)`
`USERNAME`	`VARCHAR2(4000)`