System Administration Guide: Security Services

Audit Flag Syntax

A prefix determines whether a class of events is audited for both success and failure, for success only, or for failure only. Here is the format of the audit flag:

prefixflag

The following table shows prefixes that specify whether the audit class is audited for success or failure, or both.

Table 25–3 Prefixes Used in Audit Flags

Prefix    Definition
none      Audit for both success and failure
+         Audit for success only
-         Audit for failure only

For example, the audit flag lo (without any prefix) means that auditing should occur for “all successful attempts to log in and log out, and all failed attempts to log in.” You cannot fail an attempt to log out. As another example, the -all flag means that auditing should occur only for all failed attempts of any kind. The +all flag means that auditing should occur only for all successful attempts of any kind.


Caution –

The -all flag can generate large amounts of data and fill up audit file systems quickly. Use the -all flag only if you have extraordinary reasons to audit all activities.
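
The prefix rules in Table 25–3 can be checked mechanically before a flag is deployed. The following parser is an added example, not code from this guide. It goes beyond the single-flag format shown above by accepting a comma-separated list and treating the flags in it as additive, both of which are assumptions here; the class name xx is a placeholder.

```python
import re

# prefix -> (audit on success, audit on failure), per Table 25-3
PREFIXES = {"": (True, True), "+": (True, False), "-": (False, True)}
# Only the three prefixes from Table 25-3 are accepted; anything else is rejected.
FLAG_RE = re.compile(r"^([+-]?)([a-z]+)$")


def parse_flag(flag):
    """Split one audit flag into (class, on_success, on_failure)."""
    m = FLAG_RE.match(flag.strip())
    if not m:
        raise ValueError(f"unsupported audit flag: {flag!r}")
    prefix, cls = m.groups()
    return (cls, *PREFIXES[prefix])


def build_mask(flags):
    """Combine a comma-separated flag list into {class: [success, failure]}.

    Assumption: flags in a list are additive, so 'lo,-all' keeps auditing
    successful logins while adding failures of every class.
    """
    mask = {}
    for item in filter(None, (f.strip() for f in flags.split(","))):
        cls, ok, fail = parse_flag(item)
        cur = mask.setdefault(cls, [False, False])
        cur[0] |= ok
        cur[1] |= fail
    return mask


def is_audited(mask, cls, succeeded):
    """True if an event of class `cls` with this outcome is selected."""
    idx = 0 if succeeded else 1
    none = [False, False]
    # The 'all' class applies to events of any class.
    return mask.get(cls, none)[idx] or mask.get("all", none)[idx]


if __name__ == "__main__":
    mask = build_mask("lo,-all")  # constructed sample flag list
    # 'xx' is a placeholder class name used only to show the effect of -all
    for cls, ok in [("lo", True), ("lo", False), ("xx", True), ("xx", False)]:
        outcome = "success" if ok else "failure"
        print(f"{cls:3} {outcome:8} audited={is_audited(mask, cls, ok)}")
```

Running it against a proposed flag list shows which outcomes each class will record, which makes the volume implied by an all flag visible before the audit file system fills.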