C Sybase Adaptive Server Enterprise Audit Events

This appendix contains:

C.1 About the Sybase Adaptive Server Enterprise Audit Events

This appendix lists the audit event names and IDs, and the attribute names and data types for Sybase Adaptive Server Enterprise (ASE). The audit events are organized by their respective categories; for example, Account Management. You can use these audit events as follows:

  • For alerts. When you create an alert, you can specify an audit event, based on its category, that can trigger the alert. See "Creating a Basic Alert" for more information.

  • For custom reports using third-party tools. If you want to create custom reports using other Oracle Database reporting products or third-party tools, then refer to the tables in this appendix when you design the reports. See Chapter 4, "Oracle Audit Vault Data Warehouse Schema" for more information about custom reports created with third-party tools.

C.2 Account Management Events

Account management events track Transact-SQL commands that affect user accounts, such as the UNLOCK ADMIN ACCOUNT command. The Account Management Report, described in Section 3.3.3.2, uses these events.

Table C-1 lists the Sybase ASE account management source database events and the equivalent Oracle Audit Vault events.

Table C-1 Sybase ASE Account Management Audit Events

Event Name Description Source Event Audit Vault Event

Login Command

CREATE LOGIN COMMAND

DROP LOGIN COMMAND

CREATE USER

DROP USER

Set SSA Command

SET SSA COMMAND

ALTER USER

SSO Changed Password

SSO CHANGED PASSWORD

ALTER USER

Unlock Admin Account

UNLOCK ADMIN ACCOUNT

ALTER USER

Table C-2 lists the Sybase ASE account management event attributes.

Table C-2 Sybase ASE Account Management Event Attributes

Attribute Name Data Type

COMMENT_TEXT

VARCHAR2(4000)

CONTEXTID

VARCHAR2(4000)

CURRENT_VALUE

VARCHAR2(4000)

DATABASE_ID

NUMBER

DATABASE_NAME

VARCHAR2(4000)

ENDUSER

VARCHAR2(4000)

EVENT_MOD

VARCHAR2(4000)

EVENT_STATUS

VARCHAR2(30)

EVENT_TIME

TIMESTAMP WITH LOCAL TIME ZONE

HOST_ID

VARCHAR2(255)

HOST_NAME

VARCHAR2(255)

HOST_TERMINAL

VARCHAR2(255)

KEYWORD

VARCHAR2(4000)

OBJECT_ID

NUMBER

OSUSER_NAME

VARCHAR2(4000)

PARENT_CONTEXTID

VARCHAR2(4000)

PREVIOUS_VALUE

VARCHAR2(4000)

PRIVILEGES_USED

VARCHAR2(4000)

PROCESS#

NUMBER

PROXY_INFORMATION

VARCHAR2(4000)

SEQUENCE

VARCHAR2(4000)

SOURCE_EVENTID

VARCHAR2(255)

SUB_CONTEXTID

VARCHAR2(4000)

TARGET_OBJECT

VARCHAR2(4000)

TARGET_OWNER

VARCHAR2(4000)

THREAD#

NUMBER

TOOLS_USED

VARCHAR2(4000)

USER_GUID

VARCHAR2(4000)

USERNAME

VARCHAR2(4000)

C.3 Application Management Events

Application management events track actions that were performed on the underlying Transact-SQL commands of system services and applications, such as the CREATE RULE command. The Procedure Management Report, described in Section 3.3.3.5, uses these events.

Table C-3 lists the Sybase ASE application management source database events and the equivalent Oracle Audit Vault events.

Table C-3 Sybase ASE Application Management Audit Events

Event Name Description Source Event Audit Vault Event

Create Default

CREATE DEFAULT

CREATE DEFAULT

Create Message

CREATE MESSAGE

CREATE MESSAGE

Create Procedure

CREATE PROCEDURE

CREATE PROCEDURE

Create Rule

CREATE RULE

CREATE RULE

Create SQLJ Function

CREATE SQLJ FUNCTION

CREATE FUNCTION

Create Trigger

CREATE TRIGGER

CREATE TRIGGER

Drop Default

DROP DEFAULT

DROP DEFAULT

Drop Message

DROP MESSAGE

DROP MESSAGE

Drop Procedure

DROP PROCEDURE

DROP PROCEDURE

Drop Rule

DROP RULE

DROP RULE

Drop SQLJ Function

DROP SQLJ FUNCTION

DROP FUNCTION

Drop Trigger

DROP TRIGGER

DROP TRIGGER

Table C-4 lists the Sybase ASE application management event attributes.

Table C-4 Sybase ASE Application Management Event Attributes

Attribute Name Data Type

ASSOCIATED_OBJECT_NAME

VARCHAR2(4000)

ASSOCIATED_OBJECT_OWNER

VARCHAR2(4000)

COMMENT_TEXT

VARCHAR2(4000)

CONTEXTID

VARCHAR2(4000)

CURRENT_VALUE

VARCHAR2(4000)

DATABASE_ID

NUMBER

DATABASE_NAME

VARCHAR2(4000)

ENDUSER

VARCHAR2(4000)

EVENT_MOD

VARCHAR2(4000)

EVENT_STATUS

VARCHAR2(30)

EVENT_TIME

TIMESTAMP WITH LOCAL TIME ZONE

HOST_IP

VARCHAR2(255)

HOST_NAME

VARCHAR2(255)

HOST_TERMINAL

VARCHAR2(255)

KEYWORD

VARCHAR2(4000)

NEW_OBJECT_NAME

VARCHAR2(4000)

NEW_OBJECT_OWNER

VARCHAR2(4000)

OBJECT_ID

NUMBER

OSUSER_NAME

VARCHAR2(4000)

PARENT_CONTEXTID

VARCHAR2(4000)

PREVIOUS_VALUE

VARCHAR2(4000)

PRIVILEGES_USED

VARCHAR2(4000)

PROCESS#

NUMBER

PROXY_INFORMATION

VARCHAR2(4000)

SEQUENCE

VARCHAR2(4000)

SOURCE_EVENTID

VARCHAR2(255)

SUB_CONTEXTID

VARCHAR2(4000)

TARGET_OBJECT

VARCHAR2(4000)

TARGET_OWNER

VARCHAR2(4000)

THREAD#

NUMBER

TOOLS_USED

VARCHAR2(4000)

USER_GUID

VARCHAR2(4000)

USERNAME

VARCHAR2(4000)

C.4 Audit Command Events

Audit command events track the use of auditing Transact-SQL commands on other Transact-SQL commands and on database objects. The Audit Command Report, described in Section 3.3.3.3, uses these events.

Table C-5 lists the Sybase ASE audit command source database events and the equivalent Oracle Audit Vault events.

Table C-5 Sybase ASE Audit Command Audit Events

Event Name Description Source Event Audit Vault Event

Auditing Disabled

AUDITING DISABLED

NOAUDIT DEFAULT

Auditing Enabled

AUDITING ENABLED

AUDIT DEFAULT

Table C-6 lists the Sybase ASE audit command event attributes.

Table C-6 Sybase ASE Audit Command Event Attributes

Attribute Name Data Type

AUDIT_OPTION

VARCHAR2(4000)

COMMENT_TEXT

VARCHAR2(4000)

CONTEXTID

VARCHAR2(4000)

CURRENT_VALUE

VARCHAR2(4000)

DATABASE_ID

NUMBER

DATABASE_NAME

VARCHAR2(4000)

ENDUSER

VARCHAR2(4000)

EVENT_MOD

VARCHAR2(4000)

EVENT_STATUS

VARCHAR2(30)

EVENT_TIME

TIMESTAMP WITH LOCAL TIME ZONE

HOST_IP

VARCHAR2(255)

HOST_NAME

VARCHAR2(255)

HOST_TERMINAL

VARCHAR2(255)

KEYWORD

VARCHAR2(4000)

OBJECT_ID

NUMBER

OSUSER_NAME

VARCHAR2(4000)

PARENT_CONTEXTID

VARCHAR2(4000)

PREVIOUS_VALUE

VARCHAR2(4000)

PRIVILEGES_USED

VARCHAR2(4000)

PROCESS#

NUMBER

PROXY_INFORMATION

VARCHAR2(4000)

SEQUENCE

VARCHAR2(4000)

SOURCE_EVENTID

VARCHAR2(255)

SUB_CONTEXTID

VARCHAR2(4000)

TARGET_OBJECT

VARCHAR2(4000)

TARGET_OWNER

VARCHAR2(4000)

THREAD#

NUMBER

TOOLS_USED

VARCHAR2(4000)

USER_GUID

VARCHAR2(4000)

USERNAME

VARCHAR2(4000)

C.5 Data Access Events

Data access events track audited Transact-SQL commands, such as all SELECT TABLE, INSERT TABLE, or UPDATE TABLE commands. The Data Access Report, described in Section 3.3.2.3, uses these events.

Table C-7 lists the Sybase ASE data access source database events and the equivalent Oracle Audit Vault events.

Table C-7 Sybase ASE Data Access Audit Events

Event Name Description Source Event Audit Vault Event

Access To Audit Table

ACCESS TO AUDIT TABLE

SELECT

BCP In

BCP IN

INSERT

Delete Table

DELETE TABLE

DELETE

Delete View

DELETE VIEW

DELETE

Insert Table

INSERT TABLE

INSERT

Insert View

INSERT VIEW

INSERT

Select Table

SELECT TABLE

SELECT

Select View

SELECT VIEW

SELECT

Truncate Table

TRUNCATE TABLE

TRUNCATE TABLE

Truncation of audit table

TRUNCATION OF AUDIT TABLE

TRUNCATE TABLE

Update Table

UPDATE TABLE

UPDATE

Update View

UPDATE VIEW

UPDATE

Table C-8 lists the Sybase ASE data access event attributes.

Table C-8 Sybase ASE Data Access Event Attributes

Attribute Name Data Type

COMMENT_TEXT

VARCHAR2(4000)

CONTEXTID

VARCHAR2(4000)

CURRENT_VALUE

VARCHAR2(4000)

DATABASE_ID

NUMBER

DATABASE_NAME

VARCHAR2(4000)

ENDUSER

VARCHAR2(4000)

EVENT_MOD

VARCHAR2(4000)

EVENT_STATUS

VARCHAR2(30)

EVENT_TIME

TIMESTAMP WITH LOCAL TIME ZONE

HOST_IP

VARCHAR2(255)

HOST_NAME

VARCHAR2(255)

HOST_TERMINAL

VARCHAR2(255)

KEYWORD

VARCHAR2(4000)

OBJECT_ID

NUMBER

OSUSER_NAME

VARCHAR2(4000)

PARENT_CONTEXTID

VARCHAR2(4000)

PREVIOUS_VALUE

VARCHAR2(4000)

PRIVILEGES_USED

VARCHAR2(4000)

PROCESS#

NUMBER

PROXY_INFORMATION

VARCHAR2(4000)

SEQUENCE

VARCHAR2(4000)

SOURCE_EVENTID

VARCHAR2(255)

SUB_CONTEXTID

VARCHAR2(4000)

TARGET_OBJECT

VARCHAR2(4000)

TARGET_OWNER

VARCHAR2(4000)

THREAD#

NUMBER

TOOLS_USED

VARCHAR2(4000)

USER_GUID

VARCHAR2(4000)

USERNAME

VARCHAR2(4000)

C.6 Exception Events

Exception events track audited error and exception activity, such as network errors. The Exception Activity Report, described in Section 3.3.4.2, uses these events.

Table C-9 lists Sybase ASE exception source database events and the equivalent Oracle Audit Vault events.

Table C-9 Sybase ASE Exception Audit Events

Event Name Description Source Event Audit Vault Event

Fatal Error

FATAL ERROR

FATAL ERROR

Nonfatal Error

NONFATAL ERROR

NONFATAL ERROR

Table C-10 lists the Sybase ASE exception event attributes.

Table C-10 Sybase ASE Exception Event Attributes

Attribute Name Data Type

COMMENT_TEXT

VARCHAR2(4000)

CONTEXTID

VARCHAR2(4000)

CURRENT_VALUE

VARCHAR2(4000)

DATABASE_ID

NUMBER

DATABASE_NAME

VARCHAR2(4000)

ENDUSER

VARCHAR2(4000)

EVENT_MOD

VARCHAR2(4000)

EVENT_STATUS

VARCHAR2(30)

EVENT_TIME

TIMESTAMP WITH LOCAL TIME ZONE

HOST_IP

VARCHAR2(255)

HOST_NAME

VARCHAR2(255)

HOST_TERMINAL

VARCHAR2(255)

KEYWORD

VARCHAR2(4000)

OBJECT_ID

NUMBER

OSUSER_NAME

VARCHAR2(4000)

PARENT_CONTEXTID

VARCHAR2(4000)

PREVIOUS_VALUE

VARCHAR2(4000)

PRIVILEGES_USED

VARCHAR2(4000)

PROCESS#

NUMBER

PROXY_INFORMATION

VARCHAR2(4000)

SEQUENCE

VARCHAR2(4000)

SOURCE_EVENTID

VARCHAR2(255)

SUB_CONTEXTID

VARCHAR2(4000)

TARGET_OBJECT

VARCHAR2(4000)

TARGET_OWNER

VARCHAR2(4000)

THREAD#

NUMBER

TOOLS_USED

VARCHAR2(4000)

USER_GUID

VARCHAR2(4000)

USERNAME

VARCHAR2(4000)

C.7 Invalid Record Events

Invalid record events track audited activity that Oracle Audit Vault cannot recognize, possibly due to a corrupted audit record. The Invalid Audit Record Report, described in Section 3.3.4.3, uses these events.

Table C-11 lists Sybase ASE invalid record event attributes.

Table C-11 Sybase ASE Invalid Record Event Attributes

Attribute Name Data Type

COMMENT_TEXT

VARCHAR2(4000)

CONTEXTID

VARCHAR2(4000)

CURRENT_VALUE

VARCHAR2(4000)

DATABASE_ID

NUMBER

DATABASE_NAME

VARCHAR2(4000)

ENDUSER

VARCHAR2(4000)

ERROR_ID

NUMBER

ERROR_MESSAGE

VARCHAR2(30)

EVENT_MOD

VARCHAR2(4000)

EVENT_STATUS

VARCHAR2(30)

EVENT_TIME

TIMESTAMP WITH LOCAL TIME ZONE

HOST_IP

VARCHAR2(255)

HOST_NAME

VARCHAR2(255)

HOST_TERMINAL

VARCHAR2(255)

KEYWORD

VARCHAR2(4000)

MODULE_NAME

VARCHAR2(100)

OBJECT_ID

NUMBER

ORIGINAL_CONTENT2

VARCHAR2(4000)

ORIGINAL_CONTENT3

VARCHAR2(4000)

OSUSER_NAME

VARCHAR2(4000)

PARENT_CONTEXTID

VARCHAR2(4000)

PREVIOUS_VALUE

VARCHAR2(4000)

PRIVILEGES_USED

VARCHAR2(4000)

PROCESS#

NUMBER

PROXY_INFORMATION

VARCHAR2(4000)

SEQUENCE

VARCHAR2(4000)

SEVERITY

NUMBER

SOURCE_EVENTID

VARCHAR2(255)

SUB_CONTEXTID

VARCHAR2(4000)

TARGET_OBJECT

VARCHAR2(4000)

TARGET_OWNER

VARCHAR2(4000)

THREAD#

NUMBER

TOOLS_USED

VARCHAR2(4000)

USER_GUID

VARCHAR2(4000)

USERNAME

VARCHAR2(4000)

C.8 Object Management Events

Object management events track audited actions performed on database objects, such as CREATE TABLE commands. The Object Management Report, described in Section 3.3.3.4, uses these events.

Table C-12 lists the Sybase ASE object management source database events and the equivalent Oracle Audit Vault events.

Table C-12 Sybase ASE Object Management Audit Events

Event Name Description Source Event Audit Vault Event

Access To Database

ACCESS TO DATABASE

ACCESS DATABASE

Alter Table

ALTER TABLE

ALTER TABLE

Bind Default

BIND DEFAULT

ALTER TABLE

Bind Message

BIND MESSAGE

ALTER TABLE

Bind Rule

BIND RULE

ALTER TABLE

Create Index

CREATE INDEX

CREATE INDEX

Create Table

CREATE TABLE

CREATE TABLE

Create View

CREATE VIEW

CREATE VIEW

Drop Index

DROP INDEX

CREATE INDEX

Drop Table

DROP TABLE

DROP TABLE

Drop View

DROP VIEW

DROP VIEW

Unbind Default

UNBIND DEFAULT

ALTER TABLE

Unbind Message

UNBIND MESSAGE

ALTER TABLE

Unbind Rule

UNBIND RULE

ALTER TABLE

Table C-13 lists the Sybase ASE object management event attributes.

Table C-13 Sybase ASE Object Management Event Attributes

Attribute Name Data Type

ASSOCIATED_OBJECT_NAME

VARCHAR2(4000)

ASSOCIATED_OBJECT_OWNER

VARCHAR2(4000)

COMMENT_TEXT

VARCHAR2(4000)

CONTEXTID

VARCHAR2(4000)

CURRENT_VALUE

VARCHAR2(4000)

DATABASE_ID

NUMBER

DATABASE_NAME

VARCHAR2(4000)

ENDUSER

VARCHAR2(4000)

EVENT_MOD

VARCHAR2(4000)

EVENT_STATUS

VARCHAR2(30)

EVENT_TIME

TIMESTAMP WITH LOCAL TIME ZONE

HOST_IP

VARCHAR2(255)

HOST_NAME

VARCHAR2(255)

HOST_TERMINAL

VARCHAR2(255)

KEYWORD

VARCHAR2(4000)

NEW_OBJECT_NAME

VARCHAR2(4000)

NEW_OBJECT_OWNER

VARCHAR2(4000)

OBJECT_ID

NUMBER

OSUSER_NAME

VARCHAR2(4000)

PARENT_CONTEXTID

VARCHAR2(4000)

PREVIOUS_VALUE

VARCHAR2(4000)

PRIVILEGES_USED

VARCHAR2(4000)

PROCESS#

NUMBER

PROXY_INFORMATION

VARCHAR2(4000)

SEQUENCE

VARCHAR2(4000)

SOURCE_EVENTID

VARCHAR2(255)

SUB_CONTEXTID

VARCHAR2(4000)

TARGET_OBJECT

VARCHAR2(4000)

TARGET_OWNER

VARCHAR2(4000)

THREAD#

NUMBER

TOOLS_USED

VARCHAR2(4000)

USER_GUID

VARCHAR2(4000)

USERNAME

VARCHAR2(4000)

C.9 Peer Association Events

Peer association events track database link commands. The Distributed Database Report, described in Section 3.3.2.5, uses these events. (These events do not have any event names; they only contain event attributes.)

Table C-14 lists the Sybase ASE peer association event attributes.

Table C-14 Sybase ASE Peer Association Event Attributes

Attribute Name Data Type

COMMENT_TEXT

VARCHAR2(4000)

CONTEXTID

VARCHAR2(4000)

CURRENT_VALUE

VARCHAR2(4000)

DATABASE_ID

NUMBER

DATABASE_NAME

VARCHAR2(4000)

ENDUSER

VARCHAR2(4000)

EVENT_MOD

VARCHAR2(4000)

EVENT_STATUS

VARCHAR2(30)

EVENT_TIME

TIMESTAMP WITH LOCAL TIME ZONE

HOST_IP

VARCHAR2(255)

HOST_NAME

VARCHAR2(255)

HOST_TERMINAL

VARCHAR2(255)

KEYWORD

VARCHAR2(4000)

OBJECT_ID

NUMBER

OSUSER_NAME

VARCHAR2(4000)

PARENT_CONTEXTID

VARCHAR2(4000)

PREVIOUS_VALUE

VARCHAR2(4000)

PRIVILEGES_USED

VARCHAR2(4000)

PROCESS#

NUMBER

PROXY_INFORMATION

VARCHAR2(4000)

SEQUENCE

VARCHAR2(4000)

SOURCE_EVENTID

VARCHAR2(255)

SUB_CONTEXTID

VARCHAR2(4000)

TARGET_OBJECT

VARCHAR2(4000)

TARGET_OWNER

VARCHAR2(4000)

THREAD#

NUMBER

TOOLS_USED

VARCHAR2(4000)

USER_GUID

VARCHAR2(4000)

USERNAME

VARCHAR2(4000)

C.10 Role and Privilege Management Events

Role and privilege management events track audited role and privilege management activity, such as revoking permissions from a user to use a specified command. The Role and Privilege Management Report, described in Section 3.3.3.6, uses these events.

Table C-15 lists the Sybase ASE role and privilege management source database events and the equivalent Oracle Audit Vault events.

Table C-15 Sybase ASE Role and Privilege Management Audit Events

Event Name Description Source Event Audit Vault Event

Grant Command

GRANT COMMAND

GRANT OBJECT

Revoke Command

REVOKE COMMAND

REVOKE OBJECT

Role Check Performed

ROLE CHECK PERFORMED

CHECK PRIVILEGE

Role Toggling

ROLE TOGGLING

SET ROLE

User-defined Function Command

ALTER ROLE FUNCTION EXECUTED

CREATE ROLE FUNCTION EXECUTED

DROP ROLE FUNCTION EXECUTED

GRANT ROLE FUNCTION EXECUTED

REVOKE ROLE FUNCTION EXECUTED

ALTER ROLE

CREATE ROLE

DROP ROLE

GRANT ROLE

REVOKE ROLE

Table C-16 lists the Sybase ASE role and privilege management event attributes.

Table C-16 Sybase ASE Role and Privilege Management Event Attributes

Attribute Name Data Type

ADMIN_OPTION

NUMBER

CONTEXTID

VARCHAR2(4000)

COMMENT_TEXT

VARCHAR2(4000)

CURRENT_VALUE

VARCHAR2(4000)

DATABASE_ID

NUMBER

DATABASE_NAME

VARCHAR2(4000)

ENDUSER

VARCHAR2(4000)

EVENT_MOD

VARCHAR2(4000)

EVENT_STATUS

VARCHAR2(30)

EVENT_TIME

TIMESTAMP WITH LOCAL TIME ZONE

GRANTEE

VARCHAR2(4000)

HOST_IP

VARCHAR2(255)

HOST_NAME

VARCHAR2(255)

HOST_TERMINAL

VARCHAR2(255)

KEYWORD

VARCHAR2(4000)

OBJECT_ID

NUMBER

OBJECT_PRIVILEGE

VARCHAR2(255)

OSUSER_NAME

VARCHAR2(4000)

PARENT_CONTEXTID

VARCHAR2(4000)

PREVIOUS_VALUE

VARCHAR2(4000)

PRIVILEGES_USED

VARCHAR2(4000)

PROCESS#

NUMBER

PROXY_INFORMATION

VARCHAR2(4000)

ROLE_NAME

VARCHAR2(4000)

SEQUENCE

VARCHAR2(4000)

SOURCE_EVENTID

VARCHAR2(255)

SUB_CONTEXTID

VARCHAR2(4000)

SYSTEM_PRIVILEGE

VARCHAR2(4000)

TARGET_OBJECT

VARCHAR2(4000)

TARGET_OWNER

VARCHAR2(4000)

THREAD#

NUMBER

TOOLS_USED

VARCHAR2(4000)

USER_GUID

VARCHAR2(4000)

USERNAME

VARCHAR2(4000)

C.11 Service and Application Utilization Events

Service and application utilization events track audited application access activity, such as the execution of Transact-SQL commands. The Procedure Executions Report, described in Section 3.3.2.6, uses these events.

Table C-17 lists the Sybase ASE service and application utilization source database events and the equivalent Oracle Audit Vault events.

Table C-17 Sybase ASE Service and Application Utilization Audit Events

Event Name Description Source Event Audit Vault Event

Execution Of Stored Procedure

STORED PROCEDURE EXECUTION

EXECUTE PROCEDURE

Execution Of Trigger

TRIGGER EXECUTION

EXECUTE TRIGGER

RPC In

RPC IN

EXECUTE PROCEDURE

RPC Out

RPC OUT

EXECUTE PROCEDURE

Trusted procedure execution

TRUSTED PROCEDURE EXECUTION

EXECUTE PROCEDURE

Trusted trigger execution

TRUSTED TRIGGER EXECUTION

EXECUTE TRIGGER

Table C-18 lists the Sybase ASE service and application utilization event attributes.

Table C-18 Sybase ASE Service and Application Utilization Event Attributes

Attribute Name Data Type

COMMENT_TEXT

VARCHAR2(4000)

CONTEXTID

VARCHAR2(4000)

CURRENT_VALUE

VARCHAR2(4000)

DATABASE_ID

NUMBER

DATABASE_NAME

VARCHAR2(4000)

ENDUSER

VARCHAR2(4000)

EVENT_MOD

VARCHAR2(4000)

EVENT_STATUS

VARCHAR2(30)

EVENT_TIME

TIMESTAMP WITH LOCAL TIME ZONE

HOST_IP

VARCHAR2(255)

HOST_NAME

VARCHAR2(255)

HOST_TERMINAL

VARCHAR2(255)

KEYWORD

VARCHAR2(4000)

OBJECT_ID

NUMBER

OSUSER_NAME

VARCHAR2(4000)

PARENT_CONTEXTID

VARCHAR2(4000)

PREVIOUS_VALUE

VARCHAR2(4000)

PRIVILEGES_USED

VARCHAR2(4000)

PROCESS#

NUMBER

PROXY_INFORMATION

VARCHAR2(4000)

SEQUENCE

VARCHAR2(4000)

SOURCE_EVENTID

VARCHAR2(255)

SUB_CONTEXTID

VARCHAR2(4000)

TARGET_OBJECT

VARCHAR2(4000)

TARGET_OWNER

VARCHAR2(4000)

THREAD#

NUMBER

TOOLS_USED

VARCHAR2(4000)

USER_GUID

VARCHAR2(4000)

USERNAME

VARCHAR2(4000)

C.12 System Management Events

System management events track audited system management activity, such as the CREATE DATABASE and DISK INIT commands. The System Management Report, described in Section 3.3.3.7, uses these events.

Table C-19 lists the Sybase ASE system management source database events and the equivalent Oracle Audit Vault events.

Table C-19 Sybase ASE System Management Audit Events

Event Name Description Source Event Audit Vault Event

AEK Add Encryption

AEK ADD ENCRYPTION

ALTER SYSTEM

AEK Drop Encryption

AEK DROP ENCRYPTION

ALTER SYSTEM

AEK Key Recovery

AEK KEY RECOVERY

ALTER SYSTEM

AEK Modify Encryption

AEK MODIFY ENCRYPTION

ALTER SYSTEM

AEK Modify Owner

AEK MODIFY OWNER

ALTER SYSTEM

Alter Database

ALTER DATABASE

ALTER DATABASE

Alter Encryption Key

ALTER ENCRYPTION KEY

ALTER SYSTEM

Audit Option Change

AUDIT OPTION CHANGE

AUDIT DEFAULT

Config

CONFIG

ALTER SYSTEM

Create Database

CREATE DATABASE

CREATE DATABASE

Create Encryption Key

CREATE ENCRYPTION KEY

ALTER SYSTEM

DBCC Command

DB CONSISTENCY CHECK

CONSISTENCY CHECK

Deploy UDWS

DEPLOY UDWS

ALTER SYSTEM

Disk Init

DISK INIT

ALTER SYSTEM

Disk Mirror

DISK MIRROR

ALTER SYSTEM

Disk Refit

DISK REFIT

ALTER SYSTEM

Disk Reinit

DISK REINIT

ALTER SYSTEM

Disk Release

DISK RELEASE

ALTER SYSTEM

Disk Remirror

DISK REMIRROR

ALTER SYSTEM

Disk Resize

DISK RESIZE

ALTER SYSTEM

Disk Unmirror

DISK UNMIRROR

ALTER SYSTEM

Drop Database

DROP DATABASE

DROP DATABASE

Drop Encryption Key

DROP ENCRYPTION KEY

ALTER SYSTEM

Dump Database

DUMP DATABASE

BACKUP

Dump Transaction

DUMP TRANSACTION

BACKUP

Encrypted Column Administration

ENCRYPTED COLUMN ADMINISTRATION

ALTER SYSTEM

kill/terminate Command

KILL/TERMINATE COMMAND

ALTER SYSTEM

Load Database

LOAD DATABASE

RESTORE

Load Transaction

LOAD TRANSACTION

RESTORE

Mount Database

MOUNT DATABASE

ALTER DATABASE

Online Database

ONLINE DATABASE

ALTER DATABASE

Quiesce Database Command

QUIESCE DATABASE COMMAND

ALTER SYSTEM

Server Boot

SERVER BOOT

STARTUP

Server Shutdown

SERVER SHUTDOWN

SHUTDOWN

SSL Administration

SSL ADMINISTRATION

ALTER SYSTEM

Undeploy UDWS

UNDEPLOY UDWS

ALTER SYSTEM

Unmount Database

UNMOUNT DATABASE

ALTER DATABASE

Table C-20 lists the Sybase ASE system management event attributes.

Table C-20 Sybase ASE System Management Event Attributes

Attribute Name Data Type

COMMENT_TEXT

VARCHAR2(4000)

CONTEXTID

VARCHAR2(4000)

CURRENT_VALUE

VARCHAR2(4000)

DATABASE_ID

NUMBER

DATABASE_NAME

VARCHAR2(4000)

ENDUSER

VARCHAR2(4000)

EVENT_MOD

VARCHAR2(4000)

EVENT_STATUS

VARCHAR2(30)

EVENT_TIME

TIMESTAMP WITH LOCAL TIME ZONE

HOST_IP

VARCHAR2(255)

HOST_NAME

VARCHAR2(255)

HOST_TERMINAL

VARCHAR2(255)

KEYWORD

VARCHAR2(4000)

OBJECT_ID

NUMBER

OSUSER_NAME

VARCHAR2(4000)

PARENT_CONTEXTID

VARCHAR2(4000)

PREVIOUS_VALUE

VARCHAR2(4000)

PRIVILEGES_USED

VARCHAR2(4000)

PROCESS#

NUMBER

PROXY_INFORMATION

VARCHAR2(4000)

SEQUENCE

VARCHAR2(4000)

SOURCE_EVENTID

VARCHAR2(255)

SUB_CONTEXTID

VARCHAR2(4000)

TARGET_OBJECT

VARCHAR2(4000)

TARGET_OWNER

VARCHAR2(4000)

THREAD#

NUMBER

TOOLS_USED

VARCHAR2(4000)

USER_GUID

VARCHAR2(4000)

USERNAME

VARCHAR2(4000)

C.13 Unknown or Uncategorized Events

Unknown or uncategorized events track audited activity that cannot be categorized. The Uncategorized Activity Report, described in Section 3.3.4.4, uses these events.

Table C-21 shows the Sybase ASE unknown or uncategorized source database event and the equivalent Oracle Audit Vault event.

Table C-21 Sybase ASE Unknown or Uncategorized Audit Events

Event Name Description Source Event Audit Vault Event

Ad Hoc Audit record

AD HOC AUDIT RECORD

UNKNOWN

Table C-22 lists the Sybase ASE unknown or uncategorized event attributes.

Table C-22 Sybase ASE Unknown or Uncategorized Event Attributes

Attribute Name Data Type

COMMENT_TEXT

VARCHAR2(4000)

CONTEXTID

VARCHAR2(4000)

CURRENT_VALUE

VARCHAR2(4000)

DATABASE_ID

NUMBER

DATABASE_NAME

VARCHAR2(4000)

ENDUSER

VARCHAR2(4000)

EVENT_MOD

VARCHAR2(4000)

EVENT_STATUS

VARCHAR2(30)

EVENT_TIME

TIMESTAMP WITH LOCAL TIME ZONE

HOST_IP

VARCHAR2(255)

HOST_NAME

VARCHAR2(255)

HOST_TERMINAL

VARCHAR2(255)

KEYWORD

VARCHAR2(4000)

OBJECT_ID

NUMBER

OSUSER_NAME

VARCHAR2(4000)

PARENT_CONTEXTID

VARCHAR2(4000)

PREVIOUS_VALUE

VARCHAR2(4000)

PRIVILEGES_USED

VARCHAR2(4000)

PROCESS#

NUMBER

PROXY_INFORMATION

VARCHAR2(4000)

SEQUENCE

VARCHAR2(4000)

SOURCE_EVENTID

VARCHAR2(255)

SUB_CONTEXTID

VARCHAR2(4000)

TARGET_OBJECT

VARCHAR2(4000)

TARGET_OWNER

VARCHAR2(4000)

THREAD#

NUMBER

TOOLS_USED

VARCHAR2(4000)

USER_GUID

VARCHAR2(4000)

USERNAME

VARCHAR2(4000)

C.14 User Session Events

User session events track audited authentication events for users who log in to the database. The User Sessions Report, described in Section 3.3.2.7, uses these events.

Table C-23 lists the Sybase ASE user session source database events and the equivalent Oracle Audit Vault events.

Table C-23 Sybase ASE User Session Audit Events

Event Name Description Source Event Audit Vault Event

Connect to command

CONNECT TO COMMAND

CREATE SESSION

Log In

LOG IN

LOGON

Log Out

LOG OUT

LOGOFF

Setuser Command

SETUSER COMMAND

IMPERSONATION

Table C-24 lists the Sybase ASE user session event attributes.

Table C-24 Sybase ASE User Session Event Attributes

Attribute Name Data Type

AUTHENTICATION_METHOD

VARCHAR2(255)

COMMENT_TEXT

VARCHAR2(4000)

CONTEXTID

VARCHAR2(4000)

CURRENT_VALUE

VARCHAR2(4000)

DATABASE_ID

NUMBER

DATABASE_NAME

VARCHAR2(4000)

ENDUSER

VARCHAR2(4000)

EVENT_MOD

VARCHAR2(4000)

EVENT_STATUS

VARCHAR2(30)

EVENT_TIME

TIMESTAMP WITH LOCAL TIME ZONE

HOST_IP

VARCHAR2(255)

HOST_NAME

VARCHAR2(255)

HOST_TERMINAL

VARCHAR2(255)

KEYWORD

VARCHAR2(4000)

OBJECT_ID

NUMBER

OSUSER_NAME

VARCHAR2(4000)

PARENT_CONTEXTID

VARCHAR2(4000)

PREVIOUS_VALUE

VARCHAR2(4000)

PRIVILEGES_USED

VARCHAR2(4000)

PROCESS#

NUMBER

PROXY_INFORMATION

VARCHAR2(4000)

SEQUENCE

VARCHAR2(4000)

SOURCE_EVENTID

VARCHAR2(255)

SUB_CONTEXTID

VARCHAR2(4000)

TARGET_OBJECT

VARCHAR2(4000)

TARGET_OWNER

VARCHAR2(4000)

THREAD#

NUMBER

TOOLS_USED

VARCHAR2(4000)

USER_GUID

VARCHAR2(4000)

USERNAME

VARCHAR2(4000)