A Audit Vault Server Fields

This appendix contains the AVDF events and fields that you can map to in your collection plug-ins.


A.1 AVDF Fields

This section discusses the different types of AVDF values.

A.1.1 Core Fields

Core fields are fundamental to all source types and central to the description of an event. These fields are present in most audit records and are used for reporting, filtering, and so on.

EventTimeUTC: Required: The time stamp that indicates when the event occurred. If the event has more than one time stamp (for example, an event start time stamp and an event end time stamp), then the collection plug-in must assign a time stamp to this field. If this field contains NULL, then Oracle Audit Vault shuts down the collection plug-in.

UserName: Required: The user who performed the action in the application or system that generated the audit record. If this field contains NULL, then the audit record is invalid.

CommandClass: Required: The action performed in the event (for example, SELECT or DELETE). If this field contains NULL, then the audit record is invalid. See "Actions".

OSUserName: The user who logged into the operating system that generated the audit record. If the user logged into the operating system as JOHN but performed the action as SCOTT, then this field contains JOHN and the UserName field contains SCOTT.

TargetType: The type of the target object on which the action was performed. For example, if the user selected from a table, then the target type is TABLE. See "Target Types".

TargetObject: The name of the object on which the action was performed. For example, if the user selected from a table, then the TargetObject field contains the name of the table.

TargetOwner: The name of the owner of the target on which the action was performed. For example, if the user selected from a table owned by user JOHN, then the TargetOwner field contains the user name JOHN.

ClientIP: The IP address of the host (see ClientHostName) from which the user initiated the action.

ClientHostName: The host computer from where the user initiated the action. For example, if the user performed the action from an application on a server, then this field contains the name of the server.

EventName: The name of the event exactly as it appears in the audit trail.

EventStatus: The status of the event. There are three possible values for EventStatus: SUCCESS, FAILURE, and UNKNOWN.

ErrorId: The error code of an action.

ErrorMessage: The error message of an action.

CommandText: Contains the text of the command that caused the event, which can be a SQL statement, a PL/SQL statement, and so on. This is also a large field.

CommandParam: Contains the parameters of the command that caused the event. This is also a large field.

A.1.2 Large Fields

Large fields are fields that can contain arbitrarily large amounts of data.

For large fields, use the following:

  • CommandText: Contains the text of the command that caused the event, which can be a SQL statement, a PL/SQL statement, and so on. This is also a core field.

  • CommandParam: Contains the parameters of the command that caused the event. This is also a core field.

A.1.3 Marker Field

Marker Field of a Record: The marker is a string that uniquely identifies a record in a trail. During the recovery process, Audit Vault uses this field to filter out duplicate records. The collection plug-in provides the marker field, which is typically a concatenated subset of the fields of an audit record. For example, in Oracle Database, the session ID and entry ID (a unique identifier within a session) define a marker.

A.1.4 Extension Field

The extension field stores fields that cannot be accommodated in the core or large fields. They are stored as name-value pairs, separated by a delimiter, inside a single Audit Vault field.
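The following sketch ties the core, marker, and extension fields together. It is an added example, not Oracle code or the AVDF plug-in SDK. The source columns `SessionId`, `EntryId`, and `Module`, the output keys `Marker` and `Extension`, the `;` and `=` delimiters with backslash escaping, and the mapping of unrecognized statuses to UNKNOWN are all assumptions.

```python
from datetime import datetime, timedelta, timezone

CORE = {"EventTimeUTC", "UserName", "CommandClass", "OSUserName", "TargetType",
        "TargetObject", "TargetOwner", "ClientIP", "ClientHostName", "EventName",
        "EventStatus", "ErrorId", "ErrorMessage", "CommandText", "CommandParam"}

class CollectorFatal(Exception): pass  # EventTimeUTC NULL: plug-in is shut down
class InvalidRecord(Exception): pass   # UserName/CommandClass NULL: record invalid

def pack_extension(extra, pair_sep=";", kv_sep="="):
    # Assumed encoding: backslash-escape the escape character and both delimiters
    # so a value containing ';' or '=' cannot forge an extra name-value pair.
    def esc(text):
        for ch in ("\\", pair_sep, kv_sep):
            text = text.replace(ch, "\\" + ch)
        return text
    return pair_sep.join(esc(k) + kv_sep + esc(str(v)) for k, v in sorted(extra.items()))

def normalize(raw, marker_keys=("SessionId", "EntryId")):
    if raw.get("EventTimeUTC") is None:
        raise CollectorFatal("EventTimeUTC is NULL")
    for name in ("UserName", "CommandClass"):
        if raw.get(name) is None:
            raise InvalidRecord(name + " is NULL")
    rec = {k: v for k, v in raw.items() if k in CORE}
    rec["EventTimeUTC"] = raw["EventTimeUTC"].astimezone(timezone.utc)
    if rec.get("EventStatus") not in ("SUCCESS", "FAILURE"):
        rec["EventStatus"] = "UNKNOWN"  # assumption: anything else maps to UNKNOWN
    # Marker: concatenated subset of source fields that identifies the record.
    rec["Marker"] = ":".join(str(raw[k]) for k in marker_keys)
    extra = {k: v for k, v in raw.items() if k not in CORE and k not in marker_keys}
    rec["Extension"] = pack_extension(extra)
    return rec

def recover(raw_rows, stored_markers):
    # Recovery re-reads part of the trail; keep only rows whose marker is new.
    seen, fresh = set(stored_markers), []
    for raw in raw_rows:
        rec = normalize(raw)
        if rec["Marker"] not in seen:
            seen.add(rec["Marker"])
            fresh.append(rec)
    return fresh

# Constructed sample rows (not real audit data).
BASE = {"EventTimeUTC": datetime(2024, 1, 5, 12, 0, tzinfo=timezone(timedelta(hours=2))),
        "UserName": "SCOTT", "OSUserName": "JOHN", "CommandClass": "SELECT",
        "TargetType": "TABLE", "TargetObject": "EMP", "EventStatus": "SUCCESS", "SessionId": 4711}
SAMPLE = [dict(BASE, EntryId=1, Module="sqlplus;v=1"), dict(BASE, EntryId=2, Module="app")]
```

A marker built from too few fields collides for distinct records, and recovery then drops real events as duplicates, so the chosen subset must be unique within the trail.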

A.2 Actions and Target Types

This section contains lists of target types and actions that Audit Vault is aware of. If you are building a collection plug-in, then you should use these values in your mapper file if they map semantically. Otherwise, you can use your own values.


A.2.1 Actions

The Action field describes the nature of user activity that triggers generation of an audit record. It is similar to the verb part of a sentence; it describes the activity.

Oracle Audit Vault and Database Firewall strongly recommends mapping audit events to an appropriate value for the Action field, if the user activity semantically maps to it. Audit Vault Server is currently aware of the following actions:

Create

Read

Select

Insert

Delete

Remove

Truncate

Update

Modify

Execute

Communicate

Set

Get

Verify

Logon

Logoff

Authorize

Violate

Acquire

Release

Enable

Disable

Backup

Restore

Open

Close

Apply

Grant

Revoke

Deny

Suspend

Resume

Commit

Savepoint

Checkpoint

Rollback

Rollforward

Copy

Move

Rename

Analyze

Audit

Noaudit

Migrate

Validate

Startup

Shutdown

Unmount

Mount

Invalid

Associate

Disassociate

Deny

Proxy

Initialize

Unknown

Subscribe

Unsubscribe

User configurable event

DDL

Control

Undo

Access

Deadlock

DML

Transaction Control

A.2.2 Target Types

The TargetType field describes the type of object on which a user action operates. It is similar to a noun that describes the object of a user action.

Oracle Audit Vault and Database Firewall strongly recommends mapping audit events to an appropriate value for the TargetType field, if the user activity semantically maps to it.

Audit Vault Server is currently aware of the following target types:

DATABASE

OBJECT

OPERATOR

OUTLINE

PROCEDURE

PUBLIC DATABASE LINK

TYPE BODY

CONTROL FILE

FLASHBACK

BROKER QUEING

BUFFERPOOL

SCHEMA

SYSTEM

TRIGGER

PRIVILEGE

EVENT MONITOR

RULE

EVALUATION

USER

STATISTICS

METHOD

CONTEXT

MESSAGE

VIEW

CONNECTION

TAPE

SAVEPOINT

USER OR PROGRAM UNIT LABEL

APP ROLE

EDITION

FLASHBACK ARCHIVE

MATERIALIZED VIEW LOG

NODEGROUP

PACKAGE BODY

RESOURCE COST

ROLE

INDEXTYPE

USER_RECYCLEBIN

SAVEPOINT

ASSEMBLY

CLUSTER

FUNCTION

JAVA

MINING MODEL

PUBLIC SYNONYM

REWRITE EQUIVALENCE

SEQUENCE

SUMMARY

DEFAULT

AUTHORIZATION

INSTANCE

NODE

CHECKPOINT

EXPRESSION

DATABASE LINK

DIMENSION

INDEX

PACKAGE

SYNONYM

TABLE

TABLESPACE

TYPE

DIRECTORY

LIBRARY

RESTORE POINT

ALL TRIGGERS

APPLICATION

TRANSACTION

USER LOGON

REVOKE

UNKNOWN

MATERIALIZED VIEW

SESSION

TABLE OR SCHEMA POLICY

INDEXES

PROFILE

ROLLBACK SEG

TRACE

DBA_RECYCLEBIN

SUBSCRIPTION