This appendix contains the AVDF events and fields that you can map to in your collection plug-ins.
This section discusses the different types of AVDF values:
Core fields are fundamental to all source types and central to the description of an event. These fields are present in most audit records and are used for reporting, filtering, and so on.
EventTimeUTC: Required: The time stamp that indicates when the event occurred. If the event has more than one time stamp (for example, an event start time stamp and an event end time stamp), then the collection plug-in must assign a time stamp to this field. If this field contains NULL, then Oracle Audit Vault shuts down the collection plug-in.
UserName: Required: The user who performed the action in the application or system that generated the audit record. If this field contains NULL, then the audit record is invalid.
CommandClass: Required: The action performed in the event (for example, DELETE). If this field contains NULL, then the audit record is invalid. See "Actions".
OSUserName: The user who logged into the operating system that generated the audit record. If the user logged into the operating system as JOHN but performed the action as SCOTT, then this field contains JOHN and the User Name field contains
TargetType: The type of the target object on which the action was performed. For example, if the user selected from a table, then the target type is TABLE. See "Target Types".
TargetObject: The name of the object on which the action was performed. For example, if the user selected from a table, then the Target Object field contains the name of the table.
TargetOwner: The name of the owner of the target on which the action was performed. For example, if the user had selected from a table owned by user JOHN, then the Target Owner field contains the user name
ClientIP: The IP address of the host (Host Name) from where the user initiated the action.
ClientHostName: The host computer from where the user initiated the action. For example, if the user performed the action from an application on a server, then this field contains the name of the server.
EventName: The name of the event exactly as it appears in the audit trail.
EventStatus: The status of the event. There are three possible values for
ErrorId: The error code of an action.
ErrorMessage: The error message of an action.
CommandText: Contains the text of the command that caused the event, which can be a SQL statement, a PL/SQL statement, and so on. This is also a large field.
CommandParam: Contains the parameters of the command that caused the event. This is also a large field.
Large fields are fields that can contain arbitrarily large amounts of data.
For large fields, use the following:
CommandText: Contains the text of the command that caused the event, which can be a SQL statement, a PL/SQL statement, and so on. This is also a core field.
CommandParam: Contains the parameters of the command that caused the event. This is also a core field.
Marker Field of a Record: The marker is a string that uniquely identifies a record in a trail. During the recovery process, Audit Vault uses this field to filter out duplicate records. The collection plug-in provides the marker field, which is typically a concatenated subset of the fields of an audit record. For example, in an Oracle database, the session ID and the entry ID (a unique identifier within a session) define a marker.
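The following added example (plain Python written for this page, not Oracle's code and not the AVDF SDK) models the rules above: the NULL handling of the three required core fields, and marker-based filtering of duplicates when a trail is re-read during recovery. The source field names SessionId and EntryId, the helper names, and the length-prefixed concatenation are assumptions; the length prefix keeps the pair (1, 23) from producing the same marker as (12, 3).

```python
# Added illustration; plain Python, not the AVDF SDK or a real mapper file.
class CollectorShutdown(Exception):
    """NULL EventTimeUTC: per the field list, Audit Vault shuts the plug-in down."""

REQUIRED_OR_INVALID = ("UserName", "CommandClass")  # NULL here => invalid record

def validate(record):
    """True if the record is valid, False if invalid; raises on NULL EventTimeUTC."""
    if record.get("EventTimeUTC") is None:
        raise CollectorShutdown("EventTimeUTC is NULL")
    return all(record.get(f) is not None for f in REQUIRED_OR_INVALID)

def marker(record, key_fields=("SessionId", "EntryId")):  # assumed source field names
    """Concatenate the key fields, length-prefixed so the result is unambiguous."""
    parts = []
    for name in key_fields:
        value = record.get(name)
        if value is None:
            raise ValueError(f"marker field {name} is NULL; marker would not be unique")
        text = str(value)
        parts.append(f"{len(text)}:{text}")
    return "|".join(parts)

def recover(trail, stored_markers):
    """Re-read a trail after a restart; skip records whose marker is already stored."""
    seen = set(stored_markers)
    accepted, invalid = [], []
    for record in trail:
        if not validate(record):
            invalid.append(record)
            continue
        m = marker(record)
        if m not in seen:
            seen.add(m)
            accepted.append(record)
    return accepted, invalid

def sample_record(session, entry, user="SCOTT"):
    # Constructed sample record, not taken from a real audit trail.
    return {"SessionId": session, "EntryId": entry, "UserName": user,
            "EventTimeUTC": "2024-01-01T00:00:00Z", "CommandClass": "DELETE"}

# Constructed trail: two distinct records, one with NULL UserName, one re-read duplicate.
SAMPLE_TRAIL = [sample_record(1, 23), sample_record(12, 3),
                sample_record(12, 4, user=None), sample_record(1, 23)]

if __name__ == "__main__":
    accepted, invalid = recover(SAMPLE_TRAIL, stored_markers=[])
    print(len(accepted), "accepted,", len(invalid), "invalid")
```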
This section contains lists of target types and actions that Audit Vault is aware of. If you are building a collection plug-in, then you should use these fields in your mapper file, if the fields map semantically. Otherwise, you can use your own values.
The Action field describes the nature of user activity that triggers generation of an audit record. It is similar to the verb part of a sentence; it describes the activity.
Oracle Audit Vault and Database Firewall strongly recommends mapping audit events to an appropriate value for the Action field, if the user activity semantically maps to it. Audit Vault Server is currently aware of the following actions:
User configurable event
The TargetType field describes the type of object on which a user action operates. It is similar to a noun that describes the object of a user action.
Oracle Audit Vault and Database Firewall strongly recommends mapping audit events to an appropriate value for the TargetType field, if the user activity semantically maps to it.
Audit Vault Server is currently aware of the following target types:
PUBLIC DATABASE LINK
USER OR PROGRAM UNIT LABEL
MATERIALIZED VIEW LOG
TABLE OR SCHEMA POLICY