You can map Oracle Audit Vault and Database Firewall events and fields in your collection plug-ins.
Oracle Audit Vault and Database Firewall values consist of core fields, large fields, marker fields, and extension fields.
Learn about core fields that you use to monitor and filter audit records in Oracle Audit Vault.
Core fields are fundamental to all source types. They are central to the description of an event. These fields are present in most audit records, for reporting, filtering, and so on.
Core Field Definitions
EventTimeUTC: Required: The time stamp that indicates when the event occurred. If the event has more than one time stamp (for example, an event start time stamp and an event end time stamp), then the collection plug-in must assign a time stamp to this field. If this field contains NULL, then Oracle Audit Vault shuts down the collection plug-in.
UserName: Required: The user who performed the action in the application or system that generated the audit record. If this field contains NULL, then the audit record is invalid.
CommandClass: Required: The action performed in the event (for example, SELECT or DELETE). If this field contains NULL, then the audit record is invalid.
OSUserName: The user who logged into the operating system that generated the audit record. If the user logged into the operating system as JOHN but performed the action as SCOTT, then this field contains JOHN and the User Name field contains SCOTT.
TargetType: The type of the target object on which the action was performed. For example, if the user selected from a table, then the target type is TABLE.
TargetObject: The name of the object on which the action was performed. For example, if the user selected from a table, then the Target Object field contains the name of the table.
TargetOwner: The name of the owner of the target on which the action was performed. For example, if the user had selected from a table owned by user JOHN, then the Target Owner field contains the user name JOHN.
ClientIP: The IP address of the host (Host Name) from where the user initiated the action.
ClientId: Client identifier of the user whose actions were audited.
ClientHostName: The host computer from where the user initiated the action. For example, if the user performed the action from an application on a server, then this field contains the name of the server.
TerminalName: Name of the UNIX terminal that was the source of the event.
EventName: The name of the event exactly as it appears in the audit trail.
EventStatus: The status of the event. There are three possible values for EventStatus: SUCCESS, FAILURE, and UNKNOWN.
ErrorId: The error code of an action.
ErrorMessage: The error message of an action.
Large fields are fields that can contain arbitrarily large amounts of data.
For large fields, use the following:
CommandText: Contains the text of the command that caused the event, which can be a SQL statement, a PL/SQL statement, and so on. This is also a core field.
CommandParam: Contains the parameters of the command that caused the event. This is also a core field.
Marker Field of a Record: The marker is a string that uniquely identifies a record in a trail. During the recovery process, Audit Vault uses this field to filter out duplicate records. The collection plug-in provides the marker field, which is typically a concatenated subset of the fields of an audit record. For example, in Oracle Database, the session ID and entry ID (a unique identifier within a session) define a marker.
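The core-field rules and the marker described above, as an added example (not Oracle's plug-in code): a pre-ingestion check that a custom collector could run on normalized records. The SessionId and EntryId keys, the ":" separator, and the sample records are assumptions constructed for illustration.

```python
VALID_STATUS = {"SUCCESS", "FAILURE", "UNKNOWN"}

class CollectorFatal(Exception):
    """NULL EventTimeUTC: per the page, the collection plug-in is shut down."""

def check_record(rec):
    """Return the problems that make a record invalid (empty list = usable)."""
    if rec.get("EventTimeUTC") is None:
        raise CollectorFatal("EventTimeUTC is NULL")
    problems = [f"{f} is NULL" for f in ("UserName", "CommandClass")
                if rec.get(f) is None]
    status = rec.get("EventStatus")
    if status is not None and status not in VALID_STATUS:
        problems.append(f"EventStatus {status!r} is not a permitted value")
    return problems

def marker(rec):
    """Marker from session and entry IDs (assumed key names and separator).
    The separator keeps (12, 3) and (1, 23) from both becoming "123"."""
    return f"{rec['SessionId']}:{rec['EntryId']}"

def dedupe(records):
    """Split records into kept and rejected, dropping repeated markers."""
    seen, kept, rejected = set(), [], []
    for rec in records:
        problems = check_record(rec)
        if problems:
            rejected.append((marker(rec), problems))
        elif marker(rec) not in seen:  # repeats appear when a trail is re-read
            seen.add(marker(rec))
            kept.append(rec)
    return kept, rejected

def make_record(user, cmd, status, sid, eid, ts="2024-05-01T10:00:00Z"):
    return {"EventTimeUTC": ts, "UserName": user, "OSUserName": "JOHN",
            "CommandClass": cmd, "EventStatus": status,
            "SessionId": sid, "EntryId": eid}

# Constructed sample trail, not real audit data.
SAMPLE = [
    make_record("SCOTT", "SELECT", "SUCCESS", 12, 3),
    make_record("SCOTT", "SELECT", "SUCCESS", 12, 3),   # duplicate of the first
    make_record("SCOTT", "DELETE", "FAILURE", 1, 23),   # distinct marker "1:23"
    make_record(None, "DELETE", "FAILURE", 12, 4),      # invalid: no UserName
    make_record("SCOTT", "SELECT", "DENIED", 12, 5),    # invalid: bad EventStatus
]

if __name__ == "__main__":
    kept, rejected = dedupe(SAMPLE)
    print([marker(r) for r in kept], rejected)
```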
The extension field can store fields that cannot be accommodated in core or large fields. They are stored as name-value pairs, separated by a delimiter, inside a single Audit Vault field.
The extension field contains CLOB columns. The RLS$INFO column describes the row-level security policies that are configured. It is mapped to the extension field in Audit Vault and Database Firewall. To populate this column, the user needs to set the AUDIT_TRAIL parameter of the secured target to DB EXTENDED.
When you build collection plug-ins, you can use the target types and actions that Oracle Audit Vault can detect.
If you are building a collection plug-in, then you should use these fields in your mapper file if the fields map semantically. Otherwise, you can use your own values.
The TargetType field describes the type of object on which a user action operates. It is similar to a noun that describes the object of a user action.
The Action field describes the nature of user activity that triggers generation of an audit record. It is similar to the verb part of a sentence; it describes the activity.
Purpose
Describes the nature of user activity that triggers generation of an audit record.
Oracle Audit Vault and Database Firewall strongly recommends mapping audit events to an appropriate value for the Action field, if the user activity semantically maps to it.
Permitted Actions
Oracle Audit Vault Server is currently aware of the following actions:
ABORT, ACCESS, ACQUIRE, ALTER, ANALYZE, APPLY, ARCHIVE, ASSIGN, ASSOCIATE, AUDIT, AUTHENTICATE, AUTHORIZE, BACKUP, BIND, BLOCK, CACHE, CALCULATE, CALL, CANCEL, CLOSE, COMMIT, COMMUNICATE, COMPARE, CONFIGURE, CONNECT, CONTROL, CONVERT, COPY, CREATE, DDL, DEADLOCK, DELETE, DEMOTE, DENY, DISABLE, DISASSOCIATE, DISCONNECT, DML, DROP, ENABLE, EXCEED, EXECUTE, EXPIRE, EXPORT, FAIL, FILTER, FINISH, GET, GRANT, IMPORT, INHERIT, INITIALIZE, INSERT, INSTALL, INVALID, INVALIDATE, LOAD, LOCK, LOGIN, LOGOUT, MIGRATE, MOUNT, MOVE, NOAUDIT, NOTIFY, OPEN, PAUSE, PROMOTE, PROXY, PUBLISH, QUARANTINE, RAISE, READ, RECEIVE, RECOVER, REDO, REFRESH, REGISTER, RELEASE, REMOTE CALL, RENAME, RENEW, REQUEST, RESET, RESTORE, RESUME, RETRIEVE, REVOKE, ROLLBACK, ROLLFORWARD, SAVEPOINT, SEARCH, SELECT, SEND, SET, START, STOP, SUBMIT, SUBSCRIBE, SUSPEND, SYNCHRONIZE, TRANSACTION MANAGEMENT, TRUNCATE, UNDO, UNINSTALL, UNKNOWN, UNLOCK, UNMOUNT, UNREGISTER, UNSUBSCRIBE, UPDATE, VALIDATE, VIOLATE, WAIT, WRITE
The TargetType field describes the type of object on which a user action operates. It is similar to a noun that describes the object of a user action.
Purpose
Describes the type of object on which a user action operates.
Oracle Audit Vault and Database Firewall strongly recommends mapping audit events to an appropriate value for the TargetType field, if the user activity semantically maps to it.
Permitted Objects
Oracle Audit Vault Server is currently aware of the following target types:
ALL TRIGGERS, APP ROLE, APPLICATION, ASSEMBLY, AUTHORIZATION, BROKER QUEING, BUFFERPOOL, CHECKPOINT, CLUSTER, CONNECTION, CONTEXT, CONTROL FILE, DATABASE, DATABASE LINK, DBA_RECYCLEBIN, DEFAULT, DIMENSION, DIRECTORY, EDITION, EVALUATION, EVENT MONITOR, EXPRESSION, FLASHBACK, FLASHBACK ARCHIVE, FUNCTION, INDEX, INDEXES, INDEXTYPE, INSTANCE, JAVA, LIBRARY, MATERIALIZED VIEW, MATERIALIZED VIEW LOG, MESSAGE, METHOD, MINING MODEL, NODE, NODEGROUP, OBJECT, OPERATOR, OUTLINE, PACKAGE, PACKAGE BODY, PRIVILEGE, PROCEDURE, PROFILE, PUBLIC DATABASE LINK, PUBLIC SYNONYM, RESOURCE COST, RESTORE POINT, REVOKE, REWRITE EQUIVALENCE, ROLE, ROLLBACK SEG, RULE, SAVEPOINT, SCHEMA, SEQUENCE, SESSION, STATISTICS, SUBSCRIPTION, SUMMARY, SYNONYM, SYSTEM, TABLE, TABLE OR SCHEMA POLICY, TABLESPACE, TAPE, TRACE, TRANSACTION, TRIGGER, TYPE, TYPE BODY, UNKNOWN, USER, USER LOGON, USER OR PROGRAM UNIT LABEL, USER_RECYCLEBIN, VIEW