6.247 UNIFIED_AUDIT_TRAIL

When unified auditing is enabled in Oracle Database, the audit records are populated in this new audit trail. This view displays audit records in tabular form by retrieving the audit records from the audit trail.

Be aware that if the audit trail mode is QUEUED, then audit records are not written to disk until the in-memory queues are full. The following procedure explicitly flushes the queues to disk, so that you can see the audit trail records in the UNIFIED_AUDIT_TRAIL view:

EXEC SYS.DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL;

Note:

This view is populated only in an Oracle Database where unified auditing is enabled.

Column Datatype NULL Description

AUDIT_TYPE

VARCHAR2(64)

 

Type of auditing:

  • Standard

  • FineGrainedAudit

  • XS

  • Database Vault

  • Label Security

  • RMAN_AUDIT

  • Datapump

  • Direct path API

SESSIONID

NUMBER

 

Audit session identifier

PROXY_SESSIONID

NUMBER

 

Audit session identifier of proxying session

OS_USERNAME

VARCHAR2(30)

 

Name of the operating system user for the database session

USERHOST

VARCHAR2(128)

 

Name of the host machine from which the session was spawned

TERMINAL

VARCHAR2(30)

 

The operating system terminal of the user session

INSTANCE_ID

NUMBER

 

Instance number as specified in the initialization parameter file, init.ora

DBID

NUMBER

 

Database identifier of the audited database

AUTHENTICATION_TYPE

VARCHAR2(1024)

 

Type of authentication for the session user

DBUSERNAME

VARCHAR2(30)

 

Database user name of the user whose actions were audited

DBPROXY_USERNAME

VARCHAR2(30)

 

Proxying user name, in the case of proxy authentication

EXTERNAL_USERID

VARCHAR2(1024)

 

External user name, in the case of network or external authentication

GLOBAL_USERID

VARCHAR2(32)

 

Global user identifier for the user, for a user logged in as an enterprise user

CLIENT_PROGRAM_NAME

VARCHAR2(48)

 

Name of the program used for the database session

DBLINK_INFO

VARCHAR2(4000)

 

Value of SYS_CONTEXT('USERENV','DBLINK_INFO'). Valid if the connection was via a database link.

XS_USER_NAME

VARCHAR2(128)

 

Name of the Real Application Security user

XS_SESSIONID

RAW(33)

 

Identifer of the Real Application Security session

ENTRY_ID

NUMBER

 

Numeric ID for each audit trail entry in the session

STATEMENT_ID

NUMBER

 

Numeric ID for each statement run (a statement may cause many actions)

EVENT_TIMESTAMP

TIMESTAMP(6) WITH LOCAL TIME ZONE

 

Timestamp of the creation of the audit trail entry in local time zone

ACTION_NAME

VARCHAR2(64)

 

Name of the action executed by the user. The name should be read in conjunction with the AUDIT_TYPE to understand the real action.

RETURN_CODE

NUMBER

 

Oracle error code generated by the action. Zero if the action succeeded

OS_PROCESS

VARCHAR2(16)

 

Operating system process identifier of the Oracle database process

TRANSACTION_ID

RAW(8)

 

Transaction identifier of the transaction in which the object is modified

SCN

NUMBER

 

System change number (SCN) of the query at the time of the event

EXECUTION_ID

VARCHAR2(64)

 

Execution context identifier for each action

OBJECT_SCHEMA

VARCHAR2(30)

 

Schema name of object affected by the action

OBJECT_NAME

VARCHAR2(128)

 

Name of the object affected by the action

SQL_TEXT

CLOB

 

SQL associated with the event

SQL_BINDS

CLOB

 

List of bind variables, if any, associated with SQL_TEXT

APPLICATION_CONTEXTS

VARCHAR2(4000)

 

Semicolon-seperated list of Application Context Namespace, Attribute, Value information in (APPCTX_NSPACE,APPCTX_ATTRIBUTE=<value>) format

CLIENT_IDENTIFIER

VARCHAR2(64)

 

Client identifier in each Oracle session

NEW_SCHEMA

VARCHAR2(30)

 

The schema of the object named in the NEW_NAME column

NEW_NAME

VARCHAR2(128)

 

New name of object after RENAME, or name of underlying object (for example, CREATE INDEX owner.obj_name ON new_owner.new_name)

OBJECT_EDITION

VARCHAR2(30)

 

Name of the edition containing the audited object

SYSTEM_PRIVILEGE_USED

VARCHAR2(1024)

 

Comma-separated list of system privileges used to execute the action

SYSTEM_PRIVILEGE

VARCHAR2(40)

 

System privilege granted/revoked by a GRANT/REVOKE statement

AUDIT_OPTION

VARCHAR2(40)

 

AUDIT/NOAUDIT SQL command

OBJECT_PRIVILEGES

VARCHAR2(19)

 

Object privileges granted/revoked by a GRANT/REVOKE statement

ROLE

VARCHAR2(30)

 

Roles granted or revoked or set by GRANT/REVOKE/SET ROLE command

TARGET_USER

VARCHAR2(30)

 

User on whom the GRANT/REVOKE/AUDIT/NOAUDIT statement was executed

EXCLUDED_USER

VARCHAR2(30)

 

User who was excluded when the AUDIT/NOAUDIT statement was executed

EXCLUDED_SCHEMA

VARCHAR2(30)

 

Displays the schema of the excluded objects

EXCLUDED_OBJECT

VARCHAR2(128)

 

Displays object excluded from the action

ADDITIONAL_INFO

VARCHAR2(4000)

 

Text comment on the audit trail entry, if any

UNIFIED_AUDIT_POLICIES

VARCHAR2(4000)

 

Lists the audit policies that caused the current audit record. For example, if SELECT ON SCOTT.EMP was configured from policy SCOTT_EMP_POL, for the SELECT event this column will display SCOTT_EMP_POL.

If more than one policy was configured, the list of policies that caused the event to be recorded in the audit trail are displayed in a comma-separated list.

FGA_POLICY_NAME

VARCHAR2(30)

 

Fine-grained auditing (FGA) policy name that generated this FGA audit record

XS_INACTIVITY_TIMEOUT

NUMBER

 

Inactivity timeout of the Real Application Security session

XS_ENTITY_TYPE

VARCHAR2(32)

 

Type of the Real Application Security entity. Possible values are USER, ROLE, ROLESET, SECURITYCLASS, ACL, DATASECURITY, and NSTEMPLATE.

XS_TARGET_PRINCIPAL_NAME

VARCHAR2(30)

 

Target principal name in Real Application Security operations. Possible operations are set verifier, set password, add proxy, remove proxy, switch user, assign user, create session,and grant roles.

XS_PROXY_USER_NAME

VARCHAR2(30)

 

Name of the Real Application Security proxy user

XS_DATASEC_POLICY_NAME

VARCHAR2(30)

 

Name of the Real Application Security data security policy enabled or disabled

XS_SCHEMA_NAME

VARCHAR2(30)

 

Name of the schema in enable, disable data security policy and global callback operation

XS_CALLBACK_EVENT_TYPE

VARCHAR2(32)

 

Real Application Security global callback event type

XS_PACKAGE_NAME

VARCHAR2(30)

 

Real Application Security callback package name for the global callback

XS_PROCEDURE_NAME

VARCHAR2(30)

 

Real Application Security callback procedure name for the global callback

XS_ENABLED_ROLE

VARCHAR2(30)

 

The role that is enabled

XS_COOKIE

VARCHAR2(1024)

 

Real Application Security session cookie

XS_NS_NAME

VARCHAR2(30)

 

Name of the Real Application Security session namespace

XS_NS_ATTRIBUTE

VARCHAR2(4000)

 

Name of the Real Application Security session namespace attribute

XS_NS_ATTRIBUTE_OLD_VAL

VARCHAR2(4000)

 

The old value of the Real Application Security session namespace attribute

XS_NS_ATTRIBUTE_NEW_VAL

VARCHAR2(4000)

 

The new value of the Real Application Security session namespace

DV_ACTION_CODE

NUMBER

 

Numeric action type code for Database Vault

DV_ACTION_NAME

VARCHAR2(30)

 

Name of the action whose numeric code appears in the DV_ACTION_CODE column

DV_EXTENDED_ACTION_CODE

NUMBER

 

Numeric action type code for Database Vault administration

DV_GRANTEE

VARCHAR2(30)

 

Name of the user whose Database Vault authorization was modified

DV_RETURN_CODE

NUMBER

 

Database Vault specific error code

DV_ACTION_OBJECT_NAME

VARCHAR2(128)

 

The unique name of the Database Vault object that was modified

DV_RULE_SET_NAME

VARCHAR2(90)

 

The unique name of the rule set that was executing and caused the audit event to trigger

DV_COMMENT

VARCHAR2(4000)

 

Text comment on the audit trail entry, providing more information about the statement audited

DV_FACTOR_CONTEXT

VARCHAR2(4000)

 

An XML document that contains all of the factor identifiers for the current session at the point when the audit event was triggered

DV_OBJECT_STATUS

VARCHAR2(1)

 

Indicates whether a particular Database Vault object is enabled or disabled. For example, if a Database Vault administrator enables or disables a realm, then this event will be audited and the DV_OBJECT_STATUS value will show the status of the realm after the event occurred. Possible values for this column are:

  • Y - The object is enabled

  • N - The object is disabled

OLS_POLICY_NAME

VARCHAR2(30)

 

Name of the Oracle Label Security (OLS) policy for which this audit record is generated

OLS_GRANTEE

VARCHAR2(30)

 

Name of the user whose OLS authorization was modified

OLS_MAX_READ_LABEL

VARCHAR2(4000)

 

Maximum read label assigned to a user

OLS_MAX_WRITE_LABEL

VARCHAR2(4000)

 

Maximum write label assigned to a user

OLS_MIN_WRITE_LABEL

VARCHAR2(4000)

 

Minimum write label assigned to a user

OLS_PRIVILEGES_GRANTED

VARCHAR2(30)

 

OLS privileges assigned to a user or a trusted stored procedure

OLS_PROGRAM_UNIT_NAME

VARCHAR2(30)

 

Name of the trusted stored procedure whose authorization was modified or was executed

OLS_PRIVILEGES_USED

VARCHAR2(128)

 

OLS privileges used for an event

OLS_STRING_LABEL

VARCHAR2(4000)

 

String representation of the OLS label

OLS_LABEL_COMPONENT_TYPE

VARCHAR2(12)

 

Type of the OLS label component

OLS_LABEL_COMPONENT_NAME

VARCHAR2(30)

 

Name of the OLS label component

OLS_PARENT_GROUP_NAME

VARCHAR2(30)

 

Name of the parent of the OLS group

OLS_OLD_VALUE

VARCHAR2(4000)

 

Old value for OLS ALTER events

OLS_NEW_VALUE

VARCHAR2(4000)

 

New value for OLS ALTER events

RMAN_SESSION_RECID

NUMBER

 

RMAN session identifier. Together with RMAN_SESSION_STAMP uniquely identifies an RMAN job (note that this is not same as user session ID; the value is a recid in controlfile that identifies RMAN job)

RMAN_SESSION_STAMP

NUMBER

 

Timestamp for the session

RMAN_OPERATION

VARCHAR2(20)

 

The RMAN operation executed by the job. One row will be added for each distinct operation within an RMAN session. For example, a backup job would contain BACKUP in the RMAN_OPERATION column.

RMAN_OBJECT_TYPE

VARCHAR2(20)

 

Type of objects involved for backup or restore/recover or change/delete/crosscheck commands.

It contains one of the following values. If RMAN command does not satisfy one of them, then preference is given in order, from top to bottom of the list:

  • DB FULL

  • RECVR AREA

  • DB INCR

  • DATAFILE FULL

  • DATAFILE INCR

  • ARCHIVELOG

  • CONTROLFILE

  • SPFILE

RMAN_DEVICE_TYPE

VARCHAR2(5)

 

Device involved in the RMAN job. It may be DISK or SBT_TAPE or * (An * indicates that more than one location is involved).

For a backup job, it will be the output device type. For other commands (such as restore or crosscheck), it will be the input device type.

DP_TEXT_PARAMETERS1

VARCHAR2(512)

 

Parameters during a Data Pump operation that have a text/string value. This may contain the values for:

  • ACCESS METHODS

  • DATA OPTIONS

  • DUMPER DIRECTORY

  • JOB_TYPE

  • JOB VERSION

  • MASTER TABLE

  • METADATA_JOB_MODE

  • PARTITION OPTIONS

  • REMOTE LINK

  • TABLE EXISTS

For descriptions and more information about the settings that can appear for these Data Pump text parameters, see Table 6-2.

DP_BOOLEAN_PARAMETERS1

VARCHAR2(512)

 

Parameters during a Data Pump operation that have a boolean value. This may contain the values for:

  • DATA_ONLY - Boolean value for whether or not the operation processed data only (as opposed to metadata only, or metadata and data combined)

  • DUMPFILE_PRESENT - Denotes whether a dump file exists. Typically, it indicates whether a network export in which no dumpfile is required.

  • JOB_RESTARTED - Boolean that indicates if the export or import job had to be restarted

  • MASTER_ONLY - Indicates whether the import job imported just the master table and then stopped the job so that the contents of the master table can be examined

  • METADATA_ONLY - Boolean value for whether or not the operation processed metadata only (as opposed to data only, or metadata and data combined)

DIRECT_PATH_NUM_COLUMNS_LOADED

NUMBER

 

Shows the number of columns that were loaded using the SQL*Loader direct path load method

Table 6-2 Data Pump Text Parameter Descriptions

Parameter Description

ACCESS METHOD

The method used to load the data. Settings can be:

  • AUTOMATIC: Enables Oracle Data Pump to determine the optimal load method

  • DIRECT_PATH : Uses the direct path API to pass the data to be loaded.

  • EXTERNAL_TABLE: Loads data using the external tables option.

  • CONVENTIONAL: Loads the data using SQL INSERT statements

DATA OPTIONS

Indicates how certain types of data were handled during import operations. Settings are in bit-mask format, which are as follows:

  • 1 (SKIP_CONSTRAINT_ERRORS): Specifies that the import operation proceeded even if non-deferred constraint violations were encountered.

  • 2 (XML_CLOBS): Allows for the export of the XML type data as a CLOB. This setting is deprecated in Oracle Database 12c Release 1 (12.1). See Oracle Database Utilities for more information.

  • 8 (DISABLE_APPEND_HINT): The import operation did not use the APPEND hint while loading a data object.

  • 16 (REJECT_ROWS_WITH_REPL_CHAR): Warnings are issued when the replacement character may be used and an option was added to reject data rows where the replacement character was used during a Data Pump import. This situation can occur if different character sets are used for the export/import process

DUMPER DIRECTORY

Not in use

JOB_TYPE

Is either EXPORT or IMPORT

JOB VERSION

Specifies the version of database objects that were imported

MASTER TABLE

Indicates the name of the master table. By default, it appears as follows for export operations:

schema_name.SYS_EXPORT_TABLE_n

For import operations, it appears as follows:

schema_name.SYS_IMPORT_TABLE_n

The n represents a numeric value of 01. If 01 is in use, the number is incremented with 02, 03, and so on.

METADATA_JOB_MODE

Type of export or import operation. For example a table export would be TABLE_EXPORT

PARTITION OPTIONS

Indicates how table partitions were created during an import operation. Settings can be:

  • NONE: The tables were created as they existed on the system from which the export operation was performed.

  • DEPARTITION: Each partition or subpartition was promoted to a new individual table.

  • MERGE: All partitions and subpartitions were merged into one table

REMOTE LINK

Indicates that the export was performed from a (source) database identified by a valid database link. The data from the source database instance was written to a dump file set on the connected database instance.

TABLE EXISTS

Indicates the action that was taken on an import operation when the target table already existed. The values are as follows:

  • REPLACE

  • TRUNCATE

  • SKIP

  • APPEND

See Also:

Oracle Database PL/SQL Packages and Types Reference for more information about the DBMS_AUDIT_MGMT package