Oracle Cloud Infrastructure Documentation

View and Manage Audit Reports

You can view and schedule audit reports, set filters and modify columns in audit reports, download audit reports as PDF, XLS, or JSON files, as well as create, update, and delete custom audit reports.

View a Predefined or Custom Audit Report

  1. Under Data Safe - Database Security, select Activity auditing.

  2. Under Activity auditing, select Audit reports.

  3. To view a predefined audit report, on the Predefined reports tab, click the report name that you want to view.

    The predefined report is displayed.

  4. To view a custom audit report, click the Custom Reports tab, click the report name that you want to view.

    Your custom report is displayed.

  5. View totals in the report.

    Each report has its own set of total values.

  6. View individual audit events in the report.

    By default, Oracle Data Safe shows the audit data for the past one week in a predefined audit report.

  7. To view more detail for a particular event, click ... and View details for the particular event.

    For some details, you can copy their values to the clipboard.

    Note

    Note: If the audit report takes longer to process, the report is being generated in the background. You can remain on this page and wait for the report to generate, or navigate to the Audit Report History page, where a link to the report in JSON format will be available. For more information, see View Audit Report History.

Add or Remove Columns in an Audit Report

  1. View a predefined or custom audit report.

  2. Select the manage columns icon, Manage columns icon.

    The Manage Columns window appears.

  3. Select columns that you want displayed in the report.

  4. Deselect columns that you want to hide in the report.

  5. Select Apply Changes.

Apply Basic Filters in an Audit Report

To apply basic filters in the report, do the following:

  1. Under Data Safe - Database Security, select Activity auditing.

  2. Under Activity auditing, select Audit reports.

  3. View a predefined or custom audit report.

  4. Under the Actions menu, select Filter audit events.

  5. Select a filter type, operator, and enter a value. All columns that are available in the report are available as filter types.

    Note

    Note: Using Attribute Sets is only available for predefined audit reports and custom audit reports created after September 2025.

  6. Select Add filter and repeat step 3 to apply additional filters.

  7. Select Update.

  8. To remove a filter, select the X beside the filter.

Apply Advanced Filters in an Audit Report

Advanced filtering of audit data can provide flexibility in the way that data is analyzed and reviewed, by allowing organizations to specify complex conditions and multiple criteria that must be met in order for data to be included or excluded from the analysis. Advanced filtering uses System for Cross-Domain Identity Management (SCIM) syntax. For more information about SCIM, see System for Cross-Domain Identity Management (SCIM) Syntax.

  1. View a predefined or custom audit report.

  2. Under the Actions menu, select Filter audit events.

  3. Select Show Advanced SCIM Query Builder.

  4. Use the provided filter builder and dropdowns to type in your filter(s).

  5. Select Update.

  6. To clear the query builder, select Clear. This will clear any basic filters applied as well.

Example: Failed login advanced filter

<pre class="copy"><code>((operation eq &quot;LOGIN&quot; OR operation eq &quot;LOGON&quot;) and operationStatus eq &quot;FAILURE&quot;)</code></pre>

Example: User creation or modification advanced filter

<pre class="copy"><code>(operation eq &quot;CREATE&quot; OR operation eq &quot;DROP&quot; OR operation eq &quot;ALTER&quot;) AND (objectType     eq &quot;USER&quot;)</code></pre>

Example: Changes in audit policy advanced filter

<pre class="copy"><code>(operation eq &quot;AUDIT&quot;) OR (operation eq &quot;NOAUDIT&quot;) OR (operation eq &quot;CREATE&quot; AND     objectType eq &quot;AUDIT POLICY&quot;) OR (operation eq &quot;ALTER&quot; AND objectType eq &quot;AUDIT POLICY&quot;)     OR (operation eq &quot;DROP&quot; AND objectType eq &quot;AUDIT POLICY&quot;) OR (operation eq &quot;EXECUTE&quot; AND     objectName eq &quot;DBMS_FGA&quot;)</code></pre>

Use Audit Reports to Create Custom Alerts

You can leverage the convenience of Audit reports to create custom alert policy. Apply the filters in the All Activity report to narrow down the conditions for alerting and create a new custom alert policy or add a rule to an existing custom alert policy based on the filtered conditions.

Related Topics

Create a Custom Alert Policy From the All Activity Audit Report

You can leverage the convenience of Audit reports to create custom alert policy. Apply the filters in the All Activity report to narrow down the conditions for alerting and create a new custom alert policy based on the filtered conditions.

  1. Under Data Safe - Database Security, select Activity auditing.

  2. Under Activity auditing, select Audit reports.

  3. Select the All activity report from the list.

  4. Use basic or advanced filtering to filter the all activity report as desired for the alert policy.

    Don't create filters that only apply to specific target databases or times as this will cause errors when creating the policy. See the Alert condition supported fields table below for the list of valid fields. See Apply Basic Filters in an Audit Report and Apply Advanced Filters in an Audit Report.

  5. Under the Actions menu, select Create as alert rule to use the currently applied filters as the conditions for a custom alert.

  6. Select Create an alert policy.

  7. Fill in the following required fields, and then select Create.

    Field Name Description
    Policy name Display name of the alert policy you’re creating.
    Compartment The compartment where the alert policy will be created. Alert policies can be applied to target databases regardless of the compartment. You will associate the alert policy to the target database in a later step. See Associate and Apply Alert Policies to Target Databases.
    Severity Value are Critical, High, Medium, or Low. The designated severity level will be visible if an alert is generated.
    Rule name Display name of the alert rule. A rule defines the logic that will cause the alert to trigger. An alert policy can have up to five custom rules. You can only create one rule in this workflow, but you can create more in a later step. See Add an Alert Rule to an Existing Alert Policy From Activity Auditing or Manage the Alert Rules of an Existing Alert Policy Manually.
    Rule expression SCIM query {::nomarkdown}This will show the System for Cross-Domain Identity Management (SCIM) syntax for the filters you applied earlier and defines the logic for your custom alert. You can use Copy rule from an existing alert policy to copy the SCIM syntax from a single existing policy.

Alert condition supported fields

The following table describes alert condition supported fields.

Field Description
Audit type (auditType) The type of auditing: STANDARD, FINE_GRAINED, XS, DATABASE_VAULT, LABEL_SECURITY, RMAN, DATAPUMP, DIRECT_PATH_API
Client host (clientHostname) The host name of the client application that was the source of the event causing the alert.
Client ID (clientId) The client identifier in each Oracle session.
Client IP (clientIp) The IP address of the client application that was the source of the event causing the alert.
Client program (clientProgram) The application from which the audit event was generated. For example SQL Plus or SQL Developer.
DB user (dbUserName) The name of the database user whose actions were audited.
Error code (errorCode) Oracle Error code generated by the action. Zero indicates the action was successful.
Error message (errorMessage) The detailed message on why the error occurred.
Event (eventName) The name of the event executed by the user on the target database. For example ALTER SEQUENCE, CREATE TRIGGER, or CREATE INDEX.
External user (externalUserId) The user ID of the external user of the audit event.
Location (auditLocation) The location of the audit. Currently the value is audit table.
Object(objectName) Name of the object on the database affected by the action, for example, a table name, file name, or a directory name. Must be in upper case, for example, ALTER_TABLE.
Object owner (objectOwner) The schema name of the object affected by the action.
Object type (objectType) Type of object in the source database affected by the action. For example PL/SQL, SYNONYM, or PACKAGE BODY.
Operation (operation) The name of the action executed by the user on the target database. For example ALTER, CREATE, or DROP.
Operation status (operationStatus) Status of the event: Success or Failure
OS user (osUserName) The name of the operating system user for the database session.
Terminal (osTerminal) The operating system terminal of the user session.
Unified audit policies (auditPolicies) List of audit policies that caused the current audit event.

Add an Alert Rule to an Existing Alert Policy From Activity Auditing

After applying filters to the All activity report in Activity Auditing, you can add a rule to an existing custom alert policy based on the filters.

  1. Under Data Safe - Database Security, select Activity auditing.

  2. Under Activity auditing, select Audit reports.

  3. Select the All activity report from the list.

  4. Use basic or advanced filtering to filter the all activity report as desired for the alert policy.

    Don't create filters that only apply to specific target databases or times as this will cause errors when creating the rule. See Alert condition supported fields for the list of valid fields. See Apply Basic Filters in an Audit Report and Apply Advanced Filters in an Audit Report.

  5. Under the Actions menu, select Create as alert rule to use the currently applied filters as the conditions for a custom alert.

  6. Select Create as alert rule to use the currently applied filters as the conditions for an additional rule of an existing alert policy.

    An alert policy can have up to five alert rules. The policy will trigger if any of the rules are met.

  7. Fill in the following required fields, and then select Create.

    Field Name Description
    Compartment Select the compartment where the alert policy you’re adding the rule to is stored.
    Policy name Select the name of the alert policy. The list is populated based on the compartment that is selected.
    Rule name Display name of the alert rule. A rule defines the logic that will cause the alert to trigger. An alert policy can have up to five custom rules. You can only create one rule in this workflow, but you can create more in a later step. See Add an Alert Rule to an Existing Alert Policy From Activity Auditing or Manage the Alert Rules of an Existing Alert Policy Manually.
    Rule expression SCIM query This will show the System for Cross-Domain Identity Management (SCIM) syntax for the filters you applied earlier and defines the logic for your custom alert. You can use Copy rule from an existing alert policy to copy the SCIM syntax from a single existing policy.

Download an Audit Report

Downloading the latest report can be done from either the list of Audit Reports or the details of the audit report. In addition you can download any report from the past three months from either the Audit Report History list or the details of the scheduled or generated audit report.

Download the Latest Audit Report from a List of Audit Reports

  1. Under Data Safe - Database Security, select Activity auditing.

  2. Under Activity auditing, select Audit reports.

  3. On the Predefined Reports or Custom Reports tab, locate the row that has the report you want to download.

  4. Locate the row that has the report you want to download, click ... and Download Report column. The report will be downloaded.

  5. Using your browser's options, open and view the report, or save it to your local computer.

Download the Latest Audit Report from the Details page of the Audit Report

  1. Under Data Safe - Database Security, select Activity auditing.

  2. Under Activity auditing, select Audit reports.

  3. Select an audit report from either the Predefined Reports or Custom Reports tab.

  4. Under the Actions menu, select the Download report. The latest report will be downloaded.

  5. Using your browser's options, open and view the report, or save it to your local computer.

Download an Audit Report from the Audit Report History List

  1. Under Data Safe - Database Security, select Activity auditing.

  2. Under Activity auditing, select Audit report history.

  3. Locate the row that has the report you want to download, click ... and Download Report column. The report will be downloaded.

Download an Audit Report from the Audit Report History Details Page

  1. Under Data Safe - Database Security, select Activity auditing.

  2. Under Activity auditing, select Audit report history.

  3. Click on the name of an audit report from the list.

  4. Under the Actions menu, select Download report. The report will be downloaded.

Generate and Download a PDF or XLS Audit Report

You can generate and download a predefined audit report as a PDF or XLS document. You need to first generate the report before you can download it.

  1. Under Data Safe - Database Security, select Activity auditing.

  2. Under Activity auditing, select Audit reports.

  3. On the Predefined Reports tab, click the report name for which you want to generate a PDF or XLS report.

    The report page is displayed.

  4. Under the Actions menu, select Generate report.

    The Generate Report dialog box is displayed.

  5. For Report Format, select PDF or XLS.

  6. Enter a display name for the report.

  7. (Optional) Enter a report description.

  8. Select a compartment in which to store your report.

  9. (Optional) Set filters on the audit data as needed:

    • Specify a maximum number of rows (row limit) to display in the report. If unspecified, the default row limit is 200 rows.

    • Select specific target databases.

    • Set a report start time and end time.

  10. Click Generate report.

    The report is generated and saved to the specified compartment.

  11. When the report is finished generating, do one of the following:

    • In the Generate Report dialog box next to To download report please, click the click here link. A dialog box is displayed where you can specify whether you want to open or save the file.

    • Click Close to close the Generate Report dialog box, and then select Download report in the Actions menu. A dialog box is displayed where you can specify whether you want to open or save the file.

Create a Custom Audit Report

You can create a custom audit report from a predefined or existing custom audit report. You may want to do this if you have specific filters set and columns displayed that you want to preserve. Or, you may want to change the filters and columns in the custom report. During creation, you can save the report to a compartment of your choice.

  1. Under Data Safe - Database Security, select Activity auditing.

  2. Under Activity auditing, select Audit reports.

    The Audit Reports page is displayed, showing you a list of standard audit reports.

  3. On the Predefined Reports tab, click the predefined report name from which you want to create your custom report.

    The report page is displayed.

  4. Under the Actions menu, select Create custom report.

    The Custom Report dialog box is displayed.

  5. Enter a report name.

  6. (Optional) Enter a report description.

  7. Select the compartment to which you want to save your report.

  8. Click Create Custom Report.

    The audit data and filters that are currently displayed on the page are saved in the custom report. The custom report is listed on the Custom Reports tab.

Update a Custom Audit Report

  1. Under Data Safe - Database Security, select Activity auditing.

  2. Under Activity auditing, select Audit reports.

  3. Click the Custom Reports tab.

  4. In the Name column, click the name of the custom report that you want to update.

    Your custom report is displayed.

  5. Modify the report as needed.

  6. Under the Actions menu, select Save report.

    The report is updated.

Delete a Custom Audit Report

Caution: Be careful when you delete a custom audit report, because you can’t recover one after it's deleted.

  1. Under Data Safe - Database Security, select Activity auditing.

  2. Under Activity auditing, select Audit reports.

  3. Click the Custom Reports tab.

  4. In the Name column, click the name of the custom report that you want to delete.

    Your custom report is displayed.

  5. Under the Actions menu, select Delete report.

    The Delete Report dialog box is displayed.

  6. Click Delete Report to confirm the deletion.

Schedule a Predefined or Custom Audit Report

You can create a schedule for a predefined or custom audit report to generate a PDF or XLS report.

  1. Under Data Safe - Database Security, select Activity auditing.

  2. Under Activity auditing, select Audit reports.

    The Audit Reports page is displayed, showing you a list of standard audit reports.

  3. To view a predefined audit report, on the Predefined Reports tab, in the Report Name column, click the report name that you want to view.

    The predefined report is displayed.

  4. To view a custom audit report, click theCustom Report tab. In the Report Name column, click the name of your custom report.

    Your custom report is displayed.

  5. Under the Actions menu, select Manage report schedule.

    The Manage Report Schedule panel is displayed, pre-loaded with either the default or modified schedule.

  6. (Optional) In the Schedule Report Name box, enter a name for the PDF or XLS report.

  7. Select a compartment to store the reports generated by the schedule.

  8. For Report Format, select either a PDF or XLS output.

  9. Select a Schedule Frequency.

    • If you select weekly, select the day of the week in the Every field.

    • If you select monthly, select the day of the month in the Day field.

  10. In Time (in UTC), select a schedule time.

  11. In Events Time Span, select the time span for the audit records.

    For example, selecting Last Months and entering 14 pulls events from the last 14 months from the time the report is run.

  12. (Optional) Specify a row limit. If unspecified, the default row limit is 200 rows.

  13. Click Save Schedule.

    You can access the generated PDF/XLS reports on the Audit Report History page.

View Audit Report History

The Audit Report History page lists all the PDF/XLS/JSON audit reports that are automatically generated via a schedule or on-demand by users. On this page, you can view the list of reports generated during the past three months, details about those reports, and download reports. Oracle Data Safe stores PDF/XLS audit reports for up to three months and JSON format reports for up to 1 week. JSON format reports are generated when online audit report generation takes longer than expected.

  1. Under Data Safe - Database Security, select Activity auditing.

  2. Under Activity auditing, select Audit report history.

    The Audit report history table is displayed. It contains the following information:

    • Report Name - The name of the audit report.

    • Lifecycle State - Either ACTIVE or UPDATING, shows if the report is currently accessible or if it is being updated.

    • Report Definition - Specifies the name of the report that provides data for this scheduled or generated report.

    • Generated Time - The time the report was created.

    • Report Type - Generated or Scheduled. Where generated reports are on-demand reports produced outside of the scheduling system and scheduled reports are those produced by the scheduling system.

    • File Format - PDF, XLS, or JSON

    • Download Report - Option to download the report.

  3. (Optional) Filter the list of results by selecting the Search and Filter field. Narrow down the report history page based on the Report definition, Report type, File format, and Created.

Move an Audit Report to a Different Compartment

Any scheduled or generated audit report from the past three months can be moved to a different compartment that you have access to from Audit Report History.

  1. Under Data Safe - Database Security, select Activity auditing.

  2. Under Activity auditing, select Audit report history.

    The Audit Report History table is displayed.

  3. Click on the name of an audit report from the list.

  4. Under the Actions menu, select Move resource.

  5. In the move resource dialog box, select the compartment to move the audit report to. You must have the appropriate DATA_SAFE_REPORT_MOVE permissions for the selected compartment.

  6. Click Move Resource.

    The audit report and Archive Data Retrieval will be moved to the selected compartment immediately.

Related Topics