Audit Trails

An audit trail represents the collection of audit records from the target database trail such as UNIFIED_AUDIT_TRAIL, which provides documentary evidence of the sequence of activities that happen.

A database audit trail is the source of audit records showing what has happened in the target database. When audit data collection is enabled for the specified database audit trail in an audit trail resource, the audit records are copied from the database's audit trail into Oracle Data Safe in near-real time. You can manage the audit records volume in the target database using the auto purge feature.

About Oracle Data Safe Audit Trails

An audit trail is an audit table in a target database that stores audit data. The most common audit trail is the UNIFIED_AUDIT_TRAIL data dictionary view, which consolidates all Oracle Database audit trails into one location and in a unified format.

During target database registration, Oracle Data Safe automatically discovers the audit trails on a target database and creates one audit trail resource per target database audit trail. These audit trail resources are listed on the Audit Trails page in Security Center. You can discover new audit trails for a target database at any time and remove audit trail resources in Oracle Data Safe as needed.

When you start an Oracle Data Safe audit trail, Oracle Data Safe begins copying audit records from the target database audit trail into the Oracle Data Safe repository. You can start and stop audit data collection as needed. In most cases, you configure Oracle Data Safe to collect audit data from only one audit trail in your target database, although it is possible to collect from more than one.

Supported Target Database Audit Trails

The following table lists the target database audit trails that Oracle Data Safe can discover. The SQL_TEXT, SQL_BINDS, and RLS_INFO columns in UNIFIED_AUDIT_TRAIL and SYS.AUD$ are truncated to 32KB before being stored in Oracle Data Safe. So are LSQLTEXT, LSQLBIND, and RLS$INFO in SYS.FGA_LOG$.

Unified audit policy retrieval and provisioning in Oracle Data Safe is supported only on Oracle Database versions 12.2 and above. Traditional audit settings cannot be retrieved and provisioned from Oracle Data Safe,although you can choose to do so within the target database and configure traditional audit trails for collection.

Database Version Standard Edition Enterprise Edition

Non-Autonomous Databases, versions 11.2.0.4, 12.1.0.1, 12.1.0.2

SYS.AUD$

SYS.AUD$

SYS.FGA_LOG$*

DVSYS.AUDIT_TRAIL$ (when Database Vault is enabled)

Non-Autonomous Databases, versions 12.2 and above

UNIFIED_AUDIT_TRAIL

SYS.AUD$

UNIFIED_AUDIT_TRAIL**

SYS.AUD$

SYS.FGA_LOG$*

DVSYS.AUDIT_TRAIL$ (when Database Vault is enabled)

Note:

SYS.AUD$, SYS.FGA_LOG$*, and DVSYS.AUDIT_TRAIL$ are available in mixed mode only.

Autonomous Databases (latest version)

(not applicable)

UNIFIED_AUDIT_TRAIL**

*When you enable auto-purge for an FGA_LOG$ audit trail, you may encounter an error and the audit trail is in a stopped state. To enable auto purge, re-run the datasafe_privileges.sql on the target database and restart the audit trail.

For Active Data Guard associated target databases, you will see:
  • A UNIFIED_AUDIT_TRAIL collecting records from the AUDSYS.AUD$UNIFIED table of the primary database. For example, TABLE:PRIMARY.
  • A UNIFIED_AUDIT_TRAIL collecting audit records from the operating system spillover files of the primary database. For example, FILE:database_unique_name1.
  • A UNIFIED_AUDIT_TRAIL collecting audit records from the operating system spillover files of each peer database that is registered. For example, FILE:database_unique_name2.
You can distinguish the UNIFIED_AUDIT_TRAIL that point to the operating system spillover files by the associated database unique name.

Auto Purge

It is important to properly manage audit data volume on your databases to ensure efficient performance and optimum use of the disk space. As audit trails on your databases grow in volume, querying the audit trail with large volume of audit data may impact performance and lead to space scalability issues. It is best to purge old audit records from the database audit trail periodically after they are collected by Oracle Data Safe. This is why you may want to consider using the auto purge feature.

The Oracle Data Safe auto purge feature in Activity Auditing lets you purge audit records from your target databases on a regularly scheduled basis. The auto purge feature is an operation on a target database. When auto purge is enabled for a target database, audit data in the target database audit trail is deleted every seven days so that it doesn't become too large.

Caution:

Enabling auto purge deletes all audit records in the target database audit trail every seven days, including those older than the initial start date of the audit collection. Records might be deleted even if they are not collected in Oracle Data Safe. After considering this impact, you should enable this feature carefully.

Additionally, the purging of audit records in a database target should only be managed through Data Safe. Although Data Safe collects audit records frequently, purging audit data from outside the Data Safe framework (for example, manually running DBMS_AUDIT_MGMT.CLEAN_AUDIT_TRAIL) has the potential to delete audit records that Data Safe has not yet collected. If you have created a custom job to periodically purge audit data, you should consider deleting or disabling that job to avoid conflicts in purge activity.

If you enable auto purge and want to see additional details like purgeJobTime, purgeJobStatus, and purgeJobDetails, re-run the datasafe_privileges.sql script for AUDIT_COLLECTION on the target database. See Grant Roles to the Oracle Data Safe Service Account on Your Target Database for more information.

Auto purge is disabled by default. Even if you disable auto purge in Oracle Data Safe, be aware that your target database may still be purging audit data based on the target database's audit data retention settings. Please refer to your database's documentation for details.