View and Manage Audit Reports

You can view and schedule audit reports, set filters and modify columns in audit reports, download audit reports as PDF or XLS files, as well as create, update, and delete custom audit reports.

View a Predefined or Custom Audit Report

  1. Under Security Center, click Activity Auditing.
  2. Under Related Resources, click Audit Reports.
    The Audit Reports page is displayed, showing you a list of standard audit reports.
  3. To view a predefined audit report, on the Predefined Reports tab, click the report name that you want to view.
    The predefined report is displayed.
  4. To view a custom audit report, click the Custom Reports tab. In the Report Name column, click the name of your custom report.
    Your custom report is displayed.
  5. View totals in the report.
    The report totals are clickable. Some of them show you a list and some of them toggle a filter in the list of audit events. For example, if you click the total for DB Users, a dialog box is displayed showing you the list of database user names. Click Close to close the dialog box.
    Each report has its own set of total values.
  6. View individual audit events in the report.
    By default, Oracle Data Safe shows the audit data for the past week in a predefined audit report.
  7. To view more detail for a particular event, click the down arrow to expand the row and show details for the particular event.
    For some details, you can copy their values to the clipboard.

Use Audit Reports to Create Custom Alerts

You can use audit reports as the starting point for custom alert policies. Apply filters in the All Activity report to narrow down the conditions for alerting, then create a new custom alert policy or add a rule to an existing custom alert policy based on the filtered conditions.

Create a Custom Alert Policy From the All Activity Audit Report

You can use an audit report as the starting point for a custom alert policy. Apply filters in the All Activity report to narrow down the conditions for alerting, then create a new custom alert policy based on the filtered conditions.

To create a custom alert policy:

  1. Under Security center, click Activity auditing.
  2. Under Related resources, click Audit reports.
  3. Select the All activity report from the list.
  4. Use basic or advanced filtering to filter the All activity report as desired for the alert policy.

    Tip:

    Don't create filters that only apply to specific target databases or times as this will cause errors when creating the policy.

    See the Alert condition supported fields table below for the list of valid fields.

    See Basic Filtering in an Audit Report and Advanced Filtering in an Audit Report for more information.

  5. Click Create as alert rule to use the currently applied filters as the conditions for a custom alert.
  6. Select Create an alert policy.
  7. Fill in the following required fields:
    Field Name - Description
    Policy name - Display name of the alert policy you're creating.
    Compartment - The compartment where the alert policy will be created. Alert policies can be applied to target databases regardless of the compartment. You will associate the alert policy to the target database in a later step. See Associate and Apply Alert Policies to Target Databases for more information.
    Severity - Critical, High, Medium, or Low. The designated severity level will be visible if an alert is generated.
    Rule name - Display name of the alert rule. A rule defines the logic that will cause the alert to trigger. An alert policy can have up to five custom rules. You can only create one rule in this workflow, but you can create more in a later step. See Add an Alert Rule to an Existing Alert Policy From Activity Auditing or Manage the Alert Rules of an Existing Alert Policy Manually for more information.
    Rule expression SCIM query - This will show the System for Cross-Domain Identity Management (SCIM) syntax for the filters you applied earlier and defines the logic for your custom alert. You can use Copy rule from an existing alert policy to copy the SCIM syntax from a single existing policy. See Supported Operators and Tips for Using System for Cross-Domain Identity Management (SCIM) for more information.

  8. Click Submit.

Table 4-1 Alert condition supported fields

Field - Description
Audit type (auditType) - The type of auditing: STANDARD, FINE_GRAINED, XS, DATABASE_VAULT, LABEL_SECURITY, RMAN, DATAPUMP, DIRECT_PATH_API
Client host (clientHostname) - The host name of the client application that was the source of the event causing the alert.
Client ID (clientId) - The client identifier in each Oracle session.
Client IP (clientIp) - The IP address of the client application that was the source of the event causing the alert.
Client program (clientProgram) - The application from which the audit event was generated. For example SQL Plus or SQL Developer.
DB user (dbUserName) - The name of the database user whose actions were audited.
Error code (errorCode) - Oracle Error code generated by the action. Zero indicates the action was successful.
Error message (errorMessage) - The detailed message on why the error occurred.
Event (eventName) - The name of the event executed by the user on the target database. For example ALTER SEQUENCE, CREATE TRIGGER, or CREATE INDEX.
External user (externalUserId) - The user ID of the external user of the audit event.
Location (auditLocation) - The location of the audit. Currently the value is audit table.
Object (objectName) - Name of the object on the database affected by the action, for example, a table name, file name, or a directory name. Must be in upper case, for example, ALTER_TABLE.
Object owner (objectOwner) - The schema name of the object affected by the action.
Object type (objectType) - Type of object in the source database affected by the action. For example PL/SQL, SYNONYM, or PACKAGE BODY.
Operation (operation) - The name of the action executed by the user on the target database. For example ALTER, CREATE, or DROP.
Operation status (operationStatus) - Status of the event: Success or Failure
OS user (osUserName) - The name of the operating system user for the database session.
Terminal (osTerminal) - The operating system terminal of the user session.
Unified audit policies (auditPolicies) - List of audit policies that caused the current audit event.

Add an Alert Rule to an Existing Alert Policy From Activity Auditing

After applying filters to the All activity report in Activity Auditing, you can add a rule to an existing custom alert policy based on the filters.

  1. Under Security center, click Activity auditing.
  2. Under Related resources, click Audit reports.
  3. Select the All activity report from the list.
  4. Use basic or advanced filtering to filter the All activity report as desired for the alert policy.

    Tip:

    Don't create filters that only apply to specific target databases or times as this will cause errors when creating the rule.

    See the Alert condition supported fields table below for the list of valid fields.

    See Basic Filtering in an Audit Report and Advanced Filtering in an Audit Report for more information.

  5. Click Create as alert rule to use the currently applied filters as the conditions for a custom alert.
  6. Select Create as alert rule to use the currently applied filters as the conditions for an additional rule of an existing alert policy.

    An alert policy can have up to five alert rules. The policy will trigger if any of the rules are met.

  7. Fill in the following required fields:
    Field Name - Description
    Compartment - Select the compartment where the alert policy you're adding the rule to is stored.
    Policy name - Select the name of the alert policy. The list is populated based on the compartment that is selected.
    Rule name - Display name of the alert rule. A rule defines the logic that will cause the alert to trigger. An alert policy can have up to five custom rules. You can only create one rule in this workflow, but you can create more in a later step. See Add an Alert Rule to an Existing Alert Policy From Activity Auditing or Manage the Alert Rules of an Existing Alert Policy Manually for more information.
    Rule expression SCIM query - This will show the System for Cross-Domain Identity Management (SCIM) syntax for the filters you applied earlier and defines the logic for your custom alert. You can use Copy rule from an existing alert policy to copy the SCIM syntax from a single existing policy. See Supported Operators and Tips for Using System for Cross-Domain Identity Management (SCIM) for more information.

  8. Click Submit.

Table 4-2 Alert condition supported fields

Field - Description
Audit type (auditType) - The type of auditing: STANDARD, FINE_GRAINED, XS, DATABASE_VAULT, LABEL_SECURITY, RMAN, DATAPUMP, DIRECT_PATH_API
Client host (clientHostname) - The host name of the client application that was the source of the event causing the alert.
Client ID (clientId) - The client identifier in each Oracle session.
Client IP (clientIp) - The IP address of the client application that was the source of the event causing the alert.
Client program (clientProgram) - The application from which the audit event was generated. For example SQL Plus or SQL Developer.
DB user (dbUserName) - The name of the database user whose actions were audited.
Error code (errorCode) - Oracle Error code generated by the action. Zero indicates the action was successful.
Error message (errorMessage) - The detailed message on why the error occurred.
Event (eventName) - The name of the event executed by the user on the target database. For example ALTER SEQUENCE, CREATE TRIGGER, or CREATE INDEX.
External user (externalUserId) - The user ID of the external user of the audit event.
Location (auditLocation) - The location of the audit. Currently the value is audit table.
Object (objectName) - Name of the object on the database affected by the action, for example, a table name, file name, or a directory name. Must be in upper case, for example, ALTER_TABLE.
Object owner (objectOwner) - The schema name of the object affected by the action.
Object type (objectType) - Type of object in the source database affected by the action. For example PL/SQL, SYNONYM, or PACKAGE BODY.
Operation (operation) - The name of the action executed by the user on the target database. For example ALTER, CREATE, or DROP.
Operation status (operationStatus) - Status of the event: Success or Failure
OS user (osUserName) - The name of the operating system user for the database session.
Terminal (osTerminal) - The operating system terminal of the user session.
Unified audit policies (auditPolicies) - List of audit policies that caused the current audit event.

Modifying Columns in an Audit Report

To add or remove columns in the report, do the following:

  1. View a predefined or custom audit report.
  2. Click Manage Columns.

    The Manage Columns window is displayed.

  3. Select columns that you want displayed in the report.
  4. Deselect columns that you want to hide in the report.
  5. Click Apply Changes.

Basic Filtering in an Audit Report

To apply basic filters in the report, do the following:

  1. View a predefined or custom audit report.
  2. Click Another Filter.
  3. Select a filter type, operator, and enter a value. All columns that are available in the report are available as filter types.
  4. Click Apply.
  5. Repeat steps two through four to apply additional filters.

To remove a filter, click the X beside the filter row.

To filter the report based on a total category (for example, Login Successes), click the total. The list of audit events in the table at the bottom of the report is automatically updated. To remove the filter, click the total again.

Note:

Only some totals in your report are single-click filters.

Advanced Filtering in an Audit Report

Advanced filtering of audit data can provide flexibility in the way that data is analyzed and reviewed, by allowing organizations to specify complex conditions and multiple criteria that must be met in order for data to be included or excluded from the analysis.

To apply advanced filters in the report, do the following:

  1. View a predefined or custom audit report.
  2. Click Show Advanced SCIM Query Builder.
  3. Use the provided filter builder and dropdowns to type in your filter(s). Advanced filtering uses System for Cross-Domain Identity Management (SCIM) syntax and supported operators include:
    • co: matches resources with an attribute that contains a given string
    • eq: matches resources with an attribute that is equal to a given value (not case sensitive)
    • eq_cs: matches resources with an attribute that is equal to a given value (case sensitive)
    • ew: matches resources with an attribute that ends with a given string
    • ge: matches resources with an attribute that is greater than or equal to a given value
    • gt: matches resources with an attribute that is greater than a given value
    • in: matches resources with an attribute that is equal to any of given values in list
    • le: matches resources with an attribute that is less than or equal to a given value
    • lt: matches resources with an attribute that is less than a given value
    • ne: matches resources with an attribute that is not equal to a given value
    • not_in: matches resources with an attribute that is not equal to any of given values in list
    • pr: matches resources with an attribute if it has a given value
    • sw: matches resources with an attribute that starts with a given string

    Operators can be grouped using parentheses to specify the order.

    Filters can also be combined using logical operators such as "and" and "or".

    Note:

    If you have any basic filters currently applied they will appear in the query builder as well.
  4. Click Apply.

To clear the query builder, click Clear. This will clear any basic filters applied as well.

Example 4-1 Failed login advanced filter

((operation eq "LOGIN" OR operation eq "LOGON") and operationStatus eq "FAILURE")

Example 4-2 User creation or modification advanced filter

(operation eq "CREATE" OR operation eq "DROP" OR operation eq "ALTER") AND (objectType eq "USER")

Example 4-3 Changes in audit policy advanced filter

(operation eq "AUDIT") OR (operation eq "NOAUDIT") OR (operation eq "CREATE" AND objectType eq "AUDIT POLICY") OR (operation eq "ALTER" AND objectType eq "AUDIT POLICY") OR (operation eq "DROP" AND objectType eq "AUDIT POLICY") OR (operation eq "EXECUTE" AND objectName eq "DBMS_FGA")

Tips for Using the Filter Builder to Create Advanced Filters

  • Pressing the escape key while in advanced filtering mode will clear the whole query.
  • Pressing the space key will display the drop down with the list of available attributes or operators.
  • Pressing the space key after entering a value like targetname (demo_tgt) will enclose the string with quotes: ("demo_tgt").
  • Pressing enter will close the drop down listing the operators and attribute names.
  • If a value like alert name has spaces in it, typing space will enclose the first word within quotes, "alert name". You will have to move the cursor back to the enclosed string and continue typing the rest of the string value.
  • If you build a filter in advanced filtering that can't be displayed in basic filters, you can't switch back to basic filtering mode. For example, advanced filters with the or condition can't be displayed in basic filtering.
  • A custom report with a basic filter can be updated with an advanced filter and saved.

For more information about SCIM, see the protocol documentation at https://www.rfc-editor.org/rfc/rfc7644.

For more information about filtering in SCIM, see the filtering section of the protocol documentation at https://www.rfc-editor.org/rfc/rfc7644#section-3.4.2.2.
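The following added example (not Oracle's code) evaluates advanced filters offline so that a rule expression such as Examples 4-1 to 4-3 can be checked against sample events before it is turned into an alert rule, and it also reports attributes that are missing from the alert condition supported fields table. It covers a subset of the listed operators (eq, eq_cs, ne, co, sw, pr) with parentheses and and/or. The function names and sample events are assumptions, as is applying the RFC 7644 rule that "and" binds tighter than "or".

```python
import re

# Field names from the page's "Alert condition supported fields" table.
ALERT_FIELDS = set("""auditType clientHostname clientId clientIp clientProgram
    dbUserName errorCode errorMessage eventName externalUserId auditLocation
    objectName objectOwner objectType operation operationStatus osUserName
    osTerminal auditPolicies""".split())
# Subset of the listed operators. The page states case handling only for eq and
# eq_cs; treating ne, co and sw as case-insensitive is an assumption.
VALUE_OPS = {
    "eq": lambda a, v: a.lower() == v.lower(),
    "eq_cs": lambda a, v: a == v,
    "ne": lambda a, v: a.lower() != v.lower(),
    "co": lambda a, v: v.lower() in a.lower(),
    "sw": lambda a, v: a.lower().startswith(v.lower()),
}

def compile_filter(text):
    """Return (predicate over an event dict, set of attribute names used)."""
    if text.count('"') % 2:
        raise ValueError("unbalanced double quote")
    toks = re.findall(r'\(|\)|"[^"]*"|[^\s()"]+', text)
    pos, fields = 0, set()

    def take():
        nonlocal pos
        if pos >= len(toks):
            raise ValueError("unexpected end of filter")
        pos += 1
        return toks[pos - 1]

    def chain(word, operand, combine):  # left-associative: a WORD b WORD c
        node = operand()
        while pos < len(toks) and toks[pos].lower() == word:
            take()
            node = combine(node, operand())
        return node

    def parse_or():  # lowest precedence
        return chain("or", parse_and, lambda l, r: lambda e: l(e) or r(e))
    def parse_and():  # binds tighter than "or" (RFC 7644 order of operations)
        return chain("and", parse_term, lambda l, r: lambda e: l(e) and r(e))

    def parse_term():
        tok = take()
        if tok == "(":
            inner = parse_or()
            if take() != ")":
                raise ValueError("expected ')'")
            return inner
        if not re.fullmatch(r"[A-Za-z]\w*", tok):
            raise ValueError(f"expected attribute name, got {tok}")
        attr, op = tok, take().lower()
        fields.add(attr)
        if op == "pr":
            return lambda e: e.get(attr) not in (None, "")
        val = take()
        if op not in VALUE_OPS or not val.startswith('"'):
            raise ValueError(f"unsupported comparison: {attr} {op} {val}")
        test, val = VALUE_OPS[op], val[1:-1]
        # Assumption: an event lacking the attribute never satisfies a comparison.
        return lambda e: attr in e and test(str(e[attr]), val)

    pred = parse_or()
    if pos != len(toks):
        raise ValueError(f"unexpected token: {toks[pos]}")
    return pred, fields

def unsupported_fields(text):
    return sorted(compile_filter(text)[1] - ALERT_FIELDS)

def matching_ids(text, events):
    pred = compile_filter(text)[0]
    return [e["id"] for e in events if pred(e)]

# Constructed sample events, not real audit data.
EVENTS = [
    {"id": 1, "operation": "LOGON", "operationStatus": "FAILURE"},
    {"id": 2, "operation": "LOGON", "operationStatus": "SUCCESS"},
    {"id": 3, "operation": "ALTER", "objectType": "USER", "objectName": "HR"},
    {"id": 4, "operation": "EXECUTE", "objectType": "PACKAGE", "objectName": "DBMS_FGA"},
]
```

Call matching_ids(filter_text, EVENTS) to see which sample events a filter selects, and unsupported_fields(filter_text) to list attributes that fall outside the supported fields table before using the filter as an alert rule.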

Download an Audit Report

Downloading the latest report can be done from either the list of Audit Reports or the details of the audit report. In addition, you can download any report from the past three months from either the Audit Report History list or the details of the scheduled or generated audit report.

Download the latest audit report from a list of Audit Reports:

  1. Under Security Center, click Activity Auditing.
  2. Under Related Resources, click Audit Reports. The Audit Reports page is displayed, showing you a list of standard audit reports.
  3. On the Predefined Reports or Custom Reports tab, locate the row that has the report you want to download.
  4. In the Latest Report column, click the download button (downward pointing arrow). The report is downloaded to your browser.
  5. Using your browser's options, open and view the report, or save it to your local computer.

Download the latest audit report from the details page of the Audit Report:

  1. Under Security Center, click Activity Auditing.
  2. Under Related Resources, click Audit Reports. The Audit Reports page is displayed, showing you a list of standard audit reports.
  3. Select an audit report from either the Predefined Reports or Custom Reports tab.
  4. Click the Download Report button. The latest report will be downloaded.
  5. Using your browser's options, open and view the report, or save it to your local computer.

Download an audit report from the Audit Report History list:

  1. Under Security Center, click Activity Auditing.
  2. Under Related Resources, click Audit Report History. The Audit Report History page is displayed, showing you a list of scheduled and generated audit reports from the last three months.
  3. Locate the row that has the report you want to download and click the button in the Download Report column. The report will be downloaded.

Download an audit report from the Audit Report History details page:

  1. Under Security Center, click Activity Auditing.
  2. Under Related Resources, click Audit Report History. The Audit Report History page is displayed, showing you a list of scheduled and generated audit reports from the last three months.
  3. Click on the name of an audit report from the list.
  4. Click the Download Report button. The report will be downloaded.

Generate and Download a PDF or XLS Audit Report

You can generate and download a predefined audit report as a PDF or XLS document. You need to first generate the report before you can download it.

  1. Under Security Center, click Activity Auditing.
  2. Under Related Resources, click Audit Reports.
    The Audit Reports page is displayed, showing you a list of standard audit reports.
  3. On the Predefined Reports tab, click the report name for which you want to generate a PDF or XLS report.
    The report page is displayed.
  4. Click Generate Report.
    The Generate Report dialog box is displayed.
  5. For Report Format, select PDF or XLS.
  6. Enter a display name for the report.
  7. (Optional) Enter a report description.
  8. Select a compartment in which to store your report.
  9. (Optional) Set filters on the audit data as needed:
    • Specify a maximum number of rows (row limit) to display in the report. If unspecified, the default row limit is 200 rows.
    • Select specific target databases.
    • Set a report start time and end time.
  10. Click Generate Report.
    The report is generated and saved to the specified compartment.
  11. When the report is finished generating, do one of the following:
    • In the Generate Report dialog box, next to "To download report please", click the "click here" link. A dialog box is displayed where you can specify whether you want to open or save the file.
    • Click Close to close the Generate Report dialog box, and then click Download Report. A dialog box is displayed where you can specify whether you want to open or save the file.

Create a Custom Audit Report

You can create a custom audit report from a predefined or existing custom audit report. You may want to do this if you have specific filters set and columns displayed that you want to preserve. Or, you may want to change the filters and columns in the custom report. During creation, you can save the report to a compartment of your choice.

  1. Under Security Center, click Activity Auditing.
  2. Under Related Resources, click Audit Reports.
    The Audit Reports page is displayed, showing you a list of standard audit reports.
  3. On the Predefined Reports tab, click the predefined report name from which you want to create your custom report.
    The report page is displayed.
  4. Click Create Custom Report.
    The Custom Report dialog box is displayed.
  5. Enter a report name.
  6. (Optional) Enter a report description.
  7. Select the compartment to which you want to save your report.
  8. Click Create Custom Report.
    The audit data and filters that are currently displayed on the page are saved in the custom report. The custom report is listed on the Custom Reports tab.

Update a Custom Audit Report

  1. Under Security Center, click Activity Auditing.
  2. Under Related Resources, click Audit Reports.
  3. Click the Custom Reports tab.
  4. In the Report Name column, click the name of the custom report that you want to update.
    Your custom report is displayed.
  5. Modify the report as needed.
  6. Click Save Report.
    The report is updated.

Delete a Custom Audit Report

Important:

Be careful when you delete a custom audit report, because you can't recover one after it's deleted.

  1. Under Security Center, click Activity Auditing.
  2. Under Related Resources, click Audit Reports.
  3. Click the Custom Reports tab.
  4. In the Report Name column, click the name of the custom report that you want to delete.
    Your custom report is displayed.
  5. Click Delete Report.
    The Delete Report dialog box is displayed.
  6. Click Delete Report to confirm the deletion.

Schedule a Predefined or Custom Audit Report

You can create a schedule for a predefined or custom audit report to generate a PDF or XLS report.

  1. Under Security Center, click Activity Auditing.
  2. Under Related Resources, click Audit Reports.
    The Audit Reports page is displayed, showing you a list of standard audit reports.
  3. To view a predefined audit report, on the Predefined Reports tab, in the Report Name column, click the report name that you want to view.
    The predefined report is displayed.
  4. To view a custom audit report, click the Custom Reports tab. In the Report Name column, click the name of your custom report.
    Your custom report is displayed.
  5. Click Manage Report Schedule.
    The Manage Report Schedule panel is displayed, pre-loaded with either the default or modified schedule.
  6. (Optional) In the Schedule Report Name box, enter a name for the PDF or XLS report.
  7. Select a compartment to store the reports generated by the schedule.
  8. For Report Format, select either a PDF or XLS output.
  9. Select a Schedule Frequency.
    • If you select weekly, select the day of the week in the Every field.
    • If you select monthly, select the day of the month in the Day field.
  10. In Time (in UTC), select a schedule time.
  11. In Events Time Span, select the time span for the audit records.
    For example, selecting Last Months and entering 14 pulls events from the last 14 months from the time the report is run.
  12. (Optional) Specify a row limit. If unspecified, the default row limit is 200 rows.
  13. Click Save Schedule.
    You can access the generated PDF/XLS reports on the Audit Report History page.

View Audit Report History

The Audit Report History page lists all the PDF/XLS audit reports that are automatically generated via a schedule or on-demand by users. On this page, you can view the list of reports generated during the past three months, details about those reports, and download reports. Oracle Data Safe stores PDF/XLS audit reports for up to three months.

  1. Under Security Center, click Activity Auditing.
  2. Under Related Resources, click Audit Report History.
    The Audit Report History table is displayed. It contains the following information:
    • Report Name - The name of the audit report.
    • Lifecycle State - Either ACTIVE or UPDATING, shows if the report is currently accessible or if it is being updated.
    • Report Definition - Specifies the name of the report that provides data for this scheduled or generated report.
    • Generated Time - The time the report was created.
    • Report Type - Generated or Scheduled. Generated reports are on-demand reports produced outside of the scheduling system; scheduled reports are those produced by the scheduling system.
    • File Format - PDF or XLS
    • Download Report - Option to download the report.
  3. (Optional) Under Filters, narrow down the report history page based on the Report definition, Report type, and Time period.

Move an Audit Report to a Different Compartment

Any scheduled or generated audit report from the past three months can be moved to a different compartment that you have access to from Audit Report History.

  1. Under Security Center, click Activity Auditing.
  2. Under Related Resources, click Audit Report History.
    The Audit Report History table is displayed.
  3. Click on the name of an audit report from the list.
  4. Click Move Resource.
  5. In the move resource dialog box, select the compartment to move the audit report to. You must have the appropriate DATA_SAFE_REPORT_MOVE permissions for the selected compartment.
  6. Click Move Resource.
    The audit report and Archive Data Retrieval will be moved to the selected compartment immediately.