View and Manage Audit Reports
You can view and schedule audit reports, set filters and modify columns in audit reports, download audit reports as PDF or XLS files, as well as create, update, and delete custom audit reports.
Use Audit Reports to Create Custom Alerts
You can leverage the convenience of Audit reports to create a custom alert policy. Apply the filters in the All Activity report to narrow down the conditions for alerting and create a new custom alert policy or add a rule to an existing custom alert policy based on the filtered conditions.
Create a Custom Alert Policy From the All Activity Audit Report
You can leverage the convenience of Audit reports to create a custom alert policy. Apply the filters in the All Activity report to narrow down the conditions for alerting and create a new custom alert policy based on the filtered conditions.
To create a custom alert policy:
- Under Security center, click Activity auditing.
- Under Related resources, click Audit reports.
- Select the All activity report from the list.
- Use basic or advanced filtering to filter the All activity report as desired for the alert policy.
Tip:
Don't create filters that only apply to specific target databases or times, as this will cause errors when creating the policy. See the Alert condition supported fields table below for the list of valid fields.
See Basic Filtering in an Audit Report and Advanced Filtering in an Audit Report for more information.
- Click Create as alert rule to use the currently applied filters as the conditions for a custom alert.
- Select Create an alert policy.
- Fill in the following required fields:
Field Name | Description |
---|---|
Policy name | Display name of the alert policy you're creating. |
Compartment | The compartment where the alert policy will be created. Alert policies can be applied to target databases regardless of the compartment. You will associate the alert policy to the target database in a later step. See Associate and Apply Alert Policies to Target Databases for more information. |
Severity | Critical, High, Medium, or Low. The designated severity level will be visible if an alert is generated. |
Rule name | Display name of the alert rule. A rule defines the logic that will cause the alert to trigger. An alert policy can have up to five custom rules. You can only create one rule in this workflow, but you can create more in a later step. See Add an Alert Rule to an Existing Alert Policy From Activity Auditing or Manage the Alert Rules of an Existing Alert Policy Manually for more information. |
Rule expression | SCIM query. This will show the System for Cross-Domain Identity Management (SCIM) syntax for the filters you applied earlier and defines the logic for your custom alert. You can use Copy rule from an existing alert policy to copy the SCIM syntax from a single existing policy. See Supported Operators and Tips for Using System for Cross-Domain Identity Management (SCIM) for more information. |
- Click Submit.
Table 4-1 Alert condition supported fields
Field | Description |
---|---|
Audit type (auditType) | The type of auditing: STANDARD, FINE_GRAINED, XS, DATABASE_VAULT, LABEL_SECURITY, RMAN, DATAPUMP, DIRECT_PATH_API |
Client host (clientHostname) | The host name of the client application that was the source of the event causing the alert. |
Client ID (clientId) | The client identifier in each Oracle session. |
Client IP (clientIp) | The IP address of the client application that was the source of the event causing the alert. |
Client program (clientProgram) | The application from which the audit event was generated. For example SQL Plus or SQL Developer. |
DB user (dbUserName) | The name of the database user whose actions were audited. |
Error code (errorCode) | Oracle Error code generated by the action. Zero indicates the action was successful. |
Error message (errorMessage) | The detailed message on why the error occurred. |
Event (eventName) | The name of the event executed by the user on the target database. For example ALTER SEQUENCE, CREATE TRIGGER, or CREATE INDEX. |
External user (externalUserId) | The user ID of the external user of the audit event. |
Location (auditLocation) | The location of the audit. Currently the value is audit table. |
Object (objectName) | Name of the object on the database affected by the action, for example, a table name, file name, or a directory name. Must be in upper case, for example, ALTER_TABLE. |
Object owner (objectOwner) | The schema name of the object affected by the action. |
Object type (objectType) | Type of object in the source database affected by the action. For example PL/SQL, SYNONYM, or PACKAGE BODY. |
Operation (operation) | The name of the action executed by the user on the target database. For example ALTER, CREATE, or DROP. |
Operation status (operationStatus) | Status of the event: Success or Failure |
OS user (osUserName) | The name of the operating system user for the database session. |
Terminal (osTerminal) | The operating system terminal of the user session. |
Unified audit policies (auditPolicies) | List of audit policies that caused the current audit event. |
Add an Alert Rule to an Existing Alert Policy From Activity Auditing
After applying filters to the All activity report in Activity Auditing, you can add a rule to an existing custom alert policy based on the filters.
- Under Security center, click Activity auditing.
- Under Related resources, click Audit reports.
- Select the All activity report from the list.
- Use basic or advanced filtering to filter the All activity report as desired for the alert policy.
Tip:
Don't create filters that only apply to specific target databases or times, as this will cause errors when creating the rule. See the Alert condition supported fields table below for the list of valid fields.
See Basic Filtering in an Audit Report and Advanced Filtering in an Audit Report for more information.
- Click Create as alert rule to use the currently applied filters as the conditions for a custom alert.
- Select Create as alert rule to use the currently applied filters as the conditions for an additional rule of an existing alert policy.
An alert policy can have up to five alert rules. The policy will trigger if any of the rules are met.
- Fill in the following required fields:
Field Name | Description |
---|---|
Compartment | Select the compartment where the alert policy you're adding the rule to is stored. |
Policy name | Select the name of the alert policy. The list is populated based on the compartment that is selected. |
Rule name | Display name of the alert rule. A rule defines the logic that will cause the alert to trigger. An alert policy can have up to five custom rules. You can only create one rule in this workflow, but you can create more in a later step. See Add an Alert Rule to an Existing Alert Policy From Activity Auditing or Manage the Alert Rules of an Existing Alert Policy Manually for more information. |
Rule expression | SCIM query. This will show the System for Cross-Domain Identity Management (SCIM) syntax for the filters you applied earlier and defines the logic for your custom alert. You can use Copy rule from an existing alert policy to copy the SCIM syntax from a single existing policy. See Supported Operators and Tips for Using System for Cross-Domain Identity Management (SCIM) for more information. |
- Click Submit.
Table 4-2 Alert condition supported fields
Field | Description |
---|---|
Audit type (auditType) | The type of auditing: STANDARD, FINE_GRAINED, XS, DATABASE_VAULT, LABEL_SECURITY, RMAN, DATAPUMP, DIRECT_PATH_API |
Client host (clientHostname) | The host name of the client application that was the source of the event causing the alert. |
Client ID (clientId) | The client identifier in each Oracle session. |
Client IP (clientIp) | The IP address of the client application that was the source of the event causing the alert. |
Client program (clientProgram) | The application from which the audit event was generated. For example SQL Plus or SQL Developer. |
DB user (dbUserName) | The name of the database user whose actions were audited. |
Error code (errorCode) | Oracle Error code generated by the action. Zero indicates the action was successful. |
Error message (errorMessage) | The detailed message on why the error occurred. |
Event (eventName) | The name of the event executed by the user on the target database. For example ALTER SEQUENCE, CREATE TRIGGER, or CREATE INDEX. |
External user (externalUserId) | The user ID of the external user of the audit event. |
Location (auditLocation) | The location of the audit. Currently the value is audit table. |
Object (objectName) | Name of the object on the database affected by the action, for example, a table name, file name, or a directory name. Must be in upper case, for example, ALTER_TABLE. |
Object owner (objectOwner) | The schema name of the object affected by the action. |
Object type (objectType) | Type of object in the source database affected by the action. For example PL/SQL, SYNONYM, or PACKAGE BODY. |
Operation (operation) | The name of the action executed by the user on the target database. For example ALTER, CREATE, or DROP. |
Operation status (operationStatus) | Status of the event: Success or Failure |
OS user (osUserName) | The name of the operating system user for the database session. |
Terminal (osTerminal) | The operating system terminal of the user session. |
Unified audit policies (auditPolicies) | List of audit policies that caused the current audit event. |
Modifying Columns in an Audit Report
To add or remove columns in the report, do the following:
- View a predefined or custom audit report.
- Click Manage Columns.
The Manage Columns window is displayed.
- Select columns that you want displayed in the report.
- Deselect columns that you want to hide in the report.
- Click Apply Changes.
Basic Filtering in an Audit Report
To apply basic filters in the report, do the following:
- View a predefined or custom audit report.
- Click Another Filter.
- Select a filter type, operator, and enter a value. All columns that are available in the report are available as filter types.
- Click Apply.
- Repeat steps two through four to apply additional filters.
To remove a filter, click the X beside the filter row.
Note:
Only some totals in your report are single-click filters.
Advanced Filtering in an Audit Report
Advanced filtering of audit data can provide flexibility in the way that data is analyzed and reviewed, by allowing organizations to specify complex conditions and multiple criteria that must be met in order for data to be included or excluded from the analysis.
To apply advanced filters in the report, do the following:
- View a predefined or custom audit report.
- Click Show Advanced SCIM Query Builder.
- Use the provided filter builder and dropdowns to type in your filter(s). Advanced filtering uses System for Cross-Domain Identity Management (SCIM) syntax and supported operators include:
  - co: matches resources with an attribute that contains a given string
  - eq: matches resources with an attribute that is equal to a given value (not case sensitive)
  - eq_cs: matches resources with an attribute that is equal to a given value (case sensitive)
  - ew: matches resources with an attribute that ends with a given string
  - ge: matches resources with an attribute that is greater than or equal to a given value
  - gt: matches resources with an attribute that is greater than a given value
  - in: matches resources with an attribute that is equal to any of given values in list
  - le: matches resources with an attribute that is less than or equal to a given value
  - lt: matches resources with an attribute that is less than a given value
  - ne: matches resources with an attribute that is not equal to a given value
  - not_in: matches resources with an attribute that is not equal to any of given values in list
  - pr: matches resources with an attribute if it has a given value
  - sw: matches resources with an attribute that starts with a given string
Operators can be grouped using parentheses to specify the order. Filters can also be combined using logical operators such as and and or.
Note:
If you have any basic filters currently applied they will appear in the query builder as well.
- Click Apply.
To clear the query builder, click Clear. This will clear any basic filters applied as well.
Example 4-1 Failed login advanced filter
((operation eq "LOGIN" OR operation eq "LOGON") and operationStatus eq "FAILURE")
Example 4-2 User creation or modification advanced filter
(operation eq "CREATE" OR operation eq "DROP" OR operation eq "ALTER") AND (objectType eq "USER")
Example 4-3 Changes in audit policy advanced filter
(operation eq "AUDIT") OR (operation eq "NOAUDIT") OR (operation eq "CREATE" AND
objectType eq "AUDIT POLICY") OR (operation eq "ALTER" AND objectType eq "AUDIT POLICY")
OR (operation eq "DROP" AND objectType eq "AUDIT POLICY") OR (operation eq "EXECUTE" AND
objectName eq "DBMS_FGA")
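To check what an advanced filter matches before it becomes an alert rule, the following added Python example (not Oracle Data Safe code) evaluates filters such as Example 4-1 and Example 4-3 against constructed audit events. It handles only eq, eq_cs, ne, co, sw and pr with and/or and parentheses; giving and precedence over or, and the case handling of ne, co and sw, are assumptions.

```python
import re

TOKEN = re.compile(r'"([^"]*)"|([()])|(\w+)')
OPS = {
    "eq": lambda a, v: a.lower() == v.lower(),  # documented as not case sensitive
    "ne": lambda a, v: a.lower() != v.lower(),  # assumption: mirrors eq
    "eq_cs": lambda a, v: a == v,
    "co": lambda a, v: v in a,                  # assumption: case sensitive
    "sw": lambda a, v: a.startswith(v),         # assumption: case sensitive
}

def matches(expr, event):  # True if the audit event (a dict) satisfies the filter
    toks = [("str", s) if not (p or w) else (p or "word", p or w)
            for s, p, w in TOKEN.findall(expr)] + [("end", None)]
    def take(kind):
        if toks[0][0] != kind:
            raise ValueError(f"expected {kind}, got {toks[0][1]!r}")
        return toks.pop(0)[1]
    def logical(name):  # consume a case-insensitive and/or keyword if it is next
        return toks[0][0] == "word" and toks[0][1].lower() == name and take("word")
    def factor():
        if toks[0][0] == "(":
            take("(")
            result = either()
            take(")")
            return result
        attr, op = take("word"), take("word").lower()
        if op == "pr":  # present: the attribute has a value
            return event.get(attr) not in (None, "")
        if op not in OPS:
            raise ValueError(f"operator {op!r} is not handled in this example")
        value = take("str")
        return attr in event and OPS[op](str(event[attr]), value)
    def both():  # assumption: "and" binds tighter than "or", as in RFC 7644
        result = factor()
        while logical("and"):
            result = factor() and result
        return result
    def either():
        result = both()
        while logical("or"):
            result = both() or result
        return result
    result = either()
    take("end")
    return result

# Constructed audit events; field names come from the supported-fields table.
FAILED_LOGIN = '((operation eq "LOGIN" OR operation eq "LOGON") and operationStatus eq "FAILURE")'
EVENTS = [
    {"operation": "LOGON", "operationStatus": "FAILURE", "dbUserName": "APP1"},
    {"operation": "LOGON", "operationStatus": "SUCCESS", "dbUserName": "APP1"},
    {"operation": "EXECUTE", "objectName": "DBMS_FGA", "dbUserName": "DBA1"},
]
```

Calling matches(FAILED_LOGIN, event) for each entry in EVENTS selects only the first event; an unbalanced or truncated filter raises ValueError instead of silently matching nothing.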
Tips for Using the Filter Builder to Create Advanced Filters
- Pressing the escape key while in advanced filtering mode will clear the whole query.
- Pressing the space key will display the drop down with the list of available attributes or operators.
- Pressing the space key after entering a value like targetname (demo_tgt) will enclose the string with quotes: ("demo_tgt").
- Pressing enter will close the drop down listing the operators and attribute names.
- If a value like alert name has spaces in it, typing space will enclose the first word within quotes, "alert name". You will have to move the cursor back to the enclosed string and continue typing the rest of the string value.
- If you build a filter in advanced filtering that can't be displayed in basic filters, you can't switch back to basic filtering mode. For example, advanced filters with the or condition can't be displayed in basic filtering.
- A custom report with basic filter can be updated with advanced filter and saved.
For more information about SCIM, see the protocol documentation at https://www.rfc-editor.org/rfc/rfc7644.
For more information about filtering in SCIM, see the filtering section of the protocol documentation at https://www.rfc-editor.org/rfc/rfc7644#section-3.4.2.2.
Download an Audit Report
Downloading the latest report can be done from either the list of Audit Reports or the details of the audit report. In addition you can download any report from the past three months from either the Audit Report History list or the details of the scheduled or generated audit report.
Download the latest audit report from a list of Audit Reports:
- Under Security Center, click Activity Auditing.
- Under Related Resources, click Audit Reports. The Audit Reports page is displayed, showing you a list of standard audit reports.
- On the Predefined Reports or Custom Reports tab, locate the row that has the report you want to download.
- In the Latest Report column, click the download button (downward pointing arrow). The report is downloaded to your browser.
- Using your browser's options, open and view the report, or save it to your local computer.
Download the latest audit report from the details page of the Audit Report:
- Under Security Center, click Activity Auditing.
- Under Related Resources, click Audit Reports. The Audit Reports page is displayed, showing you a list of standard audit reports.
- Select an audit report from either the Predefined Reports or Custom Reports tab.
- Click the Download Report button. The latest report will be downloaded.
- Using your browser's options, open and view the report, or save it to your local computer.
Download an audit report from the Audit Report History list
- Under Security Center, click Activity Auditing.
- Under Related Resources, click Audit Report History. The Audit Report History page is displayed, showing you a list of scheduled and generated audit reports from the last three months.
- Locate the row that has the report you want to download and click the button in the Download Report column. The report will be downloaded.
Download an audit report from the Audit Report History details page
- Under Security Center, click Activity Auditing.
- Under Related Resources, click Audit Report History. The Audit Report History page is displayed, showing you a list of scheduled and generated audit reports from the last three months.
- Click on the name of an audit report from the list.
- Click the Download Report button. The report will be downloaded.
Generate and Download a PDF or XLS Audit Report
You can generate and download a predefined audit report as a PDF or XLS document. You need to first generate the report before you can download it.
Create a Custom Audit Report
You can create a custom audit report from a predefined or existing custom audit report. You may want to do this if you have specific filters set and columns displayed that you want to preserve. Or, you may want to change the filters and columns in the custom report. During creation, you can save the report to a compartment of your choice.
Delete a Custom Audit Report
Important:
Be careful when you delete a custom audit report, because you can't recover one after it's deleted.
Schedule a Predefined or Custom Audit Report
You can create a schedule for a predefined or custom audit report to generate a PDF or XLS report.
View Audit Report History
The Audit Report History page lists all the PDF/XLS audit reports that are automatically generated via a schedule or on-demand by users. On this page, you can view the list of reports generated during the past three months, details about those reports, and download reports. Oracle Data Safe stores PDF/XLS audit reports for up to three months.