View and Manage Audit Trails
You can view details for an audit trail in Oracle Data Safe, start an audit trail to begin collecting audit data, start and stop an audit trail as needed, enable or disable the auto purge feature for an audit trail, and delete an audit trail.
Discover Audit Trails for a Target Database
You can discover new audit trails for a target database from the Audit Profiles Details page.
- Under Security Center, click Activity Auditing.
- Under Related Resources, click Audit Profiles.
- On the right, click the name of the target database for which you want to discover audit trails. The audit profile for the selected target database is displayed.
- Click Discover Trails. The Discover Trails dialog box is displayed.
- Click Confirm. Any new audit trails for the target database that weren't discovered during target registration are discovered and listed on the Audit Profiles Details page under Available Trail Locations.
- (Optional) To view details for an audit trail, click the name of an audit trail. The Audit Trail Details page is displayed, showing you the details for the audit trail.
Here are some situations where you might consider running the discover trails operation:
- If your target database has been upgraded from any
version Oracle Database from 11g to 19c, then
UNIFIED_AUDIT_TRAIL
will be newly discovered by this operation. - If the target database is Oracle Database 12c and
above and is using traditional auditing
(
SYS.AUD$
), and database administrator enables mixed mode auditing, thenUNIFIED_AUDIT_TRAIL
will be newly discovered by this operation. - If the database administrator configures any additional audit trails are configured in the Oracle Database such as Database Vault audit trail or FGA audit trail, then these will be discovered in Oracle Data Safe if you run this operation.
- If you are running Amazon RDS for Oracle, audit
trail is
None
by default. See Security auditing in Amazon RDS for Oracle and Working with DB parameter groups from Amazon to configure the parameter group for audit so that you can use the Audit Trail functionality of Oracle Data Safe. - If you are adding a peer target database to a registered primary Active Data Guard target database after you've already discovered audit trails on the primary database, running the discovery trails operations will discover new trails associated with this newly added peer.
Audit Trail Details
Each audit trail in Oracle Data Safe has the following information:
- Trail name (editable)
- Target database - Target database to which the audit trail applies
- Trail location - Audit trail on the target database
- Trail description (editable)
- Trail OCID - Oracle Cloud Identifier for the audit trail object in Oracle Cloud Infrastructure
- Compartment - Compartment in Oracle Cloud Infrastructure in which the associated target database is stored
- Profile name - Audit profile name for the target database
- Created time - Date and time when the audit trail was created (UTC)
- Updated time - Date and time when the audit trail was last updated (UTC)
-
Collection state - Values are blank if audit collection hasn't started yet
COLLECTING
- trail is actively collecting audit recordsIDLE
- trail can't find any further records on the database to collect and is waiting for new audit records to be generatedNOT_STARTED
- trail has been created when the target database has been registeredRECOVERING
- trail has encountered an error and is trying to come back toCOLLECTING
state. The audit trail will have to re-process some of the audit records to avoid collecting them again.RESUMING
- trail is in the process of going toCOLLECTING
again after being stoppedRETRYING
- trail is trying to enterRESUMING
stateSTARTING
- trail is starting for the first time before moving toCOLLECTING
STOPPED
- trail has been manually stopped and not collecting audit recordsSTOPPING
- trail has been manually stopped and is about to beSTOPPED
STOPPED_FAILED
- the target database for the audit trail has been deletedSTOPPED_NEEDS_ATTN
- trail encountered a non-recoverable error on the target database and requires intervention to correct the error and resume
- Collection start time - Data and time when audit collection started. This field is blank only when the audit trail has never been started.
- Auto purge - Whether the auto purge feature is enabled for the audit trail. Values are Yes or No.
- Purge job status* - Current status of the audit trail purge
job. Values are
SUCCEEDED
orFAILED
. - Purge job last execution time* - Date and time of the last purge job (UTC). The purge job deletes audit data in the target database every seven days to prevent the database's audit trail from becoming too large.
- Purge job details* - Details of the audit trail purge job that ran at the time specificed in the Purge job last execution time column.
- Trail Source - For audit trails for Active Data Guard associated
target databases, this states if the trail source is a
TABLE
orFILE
. - Database unique name - For audit trails for Active Data Guard associated target databases, this states the unique name of the primary database associated with the peer target database.
- Profile name - Name of the associated audit profile.
- Policy name - Name of the associated audit policy.
- Work requests - Operations running in Oracle Cloud Infrastructure that have to do with the audit trail
* To see this information you will need to re-run the
datasafe_privileges.sql
script for AUDIT_COLLECTION
on
the target database. See Grant Roles to the Oracle Data Safe Service
Account on Your Target Database for more information.
Start an Audit Trail
Starting an audit trail for a target database is the same as starting audit collection. You can collect audit data that was created as far back as the data retention period.
Stop an Audit Trail
If an audit trail is reaching the monthly limit and exceeding that limit is a concern, you may want to stop the audit trail in order to avoid additional charges. You can override the default Paid Usage setting at the target level to stop collection of audit records for the current month once the limit is reached. Then the audit trail will resume collection at the start of the billing cycle in the next month.
If you use the Paid Usage option, there is no need to manually stop and start audit record collection for this purpose.