A Audit Vault Server Fields

You can map Oracle Audit Vault and Database Firewall events and fields in your collection plug-ins.

A.1 Oracle Audit Vault and Database Firewall Fields

Oracle Audit Vault and Database Firewall values consist of core fields, large fields, marker fields, and extension fields.

A.1.1 Core Fields

To monitor and filter audit records for all source types in Oracle Audit Vault, you use core fields.

Core fields are fundamental to all source types. They are central to the description of an event. These fields are present in most audit records, for reporting, filtering, and so on.

Core Field Definitions

EventTimeUTC: Required: The time stamp that indicates when the event occurred. If the event has more than one time stamp (for example, an event start time stamp and an event end time stamp), then the collection plug-in must assign a time stamp to this field. If this field contains NULL, then Oracle Audit Vault shuts down the collection plug-in.

UserName: Required: The user who performed the action in the application or system that generated the audit record. If this field contains NULL, then the audit record is invalid.

CommandClass: Required: The action performed in the event (for example, SELECT or DELETE). If this field contains NULL, then the audit record is invalid.

OSUserName: The user who logged into the operating system that generated the audit record. If the user logged into the operating system as JOHN but performed the action as SCOTT, then this field contains JOHN and the User Name field contains SCOTT.

TargetType: The type of the target object on which the action was performed. For example, if the user selected from a table, then the target type is TABLE.

TargetObject: The name of the object on which the action was performed. For example, if the user selected from a table, then the Target Object field contains the name of the table.

TargetOwner: The name of the owner of the target on which the action was performed. For example, if the user had selected from a table owned by user JOHN, then the Target Owner field contains the user name JOHN.

ClientIP: The IP address of the host (Host Name) from where the user initiated the action.

ClientId: Client identifier of the user whose actions were audited.

ClientHostName: The host computer from where the user initiated the action. For example, if the user performed the action from an application on a server, then this field contains the name of the server.

TerminalName: Name of the UNIX terminal that was the source of the event.

EventName: The name of the event exactly as it appears in the audit trail.

EventStatus: The status of the event. There are three possible values for EventStatus: SUCCESS, FAILURE, and UNKNOWN.

ErrorId: The error code of an action.

ErrorMessage: The error message of an action.

A.1.2 Large Fields

In Oracle Audit Vault, large fields are fields that can contain arbitrarily large amounts of data.

Large Field Definitions

For large fields, use the following:

  • CommandText: Contains the text of the command that caused the event, which can be a SQL statement, a PL/SQL statement, and so on. This is also a core field.

  • CommandParam: Contains the parameters of the command that caused the event. This is also a core field.

A.1.3 Marker Field

In Oracle Audit Vault, marker fields are fields that uniquely identify a record in a trail.

Marker Field Definitions

Marker Field of a Record: The marker is a string that uniquely identifies a record in a trail. During the recovery process, Oracle Audit Vault uses this field to filter the duplicate records. The collection plug-in provides the marker field, which is typically a concatenated subset of the fields of an audit record. For example, with Oracle Database, the session ID and Entry ID (a unique identifier within a session) define a marker.
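
The following added example (not Oracle SDK code and not part of the original documentation) shows the required-field rules from A.1.1 and the marker-based duplicate filtering described above as a pre-flight check a plug-in author could run over mapped records. The `SessionId` and `EntryId` keys, the `:` separator, and all function names are assumptions made for illustration.

```python
# Added example: hypothetical pre-flight check, not Oracle SDK code.
REQUIRED = ("EventTimeUTC", "UserName", "CommandClass")  # required core fields
EVENT_STATUS = {"SUCCESS", "FAILURE", "UNKNOWN"}         # permitted EventStatus values

class FatalRecordError(Exception):
    """NULL EventTimeUTC: Audit Vault would shut down the collection plug-in."""

def validate(record):
    """Return a list of problems; an empty list means the record can be mapped."""
    if record.get("EventTimeUTC") is None:
        raise FatalRecordError("EventTimeUTC is NULL")
    problems = [f"{name} is NULL: audit record is invalid"
                for name in REQUIRED[1:] if record.get(name) is None]
    status = record.get("EventStatus")
    if status is not None and status not in EVENT_STATUS:
        problems.append(f"EventStatus {status!r} is not a permitted value")
    return problems

def marker(record):
    """Marker built like the Oracle Database case: session ID plus entry ID.
    The SessionId/EntryId keys and the ':' separator are assumptions."""
    return f"{record['SessionId']}:{record['EntryId']}"

def recover(records, seen):
    """Re-read a trail, skipping records whose marker is already in `seen`."""
    accepted, rejected = [], []
    for rec in records:
        key = marker(rec)
        if key in seen:
            continue  # duplicate of a record collected before the restart
        seen.add(key)
        problems = validate(rec)
        if problems:
            rejected.append((key, problems))
        else:
            accepted.append(rec)
    return accepted, rejected

# Constructed sample trail (not real audit data).
TRAIL = [
    {"SessionId": 101, "EntryId": 1, "EventTimeUTC": "2024-01-05T10:00:00Z",
     "UserName": "SCOTT", "OSUserName": "JOHN", "CommandClass": "SELECT",
     "TargetType": "TABLE", "TargetObject": "EMP", "EventStatus": "SUCCESS"},
    {"SessionId": 101, "EntryId": 2, "EventTimeUTC": "2024-01-05T10:00:03Z",
     "UserName": None, "CommandClass": "DELETE", "EventStatus": "FAILURE"},
    {"SessionId": 101, "EntryId": 3, "EventTimeUTC": "2024-01-05T10:00:09Z",
     "UserName": "SCOTT", "CommandClass": "DELETE", "EventStatus": "OK"},
]
```

Calling `recover(TRAIL, set())` accepts the first record and rejects the other two; passing a `seen` set that already holds `"101:1"` skips that record, which is how a marker prevents double collection after a restart.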

A.1.4 Extension Field

Extension fields store fields that cannot be accommodated in core or large fields as name-value pairs, separated by a delimiter, inside a single Audit Vault field.

Extension Field Definition

The extension field contains character large object (CLOB) columns. The RLS$INFO column describes the configured row level security policies. The RLS$INFO information is mapped to the extension field in Oracle Audit Vault and Database Firewall.

Extension Field Values

To populate the extension field column, you must set the AUDIT_TRAIL parameter of the target to DB EXTENDED.

A.2 Actions and Target Types

When you build collection plug-ins, you can use the target types and actions that Oracle Audit Vault can detect.

If you are building a collection plug-in, then you should use these fields in your mapper file if the fields map semantically. Otherwise, you can use your own values.

A.2.1 Actions

The Action field describes the nature of user activity that triggers generation of an audit record. It is similar to the verb part of a sentence: it describes the activity.

Purpose

Describes the nature of user activity that triggers generation of an audit record.

Oracle Audit Vault and Database Firewall strongly recommends mapping audit events to an appropriate value for the Action field, if the user activity semantically maps to it.

Permitted Actions

Audit Vault Server is currently aware of the following actions:


END
ACCESS
ACQUIRE
ALTER
ANALYZE
APPLY
ARCHIVE
ASSIGN
ASSOCIATE
AUDIT
AUTHENTICATE
AUTHORIZE
BACKUP
BIND
BLOCK
CACHE
CALCULATE
CALL
CANCEL
CLOSE
COMMIT
COMMUNICATE
COMPARE
CONFIGURE
CONNECT
CONTROL
CONVERT
COPY
CREATE
DDL
DEADLOCK
DELETE
DEMOTE
DENY
DISABLE
DISASSOCIATE
DISCONNECT
DML
DROP
ENABLE
EXCEED
EXECUTE
EXPIRE
EXPORT
FAIL
FILTER
FINISH
GET
GRANT
IMPORT
INHERIT
INITIALIZE
INSERT
INSTALL
INVALID
INVALIDATE
LOAD
LOCK
LOGIN
LOGOUT
MIGRATE
MOUNT
MOVE
NOAUDIT
NOTIFY
OPEN
PAUSE
PROMOTE
PROXY
PUBLISH
QUARANTINE
RAISE
READ
RECEIVE
RECOVER
REDO
REFRESH
REGISTER
RELEASE
REMOTE CALL
RENAME
RENEW
REQUEST
RESET
RESTORE
RESUME
RETRIEVE
REVOKE
ROLLBACK
ROLLFORWARD
SAVEPOINT
SEARCH
SELECT
SEND
SET
START
STOP
SUBMIT
SUBSCRIBE
SUSPEND
SYNCHRONIZE
TRANSACTION MANAGEMENT
TRUNCATE
UNDO
UNINSTALL
UNKNOWN
UNLOCK
UNMOUNT
UNREGISTER
UNSUBSCRIBE
UPDATE
VALIDATE
VIOLATE
WAIT
WRITE

A.2.2 Target Types

The TargetType field describes the type of object on which a user action operates. It is similar to a noun that describes the object of a user action.

Purpose

Describes the type of object on which a user action operates.

Oracle Audit Vault and Database Firewall strongly recommends mapping audit events to an appropriate value for the TargetType field, if the user activity semantically maps to it.

Permitted Objects

Oracle Audit Vault Server is currently aware of the following target types:

ALL TRIGGERS
APP ROLE
APPLICATION
ASSEMBLY
AUTHORIZATION
BROKER QUEING
BUFFERPOOL
CHECKPOINT
CLUSTER
CONNECTION
CONTEXT
CONTROL FILE
DATABASE
DATABASE LINK
DBA_RECYCLEBIN
DEFAULT
DIMENSION
DIRECTORY
EDITION
EVALUATION
EVENT MONITOR
EXPRESSION
FLASHBACK
FLASHBACK ARCHIVE
FUNCTION
INDEX
INDEXES
INDEXTYPE
INSTANCE
JAVA
LIBRARY
MATERIALIZED VIEW
MATERIALIZED VIEW LOG
MESSAGE
METHOD
MINING MODEL
NODE
NODEGROUP
OBJECT
OPERATOR
OUTLINE
PACKAGE
PACKAGE BODY
PRIVILEGE
PROCEDURE
PROFILE
PUBLIC DATABASE LINK
PUBLIC SYNONYM
RESOURCE COST
RESTORE POINT
REVOKE
REWRITE EQUIVALENCE
ROLE
ROLLBACK SEG
RULE
SAVEPOINT
SCHEMA
SEQUENCE
SESSION
STATISTICS
SUBSCRIPTION
SUMMARY
SYNONYM
SYSTEM
TABLE
TABLE OR SCHEMA POLICY
TABLESPACE
TAPE
TRACE
TRANSACTION
TRIGGER
TYPE
TYPE BODY
UNKNOWN
USER
USER LOGON
USER OR PROGRAM UNIT LABEL
USER_RECYCLEBIN
VIEW