A Audit Vault Server Fields
You can map Oracle Audit Vault and Database Firewall events and fields in your collection plug-ins.
A.1 Oracle Audit Vault and Database Firewall Fields
Oracle Audit Vault and Database Firewall values consist of core fields, large fields, marker fields, and extension fields.
A.1.1 Core Fields
To monitor and filter audit records for all source types in Oracle Audit Vault, you use core fields.
Core fields are fundamental to all source types. They are central to the description of an event. These fields are present in most audit records, for reporting, filtering, and so on.
Core Field Definitions
EventTimeUTC: Required: The time stamp that indicates when the event occurred. If the event has more than one time stamp (for example, an event start time stamp and an event end time stamp), then the collection plug-in must assign a time stamp to this field. If this field contains NULL, then Oracle Audit Vault shuts down the collection plug-in.
UserName: Required: The user who performed the action in the application or system that generated the audit record. If this field contains NULL, then the audit record is invalid.
CommandClass: Required: The action performed in the event (for example, SELECT or DELETE). If this field contains NULL, then the audit record is invalid.
OSUserName: The user who logged into the operating system that generated the audit record. If the user logged into the operating system as JOHN but performed the action as SCOTT, then this field contains JOHN and the User Name field contains SCOTT.
TargetType: The type of the target object on which the action was performed. For example, if the user selected from a table, then the target type is TABLE.
TargetObject: The name of the object on which the action was performed. For example, if the user selected from a table, then the Target Object field contains the name of the table.
TargetOwner: The name of the owner of the target on which the action was performed. For example, if the user had selected from a table owned by user JOHN, then the Target Owner field contains the user name JOHN.
ClientIP: The IP address of the host (Host Name) from where the user initiated the action.
ClientId: Client identifier of the user whose actions were audited.
ClientHostName: The host computer from where the user initiated the action. For example, if the user performed the action from an application on a server, then this field contains the name of the server.
TerminalName: Name of the UNIX terminal that was the source of the event.
EventName: The name of the event as is from the audit trail.
EventStatus: The status of the event. There are three possible values for EventStatus: SUCCESS, FAILURE, and UNKNOWN.
ErrorId: The error code of an action.
ErrorMessage: The error message of an action.
A.1.2 Large Fields
In Oracle Audit Vault, large fields are fields that can contain arbitrarily large amounts of data.
Large Field Definitions
For large fields, use the following:
- CommandText: Contains the text of the command that caused the event, which can be a SQL statement, a PL/SQL statement, and so on. This is also a core field.
- CommandParam: Contains the parameters of the command that caused the event. This is also a core field.
A.1.3 Marker Field
In Oracle Audit Vault, marker fields are fields that uniquely identify a record in a trail.
Marker Field Definitions
Marker Field of a Record: The marker is a string that uniquely identifies a record in a trail. During the recovery process, Oracle Audit Vault uses this field to filter the duplicate records. The collection plug-in provides the marker field, which is typically a concatenated subset of the fields of an audit record. For example, with Oracle Database, the session ID and Entry ID (a unique identifier within a session) define a marker.
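The required-field rules from the core field definitions and the marker-based duplicate filtering described above, as an added example in Python (not Oracle's code and not part of the plug-in API). The dict record layout, the SessionId and EntryId keys, and the "|" separator are assumptions made for illustration.

```python
# Added example: pre-flight check of mapped audit records, plus marker de-duplication.
# The dict layout, the SessionId/EntryId keys and the "|" separator are assumptions.
REQUIRED_ELSE_INVALID = ("UserName", "CommandClass")
EVENT_STATUS = {"SUCCESS", "FAILURE", "UNKNOWN"}


class CollectorShutdown(Exception):
    """EventTimeUTC is NULL: the case in which the collection plug-in is shut down."""


def validate(record):
    """Return the reasons a record is invalid; raise on the shutdown condition."""
    if record.get("EventTimeUTC") is None:
        raise CollectorShutdown("EventTimeUTC is NULL")
    problems = [f"{name} is NULL" for name in REQUIRED_ELSE_INVALID
                if record.get(name) is None]
    status = record.get("EventStatus")
    if status is not None and status not in EVENT_STATUS:
        problems.append(f"EventStatus {status!r} is not SUCCESS, FAILURE or UNKNOWN")
    return problems


def marker(record):
    """Build the marker as a concatenated subset of fields: session ID and entry ID."""
    return f"{record['SessionId']}|{record['EntryId']}"


def recover(trail, stored_markers):
    """Re-read a trail after a restart, skipping records whose marker is already stored."""
    fresh = []
    for record in trail:
        key = marker(record)
        if key not in stored_markers:
            stored_markers.add(key)
            fresh.append(record)
    return fresh


# Constructed sample trail; the second record is a re-read of the first.
FIRST = {"SessionId": 4101, "EntryId": 1, "EventTimeUTC": "2024-01-05T10:00:00Z",
         "UserName": "SCOTT", "OSUserName": "JOHN", "CommandClass": "SELECT",
         "TargetType": "TABLE", "EventStatus": "SUCCESS"}
TRAIL = [FIRST, dict(FIRST),
         {"SessionId": 4101, "EntryId": 2, "EventTimeUTC": "2024-01-05T10:00:07Z",
          "UserName": None, "CommandClass": "DELETE", "EventStatus": "FAILED"}]
```

Running recover over the sample trail keeps two of the three records, and validate flags the last one for both its NULL UserName and its out-of-range EventStatus.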
A.1.4 Extension Field
Extension fields store fields that cannot be accommodated in core or large fields as name-value pairs, separated by a delimiter, inside a single Audit Vault field.
Extension Field Definition
The extension field contains character large object (CLOB) columns. The RLS$INFO column describes the configured row level security policies. The RLS$INFO information is mapped to the extension field in Oracle Audit Vault and Database Firewall.
Extension Field Values
To populate the extension field column, you must set the AUDIT_TRAIL parameter of the target to DB EXTENDED.
A.2 Actions and Target Types
When you build collection plug-ins, you can use the target types and actions that Oracle Audit Vault can detect.
If you are building a collection plug-in, then you should use these fields in your mapper file if the fields map semantically. Otherwise, you can use your own values.
A.2.1 Actions
The Action field describes the nature of user activity that triggers generation of an audit record. Like the verb of a sentence, it describes the activity.
Purpose
Describes the nature of user activity that triggers generation of an audit record.
Oracle Audit Vault and Database Firewall strongly recommends mapping audit events to an appropriate value for the Action field, if the user activity semantically maps to it.
Permitted Actions
Audit Vault Server is currently aware of the following actions:
END
ACCESS
ACQUIRE
ALTER
ANALYZE
APPLY
ARCHIVE
ASSIGN
ASSOCIATE
AUDIT
AUTHENTICATE
AUTHORIZE
BACKUP
BIND
BLOCK
CACHE
CALCULATE
CALL
CANCEL
CLOSE
COMMIT
COMMUNICATE
COMPARE
CONFIGURE
CONNECT
CONTROL
CONVERT
COPY
CREATE
DDL
DEADLOCK
DELETE
DEMOTE
DENY
DISABLE
DISASSOCIATE
DISCONNECT
DML
DROP
ENABLE
EXCEED
EXECUTE
EXPIRE
EXPORT
FAIL
FILTER
FINISH
GET
GRANT
IMPORT
INHERIT
INITIALIZE
INSERT
INSTALL
INVALID
INVALIDATE
LOAD
LOCK
LOGIN
LOGOUT
MIGRATE
MOUNT
MOVE
NOAUDIT
NOTIFY
OPEN
PAUSE
PROMOTE
PROXY
PUBLISH
QUARANTINE
RAISE
READ
RECEIVE
RECOVER
REDO
REFRESH
REGISTER
RELEASE
REMOTE CALL
RENAME
RENEW
REQUEST
RESET
RESTORE
RESUME
RETRIEVE
REVOKE
ROLLBACK
ROLLFORWARD
SAVEPOINT
SEARCH
SELECT
SEND
SET
START
STOP
SUBMIT
SUBSCRIBE
SUSPEND
SYNCHRONIZE
TRANSACTION MANAGEMENT
TRUNCATE
UNDO
UNINSTALL
UNKNOWN
UNLOCK
UNMOUNT
UNREGISTER
UNSUBSCRIBE
UPDATE
VALIDATE
VIOLATE
WAIT
WRITE
A.2.2 Target Types
The TargetType field describes the type of object on which a user action operates. It is similar to a noun that describes the object of a user action.
Purpose
Describes the type of object on which a user action operates.
Oracle Audit Vault and Database Firewall strongly recommends mapping audit events to an appropriate value for the TargetType field, if the user activity semantically maps to it.
Permitted Objects
Oracle Audit Vault Server is currently aware of the following target types:
ALL TRIGGERS
APP ROLE
APPLICATION
ASSEMBLY
AUTHORIZATION
BROKER QUEING
BUFFERPOOL
CHECKPOINT
CLUSTER
CONNECTION
CONTEXT
CONTROL FILE
DATABASE
DATABASE LINK
DBA_RECYCLEBIN
DEFAULT
DIMENSION
DIRECTORY
EDITION
EVALUATION
EVENT MONITOR
EXPRESSION
FLASHBACK
FLASHBACK ARCHIVE
FUNCTION
INDEX
INDEXES
INDEXTYPE
INSTANCE
JAVA
LIBRARY
MATERIALIZED VIEW
MATERIALIZED VIEW LOG
MESSAGE
METHOD
MINING MODEL
NODE
NODEGROUP
OBJECT
OPERATOR
OUTLINE
PACKAGE
PACKAGE BODY
PRIVILEGE
PROCEDURE
PROFILE
PUBLIC DATABASE LINK
PUBLIC SYNONYM
RESOURCE COST
RESTORE POINT
REVOKE
REWRITE EQUIVALENCE
ROLE
ROLLBACK SEG
RULE
SAVEPOINT
SCHEMA
SEQUENCE
SESSION
STATISTICS
SUBSCRIPTION
SUMMARY
SYNONYM
SYSTEM
TABLE
TABLE OR SCHEMA POLICY
TABLESPACE
TAPE
TRACE
TRANSACTION
TRIGGER
TYPE
TYPE BODY
UNKNOWN
USER
USER LOGON
USER OR PROGRAM UNIT LABEL
USER_RECYCLEBIN
VIEW