Administering Oracle ASM audit trail

This document explains how to manage the audit trail records in Oracle ASM instances.

Oracle ASM audit records with Syslog

  • Oracle ASM audit trail records are redirected to the Syslog facility.

  • With this facility, the Oracle ASM audit trail records are written to the /var/log/oraasmaudit.log file.

  • Log rotation is configured for Oracle ASM audit trail records in the /etc/logrotate.d/oraasmaudit configuration file. Audit logs are rotated once every four weeks and are compressed after they are rotated.

Managing Oracle ASM audit records in Operating system audit trail

Operating system audit trail

Enabling Operating system audit trail

To disable syslog auditing and enable the operating system audit trail, set the AUDIT_SYSLOG_LEVEL initialization parameter to NULL and the AUDIT_TRAIL initialization parameter to 'OS'.

Purging Operating system audit trail files

Refer to the audcreatejob, audsettimestamp, and audcleanaudittrail ASMCMD commands for information about managing Oracle ASM audit trails. See ASMCMD Audit Files Management Commands.

Managing Oracle ASM audit records in Unified audit trail

Unified audit trail

  • See Oracle Database Security Guide for more information about unified auditing.
  • Unified audit trail records are available through
    • GV$UNIFIED_AUDIT_TRAIL view for Oracle ASM RAC instances.

Enabling Unified audit trail

Purging Unified audit trail files

Audit Trail Properties in Operating System and Unified Audit Trail

Table 3-3 Audit Trail Size and Age Properties

| Property Name | Description |
|---|---|
| Audit file max size | Audit file max size can have a minimum value of 1 KB and a maximum value of 2000000 KB. The default value is 10000 KB. The Oracle ASM instance stops writing audit records to the audit files upon reaching the file max size limit. The files are renamed and a new file is created for subsequent audit records. |
| Audit file max age | Audit file max age can have a minimum value of 1 day and a maximum value of 497 days. The default value is 5 days. The Oracle ASM instance stops writing audit records to the audit files upon reaching the file max age limit. The files are renamed and a new file is created for subsequent audit records. |
| Audit purge job interval | Audit purge job interval can have a minimum value of 1 hour and a maximum value of 999 hours. |

Note:

When Unified Auditing is enabled in ASM instances, it mandatorily audits only CONNECT and SHUTDOWN, as opposed to 19c, where all the activities done in the ASM instances are audited. This is a behaviour change in 23ai. When set in ASM instances, the UNIFIED_AUDIT_SYSTEMLOG init.ora parameter redirects the audit records to syslog and does NOT write a copy of the full audit record to the OS files.
