Administering Oracle ASM audit trail

This document explains how to manage the audit trail records in Oracle ASM instances.

Oracle ASM audit records with Syslog

  • Oracle ASM audit trail records are redirected to the Syslog facility.

  • With this facility, the Oracle ASM audit trail records are written to /var/log/oraasmaudit.log file.

  • Log rotation is configured for Oracle ASM audit trail records in /etc/logrotate.d/oraasmaudit configuration file. Audit logs are rotated once every four weeks and will be compressed after they are rotated.

Managing Oracle ASM audit records in Operating system audit trail

Operating system audit trail

Enabling Operating system audit trail

To disable syslog auditing and enable the operating system audit trail, set the AUDIT_SYSLOG_LEVEL initialization parameter to NULL and the AUDIT_TRAIL initialization parameter to 'OS'.

Purging Operating system audit trail files

Refer to the audcreatejob, audsettimestamp, and audcleanaudittrail ASMCMD commands for information about managing Oracle ASM audit trails. See ASMCMD Audit Files Management Commands.

Managing Oracle ASM Audit Records in Unified Audit Trail

Unified Audit Trail

  • See Oracle AI Database Security Guide for more information about unified auditing.
  • Unified audit trail records are available through the GV$UNIFIED_AUDIT_TRAIL view for Oracle ASM RAC instances.

Enabling Unified audit trail

Purging Unified audit trail files

When viewing audit records generated by RAC ASM instances, if the internal table AUDSYS.AUD$UNIFIED is not accessible for any reason, audit records are written only to spillover files, which can be queried through GV$UNIFIED_AUDIT_TRAIL. Query the UNIFIED_AUDIT_TRAIL view when an instance is OPEN (either READ ONLY or READ WRITE); that view internally fetches records from both the AUDSYS.AUD$UNIFIED table and the GV$UNIFIED_AUDIT_TRAIL view.

Note:

The SYS.AUDIT_ACTIONS table, which records the ACTION_CODE and ACTION_NAME for each audited action, is not accessible from non-database instances. Users can cross-verify the ACTION_CODE logged in GV$UNIFIED_AUDIT_TRAIL against the ACTION_NAME in SYS.AUDIT_ACTIONS. ACTION_CODE and ACTION_NAME items that are relevant for ASM instances include:

Figure 3-1 Action Codes and Names
With the introduction of Oracle AI Database 26ai, two new static init.ora parameters are included to configure auditing in ASM Instances:
  • ASM_UNIFIED_AUDIT_LEVEL: Defines what kind of actions are to be audited.
  • ASM_UNIFIED_AUDIT_DESTINATION: Specifies where to write the audit records.

After modifying these parameters, the instance must be restarted for the changes to take effect. The allowed set of values for each parameter is as follows:

ASM_UNIFIED_AUDIT_LEVEL:
  • ALL - All actions performed on the ASM instance are audited.
  • BASIC - Only specific important actions, that is, CONNECT, SHUTDOWN, and STARTUP, are audited. (DEFAULT VALUE)
ASM_UNIFIED_AUDIT_DESTINATION:
  • FILES - Writes the generated audit records to spillover files.
  • SYSTEMLOG - Writes audit records to the configured system log (syslog) location. (DEFAULT VALUE)

Note:

These parameters are applicable to ASM, ASM PROXY and REMOTE ASM as well.

ASM_UNIFIED_AUDIT_DESTINATION works in conjunction with the UNIFIED_AUDIT_SYSTEMLOG init.ora parameter, which determines the syslog 'facility' and 'priority' values. When ASM_UNIFIED_AUDIT_DESTINATION is set to SYSTEMLOG, the values in UNIFIED_AUDIT_SYSTEMLOG determine where and how the records are written to the system log.

Note:

With the release of Oracle AI Database 26ai, UNIFIED_AUDIT_SYSTEMLOG is now modifiable in ASM instances as well.
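The following SQL*Plus session is an added example, not part of the Oracle documentation, showing how the three parameters above fit together on an ASM instance (connected AS SYSASM) and how the mandatory CONNECT/STARTUP/SHUTDOWN events can then be reviewed across all RAC ASM instances. The column names used for GV$UNIFIED_AUDIT_TRAIL are assumed to match those of the database UNIFIED_AUDIT_TRAIL view, and the LOCAL0.INFO facility/priority pair and the one-day window are constructed values.

```sql
-- Added example: configure and review ASM unified auditing.
-- Run in SQL*Plus connected to the ASM instance AS SYSASM.

-- 1. Record the current settings before changing anything, so the
--    change can be documented and reverted if needed.
SELECT name, value, isdefault
  FROM v$parameter
 WHERE name IN ('asm_unified_audit_level',
                'asm_unified_audit_destination',
                'unified_audit_systemlog');

-- 2. Both ASM_UNIFIED_AUDIT_* parameters are static, so SCOPE=SPFILE is
--    required and nothing changes until the instance is restarted.
--    ALL audits every action (the default BASIC covers only CONNECT,
--    SHUTDOWN and STARTUP); FILES keeps the full record in spillover
--    files, which SYSTEMLOG does not.
ALTER SYSTEM SET asm_unified_audit_level = 'ALL' SCOPE=SPFILE;
ALTER SYSTEM SET asm_unified_audit_destination = 'FILES' SCOPE=SPFILE;

-- 3. If SYSTEMLOG is kept as the destination instead, this parameter
--    selects the syslog facility and priority ('FACILITY.PRIORITY';
--    LOCAL0.INFO is a constructed value for this example).
ALTER SYSTEM SET unified_audit_systemlog = 'LOCAL0.INFO' SCOPE=SPFILE;

-- 4. Restart the ASM instance from the Grid home before continuing, e.g.
--    srvctl stop asm -force  followed by  srvctl start asm

-- 5. After the restart, review the events that are always audited,
--    across every RAC ASM instance (INST_ID), for the last day.
--    A non-zero RETURN_CODE marks a failed attempt, which is the
--    row a reviewer most wants to see.
SELECT inst_id,
       event_timestamp,
       dbusername,
       os_username,
       userhost,
       action_name,
       return_code
  FROM gv$unified_audit_trail
 WHERE action_name IN ('LOGON', 'LOGOFF', 'STARTUP', 'SHUTDOWN')
   AND event_timestamp > SYSTIMESTAMP - INTERVAL '1' DAY
 ORDER BY return_code DESC, event_timestamp DESC;
```

On an ASM instance the SYS.AUDIT_ACTIONS lookup described in the note above is not available, so a numeric action code returned by the view has to be matched against SYS.AUDIT_ACTIONS on a database instance.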

Audit Trail Properties in Operating System and Unified Audit Trail

Table 3-3 Audit Trail Size and Age Properties

Property Name: Audit file max size

Description: Audit file max size can have a minimum value of 1 KB and a maximum value of 2000000 KB. The default value is 10000 KB.

The Oracle ASM instance stops writing audit records to the audit files upon reaching the file max size limit. The files are renamed and a new file is created for subsequent audit records.

Property Name: Audit file max age

Description: Audit file max age can have a minimum value of 1 day and a maximum value of 497 days. The default value is 5 days.

The Oracle ASM instance stops writing audit records to the audit files upon reaching the file max age limit. The files are renamed and a new file is created for subsequent audit records.

Property Name: Audit purge job interval

Description: Audit purge job interval can have a minimum value of 1 hour and a maximum value of 999 hours.

Note:

Unified Auditing, when enabled in ASM instances, will mandatorily audit only CONNECT and SHUTDOWN. This is the same restriction that existed in Oracle 19c. The UNIFIED_AUDIT_SYSTEMLOG init.ora parameter (when set in ASM instances) will redirect the audit records to syslog and will NOT write a copy of the full audit record to the OS files.
