View and Manage Audit Trails

You can view details for an audit trail in Oracle Data Safe, start an audit trail to begin collecting audit data, start and stop an audit trail as needed, enable or disable the auto purge feature for an audit trail, and delete an audit trail.

Discover Audit Trails for a Target Database

You can discover new audit trails for a target database from the Audit Profiles Details page.

  1. Under Security Center, click Activity Auditing.
  2. Under Related Resources, click Audit Profiles.
  3. On the right, click the name of the target database for which you want to discover audit trails. The audit profile for the selected target database is displayed.
  4. Click Discover Trails. The Discover Trails dialog box is displayed.
  5. Click Confirm. Any new audit trails for the target database that weren't discovered during target registration are discovered and listed on the Audit Profiles Details page under Available Trail Locations.
  6. (Optional) To view details for an audit trail, click the name of an audit trail. The Audit Trail Details page is displayed, showing you the details for the audit trail.

Here are some situations where you might consider running the discover trails operation:

  • If your target database has been upgraded from any version Oracle Database from 11g to 19c, then UNIFIED_AUDIT_TRAIL will be newly discovered by this operation.
  • If the target database is Oracle Database 12c and above and is using traditional auditing (SYS.AUD$), and database administrator enables mixed mode auditing, then UNIFIED_AUDIT_TRAIL will be newly discovered by this operation.
  • If the database administrator configures any additional audit trails are configured in the Oracle Database such as Database Vault audit trail or FGA audit trail, then these will be discovered in Oracle Data Safe if you run this operation.
  • If you are running Amazon RDS for Oracle, audit trail is None by default. See Security auditing in Amazon RDS for Oracle and Working with DB parameter groups from Amazon to configure the parameter group for audit so that you can use the Audit Trail functionality of Oracle Data Safe.
  • If you are adding a peer target database to a registered primary Active Data Guard target database after you've already discovered audit trails on the primary database, running the discovery trails operations will discover new trails associated with this newly added peer.

Audit Trail Details

Each audit trail in Oracle Data Safe has the following information:

  • Trail name (editable)
  • Target database - Target database to which the audit trail applies
  • Trail location - Audit trail on the target database
  • Trail description (editable)
  • Trail OCID - Oracle Cloud Identifier for the audit trail object in Oracle Cloud Infrastructure
  • Compartment - Compartment in Oracle Cloud Infrastructure in which the associated target database is stored
  • Profile name - Audit profile name for the target database
  • Created time - Date and time when the audit trail was created (UTC)
  • Updated time - Date and time when the audit trail was last updated (UTC)
  • Collection state - Values are blank if audit collection hasn't started yet
    • COLLECTING - trail is actively collecting audit records
    • IDLE - trail can't find any further records on the database to collect and is waiting for new audit records to be generated
    • NOT_STARTED - trail has been created when the target database has been registered
    • RECOVERING - trail has encountered an error and is trying to come back to COLLECTING state. The audit trail will have to re-process some of the audit records to avoid collecting them again.
    • RESUMING - trail is in the process of going to COLLECTING again after being stopped
    • RETRYING - trail is trying to enter RESUMING state
    • STARTING - trail is starting for the first time before moving to COLLECTING
    • STOPPED - trail has been manually stopped and not collecting audit records
    • STOPPING - trail has been manually stopped and is about to be STOPPED
    • STOPPED_FAILED - the target database for the audit trail has been deleted
    • STOPPED_NEEDS_ATTN - trail encountered a non-recoverable error on the target database and requires intervention to correct the error and resume
    .
  • Collection start time - Data and time when audit collection started. This field is blank only when the audit trail has never been started.
  • Auto purge - Whether the auto purge feature is enabled for the audit trail. Values are Yes or No.
  • Purge job status* - Current status of the audit trail purge job. Values are SUCCEEDED or FAILED.
  • Purge job last execution time* - Date and time of the last purge job (UTC). The purge job deletes audit data in the target database every seven days to prevent the database's audit trail from becoming too large.
  • Purge job details* - Details of the audit trail purge job that ran at the time specificed in the Purge job last execution time column.
  • Trail Source - For audit trails for Active Data Guard associated target databases, this states if the trail source is a TABLE or FILE.
  • Database unique name - For audit trails for Active Data Guard associated target databases, this states the unique name of the primary database associated with the peer target database.
  • Profile name - Name of the associated audit profile.
  • Policy name - Name of the associated audit policy.
  • Work requests - Operations running in Oracle Cloud Infrastructure that have to do with the audit trail

* To see this information you will need to re-run the datasafe_privileges.sql script for AUDIT_COLLECTION on the target database. See Grant Roles to the Oracle Data Safe Service Account on Your Target Database for more information.

View an Audit Trail

  1. Under Security Center, click Activity Auditing.
  2. Under Related Resources, click Audit Trails.
    For each audit trail in Oracle Data Safe, you can view the target database name, the audit trail name, whether or not the audit trail needs attention, source audit trail location (for example, SYS.AUD$ or UNIFIED_AUDIT_TRAIL), collection state, when the target database was registered, when audit data collection started, and whether auto purge is enabled.
    The Audit Trails page is displayed, tabling all of the audit trails to which you have access.
  3. (Optional) Under Filters select a target database from the Target Databases list to narrow the scope of displayed audit trails.
  4. (Optional) Under Filters select a collection state from the Collection State list to narrow the scope of displayed audit trails.
  5. On the right, locate the audit trails for your target database. You can refer to the Trail Location column to distinguish between the different source audit trails.
    For UNIFIED_AUDIT_TRAILs pointing to the operating system spillover file of Active Data Guard associated target databases, you will see a database icon next to the trail location.
  6. To view more information about an audit trail, click the name of your target database on the audit trail's row.
    The Audit Trail Details page is displayed.
  7. View the details for the audit trail.

Start an Audit Trail

Starting an audit trail for a target database is the same as starting audit collection. You can collect audit data that was created as far back as the data retention period.

  1. Under Security Center, click Activity Auditing.
  2. Under Related Resources, click Audit Trails.
    The Audit Trails page is displayed.
  3. Click the name of your target database on the row for the audit trail that you want to start.
    For UNIFIED_AUDIT_TRAILs pointing to the operating system spillover file of Active Data Guard associated target databases, you will see a database icon next to the trail location.
  4. Click Start.
    The Start Audit Trail dialog box is displayed.
  5. Click the Select Start Date box and select a date and time.
  6. (Optional) To enable the auto purge feature, select Auto Purge.
  7. Click Start.

    When collection begins, the Collection State field is updated.

    For audit trials pointing to an operating system spillover file of an Active Data Guard associated database, it may take some time for the audit trail to start collecting.

Stop an Audit Trail

If an audit trail is reaching the monthly limit and exceeding that limit is a concern, you may want to stop the audit trail in order to avoid additional charges. You can override the default Paid Usage setting at the target level to stop collection of audit records for the current month once the limit is reached. Then the audit trail will resume collection at the start of the billing cycle in the next month.

If you use the Paid Usage option, there is no need to manually stop and start audit record collection for this purpose.

  1. Under Security Center, click Activity Auditing.
  2. Under Related Resources, click Audit Trails.
    The Audit Trails page is displayed.
  3. Click the name of your target database on the row for the audit trail that you want to stop.
    For UNIFIED_AUDIT_TRAILs pointing to the operating system spillover file of Active Data Guard associated target databases, you will see a database icon next to the trail location.
  4. Click Stop. A dialog box is displayed, asking you to confirm.
  5. Click Yes.
    Audit data collection into the audit trail is immediately stopped.

Resume Audit Data Collection

You can resume audit trails whose collection state is STOPPED.

  1. Under Security Center, click Activity Auditing.
  2. Under Related Resources, click Audit Trails.
    The Audit Trails page is displayed.
  3. Click the name of your target database on the appropriate audit trail row.
    For UNIFIED_AUDIT_TRAILs pointing to the operating system spillover file of Active Data Guard associated target databases, you will see a database icon next to the trail location.
  4. Click Resume.

Update Auto Purge

You can enable or disable auto purge for a target database at any time.

  1. Under Security Center, click Activity Auditing.
  2. Under Related Resources, click Audit Trails.
    The Audit Trails page is displayed.
  3. Click the name of your target database on the appropriate audit trail row.
    For UNIFIED_AUDIT_TRAILs pointing to the operating system spillover file of Active Data Guard associated target databases, you will see a database icon next to the trail location.
  4. Click Update Auto Purge.
    The Update Auto Purge dialog box is displayed.
  5. Select Auto Purge to enable it for the target database or deselect it to disable it.
  6. Click Update Auto Purge.
    The auto purge is immediately enabled or disabled in Oracle Data Safe. The auto purge job on the target database will be eventually created when audit trail is active.

    Note:

    The audit records collected for a deleted trail will be archived and purged according to retention policy. Creating the same trail again in Oracle Data Safe might result into duplicate collection of records.

Delete an Audit Trail

Oracle Data Safe automatically discovers all the audit trails on your target database during target database registration. In Oracle Data Safe, you can delete the audit trails that your target database is not using.

  1. Under Security Center, click Activity Auditing.
  2. Under Related Resources, click Audit Trails.
    The Audit Trails page is displayed.
  3. Click the name of your target database on the appropriate audit trail row.
    For UNIFIED_AUDIT_TRAILs pointing to the operating system spillover file of Active Data Guard associated target databases, you will see a database icon next to the trail location.
  4. From the More Actions menu, select Delete.
    A Delete Trail dialog box is displayed.
  5. Click Delete Trail to confirm.
    The audit trail is permanently deleted.