Audit Trails
An audit trail represents the collection of audit records from the target database trail such as UNIFIED_AUDIT_TRAIL, which provides documentary evidence of the sequence of activities that happen.
A database audit trail is the source of audit records showing what has happened in the target database. When audit data collection is enabled for the specified database audit trail in an audit trail resource, the audit records are copied from the database's audit trail into Oracle Data Safe in near-real time. You can manage the audit records volume in the target database using the auto purge feature.
About Oracle Data Safe Audit Trails
An audit trail is an audit table in a target database that stores audit
data. The most common audit trail is the
UNIFIED_AUDIT_TRAIL data dictionary
view, which consolidates all Oracle Database audit trails into
one location and in a unified format.
During target database registration, Oracle Data Safe automatically discovers the audit trails on a target database and creates one audit trail resource per target database audit trail. These audit trail resources are listed on the Audit Trails page in Security Center. You can discover new audit trails for a target database at any time and remove audit trail resources in Oracle Data Safe as needed.
When you start an Oracle Data Safe audit trail, Oracle Data Safe begins copying audit records from the target database audit trail into the Oracle Data Safe repository. You can start and stop audit data collection as needed. In most cases, you configure Oracle Data Safe to collect audit data from only one audit trail in your target database, although it is possible to collect from more than one.
Supported Target Database Audit Trails
The following table lists the target database audit trails that Oracle Data
Safe can discover. The SQL_TEXT, SQL_BINDS, and
RLS_INFO columns in UNIFIED_AUDIT_TRAIL and
SYS.AUD$ are truncated to 32KB before being stored in Oracle Data Safe. So are LSQLTEXT, LSQLBIND, and
RLS$INFO in SYS.FGA_LOG$.
Unified audit policy retrieval and provisioning in Oracle Data Safe is supported only on Oracle Database versions 12.2 and above. Traditional audit settings cannot be retrieved and provisioned from Oracle Data Safe,although you can choose to do so within the target database and configure traditional audit trails for collection.
| Database Version | Standard Edition | Enterprise Edition |
|---|---|---|
|
Non-Autonomous Databases, versions 11.2.0.4, 12.1.0.1, 12.1.0.2 |
|
|
|
Non-Autonomous Databases, versions 12.2 and above |
|
Note: SYS.AUD$, SYS.FGA_LOG$*, and
DVSYS.AUDIT_TRAIL$ are available in mixed mode
only.
|
|
Autonomous Databases (latest version) |
(not applicable) |
|
*When you enable auto-purge for an FGA_LOG$ audit trail, you
may encounter an error and the audit trail is in a stopped state. To enable auto purge,
re-run the datasafe_privileges.sql on the target database and restart
the audit trail.
- A
UNIFIED_AUDIT_TRAILcollecting records from theAUDSYS.AUD$UNIFIEDtable of the primary database. For example,TABLE:PRIMARY. - A
UNIFIED_AUDIT_TRAILcollecting audit records from the operating system spillover files of the primary database. For example,FILE:database_unique_name1. - A
UNIFIED_AUDIT_TRAILcollecting audit records from the operating system spillover files of each peer database that is registered. For example,FILE:database_unique_name2.
UNIFIED_AUDIT_TRAIL that point to
the operating system spillover files by the
associated database unique name.
Auto Purge
It is important to properly manage audit data volume on your databases to ensure efficient performance and optimum use of the disk space. As audit trails on your databases grow in volume, querying the audit trail with large volume of audit data may impact performance and lead to space scalability issues. It is best to purge old audit records from the database audit trail periodically after they are collected by Oracle Data Safe. This is why you may want to consider using the auto purge feature.
The Oracle Data Safe auto purge feature in Activity Auditing lets you purge audit records from your target databases on a regularly scheduled basis. The auto purge feature is an operation on a target database. When auto purge is enabled for a target database, audit data in the target database audit trail is deleted every seven days so that it doesn't become too large.
Caution:
Enabling auto purge deletes all audit records in the target database audit trail every seven days, including those older than the initial start date of the audit collection. Records might be deleted even if they are not collected in Oracle Data Safe. After considering this impact, you should enable this feature carefully.
Additionally, the purging of audit records in a database target should only be managed
through Data Safe. Although Data Safe collects audit records frequently, purging audit
data from outside the Data Safe framework (for example, manually running
DBMS_AUDIT_MGMT.CLEAN_AUDIT_TRAIL) has the potential to delete audit
records that Data Safe has not yet collected. If you have created a custom job to
periodically purge audit data, you should consider deleting or disabling that job to avoid
conflicts in purge activity.
If you enable auto purge and want to see additional details like
purgeJobTime, purgeJobStatus, and
purgeJobDetails, re-run the
datasafe_privileges.sql script for AUDIT_COLLECTION on
the target database. See Grant Roles to the Oracle Data Safe Service
Account on Your Target Database for more information.
Auto purge is disabled by default. Even if you disable auto purge in Oracle Data Safe, be aware that your target database may still be purging audit data based on the target database's audit data retention settings. Please refer to your database's documentation for details.
Related Topics