Oracle – How to Get More Information from Audit Trail

auditoracle

I just turned on auditing for an Oracle 11g database. I'm interested in getting more information about each event; for example, when I see a CREATE_INDEX event, I'd like to know which field was indexed. Is there any way to do that?

Best Answer

Sure, use one of the below settings:

AUDIT_TRAIL

db, extended

Performs all actions of AUDIT_TRAIL=db, and also populates the SQL bind and SQL text CLOB-type columns of the SYS.AUD$ table, when available. These two columns are populated only when this parameter is specified.

xml, extended

Performs all actions of AUDIT_TRAIL=xml, and includes SQL text and SQL bind information in the audit trail.

alter system set AUDIT_TRAIL=db, extended scope=spfile;
shutdown immediate
startup

Related Solutions

Oracle Logs – Difference Between Alert Log and Archive Log in Oracle Databases

Alert log is a database log file where you can find various messages about your database, like time of startup, some db parameters, log file switch, possible errors that can occur etc.

Archive logs are archived redo(online) log files. In redo log files are all changes that happened to your data. If your database is in archivelog mode, than redo logs can't be overwritten, they are archived in some other location when they are full. Redo and archive logs are used in various database recovery scenarios.

So your Oracle expert probably used LogMiner(or some similar tool) to search through archive log files to find something like truncate table some_table;

Way to track data deleted from database

Provided Minimal Supplemental Logging was turned on before the incident occurred that you want to research (it is off by default since there is a minor performance hit by having it on) which you can check via: select supplemental_log_data_min from v$database;, then Logminer is the tool for this.

Start logminer:

execute dbms_logmnr_d.build(options=> dbms_logmnr_d.store_in_redo_logs);

Load the archive logs that you want to view into Logminer:

begin
   dbms_logmnr.start_logmnr(
     starttime => TO_TIMESTAMP('2017-03-02 07:00:00', 'YYYY-MM-DD HH24:MI:SS'), 
     endtime => TO_TIMESTAMP('2017-03-02 15:00:00', 'YYYY-MM-DD HH24:MI:SS'), 
     options => dbms_logmnr.dict_from_online_catalog + dbms_logmnr.continuous_mine);
end;

The above assumes that the ArchiveLogs are still on disk. If you've backed them up, you'll have to unpack them from the backup and register them with the database first.

Query the Redo

select timestamp, operation, username, session#, scn, sql_redo
   from v$logmnr_contents where sql_redo like '<SOME SEARCH CRITERIA>';

End your logminer session

exec dbms_logmnr.end_logmnr;

You can read about Logminer from the docs.

If supplemental Logging is turned off, you may still be able to get the information you need by determining when the incident occurred using flashback queries to narrow down the exact time of the incident (provided you have a large enough Undo and retention policies are adequate):

select * from <SOMETABLE> 
  AS OF TIMESTAMP TO_TIMESTAMP('2017-03-02 09:30:00', 'YYYY-MM-DD HH:MI:SS')

Then query the audit trail to find out when the shared schema user logged on around the above timeframe:

select * from dba_audit_trail where username = '<SOME USER>' order by timestamp;

The above assumes that you are logging audit information to the DB (show parameter audit_trail;). You can read about auditing from the docs.

Best Answer

Related Solutions

Oracle Logs – Difference Between Alert Log and Archive Log in Oracle Databases

Way to track data deleted from database

Related Question