I think the main problem here - and please don't take offense - is that you're pointing and clicking in a GUI but not really sure what you're pointing and clicking at.
Here is an example that creates a server-level audit, then adds a database-level audit specification to track multiple operations on any object in the dbo
schema.
USE master;
GO
-- create aserver audit
CREATE SERVER AUDIT Test_Server_Audit
TO FILE ( FILEPATH = 'C:\temp\' ); -- you may need to change that'
GO
-- turn it on
ALTER SERVER AUDIT Test_Server_Audit WITH (STATE = ON);
GO
-- create a demo database
CREATE DATABASE floob;
GO
USE floob;
GO
CREATE TABLE dbo.blat(x INT);
GO
-- create a database audit specification that monitors for activity
-- against any dbo object:
CREATE DATABASE AUDIT SPECIFICATION Test_Database_Audit
FOR SERVER AUDIT Test_Server_Audit
ADD (SELECT, UPDATE, DELETE, INSERT, EXECUTE ON SCHEMA::dbo BY PUBLIC)
WITH (STATE = ON);
GO
-- do a couple of things:
SELECT * FROM dbo.blat;
DELETE dbo.blat;
GO
-- you should see those couple of things in the audit file:
SELECT * FROM sys.fn_get_audit_file('C:\temp\*.sqlaudit', NULL, NULL);
GO
Now, clean up:
ALTER DATABASE AUDIT SPECIFICATION Test_Database_Audit
WITH (STATE = OFF);
GO
DROP DATABASE AUDIT SPECIFICATION Test_Database_Audit;
GO
USE master;
GO
ALTER DATABASE floob SET SINGLE_USER WITH ROLLBACK IMMEDIATE;
GO
DROP DATABASE floob;
GO
ALTER SERVER AUDIT Test_Server_Audit
WITH (STATE = OFF);
GO
DROP SERVER AUDIT Test_Server_Audit;
GO
I'd start at perhaps a higher conceptual level before pressing a bunch of buttons and hoping that they work.
You have enabled ORA_LOGON_FAILURES
, but have you enabled Unified Auditing properly?
With the default, mixed-mode auditing, setting audit_trail
to none
, prevents logon failures to be audited with ORA_LOGON_FAILURES
enabled.
This is how it works with everything set to default (audit_trail set to DB
by DBCA):
SQL> audit policy ora_logon_failures;
Audit succeeded.
SQL> select count(*) from unified_audit_trail
where unified_audit_policies = 'ORA_LOGON_FAILURES' and return_code = 1017;
COUNT(*)
----------
0
SQL> connect 1/1
ERROR:
ORA-01017: invalid username/password; logon denied
Warning: You are no longer connected to ORACLE.
SQL> connect / as sysdba
Connected.
SQL> select count(*) from unified_audit_trail
where unified_audit_policies = 'ORA_LOGON_FAILURES' and return_code = 1017;
COUNT(*)
----------
1
Also, Unified Audit entires can be buffered in the SGA and be written to disk later and not immediately, in that case, flush manually before querying:
EXEC DBMS_AUDIT_MGMT.flush_unified_audit_trail;
Still, if you configured everything properly, you may have hit:
BUG 19383839 - UNIFIED AUDIT - NO LOGON OR FAILED LOGON ACTION CAPTURED
Edit:
Ok, so I had to test it myself, else I would not have believed it. Opposing to what the documentation states (AUDIT_TRAIL), setting the audit_trail
to none
does have an effect even when using pure Unified Auditing. But this is not intended, it is a bug. The fix is not included in the latest PSU (12.1.0.2.170117), but installing the above one-off patch (19383839) indeed resolved the issue. The problem is, this patch is not available to Windows platform. (I have tested this both on Linux and Windows, because Windows is always a factor you need to consider when working with Oracle.)
Setting audit_trail
to DB
does not reenable mixed-mode, relinking (renaming the DLL) enables pure Unified Auditing and that overrides this, you can confirm this by selecting from AUD$
or DBA_AUDIT_SESSION
. So I suggest that you set audit_trail
to DB
.
Best Answer
In Oracle 12c Mixed Mode is enabled by default which makes the use familiar with Unified Auditing prior to switching to full Unified Auditing. Mixed Mode allows to pre-12c audit functionality to co-exist with new Unified Auditing functionality.
Using Mixed Mode audit data can be found both in the traditional locations as well as in
SYS.UNIFIED_AUDIT_TRAIL
. This is because the Unified Auditing PolicyORA_SECURECONFIG
is enabled by default.You can use the following commands to disable Unified Audit.
NOAUDIT POLICY ORA_SECURECONFIG;
noaudit policy ORA_LOGON_FAILURES;
Unified Auditing is not included in the Oracle 12c kernel so you have enable to manually. But in Mixed Mode it is on though it is not included in the kernel. You can check whether the Unified Auditing is enabled or not using the following query.
select VALUE from V$OPTION where PARAMETER='Unified Auditing';
If you wish to linked the Unified Auditing to kernel then use the following commands.cd $ORACLE_HOME/rdbms/lib make -f ins_rdbms.mk uniaud_on ioracle ORACLE_HOME=$ORACLE_HOME
If you dont set AUDIT_TRAIL=NONE then both auditing mechanisms will run concurrently.
Reference
Link to Oracle Official Documentation.
Mixed Mode Auditing