I activated an ORA_LOGON_FAILURES policy and I've tried to execute
select * from unified_audit_trail where unified_audit_policies = 'ORA_LOGON_FAILURES';
But it doesn't work. All my failed attempts to log in weren't audited. So what am I doing wrong?
Best Answer
You have enabled ORA_LOGON_FAILURES, but have you enabled Unified Auditing properly?
With the default, mixed-mode auditing, setting audit_trail to none prevents logon failures from being audited with ORA_LOGON_FAILURES enabled.
This is how it works with everything set to default (audit_trail set to DB by DBCA):
Also, Unified Audit entries can be buffered in the SGA and written to disk later rather than immediately; in that case, flush manually before querying:
Still, if you configured everything properly, you may have hit:
BUG 19383839 - UNIFIED AUDIT - NO LOGON OR FAILED LOGON ACTION CAPTURED
Edit:
Ok, so I had to test it myself, else I would not have believed it. Contrary to what the documentation states (AUDIT_TRAIL), setting audit_trail to none does have an effect even when using pure Unified Auditing. But this is not intended, it is a bug. The fix is not included in the latest PSU (12.1.0.2.170117), but installing the above one-off patch (19383839) indeed resolved the issue. The problem is, this patch is not available for the Windows platform. (I have tested this both on Linux and Windows, because Windows is always a factor you need to consider when working with Oracle.)
Setting audit_trail to DB does not reenable mixed-mode; relinking (renaming the DLL) enables pure Unified Auditing and that overrides this. You can confirm this by selecting from AUD$ or DBA_AUDIT_SESSION. So I suggest that you set audit_trail to DB.
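
The checks discussed in this answer, collected into one SQL*Plus script as an added example (not part of the original answer). It assumes a session with the AUDIT_ADMIN role or SYSDBA; the one-hour window and the column selection in the last query are arbitrary choices for illustration.

```sql
-- Added diagnostic example; EXEC is SQL*Plus syntax.

-- 1. Pure Unified Auditing (TRUE) or mixed mode (FALSE)?
SELECT value AS unified_auditing
FROM   v$option
WHERE  parameter = 'Unified Auditing';

-- 2. Current audit_trail setting. The answer found that NONE suppresses
--    logon-failure records and recommends DB.
SELECT value AS audit_trail
FROM   v$parameter
WHERE  name = 'audit_trail';

-- 3. Is the policy enabled, and does it cover failures?
SELECT policy_name, success, failure
FROM   audit_unified_enabled_policies
WHERE  policy_name = 'ORA_LOGON_FAILURES';

-- 4. Records may still be buffered in the SGA; write them to disk first.
EXEC DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL;

-- 5. Failed logons from the last hour. UNIFIED_AUDIT_POLICIES can list
--    several policies for one record, so match with LIKE rather than '='.
SELECT event_timestamp, dbusername, os_username, userhost, return_code
FROM   unified_audit_trail
WHERE  action_name = 'LOGON'
AND    return_code <> 0
AND    unified_audit_policies LIKE '%ORA_LOGON_FAILURES%'
AND    event_timestamp > SYSTIMESTAMP - INTERVAL '1' HOUR
ORDER  BY event_timestamp DESC;
```

If steps 1 to 3 look correct and step 5 still returns nothing after a deliberate failed login, the bug named in the answer is the remaining candidate.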