Querying the sys.aud$ table

Can anyone tell me which column of the sys.aud$ (audit trail) table is the one that shows when the grant occurred?
I did a desc sys.aud$, but I cannot tell which one is the right column.
Thanks in advance.

You can see the view DBA_AUDIT_TRAIL, column timestamp.
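
An added example (not part of the original thread) showing where the grant time appears in the view and in the raw table. It assumes Oracle 10g or later, AUDIT_TRAIL set to DB, and that grant auditing is enabled; `hr.employees` is a hypothetical object name.

```sql
-- Added example; hr.employees is a hypothetical object name.
-- Grants are only recorded if they are audited. Run as a suitably
-- privileged user:
AUDIT SYSTEM GRANT;              -- grants of system privileges and roles
AUDIT GRANT ON hr.employees;     -- object grants on one table

-- Documented view: TIMESTAMP is the time the audit record was created,
-- shown in the session time zone.
SELECT timestamp, username, action_name, owner, obj_name, grantee
FROM   dba_audit_trail
WHERE  action_name IN ('GRANT OBJECT', 'SYSTEM GRANT', 'GRANT ROLE')
ORDER  BY timestamp DESC;

-- Same events from the raw table. In 10g and later the time is held in
-- NTIMESTAMP# (UTC); AUDIT_ACTIONS translates ACTION# into a name so no
-- action numbers need to be hard-coded.
SELECT FROM_TZ(a.ntimestamp#, '00:00') AT LOCAL AS granted_at,
       a.userid,
       act.name          AS action_name,
       a.obj$creator,
       a.obj$name,
       a.auth$grantee
FROM   sys.aud$ a
JOIN   audit_actions act ON act.action = a.action#
WHERE  act.name IN ('GRANT OBJECT', 'SYSTEM GRANT', 'GRANT ROLE')
ORDER  BY a.ntimestamp# DESC;
```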

Similar Messages

  • Is there a way to include the sys.aud$ table in a full database dp export?

    I am doing an export using the following parfile information:
    userid=/
    directory=datapump_nightly_export
    dumpfile=test_expdp.dmp
    logfile=test_expdp.log
    full=y
    content=all
    However, when I run this I do not see sys.aud$ in the log file. I know I can do a separate export to specifically get the sys.aud$ table, but is there any way to include it in my full export?
    Thanks in advance for any suggestion.

    Here's more background information... I have some audits set up on my database for one of my users. Every quarter I have an automated job that runs and creates a usage/statistics report for this person using data in aud$. At the end of the job I export the aud$ table and truncate it. However, last quarter I found that there was a mistake in my report and my export did not run properly, thus my audit data was gone. I also have full datapump exports that run daily but found that aud$ was not there. So that is why I thought I'd like to include sys.aud$ in the full datapump exports.
    I understand why other sys tables would be left out of a full export, but aud$ data cannot be reproduced, so to me it makes sense to include it in a full export.
    Don't worry, we run our true backups using rman, which is eventually how I got the aud$ data back, by creating a copy of my database up until the time of the truncate. However, this was quite time consuming.

  • Sys.aud$ Table not accesible over PL/SQL ?

    I am trying to do the following.
    When you start auditing with a specific command like AUDIT
    SESSION; it will produce many, many rows in the sys.aud$ table.
    This is the reason why we need to maintain the data which exists
    in this table.
    I tried to do this with a separate user, AUDITER.
    As the sys user I gave it the following permissions:
    GRANT select, delete, update , insert to AUDITER;
    If I now try to select from SYS.AUD$, it works if I do it with a
    separate select statement like:
    SELECT * FROM SYS.AUD$;
    If I make a PROCEDURE like the following:
    CREATE OR REPLACE PROCEDURE proceed_audit AS
      CURSOR audtab IS SELECT * FROM sys.aud$;
    BEGIN
      NULL; -- body left empty in the original post
    END;
    /
    Oracle generates the message:
    PLS-00201: identifier 'SYS.AUD$' must be declared
    I don't understand this message, because this object exists and in
    "SQL" I can use it.
    Can anyone help me?
    Thanks
    P.S. It's Oracle version 8.1.7i

    Are you sure the user that is executing the PL/SQL block has
    direct grants to the tables you are referencing? I.E. NOT
    through a role? PL/SQL requires the user to have direct grants
    to the object it references. Granting DBA to the user won't have
    any effect on the execution of the PL/SQL.

  • Strange issue on deleting some rows on SYS.AUD$ table

    I just found out this strange thing happened on my 10gR2 database. I created a user called AUDIT_LOG and GRANT DELETE, REFERENCES, SELECT ON SYS.AUD$ TO AUDIT_LOG when I logged on as SYS dba.
    (1) Then I logged on as AUDIT_LOG user, tested the following statements:
    SELECT count(*) from sys.aud$ where ntimestamp# < TRUNC (SYSDATE-14);
    COUNT(*)
    2
    DELETE from sys.aud$ where ntimestamp# < TRUNC(SYSDATE-14);
    0 rows deleted
    (2) When I logged on as SYS account, SYS deleted them all,
    DELETE from sys.aud$ where ntimestamp# < TRUNC(SYSDATE-14);
    2 rows deleted
    I don't understand why the AUDIT_LOG user can't delete those two rows?
    Thanks for your help!
    lixidon

    Apologies for misreading the first time. I am wondering if the rows in question were related to audit actions on sys.aud$ itself as those rows should not be deleted by the AUDIT_LOG user (even if the user has been granted delete).
    Here's an excerpt from the Security Guide under the "Protecting the Standard Audit Trail" section:
    Audit records generated as a result of object audit options set for the SYS.AUD$ table can only be deleted from the audit trail by someone connected with administrator privileges, which itself has protection against unauthorized use.
    Here's a quick example illustrating this:
    SQL> connect / as sysdba
    Connected.
    SQL> grant delete, references, select on sys.aud$ to scott;
    Grant succeeded.
    SQL> connect scott/tiger
    Connected.
    SQL> select count(*) from sys.aud$ where sessionid = 30002;
      COUNT(*)
             2
    1 row selected.
    SQL> delete from sys.aud$ where sessionid = 30002;
    2 rows deleted.
    SQL> commit;
    -- now try to delete the sys.aud$ rows related to the above delete
    -- this will not succeed as user scott even though delete has been granted
    -- the session that performed the delete is 422426
    SQL> select count(*) from sys.aud$ where obj$name = 'AUD$' and action# = 7 and sessionid = 422426;
      COUNT(*)
             2
    1 row selected.
    SQL> delete from sys.aud$ where obj$name = 'AUD$' and action# = 7 and sessionid = 422426;
    0 rows deleted.
    SQL>
    Regards,
    Mark

  • Sys.aud$ table

    Hi,
    I need to get the auditing information for the last seven days from the auditing table for users other than apps. I tried the query below. Please correct me if it is wrong. The query takes
    a long time to execute and no output is displayed. Please tell me whether the query below is correct and whether I need to make any modifications.
    select userid,userhost,terminal,action#,obj$name, NTIMESTAMP# from sys.aud$ where action#=3 and timestamp# >=(sysdate-7) and userid not in ('APPS') order by ntimestamp# desc;
    Regards
    Aram

    You are SELECTing and ORDERing using column NTIMESTAMP#, but WHERE clause is using TIMESTAMP# (different column), most likely leading to a poor execution plan. Is the statement you posted syntactically correct ?
    MOS Doc 1025314.6 - Descriptions of Action Code and Privileges Used in Fields in SYS.AUD$ Table
    HTH
    Srini

  • Dba_scheduler_jobs for clearing the sys audit table

    Hi.
    Can you please tell me how to purge sys.aud$ table records once it has reached more than one lakh... This 1 lakh is the threshold, and any further data will be periodically purged by automated dba_scheduler_jobs.
    My db is - 10g
    So I need to always retain 1 lakh rows in the table; extra data will be purged once the threshold is breached. I don't know how to write it, since I am new to Oracle. Can anyone help?
    Thanks

    See these MOS Docs
    How To Shrink AUD$ IN ORACLE 10G (Doc ID 1080112.1)
    New Feature DBMS_AUDIT_MGMT To Manage And Purge Audit Information (Doc ID 731908.1)
    How to Truncate, Delete, or Purge Rows from the Audit Trail Table SYS.AUD$ (Doc ID 73408.1)
    Srini

  • What is sessionid field in SYS.AUD$ table

    Hi,
    Can anyone say what the sessionid field in the sys.aud$ table is? It seems different than the sessions

    Look at the session value in sys.aud$ table.
    SQL> select sessionid from sys.aud$ where rownum<10;
    SESSIONID
    459521060
    459521607
    459521661
    459521901
    459521954
    459522004
    459522052
    459522262
    459522424
    It seems that it's not a session id. Mostly sessionid length will be in 3-4.

  • Export  "sys.aud$"  table as system user using datapump

    Friends,
    I want to export (using datapump 'expdp') the sys user's AUD$ table (sys.aud$) as the system
    user . But it shows the following error :
    bash-3.00$ expdp system/sys123@onlinete directory=test_dir TABLES=sys.AUD$ DUMPFILE=sysaud.$Date.dmp logfile=audit.$date.log
    Export: Release 10.2.0.1.0 - 64bit Production on Wednesday, 14 January, 2009 13:30:56
    Copyright (c) 2003, 2005, Oracle. All rights reserved.
    Connected to: Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - 64bit Production
    With the Partitioning, OLAP and Data Mining options
    Starting "SYSTEM"."SYS_EXPORT_TABLE_01": system/********@onlinete directory=test_dir TABLES=sys.AUD$ DUMPFILE=sysaud..dmp logfile=audit..log
    Estimate in progress using BLOCKS method...
    Processing object type TABLE_EXPORT/TABLE/TABLE_DATA
    Total estimation using BLOCKS method: 0 KB
    ORA-39165: Schema SYS was not found.
    ORA-39166: Object AUD$ was not found.
    ORA-31655: no data or metadata objects selected for job
    Job "SYSTEM"."SYS_EXPORT_TABLE_01" completed with 3 error(s) at 13:31:01
    It also shows error when I take it as SYS user :
    bash-3.00$ expdp sys/sys123@onlinete directory=test_dir TABLES=sys.AUD$ DUMPFILE=sysaud.$Date.dmp logfile=audit.$date.log
    Export: Release 10.2.0.1.0 - 64bit Production on Wednesday, 14 January, 2009 13:35:19
    Copyright (c) 2003, 2005, Oracle. All rights reserved.
    UDE-00008: operation generated ORACLE error 28009
    ORA-28009: connection as SYS should be as SYSDBA or SYSOPER
    Username: sys/sys123 as sysdba
    Connected to: Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - 64bit Production
    With the Partitioning, OLAP and Data Mining options
    Starting "SYS"."SYS_EXPORT_TABLE_01": sys/******** AS SYSDBA directory=test_dir TABLES=sys.AUD$ DUMPFILE=sysaud..dmp logfile=audit..log
    Estimate in progress using BLOCKS method...
    Processing object type TABLE_EXPORT/TABLE/TABLE_DATA
    Total estimation using BLOCKS method: 0 KB
    ORA-39165: Schema SYS was not found.
    ORA-39166: Object AUD$ was not found.
    ORA-31655: no data or metadata objects selected for job
    Job "SYS"."SYS_EXPORT_TABLE_01" completed with 3 error(s) at 13:35:29
    I don't understand the problem, why it is not working. Need advice plz ... ...

    But that's not fair..
    Imagine the situation, where I figured out that some data was edited a year ago, but I don't know by whom.. Audit was enabled at that time, I was exporting (using the regular exp) AUD$ table during the year, everything is good.. BUT.. Two months ago I upgraded my DB to 11g. Hence I cannot use imp in order to restore the table and see what was going on a year ago.. That means that I always have to have an ability to create 10g database in order to use my AUD$ export??
    Is there any other way of backing up this table? So far I was doing exp+truncate, but since 11g release where exp/imp are not supported I am trying to think about another way of dealing with the audit...
    does anybody have ideas about it?
    thanks,
    M

  • Querying the schema for table name with column value!

    In my schema I have 500+ tables and other objects.
    I have a column with the name BO_PRODUCT_CODE.
    I want to know in which tables the value of BO_PRODUCT_CODE='FX03'.
    I have queried user_tab_columns, which gives me a result of 90 tables having the column BO_PRODUCT_CODE.
    What is the query which will give me the exact number/name of the tables whose column value is FX03, i.e. BO_PRODUCT_CODE='FX03'?

    Hi, you can use this approach:
    DECLARE
      v_str   VARCHAR2(250);
      v_count NUMBER := 0;
    BEGIN
      -- Visit every table in the current schema that has the column
      FOR loop_tbl IN ( SELECT DISTINCT table_name FROM USER_TAB_COLUMNS
                        WHERE column_name = 'BO_PRODUCT_CODE' )
      LOOP
        -- The table name comes from the data dictionary; it is double-quoted
        -- so that mixed-case names also resolve
        v_str := 'SELECT COUNT(*) FROM "' || loop_tbl.table_name ||
                 '" WHERE BO_PRODUCT_CODE = ''FX03''';
        EXECUTE IMMEDIATE v_str INTO v_count;
        IF v_count > 0 THEN
          DBMS_OUTPUT.PUT_LINE('Table Name :' || loop_tbl.table_name || ' Count :' || v_count);
        END IF;
        v_count := 0;
      END LOOP;
    EXCEPTION
      WHEN OTHERS THEN
        DBMS_OUTPUT.PUT_LINE(SQLERRM);
    END;
    /
    Please remove if any syntax error.
    Regards

  • How to query the apex base tables .

    Hi,
    I need the APEX tables from which we can query the following.
    a. workspace information , workspace id's
    b. application information , application id's and schemas to which the application is linked to
    c. application users
    Thanks in advance.
    Regards
    Nikhil

    Nikhil,
    apex_workspaces, apex_applications and apex_workspace_apex_users views will give you the required information.
    also apex_dictionary view will give you list of all available apex views.
    Thanks,
    Manish

  • Query the Manage Sessions Table in OBIEE

    Hi All,
    First I should ask, is it possible to get the information you see on Administration -> Manage Sessions, using a query to the database ?
    If not, I would appreciate Ideas to get the best time to reboot OPMCTL on a system that is working almost 24Hrs, is never a constant when users are not working on the system. The idea is to not reboot OPMCTL when there are active sessions.
    Creative Ideas welcome
    Thanks.

    Hope you are on Oracle DB. If yes, write a simple query on the db tables (V$session and V$session_longops) based on the module filter 'nqserver', which gives all active sessions:
    SELECT SID, Serial#, UserName, Status, SchemaName, Logon_Time
    FROM V$Session
    WHERE
    Status='ACTIVE' AND MODULE LIKE '%nqserver%' AND
    UserName='BI_USER';
    For more information refer : Oracle Business Intelligence
    Thanks,
    Saichand

  • How can I import NT ACL into the SYS.USER$ table ?

    Hi guys,
    the version of Oracle i'm using is a 8.0.5.
    I'd like to grant access to my database through the Access Control List of my PDC. Is there a way to import this list to do so ?
    for the moment I have to create Users in Oracle and define their identification externally.
    Help !

    Update... For anyone looking for a similar solution:
    I ended up adding more to my logon script I have it check for a user's mozilla profile first and if not found it will use command line "firefox.exe -createprofile default" to make one. After that I just copy a working cert8.db to that new profile. Then when the user opens firefox for first time, it will detect this new profile, and it will load it along with the correct CA Certs intact...
    Also, for existing profiles my script just uses nss certutil to add my proxy CA Certificate to the users profile cert8db.

  • Auditing SYS.AUD$ in Oracle 10g

    We created a new 10g database and imported our 9i database schema into it. One of our application teams, used to run reports on the SYS.AUD$ table in Oracle 9i.
    Currently in the new 10g database, they said they get an error saying table does not exist, which is probably to do with privileges and easily sorted.
    However, when I checked the SYS.AUD$ table, there were no records in the table. When I then did a SHOW PARAMETER AUDIT, I got the following output
    SQL> show parameter audit
    NAME                                 TYPE        VALUE
    audit_file_dest                      string      /Oracle10/admin/hpmslive/adump
    audit_sys_operations                 boolean     FALSE
    audit_syslog_level                   string
    audit_trail                          string      DB
    I checked the /Oracle10/admin/hpmslive/adump directory and it contained lots of .aud files. So basically I think that is where the audit data is going. However, why is it going to the OS, in spite of me having clearly said AUDIT_TRAIL=DB? I checked the AUDIT_FILE_DEST parameter and it says AUDIT_FILE_DEST specifies the operating system directory into which the audit trail is written when the AUDIT_TRAIL initialization parameter is set to os, xml, or xml,extended.
    Considering that the AUDIT_TRAIL is set to DB, why is the audit being written to the AUDIT_FILE_DEST?
    Regards
    S Dhavan

    You can answer the question on why audit_file_destination is set by looking in the Reference manual:
    AUDIT_FILE_DEST specifies the operating system directory into which the audit trail is
    written when the AUDIT_TRAIL initialization parameter is set to os, xml, or xml,extended.
    The audit records will be written in XML format if the AUDIT_TRAIL initialization parameter
    is set to XML. It is also the location to which mandatory auditing information is written and,
    if so specified by the AUDIT_SYS_OPERATIONS initialization parameter, audit records for
    user SYS.
    It is not a factor for your issue as you are writing to sys.aud$ based on whatever audit rules you have configured on the new instance.
    HTH -- Mark D Powell --
    edit (twice) in attempt to add CR to eliminate need to scroll
    Edited by: Mark D Powell on Dec 22, 2009 9:14 AM
    Edited by: Mark D Powell on Dec 22, 2009 9:16 AM

  • EM shows alert "User SYS logged on from node but no entry in SYS.AUD$

    Hello,
    When i look on the alert page of my databases i see sometimes the following message "User SYS logged on from <node>.
    I have setup several audit actions, like "create session" to track sessions.
    But in table SYS.AUD$ i see many records, but not the one of user SYS.
    Why? Anyone an idea?
    Best regards,
    hvdtol

    I understand it is coming from metrics, but I don't understand why I can see it in the sys.aud$ table.
    hvdtol

  • Deleting records from sys.aud$ from stored procedure

    We have a stored procedure that is trying to move records from the sys.aud$ table to a historical table (in an attempt to keep sys.aud$ to a more manageable size, I guess -- full disclosure I did not write this proc). The basic flow is:
    select count(*) into rowcount from sys.aud$
    if (rowcount > 1000) {
    copy all rows from sys.aud$ to historical table
    delete from sys.aud$
    }
    I am told this proc used to work just fine in the murky past (I am new to the client) but has now not worked for some time. When we try and compile the proc, we get the error
    "table or view does not exist," and the highlighted line is the "delete from sys.aud$". The "select count(*) from sys.aud$" line appears to cause no issue, but the proc will not compile as is. If I comment out the "delete from sys.aud$" line, however, the proc compiles just fine.
    Confusingly, if I log in as the same account that owns this proc, I can run both the select count(*) from sys.aud$ AND delete from sys.aud$ clauses with no complaints at all (altering slightly to work with only 1 record at a time, of course), but I cannot get the same to compile within a stored proc.
    I assume this is permissions related? Can anyone point me to the permissions the owner requires to be able to delete from sys.aud$ within a stored procedure? Or is there something else that needs to be done here? Any pointers much appreciated.
    Thanks.

    Privileges acquired via ROLE do NOT apply within named PL/SQL procedures.
    GRANT DELETE ON SYS.AUD$ TO <your_schema>;
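
The direct-grant requirement raised in both the PLS-00201 thread and the stored-procedure thread above, as an added example that is not code from any of the posters. It assumes 10g or later (NTIMESTAMP# held in UTC); the schema `AUDIT_ARCH`, the table `AUD_HISTORY`, the procedure name and the 14-day default are hypothetical, and `AUDIT_ARCH` is assumed to have quota on its default tablespace.

```sql
-- Added example; AUDIT_ARCH, AUD_HISTORY, ARCHIVE_AUDIT_TRAIL and the
-- 14-day default are hypothetical names and values.

-- 1. As SYSDBA: grant directly to the procedure owner, not to a role.
GRANT SELECT, DELETE ON sys.aud$ TO audit_arch;

CREATE TABLE audit_arch.aud_history AS
  SELECT * FROM sys.aud$ WHERE 1 = 0;            -- structure only, no rows

-- 2. Confirm the grants are direct. Privileges that reach the user only
--    through a role are listed with the role as GRANTEE, not the user.
SELECT privilege
FROM   dba_tab_privs
WHERE  grantee = 'AUDIT_ARCH' AND owner = 'SYS' AND table_name = 'AUD$';

-- 3. As AUDIT_ARCH in SQL*Plus: disable roles to see what named PL/SQL
--    sees. If this SELECT now fails with ORA-00942, the access came from
--    a role and the procedure below will not compile.
SET ROLE NONE;
SELECT COUNT(*) FROM sys.aud$;

-- 4. As AUDIT_ARCH: copy old rows to the history table, then delete them.
--    Rows generated by auditing SYS.AUD$ itself are skipped: per the
--    Security Guide excerpt quoted earlier on this page they can only be
--    deleted by an administrator connection, so copying them here would
--    duplicate them on every run.
CREATE OR REPLACE PROCEDURE audit_arch.archive_audit_trail (
  p_keep_days IN NUMBER DEFAULT 14
) AS
  v_cutoff TIMESTAMP :=
    SYS_EXTRACT_UTC(SYSTIMESTAMP) - NUMTODSINTERVAL(p_keep_days, 'DAY');
BEGIN
  INSERT INTO audit_arch.aud_history
    SELECT * FROM sys.aud$
    WHERE  ntimestamp# < v_cutoff
    AND    NOT (obj$creator = 'SYS' AND obj$name = 'AUD$');

  DELETE FROM sys.aud$
  WHERE  ntimestamp# < v_cutoff
  AND    NOT (obj$creator = 'SYS' AND obj$name = 'AUD$');

  COMMIT;
END archive_audit_trail;
/

-- 5. As SYSDBA: the procedure should now be VALID.
SELECT object_name, status
FROM   dba_objects
WHERE  owner = 'AUDIT_ARCH' AND object_name = 'ARCHIVE_AUDIT_TRAIL';
```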
