Querying the sys.aud$ table
can any one tell me which column of the sys.aud$ (audit trail) table is the one that shows when the grant occurred.
I did a desc sys.aud$ ,but i cannot tell which one is the right column.
thanks in advance
you can see view DBA_AUDIT_TRAIL, column timestamp.
Similar Messages
-
Is there a way to include the sys.aud$ table in a full database dp export?
I am doing an export using the following parfile information:
userid=/
directory=datapump_nightly_export
dumpfile=test_expdp.dmp
logfile=test_expdp.log
full=y
content=all
However when I run this I do not see the sys.aud$ in the log file. I know I can do a seperate export to specifically get the sys.aud$ table but is there any way to include it in with my full export?
Thanks in advance for any suggestion.here's more background infomation... I have some audits setup on my database for one of my users. Every quarter I have an automated job that runs that creates a usage/statics report for this person using data in aud$. at the end of the job I export the aud$ table and truncate it. However last quarter I found that there was a mistake in my report and my export did not run properly thus my audit data was gone. i also have full datapump exports that run daily but found that aud$ was not there. so that is why I thought I'd like to include sys.aud$ in the full datapump exports.
i understand why other sys tables would be left out of a full export but aud$ data cannot be reproduced so to me it makes sense to include it in a full export.
don't worry, we run our true backups using rman which is eventually how I got the aud$ data back by creating a copy of my database up until the time of the truncate. however this was quite time consuming. -
Sys.aud$ Table not accesible over PL/SQL ?
I try to do the follow.
When you start the auditing with specific command like AUDIT
SESSION; it will produce many many rows in the sys.aud$ table.
This is the reason while we need to maintain the data witch exist
then in thsi table.
I did try it to do this with a separate user like AUDITER.
I gave them from the sys user the follow permissions:
GRANT select, delete, update , insert to AUDITER;
If i try now to select from SYS.AUD$ it works if i do it with a
separet select statement like :
SELECT * FROM SYS.AUD$.
If i make a PROCEDURE like folow :
PROCEDURE proceed_audit as
CURSOR audtab is select * from sys.aud$
BEGIN
END;
Oracle generate the message :
PLS-00201: identifier 'SYS.AUD$' must be declared
I don't anderstand this message, becose this object exists and in
"SQL" i can use it.
Can anyone help me ?
Thanks
P.S. it's the Oracle version 8.1.7iAre you sure the user that is executing the PL/SQL block has
direct grants to the tables you are referencing? I.E. NOT
through a role? PL/SQL requires the user to have direct grants
to the object it references. Granting DBA to the user won't have
any affect on the execution of the PL/SQL -
Strange issue on deleting some rows on SYS.AUD$ table
I just found out this strange thing happened on my 10gR2 database. I created a user called AUDIT_LOG and GRANT DELETE, REFERENCES, SELECT ON SYS.AUD$ TO AUDIT_LOG when I logged on as SYS dba.
(1) Then I logged on as AUDIT_LOG user, tested the following statements:
SELECT count(*) from sys.aud$ where ntimestamp# < TRUNC (SYSDATE-14);
COUNT(*)
2
DELETE from sys.aud$ where ntimestamp# < TRUNC(SYSDATE-14);
0 rows deleted
(2) When I logged on as SYS account, SYS deleted them all,
DELETE from sys.aud$ where ntimestamp# < TRUNC(SYSDATE-14);
2 rows deleted
I don't understand why the AUDIT_LOG user can't delete that two rows?
Thanks for your help!
lixidonApologies for misreading the first time. I am wondering if the rows in question were related to audit actions on sys.aud$ itself as those rows should not be deleted by the AUDIT_LOG user (even if the user has been granted delete).
Here's an excerpt from the Security Guide under the "Protecting the Standard Audit Trail" section:
Audit records generated as a result of object audit options set for the SYS.AUD$ table can only be deleted from the audit trail by someone connected with administrator privileges, which itself has protection against unauthorized use.
Here's a quick example illustrating this:
SQL> connect / as sysdba
Connected.
SQL> grant delete, references, select on sys.aud$ to scott;
Grant succeeded.
SQL> connect scott/tiger
Connected.
SQL> select count(*) from sys.aud$ where sessionid = 30002;
COUNT(*)
2
1 row selected.
SQL> delete from sys.aud$ where sessionid = 30002;
2 rows deleted.
SQL> commit;
-- now try to delete the sys.aud$ rows related to the above delete
-- this will not succeed as user scott even though delete has been granted
-- the session that performed the delete is 422426
SQL> select count(*) from sys.aud$ where obj$name = 'AUD$' and action# = 7 and sessionid = 422426;
COUNT(*)
2
1 row selected.
SQL> delete from sys.aud$ where obj$name = 'AUD$' and action# = 7 and sessionid = 422426;
0 rows deleted.
SQL>Regards,
Mark -
Hi,
I need to get the auditing information for the last seven days fron the auditing table for users other than apps.I tried the below query.Please correct me if it is wrong.The query takes
a long time to execute and no output dispayed.Please inform me whether the below query is correct and inform me if i need to do any modifications.
select userid,userhost,terminal,action#,obj$name, NTIMESTAMP# from sys.aud$ where action#=3 and timestamp# >=(sysdate-7) and userid not in ('APPS') order by ntimestamp# desc;
Regards
AramYou are SELECTing and ORDERing using column NTIMESTAMP#, but WHERE clause is using TIMESTAMP# (different column), most likely leading to a poor execution plan. Is the statement you posted syntactically correct ?
MOS Doc 1025314.6 - Descriptions of Action Code and Privileges Used in Fields in SYS.AUD$ Table
HTH
Srini -
Dba_scheduler_jobs for clearing the sys audit table
Hi.
can u please tell me how to purge a sys.aud$ table records once its reached more than once lakh ... these 1 lakh is the threshold and other more data will be peridiodically purged by automated dba_scheduler_jobs.
My db is - 10g
so i need to always retain 1lakh rows on the table..extra data will be purged...once breaching the threshold...i don know how to write..since i am new to this oracle.can anyone help?
ThanksSee these MOS Docs
How To Shrink AUD$ IN ORACLE 10G (Doc ID 1080112.1)
New Feature DBMS_AUDIT_MGMT To Manage And Purge Audit Information (Doc ID 731908.1)
How to Truncate, Delete, or Purge Rows from the Audit Trail Table SYS.AUD$ (Doc ID 73408.1)
Srini -
What is sessionid field in SYS.AUD$ table
Hi,
Can anyone say,what is sessionid field in sys.aud$ table..It seems different than the sessionsLook at the session value in sys.aud$ table.
QL> select sessionid from sys.aud$ where rownum<10;
SESSIONID
459521060
459521607
459521661
459521901
459521954
459522004
459522052
459522262
459522424
It seems that,its not asession id.Mostly sessionid length ll be in3-4. -
Export "sys.aud$" table as system user using datapump
Friends,
I want to export (using datapump 'expdp') the sys user's AUD$ table (sys.aud$) as the system
user . But it shows the following error :
bash-3.00$ expdp system/sys123@onlinete directory=test_dir TABLES=sys.AUD$ DUMPFILE=sysaud.$Date.dmp logfile=audit.$date.log
Export: Release 10.2.0.1.0 - 64bit Production on Wednesday, 14 January, 2009 13:30:56
Copyright (c) 2003, 2005, Oracle. All rights reserved.
Connected to: Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - 64bit Production
With the Partitioning, OLAP and Data Mining options
Starting "SYSTEM"."SYS_EXPORT_TABLE_01": system/********@onlinete directory=test_dir TABLES=sys.AUD$ DUMPFILE=sysaud..dmp logfile=audit..log
Estimate in progress using BLOCKS method...
Processing object type TABLE_EXPORT/TABLE/TABLE_DATA
Total estimation using BLOCKS method: 0 KB
ORA-39165: Schema SYS was not found.
ORA-39166: Object AUD$ was not found.
ORA-31655: no data or metadata objects selected for job
Job "SYSTEM"."SYS_EXPORT_TABLE_01" completed with 3 error(s) at 13:31:01
It also shows error when I take it as SYS user :
bash-3.00$ expdp sys/sys123@onlinete directory=test_dir TABLES=sys.AUD$ DUMPFILE=sysaud.$Date.dmp logfile=audit.$date.log
Export: Release 10.2.0.1.0 - 64bit Production on Wednesday, 14 January, 2009 13:35:19
Copyright (c) 2003, 2005, Oracle. All rights reserved.
UDE-00008: operation generated ORACLE error 28009
ORA-28009: connection as SYS should be as SYSDBA or SYSOPER
Username: sys/sys123 as sysdba
Connected to: Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - 64bit Production
With the Partitioning, OLAP and Data Mining options
Starting "SYS"."SYS_EXPORT_TABLE_01": sys/******** AS SYSDBA directory=test_dir TABLES=sys.AUD$ DUMPFILE=sysaud..dmp logfile=audit..log
Estimate in progress using BLOCKS method...
Processing object type TABLE_EXPORT/TABLE/TABLE_DATA
Total estimation using BLOCKS method: 0 KB
ORA-39165: Schema SYS was not found.
ORA-39166: Object AUD$ was not found.
ORA-31655: no data or metadata objects selected for job
Job "SYS"."SYS_EXPORT_TABLE_01" completed with 3 error(s) at 13:35:29
I dont understand the problem why it is not working . Need advice plz ... ...But that's not fair..
Imagine the situation, where I figured out that some data was edited a year ago, but I don't know by whom.. Audit was enabled at that time, I was exporting (using the regular exp) AUD$ table during the year, everything is good.. BUT.. Two months ago I upgraded my DB to 11g. Hence I cannot use imp in order to restore the table and see what was going on a year ago.. That means that I always have to have an ability to create 10g database in order to use my AUD$ export??
Is there any other way of backing up this table? Sop far I was doing exp+truncate, but since 11g release where exp/imp are not supported I am trying to think about another way of dealing with the audit...
does anybody have ideas about it?
thanks,
M -
Querying the schema for table name with column value!
In my schema i have 500+ tables and other objects.
i have a column with the name BO_PRODUCT_CODE.
I wants to know in what tables the value of BO_PRODUCT_CODE='FX03'.
i have query the user_tab_columns which gives me the result with 90 tables having the column BO_PRODUCT_CODE.
What is query which will give me the exact number/name of the table whose column value is FX03. ie, BO_PRODUCT_CODE='FX03'.Hi you can use this approach:
BEGIN
v_str VARCHAR2(250);
v_count NUMBER :=0;
DECLARE
FOR loop_tbl IN ( SELECT DISTINCT table_name FROM USER_TAB_COLUMNS
WHERE column_name ='BO_PRODUCT_CODE' )
LOOP
v_str := 'SELECT COUNT(*) FROM ' || loop_tbl.table_name || ' WHERE BO_PRODUCT_CODE=||'''' ||'FX03' || '''' '
EXECUTE IMMEDIATE v_str INTO v_count ;
IF v_count > 0 THEN
DBMS_OUTPUT.PUT_LINE ('Table Name :'|| loop_tbl.table_name || ' Count :'||v_count);
END IF;
v_count :=0;
END LOOP;
EXCEPTION
WHEN others THEN
DBMS_OUTPUT.PUT_LINE(SQLERRM);
END;
Please remove if any syntax error.
Regards -
How to query the apex base tables .
Hi,
I need to apex tables from whic w can query the following.
a. workspace information , workspace id's
b. application information , application id's and schemas to which the application is linked to
c. application users
Thanks in advance.
Regards
NikhilNikhil,
apex_workspaces, apex_applications and apex_workspace_apex_users views will give you the required information.
also apex_dictionary view will give you list of all available apex views.
Thanks,
Manish -
Query the Manage Sessions Table in OBIEE
Hi All,
First I should ask, is it possible to get the information you see on Administration -> Manage Sessions, using a query to the database ?
If not, I would appreciate Ideas to get the best time to reboot OPMCTL on a system that is working almost 24Hrs, is never a constant when users are not working on the system. The idea is to not reboot OPMCTL when there are active sessions.
Creative Ideas welcome
Thanks.Hope you are on Oracle DB if yes, write a simple query on db tables (V$session and V$session_logops) based on the moudle filter 'nqserver' which gives all Active SESSIONS
SELECT SID, Serial#, UserName, Status, SchemaName, Logon_Time
FROM V$Session
WHERE
Status=‘ACTIVE’ AND MODULE LIKE '%nqserver%' AND
UserName='BI_USER';
For more information refer : Oracle Business Intelligence
Thanks,
Saichand -
How can I import NT ACL into the SYS.USER$ table ?
Hi guys,
the version of Oracle i'm using is a 8.0.5.
I'd like to grant access to my database through the Access Control List of my PDC. Is there a way to import this list to do so ?
for the moment I have to create Users in Oracle and define their identification externally.
Help !Update... For anyone looking for a similar solution:
I ended up adding more to my logon script I have it check for a user's mozilla profile first and if not found it will use command line "firefox.exe -createprofile default" to make one. After that I just copy a working cert8.db to that new profile. Then when the user opens firefox for first time, it will detect this new profile, and it will load it along with the correct CA Certs intact...
Also, for existing profiles my script just uses nss certutil to add my proxy CA Certificate to the users profile cert8db. -
Auditing SYS.AUD$ in Oracle 10g
We created a new 10g database and imported our 9i database schema into it. One of our application teams, used to run reports on the SYS.AUD$ table in Oracle 9i.
Currently in the new 10g database, they said they get an error saying table does not exist, which is probably to do with privileges and easily sorted.
However, when I checked the SYS.AUD$ table, there were no records in the table. When I then did a SHOW PARAMETER AUDIT, I got the following output
SQL> show parameter audit
NAME TYPE VALUE
audit_file_dest string /Oracle10/admin/hpmslive/adump
audit_sys_operations boolean FALSE
audit_syslog_level string
audit_trail string DBI checked the /Oracle10/admin/hpmslive/adump directory and it contained lots of .aud files. So basically I think that is where the audit data is going. However why is it going to the OS, inspite of me having clearly said AUDIT_TRAIL=DB. I checked the AUDIT_FILE_DEST parameter and it says AUDIT_FILE_DEST specifies the operating system directory into which the audit trail is written when the AUDIT_TRAIL initialization parameter is set to os, xml, or xml,extended.
Considering that the AUDIT_TRAIL is set to DB, why is the audit being written to the AUDIT_FILE_DEST?
Regards
S DhavanYou can answer the question on why audit_file_destination is set by looking in the Reference manual:
AUDIT_FILE_DEST specifies the operating system directory into which the audit trail is
written when the AUDIT_TRAIL initialization parameter is set to os, xml, or xml,extended.
The audit records will be written in XML format if the AUDIT_TRAIL initialization parameter
is set to XML. It is also the location to which mandatory auditing information is written and,
if so specified by the AUDIT_SYS_OPERATIONS initialization parameter, audit records for
user SYS.It is not a factor for your issue as you are writing to sys.aud$ based on whatever audit rules you have configured on the new instance.
HTH -- Mark D Powell --
edit (twice) in attemp to add CR to eliminate need to scrool
Edited by: Mark D Powell on Dec 22, 2009 9:14 AM
Edited by: Mark D Powell on Dec 22, 2009 9:16 AM -
EM shows alert "User SYS logged on from node but no entry in SYS.AUD$
Hello,
When i look on the alert page of my databases i see sometimes the following message "User SYS logged on from <node>.
I have setup several audit actions, like "create session" to track sessions.
But in table SYS.AUD$ i see many records, but not the one of user SYS.
Why? Anyone an idea?
Best regards,
hvdtoli understand it is comming from metrics, but i don't understand why i can see it in the sys.aud$ table.
hvdtol -
Deleting records from sys.aud$ from stored procedure
We have a stored procedure that is trying to move records from the sys.aud$ table to a historical table (in an attempt to keep sys.aud$ to a more manageable size, I guess -- full disclosure I did not write this proc). The basic flow is:
select count(*) into rowcount from sys.aud$
if (rowcount > 1000) {
copy all rows from sys.aud$ to historical table
delete from sys.aud$
I am told this proc used to work just fine in the murky past (I am new to the client) but has now not worked for some time. When we try and compile the proc, we get the error
"table or view does not exist," and the highlighted line is the "delete from sys.aud$". The "select count(*) from sys.aud$" line appears to cause no issue, but the proc will not compile as is. If I comment out the "delete from sys.aud$" line, however, the proc compiles just fine.
Confusingly, if I log in as the same account that owns this proc, I can run both the select count(*) from sys.aud$ AND delete from sys.aud$ clauses with no complaints at all (altering slightly to work with only 1 record at a time, of course), but I cannot get the same to compile within a stored proc.
I assume this is permissions related? Can anyone point me to the permissions the owner requires to be able to delete from sys.aud$ within a stored procedure? Or is there something else that needs to be done here? Any pointers much appreciated.
Thanks.956928 wrote:
We have a stored procedure that is trying to move records from the sys.aud$ table to a historical table (in an attempt to keep sys.aud$ to a more manageable size, I guess -- full disclosure I did not write this proc). The basic flow is:
select count(*) into rowcount from sys.aud$
if (rowcount > 1000) {
copy all rows from sys.aud$ to historical table
delete from sys.aud$
I am told this proc used to work just fine in the murky past (I am new to the client) but has now not worked for some time. When we try and compile the proc, we get the error
"table or view does not exist," and the highlighted line is the "delete from sys.aud$". The "select count(*) from sys.aud$" line appears to cause no issue, but the proc will not compile as is. If I comment out the "delete from sys.aud$" line, however, the proc compiles just fine.
Confusingly, if I log in as the same account that owns this proc, I can run both the select count(*) from sys.aud$ AND delete from sys.aud$ clauses with no complaints at all (altering slightly to work with only 1 record at a time, of course), but I cannot get the same to compile within a stored proc.
I assume this is permissions related? Can anyone point me to the permissions the owner requires to be able to delete from sys.aud$ within a stored procedure? Or is there something else that needs to be done here? Any pointers much appreciated.
Thanks.privileges acquired via ROLE do NOT apply within named PL/SQL procedures.
GRANT DELETE ON SYS.AUD$ TO <your_schema>;
Maybe you are looking for
-
Can I backup and restore my itunes media using a hard drive?
Can I backup and restore files if I used a hard drive? I do not want to backup my entire itunes library of >200 GB to individual CDs and DVDs, if I can help it; it will take forever. Hence the above question. Thanks!
-
BEO Calendar not displaying certain dates
Hello I'm trying to set up a calender which includes, amongst other dates, 30 November 2009. However, because November 2009 spans 6 weeks (1st on week 1, 30th on week 6) the 30th is not displayed. Is there any way to overcome this as it will mean th
-
How to factory unlock iphone4 bought from australia ?
how to factory unlock iphone4 bought from australia ?
-
Oracle Hyperion Query and Reporting Runtime Setup
Experts, We are in the process to implementing Hyperion application (IR & FR), and we are looking for a way to setup some security governance on reports/queries that run for more than an hr. We were told that there is no "out of box" solution from Hy
-
how to download the alv report output list to excel?