Reading SYS.AUD$

Similar Messages

• Is there a way to include the sys.aud$ table in a full database dp export?

  I am doing an export using the following parfile information:
  userid=/
  directory=datapump_nightly_export
  dumpfile=test_expdp.dmp
  logfile=test_expdp.log
  full=y
  content=all
  However when I run this I do not see the sys.aud$ in the log file. I know I can do a seperate export to specifically get the sys.aud$ table but is there any way to include it in with my full export?
  Thanks in advance for any suggestion.

  here's more background infomation... I have some audits setup on my database for one of my users. Every quarter I have an automated job that runs that creates a usage/statics report for this person using data in aud$. at the end of the job I export the aud$ table and truncate it. However last quarter I found that there was a mistake in my report and my export did not run properly thus my audit data was gone. i also have full datapump exports that run daily but found that aud$ was not there. so that is why I thought I'd like to include sys.aud$ in the full datapump exports.
  i understand why other sys tables would be left out of a full export but aud$ data cannot be reproduced so to me it makes sense to include it in a full export.
  don't worry, we run our true backups using rman which is eventually how I got the aud$ data back by creating a copy of my database up until the time of the truncate. however this was quite time consuming.

• Moving sys.aud$ to a different tablespace other than system

  Hi,
  I have a 10g RAC database system with a high volume of activity and would like to monitor a large slice of it using audit.
  I have reviewed all options of audit trails and chose “db, extended” to be the most suitable for my purposes!
  I’ve noticed that all audit data goes to sys.aud$ table in system tablespace.
  I have 3 questions:
  1. What is the logic behind putting this table in systems tablespace and not sysaux (10g)?
  2. Can I move sys.aud$ table to a different tablespace (should I expect trouble for doing so)?
  3. Is there any RAC implication if I move sys.aud$ table to a different tablespace?
  Regards,
  Tal Olier
  [email protected]

  That's true, it's not recommanded to move a sys table... but we can find some good explanation for this one for aud$ table.<br>
  See Metalink Note 72460.1 : Moving AUD$ to another tablespace and adding triggers to AUD$<br>
  Or google search give some good results.<br>
  Nicolas.

• What is sessionid field in SYS.AUD$ table

  Hi,
  Can anyone say,what is sessionid field in sys.aud$ table..It seems different than the sessions

  Look at the session value in sys.aud$ table.
  QL> select sessionid from sys.aud$ where rownum<10;
  SESSIONID
  459521060
  459521607
  459521661
  459521901
  459521954
  459522004
  459522052
  459522262
  459522424
  It seems that,its not asession id.Mostly sessionid length ll be in3-4.

• Querying the sys.aud$ table

  can any one tell me which column of the sys.aud$ (audit trail) table is the one that shows when the grant occurred.
  I did a desc sys.aud$ ,but i cannot tell which one is the right column.
  thanks in advance

  you can see view DBA_AUDIT_TRAIL, column timestamp.

• Deleting records from sys.aud$ from stored procedure

  We have a stored procedure that is trying to move records from the sys.aud$ table to a historical table (in an attempt to keep sys.aud$ to a more manageable size, I guess -- full disclosure I did not write this proc). The basic flow is:
  select count(*) into rowcount from sys.aud$
  if (rowcount > 1000) {
  copy all rows from sys.aud$ to historical table
  delete from sys.aud$
  I am told this proc used to work just fine in the murky past (I am new to the client) but has now not worked for some time. When we try and compile the proc, we get the error
  "table or view does not exist," and the highlighted line is the "delete from sys.aud$". The "select count(*) from sys.aud$" line appears to cause no issue, but the proc will not compile as is. If I comment out the "delete from sys.aud$" line, however, the proc compiles just fine.
  Confusingly, if I log in as the same account that owns this proc, I can run both the select count(*) from sys.aud$ AND delete from sys.aud$ clauses with no complaints at all (altering slightly to work with only 1 record at a time, of course), but I cannot get the same to compile within a stored proc.
  I assume this is permissions related? Can anyone point me to the permissions the owner requires to be able to delete from sys.aud$ within a stored procedure? Or is there something else that needs to be done here? Any pointers much appreciated.
  Thanks.

  956928 wrote:
  We have a stored procedure that is trying to move records from the sys.aud$ table to a historical table (in an attempt to keep sys.aud$ to a more manageable size, I guess -- full disclosure I did not write this proc). The basic flow is:
  select count(*) into rowcount from sys.aud$
  if (rowcount > 1000) {
  copy all rows from sys.aud$ to historical table
  delete from sys.aud$
  I am told this proc used to work just fine in the murky past (I am new to the client) but has now not worked for some time. When we try and compile the proc, we get the error
  "table or view does not exist," and the highlighted line is the "delete from sys.aud$". The "select count(*) from sys.aud$" line appears to cause no issue, but the proc will not compile as is. If I comment out the "delete from sys.aud$" line, however, the proc compiles just fine.
  Confusingly, if I log in as the same account that owns this proc, I can run both the select count(*) from sys.aud$ AND delete from sys.aud$ clauses with no complaints at all (altering slightly to work with only 1 record at a time, of course), but I cannot get the same to compile within a stored proc.
  I assume this is permissions related? Can anyone point me to the permissions the owner requires to be able to delete from sys.aud$ within a stored procedure? Or is there something else that needs to be done here? Any pointers much appreciated.
  Thanks.privileges acquired via ROLE do NOT apply within named PL/SQL procedures.
  GRANT DELETE ON SYS.AUD$ TO <your_schema>;

• AUDIT SYS.AUD$

  Hi All,
  We have audit in our database and we execute the following commands:
  SQL> AUDIT ALL on SYS.AUD$;
  Audit succeeded.
  SQL> SELECT * from DBA_OBJ_AUDIT_OPTS;
  OWNER                          OBJECT_NAME                    OBJECT_TYPE             ALT AUD COM DEL GRA IND INS LOC REN SEL UPD REF EXE CRE REA WRI FBK
  SYS                            AUD$                           TABLE                   S/S S/S S/S S/S S/S S/S S/S S/S S/S S/S S/S -/- -/- -/- -/- -/- S/S
  SQL> show parameter audit
  NAME                                 TYPE        VALUE
  audit_file_dest                      string      /opt/oracle/admin/INS_D_PS_NGB
                                                   _OFM/adump
  audit_sys_operations                 boolean     FALSE
  audit_syslog_level                   string
  audit_trail                          string      DB
  The problem is, client is saying audit is not completed as its not showing for all actions :
  WRI REA CRE EXE REF it still showing -/-
  how to enable audit for all above actions also?
  Please suggest. thanks.
  Regards,
  Ankit

  Ankit, not all auditable operations apply to all object types such as you cannot use the execute privilege against a table.  Take another look at the what privileges are not showing.
  HTH -- Mark D Powell --

• How to find SQL Statement fired using SYS.AUD$ - Database Auditing

  Dear Friends
  I am having Oracle 9i Database and have configured it with database auditing option by setting the following parameter in init.ora file
  AUDIT_TRAIL = "DB"
  I want to audit SELECT, INSERT , UPDATE and DELETE operations on PRACTICE.EMP table for which I did :
  1) Logged in as SYS
  2) SQL> AUDIT SELECT, INSERT, UPDATE, DELETE
  ON PRACTICE.EMP
  BY ACCESS
  WHENEVER SUCCESSFUL;
  Audit Succedded
  Now how should I find out the SQL statement that does the insert, update or delete operation on the EMP table using SYS.AUD$ table
  Thanks

  Hi,
  It's contents can be viewed directly or via the following views:
  * DBA_AUDIT_EXISTS
  * DBA_AUDIT_OBJECT
  * DBA_AUDIT_SESSION
  * DBA_AUDIT_STATEMENT
  * DBA_AUDIT_TRAIL
  * DBA_OBJ_AUDIT_OPTS
  * DBA_PRIV_AUDIT_OPTS
  * DBA_STMT_AUDIT_OPTS
  The audit trail contains a lot of data, but the following are most likely to be of interest:
  * Username : Oracle Username.
  * Terminal : Machine that the user performed the action from.
  * Timestamp : When the action occured.
  * Object Owner : The owner of the object that was interacted with.
  * Object Name : The name of the object that was interacted with.
  * Action Name : The action that occured against the object. (INSERT, UPDATE, DELETE, SELECT, EXECUTE)
  So, take a look at action_name column from DBA_AUDIT_TRAIL view.
  Cheers
  Legatti

• Auditing SYS.AUD$ in Oracle 10g

  We created a new 10g database and imported our 9i database schema into it. One of our application teams, used to run reports on the SYS.AUD$ table in Oracle 9i.
  Currently in the new 10g database, they said they get an error saying table does not exist, which is probably to do with privileges and easily sorted.
  However, when I checked the SYS.AUD$ table, there were no records in the table. When I then did a SHOW PARAMETER AUDIT, I got the following output
  SQL> show parameter audit
  NAME                                 TYPE        VALUE
  audit_file_dest                      string      /Oracle10/admin/hpmslive/adump
  audit_sys_operations                 boolean     FALSE
  audit_syslog_level                   string
  audit_trail                          string      DBI checked the /Oracle10/admin/hpmslive/adump directory and it contained lots of .aud files. So basically I think that is where the audit data is going. However why is it going to the OS, inspite of me having clearly said AUDIT_TRAIL=DB. I checked the AUDIT_FILE_DEST parameter and it says AUDIT_FILE_DEST specifies the operating system directory into which the audit trail is written when the AUDIT_TRAIL initialization parameter is set to os, xml, or xml,extended.
  Considering that the AUDIT_TRAIL is set to DB, why is the audit being written to the AUDIT_FILE_DEST?
  Regards
  S Dhavan

  You can answer the question on why audit_file_destination is set by looking in the Reference manual:
  AUDIT_FILE_DEST specifies the operating system directory into which the audit trail is
  written when the AUDIT_TRAIL initialization parameter is set to os, xml, or xml,extended.
  The audit records will be written in XML format if the AUDIT_TRAIL initialization parameter
  is set to XML. It is also the location to which mandatory auditing information is written and,
  if so specified by the AUDIT_SYS_OPERATIONS initialization parameter, audit records for
  user SYS.It is not a factor for your issue as you are writing to sys.aud$ based on whatever audit rules you have configured on the new instance.
  HTH -- Mark D Powell --
  edit (twice) in attemp to add CR to eliminate need to scrool
  Edited by: Mark D Powell on Dec 22, 2009 9:14 AM
  Edited by: Mark D Powell on Dec 22, 2009 9:16 AM

• Sys.aud$ table

  Hi,
  I need to get the auditing information for the last seven days fron the auditing table for users other than apps.I tried the below query.Please correct me if it is wrong.The query takes
  a long time to execute and no output dispayed.Please inform me whether the below query is correct and inform me if i need to do any modifications.
  select userid,userhost,terminal,action#,obj$name, NTIMESTAMP# from sys.aud$ where action#=3 and timestamp# >=(sysdate-7) and userid not in ('APPS') order by ntimestamp# desc;
  Regards
  Aram

  You are SELECTing and ORDERing using column NTIMESTAMP#, but WHERE clause is using TIMESTAMP# (different column), most likely leading to a poor execution plan. Is the statement you posted syntactically correct ?
  MOS Doc 1025314.6 - Descriptions of Action Code and Privileges Used in Fields in SYS.AUD$ Table
  HTH
  Srini

• Sys.aud$ Table not accesible over PL/SQL ?

  I try to do the follow.
  When you start the auditing with specific command like AUDIT
  SESSION; it will produce many many rows in the sys.aud$ table.
  This is the reason while we need to maintain the data witch exist
  then in thsi table.
  I did try it to do this with a separate user like AUDITER.
  I gave them from the sys user the follow permissions:
  GRANT select, delete, update , insert to AUDITER;
  If i try now to select from SYS.AUD$ it works if i do it with a
  separet select statement like :
  SELECT * FROM SYS.AUD$.
  If i make a PROCEDURE like folow :
  PROCEDURE proceed_audit as
  CURSOR audtab is select * from sys.aud$
  BEGIN
  END;
  Oracle generate the message :
  PLS-00201: identifier 'SYS.AUD$' must be declared
  I don't anderstand this message, becose this object exists and in
  "SQL" i can use it.
  Can anyone help me ?
  Thanks
  P.S. it's the Oracle version 8.1.7i

  Are you sure the user that is executing the PL/SQL block has
  direct grants to the tables you are referencing? I.E. NOT
  through a role? PL/SQL requires the user to have direct grants
  to the object it references. Granting DBA to the user won't have
  any affect on the execution of the PL/SQL

• Strange issue on deleting some rows on SYS.AUD$ table

  I just found out this strange thing happened on my 10gR2 database. I created a user called AUDIT_LOG and GRANT DELETE, REFERENCES, SELECT ON SYS.AUD$ TO AUDIT_LOG when I logged on as SYS dba.
  (1) Then I logged on as AUDIT_LOG user, tested the following statements:
  SELECT count(*) from sys.aud$ where ntimestamp# < TRUNC (SYSDATE-14);
  COUNT(*)
  2
  DELETE from sys.aud$ where ntimestamp# < TRUNC(SYSDATE-14);
  0 rows deleted
  (2) When I logged on as SYS account, SYS deleted them all,
  DELETE from sys.aud$ where ntimestamp# < TRUNC(SYSDATE-14);
  2 rows deleted
  I don't understand why the AUDIT_LOG user can't delete that two rows?
  Thanks for your help!
  lixidon

  Apologies for misreading the first time. I am wondering if the rows in question were related to audit actions on sys.aud$ itself as those rows should not be deleted by the AUDIT_LOG user (even if the user has been granted delete).
  Here's an excerpt from the Security Guide under the "Protecting the Standard Audit Trail" section:
  Audit records generated as a result of object audit options set for the SYS.AUD$ table can only be deleted from the audit trail by someone connected with administrator privileges, which itself has protection against unauthorized use.
  Here's a quick example illustrating this:
  SQL> connect / as sysdba
  Connected.
  SQL> grant delete, references, select on sys.aud$ to scott;
  Grant succeeded.
  SQL> connect scott/tiger
  Connected.
  SQL> select count(*) from sys.aud$ where sessionid = 30002;
    COUNT(*)
           2
  1 row selected.
  SQL> delete from sys.aud$ where sessionid = 30002;
  2 rows deleted.
  SQL> commit;
  -- now try to delete the sys.aud$ rows related to the above delete
  -- this will not succeed as user scott even though delete has been granted
  -- the session that performed the delete is 422426
  SQL> select count(*) from sys.aud$ where obj$name = 'AUD$' and action# = 7 and sessionid = 422426;
    COUNT(*)
           2
  1 row selected.
  SQL> delete from sys.aud$ where obj$name = 'AUD$' and action# = 7 and sessionid = 422426;
  0 rows deleted.
  SQL>Regards,
  Mark

• EM shows alert "User SYS logged on from node but no entry in SYS.AUD$

  Hello,
  When i look on the alert page of my databases i see sometimes the following message "User SYS logged on from <node>.
  I have setup several audit actions, like "create session" to track sessions.
  But in table SYS.AUD$ i see many records, but not the one of user SYS.
  Why? Anyone an idea?
  Best regards,
  hvdtol

  i understand it is comming from metrics, but i don't understand why i can see it in the sys.aud$ table.
  hvdtol

• What is the cause of a null username in sys.aud$

  I have two records in sys.aud$ with a null username. They are a logon and a alter user. What does that mean? Was it a connect / as sysdba?

  I found your other post in the JDBC forum, and I now understand what you're trying to do. Off the top of my head, I see no solution, other than parsing all the column names sent into the PreparedStatement against the MetaData about the table(s), views, what have you.
  Other than that, you would have to add a third arraylist of column types, but that makes calling the functions more difficult.
  Lastaly, and not a good option even if it worked, some vendors have extensions off of JDBC (e.g. Oracle). You can cast sql objects into their objects, and they may provide a generic setNull, dont' know, haven't looked, just thought of it as a possiility. Of course, then you're not pure JDBC anymore.....
  We'll see if anyone else has any ideas.
  bRi

• Export  "sys.aud$"  table as system user using datapump

  Friends,
  I want to export (using datapump 'expdp') the sys user's AUD$ table (sys.aud$) as the system
  user . But it shows the following error :
  bash-3.00$ expdp system/sys123@onlinete directory=test_dir TABLES=sys.AUD$ DUMPFILE=sysaud.$Date.dmp logfile=audit.$date.log
  Export: Release 10.2.0.1.0 - 64bit Production on Wednesday, 14 January, 2009 13:30:56
  Copyright (c) 2003, 2005, Oracle. All rights reserved.
  Connected to: Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - 64bit Production
  With the Partitioning, OLAP and Data Mining options
  Starting "SYSTEM"."SYS_EXPORT_TABLE_01": system/********@onlinete directory=test_dir TABLES=sys.AUD$ DUMPFILE=sysaud..dmp logfile=audit..log
  Estimate in progress using BLOCKS method...
  Processing object type TABLE_EXPORT/TABLE/TABLE_DATA
  Total estimation using BLOCKS method: 0 KB
  ORA-39165: Schema SYS was not found.
  ORA-39166: Object AUD$ was not found.
  ORA-31655: no data or metadata objects selected for job
  Job "SYSTEM"."SYS_EXPORT_TABLE_01" completed with 3 error(s) at 13:31:01
  It also shows error when I take it as SYS user :
  bash-3.00$ expdp sys/sys123@onlinete directory=test_dir TABLES=sys.AUD$ DUMPFILE=sysaud.$Date.dmp logfile=audit.$date.log
  Export: Release 10.2.0.1.0 - 64bit Production on Wednesday, 14 January, 2009 13:35:19
  Copyright (c) 2003, 2005, Oracle. All rights reserved.
  UDE-00008: operation generated ORACLE error 28009
  ORA-28009: connection as SYS should be as SYSDBA or SYSOPER
  Username: sys/sys123 as sysdba
  Connected to: Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - 64bit Production
  With the Partitioning, OLAP and Data Mining options
  Starting "SYS"."SYS_EXPORT_TABLE_01": sys/******** AS SYSDBA directory=test_dir TABLES=sys.AUD$ DUMPFILE=sysaud..dmp logfile=audit..log
  Estimate in progress using BLOCKS method...
  Processing object type TABLE_EXPORT/TABLE/TABLE_DATA
  Total estimation using BLOCKS method: 0 KB
  ORA-39165: Schema SYS was not found.
  ORA-39166: Object AUD$ was not found.
  ORA-31655: no data or metadata objects selected for job
  Job "SYS"."SYS_EXPORT_TABLE_01" completed with 3 error(s) at 13:35:29
  I dont understand the problem why it is not working . Need advice plz ... ...

  But that's not fair..
  Imagine the situation, where I figured out that some data was edited a year ago, but I don't know by whom.. Audit was enabled at that time, I was exporting (using the regular exp) AUD$ table during the year, everything is good.. BUT.. Two months ago I upgraded my DB to 11g. Hence I cannot use imp in order to restore the table and see what was going on a year ago.. That means that I always have to have an ability to create 10g database in order to use my AUD$ export??
  Is there any other way of backing up this table? Sop far I was doing exp+truncate, but since 11g release where exp/imp are not supported I am trying to think about another way of dealing with the audit...
  does anybody have ideas about it?
  thanks,
  M