Sys.aud$ Table not accesible over PL/SQL ?

Similar Messages

• Strange issue on deleting some rows on SYS.AUD$ table

  I just found out this strange thing happened on my 10gR2 database. I created a user called AUDIT_LOG and GRANT DELETE, REFERENCES, SELECT ON SYS.AUD$ TO AUDIT_LOG when I logged on as SYS dba.
  (1) Then I logged on as AUDIT_LOG user, tested the following statements:
  SELECT count(*) from sys.aud$ where ntimestamp# < TRUNC (SYSDATE-14);
  COUNT(*)
  2
  DELETE from sys.aud$ where ntimestamp# < TRUNC(SYSDATE-14);
  0 rows deleted
  (2) When I logged on as SYS account, SYS deleted them all,
  DELETE from sys.aud$ where ntimestamp# < TRUNC(SYSDATE-14);
  2 rows deleted
  I don't understand why the AUDIT_LOG user can't delete that two rows?
  Thanks for your help!
  lixidon

  Apologies for misreading the first time. I am wondering if the rows in question were related to audit actions on sys.aud$ itself as those rows should not be deleted by the AUDIT_LOG user (even if the user has been granted delete).
  Here's an excerpt from the Security Guide under the "Protecting the Standard Audit Trail" section:
  Audit records generated as a result of object audit options set for the SYS.AUD$ table can only be deleted from the audit trail by someone connected with administrator privileges, which itself has protection against unauthorized use.
  Here's a quick example illustrating this:
  SQL> connect / as sysdba
  Connected.
  SQL> grant delete, references, select on sys.aud$ to scott;
  Grant succeeded.
  SQL> connect scott/tiger
  Connected.
  SQL> select count(*) from sys.aud$ where sessionid = 30002;
    COUNT(*)
           2
  1 row selected.
  SQL> delete from sys.aud$ where sessionid = 30002;
  2 rows deleted.
  SQL> commit;
  -- now try to delete the sys.aud$ rows related to the above delete
  -- this will not succeed as user scott even though delete has been granted
  -- the session that performed the delete is 422426
  SQL> select count(*) from sys.aud$ where obj$name = 'AUD$' and action# = 7 and sessionid = 422426;
    COUNT(*)
           2
  1 row selected.
  SQL> delete from sys.aud$ where obj$name = 'AUD$' and action# = 7 and sessionid = 422426;
  0 rows deleted.
  SQL>Regards,
  Mark

• Is there a way to include the sys.aud$ table in a full database dp export?

  I am doing an export using the following parfile information:
  userid=/
  directory=datapump_nightly_export
  dumpfile=test_expdp.dmp
  logfile=test_expdp.log
  full=y
  content=all
  However when I run this I do not see the sys.aud$ in the log file. I know I can do a seperate export to specifically get the sys.aud$ table but is there any way to include it in with my full export?
  Thanks in advance for any suggestion.

  here's more background infomation... I have some audits setup on my database for one of my users. Every quarter I have an automated job that runs that creates a usage/statics report for this person using data in aud$. at the end of the job I export the aud$ table and truncate it. However last quarter I found that there was a mistake in my report and my export did not run properly thus my audit data was gone. i also have full datapump exports that run daily but found that aud$ was not there. so that is why I thought I'd like to include sys.aud$ in the full datapump exports.
  i understand why other sys tables would be left out of a full export but aud$ data cannot be reproduced so to me it makes sense to include it in a full export.
  don't worry, we run our true backups using rman which is eventually how I got the aud$ data back by creating a copy of my database up until the time of the truncate. however this was quite time consuming.

• Sys.aud$ table

  Hi,
  I need to get the auditing information for the last seven days fron the auditing table for users other than apps.I tried the below query.Please correct me if it is wrong.The query takes
  a long time to execute and no output dispayed.Please inform me whether the below query is correct and inform me if i need to do any modifications.
  select userid,userhost,terminal,action#,obj$name, NTIMESTAMP# from sys.aud$ where action#=3 and timestamp# >=(sysdate-7) and userid not in ('APPS') order by ntimestamp# desc;
  Regards
  Aram

  You are SELECTing and ORDERing using column NTIMESTAMP#, but WHERE clause is using TIMESTAMP# (different column), most likely leading to a poor execution plan. Is the statement you posted syntactically correct ?
  MOS Doc 1025314.6 - Descriptions of Action Code and Privileges Used in Fields in SYS.AUD$ Table
  HTH
  Srini

• What is sessionid field in SYS.AUD$ table

  Hi,
  Can anyone say,what is sessionid field in sys.aud$ table..It seems different than the sessions

  Look at the session value in sys.aud$ table.
  QL> select sessionid from sys.aud$ where rownum<10;
  SESSIONID
  459521060
  459521607
  459521661
  459521901
  459521954
  459522004
  459522052
  459522262
  459522424
  It seems that,its not asession id.Mostly sessionid length ll be in3-4.

• Export  "sys.aud$"  table as system user using datapump

  Friends,
  I want to export (using datapump 'expdp') the sys user's AUD$ table (sys.aud$) as the system
  user . But it shows the following error :
  bash-3.00$ expdp system/sys123@onlinete directory=test_dir TABLES=sys.AUD$ DUMPFILE=sysaud.$Date.dmp logfile=audit.$date.log
  Export: Release 10.2.0.1.0 - 64bit Production on Wednesday, 14 January, 2009 13:30:56
  Copyright (c) 2003, 2005, Oracle. All rights reserved.
  Connected to: Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - 64bit Production
  With the Partitioning, OLAP and Data Mining options
  Starting "SYSTEM"."SYS_EXPORT_TABLE_01": system/********@onlinete directory=test_dir TABLES=sys.AUD$ DUMPFILE=sysaud..dmp logfile=audit..log
  Estimate in progress using BLOCKS method...
  Processing object type TABLE_EXPORT/TABLE/TABLE_DATA
  Total estimation using BLOCKS method: 0 KB
  ORA-39165: Schema SYS was not found.
  ORA-39166: Object AUD$ was not found.
  ORA-31655: no data or metadata objects selected for job
  Job "SYSTEM"."SYS_EXPORT_TABLE_01" completed with 3 error(s) at 13:31:01
  It also shows error when I take it as SYS user :
  bash-3.00$ expdp sys/sys123@onlinete directory=test_dir TABLES=sys.AUD$ DUMPFILE=sysaud.$Date.dmp logfile=audit.$date.log
  Export: Release 10.2.0.1.0 - 64bit Production on Wednesday, 14 January, 2009 13:35:19
  Copyright (c) 2003, 2005, Oracle. All rights reserved.
  UDE-00008: operation generated ORACLE error 28009
  ORA-28009: connection as SYS should be as SYSDBA or SYSOPER
  Username: sys/sys123 as sysdba
  Connected to: Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - 64bit Production
  With the Partitioning, OLAP and Data Mining options
  Starting "SYS"."SYS_EXPORT_TABLE_01": sys/******** AS SYSDBA directory=test_dir TABLES=sys.AUD$ DUMPFILE=sysaud..dmp logfile=audit..log
  Estimate in progress using BLOCKS method...
  Processing object type TABLE_EXPORT/TABLE/TABLE_DATA
  Total estimation using BLOCKS method: 0 KB
  ORA-39165: Schema SYS was not found.
  ORA-39166: Object AUD$ was not found.
  ORA-31655: no data or metadata objects selected for job
  Job "SYS"."SYS_EXPORT_TABLE_01" completed with 3 error(s) at 13:35:29
  I dont understand the problem why it is not working . Need advice plz ... ...

  But that's not fair..
  Imagine the situation, where I figured out that some data was edited a year ago, but I don't know by whom.. Audit was enabled at that time, I was exporting (using the regular exp) AUD$ table during the year, everything is good.. BUT.. Two months ago I upgraded my DB to 11g. Hence I cannot use imp in order to restore the table and see what was going on a year ago.. That means that I always have to have an ability to create 10g database in order to use my AUD$ export??
  Is there any other way of backing up this table? Sop far I was doing exp+truncate, but since 11g release where exp/imp are not supported I am trying to think about another way of dealing with the audit...
  does anybody have ideas about it?
  thanks,
  M

• Querying the sys.aud$ table

  can any one tell me which column of the sys.aud$ (audit trail) table is the one that shows when the grant occurred.
  I did a desc sys.aud$ ,but i cannot tell which one is the right column.
  thanks in advance

  you can see view DBA_AUDIT_TRAIL, column timestamp.

• Query remote table not working in PL/SQL

  I have a problem that is killing me to figure out. Basically we trying to query a remote table through PL/SQL and it comes back with invalid column name for the table. But the table exists in the remote database and has the column. The query works fine from the same database outside of PL/SQL, just not in PL/SQL. I'll setup a test case below.
  We have local database called DB1 and remote database called DB2. The table we are querying is called EMP.
  First we create database link:
  create database link DB2.WORLD connect to...
  Test the link:
  select ENAME from [email protected];
  ENAME
  SHAWN
  Works fine.
  Now we put this query inside a PL/SQL block:
  declare
  l_ename varchar2(20);
  begin
  select ename into l_ename from [email protected];
  end;
  This fails with the following error:
  select ename
  ERROR at line 274:
  ORA-06550: line 274, column 7:
  PL/SQL: ORA-00904: invalid column name
  ORA-06550: line 271, column 3:
  PL/SQL: SQL Statement ignored
  ORA-06550: line 279, column 9:
  PL/SQL: ORA-00904: invalid column name
  ORA-06550: line 277, column 3:
  PL/SQL: SQL Statement ignored
  Now, I've tried changing how we select from the remote table, I've put the select statement in a cursor, tried creating a synonym which points to the remote table and selecting using the synonym in PL/SQL, it always returns the same error. But always works outside of PL/SQL.
  Now the user we are connecting to the remote database as, has select on the EMP table, through a role, along with 30 other tables, all the other tables are able to be selected through the database link, in PL/SQL, it's just this one table.
  Additionally I can go to another database, and create the same database link, and the query in PL/SQL works fine to the remote table. It's just this one table, from this one database, that doesn't work just in PL/SQL. Any ideas would be appreciated, I've exhausted everything.
  Also, creating a copy of the table using "create table as select * from..." we can select from the copy of the table using PL/SQL through the database link. The problem is this is a central warehouse table, and is used my multiple applications and updated constantly, so dropping a recreating this table is a last resort.
  Yes, this process did work, for over a year, then suddenly it stopped. Of course, no one made any changes to either database, that's always the case. I know the code didn't change though, it was still timestamped from a year ago.
  Thanks in advance.

  Could this be a variant on an old favourite, viz privileges being granted through roles. We cannot use objects in PL/SQL if our privileges are assigned through a role.
  Maybe what has changed is that instead of being granted privileges on EMP@DB2 directly the privileges have been re-organised so that your user has them granted through a role.
  Cheers, APC

• How to find SQL Statement fired using SYS.AUD$ - Database Auditing

  Dear Friends
  I am having Oracle 9i Database and have configured it with database auditing option by setting the following parameter in init.ora file
  AUDIT_TRAIL = "DB"
  I want to audit SELECT, INSERT , UPDATE and DELETE operations on PRACTICE.EMP table for which I did :
  1) Logged in as SYS
  2) SQL> AUDIT SELECT, INSERT, UPDATE, DELETE
  ON PRACTICE.EMP
  BY ACCESS
  WHENEVER SUCCESSFUL;
  Audit Succedded
  Now how should I find out the SQL statement that does the insert, update or delete operation on the EMP table using SYS.AUD$ table
  Thanks

  Hi,
  It's contents can be viewed directly or via the following views:
  * DBA_AUDIT_EXISTS
  * DBA_AUDIT_OBJECT
  * DBA_AUDIT_SESSION
  * DBA_AUDIT_STATEMENT
  * DBA_AUDIT_TRAIL
  * DBA_OBJ_AUDIT_OPTS
  * DBA_PRIV_AUDIT_OPTS
  * DBA_STMT_AUDIT_OPTS
  The audit trail contains a lot of data, but the following are most likely to be of interest:
  * Username : Oracle Username.
  * Terminal : Machine that the user performed the action from.
  * Timestamp : When the action occured.
  * Object Owner : The owner of the object that was interacted with.
  * Object Name : The name of the object that was interacted with.
  * Action Name : The action that occured against the object. (INSERT, UPDATE, DELETE, SELECT, EXECUTE)
  So, take a look at action_name column from DBA_AUDIT_TRAIL view.
  Cheers
  Legatti

• Auditing SYS.AUD$ in Oracle 10g

  We created a new 10g database and imported our 9i database schema into it. One of our application teams, used to run reports on the SYS.AUD$ table in Oracle 9i.
  Currently in the new 10g database, they said they get an error saying table does not exist, which is probably to do with privileges and easily sorted.
  However, when I checked the SYS.AUD$ table, there were no records in the table. When I then did a SHOW PARAMETER AUDIT, I got the following output
  SQL> show parameter audit
  NAME                                 TYPE        VALUE
  audit_file_dest                      string      /Oracle10/admin/hpmslive/adump
  audit_sys_operations                 boolean     FALSE
  audit_syslog_level                   string
  audit_trail                          string      DBI checked the /Oracle10/admin/hpmslive/adump directory and it contained lots of .aud files. So basically I think that is where the audit data is going. However why is it going to the OS, inspite of me having clearly said AUDIT_TRAIL=DB. I checked the AUDIT_FILE_DEST parameter and it says AUDIT_FILE_DEST specifies the operating system directory into which the audit trail is written when the AUDIT_TRAIL initialization parameter is set to os, xml, or xml,extended.
  Considering that the AUDIT_TRAIL is set to DB, why is the audit being written to the AUDIT_FILE_DEST?
  Regards
  S Dhavan

  You can answer the question on why audit_file_destination is set by looking in the Reference manual:
  AUDIT_FILE_DEST specifies the operating system directory into which the audit trail is
  written when the AUDIT_TRAIL initialization parameter is set to os, xml, or xml,extended.
  The audit records will be written in XML format if the AUDIT_TRAIL initialization parameter
  is set to XML. It is also the location to which mandatory auditing information is written and,
  if so specified by the AUDIT_SYS_OPERATIONS initialization parameter, audit records for
  user SYS.It is not a factor for your issue as you are writing to sys.aud$ based on whatever audit rules you have configured on the new instance.
  HTH -- Mark D Powell --
  edit (twice) in attemp to add CR to eliminate need to scrool
  Edited by: Mark D Powell on Dec 22, 2009 9:14 AM
  Edited by: Mark D Powell on Dec 22, 2009 9:16 AM

• Deleting records from sys.aud$ from stored procedure

  We have a stored procedure that is trying to move records from the sys.aud$ table to a historical table (in an attempt to keep sys.aud$ to a more manageable size, I guess -- full disclosure I did not write this proc). The basic flow is:
  select count(*) into rowcount from sys.aud$
  if (rowcount > 1000) {
  copy all rows from sys.aud$ to historical table
  delete from sys.aud$
  I am told this proc used to work just fine in the murky past (I am new to the client) but has now not worked for some time. When we try and compile the proc, we get the error
  "table or view does not exist," and the highlighted line is the "delete from sys.aud$". The "select count(*) from sys.aud$" line appears to cause no issue, but the proc will not compile as is. If I comment out the "delete from sys.aud$" line, however, the proc compiles just fine.
  Confusingly, if I log in as the same account that owns this proc, I can run both the select count(*) from sys.aud$ AND delete from sys.aud$ clauses with no complaints at all (altering slightly to work with only 1 record at a time, of course), but I cannot get the same to compile within a stored proc.
  I assume this is permissions related? Can anyone point me to the permissions the owner requires to be able to delete from sys.aud$ within a stored procedure? Or is there something else that needs to be done here? Any pointers much appreciated.
  Thanks.

  956928 wrote:
  We have a stored procedure that is trying to move records from the sys.aud$ table to a historical table (in an attempt to keep sys.aud$ to a more manageable size, I guess -- full disclosure I did not write this proc). The basic flow is:
  select count(*) into rowcount from sys.aud$
  if (rowcount > 1000) {
  copy all rows from sys.aud$ to historical table
  delete from sys.aud$
  I am told this proc used to work just fine in the murky past (I am new to the client) but has now not worked for some time. When we try and compile the proc, we get the error
  "table or view does not exist," and the highlighted line is the "delete from sys.aud$". The "select count(*) from sys.aud$" line appears to cause no issue, but the proc will not compile as is. If I comment out the "delete from sys.aud$" line, however, the proc compiles just fine.
  Confusingly, if I log in as the same account that owns this proc, I can run both the select count(*) from sys.aud$ AND delete from sys.aud$ clauses with no complaints at all (altering slightly to work with only 1 record at a time, of course), but I cannot get the same to compile within a stored proc.
  I assume this is permissions related? Can anyone point me to the permissions the owner requires to be able to delete from sys.aud$ within a stored procedure? Or is there something else that needs to be done here? Any pointers much appreciated.
  Thanks.privileges acquired via ROLE do NOT apply within named PL/SQL procedures.
  GRANT DELETE ON SYS.AUD$ TO <your_schema>;

• AUDIT SYS.AUD$

  Hi All,
  We have audit in our database and we execute the following commands:
  SQL> AUDIT ALL on SYS.AUD$;
  Audit succeeded.
  SQL> SELECT * from DBA_OBJ_AUDIT_OPTS;
  OWNER                          OBJECT_NAME                    OBJECT_TYPE             ALT AUD COM DEL GRA IND INS LOC REN SEL UPD REF EXE CRE REA WRI FBK
  SYS                            AUD$                           TABLE                   S/S S/S S/S S/S S/S S/S S/S S/S S/S S/S S/S -/- -/- -/- -/- -/- S/S
  SQL> show parameter audit
  NAME                                 TYPE        VALUE
  audit_file_dest                      string      /opt/oracle/admin/INS_D_PS_NGB
                                                   _OFM/adump
  audit_sys_operations                 boolean     FALSE
  audit_syslog_level                   string
  audit_trail                          string      DB
  The problem is, client is saying audit is not completed as its not showing for all actions :
  WRI REA CRE EXE REF it still showing -/-
  how to enable audit for all above actions also?
  Please suggest. thanks.
  Regards,
  Ankit

  Ankit, not all auditable operations apply to all object types such as you cannot use the execute privilege against a table.  Take another look at the what privileges are not showing.
  HTH -- Mark D Powell --

• Moving sys.aud$ to a different tablespace other than system

  Hi,
  I have a 10g RAC database system with a high volume of activity and would like to monitor a large slice of it using audit.
  I have reviewed all options of audit trails and chose “db, extended” to be the most suitable for my purposes!
  I’ve noticed that all audit data goes to sys.aud$ table in system tablespace.
  I have 3 questions:
  1. What is the logic behind putting this table in systems tablespace and not sysaux (10g)?
  2. Can I move sys.aud$ table to a different tablespace (should I expect trouble for doing so)?
  3. Is there any RAC implication if I move sys.aud$ table to a different tablespace?
  Regards,
  Tal Olier
  [email protected]

  That's true, it's not recommanded to move a sys table... but we can find some good explanation for this one for aud$ table.<br>
  See Metalink Note 72460.1 : Moving AUD$ to another tablespace and adding triggers to AUD$<br>
  Or google search give some good results.<br>
  Nicolas.

• EM shows alert "User SYS logged on from node but no entry in SYS.AUD$

  Hello,
  When i look on the alert page of my databases i see sometimes the following message "User SYS logged on from <node>.
  I have setup several audit actions, like "create session" to track sessions.
  But in table SYS.AUD$ i see many records, but not the one of user SYS.
  Why? Anyone an idea?
  Best regards,
  hvdtol

  i understand it is comming from metrics, but i don't understand why i can see it in the sys.aud$ table.
  hvdtol

• Aud$ table in system schema????

  Dear all.
  Facts: oracle 9204 enterprise. Data guard config.
  OS. AIX 5.3
  Some weeks ago i started to manage a database with the facts describe above. Well. I was viewing the config and i saw a strange configuration...
  My table AUD$ is in the system schema.
  There aren't AUD$ table in SYS schema.
  Exists a synonym sys.aud$ for system.aud$.
  I knew that this table exists en SYS schema and from time to time we can move the records into another schema for storage and performance. But in SYSTEM schema?
  Or exists a parameter in 9i that can i configure that ???
  Thanks a lot !!!!
  ps. apologize my english is not very well !!! =)

  It is quite possible that the AUD$ table was moved from the SYS schema into the SYSTEM schema. See these MOS Docs
  1019377.6 - Script to move SYS.AUD$ table out of SYSTEM tablespace
  72460.1 - Moving AUD$ to Another Tablespace and Adding Triggers to AUD$
  HTH
  Srini