Auditing an Oracle database for security issues is very important. provides all of the information and tools that you will need Click here for details of Limited's detailed Oracle database security audit service Click here for details of Limited's Oracle Security Training Courses
Cookie Policy:We only use essential cookies on small sections of this website. For details see here.

Welcome, Guest. Please Login.
Feb 25th, 2021, 3:07am
News: If you would like to register contact the forum admin
Home | Help | Search | Members | Login
   Pete Finnigan's Oracle Security Forum
   Oracle Security
   Oracle Auditing
(Moderator: Pete Finnigan)
   Auditing/Reporting DBA Actions
« No topic | Next topic »
Pages: 1  Reply | Notify of replies | Send Topic | Print
   Author  Topic: Auditing/Reporting DBA Actions  (Read 7231 times)
Pete Finnigan Administrator

Oracle Security is easier if you design for it

View Profile | WWW | Email

Gender: male
Posts: 309
Auditing/Reporting DBA Actions
« on: Nov 28th, 2014, 3:53pm »
Quote | Modify

Hi, I wonder if anyone can give me some advice here.
Apologies as this is quite long.
This is on Windows platform 2008 R2 64 bit and 10g/11g databases running Enterprise Edition 64bit
I have set up auditing on one of our databases as per compliance requirement.
I am auditing sys operations which are written to the Event Log on the Windows server.
I have a filter log set up filtering on Event ID 34 in Windows
Unfortunately there appears to be a lot of messages regarding backups.  I'm trying to create a process so that it would be easy to spot sysdba logins and actions.
Loads of messages about internal commands relating to what Datapump is doing does not seem helpful to me.
I just ran an rman crosscheck, report obsolete, delete obsolete and a few other clean up commands.
This has caused around 100 records to be written to the event log.
I have set up a test database to audit out to XML to see if this is any better.
Trying to filter out results, everything done by SYSDBA comes in with an ACTION of 0  (UNKNOWN)
Why is this?
Alter database backup controlfile to trace as normal user is recorded as Action 35 (ALTER DATABASE)

Alter database backup controlfile to trace as SYSDBA is recorded as Action 0 (UNKNOWN)

I presume something like Audit Vault would give some nice clear reports about what is going on but there is no appetite to spend any more money on tools at the moment.  
Does anyone know how to make auditing SYSDBA events manageable?
IP Logged

Pete Finnigan (
Oracle Security Web site:
Oracle security blog:
Pages: 1  Reply | Notify of replies | Send Topic | Print

« No topic | Next topic »

Powered by YaBB 1 Gold - SP 1.4!
Forum software copyright 2000-2004 Yet another Bulletin Board