1748242 Members
4205 Online
108759 Solutions
New Discussion юеВ

Re: doubt in audting

 
Nirmalkumar
Frequent Advisor

doubt in audting

Hi,

in my database audit_trail parameter is enabled to DB (AUDIT_TRAIL=DB).

and also i enabled statement level auditing
by the giving following queries

audit table by access;
audit insert table by access;
audit select table by access;
audit delete table by access;
audit update table by access;
audit alter table by access;

i found the output by the following select stmt


col username for a15;
col OBJ_NAME for a15;
col action_name for a15;
set pagesize 200;
select USERNAME,to_char(TIMESTAMP,'DD-MON-YY HH24:MI:SS') "ACTION_TIME",
ACTION_NAME,OBJ_NAME,RETURNCODE from dba_audit_trail
where timestamp > (select to_char(sysdate,'DD-MON-YY') from dual);

The output will select audit report for current day.
i have attached the output of select stmt with this thread.

MY DOUBT is

i can found list of output like this

USERNAME ACTION_TIME ACTION_NAME OBJ_NAME RETURNCODE
--------------- ------------------ --------------- --------------- ----------
STSDB 29-NOV-07 05:10:35 UPDATE SERIALNUMBER 0
STSDB 29-NOV-07 05:10:35 UPDATE SERIALNUMBER 0
STSDB 29-NOV-07 05:10:35 SELECT SERIALNUMBER 0
STSDB 29-NOV-07 05:10:35 UPDATE SERIALNUMBER 0
STSDB 29-NOV-07 05:10:35 UPDATE SERIALNUMBER 0
STSDB 29-NOV-07 05:10:35 UPDATE SERIALNUMBER 0
STSDB 29-NOV-07 05:10:35 UPDATE SERIALNUMBER 0
STSDB 29-NOV-07 05:10:35 UPDATE SERIALNUMBER 0
STSDB 29-NOV-07 05:10:35 UPDATE SERIALNUMBER 0
STSDB 29-NOV-07 05:10:35 UPDATE SERIALNUMBER 0
STSDB 29-NOV-07 05:10:35 UPDATE SERIALNUMBER 0
STSDB 29-NOV-07 05:10:35 UPDATE SERIALNUMBER 0
STSDB 29-NOV-07 05:10:35 UPDATE SERIALNUMBER 0
STSDB 29-NOV-07 05:10:35 SELECT SERIALNUMBER 0
STSDB 29-NOV-07 05:10:35 UPDATE SERIALNUMBER 0
STSDB 29-NOV-07 05:10:35 UPDATE SERIALNUMBER 0
STSDB 29-NOV-07 05:10:35 UPDATE SERIALNUMBER 0
STSDB 29-NOV-07 05:10:35 UPDATE SERIALNUMBER 0
STSDB 29-NOV-07 05:10:35 UPDATE SERIALNUMBER 0
STSDB 29-NOV-07 05:10:35 UPDATE SERIALNUMBER 0
STSDB 29-NOV-07 05:10:35 UPDATE SERIALNUMBER 0
STSDB 29-NOV-07 05:10:35 UPDATE SERIALNUMBER 0
STSDB 29-NOV-07 05:10:35 UPDATE SERIALNUMBER 0
STSDB 29-NOV-07 05:10:35 UPDATE SERIALNUMBER 0
STSDB 29-NOV-07 05:10:35 SELECT SERIALNUMBER 0
STSDB 29-NOV-07 05:10:35 UPDATE SERIALNUMBER 0
STSDB 29-NOV-07 05:10:35 UPDATE SERIALNUMBER 0
STSDB 29-NOV-07 05:10:35 UPDATE SERIALNUMBER 0
STSDB 29-NOV-07 05:10:35 UPDATE SERIALNUMBER 0
STSDB 29-NOV-07 05:10:35 UPDATE SERIALNUMBER 0
STSDB 29-NOV-07 05:10:35 UPDATE SERIALNUMBER 0
STSDB 29-NOV-07 05:10:35 UPDATE SERIALNUMBER 0
STSDB 29-NOV-07 05:10:35 UPDATE SERIALNUMBER 0
STSDB 29-NOV-07 05:10:35 UPDATE SERIALNUMBER 0
STSDB 29-NOV-07 05:10:35 UPDATE SERIALNUMBER 0
STSDB 29-NOV-07 05:10:35 UPDATE SERIALNUMBER 0
STSDB 29-NOV-07 05:10:35 UPDATE SERIALNUMBER 0
STSDB 29-NOV-07 05:10:35 UPDATE SERIALNUMBER 0
STSDB 29-NOV-07 05:10:35 SELECT SERIALNUMBER 0
STSDB 29-NOV-07 05:10:35 UPDATE SERIALNUMBER 0
STSDB 29-NOV-07 05:10:35 UPDATE SERIALNUMBER 0
STSDB 29-NOV-07 05:10:35 UPDATE SERIALNUMBER 0
STSDB 29-NOV-07 05:10:35 UPDATE SERIALNUMBER 0
STSDB 29-NOV-07 05:10:35 UPDATE SERIALNUMBER 0
STSDB 29-NOV-07 05:10:35 UPDATE SERIALNUMBER 0
STSDB 29-NOV-07 05:10:35 SELECT SERIALNUMBER 0

i found the same timestamp for repeated for same select stmt with the same user...

please help me to show me one imestamp for the one select stmt for that user

Oracle version =8i

Thanks
Nirmal.




2 REPLIES 2
Wouter Jagers
Honored Contributor

Re: doubt in audting

Hi there,

I'm not a DB specialist and not completely sure if I understand your issue correctly, but if you don't want the same line in your output several times I guess you could change 'select ...' to 'select distinct ...' in your query ?

If you're wondering why there so much data in the audit table itself, that I wouldn't know. Maybe stsdb is actually doing these things multiple times per second ? Note again that I'm not an oracle guru ;-)

Cheers,
Wout
an engineer's aim in a discussion is not to persuade, but to clarify.
Ben Dehner
Trusted Contributor

Re: doubt in audting

To understand the audit trail you really need to understand the application design.

Your audit option is 'by access', so every time a SQL statement hits the target table, it will create a new audit record. If this is a core table in a highly concurrent application, then you should expect to see lots of data in the audit trail. One option is to change the audit to 'by session'. However, if there is some application service with a continuous session, this will generate only one record no matter how many times the table is accessed.

It also depends on how this table is accessed. If this table is hit with bulk updates or select statements against low-cardinality columns, then I would expect to see less access. One select/update will hit multiple rows. If it is updated by high cardinality colums, then I would expect lots of updates as sessions updated one or two specific rows at a time.

Finally, it depends on the way SQL is used on the table. Looking at the above excerpt, I see a single select statement followed by multiple update statements. It may be that the application layer is issuing a single 'select', followed by multiple updates for seperate columns, instead of updating all columns with a single update statement. Although inefficient, this could be an artifact of some application layer that generates the SQL.

Back to my original point, to make sense of the audit trail, you need to understand something about how the application accesses the data and uses the individual tables.
Trust me, I know what I'm doing