When enabling security audit, you must specify the storage location for audit records. You can choose between two methods: writing them into a local disk file or writing them into an internal table. You can view the audit records in the specified location.
Limitations
Currently, only the Oracle mode of OceanBase Database supports security audit.
View the audit records in a disk file
Audit records are asynchronously written to <installation directory>/audit/, and by default stored in /home/admin/oceanbase/audit/observer_xx_xxxxxx.aud.
Example:
$ pwd
/home/admin/oceanbase/audit
$ cat observer_47454_20200924144931.aud
2020-10-04 13:48:10.635533
LENGTH : '408'
ACTION :[23] 'create table t1(c0 int)'
ACTION_NUMBER:[1] '0'
STATUS:[1] '0'
ENTRYID:[1] '5'
STATEMENTID:[1] '3'
DBID:[16] '1100611139404836'
SESSIONID:[10] '3221505515'
PROXY SESSIONID:[4] '2816'
TENANTID:[4] '1001'
USERID:[16] '1100611139404786'
DATABASE USER:[9] 'AUDITTEST'
CLIENT TENANT:[3] 'ora'
CLIENT USER:[9] 'AUDITTEST'
CLIENT ADDRESS:[13] 'xx.xx.xx.xx'
PROXY CLIENT ADDRESS:[13] 'xx.xx.xx.xx'
Note:
A file that is too long will be automatically truncated.
View the audit records in an internal table
Audit records are directly written to system tables. The internal table __all_tenant_security_audit_record stores audit records. The internal table __all_virtual_audit_operation or __all_virtual_audit_action stores the mappings of audit-related IDs and names.
View the audit records in an internal table by using Oracle-compatible dictionary views.
| Dictionary views | Features |
|---|---|
| DBA_AUDIT_EXISTS | Displays the audit trail entries generated by AUDIT EXISTS and AUDIT NOT EXISTS. |
| DBA_AUDIT_OBJECT | Displays the audit trail entries for all objects in the database. |
| DBA_AUDIT_SESSION | Displays all the audit trail entries for CONNECT and DISCONNECT. |
| DBA_AUDIT_STATEMENT | Displays the audit trail entries for the GRANT, REVOKE, AUDIT, NOAUDIT, and ALTER SYSTEM statements in the database. |
| DBA_AUDIT_TRAIL | Displays all audit trail entries. |
| USER_AUDIT_OBJECT | Displays the audit trail entries for objects that the current user can access. |
| USER_AUDIT_SESSION | Displays the audit trail entries for the current user's connections and disconnections. |
| USER_AUDIT_STATEMENT | Displays the audit trail entries for the GRANT, REVOKE, AUDIT, NOAUDIT, and ALTER SYSTEM statements issued by the current user. |
| USER_AUDIT_TRAIL | Displays all audit trail entries related to the current user. |
View the audit records in the DBA_AUDIT_TRAIL table. Here is an example:
obclient> SELECT USERNAME,USERHOST,TIMESTAMP,SQL_TEXT FROM SYS.DBA_AUDIT_TRAIL;
+----------+-------------+-----------+-----------------------------------------------------------------+
| USERNAME | USERHOST | TIMESTAMP | SQL_TEXT |
+----------+-------------+-----------+-----------------------------------------------------------------+
| AUD | xx.xx.xx.xx | 29-OCT-20 | DISCONNECT |
| AUD | xx.xx.xx.xx | 29-OCT-20 | CONNECT |
+----------+-------------+-----------+-----------------------------------------------------------------+