When enabling security audit, you also set the storage location for audit records: local disk files or internal tables. This topic describes how to view audit records at the specified location.
Limitations
Currently, only the Oracle mode of OceanBase Database supports the security audit feature.
View the audit records in a local disk file
The audit records are asynchronously written to <installation directory>/audit/, by default located at /home/admin/oceanbase/audit/observer_xx_xxxxxx.aud.
Here is an example. To view the audit records in a local disk file, execute the following statement:
$ pwd
/home/admin/oceanbase/audit
$ cat observer_47454_20200924144931.aud
2020-10-04 13:48:10.635533
LENGTH : '408'
ACTION :[23] 'create table t1(c0 int)'
ACTION_NUMBER:[1] '0'
STATUS:[1] '0'
ENTRYID:[1] '5'
STATEMENTID:[1] '3'
DBID:[16] '1100611139404836'
SESSIONID:[10] '3221505515'
PROXY SESSIONID:[4] '2816'
TENANTID:[4] '1001'
USERID:[16] '1100611139404786'
DATABASE USER:[9] 'AUDITTEST'
CLIENT TENANT:[3] 'ora'
CLIENT USER:[9] 'AUDITTEST'
CLIENT ADDRESS:[13] 'xx.xx.xx.xx'
PROXY CLIENT ADDRESS:[13] 'xx.xx.xx.xx'
Note
A file will be automatically truncated if it is too long.
View the audit records in an internal table
The audit records are directly written to system tables. The internal table __all_tenant_security_audit_record stores the audit records, while the internal table __all_virtual_audit_operation or __all_virtual_audit_action stores the mappings of audit-related IDs and Names.
View the audit records in an internal table by using a series of Oracle-compatible dictionary views.
| Dictionary view | Description |
|---|---|
| DBA_AUDIT_EXISTS | Displays audit trail entries generated by AUDIT EXISTS and AUDIT NOT EXISTS. |
| DBA_AUDIT_OBJECT | Displays audit trail entries for all objects in the database. |
| DBA_AUDIT_SESSION | Displays audit trail entries related to CONNECT and DISCONNECT. |
| DBA_AUDIT_STATEMENT | Displays audit trail entries related to GRANT, REVOKE, AUDIT, NOAUDIT, and ALTER SYSTEM in the database. |
| DBA_AUDIT_TRAIL | Displays all audit trail entries. |
| USER_AUDIT_OBJECT | Displays audit trail entries for objects accessible to the current user. |
| USER_AUDIT_SESSION | Displays audit trail entries for connections and disconnections of the current user. |
| USER_AUDIT_STATEMENT | Displays audit trail entries for the GRANT, REVOKE, AUDIT, NOAUDIT, and ALTER SYSTEM statements issued by the current user. |
| USER_AUDIT_TRAIL | Displays all audit trail entries related to the current user. |
Here is an example. To view the audit records in the DBA_AUDIT_TRAIL view, execute the following statement:
obclient> SELECT USERNAME,USERHOST,TIMESTAMP,SQL_TEXT FROM SYS.DBA_AUDIT_TRAIL;
+----------+-------------+-----------+-----------------------------------------------------------------+
| USERNAME | USERHOST | TIMESTAMP | SQL_TEXT |
+----------+-------------+-----------+-----------------------------------------------------------------+
| AUD | xx.xx.xx.xx | 29-OCT-20 | DISCONNECT |
| AUD | xx.xx.xx.xx | 29-OCT-20 | CONNECT |
+----------+-------------+-----------+-----------------------------------------------------------------+