When you enable the security auditing feature, the storage method for auditing records is also configured. Auditing records can be written to internal tables or local disk files. You can view the auditing records at the corresponding location.
View auditing records in auditing files
Security auditing information is asynchronously written to the <installation directory>/audit/ directory. By default, the auditing file is /home/admin/oceanbase/audit/observer_xx_xxxxxx.aud.
Example:
$ pwd
/home/admin/oceanbase/audit
$ cat observer_47454_20200924144931.aud
2020-10-04 13:48:10.635533
LENGTH : '408'
ACTION :[23] 'create table t1(c0 int)'
ACTION_NUMBER:[1] '0'
STATUS:[1] '0'
ENTRYID:[1] '5'
STATEMENTID:[1] '3'
DBID:[16] '1100611139404836'
SESSIONID:[10] '3221505515'
PROXY SESSIONID:[4] '2816'
TENANTID:[4] '1001'
USERID:[16] '1100611139404786'
DATABASE USER:[9] 'AUDITTEST'
CLIENT TENANT:[3] 'ora'
CLIENT USER:[9] 'AUDITTEST'
CLIENT ADDRESS:[13] 'xx.xx.xx.xx'
PROXY CLIENT ADDRESS:[13] 'xx.xx.xx.xx'
Note
The file is automatically truncated if it is too long.
View auditing records in internal tables
Auditing information is directly written to system tables. The internal table __all_tenant_security_audit_record stores auditing records, while __all_virtual_audit_operation and __all_virtual_audit_action store mappings of auditing-related ID and Name values.
You can view auditing records stored in internal tables by using Oracle-compatible dictionary views.
| View | Description |
|---|---|
| DBA_AUDIT_EXISTS | Displays auditing trail entries generated by AUDIT EXISTS and AUDIT NOT EXISTS. |
| DBA_AUDIT_OBJECT | Displays auditing trail entries for all objects in the database. |
| DBA_AUDIT_SESSION | Displays auditing trail entries for all CONNECT and DISCONNECT operations. |
| DBA_AUDIT_STATEMENT | Displays auditing trail entries for GRANT, REVOKE, AUDIT, NOAUDIT, and ALTER SYSTEM statements in the database. |
| DBA_AUDIT_TRAIL | Displays all auditing trail entries. |
| USER_AUDIT_OBJECT | Displays auditing trail entries for objects accessible to the current user. |
| USER_AUDIT_SESSION | Displays auditing trail entries for the current user's connections and disconnections. |
| USER_AUDIT_STATEMENT | Displays auditing trail entries for GRANT, REVOKE, AUDIT, NOAUDIT, and ALTER SYSTEM statements issued by the current user. |
| USER_AUDIT_TRAIL | Displays all auditing trail entries related to the current user. |
View the auditing records in the DBA_AUDIT_TRAIL view. Here is an example:
obclient> SELECT USERNAME,USERHOST,TIMESTAMP,SQL_TEXT FROM SYS.DBA_AUDIT_TRAIL;
+----------+-------------+-----------+-----------------------------------------------------------------+
| USERNAME | USERHOST | TIMESTAMP | SQL_TEXT |
+----------+-------------+-----------+-----------------------------------------------------------------+
| AUD | xx.xx.xx.xx | 29-OCT-20 | DISCONNECT |
| AUD | xx.xx.xx.xx | 29-OCT-20 | CONNECT |
+----------+-------------+-----------+-----------------------------------------------------------------+