Skip to Main Content

Breadcrumb

Question and Answer

Connor McDonald

Thanks for the question, Mark.

Asked: October 24, 2016 - 10:24 pm UTC

Last updated: October 25, 2016 - 1:23 am UTC

Version: 11.2.0.3

Viewed 1000+ times

You Asked

Hi Guys,

I have two questions with regard to Oracle database auditing via syslog.


1. When auditing via OS syslog, what is the ideal value for the AUDIT_SYSLOG_LEVEL parameter, where AUDIT_SYSLOG_LEVEL = facility.priority
It is the priortity component which confuses me. What is the difference between "info", "warning" and "alert" from an Oracle perspective?
e.g. local0.info vs local0.warning


2. Will this incur a significant performance overhead?

I understand that database auditing does require additional system resources - although relatively inexpensive. Oracle's whitepaper "Database Auditing (Performance Guidelines)" states that writing audit records to OS files, whether that be character based or XML based, has the least impact to system resources. Could you please confirm if this is still the case?

The exact performance impact on any given database cannot be assessed without testing since the performance degradation is proportional to the number of audited statements. Is there anything in AWR with regard to the amount of cpu time spent on writing audit logs?

Thanks,
Mark

P.S. Love the APEX design!

and Connor said...

1)

From an Oracle perspective, none. Where it might be of benefit for you is the actions you take based on (say) OS level tools that monitor and/or consolidate syslog information. For example, at a client site I worked at, we used "notice" simply because not much else used that, and it was used to isolate certain events.

2)

It will be about the same as any other OS file based operation. Performance impact and/or bottlenecks will be a function of the OS's capacity to do the operation well, not the database. But if you look under diagnostic_dest, then you'll see that the database writes a *lot* of OS files all the time. A little more into the syslog is *unlikely* to be a significant factor, if noticeable at all.

I dont know of anything in AWR that tracks it.

Is this answer out of date? If it is, please let us know via a Comment
more

Connor and Chris don't just spend all day on AskTOM. You can also catch regular content via Connor's blog and Chris's blog. Or if video is more your thing, check out Connor's latest video and Chris's latest video from their Youtube channels. And of course, keep up to date with AskTOM via the official twitter account.

More to Explore

Performance

Get all the information about database performance in the Database Performance guide.