A reader, November 20, 2020 - 12:33 pm UTC
Hello Chris,
We are using traditional auditing with these values:
audit_trail=os
AUDIT_SYSLOG_LEVEL = 'LOCAL1.WARNING'
Yes, the user connected after I executed "audit all by jcantu;"
Knowing this, do you expect Oracle to create an audit log showing the select operation and the table name that the user selected?
We should be moving to the new auditing method soon.
Thanks
November 24, 2020 - 1:41 am UTC
I once wrote a parser for the syslog entries to map them into a database table. I checked back on that code, because it tried to locate/parse any columns from each line of syslog. This is the list I came up with at the time (plus the host and the length tags)
ACTION
AUTH$GRANTEE
CLIENT_TERMINAL
CLIENT_USER
COMMENT$TEXT
DATABASE_USER
DBID
ENTRYID
LOGOFF$DEAD
LOGOFF$LREAD
LOGOFF$LWRITE
LOGOFF$PREAD
OBJ$CREATOR
OBJ$NAME
OBJ$PRIVILEGES
OS$USERID
PRIV$USED
PRIVILEGE
RETURNCODE
SESSIONCPU
SESSIONID
STATEMENT
STATUS
TERMINAL
USERHOST
USERID
NEW$OWNER
NEW$NAME
SES$ACTIONS
SES$LABEL
So whilst you should get object and statement (number), but unless the SQL text is in the action, then I think you're out of luck.
If you audit into the database, then you can get SQL text with:
AUDIT SELECT ANY TABLE BY [myuser] BY ACCESS;
because we have a SQL_TEXT column in DBA_AUDIT_TRAIL