November 20, 2020 - 12:33 pm UTC
Reviewer: A reader
We are using traditional auditing with these values:
AUDIT_SYSLOG_LEVEL = 'LOCAL1.WARNING'
Yes, the user connected after I executed "audit all by jcantu;"
Knowing this, do you expect Oracle to create an audit log showing the select operation and the table name that the user selected?
We should be moving to the new auditing method soon.
November 24, 2020 - 1:41 am UTC
I once wrote a parser for the syslog entries to map them into a database table. I checked back on that code, because it tried to locate/parse any columns from each line of syslog. This is the list I came up with at the time (plus the host and the length tags)
So whilst you should get object and statement (number), but unless the SQL text is in the action, then I think you're out of luck.
If you audit into the database, then you can get SQL text with:
AUDIT SELECT ANY TABLE BY [myuser] BY ACCESS;
because we have a SQL_TEXT column in DBA_AUDIT_TRAIL