We have audit_trail set to OS as well (we audit create session)... What I did was write a custom monitoring script to capture the OS information of the user logging in as "/ as sysdba" (we use it for SOX compliance) Is this the kind of info you're looking for? Thanks, ________________________________ From: oracle-l-bounce@xxxxxxxxxxxxx [mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of Mercadante, Thomas F (LABOR) Sent: Wednesday, April 15, 2009 12:33 PM To: oracledbaquestions@xxxxxxxxx Cc: oracle-l@xxxxxxxxxxxxx Subject: RE: constant logging in as / as sysdba ? My guess is it's either pmon or smon. Is it happening like every few minutes? Put a database logon trigger in place and capture the program name. ________________________________ From: oracle-l-bounce@xxxxxxxxxxxxx [mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of Dba DBA Sent: Wednesday, April 15, 2009 2:56 PM To: oracle-l@xxxxxxxxxxxxx Subject: constant logging in as / as sysdba ? I am trying to figure out what is logging in constantly as / as sysdba. We are on Solaris iwth Oracle 10.1. We are using Solaris clustering(this is OS clustering and not RAC). However, I turned the cluster off and then turned Oracle on manually. The / as sysdba connection continues to happen every minute. By default Oracle logs all / as sysdba connections. I then increased my auditing to try to find out what is going on. So I did audit all by access and I set my audit_trail to the OS. I am I am getting is the following: Wed Apr 15 14:54:17 2009 ACTION : 'CONNECT' DATABASE USER: '/' PRIVILEGE : SYSDBA CLIENT USER: oracle CLIENT TERMINAL: STATUS: 0 The session does not appear to do anything. I would think audit all by access would catch this. To test it, I logged in as / as sysdba and shutdown the database. my actions were logged. We do not have kron jobs running. anyone experience this before ? anything about solaris? could it be an oracle process logging in?