That's what I am seeing too after 19c upgrade: the records are now in
UNIFIED_AUDIT_TRAIL, instead of the old SYS.AUD$. (In my case AUDIT_TRAIL
parameter is DB). The new unified trail has to be explicitly and
independently cleaned with DBMS_AUDIT_MGMT.CLEAN_AUDIT_TRAIL using
parameter AUDIT_TRAIL_TYPE set to DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED.
Also noticed that in 19c default no longer logs successful logons. It only
logs failed logons. In pre-19c the default was logging successful
logons too, which I relied upon to troubleshoot connection storms.
One other audit change gotcha I hit when moving to 19c - the two Unified
policies that are supposed to be enabled by default on all 19c databases (
ORA_SECURECONFIG and ORA_LOGON_FAILURES) , were not enabled in 19c PDB when
the PDB was created by remote cloning from pre-19c and then upgrading to
19c. In contrast, the two policies did get enabled when a new PDB was
created from scratch by dbca. This document has some confusing wording on
this :
https://docs.oracle.com/en/database/oracle/oracle-database/19/dbseg/configuring-audit-policies.html#GUID-AC30632D-80E0-40BB-91AF-0416A904A707
. It is easy to check with AUDIT_UNIFIED_ENABLED_POLICIES while in PDB.
One other audit consideration to keep an eye on, when switching from
non-CDB to CDB architecture in combination with 19c upgrade: with CDB the
unified policies have to be enabled in each PDB. Enabling them in root will
only audit root.
And as was already mentioned before, it makes sense in each PDB to manually
update partitioning interval from pre-19c 1-month to 1 day, using
DBMS_AUDIT_MGMT.ALTER_PARTITION_INTERVAL. I read somewhere that 1-day
interval was supposed to be a 19c new default, but on all of my upgraded
19c it was 1-month.
Cheers,
Albert Balbekov
On Fri, Jan 28, 2022 at 11:00 AM Beckstrom, Jeffrey <jbeckstrom@xxxxxxxxx>
wrote:
System was linked with installation defaults. Apparently, in 19c, unified
is on by default and overrides the database audit trail parameters since we
are seeing the statement level auditing in the unified view and not the OS
files.
*From:* Douglas Dunyan <dmdunyan@xxxxxxxxx>
*Sent:* Friday, January 28, 2022 1:40 PM
*To:* Beckstrom, Jeffrey <jbeckstrom@xxxxxxxxx>
*Cc:* Amit Grover <amitgrover27@xxxxxxxxx>; oracle-l@xxxxxxxxxxxxx
*Subject:* Re: [EXTERNAL]-RE: [EXTERNAL]-database audit trail and unified
audit trail
Greets -
I think I read the default configuration is Mixed Mode unified
auditing. For pure unified auditing, you have to relink oracle with
uniaud_on. Have you relinked yet ? Maybe that's your issue....
FWIW unified audit trail is a view, and you can only remove records
using the supplied packages. As far as unified audit goes, I am stumped,
trying to figure out a system that has 130,000+ records in the view, but
event_timestamp is null, so the package doesn't purge those rows...
HTH
D
On Fri, Jan 28, 2022 at 11:31 AM Beckstrom, Jeffrey <jbeckstrom@xxxxxxxxx>
wrote:
We have a logon trigger that turns on statement auditing for selected
sessions. Looks like those are now going to the unified audit table instead
of the os dest specified by the init.ora parameter. Does that make sense
since unified is on?
*From:* Amit Grover <amitgrover27@xxxxxxxxx>
*Sent:* Friday, January 28, 2022 1:17 PM
*To:* Beckstrom, Jeffrey <jbeckstrom@xxxxxxxxx>
*Subject:* Re: [EXTERNAL]-database audit trail and unified audit trail
Remove the default Unified audit policies or set up a job to clear the
unified audit trail, would be two options to go.
Also check the location of the unified audit, get it moved outside of
Sysaux and maybe change the table partition from default(monthly) to daily,
if you do want to use it, as a start.
Best Regards
Amit Grover
2065966629
On Fri, Jan 28, 2022 at 9:14 AM Beckstrom, Jeffrey <jbeckstrom@xxxxxxxxx>
wrote:
Prior to upgrading to 19c, we were generating a database audit trail.
With 19c, seems like unified audit trail is turned on.
Do we have to purge BOTH the database audit trail and the unified audit
trail. The database audit trail was going to OS files.
Jeffrey Beckstrom
Greater Cleveland Regional Transit Authority
1240 W. 6th Street
Cleveland, Ohio 44113
