Preparation for audit analysis
This section describes two methods to analyze database server audit records:
- The first method displays audit data as it appears in the audit trail, which you can subject to your own audit-analysis tools. This method guarantees accuracy because no processing is done on the raw audit records.
- The second method converts the audit records into a form that can be uploaded into a table that the database server manages. You can then use SQL to generate reports based on this data. With the SQL-based method, you can create and use customized forms and reports to manipulate and selectively view audit data, which provides a flexible and powerful audit-analysis procedure. Be sure, however, that records are not deleted or modified from either the intermediate file or from the database before analysis.
Important: The SQL-based procedure is more convenient
but remains untrusted because users can use SQL data-manipulation
statements to tamper with the records that are copied into a table.
Both methods rely on a utility called onshowaudit, which Audit analysis and The onaudit utility: Configure audit masks describe. For either method, you can extract audit events for specific users, database servers, or both.
To perform audit analysis, first have audit records in your database server. The onshowaudit utility does not remove data from the audit trail. It only reads records from the audit trail and allows them to be viewed or manipulated with standard SQL utilities.
To clear or remove audit logs, delete the files that contain the audit trail.