on 09-01-2014 11:23 AM
Hello,
I have a technical question concerning the setting of parameter audit_syslog_level:
we are recommended to audit events err, crit, alert and emerg.
But in parameter audit_syslog_level I can only define one combination, for example:
audit_syslog_level=local6.err
This I define in /etc/syslog.conf too:
local6.err /var/log/oraclaudit.log
Will this adjustment log critical, alert and emergency events too or just errors?
Syntax: AUDIT_SYSLOG_LEVEL = 'facility_clause.priority_clause'
facility_clause::=
{ USER | LOCAL[0 | 1 | 2 | 3 | 4 | 5 | 6 | 7] | SYSLOG | DAEMON | KERN | MAIL | AUTH | LPR | NEWS | UUCP | CRON }
priority_clause::=
{ NOTICE | INFO | DEBUG | WARNING | ERR | CRIT | ALERT | EMERG }
Regards,
Julia
Hi Julia,
As per Oracle documentation it will capture only error messages. This should be good enough for Audit as well as it will control the log file size.
http://docs.oracle.com/cd/B28359_01/server.111/b28320/initparams016.htm#REFRN10263
Regards,
Deepak Kori
Hello Deepak,
And how can we achieve that critical, alert and emerg messages are logged too?
If you use this parameter, it is best to assign a file corresponding to every combination of facility and priority (especially KERN.EMERG) in syslog.conf.
=> that sounds like there could be a possibility to log each event?!
The logfile size has to be set in /etc/syslog.conf, right?
Regards,
Julia
Hello Deepak,
In the Oracle audit parameters I can just set one entry.
Even if I type:
alter system set audit_syslog_level='local4.err' scope=spfile;
alter system set audit_syslog_level='local5.crit' scope=spfile;
alter system set audit_syslog_level='local6.alert' scope=spfile;
alter system set audit_syslog_level='local7.emerg' scope=spfile;
only last entry is set:
SQL> show parameter audit;
NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
audit_file_dest                      string      /oracle/SID/saptrace/audit
audit_sys_operations                 boolean     TRUE
audit_syslog_level                   string      LOCAL7.EMERG
audit_trail                          string      OS
In /etc/syslog.conf I configured all paths.
So: how can I set auditing of more than one case?
Regards,
Julia
Hi Julia,
My mistake.
You need to enter only 1 value which is required from audit perspective.
You need to define the path where to store the logs against that parameter under syslog file.
Syslog Daemon will compare the values set against audit_syslog_level with the values specified in syslog.conf file to determine where to store the logs.
Hope this helps.
Regards,
Deepak Kori
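A model of how a classic syslogd matches syslog.conf selectors against the single facility.priority configured in audit_syslog_level, as an added example that is not part of the original thread or any poster's code. It assumes the traditional selector rule (a priority in syslog.conf selects that priority and every more severe one) and that all audit records are sent with the one configured facility.priority; every rule path except /var/log/oraclaudit.log is constructed.

```python
# Added example: simplified model of classic syslog.conf selector matching.
# Not modelled: sysklogd/rsyslog extensions such as "=err" or "!err".
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}  # 0 = most severe


def split_level(level):
    """Split 'facility.priority'; case-insensitive (Oracle shows LOCAL7.EMERG)."""
    facility, sep, priority = level.strip().lower().partition(".")
    if not sep or not facility or not priority:
        raise ValueError(f"expected facility.priority, got {level!r}")
    return facility, priority


def selector_matches(selector, message_level):
    """True if a syslog.conf selector selects a message sent at message_level."""
    sel_fac, sel_pri = split_level(selector)
    msg_fac, msg_pri = split_level(message_level)
    if msg_pri not in SEVERITY:
        raise ValueError(f"unknown message priority {msg_pri!r}")
    if sel_fac not in ("*", msg_fac) or sel_pri == "none":
        return False
    if sel_pri == "*":
        return True
    if sel_pri not in SEVERITY:
        raise ValueError(f"unsupported selector priority {sel_pri!r}")
    # "priority and higher": the message must be at least as severe as the selector.
    return SEVERITY[msg_pri] <= SEVERITY[sel_pri]


def route(rules, message_level):
    """Return every log file whose selector matches the message."""
    return [path for selector, path in rules
            if selector_matches(selector, message_level)]


# First rule is the one quoted in the thread; the others are constructed.
RULES = [
    ("local6.err", "/var/log/oraclaudit.log"),
    ("local6.crit", "/var/log/oracle_crit.log"),
    ("local7.emerg", "/var/log/oracle_emerg.log"),
]

if __name__ == "__main__":
    for level in ("local6.err", "local6.emerg", "LOCAL7.EMERG", "local7.err"):
        print(f"{level:14} -> {route(RULES, level)}")
```

The value in audit_syslog_level is the tag placed on the audit records, while the selectors in syslog.conf decide which files receive records carrying that tag.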