
Settings of audit_syslog_level

j_bayrhammer
Participant
0 Kudos

Hello,

I have a technical question concerning the setting of parameter audit_syslog_level:

we are recommended to audit events err, crit, alert and emerg.

But in parameter audit_syslog_level I can only define one combination, for example:

audit_syslog_level=local6.err

This I define in /etc/syslog.conf too:

local6.err /var/log/oraclaudit.log

Will this adjustment log critical, alert and emergency events too or just errors?

AUDIT_SYSLOG_LEVEL

Syntax: AUDIT_SYSLOG_LEVEL = 'facility_clause.priority_clause'

facility_clause::=

{ USER | LOCAL[0 | 1 | 2 | 3 | 4 | 5 | 6 | 7] | SYSLOG | DAEMON | KERN | MAIL | AUTH | LPR | NEWS | UUCP | CRON }

priority_clause::=

{ NOTICE | INFO | DEBUG | WARNING | ERR | CRIT | ALERT | EMERG }

Regards,

Julia

Accepted Solutions (0)

Answers (1)

former_member188883
Active Contributor
0 Kudos

Hi Julia,

As per Oracle documentation it will capture only error messages. This should be good enough for Audit as well as it will control the log file size.

http://docs.oracle.com/cd/B28359_01/server.111/b28320/initparams016.htm#REFRN10263

Regards,

Deepak Kori

j_bayrhammer
Participant
0 Kudos

Hello Deepak,

And how can we achieve that critical, alert and emerg messages are logged too?

If you use this parameter, it is best to assign a file corresponding to every combination of facility and priority (especially KERN.EMERG) in syslog.conf .

=> that sounds like there could be a possibility to log each event?!

The logfile size has to be set in /etc/syslog.conf, right?

Regards,

Julia

former_member188883
Active Contributor
0 Kudos

Hi Julia,

You need to create individual entries in the configuration for each type of log that needs to be captured.

For example

AUDIT_SYSLOG_LEVEL = 'KERN.EMERG';

AUDIT_SYSLOG_LEVEL = 'LOCAL1.WARNING';

Yes, the file size can be limited with the value specified under syslog.conf.

Regards,

Deepak Kori

j_bayrhammer
Participant
0 Kudos

Hello Deepak,

in oracle audit parameters I can just set one entry.

Even if I type:

alter system set audit_syslog_level='local4.err' scope=spfile;

alter system set audit_syslog_level='local5.crit' scope=spfile;

alter system set audit_syslog_level='local6.alert' scope=spfile;

alter system set audit_syslog_level='local7.emerg' scope=spfile;

only last entry is set:

SQL> show parameter audit;

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
audit_file_dest                      string      /oracle/SID/saptrace/audit
audit_sys_operations                 boolean     TRUE
audit_syslog_level                   string      LOCAL7.EMERG
audit_trail                          string      OS

In /etc/syslog.conf I configured all paths.

So: how can I set auditing of more than one case?

Regards,

Julia

former_member188883
Active Contributor
0 Kudos

Hi Julia,

My mistake.

You need to enter only 1 value which is required from audit perspective.

You need to define the path where to store the logs against that parameter under syslog file.

Syslog Daemon will compare the values set against audit_syslog_level with the values specified in syslog.conf file to determine where to store the logs.

Hope this helps.

Regards,

Deepak Kori

j_bayrhammer
Participant
0 Kudos

Hello Deepak,

our auditor recommends us to log error, critical, alert and emergency messages. We have to log all four events!

So we not only need to log err but also crit, alert and emerg.

How can I tell oracle audit parameters to log all these 4 events?

Regards,

Julia
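
The following is an added example, not part of any post in this thread and not Oracle or syslogd code: a small Python model of how a classic syslog.conf selector routes a message, using the `local6.err /var/log/oraclaudit.log` line from the question. It assumes the usual syslogd convention that `facility.priority` selects that priority and every more severe one, that `.=priority` selects exactly one priority, and that selectors on one line accumulate until a `none` clears them; the second and third rules and all function names are constructed for illustration.

```python
# Syslog severities, most severe first (lower index = more severe).
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
SEVERITY = {name: n for n, name in enumerate(PRIORITIES)}

# Constructed sample syslog.conf; only the first rule comes from the thread.
SAMPLE_CONF = """\
# selector            action
local6.err            /var/log/oraclaudit.log
local6.=crit          /var/log/oracle_crit_only.log
*.emerg;local6.none   /var/log/emerg_other.log
"""

def parse_conf(text):
    """Return [(selectors, action)] where selectors = [(facilities, priority)]."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        selector_field, action = line.split(None, 1)
        selectors = []
        for sel in selector_field.split(";"):
            facilities, prio = sel.rsplit(".", 1)
            selectors.append((facilities.lower().split(","), prio.lower()))
        rules.append((selectors, action.strip()))
    return rules

def selector_matches(selectors, facility, priority):
    """Evaluate selectors left to right (modelling assumption: matches accumulate)."""
    matched = False
    for facilities, prio in selectors:
        if "*" not in facilities and facility not in facilities:
            continue                               # selector is about another facility
        if prio == "none":
            matched = False                        # explicit exclusion
        elif prio == "*":
            matched = True
        elif prio.startswith("="):                 # exactly this priority
            matched = matched or SEVERITY[priority] == SEVERITY[prio[1:]]
        else:                                      # this priority or more severe
            matched = matched or SEVERITY[priority] <= SEVERITY[prio]
    return matched

def route(conf_text, facility, priority):
    """Return the log files that would receive a facility.priority message."""
    return [action for selectors, action in parse_conf(conf_text)
            if selector_matches(selectors, facility.lower(), priority.lower())]

if __name__ == "__main__":
    for prio in ("warning", "err", "crit", "alert", "emerg"):
        print(f"local6.{prio:<8} -> {route(SAMPLE_CONF, 'local6', prio)}")
```

The model covers only the routing done by the syslog daemon; it says nothing about which facility.priority Oracle attaches to an audit record.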