Purging a Database Audit Trail AUD$

  1. Purging a Subset of Records from the Database Audit Trail

    You can manually remove records from the database audit trail tables. This method can be useful if you want to remove a specific subset of records. You can use this method if the database audit trail table is in any tablespace, including the SYSTEM tablespace.
    For example, to delete audit records that were created later than the evening of February 28, 2009 but before March 28, 2009, enter the following statement:
    DELETE FROM SYS.AUD$
       WHERE NTIMESTAMP# > TO_TIMESTAMP ('28-FEB-09 09.07.59.907000 PM') AND
       NTIMESTAMP# < TO_TIMESTAMP ('28-MAR-09 09.07.59.907000 PM');
    Alternatively, to delete all audit records from the audit trail, enter the following statement:
    DELETE FROM SYS.AUD$;
    Only the user SYS or a user to whom SYS granted the DELETE privilege on SYS.AUD$ can delete records from the database audit trail.
    Note:
    If the audit trail is full and connections are being audited (that is, if the AUDIT SESSION statement is set), then typical users cannot connect to the database because the associated audit record for the connection cannot be inserted into the audit trail. In this case, connect as SYS with the SYSDBA privilege, and make space available in the audit trail. Remember that operations by SYS are not recorded in the standard audit trail, but they are audited if you set the AUDIT_SYS_OPERATIONS parameter to TRUE.
    After you delete the rows from the database audit trail table, the freed space is available for reuse by that table. (The SYS.AUD$ table is allocated only as many extents as are necessary to maintain current audit trail records.) You do not need to do anything to make this space available to the table for reuse. If you want to use this space for another table, then follow these steps:


    Move the AUD$ table to an auto segment space managed tablespace.
    For example:
    BEGIN
      DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_LOCATION
       (audit_trail_type => DBMS_AUDIT_MGMT.AUDIT_TRAIL_DB_STD,
       audit_trail_location_value => 'USERS');
    END;
    /
     
  2. Run the following statements:
    ALTER TABLE SYSTEM.AUD$ ENABLE ROW MOVEMENT;
    ALTER TABLE SYSTEM.AUD$ SHRINK SPACE CASCADE;
  3. If you must move the AUD$ table back to the SYSTEM tablespace, then run the following statement:
    BEGIN
     DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_LOCATION
      (audit_trail_type => DBMS_AUDIT_MGMT.AUDIT_TRAIL_DB_STD,
      audit_trail_location_value => 'SYSTEM');
    END;
    /
If you want to both delete all the rows from the database audit trail table and free the used space for other tablespace objects, use the TRUNCATE TABLE statement. For example:
TRUNCATE TABLE SYS.AUD$;
Note:
SYS.AUD$ and SYS.FGA_LOG$ are the only SYS objects that can ever be directly modified.
 
 
Reference :
http://docs.oracle.com/cd/E11882_01/network.112/e16543/auditing.htm#DBSEG473
http://www.oracle-base.com/articles/11g/auditing-enhancements-11gr2.php
 

Comments

Post a Comment

Popular posts from this blog

chr function and its values - CHR and ASCII values

chr function returns the ascii letter for that integer. We know that there are 255 ascii characters defined. SQL> select chr(65) as CHR from dual; CHR – A Below code print all 255 ascii characters Sample code to check the values : begin   for i in 1..255 loop       dbms_output.put_line( 'CHR('||i||')' ||'=='|| chr(i) );     end loop;     end;     / This output might differ actually based on the chacterset you have choosen while installing you Database. DBMS_OUTPUT :    CHR(1)== CHR(2)== CHR(3)== CHR(4)== CHR(5)== CHR(6)== CHR(7)== CHR(8)== CHR(9)==    CHR(10)== CHR(11)== CHR(12)== CHR(13)== CHR(14)== CHR(15)== CHR(16)== CHR(17)== CHR(18)== CHR(19)== CHR(20)== CHR(21)== CHR(22)== CHR(23)== CHR(24)== CHR(25)== CHR(26)== CHR(27)== CHR(28)== CHR(29)== CHR(30)== CHR(31)== CHR(32)== CHR(33)==! CHR(34)==" CHR(35)==# CHR(36)==$ CHR(37)==% CHR(38)==& CHR(39)==' CHR(40)==( CHR(41)==) CHR(42...
Read more

RMAN-06820: WARNING: failed to archive current log at primary database

RMAN archive log backup at the standby site is throws the following errors ******************************************************************************** RMAN-06820: WARNING: failed to archive current log at primary database ORACLE error from target database: ORA-17629: Cannot connect to the remote database server ******************************************************************************** RMAN> backup database plus archivelog tag 'FULL_AL_BKP'; Starting backup at 29-FEB-16 RMAN-06820: WARNING: failed to archive current log at primary database ORACLE error from target database: ORA-17629: Cannot connect to the remote database server ORA-17627: ORA-00942: table or view does not exist allocated channel: ORA_DISK_1 channel ORA_DISK_1: SID=48 device type=DISK skipping archived logs of thread 1 from sequence 192 to 201; already backed up Finished backup at 29-FEB-16 Starting backup at 29-FEB-16 using channel ORA_DISK_1 channel ORA_DISK_1: starting compressed full datafile b...
Read more

IMPDP TABLE_EXISTS_ACTION = APPEND, REPLACE, [SKIP] and TRUNCATE

  IMPDP  TABLE_EXISTS_ACTION PARAMETER EXPLAINED  Data Pump IMPDP TABLE_EXISTS_ACTION = APPEND, REPLACE, [SKIP] and TRUNCATE In conventional import utility (IMP) we have ignore =y option which will ignore the error when the object is already exist with the same name. When it comes to the data pump there is one enhanced option of ignore=y which is called TABLE_EXISTS_ACTION. The values for this parameter give 4 different options to handle the existing table and data. $ impdp help=y     TABLE_EXISTS_ACTION     Action to take if imported object already exists.     Valid keywords are: APPEND , REPLACE , [ SKIP ] and TRUNCATE .     SKIP : Default value for this parameter is SKIP. This parameter is exactly same as the IGNORE=Y option in conventional import utility.     APPEND : This option appends the data from the data dump. The extra rows in the dump will be appended to the table and the existing dat...
Read more