Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17


Sending Oracle audit logs to syslog

Posted on 2009-05-11
Medium Priority
Last Modified: 2013-11-17
Some of my oracle audit logs are located in /optware/oracle/admin/logs/ , each log is generated as a file in this directory. How do I send each of these logs in to the syslog.

Couple days back I have asked the same question and I have received an answer to set the following parameters
AUDIT_SYSLOG_LEVEL=[facility].[level] e.g. ""

But Looks like this is not forwarding anything, Am I missing anything

SQL> show parameter audit;
NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
audit_file_dest                      string      /optware/oracle/admin/acceldev
audit_sys_operations                 boolean     FALSE
audit_syslog_level                   string      LOCAL0.INFO
audit_trail                          string      OS

Open in new window

Question by:vishwakarmak
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
LVL 68

Expert Comment

ID: 24354075
Hi again,
if I remember well, it was me who told you to use the above parameters.
I don't know how familiar you are with syslog, so here are the steps to be taken at the AIX side -
- edit /etc/syslog.conf and add the line /path/to/log/file
- issue  
touch /path/to/log/file
- issue
refresh -s syslogd
- verify the above by issuing
lssrc -ls syslogd
 Excuse me if you did that already, but I have to ask, as the ORACLE parameters should work as expected!

Author Comment

ID: 24354281
Thanks wmp, Let me try this....

Author Comment

ID: 24354826
Hello wmp,
Thanks again for your valueble solution. But here is the problem, The audit files are written to /optware/oracle/admin/logs/ as different files and syslog logs messages when written to a single file I guess. So what could be the solution in this scenario.

Also these is one imp thing I noticed, When I have set the Parameters I am no more seeing the /logs directory, So looks like it is trying to send the logs but its not knowing where...

So can you tell me how to set so that the audit logs are written to one single file


Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

LVL 68

Expert Comment

ID: 24354962
Did you try what I suggested?
Syslog doesn't log files, but messages, and the messages go to the single file you specify in /etc/syslog.conf.
What's in there?
Syslog's log files can only be written if they exist (syslog doesn't create files), thus the 'touch' I suggested.
And, are you sure that you're talking about audit logs going to /optware/oracle/admin/logs/ ?
Where did you configure that directory? I can't see it in your post.

Author Comment

ID: 24357222
Hello WMP,

Continuing to what we are doing my audit is logging into  /optware/oracle/admin/s10dev/audit/ folder and I have many logs inside so I will go ahead and do                                     /optware/oracle/admin/acceldev/audit/*.log  -> in my syslog conf

and will start/stop the syslog, Let me see if this works


Author Comment

ID: 24357679
Hello wmp,

I dont think this will quite work as the syslog file should be something like                                     /var/log/oracle.log

Since we have already told the audit logs to, I think it will route to oracle.log which I created

what do u think of this...???? As this approach also didnot quite work...
LVL 68

Expert Comment

ID: 24358381

first: no asterisks (*) in syslog.conf, only complete filenames!

second: If syslog.conf looks like in your last post, and if you created that file and restarted syslogd, yes, the audit logs will go to /var/log/oracle.log. What's wrong with that? What else do you try to achieve?

Existing old logs in  /optware/oracle/admin/acceldev/audit will not be changed, removed or moved to the syslog file. Those old logs will stay there as they are.



Author Comment

ID: 24359019
Hello WMP,

I am finally able to get the logs in oracle.log but they dont seem to make any sense as here is what I get in the syslog

May 11 15:02:04 sundev13 Oracle Audit[20364]: [ID 748625] LENGTH: "220" SESSIONID:[8] "1 2759424" ENTRYID:[1] "1" STATEMENT:[1] "1" USERID:[5] "DBMON" USERHOST:[8] "sundev13" ACTION:[3] "100" RETURNCODE:[1] "0" COMMENT$TEXT:[20] "Authenticated by: OS" OS$USERID:[5] "dbmon" PRIV$USED:[1] "5"

But if I cat my log in /optware/oracle/admin/acceldev/audit, Its totally different but I can see the fields, So is there anything on the oracle config that has to be changed to log in clear text


LVL 68

Accepted Solution

woolmilkporc earned 2000 total points
ID: 24359335
I'm afraid there is no chance to get clear text.
This is what ORACLE says: Decoding Operating System Audit Trial Records
Oracle Database encodes the operating system audit trail records. You can decode this information by referring to the appropriate data dictionary tables and error messages.
Table 9-5 describes the information that is encoded and where you can find its decoded version.  
Table 9-5 Encoding Information in Audit Trail Records    Encoded Information How to Decode      
Action code  
Describes the operation performed or attempted, using codes listed in the AUDIT_ACTIONS data dictionary table, with their descriptions.    
Privileges used  
Describes any system privileges used to perform the operation, using codes listed in the SYSTEM_PRIVILEGE_MAP table, with their descriptions.    
Completion code  
Describes the result of the attempted operation, using codes listed in Oracle Database Error Messages, with their descriptions. Successful operations return a value of zero, and unsuccessful operations return an Oracle Database error code corresponding to the reason the operation was unsuccessful.

The complete text is here. Maybe you find some more/more useful information:



Featured Post


Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Introduction Regular patching is part of a system administrator's tasks. However, many patches require that the system be in single-user mode before they can be installed. A cluster patch in particular can take quite a while to apply if the machine…
Java performance on Solaris - Managing CPUs There are various resource controls in operating system which directly/indirectly influence the performance of application. one of the most important resource controls is "CPU".   In a multithreaded…
Learn how to get help with Linux/Unix bash shell commands. Use help to read help documents for built in bash shell commands.: Use man to interface with the online reference manuals for shell commands.: Use man to search man pages for unknown command…
This video shows how to set up a shell script to accept a positional parameter when called, pass that to a SQL script, accept the output from the statement back and then manipulate it in the Shell.
Suggested Courses

722 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question