Oracle XE audit_trail不会为所有用户保存

Question

I enabled auditing on my Oracle XE server via the following run by the sys user:

SQL> ALTER SYSTEM SET audit_sys_operations=true SCOPE=spfile;
SQL> ALTER SYSTEM SET audit_trail=XML,EXTENDED SCOPE=spfile;
SQL> SHUTDOWN IMMEDIATE
SQL> STARTUP

When I run queries as the sys user, an xml file records the queries in the default location (eg, /u01/app/oracle/admin/XE/adump/xe_ora_2339_1.xml ). However, if I run a query as a different user (eg, test_user ), no updates occur in any of the files in the adump directory.

I've confirmed that the parameter is set for the test_user :

SQL> show parameter audit;
NAME                     TYPE    VALUE
------------------------ ------- ------------------------------
audit_file_dest          string  /u01/app/oracle/admin/XE/adump
audit_sys_operations     boolean TRUE
audit_syslog_level       string
audit_trail              string  XML, EXTENDED

I also tried restarting my sqlplus session (ie, reconnecting with the test_user ), as well as disabling audit_sys_operations , and the issue remains.

Version info: Oracle Database 11g Express Edition Release 11.2.0.2.0 - 64bit Production (via this docker image ).

Answer 1

My issue was that, in addition to enabling auditing, I also needed to specify what to audit with the AUDIT command. In my case, I wanted everything, so I added the following (commands mentioned in this tutorial ):

SQL> AUDIT ALL;  # note: it seems like the next two statements would be included with "all", but I didn't verify this.
SQL> AUDIT SELECT TABLE, UPDATE TABLE, INSERT TABLE, DELETE TABLE;
SQL> AUDIT EXECUTE PROCEDURE;

Note that with AUDIT_TRAIL=XML,EXTENDED (and maybe all the file-based auditing settings?), it looks there is some buffering of writing the XML file, as I didn't get a query showing up until my test user disconnected, so if you are missing a log entry, try logging the user out to see if it shows up.