Reduce the trace files of Oracle Audit
After disable the AUDIT_TRAIL parameter, the Oracle still use the trace for SYS users. Set the value for AUDIT_SYS_OPERATION parameter to FALSE along with audit_trail.
Set the AUDIT_SYSLOG_LEVEL parameter changes as below to reduce further data valid in linux or unix platforms.
AUDIT_SYSLOG_LEVEL and AUDIT_SYS_OPERATIONS are set for any SQL and PL/SQL run as user SYS may be audited using the syslog facility.
On Windows platform
the parameters AUDIT_SYSLOG_LEVEL and AUDIT_FILE_DEST are not woreked, Since the Windows event log used as the operating system audit trail.
The AUDIT_SYS_OPERATIONS=TRUE value, operations with SYSDBA or SYSOPER privileges are also written to the Windows event log,
You can check this in Event viewer of Windows.
Start ➤ Control Panel ➤ Administrative Tools ➤ Event Viewer ➤ Application ➤ Oracle.ORACLE_SID.
1. Make sure if audit_trial=NONE is set OR else set it to AUDIT_TRAIL=NONE
SQL> show parameter audit
NAME TYPE VALUE
-------------------- ------- ------------------------------
audit_sys_operations boolean TRUE
audit_syslog_level string
audit_trail string NONE
audit_file_dest string /u01/app/Oracle/audit
Note: If required to set audit_trail to NONE, run as
alter system set audit_trail=NONE scope=spfile;
2. set audit_sys_operations = FALSE and audit_syslog_level to ‘SYSLOG.WARNING’
SQL> alter system set audit_sys_operations=FALSE scope=spfile sid='*';
System altered.
-- Used in linux and other OS except windows.
SQL> alter system set audit_syslog_level='SYSLOG.WARNING' sid='*' scope=spfile;
System altered.
3. Verify the parameters
SQL> select name, value from v$parameter where name like 'audit%';
Note:
AUDIT_SYSLOG_LEVEL parameter to specify a facility and priority in the format AUDIT_SYSLOG_LEVEL=facility.priority.
facility: Describes the part of the operating system that is logging the message.
Accepted values are user, local0–local7, syslog, daemon, kern, mail, auth, lpr, news, uucp, and cron.
In RAC Environment
You can also increase the following values: Change check interval value to 300 as you need for further reduce the audit log trace size.
#crsctl modify resource ora.asm -attr "CHECK_INTERVAL=60" -unsupported
#crsctl modify resource ora.diskmon -attr "CHECK_INTERVAL=60" -unsupported