Disable Audit trail but trace still generated in Oracle

Leave a reply

Reduce the trace files of Oracle Audit

After disable the AUDIT_TRAIL parameter, the Oracle still use the trace for SYS users. Set the value for AUDIT_SYS_OPERATION parameter to FALSE along with audit_trail.
Set the AUDIT_SYSLOG_LEVEL parameter changes as below to reduce further data valid in linux or unix platforms.
AUDIT_SYSLOG_LEVEL and AUDIT_SYS_OPERATIONS are set for any SQL and PL/SQL run as user SYS may be audited using the syslog facility.

On Windows platform
the parameters AUDIT_SYSLOG_LEVEL and AUDIT_FILE_DEST are not woreked, Since the Windows event log used as the operating system audit trail.
The AUDIT_SYS_OPERATIONS=TRUE value, operations with SYSDBA or SYSOPER privileges are also written to the Windows event log,
You can check this in Event viewer of Windows.
Start ➤ Control Panel ➤ Administrative Tools ➤ Event Viewer ➤ Application ➤ Oracle.ORACLE_SID.

1. Make sure if audit_trial=NONE is set OR else set it to AUDIT_TRAIL=NONE

SQL> show parameter audit
NAME TYPE VALUE
-------------------- ------- ------------------------------
audit_sys_operations boolean TRUE
audit_syslog_level string
audit_trail string NONE
audit_file_dest string /u01/app/Oracle/audit

Note: If required to set audit_trail to NONE, run as

alter system set audit_trail=NONE scope=spfile;

2. set audit_sys_operations = FALSE and audit_syslog_level to ‘SYSLOG.WARNING’

SQL> alter system set audit_sys_operations=FALSE scope=spfile sid='*';
System altered.

-- Used in linux and other OS except windows.
SQL> alter system set audit_syslog_level='SYSLOG.WARNING' sid='*' scope=spfile;
System altered.

3. Verify the parameters

SQL> select name, value from v$parameter where name like 'audit%';

Note:
AUDIT_SYSLOG_LEVEL parameter to specify a facility and priority in the format AUDIT_SYSLOG_LEVEL=facility.priority.
facility: Describes the part of the operating system that is logging the message.
Accepted values are user, local0–local7, syslog, daemon, kern, mail, auth, lpr, news, uucp, and cron.

In RAC Environment
You can also increase the following values: Change check interval value to 300 as you need for further reduce the audit log trace size.

#crsctl modify resource ora.asm -attr "CHECK_INTERVAL=60" -unsupported
#crsctl modify resource ora.diskmon -attr "CHECK_INTERVAL=60" -unsupported

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.