ORA-00983: cannot audit or noaudit SYS user actions

ORA-00983: cannot audit or noaudit SYS user actions

I want to trace the SYSDBA user by enabling the audit at DB level. On running the command for create session for sys user getting the following error:

SQL> audit create session by sys;
audit create session by sys;
*
ERROR at line 1:
ORA-00983: cannot audit or noaudit SYS user actions

Following are the parameter setting done in the database side:
Show parameter audit

NAME                    TYPE         VALUE
----------------------- ----------- ------------------
audit_sys_operations    boolean     TRUE
audit_file_Dest         string      C:\ORACLE\ADMIN\XE\ADUMP
audit_trail             string      DB

Solution
SYS auditing is only written in Operating system file. For that AUDIT_TRAIL must be XML,XML EXtended
For auditing the SYS, please follow following steps:
1. set the parameter AUDIT_SYS_OPERATIONS = TRUE
Alter system set audit_sys_operations=TRUE scope=spfile
2. Set the parameter AUDIT_FILE_DEST for location of OS audit file
Alter system set audit_file_dest='C:\auditlog' scope=spfile
3. Set the Paermater AUDIT_TRAIL = XML or XML,Extended
Alter system set audit_trail='XML' scope=spfile
By setting this parameter you start getting Audit trail in audit file destination location.

Note:
1. For AUDIT_SYS_OPERATIONS = TRUE : All audit records for SYS are written to the operating system file that contains the audit trail, and not to SYS.AUD$ (also viewable as DBA_AUDIT_TRAIL).
2. If we set AUDIT_TRAIL = OS then on Windows system, the OS setting writes the audit trail to the Application area of the Windows Event Viewer.
3. Its better to set AUDIT_TRAIL = XML, to get the output in XML files.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.