I’ve been really interested to learn about some cool new features within Oracle Database auditing in 12c and have been setting up some fairly basic table level auditing.
The feature which is new to 12c is called Unified Audit Data Trail and with it the new Extended Audit Information. This seeks to do two things –
1. Consolidate audit data from various different features into a single view. Prior to 12c we had SYS auditing, object auditing, Database Vault auditing etc all going to different places. Now we’re seeing all that go into a single view.
2. Make this single view extensible. The old Basic Audit Information format was very fixed in format which isn’t suitable when consolidating all of these features – we’ve got an extensible format now which can support new columns.
Two other really nice new features with the new auditing –
1. Audit data is now read only, even for SYS. This is great as it negates the need to store audit data outside the database just to protect against DBA interference.
2. New memory queue within the SGA so that audit writes are more efficient. Purged to disk every 3 seconds – yes you could potentially lose audit records if the instance crashes somewhere in that 3 seconds. This feature can be turned off if that really bothers you.
With all this comes a new background process – GEN0 – to write the queue to disk every 3 seconds or so.
What I also like is that the Unified Audit Data feature is enabled by default for new 12c databases. Actually there are a couple of different modes the auditing can now run in –
Mixed mode is the default, and means that the old auditing methods and syntax still work. Unified auditing means the old auditing methods and syntax will no longer work, and this mode actually requires a relink in order to enable. I can see the benefits in switching to this at the earliest opportunity though (as far as tidying up distributed audit configuration and trails).