Just a quick update to my blog post from September 2014:
Any changes in Oracle Database 126.96.36.199?
Yes. Significant changes happen to Unified Auditing in Oracle Database 188.8.131.52. Mostly internally as the mechanism used to dump the audit records in Oracle 12.1.0.x when Unified Auditing was on turned out to be very good for write performance, but not so good when you tried to read data. See my blog post from a few weeks ago how to deal with this performance implication and a potential patch:
But I’d like to understand if the so called “Mixed Mode” is still existent in Oracle Database 184.108.40.206, meaning you can have the old audit trail enabled but the database is still auditing some activities via the newer Unified Auditing policies.
Comparison Oracle 220.127.116.11 vs Oracle 18.104.22.168
Quick check in Oracle 22.214.171.124:
SQL> column policy_name format a25 SQL> column user_name format a14 SQL> column enabled format a7 SQL> set line 200 SQL> set pages 1000 SQL> SELECT policy_name, enabled_opt, user_name FROM audit_unified_enabled_policies; POLICY_NAME ENABLED_ USER_NAME ------------------------- -------- -------------- ORA_SECURECONFIG BY ALL USERS ORA_LOGON_FAILURES BY ALL USERS
And now the same query in Oracle 126.96.36.199:
SQL> column policy_name format a25 SQL> column user_name format a14 SQL> column enabled format a7 SQL> set line 200 SQL> set pages 0 SQL> SELECT policy_name, enabled_opt, user_name FROM audit_unified_enabled_policies 2 ; ORA_SECURECONFIG BY ALL USERS ORA_LOGON_FAILURES BY ALL USERS SQL> set pages 1000 SQL> r 1 SELECT policy_name, enabled_opt, user_name 2* FROM audit_unified_enabled_policies POLICY_NAME ENABLED_ USER_NAME ------------------------- -------- -------------- ORA_SECURECONFIG BY ALL USERS ORA_LOGON_FAILURES BY ALL USERS
As in Oracle 12.1.0.x, in Oracle Database 188.8.131.52 two default Unified Auditing Policies are enabled. And still I’d recommend to turn them off if you are either going to use the old auditing via audit_trail or don’t want to have auditing at all.
SQL> noaudit policy ORA_SECURECONFIG; Noaudit succeeded. SQL> noaudit policy ORA_LOGON_FAILURES; Noaudit succeeded. SQL> SELECT policy_name, enabled_opt, user_name FROM audit_unified_enabled_policies; no rows selected
Again, to be clear, I’m not saying that you shouldn’t use the new Unified Auditing. But disable the Mixed Mode. Use the real (and enabled, i.e. linked into your kernel) Unified Auditing instead if you would like to audit in Oracle Database 184.108.40.206. Or stay with the old auditing if it does what you want and expect.
Sorry but what you posted is not determining whether UNIFIED Auditing is on in 12c. What you are showind is mealry that in 12c there are two audit_policies enabled. Thes audit_policies are to replace the audit_sys_operation parameter.
TO chedk if unified auditing is enabled chece the show parameter “%Audit%”
Please read: https://mikedietrichde.com/2014/09/02/unified-auditing-is-it-on-or-off-in-oracle-12c/
which I linked twice from this blog post you are referring to.
audit_sys_operation is still true in 12c.
I have some doubts, on Standby Site, Do i need to enable Unified Audit Trail too?, there’s a procedure first on primary and then on standby? Do i need to disable transport redo?
Btw, my env is Oracle 18c RDBMS on linux 7.6, two nodes RAC Primary and two nodes RAC Standby (ADG)
Thanks in advance
the settings from the primary should be automatically propagated to the standby. Otherwise you’d miss a lot of things after a switchover or failover.
Nothing extra to be set except for making sure that you have linked UNIAUD into the kernel on both sides if you use it beyond the mixed mode.
Thanks Mike. You’re right. First activate UAT on Prym site (both nodes) and did some audit test and then check that both sites were having same records of audit trail in unified_audit_trail view. After that activate UAT on the binaries of stby site.
Thanks for your feedback!!
Thank you for this post. Is it possible to check if oracle executable has been linking with uniaud_on from the executable itself (without starting the instance)? And how?
I don’t really know.
I checked in /u01/app/oracle/product/19/rdbms/lib
which of the libs may be uniaud – but I couldn’t identify it.
You can do it, please check https://anjo.pt/keyword-oracle/2019/10/02/check-if-unified-audit-is-enabled-without-database-running/