DBMS_AUDIT_MGMT not purging audit files for AVDF 12 Secure Target Database (or Audit Vault 10.3 Source Database) using CLEAN_AUDIT_TRAIL (Doc ID 1329116.1)

Last updated on FEBRUARY 04, 2020

Applies to:

Goal

This document explains how Audit Vault (AV) works toghether with dbms_audit_mgmt package to purge audit records from the source databases, specifically we discuss the processing and removal of filesystem audit files. This can be used for both AVDF 12.1 and AV 10.3 (when using this note for AV 10.3 replace the words trail and secured target with collector and source database respectively).

The number of the audit records in the audit file destination directory of a database has a serious impact on the performance and stability of the AV trails. Because of this it is important that these audit records are purged as soon as the audit data was moved to the Audit Vault repository. The recommended way of removing the audit records is to use a cleanup job created via the DBMS_AUDIT_MGMT package (See <Note 731908.1>). The cleanup process workflow is the following:

1) The trail, after moving the audit data to the AV repository and finishing with the audit files of a certain time period, is setting a new value for LAST_ARCHIVE_TS in the source database. This signals the fact that it is safe to delete / remove all the files that are older than that timestamp.

2) The purge job is starting regularly and compares the value of LAST_ARCHIVE_TS with the timestamps of all the existing audit records/audit files. All the records/files that are older than LAST_ARCHIVE_TS are removed.


The current note presents some basic diagnostic steps in case the automatic audit files cleanup for an Audit Vault source database is not working as expected. 
 

Solution

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.