
AVDF Cannot Collect Audit Trail For SYSLOG On Linux 8 (Doc ID 2979517.1)

Last updated on JULY 20, 2024

Applies to:

Oracle Audit Vault and Database Firewall - Version 20.9.0.0.0 and later
Information in this document applies to any platform.

Symptoms

Audit Vault cannot collect the Audit Trail for SYSLOG. The content of the audit syslog is different on Linux 8; samples are shown below:

On Linux 8:
Aug 2 13:19:47 node02 journal[640537]: Oracle Audit[640537]: LENGTH : '252' ACTION :[7] 'CONNECT' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'oracle' CLIENT TERMINAL:[5] 'pts/0' STATUS:[1] '0' DBID:[8] '45475741' SESSIONID:[10] '4294967295' USERHOST:[6] 'node02' CLIENT ADDRESS:[0] '' ACTION NUMBER:[3] '100'

On Linux 7:

Syslog sample as below:
Jul 30 03:27:13 db-bke journal: Oracle Audit[52292]: LENGTH : '314' ACTION :[72] 'select action from gv$session where sid=:1 and serial#=:2 and inst_id=:3' DATABASE USER:

Note: on Linux 7 the extra ID after journal (journal[640537] in the Linux 8 sample) is not present.

Changes

SYSLOG audit file format changed in Linux 8 vs. Linux 7.
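
A parser that accepts both prefixes shown in the samples, as an added example (not Oracle's or AVDF's collector code): it treats the ID after journal as optional and slices each value by its bracketed length. The function name parse_audit_line and the reading of the bracketed number as a character count are assumptions of this example.

```python
import re

# The two sample lines from this note (the Linux 7 one is truncated on the page).
LINUX8_SAMPLE = "Aug 2 13:19:47 node02 journal[640537]: Oracle Audit[640537]: LENGTH : '252' ACTION :[7] 'CONNECT' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'oracle' CLIENT TERMINAL:[5] 'pts/0' STATUS:[1] '0' DBID:[8] '45475741' SESSIONID:[10] '4294967295' USERHOST:[6] 'node02' CLIENT ADDRESS:[0] '' ACTION NUMBER:[3] '100'"
LINUX7_SAMPLE = "Jul 30 03:27:13 db-bke journal: Oracle Audit[52292]: LENGTH : '314' ACTION :[72] 'select action from gv$session where sid=:1 and serial#=:2 and inst_id=:3' DATABASE USER:"

# Header: timestamp, host, "journal" with an optional [id] (present on Linux 8,
# absent on Linux 7), then "Oracle Audit[pid]:" and the record body.
HEADER = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"journal(?:\[(?P<journal_pid>\d+)\])?: "
    r"Oracle Audit\[(?P<audit_pid>\d+)\]: (?P<body>.*)$"
)
# Field start: NAME, ':', optional '[len]', a space and the opening quote.
FIELD = re.compile(r"\s*(?P<name>[A-Z][A-Z ]*?)\s*:(?:\[(?P<len>\d+)\])? '")

def parse_audit_line(line):
    """Return header info plus a dict of audit fields, or None if not an audit line."""
    m = HEADER.match(line)
    if m is None:
        return None
    rec = {k: m.group(k) for k in ("ts", "host", "journal_pid", "audit_pid")}
    body, pos, fields = m.group("body"), 0, {}
    while pos < len(body):
        f = FIELD.match(body, pos)
        if f is None:
            break  # truncated or unrecognised tail: keep what was parsed so far
        start = f.end()
        if f.group("len") is not None:
            # Assumption: [n] counts characters. Slicing by length keeps a value
            # that itself contains quotes (SQL text) from splitting the record.
            end = start + int(f.group("len"))
        else:
            end = body.find("'", start)  # LENGTH carries no [n] prefix
        if end < start or body[end:end + 1] != "'":
            break  # declared length does not line up with a closing quote
        fields[f.group("name")] = body[start:end]
        pos = end + 1
    rec["fields"] = fields
    return rec
```
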

Cause
