My Oracle Support Banner

Setting up, Interpreting Auditing Using the Windows Event Viewer (Doc ID 99137.1)

Last updated on OCTOBER 26, 2023

Applies to:

Oracle Database Cloud Schema Service - Version N/A and later
Gen 1 Exadata Cloud at Customer (Oracle Exadata Database Cloud Machine) - Version N/A and later
Oracle Database Exadata Express Cloud Service - Version N/A and later
Oracle Cloud Infrastructure - Database Service - Version N/A and later
Oracle Database Cloud Exadata Service - Version N/A and later
Microsoft Windows (32-bit)

Purpose

This document explains how to setup and interpret Operating System Auditing of Oracle Database activity by using the Windows Event Viewer.

Some examples are :
 'Instance O901 has been terminated',
 'All processes in instance v1020 stopped',
 'Shutdown normal performed on instance v1020',
 'Audit trail:ACTION :'shutdown' ',
 'Initializing PGA fro process RECO in instance v1020',
 'Audit trail: ACTION : 'CONNECT' DATABASE USER: '/' PRIVILEGE : SYSDBA
  CLIENT USER: user1\user1 CLIENT TERMINAL: term1 STATUS: 0 .',
 'AUDIT trail: 'startup'AUDIT_TRAIL:os',
 'Audit trail: SESSIONID:"471" ENTRYID:"1" STATEMENT:"1" USERID:"USER1"
  TERMINAL:"term1" ACTION:"100" RETURNCODE:"0" COMMENT$TEXT:
  "Authenticated by DATABASE; Client address:
  (ADDRESS=(PROTOCOL=tcp)(HOST=<IP_ADDRESS>)(PORT=<PORT_MUMBER>))"
  OSUSERID:"Administrator" PRIV$USED:5

Scope

Intended audience: A Quick Start in Auditing
Refer to the references mentioned below for further information about the many auditing possibilities within Oracle. This note just gives the user an impression and some examples of how to audit and interpret when sending auditing information to the Windows Event Log.

Details

To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.