I have a large database that needs auditing on a very detailed level (every select, update, insert, and delete, along with the actual text of the statement) for about half the users. I know how to do this (here is a related question for anyone interested), but I also realize we cannot do this for any extended amount of time because of how much quickly we would be collective massive amounts of data. So while there is a scheduled downtime coming up that we can implement the auditing, to change it to fine tune it (as management changes the request of what data they desire) or to disable it once we have enough data would require us having to take the database down to disable this. While this wouldn’t be too horrible to do if we were able to schedule a short downtime late at night, it would be really nice if this could be avoided altogether, but every reference I’ve seen so far requires the database to be brought down and back up.
So, my question (which I believe to be general enough for the purposes of this site, even though the back story is specific) is if there is a way to enable/disable/change auditing without shutting down the database.
Edit: Oracle version 11r2. As for AUD$ vs. FGA, I’m not sure what FGA is, but AUD is the table which will hold the data, so I am assuming that one.
AUDIT_TRAIL is an initialisation parameters and needs a database restart. Anyway by default
AUDIT_TRAIL is set to DB. This could be enough.
AUDIT_TRAIL you have just to issue:
AUDIT SELECT TABLE
to start the audit on any table for any select. As you stated this activity has an overhead from the database point of view. you have to pay attention to you
SYSAUX tablespace growth where by default resides the
sys.aud$ table. To move
sys.aud$ you have to do:
SQL> BEGIN DBMS_AUDIT_MGMT.set_audit_trail_location( audit_trail_type => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,--this moves table AUD$ audit_trail_location_value => 'AUDIT_TBS'); END; /
FGA is much more than AUDIT and lets you specify the conditions necessary for an audit record to be generated. Furthermore FGA policies are programatically bound to the object (table, view).
Apart from this you should consider a different solution like an third party tool for DAM (Direct Access Monitoring). Oracle has its own solution today called Oracle Firewall. Otherwise you can check for other products like IBM Guardium, DBProtect, etc.