Skip Headers
Oracle® Audit Vault Auditor's Guide
Release 10.2.3

Part Number E11058-01
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Index
Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
View PDF

3 Using Oracle Audit Vault Reports

This chapter contains:

3.1 What Are Oracle Audit Vault Reports?

The Oracle Audit Vault reports are automatically generated reports that describe the state of audited activities. They reflect audited data collected from the Oracle Database and Microsoft SQL Server database sources that connect to the Oracle Audit Vault server. For all three of these products, they track the audit events described in Appendix B and Appendix C.

The default reports are organized into various categories, such as Access Reports, Management, and so on. You can create user-defined reports that focus on specific areas or audited events.

Any user who has been granted the AV_AUDITOR role can view and modify the reports.

3.2 Accessing the Oracle Audit Vault Audit Reports

To access the Oracle Audit Vault audit reports:

  1. Log in to the Oracle Audit Vault Console and log in as a user who has been granted the AV_AUDITOR role.

    Section 1.4 explains how to start the Audit Vault Console. The Home page appears.

  2. Click the Audit Report tab in the upper-right corner of the window.

  3. Do one of the following:

    • To use the default reports: Click the Default Reports secondary tab. Figure 3-1 shows the Default Reports page. To view a report, for example, Data Access under the Access Reports category, click its link.

    • To use user-defined reports: Click the Custom Reports secondary tab. If you have created any user-defined reports, click the name of the report in the Report Name column to access the report.

Figure 3-1 displays the Default Reports page.

Figure 3-1 Default Reports Page

Description of Figure 3-1 follows
Description of "Figure 3-1 Default Reports Page "

3.3 Using the Default Access Reports

These reports track general database access activities such as audited SQL statements, Oracle Database Vault activities, application access activities, and user login activities. You can create user-defined reports from these reports; see Section 3.8.

The Access Reports are as follows:

3.3.1 Activity Overview Report

The Activity Overview report page displays all audit trail records. Audit records display based on their audit event time in descending order (newest record first). This report can be very large, but you can always create a user-defined version that filters specific audit data. By default, 15 audit records display per page.

3.3.2 Data Access Report

The Data Access Report displays audited SQL statements, such as Oracle Database data manipulation language (DML) activities, for example, all SELECT, INSERT, UPDATE, or DROP SQL statements.

See Also:

  • Section B.5 for Oracle Database audit events

  • Section C.5 for SQL Server audit events

  • Section 3.6.4 if you want use the Data Change Report to track changes to row data from INSERT or UPDATE statements

3.3.3 Database Vault Report

The Database Vault Report displays audited Oracle Database Vault activity. These audit records are collected from the Oracle Database Vault audit trail.

If the Database Vault Report does not show data, then Oracle Database Vault may not be enabled. To check that Oracle Database Vault is enabled, log in to SQL*Plus and then query the V$OPTION table. Any user can query this table. If Oracle Database Vault is enabled, the query returns TRUE; otherwise it returns FALSE. Remember that you must enter the parameter value, Oracle Database Vault, using case-sensitive letters.

For example:

SQL> SELECT * FROM V$OPTION WHERE PARAMETER = 'Oracle Database Vault';
 
PARAMETER                     VALUE
----------------------------- -----------------------
Oracle Database Vault         TRUE

See also Section B.6 for a listing of the Oracle Database Vault audit events.

3.3.4 Distributed Database Report

The Distributed Database Report displays audited distributed database activity, such as Oracle Database CREATE DATABASE LINK or DROP DATABASE LINK statements. (Note that the associated audit events are called peer association events.)

See Also:

3.3.5 Procedure Executions Report

The Procedure Executions Report displays audited application access activity, such as the execution of SQL procedures or functions. (Note that the associated audit events are called service and application utilization events.)

See Also:

3.3.6 User Sessions Report

The User Sessions Report displays audited authentication events for users who log in to the database. This includes the time the user logged on, the login event, and how the user was authenticated.

See Also:

3.4 Using the Default Management Activity Reports

These reports track the use of AUDIT SQL statements, changes to user accounts, actions performed on the underlying packages for applications, actions performed on database objects, roles and privileges, and system management activities such as database shutdowns and startups. You can create user-defined reports from these reports; see Section 3.8.

The Management Activity Reports are as follows:

3.4.1 Account Management Report

The Account Management Report displays account management activity of the user's audited SQL statements. This includes audited changes to user accounts and profiles (setting limits on database resources), for example, when user accounts are created, altered, or deleted, and when database schemas are created.

See Also:

3.4.2 Audit Commands Report

The Audit Command Report displays the use of audit commands, such as Oracle Database AUDIT SQL statements on other SQL statements and on database objects. For example, for Oracle Database, this page tracks AUDIT ALL, AUDIT SELECT ON table_name statements, NOAUDIT statements, and so on.

See Also:

3.4.3 Object Management Report

The Object Management Report displays audited actions performed on database objects. For example, these audit records are created for create, alter, or drop operations on database objects that are performed on a database table.

See Also:

3.4.4 Procedure Management Report

The Procedure Management Report displays audited actions that were performed on the underlying procedures or functions of system services and applications. For example, it lists the audit records that were created for Oracle Database ALTER FUNCTION, ALTER JAVA, or ALTER PACKAGE operations. (Note that the associated audit events are called application management events.)

See Also:

3.4.5 Role and Privilege Management Report

The Role and Privilege Management Report lists audited role and privilege management activity, such as the creating, granting, revoking, and dropping of roles and privileges. It lists the name of the user performing the action, and the user to whom the action applies.

See Also:

3.4.6 System Management Report

The System Management Report displays audited system management activity. For example, it lists activities such as startup and shutdown operations on a database, rollback operations, enable and disable operations on all triggers, and so on. It also lists user-related operations, such as unlocking a user account.

See Also:

3.5 Using the Default System Exception Reports

These reports track audit events, such as exceptions that occur and audit activities that Oracle Audit Vault cannot recognize or place into a category. You can create user-defined reports from these reports; see Section 3.8.

The System Exception Reports are as follows:

3.5.1 Exception Report

The Exception Report displays audited error and exception activity, such as network errors.

See Also:

3.5.2 Invalid Audit Record Report

The Invalid Audit Record Report displays audited activity that Audit Vault could not understand, possibly due to a corrupted audit record.

See Also:

3.5.3 Uncategorized Activity Report

The Uncategorized Activity Report displays audited activity that cannot be categorized. For example, it lists events such as Oracle Database COMMENT, CREATE SUMMARY, or NO-OP events.

See Also:

3.6 Using the Default Compliance Reports

These reports show compliance-related information that may appear in other Oracle Audit Vault reports. They track activities that are typically required to meet standard compliance regulations, such as changes to the database structure or its objects, failed logins, administrator activities, system events, and user logins or logoffs. You can create user-defined reports from these reports; see Section 3.8.

The Compliance Reports are as follows:

3.6.1 Account and Role Changes - Blocked Report

The Account and Role Changes - Blocked Report displays audited activity that identifies all failed attempts to perform security administration changes in the database. For example, these audit records are generated when you enable privilege auditing to audit failed attempts to grant system and table privileges.

3.6.2 Account and Role Changes Report

The Account and Role Changes Report displays audited activity that identifies all successful attempts to perform security administration changes in the database. For example, these audit records are generated when you use statement or object auditing to audit changes to users that were successfully added, dropped, or altered in the database.

3.6.3 Changes to Audit Report

The Changes to Audit Report displays audited activity of audit setting changes, for example, changes to the AUDIT ALL SQL statement.

3.6.4 Data Change Report

The Data Change Report displays changes to row data when an INSERT or UPDATE operation occurs in Oracle Database. This report is especially useful if you are using the REDO collector to extract the before and after values of data updates.

3.6.5 DDL Report

The DDL Report displays audited data definition language (DDL) activities, for example, changes to the database structure that result from SQL ALTER, CREATE, or DROP statements.

3.6.6 Login Failures Report

The Login Failures Report displays audited failed login attempts. These audit records are generated for failed login, proxy authentication only, and super user login attempts.

3.6.7 Login/Logoff Report

The Login/Logoff Report displays audited login and logoff operations of users. For example, these audit records are generated when you audit events, such as login, logoff, super user login, logoff by cleanup, and proxy authentication only.

3.6.8 Object Access Report

The Object Access Report displays audited SQL statements that have been performed on database objects, such as INSERT or UPDATE operations on a specific table.

3.6.9 System Events Report

The System Events Report displays audited system event activities. These audit records are generated when you audit local system processes, such as system startups and shutdowns, or changing database parameters.

3.7 Using the Critical and Warning Alert Reports

These reports track critical and warning alerts. An alert is raised when data in a single audit record matches a predefined alert rule condition. Alerts are grouped by associated source, by event category, and by the severity level of the alert (either warning or critical). You can create user-defined reports from these alerts; see Section 3.8.

The Alert reports are as follows:

3.7.1 All Alerts Report

This report tracks all alerts, both critical and warning alerts.

3.7.2 Critical Alerts Report

This report tracks critical alerts.

3.7.3 Warning Alerts Report

This report tracks warning alerts.

3.8 Controlling the Display of Data in a Report

This section contains:

3.8.1 About Controlling the Display of Report Data

You can control the display of data in a default or user-defined report to focus on a particular set of data. Oracle Audit Vault automatically saves the report settings so that if you leave the page, the report settings are still in place when you return. Optionally, you can save the report to a user-defined report.

3.8.2 Hiding or Showing Columns in a Report

When you hide or show columns in a report, you still can perform operations on hidden columns, such as filtering data based on a column that you have hidden.

This section contains:

3.8.2.1 Hiding the Currently Selected Column

To hide the currently selected column:

  1. In the report, select the column that you want to hide.

  2. In the Column Heading menu, select the Hide Column button.

3.8.2.2 Hiding or Showing Any Column

To hide or show columns in a report:

  1. Access the report that you want.

    Section 3.2 explains how to access a report.

  2. Select the Actions menu (gear) icon on the Search Bar.

    The Actions menu appears.

    Description of actions_menu.gif follows
    Description of the illustration actions_menu.gif

  3. From the Actions menu, select Select Columns.

    The Select Columns dialog box appears under the Search Bar.

    Description of select_cols.gif follows
    Description of the illustration select_cols.gif

  4. To move column names between the Display in Report and Do Not Display boxes:

    • Select the column names to move and then click the move to the left symbol (<) or the move to the right symbol (>) that displays between the column name boxes.

    • Move all columns left or right by using the >> and << buttons.

    • Use the top button (the arrows in a circle) to reset the columns to their original locations in the two boxes.

  5. To set the order of appearance in the report for displayed columns, in the Display in Report box, select the column name, then click the up or down arrow on the right side of the box to reorder its position in the list.

    Report columns names are arranged in a report left to right by their top-to-bottom order in the Display in Report box.

  6. Click Apply.

3.8.3 Filtering Data in a Report

You can filter the report to show all rows based on a particular column, or a subset of of rows, using an expression.

If you need to perform subquery, join, and AND SQL operations, you can create multiple filters as needed. For example, if you want to filter all SYS users who are being audited for the SUPER USER LOGON event, you would create one filter to catch all SYS users, and then a second filter to catch all SUPER USER LOGON events. If two or more of the filters for a report are enabled, then Oracle Audit Vault uses both or all of them (as in an AND operation). You can toggle specific filters on or off, depending on the results you want.

This section contains:

3.8.3.1 Filtering All Rows Based on Data from the Currently Selected Column

This filtering method lets you filter data in all rows based on the currently selected column, for example, all rows that only contain SYS in the User column.

To filter all rows based on data from the current column:

  1. Access the report that you want.

    Section 3.2 explains how to access a report.

  2. Under the report name, select the column that you want to use as a basis for the filter.

    The Column Heading menu appears. This menu shows the row data used in the column you selected. For example, if you had selected the User column, it lists user names found in the source database for this column, such as users APPS, OE, SH, and so on.

    Description of filter_col.gif follows
    Description of the illustration filter_col.gif

  3. In the Column Heading menu, select row data on which you want to base the filter, or enter the row data item in the text area field.

    For example, to only show rows for user SYS, select SYS from the Column Heading menu. Oracle Audit Vault filters the display to only show the data in the filter you created. The filter definitions for the current user session are added above the report columns.

    Description of filter_col2.gif follows
    Description of the illustration filter_col2.gif

  4. To enable or disable the display of the filtered data, select its corresponding check box. To remove a filter, click its Remove Filter icon.

3.8.3.2 Filtering Column and Row Data

You can use the Search Bar to search for row data in one or all columns in the report, for example, all rows that contain the letters SYS (such as SYS, SYSTEM, and so on) in the User column.

To search for row data in one or all columns:

  1. Access the report that you want.

    Section 3.2 explains how to access a report.

  2. If you want to focus the search on a specific column, in the Search Bar, select the Search icon to select from the list available columns.

    By default, Oracle Audit Vault searches all columns.

    Description of filter_search.gif follows
    Description of the illustration filter_search.gif

  3. In the Search Bar text area, enter all or part of the text in the column row that you want, for example, SYS to find all user names that contain the letters SYS.

    The search is not case sensitive, so you can enter the text in any case.

  4. In the Rows list, select the number of rows that you want to appear on each page.

    The default is 15 rows.

  5. Click Go.

3.8.3.3 Filtering Row Data Using an Expression

This method lets you select all rows that meet a WHERE condition, such as all users who are not user SYS. You can create the expression for all columns in the source database table, even those that are not shown in the current report.

To filter row data using an expression:

  1. Access the report that you want.

    Section 3.2 explains how to access a report.

  2. Select the Actions menu (gear) icon on the Search Bar.

  3. Select Filter.

    The Filter dialog box appears under the Search Bar.

  4. Enter the following information:

    • Column: Select the name of the column from the list. Note that you can select all columns, including hidden columns.

    • Operator: Select a SQL operator from the list, for example, > for "greater than" or = for "equals."

    • Expression: Select an expression from the list. The expression lists the row data, for examples, names of users found in the User column. If you type the expression in the Expression box, remember that the expression is case-sensitive. In most cases, use upper-case letters.

    Description of filter_expr.gif follows
    Description of the illustration filter_expr.gif

  5. Click Apply.

    Oracle Audit Vault filters the display of row data based on the expression you created, and then adds the filter definition before the report columns. From here, you can disable or re-enable the display of the filtered data, or remove the filter, if you want.

    Description of filter_expr_mul.gif follows
    Description of the illustration filter_expr_mul.gif

3.8.4 Sorting Data in a Report

You can sort data in ascending or descending order for all columns at once, or by sorting data on a selected column.

This section contains:

3.8.4.1 Sorting Row Data for the Currently Selected Column

To sort row data for the current column:

  1. Select the column on which you want to base the sort.

  2. In the Column Heading menu, select either the Sort Ascending or Sort Descending icon.

3.8.4.2 Sorting Row Data for All Columns

To sort row data for all columns:

  1. Access the report that you want.

    Section 3.2 explains how to access a report.

  2. Select the Actions menu (gear) icon on the Search Bar.

  3. In the Actions Menu, select Sort.

    The Sort dialog box displays under the Search Bar.

    Description of sortrgb.gif follows
    Description of the illustration sortrgb.gif

  4. Enter the following information:

    • Column: For up to six columns, select the columns to sort. By default, the first sort column is Event Time, which is sorted in descending order.

    • Direction: Select either Ascending or Descending.

    • Null Sorting: Select the Null sorting rule for each column (Default, Nulls Always Last, or Nulls Always First). The default is to not sort nulls.

  5. Click Apply.

3.8.5 Highlighting Rows in a Report

You can highlight specific rows in a report by assigning them colors. This enables anyone viewing the report to quickly find areas that are of particular interest.

To highlight rows in the report:

  1. Access the report that you want.

    Section 3.2 explains how to access a report.

  2. Select the Actions menu (gear) icon on the Search Bar.

  3. In the Actions menu, select Highlight.

    The Highlight dialog box appears under the Search Bar.

  4. Enter the following information:

    • Name: Enter a name for this highlight instance. (Optional)

    • Sequence: Enter a sequence number to determine the order the highlight filter rules are to be applied when two or more highlight filter rules are in effect. The default value is 10.

    • Enabled: Select Yes to enable the highlight or select No to disable it.

    • Highlight Type: Select Row to highlight a row or select Cell to highlight a cell.

    • Background Color: Select a background color for the row or cell. Click a color to quick link to a color option, or click the colored icon to the right of the color selection field to display a color selection box from which to choose a different color. Alternatively, you can manually enter the HTML code for a color.

    • Text Color: Select a text color for the row or cell using the same method you used for the background color. (Optional)

    • Highlight Condition: Edit the highlight filter rule expression by identifying the column, the operator, and the expression for each of the three fields in the highlight condition.

      • Column: Select any column name, including hidden columns if you want.

      • Operator: Select an operator from a list of standard Oracle Database operators, such as =, !=, NOT IN, BETWEEN, and so on.

      • Expression: Enter the comparison expression (without quotation marks) based on a known value for that column name to complete the filter expression. For example, entering the filter expression EVENT=SUPER USER LOGON, filters for all values in the Event column that contain the value SUPER USER LOGON.

    Description of highlightrgb.gif follows
    Description of the illustration highlightrgb.gif

  5. Click Apply.

3.8.6 Charting Data in a Report

You can select from four chart styles to chart data in a report. After you create the chart, you can access it whenever you access the report.

To chart data in a report:

  1. Access the report that you want.

    Section 3.2 explains how to access a report.

  2. Select the Actions menu (gear) icon on the Search Bar, and then select Chart.

    The Chart dialog box appears under the Search Bar.

  3. Enter the following information:

    • Chart style: Select from one of the four chart styles: Horizontal Column, Vertical Column, Pie, and Line.

    • Label: Select from the list of columns for this report. You can include hidden columns as well as displayed columns.

    • Value: Select from the list of columns for this report, including hidden columns. If the function you select from the Function list is Count, then you do not need to select a value from the Value column.

    • Function: Select an aggregate function (Sum, Average, Minimum, Maximum, or Count) on which to aggregate the data values.

    • Sort: Select ascending or descending sorting for values and labels.

    • Axis Title for Label: Enter a name for the axis title.

    • Axis Title for Value: Enter a name for the axis value.

    Description of chart.gif follows
    Description of the illustration chart.gif

  4. Click Apply.

    The chart displays, with the Edit Chart and View Report links under the Search Bar. The following example displays a count of users who have logged in, clearly showing that user JSCHAFFER has been very busy.

    Description of charted_data.gif follows
    Description of the illustration charted_data.gif

3.8.7 Adding a Control Break to a Column in a Report

You can create a break group on the selected column. This pulls the column out of the report as a master record. A break group is a way of grouping all rows with the same value under a master record, thus creating groups of master records, one master record for each column value. This is useful for filtering by multiple column values.

To add a control break in a column:

  1. Access the report that you want.

    Section 3.2 explains how to access a report.

  2. Select the column to which you want to add a control break.

  3. In the Column Heading menu, select the Control Break icon.

    The control break is added to the column, and icons for enabling, disabling, and removing the control break are added before the column headings.

3.8.8 Resetting the Report Display Values to Their Default Settings

You can reset the report display values to their original default settings.

To reset the display settings to their defaults:

  1. Access the report that you want.

    Section 3.2 explains how to access a report.

  2. Select the Actions menu (gear) icon on the Search Bar, then select Reset.

  3. In the Reset confirmation dialog box, select Apply.

3.9 Finding Information About Report Data

This section contains:

3.9.1 Finding Detailed Information About an Audit Record

You can find the following detailed information about an individual audit record: information about the source database, audited event, audited objects (such as tables or views), client/user information, host computer on which the user is logged, audited SQL statements, the user session information, and miscellaneous information such as the audit record ID, instance number, and fine-grained audit policy name.

To find detailed information about an audit record:

  1. Access the report that you want.

    Section 3.2 explains how to access a report.

  2. Use the methods described in Section 3.8 to find the audit record.

  3. Select the Audit Record Details icon, which appears to the left of the first column in the report.

    Description of single_row_view.gif follows
    Description of the illustration single_row_view.gif

    A detailed report for the audit record appears.

3.9.2 Finding a Information About the Purpose of a Column

To find information about the purpose of a column:

  1. Access the report that you want.

    Section 3.2 explains how to access a report.

  2. Select the column on which you want information.

  3. In the Column Heading menu, select the Column Information icon.

3.10 Working with User-Defined Reports

This section contains:

3.10.1 About User-Defined Reports

You can create user-defined reports based on the default reports or other user-defined reports. You can create a category for the report independently or when you create the user-defined report.

3.10.2 Creating a Category for User-Defined Reports

Before you create a user-defined report, you may want to create a category in which to assign it. You can create and manage category names on the User-Defined Reports page.

This section contains:

3.10.2.1 Creating a Category Name

To create a category name for user-defined reports:

  1. Under Tasks, click Manage Categories.

  2. On the Categories page, click Create Category.

  3. In the Category Name field, enter the name of the new category.

  4. Click Create.

3.10.2.2 Alphabetizing the Category Name List

To alphabetize the category name list:

  1. Click the Category Name column label name once.

    This positions the direction pointer to point upward (category names appear in ascending order).

  2. Click the Category Name column label name once again to position the direction pointer to point downward (category names appear in descending order).

3.10.2.3 Editing Category Names

To editing category names:

  1. To manage category names, click the Edit icon (pencil) to the left of the category name.

    The Category page displays for the selected category name.

  2. On the Category page, edit the category name by editing the text in the Category Name field.

  3. Click Apply.

3.10.3 Creating a User-Defined Report

You can save the display settings that you have created to a user-defined report. User-defined reports are listed in the Custom Reports secondary tab. Oracle Audit Vault saves the report settings and makes the user-defined report available the next time you log in to Oracle Audit Vault.

When you save a user-defined report, you can save the report under a specific category that you select or create as you save the report. You can also make the user-defined report private or share it among other Audit Vault Auditor users as a public report.

To create a user-defined report:

  1. Access the report that you want.

    Section 3.2 explains how to access a report.

  2. Use the methods described in Section 3.8 to design the display of data as needed.

  3. Select the Actions menu (gear) icon on the Search Bar, and then select Save Report.

    The Save Report dialog box appears, under the Search Bar.

  4. Enter the following information:

    • Name: Enter a name for the report.

    • Category: Select from the list of available categories. If you select New Category, then enter a name for the new category.

      If you need to create a new category, see Section 3.10.2.

    • Description: Enter a brief description for the report.

    • Public: Select this check box to enable the report to be accessible to all Audit Vault Auditor users.

  5. Click Apply.

3.10.4 Accessing a User-Defined Report

To access a user-defined report:

  1. Log in to the Oracle Audit Vault Console as a user who has been granted the AV_AUDITOR role.

  2. Select the Audit Reports tab, and then select the Custom Reports secondary tab.

  3. In the Report Name column, select the link for the report you want to access.

    The report appears. Its report details icon and filter definitions appear after the Search Bar. From here, you can click the Saved Report link to change the report settings, delete the report, or disable and re-enable the report filters.

    Description of user_def_report.gif follows
    Description of the illustration user_def_report.gif

3.11 Downloading a Report to a CSV File

You can download reports to a file that is in a comma-separated values (CSV) format. The CSV file format is a delimited data format with fields separated by the comma character and records separated by newlines.

To download a report to a CSV file:

  1. Access the report that you want.

    Section 3.2 explains how to access a report.

  2. Select the Actions menu (gear) icon on the Search Bar, and then select.

  3. In the Download dialog box, select CSV.

  4. In the File Download dialog box, enter a name for the file.

  5. Click Save to save the file to a location in your file system.