How To Purge The UNIFIED AUDIT TRAIL (Doc ID 1582627.1)
| Goal |
| Solution |
APPLIES TO:
Oracle Database - Enterprise Edition - Version 12.1.0.1 and laterOracle Database Cloud Schema Service - Version N/A and later
Gen 1 Exadata Cloud at Customer (Oracle Exadata Database Cloud Machine) - Version N/A and later
Oracle Cloud Infrastructure - Database Service - Version N/A and later
Oracle Database Exadata Express Cloud Service - Version N/A and later
Information in this document applies to any platform.
GOAL
How to purge the UNIFIED_AUDIT_TRAIL table ?
SOLUTION
The unified audit trail can be purged using the DBMS_AUDIT_MGMT package:
sqlplus / as sysdba
SQL> select count(*) from unified_audit_trail;
COUNT(*)
----------
2619
SQL>
BEGIN
DBMS_AUDIT_MGMT.CLEAN_AUDIT_TRAIL(
audit_trail_type => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,
use_last_arch_timestamp => FALSE);
END;
/
PL/SQL procedure successfully completed.
SQL> select count(*) from unified_audit_trail;
COUNT(*)
----------
1
You can also use the last_arch_timestamp, if you don't want to purge all the audit record and kept the most recent record:
DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(audit_trail_type => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,last_archive_time => TO_TIMESTAMP('10-SEP-0714:10:10.0','DD-MON-RRHH24:MI:SS.FF'));
END;
/
BEGIN
DBMS_AUDIT_MGMT.CLEAN_AUDIT_TRAIL(
audit_trail_type => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,
use_last_arch_timestamp => TRUE);
END;
/
Since Unified Auditing caches the audit trail in memory to implement a 'lazy write' feature that helps performance, some of the records eligible for deletion may still linger in the cache, to also first flush this cache add a call to: DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL; before the call to
dbms_audit_mgmt.clean_audit_trail, this will cause more consistent / expected results.
If a purge job needs to be configured for unified audit trail and automatic advancement of the last_archive_timestamp following code can be used
DBMS_AUDIT_MGMT.CREATE_PURGE_JOB(
audit_trail_type => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,
audit_trail_purge_interval => 24 /* hours */,
audit_trail_purge_name => 'CLEANUP_AUDIT_TRAIL_UNIFIED',
use_last_arch_timestamp => TRUE);
END;
/
BEGIN
DBMS_SCHEDULER.create_job (
job_name => 'audit_last_archive_time',
job_type => 'PLSQL_BLOCK',
job_action => 'BEGIN
DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED, TRUNC(SYSTIMESTAMP)-10);
END;',
start_date => SYSTIMESTAMP,
repeat_interval => 'freq=daily; byhour=0; byminute=0; bysecond=0;',
end_date => NULL,
enabled => TRUE,
comments => 'Automatically set audit last archive time.');
END;
The following code can be used to combine purge job & automatic advancement of archive timestamp in one scheduler code.
BEGIN
DBMS_SCHEDULER.create_job (
job_name => 'PURGE_UNIFIED_AUDIT_JOB',
job_type => 'PLSQL_BLOCK',
job_action => 'BEGIN
DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED, SYSTIMESTAMP-31);
DBMS_AUDIT_MGMT.CLEAN_AUDIT_TRAIL(
audit_trail_type => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,
use_last_arch_timestamp => TRUE);
END;',
start_date => '',
repeat_interval => 'freq=daily; byhour=3; byminute=10; bysecond=0;',
end_date => NULL,
enabled => TRUE,
comments => 'Purge unified audit trail older than 31 days.');
END;
/
Applicable from 12c to 19c. Archiving audit trail with in the database.
https://docs.oracle.com/en/database/oracle/oracle-database/19/dbseg/administering-the-audit-trail.html#GUID-DACD856C-F3B2-40A1-9D48-882BBF438FCB
27.2.2 Archiving the Unified and Traditional Database Audit Trails
&
Starting 19c
We can export unified audit trail to dump file using below reference
https://docs.oracle.com/en/database/oracle/oracle-database/19/dbseg/administering-the-audit-trail.html#GUID-8140CCBF-77EE-4F86-A055-B9F9AB8B4573
27.1.8 Exporting and Importing the Unified Audit Trail Using Oracle Data Pump
Comments
Post a Comment