https://oracle-base.com/articles/11g/auditing-enhancements-11gr2#purgi...
This package has also been backported to previous versions down to 10g Release 2.
See Oracle Support Note 731908.1.
Related articles.
Fine Grained Auditing (9i) (/articles/9i/security-enhancements-9i#FineGrainedAuditing)
Auditing in Oracle 10g Release 2 (/articles/10g/auditing-10gr2)
Fine Grained Auditing Enhancements (10g) (/articles/10g/database-security-enhancements-10g#fga)
Uniform Audit Trail (10g) (/articles/10g/database-security-enhancements-10g#uniform_audit_trail)
Audit Trail Contents (10g) (/articles/10g/database-security-enhancements-10g#audit_trail_contents)
Auditing Enhancements (Unified Audit Trail) in Oracle Database 12c Release 1 (/articles/12c/auditing-enhancements-12cr1)
Let's see this in action. First check the current location of the audit trail tables.
CONN / AS SYSDBA

SELECT table_name, tablespace_name
FROM   dba_tables
WHERE  table_name IN ('AUD$', 'FGA_LOG$')
ORDER BY table_name;

TABLE_NAME                     TABLESPACE_NAME
------------------------------ ------------------------------
AUD$                           SYSTEM
FGA_LOG$                       SYSTEM

SQL>
BEGIN
  DBMS_AUDIT_MGMT.set_audit_trail_location(
    audit_trail_type           => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
    audit_trail_location_value => 'AUDIT_AUX');
END;
/

PL/SQL procedure successfully completed.

SQL>

-- Check locations.
SELECT table_name, tablespace_name
FROM   dba_tables
WHERE  table_name IN ('AUD$', 'FGA_LOG$')
ORDER BY table_name;

TABLE_NAME                     TABLESPACE_NAME
------------------------------ ------------------------------
AUD$                           AUDIT_AUX
FGA_LOG$                       SYSTEM

SQL>
BEGIN
  DBMS_AUDIT_MGMT.set_audit_trail_location(
    audit_trail_type           => DBMS_AUDIT_MGMT.AUDIT_TRAIL_FGA_STD,
    audit_trail_location_value => 'AUDIT_AUX');
END;
/

PL/SQL procedure successfully completed.

SQL>

-- Check locations.
SELECT table_name, tablespace_name
FROM   dba_tables
WHERE  table_name IN ('AUD$', 'FGA_LOG$')
ORDER BY table_name;

TABLE_NAME                     TABLESPACE_NAME
------------------------------ ------------------------------
AUD$                           AUDIT_AUX
FGA_LOG$                       AUDIT_AUX

SQL>
Finally, we move them both back to their original location in a single step.
BEGIN
  DBMS_AUDIT_MGMT.set_audit_trail_location(
    audit_trail_type           => DBMS_AUDIT_MGMT.AUDIT_TRAIL_DB_STD,
    audit_trail_location_value => 'SYSTEM');
END;
/

PL/SQL procedure successfully completed.

SQL>

-- Check locations.
SELECT table_name, tablespace_name
FROM   dba_tables
WHERE  table_name IN ('AUD$', 'FGA_LOG$')
ORDER BY table_name;

TABLE_NAME                     TABLESPACE_NAME
------------------------------ ------------------------------
AUD$                           SYSTEM
FGA_LOG$                       SYSTEM

SQL>
The time it takes to move the audit trail tables depends on the amount of data currently in the
audit trail tables, and the resources available on your system.
OS_FILE_MAX_AGE ).
AUDIT_TRAIL_PROPERTY_VALUE : The required value for the property.
PARAMETER_VALUE      AUDIT_TRAIL
-------------------- --------------------
10000                OS AUDIT TRAIL
10000                XML AUDIT TRAIL
5                    OS AUDIT TRAIL
5                    XML AUDIT TRAIL

SQL>
These defaults mean that OS and XML audit trail files will grow to a maximum of 10,000Kb, at
which point a new file will be created. In addition, files older than 5 days will not be written to
any more, even if they are below the maximum file size. Instead, a new file will be created and
written to. Here are some examples of changing the settings.
PARAMETER_VALUE      AUDIT_TRAIL
-------------------- --------------------
15000                OS AUDIT TRAIL
10000                XML AUDIT TRAIL
5                    OS AUDIT TRAIL
5                    XML AUDIT TRAIL

SQL>
PARAMETER_VALUE      AUDIT_TRAIL
-------------------- --------------------
15000                OS AUDIT TRAIL
10000                XML AUDIT TRAIL
5                    OS AUDIT TRAIL
10                   XML AUDIT TRAIL

SQL>
The CLEAR_AUDIT_TRAIL_PROPERTY procedure can be used to remove the size and age
restrictions, or reset them to the default values. Setting the USE_DEFAULT_VALUES parameter
value to FALSE removes the restrictions, while setting it to TRUE returns the restriction to the
default value.
-- Reset the max size default values for both OS and XML audit file.
BEGIN
  DBMS_AUDIT_MGMT.clear_audit_trail_property(
    audit_trail_type     => DBMS_AUDIT_MGMT.AUDIT_TRAIL_FILES,
    audit_trail_property => DBMS_AUDIT_MGMT.OS_FILE_MAX_SIZE,
    use_default_values   => TRUE );
END;
/

SELECT *
FROM   dba_audit_mgmt_config_params
WHERE  parameter_name LIKE 'AUDIT FILE MAX%';

PARAMETER_NAME                 PARAMETER_VALUE      AUDIT_TRAIL
------------------------------ -------------------- --------------------
AUDIT FILE MAX SIZE            10000                OS AUDIT TRAIL
AUDIT FILE MAX SIZE            10000                XML AUDIT TRAIL
AUDIT FILE MAX AGE             5                    OS AUDIT TRAIL
AUDIT FILE MAX AGE             10                   XML AUDIT TRAIL

SQL>
-- Remove the max age restriction for both OS and XML audit file.
BEGIN
  DBMS_AUDIT_MGMT.clear_audit_trail_property(
    audit_trail_type     => DBMS_AUDIT_MGMT.AUDIT_TRAIL_FILES,
    audit_trail_property => DBMS_AUDIT_MGMT.OS_FILE_MAX_AGE,
    use_default_values   => FALSE );
END;
/

SELECT *
FROM   dba_audit_mgmt_config_params
WHERE  parameter_name LIKE 'AUDIT FILE MAX%';

PARAMETER_NAME                 PARAMETER_VALUE      AUDIT_TRAIL
------------------------------ -------------------- --------------------
AUDIT FILE MAX SIZE            10000                OS AUDIT TRAIL
AUDIT FILE MAX SIZE            10000                XML AUDIT TRAIL
AUDIT FILE MAX AGE             NOT SET              OS AUDIT TRAIL
AUDIT FILE MAX AGE             NOT SET              XML AUDIT TRAIL

SQL>
-- Reset the max age default values for both OS and XML audit file.
BEGIN
  DBMS_AUDIT_MGMT.clear_audit_trail_property(
    audit_trail_type     => DBMS_AUDIT_MGMT.AUDIT_TRAIL_FILES,
    audit_trail_property => DBMS_AUDIT_MGMT.OS_FILE_MAX_AGE,
    use_default_values   => TRUE );
END;
/

SELECT *
FROM   dba_audit_mgmt_config_params
WHERE  parameter_name LIKE 'AUDIT FILE MAX%';

PARAMETER_NAME                 PARAMETER_VALUE      AUDIT_TRAIL
------------------------------ -------------------- --------------------
AUDIT FILE MAX SIZE            10000                OS AUDIT TRAIL
AUDIT FILE MAX SIZE            10000                XML AUDIT TRAIL
AUDIT FILE MAX AGE             5                    OS AUDIT TRAIL
AUDIT FILE MAX AGE             5                    XML AUDIT TRAIL

SQL>
If you are using Oracle Audit Vault, use that to manage your audit trail, not this
functionality.
/cd/E11882_01/appdev.112/e40758/d_audit_mgmt.htm#BABCEJJI)).
DEFAULT_CLEANUP_INTERVAL : The default interval in hours, after which the cleanup
procedure should be called again (1-999).
1. It claims that initializing the database audit trails moves the AUD$ and FGA_LOG$ tables
from the SYSTEM tablespace to the SYSAUX tablespace, unless they have already been
moved out of the SYSTEM tablespace. This doesn't seem to be the case as the example
below will show. Even though it doesn't happen automatically, it makes sense to move the
audit tables into the SYSAUX tablespace or their own dedicated tablespace. This is fixed
from 11.2.0.2 onward.
2. It claims it is not necessary to initialize the OS audit trails, yet in the example below you
can clearly see the default cleanup intervals being set by the initialization process.
The following code checks the current parameter settings, initializes the audit management
infrastructure for all audit trails with a default interval of 12 hours and rechecks the settings.
PARAMETER_VALUE      AUDIT_TRAIL
-------------------- --------------------
SYSTEM               STANDARD AUDIT TRAIL
SYSTEM               FGA AUDIT TRAIL
10000                OS AUDIT TRAIL
10000                XML AUDIT TRAIL
5                    OS AUDIT TRAIL
5                    XML AUDIT TRAIL
10000                STANDARD AUDIT TRAIL
10000                FGA AUDIT TRAIL
1000                 OS AUDIT TRAIL
1000                 XML AUDIT TRAIL

SQL>
BEGIN
  DBMS_AUDIT_MGMT.init_cleanup(
    audit_trail_type         => DBMS_AUDIT_MGMT.AUDIT_TRAIL_ALL,
    default_cleanup_interval => 12 /* hours */);
END;
/

PL/SQL procedure successfully completed.

SQL>
SELECT * FROM dba_audit_mgmt_config_params;

PARAMETER_NAME                 PARAMETER_VALUE      AUDIT_TRAIL
------------------------------ -------------------- --------------------
DB AUDIT TABLESPACE            SYSTEM               STANDARD AUDIT TRAIL
DB AUDIT TABLESPACE            SYSTEM               FGA AUDIT TRAIL
AUDIT FILE MAX SIZE            10000                OS AUDIT TRAIL
AUDIT FILE MAX SIZE            10000                XML AUDIT TRAIL
AUDIT FILE MAX AGE             5                    OS AUDIT TRAIL
AUDIT FILE MAX AGE             5                    XML AUDIT TRAIL
DB AUDIT CLEAN BATCH SIZE      10000                STANDARD AUDIT TRAIL
                               10000
                               1000
                               1000
                               12
DEFAULT CLEAN UP INTERVAL      12                   STANDARD AUDIT TRAIL
DEFAULT CLEAN UP INTERVAL      12                   FGA AUDIT TRAIL
DEFAULT CLEAN UP INTERVAL      12                   XML AUDIT TRAIL
Notice that the 'DB AUDIT TABLESPACE' values for the database audit trails are unchanged and the
'DEFAULT CLEAN UP INTERVAL' for all four audit trails has been set.
The current initialization status of a specific audit trail can be checked using the
IS_CLEANUP_INITIALIZED function.
SET SERVEROUTPUT ON
BEGIN
  IF DBMS_AUDIT_MGMT.is_cleanup_initialized(DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD) THEN
    DBMS_OUTPUT.put_line('YES');
  ELSE
    DBMS_OUTPUT.put_line('NO');
  END IF;
END;
/
YES

PL/SQL procedure successfully completed.

SQL>
Timestamp Management
The next thing to consider before purging the audit trail is how much data you wish to purge.
The DBMS_AUDIT_MGMT package allows us to purge all the records, or all the records older than a
specific timestamp. The timestamp in question is specified individually for each audit trail using
the SET_LAST_ARCHIVE_TIMESTAMP procedure, which accepts three parameters.
AUDIT_TRAIL_TYPE : The audit trail whose timestamp is to be set (Constants (http://docs.oracle.com/cd/E11882_01/appdev.112/e40758/d_audit_mgmt.htm#BABCEJJI)). Only individual audit trails are valid, not the constants that specify multiples.
LAST_ARCHIVE_TIME : Records or files older than this time will be deleted.
RAC_INSTANCE_NUMBER : Optionally specify the RAC node for OS audit trails. If unset it assumes the current instance.
The following code specifies a timestamp of 5 days ago for the standard database audit trail.
The setting is then checked by querying the DBA_AUDIT_MGMT_LAST_ARCH_TS view.
BEGIN
  DBMS_AUDIT_MGMT.set_last_archive_timestamp(
    audit_trail_type  => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
    last_archive_time => SYSTIMESTAMP-5);
END;
/

COLUMN audit_trail FORMAT A20
COLUMN last_archive_ts FORMAT A40

SELECT * FROM dba_audit_mgmt_last_arch_ts;

AUDIT_TRAIL          RAC_INSTANCE LAST_ARCHIVE_TS
-------------------- ------------ ----------------------------------------
STANDARD AUDIT TRAIL            0 13-DEC-09 01.57.54.000000 PM +00:00

SQL>
The timestamps for each audit trail can be cleared to allow a complete purge using the
CLEAR_LAST_ARCHIVE_TIMESTAMP procedure.
BEGIN
  DBMS_AUDIT_MGMT.clear_last_archive_timestamp(
    audit_trail_type => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD);
END;
/
Manual Purge
The CLEAN_AUDIT_TRAIL procedure is the basic mechanism for manually purging the audit trail.
/cd/E11882_01/appdev.112/e40758/d_audit_mgmt.htm#BABCEJJI)).
USE_LAST_ARCH_TIMESTAMP : Set to FALSE to purge all records/files, or TRUE to only purge
records/files older than the timestamp specified for the audit trail.
The following code queries the last archive timestamp and total number of audit records,
deletes standard database audit records older than the last archive timestamp, then returns the
number of records again.
SELECT * FROM dba_audit_mgmt_last_arch_ts;

AUDIT_TRAIL          RAC_INSTANCE LAST_ARCHIVE_TS
-------------------- ------------ ----------------------------------------
STANDARD AUDIT TRAIL            0 13-DEC-09 01.57.54.000000 PM +00:00

SQL>

SELECT COUNT(*) FROM aud$;

  COUNT(*)
----------
      2438

SQL>

BEGIN
  DBMS_AUDIT_MGMT.clean_audit_trail(
    audit_trail_type        => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
    use_last_arch_timestamp => TRUE);
END;
/

PL/SQL procedure successfully completed.

SELECT COUNT(*) FROM aud$;

  COUNT(*)
----------
        76

SQL>
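One way to tie the timestamp and purge steps together so that records are only purged after they have been copied elsewhere. This is an added example, not code from the original article; the archive table AUDIT_ARCHIVE.AUD_ARCHIVE is hypothetical and is assumed to have been created beforehand with the same column layout as SYS.AUD$, and the 5-day cutoff mirrors the value used above.

```sql
SET SERVEROUTPUT ON
DECLARE
  -- AUD$.NTIMESTAMP# is stored in UTC, so the cutoff is computed in UTC too.
  l_cutoff TIMESTAMP := SYS_EXTRACT_UTC(SYSTIMESTAMP) - INTERVAL '5' DAY;
  l_source NUMBER;
  l_copied NUMBER;
BEGIN
  -- Purging requires the cleanup infrastructure to be initialized.
  IF NOT DBMS_AUDIT_MGMT.is_cleanup_initialized(
           DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD) THEN
    RAISE_APPLICATION_ERROR(-20001,
      'Run INIT_CLEANUP for the standard audit trail first.');
  END IF;

  -- Count what is about to be archived. The cutoff is in the past,
  -- so no new rows can appear below it between the count and the copy.
  SELECT COUNT(*) INTO l_source FROM sys.aud$ WHERE ntimestamp# < l_cutoff;

  -- Copy to the hypothetical archive table (assumed to match AUD$ column order).
  -- Assumes the previous run's purge completed; otherwise rows are copied twice.
  INSERT INTO audit_archive.aud_archive
  SELECT * FROM sys.aud$ WHERE ntimestamp# < l_cutoff;
  l_copied := SQL%ROWCOUNT;

  -- Refuse to purge if the copy does not account for every source row.
  IF l_copied <> l_source THEN
    ROLLBACK;
    RAISE_APPLICATION_ERROR(-20002, 'Archive copy incomplete; nothing purged.');
  END IF;
  COMMIT;

  -- Record the cutoff as the last archive timestamp, then purge up to it.
  DBMS_AUDIT_MGMT.set_last_archive_timestamp(
    audit_trail_type  => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
    last_archive_time => l_cutoff);

  DBMS_AUDIT_MGMT.clean_audit_trail(
    audit_trail_type        => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
    use_last_arch_timestamp => TRUE);

  DBMS_OUTPUT.put_line(l_copied || ' rows archived and purged up to ' ||
    TO_CHAR(l_cutoff, 'YYYY-MM-DD HH24:MI:SS') || ' UTC');
END;
/
```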
Automated Purging
The CREATE_PURGE_JOB procedure allows you to schedule a job to call the CLEAN_AUDIT_TRAIL
procedure. When creating a purge job you can specify 4 parameters.
AUDIT_TRAIL_TYPE : The audit trail to be purged by the scheduled job (Constants (http://docs.oracle.com/cd/E11882_01/appdev.112/e40758/d_audit_mgmt.htm#BABCEJJI)).
AUDIT_TRAIL_PURGE_INTERVAL : The interval in hours between purges.
AUDIT_TRAIL_PURGE_NAME : A name for the purge job.
USE_LAST_ARCH_TIMESTAMP : Set to FALSE to purge all records/files, or TRUE to only purge
records/files older than the timestamp specified for the audit trail.
The following code schedules a purge of all audit trails every 24 hours. The resulting job is
visible in the DBA_SCHEDULER_JOBS view.
BEGIN
  DBMS_AUDIT_MGMT.create_purge_job(
    audit_trail_type           => DBMS_AUDIT_MGMT.AUDIT_TRAIL_ALL,
    audit_trail_purge_interval => 24 /* hours */,
    audit_trail_purge_name     => 'PURGE_ALL_AUDIT_TRAILS',
    use_last_arch_timestamp    => TRUE);
END;
/

PL/SQL procedure successfully completed.

SQL>

SELECT job_action
FROM   dba_scheduler_jobs
WHERE  job_name = 'PURGE_ALL_AUDIT_TRAILS';

JOB_ACTION
--------------------------------------------------------------------------------
BEGIN DBMS_AUDIT_MGMT.CLEAN_AUDIT_TRAIL(15, TRUE); END;

SQL>
The job can be disabled and enabled using the SET_PURGE_JOB_STATUS procedure.
BEGIN
  DBMS_AUDIT_MGMT.set_purge_job_status(
    audit_trail_purge_name   => 'PURGE_ALL_AUDIT_TRAILS',
    audit_trail_status_value => DBMS_AUDIT_MGMT.PURGE_JOB_DISABLE);

  DBMS_AUDIT_MGMT.set_purge_job_status(
    audit_trail_purge_name   => 'PURGE_ALL_AUDIT_TRAILS',
    audit_trail_status_value => DBMS_AUDIT_MGMT.PURGE_JOB_ENABLE);
END;
/
The interval of the purge job can be altered using the SET_PURGE_JOB_INTERVAL procedure.
BEGIN
  DBMS_AUDIT_MGMT.SET_PURGE_JOB_INTERVAL(
    audit_trail_purge_name     => 'PURGE_ALL_AUDIT_TRAILS',
    audit_trail_interval_value => 48);
END;
/
BEGIN
  DBMS_SCHEDULER.create_job (
    job_name        => 'audit_last_archive_time',
    job_type        => 'PLSQL_BLOCK',
    job_action      => 'BEGIN
DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(DBMS_AUDIT_MGMT.AUDIT
DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(DBMS_AUDIT_MGMT.AUDIT
DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(DBMS_AUDIT_MGMT.AUDIT
DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(DBMS_AUDIT_MGMT.AUDIT
END;',
    start_date      => SYSTIMESTAMP,
    repeat_interval => 'freq=daily; byhour=0; byminute=0; bysecond=0;',
    end_date        => NULL,
    enabled         => TRUE,
    comments        => 'Automatically set audit last archive time.');
END;
/