Database Connector

Oracle Connector

Connect DB Audit to your Oracle databases for comprehensive activity monitoring, SQL auditing, and compliance reporting. Zero performance impact with our lightweight collector.

Native Deep Integration

Zero Agent Architecture

No software to install on your database servers

Unified Audit Trail

Leverages Oracle native auditing

<1% Performance Impact

Lightweight read-only collection

What You Can Monitor

Real-Time Query Monitoring

Capture every SQL and PL/SQL statement executed against your Oracle database with microsecond precision.

User Activity Tracking

Track all user sessions, authentication events, privilege grants, and role assignments.

Schema Change Detection

Detect and alert on DDL operations including CREATE, ALTER, DROP, and GRANT statements.

Data Access Patterns

Analyze query patterns to identify unusual data access or potential data exfiltration.

Requirements

Oracle Version 12c or higher (19c+ recommended)
Network Access TCP port 1521 (or custom port)
Authentication Password, Kerberos, or Oracle Wallet
Required Privileges SELECT_CATALOG_ROLE, AUDIT_VIEWER

Configuration Reference

Basic Connection

Field Type Required Description
name string Yes A unique name to identify this connection
host string Yes Oracle server hostname or SCAN address
port number Yes Oracle listener port
service_name string Yes Oracle service name or SID
username string Yes Database username for authentication
password password Yes Database password (stored encrypted)

SSL/TLS Configuration

Field Type Default Description
ssl_enabled boolean false Enable TLS/SSL encryption
wallet_location string - Path to Oracle Wallet for SSL/TLS
ssl_server_dn string - Server distinguished name for verification

Log Collection

Field Type Default Description
log_collection_type select native_audit Method for collecting audit logs
audit_trail select unified Audit trail type
polling_interval number 5 Seconds between log collection polls
batch_size number 100 Maximum events per batch
audit_file_dest string - Path to Oracle OS audit file directory (AUDIT_FILE_DEST)
file_format select auto OS audit file format to parse
syslog_enabled boolean false Also read audit records forwarded to syslog
syslog_facility string - Syslog facility for audit records (e.g., LOCAL0)

Log Collection Methods

DB Audit supports multiple methods for collecting audit logs from Oracle.

Unified Audit (Native)

Recommended

Direct integration with Oracle Unified Audit for comprehensive tracking of all database activities.

Real-time event capture
Full SQL text logging
Fine-grained auditing
Minimal performance impact

Custom Query

Query custom audit tables or views for specialized audit data collection.

Flexible data sources
Legacy audit support
Custom audit tables
Third-party audit tools

OS Audit Trail (File-Based)

Collect audit records written as OS files to the AUDIT_FILE_DEST directory, including mandatory SYSDBA/SYSOPER events.

Captures SYSDBA/SYSOPER events
No DB connection required
Works during startup/shutdown
Syslog integration available
1

Create Audit User

Create a dedicated read-only user for DB Audit with access to audit views and system statistics. 

-- Create a dedicated audit user with minimal privileges
CREATE USER dbaudit_reader IDENTIFIED BY "your_secure_password"
  DEFAULT TABLESPACE users
  QUOTA UNLIMITED ON users;

-- Grant essential privileges for audit data access
GRANT CREATE SESSION TO dbaudit_reader;
GRANT SELECT_CATALOG_ROLE TO dbaudit_reader;
GRANT AUDIT_VIEWER TO dbaudit_reader;

-- For Unified Audit access
GRANT SELECT ON UNIFIED_AUDIT_TRAIL TO dbaudit_reader;
GRANT SELECT ON DBA_AUDIT_TRAIL TO dbaudit_reader;
GRANT SELECT ON V_$SESSION TO dbaudit_reader;
GRANT SELECT ON V_$SQL TO dbaudit_reader;

-- For Fine-Grained Auditing policies
GRANT EXECUTE ON DBMS_FGA TO dbaudit_reader;
Security Best Practice

Use Oracle Wallet for password storage and rotation. Never embed credentials in configuration files.

2

Configure Unified Auditing

Create audit policies to capture the activities you need to monitor. Oracle 12c+ supports Unified Auditing for comprehensive tracking. 

-- Enable Unified Auditing (Oracle 12c+)
-- Check current audit configuration
SELECT VALUE FROM V$OPTION WHERE PARAMETER = 'Unified Auditing';

-- Create audit policy for all database actions
CREATE AUDIT POLICY dbaudit_all_actions
  ACTIONS ALL;

-- Enable the policy for all users
AUDIT POLICY dbaudit_all_actions;

-- Create policy for privileged users
CREATE AUDIT POLICY dbaudit_priv_users
  ACTIONS ALL
  WHEN 'SYS_CONTEXT(''USERENV'', ''SESSION_USER'') IN (''SYS'', ''SYSTEM'')'
  EVALUATE PER SESSION;

AUDIT POLICY dbaudit_priv_users;

-- Create policy for sensitive table access
CREATE AUDIT POLICY dbaudit_sensitive_data
  ACTIONS SELECT, INSERT, UPDATE, DELETE
  ON HR.EMPLOYEES, HR.SALARIES
  WHEN 'SYS_CONTEXT(''USERENV'', ''IP_ADDRESS'') IS NOT NULL'
  EVALUATE PER STATEMENT;

AUDIT POLICY dbaudit_sensitive_data;
Note

Unified Auditing requires a database restart to fully enable. Plan this during a maintenance window.

3

Configure DB Audit Collector

Add your Oracle connection to the DB Audit configuration file. 

databases:
  - name: production-oracle
    type: oracle
    host: oracle-db.example.com
    port: 1521
    service_name: ORCL
    username: dbaudit_reader
    password: ${ORACLE_PASSWORD}

    # SSL/TLS Configuration (recommended for production)
    ssl: true
    wallet_location: /etc/dbaudit/wallet

    # Connection settings
    connect_timeout: 30

    # Monitoring options
    options:
      audit_trail: unified
      track_queries: true
      track_connections: true
      track_ddl: true
      track_dml: true
      track_privileged_users: true
      sample_rate: 1.0
4

Test Connection

Verify your configuration before deploying. 

# Test connection with SQL*Plus
sqlplus dbaudit_reader/your_password@//oracle-db.example.com:1521/ORCL

# Verify audit access
SELECT COUNT(*) FROM UNIFIED_AUDIT_TRAIL WHERE ROWNUM < 10;

# Check audit policies
SELECT POLICY_NAME, ENABLED_OPT FROM AUDIT_UNIFIED_ENABLED_POLICIES;

# Verify DB Audit collector can connect
dbaudit-collector test-connections --config /etc/dbaudit/config.yaml

Audit Trail Maintenance

Critical for Production Databases

Oracle's Unified Audit Trail grows continuously and must be regularly purged to prevent tablespace exhaustion. Without proper maintenance, audit data can consume hundreds of gigabytes and severely impact database performance. Oracle recommends archiving and purging audit records on a regular basis.

Warning: Unmanaged Audit Trails Cause Production Outages

The UNIFIED_AUDIT_TRAIL view queries the internal AUDSYS.AUD$UNIFIED table. If this table grows too large, queries against it become extremely slow, and SYSAUX tablespace can fill up causing database hangs. Set up automated purging before enabling audit policies.

1. Check Current Audit Trail Size

First, assess your current audit trail size and partition structure. 

-- Check current audit trail size
SELECT
  TABLESPACE_NAME,
  ROUND(SUM(BYTES)/1024/1024, 2) AS SIZE_MB
FROM DBA_SEGMENTS
WHERE OWNER = 'AUDSYS'
GROUP BY TABLESPACE_NAME;

-- View partition information
SELECT
  PARTITION_NAME,
  HIGH_VALUE,
  NUM_ROWS,
  ROUND(BYTES/1024/1024, 2) AS SIZE_MB
FROM DBA_TAB_PARTITIONS p
JOIN DBA_SEGMENTS s ON p.PARTITION_NAME = s.PARTITION_NAME
WHERE p.TABLE_OWNER = 'AUDSYS'
  AND p.TABLE_NAME = 'AUD$UNIFIED'
ORDER BY PARTITION_POSITION;

-- Check last archive timestamps
SELECT * FROM DBA_AUDIT_MGMT_LAST_ARCH_TS;

2. Move Audit Data to Dedicated Tablespace

Oracle stores audit data in SYSAUX by default. Move it to a dedicated tablespace for better management and to prevent SYSAUX from filling up. 

-- Move audit data to dedicated tablespace (recommended)
-- First create a dedicated tablespace
CREATE TABLESPACE AUDIT_DATA
  DATAFILE '/u01/oradata/ORCL/audit_data01.dbf' SIZE 10G
  AUTOEXTEND ON NEXT 1G MAXSIZE 50G;

-- Move the unified audit trail
BEGIN
  DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_LOCATION(
    audit_trail_type => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,
    audit_trail_location_value => 'AUDIT_DATA'
  );
END;
/
Best Practice

Moving to a dedicated tablespace also allows you to reclaim space after purging. The only supported way to recover space from purged audit tables is to rebuild them by moving to a different tablespace.

3. Configure Partition Interval

The unified audit table is interval range partitioned. Smaller partitions make purging more efficient as entire partitions can be dropped instead of deleting individual rows. 

-- Change partition interval to daily (recommended for high-volume)
BEGIN
  DBMS_AUDIT_MGMT.ALTER_PARTITION_INTERVAL(
    interval_number    => 1,
    interval_frequency => 'DAY'
  );
END;
/

-- Or weekly for moderate volume
BEGIN
  DBMS_AUDIT_MGMT.ALTER_PARTITION_INTERVAL(
    interval_number    => 7,
    interval_frequency => 'DAY'
  );
END;
/

-- Default is monthly
BEGIN
  DBMS_AUDIT_MGMT.ALTER_PARTITION_INTERVAL(
    interval_number    => 1,
    interval_frequency => 'MONTH'
  );
END;
/

Daily

High-volume systems generating millions of audit records per day

Weekly

Medium-volume systems with consistent audit load

Monthly

Low-volume systems or development environments

4. Manual Purge (One-Time Cleanup)

Use DBMS_AUDIT_MGMT to manually purge old audit records. This is useful for initial cleanup or when you need to purge outside the regular schedule. 

-- Set batch size for efficient deletion
BEGIN
  DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_PROPERTY(
    audit_trail_type => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,
    audit_trail_property => DBMS_AUDIT_MGMT.DB_DELETE_BATCH_SIZE,
    audit_trail_property_value => 100000
  );
END;
/

-- Set last archive timestamp (retain last 30 days)
BEGIN
  DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(
    audit_trail_type => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,
    last_archive_time => SYSTIMESTAMP - INTERVAL '30' DAY
  );
END;
/

-- Execute the purge
BEGIN
  DBMS_AUDIT_MGMT.CLEAN_AUDIT_TRAIL(
    audit_trail_type => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,
    use_last_arch_timestamp => TRUE
  );
END;
/
How Purging Works

When a partition's HIGH_VALUE is before the archive timestamp, the entire partition is dropped (very fast). For the current partition, individual records are deleted in batches based on DB_DELETE_BATCH_SIZE.

5. Create Automated Daily Purge Job Recommended

Set up an automated job to purge audit records daily. This ensures your audit trail never grows unbounded. 

-- Create automated daily purge job (recommended)
-- This job runs every 24 hours to clean audit records older than 30 days

BEGIN
  -- Create the purge job
  DBMS_AUDIT_MGMT.CREATE_PURGE_JOB(
    audit_trail_type => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,
    audit_trail_purge_interval => 24,  -- Run every 24 hours
    audit_trail_purge_name => 'DAILY_UNIFIED_AUDIT_PURGE',
    use_last_arch_timestamp => TRUE
  );
END;
/

-- Create a scheduler job to update the archive timestamp before each purge
BEGIN
  DBMS_SCHEDULER.CREATE_JOB(
    job_name => 'UPDATE_AUDIT_ARCHIVE_TS',
    job_type => 'PLSQL_BLOCK',
    job_action => '
      BEGIN
        DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(
          audit_trail_type => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,
          last_archive_time => SYSTIMESTAMP - INTERVAL ''30'' DAY
        );
      END;',
    start_date => SYSTIMESTAMP,
    repeat_interval => 'FREQ=DAILY; BYHOUR=2; BYMINUTE=0',  -- Run at 2 AM
    enabled => TRUE,
    comments => 'Update archive timestamp for audit purge - retain 30 days'
  );
END;
/

-- Verify jobs are created
SELECT JOB_NAME, STATE, ENABLED
FROM DBA_SCHEDULER_JOBS
WHERE JOB_NAME LIKE '%AUDIT%';

6. Monitor Purge Jobs

Regularly verify that purge jobs are running successfully and tablespace usage is under control. 

-- Check purge job status
SELECT
  JOB_NAME,
  JOB_ACTION,
  STATE,
  LAST_START_DATE,
  NEXT_RUN_DATE,
  RUN_COUNT,
  FAILURE_COUNT
FROM DBA_SCHEDULER_JOBS
WHERE JOB_NAME LIKE '%AUDIT%';

-- View purge job history
SELECT
  JOB_NAME,
  LOG_DATE,
  STATUS,
  ERROR#,
  ADDITIONAL_INFO
FROM DBA_SCHEDULER_JOB_RUN_DETAILS
WHERE JOB_NAME LIKE '%AUDIT%'
ORDER BY LOG_DATE DESC
FETCH FIRST 10 ROWS ONLY;

-- Check current archive timestamps
SELECT
  AUDIT_TRAIL,
  RAC_INSTANCE,
  LAST_ARCHIVE_TS
FROM DBA_AUDIT_MGMT_LAST_ARCH_TS;

-- Monitor tablespace usage after purge
SELECT
  TABLESPACE_NAME,
  ROUND(USED_SPACE * 8192 / 1024 / 1024, 2) AS USED_MB,
  ROUND(TABLESPACE_SIZE * 8192 / 1024 / 1024, 2) AS TOTAL_MB,
  ROUND(USED_PERCENT, 2) AS USED_PCT
FROM DBA_TABLESPACE_USAGE_METRICS
WHERE TABLESPACE_NAME = 'AUDIT_DATA';

7. Manage Purge Jobs

Enable, disable, or drop purge jobs as needed. 

-- Disable the purge job temporarily
BEGIN
  DBMS_AUDIT_MGMT.SET_PURGE_JOB_STATUS(
    audit_trail_purge_name => 'DAILY_UNIFIED_AUDIT_PURGE',
    audit_trail_status_value => DBMS_AUDIT_MGMT.PURGE_JOB_DISABLE
  );
END;
/

-- Re-enable the purge job
BEGIN
  DBMS_AUDIT_MGMT.SET_PURGE_JOB_STATUS(
    audit_trail_purge_name => 'DAILY_UNIFIED_AUDIT_PURGE',
    audit_trail_status_value => DBMS_AUDIT_MGMT.PURGE_JOB_ENABLE
  );
END;
/

-- Drop a purge job completely
BEGIN
  DBMS_AUDIT_MGMT.DROP_PURGE_JOB(
    audit_trail_purge_name => 'DAILY_UNIFIED_AUDIT_PURGE'
  );
END;
/

Key DBMS_AUDIT_MGMT Procedures

Procedure Purpose
SET_LAST_ARCHIVE_TIMESTAMP Set cutoff date - records before this will be purged
CLEAN_AUDIT_TRAIL Execute purge based on archive timestamp
CREATE_PURGE_JOB Create automated scheduled purge job
ALTER_PARTITION_INTERVAL Change partition frequency (DAY, MONTH, YEAR)
SET_AUDIT_TRAIL_LOCATION Move audit tables to different tablespace
SET_AUDIT_TRAIL_PROPERTY Configure batch size and other properties

OS Audit Trail (File-Based)

Collect Audit Records from Filesystem

Oracle can write audit records as files to the AUDIT_FILE_DEST directory on the database server. This includes mandatory SYSDBA/SYSOPER events that cannot be disabled, plus all audit data when AUDIT_TRAIL is set to OS, XML, or XML,EXTENDED. The DB Audit agent can collect these files directly from the filesystem.

Why Use OS Audit Trail?

OS audit trail is essential when you need to capture events that occur outside normal database operation: privileged connections (SYSDBA/SYSOPER), startup and shutdown events, and scenarios where the database itself may be unavailable. It also avoids storing audit data inside the database, which can be important for separation of duties.

Mandatory OS Audits (Always Written)

Oracle always writes the following events to OS audit files in the AUDIT_FILE_DEST directory, regardless of the AUDIT_TRAIL setting. These cannot be disabled:

  • CONNECT AS SYSDBA
  • CONNECT AS SYSOPER
  • Database startup
  • Database shutdown

OS Audit File Formats

Extension AUDIT_TRAIL Value SQL Text Description
.aud OS No Plain text audit records
.xml XML No XML format without SQL statements
.xml XML,EXTENDED Yes XML with full SQL text and bind variables (Recommended)

1. Check Current AUDIT_FILE_DEST Location

Verify where Oracle is currently writing OS audit files and what format is configured. 

-- Check current OS audit settings
SELECT NAME, VALUE
FROM V$PARAMETER
WHERE NAME IN ('audit_trail', 'audit_file_dest', 'audit_syslog_level')
ORDER BY NAME;

-- Check if OS audit files are being generated
SELECT AUDIT_TRAIL FROM DBA_AUDIT_MGMT_CONFIG_PARAMS
WHERE PARAMETER_NAME = 'AUDIT TRAIL TYPE';

-- View the current AUDIT_FILE_DEST location
SHOW PARAMETER audit_file_dest;

2. Configure Oracle to Write OS Audit Files

Set AUDIT_TRAIL to XML,EXTENDED for the most comprehensive file-based audit data, including full SQL text. 

-- Set AUDIT_TRAIL to write XML files with full SQL text
-- This requires a database restart to take effect
ALTER SYSTEM SET audit_trail=XML,EXTENDED SCOPE=SPFILE;

-- Optionally change the audit file destination
-- Default: $ORACLE_BASE/admin/$ORACLE_SID/adump
ALTER SYSTEM SET audit_file_dest='/u01/oracle/audit' SCOPE=SPFILE;

-- Restart the database for changes to take effect
SHUTDOWN IMMEDIATE;
STARTUP;

-- Verify the new settings
SHOW PARAMETER audit_trail;
SHOW PARAMETER audit_file_dest;
Restart Required

Changes to AUDIT_TRAIL and AUDIT_FILE_DEST require a database restart. Plan this during a maintenance window.

3. Configure Audit Events

Mandatory events (SYSDBA/SYSOPER connections, startup/shutdown) are always captured. Add additional audit policies for the operations you need to track. 

-- These events are ALWAYS written to OS audit files,
-- regardless of AUDIT_TRAIL setting:
--   * CONNECT AS SYSDBA
--   * CONNECT AS SYSOPER
--   * Database startup
--   * Database shutdown
--
-- To audit additional operations via OS files, create policies:

-- Audit all logon/logoff events
AUDIT SESSION;

-- Audit privileged operations
AUDIT ALTER SYSTEM;
AUDIT ALTER DATABASE;
AUDIT CREATE USER;
AUDIT DROP USER;
AUDIT ALTER USER;

-- Audit DML on sensitive tables
AUDIT SELECT ON HR.EMPLOYEES BY ACCESS;
AUDIT INSERT ON HR.EMPLOYEES BY ACCESS;
AUDIT UPDATE ON HR.EMPLOYEES BY ACCESS;
AUDIT DELETE ON HR.EMPLOYEES BY ACCESS;

4. Optional: Syslog Integration Linux/Unix Only

Oracle can forward OS audit records to syslog in addition to writing files. This enables centralized log collection and integration with existing log management infrastructure. 

-- Forward OS audit records to syslog (Linux/Unix only)
-- Set the syslog facility and level
ALTER SYSTEM SET audit_syslog_level='LOCAL0.WARNING' SCOPE=SPFILE;

-- Restart for changes to take effect
-- After restart, Oracle sends audit records to syslog AND to files

-- Configure rsyslog to collect Oracle audit messages
-- Add to /etc/rsyslog.d/oracle-audit.conf:
--
--   # Oracle audit log forwarding
--   local0.*    /var/log/oracle/audit.log
--
-- Then restart rsyslog:
--   sudo systemctl restart rsyslog
--
-- Verify syslog is receiving audit records:
--   tail -f /var/log/oracle/audit.log

5. Configure DB Audit Agent

Configure the DB Audit agent to collect OS audit files from the AUDIT_FILE_DEST directory. 

# DB Audit agent configuration for OS audit file collection
databases:
  - name: production-oracle
    type: oracle

    # OS Audit Trail collection (file-based)
    log_collection_type: os_audit

    # Path to Oracle AUDIT_FILE_DEST directory
    audit_file_dest: /u01/oracle/audit

    # File format: aud, xml, or auto (auto-detect)
    file_format: auto

    # Polling interval in seconds
    polling_interval: 10

    # Optional: also collect from syslog
    syslog_enabled: false
    # syslog_facility: LOCAL0

    options:
      # Track file position to avoid reprocessing
      track_position: true
      # Include mandatory SYSDBA/SYSOPER events
      include_mandatory: true
      # Parse XML extended fields (SQL text, bind variables)
      parse_extended: true
File Permissions

The DB Audit agent process must have read access to the AUDIT_FILE_DEST directory and its files. Add the agent user to the Oracle OS group or set appropriate ACLs.

6. Verify Collection is Working

Confirm that the agent is successfully reading and processing OS audit files. 

# Check that the agent can read the audit directory
ls -la /u01/oracle/audit/

# Verify audit files are being generated
ls -lt /u01/oracle/audit/*.xml | head -10

# Check the DB Audit agent status
dbaudit-agent status

# View recent collected OS audit events
dbaudit-agent logs --source os_audit --tail 20

# Test file access permissions
dbaudit-agent test-permissions --path /u01/oracle/audit/

OS Audit File Management

File Rotation

Oracle creates new audit files per session. Implement a cron job or logrotate policy to archive and remove old files. The DB Audit agent tracks processed files, so rotation won't cause data loss.

Disk Space Monitoring

OS audit files can accumulate quickly on busy systems. Monitor disk usage on the AUDIT_FILE_DEST partition and set up alerts before space runs out.

Warning: Disk Space

If the AUDIT_FILE_DEST filesystem fills up, Oracle will be unable to write new audit records. On some configurations this can cause database operations to hang. Always monitor disk space and implement automated cleanup.

AWS RDS Oracle & CloudWatch

Managed Oracle with CloudWatch Logs Integration

Amazon RDS for Oracle can publish audit logs to CloudWatch Logs, enabling centralized log management and integration with DB Audit. This section covers how to configure auditing on RDS Oracle and connect it to DB Audit via CloudWatch.

Important: CloudWatch Publishing Limitation

Only audit records created as OS files (.aud) or XML files (.xml) are published to CloudWatch. Records stored in DB or DB,EXTENDED audit trails are NOT published. Use XML,EXTENDED to capture full SQL text in CloudWatch.

audit_trail Parameter Values

Value CloudWatch SQL Text Description
NONE N/A N/A Auditing disabled (default)
OS Yes No OS files (.aud format)
XML Yes No XML files without SQL text
XML,EXTENDED Yes Yes XML with full SQL text and bind variables (Recommended)
DB No No Database table (not published to CloudWatch)
DB,EXTENDED No Yes Database table with SQL (not published to CloudWatch)

1. Configure RDS Parameter Group

Create a custom parameter group and set audit_trail to XML,EXTENDED to capture full SQL statements. 

# Create a custom parameter group for audit settings
aws rds create-db-parameter-group \
  --db-parameter-group-name oracle-audit-params \
  --db-parameter-group-family oracle-ee-19 \
  --description "Oracle parameter group with audit enabled"

# Enable XML audit trail with extended SQL capture
aws rds modify-db-parameter-group \
  --db-parameter-group-name oracle-audit-params \
  --parameters "ParameterName=audit_trail,ParameterValue=XML,EXTENDED,ApplyMethod=pending-reboot"

# Apply the parameter group to your instance
aws rds modify-db-instance \
  --db-instance-identifier my-oracle-instance \
  --db-parameter-group-name oracle-audit-params \
  --apply-immediately
Reboot Required

Changes to audit_trail require a database reboot to take effect. Plan this during a maintenance window.

2. Enable CloudWatch Logs Export

Configure your RDS instance to publish audit logs to CloudWatch Logs. 

# Enable CloudWatch Logs export for audit logs
aws rds modify-db-instance \
  --db-instance-identifier my-oracle-instance \
  --cloudwatch-logs-export-configuration '{"EnableLogTypes":["audit","alert","trace","listener"]}'

# Create a new instance with CloudWatch logging enabled
aws rds create-db-instance \
  --db-instance-identifier my-oracle-instance \
  --db-instance-class db.m5.large \
  --engine oracle-ee \
  --engine-version 19.0.0.0.ru-2024-04.rur-2024-04.r1 \
  --master-username admin \
  --manage-master-user-password \
  --allocated-storage 100 \
  --db-parameter-group-name oracle-audit-params \
  --cloudwatch-logs-export-configuration '["audit","alert","trace","listener"]'

# Disable audit log publishing (if needed)
aws rds modify-db-instance \
  --db-instance-identifier my-oracle-instance \
  --cloudwatch-logs-export-configuration '{"DisableLogTypes":["audit"]}'

CloudWatch Log Group Structure

Audit logs are published to: /aws/rds/instance/<instance-id>/audit

Other available log types: alert, trace, listener, oemagent

3. Create Unified Audit Policies

Configure audit policies to capture the activities you need to monitor. RDS Oracle 12c+ supports Unified Auditing. 

-- Check if unified auditing is enabled (RDS Oracle 12c+)
SELECT VALUE FROM V$OPTION WHERE PARAMETER = 'Unified Auditing';

-- Create audit policy for privileged operations
CREATE AUDIT POLICY rds_priv_audit
  PRIVILEGES CREATE ANY TABLE, DROP ANY TABLE, ALTER ANY TABLE,
             CREATE USER, DROP USER, ALTER USER,
             GRANT ANY PRIVILEGE, GRANT ANY ROLE
  ROLES DBA;

-- Create policy for schema object access
CREATE AUDIT POLICY rds_data_access
  ACTIONS SELECT, INSERT, UPDATE, DELETE
  ON HR.EMPLOYEES, HR.SALARIES, FINANCE.TRANSACTIONS;

-- Create policy for all logon/logoff events
CREATE AUDIT POLICY rds_session_audit
  ACTIONS LOGON, LOGOFF;

-- Enable the policies
AUDIT POLICY rds_priv_audit;
AUDIT POLICY rds_data_access;
AUDIT POLICY rds_session_audit;

-- Verify enabled policies
SELECT POLICY_NAME, ENABLED_OPT, USER_NAME
FROM AUDIT_UNIFIED_ENABLED_POLICIES;

4. Configure IAM Permissions

Grant DB Audit permission to read CloudWatch Logs and RDS log files. 

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams",
        "logs:GetLogEvents",
        "logs:FilterLogEvents"
      ],
      "Resource": [
        "arn:aws:logs:*:*:log-group:/aws/rds/instance/*/audit:*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "rds:DescribeDBInstances",
        "rds:DescribeDBLogFiles",
        "rds:DownloadDBLogFilePortion"
      ],
      "Resource": "*"
    }
  ]
}
Use IAM Roles

If running DB Audit on EC2 or ECS, attach an IAM role instead of using access keys. This is more secure and handles credential rotation automatically.

5. Configure DB Audit for RDS Oracle

Configure DB Audit to collect logs from CloudWatch and optionally query the UNIFIED_AUDIT_TRAIL directly. 

# DB Audit configuration for RDS Oracle via CloudWatch
databases:
  - name: production-rds-oracle
    type: oracle

    # RDS endpoint
    host: my-oracle-instance.xxxx.us-east-1.rds.amazonaws.com
    port: 1521
    service_name: ORCL
    username: dbaudit_reader
    password: ${RDS_ORACLE_PASSWORD}

    # SSL is enabled by default for RDS
    ssl: true

    options:
      # Use CloudWatch as the log source
      log_source: cloudwatch

      # CloudWatch configuration
      cloudwatch:
        region: us-east-1
        log_group: /aws/rds/instance/my-oracle-instance/audit

        # AWS credentials (use IAM role if running on EC2/ECS)
        # access_key_id: ${AWS_ACCESS_KEY_ID}
        # secret_access_key: ${AWS_SECRET_ACCESS_KEY}

        # Or use IAM role (recommended)
        use_iam_role: true

      # Polling interval for CloudWatch logs
      polling_interval: 30

      # Also query UNIFIED_AUDIT_TRAIL directly for real-time data
      query_unified_audit: true

6. Query Audit Logs in CloudWatch

Use CloudWatch Logs Insights to analyze audit data directly in the AWS Console. 

# View audit logs in CloudWatch Logs Insights
# Log group: /aws/rds/instance/<instance-id>/audit

# Query for failed login attempts
fields @timestamp, @message
| filter @message like /ORA-01017|ORA-28000|ORA-28001/
| sort @timestamp desc
| limit 100

# Query for DDL operations
fields @timestamp, @message
| filter @message like /CREATE|DROP|ALTER|TRUNCATE/
| sort @timestamp desc
| limit 100

# Query for specific user activity
fields @timestamp, @message
| filter @message like /USERNAME="ADMIN"/
| sort @timestamp desc
| limit 50

RDS Audit Log Retention

RDS Instance Storage

Audit logs are retained on the RDS instance for 7 days by default. Older logs are automatically deleted.

CloudWatch Logs

Configure retention in CloudWatch (1 day to 10 years). Set based on your compliance requirements.

No Manual Purge Needed

Unlike self-managed Oracle, RDS automatically manages audit log retention on the instance. However, you should still configure CloudWatch Logs retention and consider exporting to S3 for long-term storage.

Compliance Support

DB Audit's Oracle connector helps you meet audit requirements for major compliance frameworks.

SOC 2
Access logging
HIPAA
PHI access audit
PCI DSS
Cardholder data
GDPR
Data access rights

Troubleshooting

ORA-12541: TNS:no listener

Verify the Oracle listener is running and the host/port are correct. Check tnsnames.ora configuration.

ORA-01017: invalid username/password

Verify credentials are correct. Oracle passwords are case-sensitive by default in 11g+.

ORA-00942: table or view does not exist

Grant SELECT_CATALOG_ROLE to the audit user for access to system views.

No audit data appearing

Verify audit policies are enabled with SELECT * FROM AUDIT_UNIFIED_ENABLED_POLICIES.

OS audit files not being collected

Verify the DB Audit agent has read permissions on the AUDIT_FILE_DEST directory. Check the directory path matches your config with SHOW PARAMETER audit_file_dest. Ensure AUDIT_TRAIL is set to OS, XML, or XML,EXTENDED.

Next Steps

Configure Alerts & Rules
View All Database Connectors
Forward to Your SIEM

Ready to Audit Your Oracle Database?

Start monitoring your Oracle databases in minutes. No agents to install on your database servers.

Start Free Trial Contact Sales