Re: userhost of unified_audit_trail shown as cryptic string

From: Stefan Knecht <knecht.stefan_at_gmail.com>
Date: Fri, 27 Apr 2018 10:08:44 +0700
Message-ID: <CAP50yQ_b48FFzQp4ytE3=j1N4Dbfn7-M6QdZ4c+_G2AmxomM+w_at_mail.gmail.com>

What client and its version / platform is coming from that IP?

What do you see in v$session.machine when a client from that IP is connected?

Also, if you start sqlplus on that client (if you can) and connect - do you get the same data? If you do, it might also be interesting to 10046 it and check the SQL of the entry created in the audit tables (the trace file would show you the actual bind variable value that's inserted).

On Thu, Apr 26, 2018 at 8:55 PM, Yong Huang <dmarc-noreply_at_freelists.org> wrote:

> Oracle 12.2.0.1
>
> Column userhost of unified_audit_trail sometimes shows strange values for
> some client hosts, e.g. the first one below
>
> SQL> select os_username, userhost, event_timestamp, return_code,
> authentication_type
> 2 from unified_audit_trail
> 3 where event_timestamp > sysdate - 1/1440 and action_name='LOGON'
> 4 order by 3;
>
> OS_USERNAME USERHOST EVENT_TIMESTAMP
> RETURN_CODE
> -------------------- -----------------------------------
> ------------------------------ -----------
> AUTHENTICATION_TYPE
> ------------------------------------------------------------
> ---------------------------------------
> root 8621ecdafb91 26-APR-18
> 08.49.00.037272 AM 0
> (TYPE=(DATABASE));(CLIENT ADDRESS=((ADDRESS=(PROTOCOL=
> tcp)(HOST=10.74.67.54)(PORT=44462))));
>
> novlua dosrlidmig1 26-APR-18
> 08.49.06.468324 AM 0
> (TYPE=(DATABASE));(CLIENT ADDRESS=((ADDRESS=(PROTOCOL=
> tcp)(HOST=10.74.198.241)(PORT=49776))));
>
> ...
>
> I can find the actual client from the IP address shown in the
> authentication_type string. In this case, IP 10.74.67.54 is reverse
> resolved to dcsrlcs2 plus our domain name. But what is the string under
> userhost? That value is not the MAC address of the host (86-21-ec is not a
> vendor code), not host ID (Linux host ID is 4 bytes instead of 6), not
> ASCII values of part of the host name (ec maps to a non-ASCII character).
> So what is it? We don't have this problem in 11g, and this only happens to
> certain hosts connecting to 12c.
>
> Yong Huang
> --
> http://www.freelists.org/webpage/oracle-l
>
>
>

-- 
//
zztat - The Next-Gen Oracle Performance Monitoring and Reaction Framework!
Visit us at zztat.net | _at_zztat_oracle | fb.me/zztat | zztat.net/blog/

--
http://www.freelists.org/webpage/oracle-l

Received on Fri Apr 27 2018 - 05:08:44 CEST

This message: [ Message body ]
Next message: Howard Latham: "NUS TO NUP LICENCE CONVERT"
Previous message: Yong Huang: "Re: utl_recomp grants"
In reply to: Yong Huang: "userhost of unified_audit_trail shown as cryptic string"
In reply to Yong Huang: "userhost of unified_audit_trail shown as cryptic string"
Next in thread: Chris Taylor: "Re: Tuning Advice"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]

Original text of this message