RE: SYS.AUD$ USERHOST column all NULL?

From: Don Granaman <DonGranaman_at_solutionary.com>
Date: Mon, 16 Apr 2012 10:25:54 -0500
Message-ID: <FD98CB0EE75EEA438CAF4DA2E6071C42108267A7DA_at_MAIL.solutionary.com>

The meaning of USERHOST changed between 9.2 and 10g. In 10g and later, it means the host from which the connection was originated (e.g. the client). In 9.2 and earlier, it means something else entirely. From the docs (for DBA_AUDIT_TRAIL, but they mean the same thing) at http://docs.oracle.com/cd/B10501_01/server.920/a96536/ch2205.htm:

"Numeric instance ID for the Oracle instance from which the user is accessing the database. Used only in environments with distributed file systems and shared database files."

So in 9i this is not going to give you what you want anyway - and it is (typically) only available in RAC systems. That is probably why you are seeing nulls.

-----Original Message-----

From: oracle-l-bounce_at_freelists.org [mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Kenneth Fowler Sent: Monday, April 16, 2012 10:09 AM
To: oracle-l_at_freelists.org
Subject: SYS.AUD$ USERHOST column all NULL?

List,

I am trying to create a report that will identify inappropriate access against SYS.AUD$ across many databases. In order to do this I am reporting on any access except SELECT and DELETE (where the delete originates from a known job used to maintain the audit table).

To determine if the delete originates from the known job used to maintain the audit table, I am using a selection criteria including columns OS_USERNAME, USERNAME and USERHOST. This works fine in most cases except that, for a handful of 9i databases, I have noticed that USERHOST is always NULL which breaks my strategy...

SQL> select version from v$instance;

VERSION

9.2.0.8.0

SQL> select count(*) from sys.aud$;

COUNT(*)

54229

SQL> select count(*) from sys.aud$ where userhost is null;

COUNT(*)

54229

This is on Solaris 9. I checked MOS and google but did not get any hits. This is occurring for about 10 databases that are all 9.2.0.6, 9.2.0.7, 9.2.0.8. Has anyone seen this behavior? Any fix?

Thanks,
Ken.
--

http://www.freelists.org/webpage/oracle-l

--

http://www.freelists.org/webpage/oracle-l Received on Mon Apr 16 2012 - 10:25:54 CDT

This message: [ Message body ]
Next message: Tefft, Michael J: "RE: SQL Profiles and Performance"
Previous message: Christoph: "Associative array fragmentation?"
In reply to: Kenneth Fowler: "SYS.AUD$ USERHOST column all NULL?"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]

Original text of this message