Oracle Module
Fields from Oracle logs.
Module for parsing Oracle Database audit logs
-
oracle.database_audit.priv_used
-
System privilege used to execute the action.
type: integer
-
oracle.database_audit.logoff_pread
-
Physical reads for the session.
type: integer
-
oracle.database_audit.logoff_lread
-
Logical reads for the session.
type: integer
-
oracle.database_audit.logoff_lwrite
-
Logical writes for the session.
type: integer
-
oracle.database_audit.logoff_dead
-
Deadlocks detected during the session.
type: integer
-
oracle.database_audit.sessioncpu
-
Amount of CPU time used by each Oracle session.
type: integer
-
oracle.database_audit.returncode
-
Oracle error code generated by the action.
type: integer
-
oracle.database_audit.statement
-
nth statement in the user session.
type: integer
-
oracle.database_audit.userid
-
Name of the user whose actions were audited.
type: keyword
-
oracle.database_audit.entryid
-
Numeric ID for each audit trail entry in the session. The entry ID is an index of a session’s audit entries that starts at 1 and increases to the number of entries that are written.
type: integer
-
oracle.database_audit.comment_text
-
Text comment on the audit trail entry, providing more information about the statement audited.
type: text
-
oracle.database_audit.os_userid
-
Operating system login username of the user whose actions were audited.
type: keyword
-
oracle.database_audit.terminal
-
Identifier of the user’s terminal.
type: text
-
oracle.database_audit.status
-
Database Audit Status.
type: keyword
-
oracle.database_audit.session_id
-
Indicates the audit session ID number.
type: keyword
-
oracle.database_audit.client.terminal
-
If available, the client terminal type, for example "pty".
type: keyword
-
oracle.database_audit.client.address
-
The IP Address or Domain used by the client.
type: keyword
-
oracle.database_audit.client.user
-
The user running the client or connection to the database.
type: keyword
-
oracle.database_audit.database.user
-
The database user used to authenticate.
type: keyword
-
oracle.database_audit.privilege
-
The privilege group related to the database user.
type: keyword
-
oracle.database_audit.entry.id
-
Indicates the current audit entry number, assigned to each audit trail record. The audit entry.id sequence number is shared between fine-grained audit records and regular audit records.
type: keyword
-
oracle.database_audit.database.host
-
Client host machine name.
type: keyword
-
oracle.database_audit.action
-
The action performed during the audit event. This could for example be the raw query.
type: keyword
-
oracle.database_audit.action_number
-
Action is a numeric value representing the action the user performed. The corresponding name of the action type is in the AUDIT_ACTIONS table. For example, action 100 refers to LOGON.
type: keyword
-
oracle.database_audit.database.id
-
Database identifier calculated when the database is created. It corresponds to the DBID column of the V$DATABASE data dictionary view.
type: keyword
-
oracle.database_audit.length
-
Refers to the total number of bytes used in this audit record. This number includes the trailing newline bytes (\n), if any, at the end of the audit record.
type: long