Audit Files Generated on Delphix Connected Systems (KBA1526)
KBA
KBA# 1526Applicable Delphix Versions
This article applies to all versions of the Delphix Engine.
Issue
Oracle systems connected to a Delphix Engines have audit files generated in $ORACLE_HOME/rdbms/admin with the following naming scheme
delphix_sid_ora_<number>_<number>.aud
These files will have similar content:
System name: Linux Node name: rh73-ora-src Release: 3.10.0-514.el7.x86_64 Version: #1 SMP Wed Oct 19 11:24:13 EDT 2016 Machine: x86_64 Storage: ? Instance name: delphix_sid Redo thread mounted by this instance: 0 <none> Oracle process number: 0 Unix process pid: 14313, image: Mon Aug 28 22:35:14 2017 -07:00 LENGTH : '160' ACTION :[7] 'CONNECT' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[8] 'ora12102' CLIENT TERMINAL:[13] 'Not Available' STATUS:[1] '0' DBID:[0] ''
Note that there will be multiple files generated every time the monitor runs.
Explanation
Oracle RDBMS will create audit files for all attempts to connect "as sysdba" to an instance that is not running to the following directories, in order of preference. This fuctionality cannot be disabled.
- $ORACLE_BASE/admin/ORACLE_SID/adump
- $ORACLE_HOME/rdbms/audit
As part of the Environment Monitoring, the Delphix Engine will regularly check that the environment user is able to start sqlplus and connect "as sysdba". This is done by setting an ORACLE_SID of "delphix_sid", then attempting to execute "sqlplus / as sysdba". It is this action that results in the Oracle auditing facility generating the mentioned files.
Resolution
This is normal and expected behavior from both the Delphix Engine and Oracle RDBMS. Oracle note 1299033.1 covers the details for Oracle Auditing, including this behavior.
These files should be manually or automatically removed as dictated by your organizations auditing policy.