Oracle fields

Oracle Module

oracle

Fields from Oracle logs.

database_audit

Module for parsing Oracle Database audit logs

oracle.database_audit.priv_used

System privilege used to execute the action.

type: integer

oracle.database_audit.logoff_pread

Physical reads for the session.

type: integer

oracle.database_audit.logoff_lread

Logical reads for the session.

type: integer

oracle.database_audit.logoff_lwrite

Logical writes for the session.

type: integer

oracle.database_audit.logoff_dead

Deadlocks detected during the session.

type: integer

oracle.database_audit.sessioncpu

Amount of CPU time used by each Oracle session.

type: integer

oracle.database_audit.returncode

Oracle error code generated by the action.

type: integer

oracle.database_audit.statement

nth statement in the user session.

type: integer

oracle.database_audit.userid

Name of the user whose actions were audited.

type: keyword

oracle.database_audit.entryid

Numeric ID for each audit trail entry in the session. The entry ID is an index of a session’s audit entries that starts at 1 and increases to the number of entries that are written.

type: integer

oracle.database_audit.comment_text

Text comment on the audit trail entry, providing more information about the statement audited.

type: text

oracle.database_audit.os_userid

Operating system login username of the user whose actions were audited.

type: keyword

oracle.database_audit.terminal

Identifier of the user’s terminal.

type: text

oracle.database_audit.status

Database Audit Status.

type: keyword

oracle.database_audit.session_id

Indicates the audit session ID number.

type: keyword

oracle.database_audit.client.terminal

If available, the client terminal type, for example "pty".

type: keyword

oracle.database_audit.client.address

The IP Address or Domain used by the client.

type: keyword

oracle.database_audit.client.user

The user running the client or connection to the database.

type: keyword

oracle.database_audit.database.user

The database user used to authenticate.

type: keyword

oracle.database_audit.privilege

The privilege group related to the database user.

type: keyword

oracle.database_audit.entry.id

Indicates the current audit entry number, assigned to each audit trail record. The audit entry.id sequence number is shared between fine-grained audit records and regular audit records.

type: keyword

oracle.database_audit.database.host

Client host machine name.

type: keyword

oracle.database_audit.action

The action performed during the audit event. This could for example be the raw query.

type: keyword

oracle.database_audit.action_number

Action is a numeric value representing the action the user performed. The corresponding name of the action type is in the AUDIT_ACTIONS table. For example, action 100 refers to LOGON.

type: keyword

oracle.database_audit.database.id

Database identifier calculated when the database is created. It corresponds to the DBID column of the V$DATABASE data dictionary view.

type: keyword

oracle.database_audit.length

Refers to the total number of bytes used in this audit record. This number includes the trailing newline bytes (\n), if any, at the end of the audit record.

type: long