Sunday, 12 October 2014

Invalid record in Event name in Audit vault

Issue: If we set audit_trail=DB,extended, the Audit Vault report shows correct data in Event Name. But if we change it to XML,extended, it sometimes shows Invalid record in Event Name in Audit Vault. Attached audit vault report for your reference.
Also, there is some time lag while getting the data into the Audit Vault report.


SQL> select command_class, event_name, length(command_text) from avsys.event_log where event_name like '%INVALID%';

COMMAND_CLASS EVENT_NAME LENGTH(COMMAND_TEXT)
-------------------------------------------------- -------------------------------------------------- --------------------
UNKNOWN EVENT INVALID RECORD 1311
UNKNOWN EVENT INVALID RECORD 1311
UNKNOWN EVENT INVALID RECORD 1311
UNKNOWN EVENT INVALID RECORD 1311
UNKNOWN EVENT INVALID RECORD 176
UNKNOWN EVENT INVALID RECORD 51
UNKNOWN EVENT INVALID RECORD 112
UNKNOWN EVENT INVALID RECORD 249
UNKNOWN EVENT INVALID RECORD
UNKNOWN EVENT INVALID RECORD
UNKNOWN EVENT INVALID RECORD
UNKNOWN EVENT INVALID RECORD
UNKNOWN EVENT INVALID RECORD
UNKNOWN EVENT INVALID RECORD
UNKNOWN EVENT INVALID RECORD 171
UNKNOWN EVENT INVALID RECORD 171


Impact of changing the DB to XML:
1) Parsing XML files is slower than reading data from a table like AUD$. It is no surprise that the data is not collected very fast when the audit_trail parameter is set to XML,EXTENDED.

2) Using XML rather than DB is riskier. In the past there were many bugs that caused the XML tags to be set incorrectly, and the parsers had issues as a result. Furthermore, parsing an XML file is much slower than reading a row of the AUD$ table.


This issue is caused by bug 17048003. The developers are trying to solve this in 12.1.3. As a workaround, we can set the audit_trail parameter to DB,EXTENDED and have the table trail collect the data from the AUD$ table.
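
The workaround above as a SQL*Plus session. This is an added example, not part of the original post or of Oracle's own instructions. It assumes a SYSDBA connection to the audited database and an spfile-managed instance; the last query reuses the avsys.event_log query shown earlier and is run on the Audit Vault repository.

```sql
-- On the audited (source) database, connected AS SYSDBA.
-- Current value; with the problem setting this shows XML, EXTENDED.
SHOW PARAMETER audit_trail

-- audit_trail is a static parameter: it can only be changed in the spfile
-- and the new value takes effect after an instance restart.
ALTER SYSTEM SET audit_trail = DB, EXTENDED SCOPE = SPFILE;

SHUTDOWN IMMEDIATE
STARTUP

-- Confirm the running instance now uses the database trail.
SHOW PARAMETER audit_trail

-- Confirm that new audit rows reach AUD$ and that the EXTENDED part
-- (SQL text) is populated. DBA_AUDIT_TRAIL is the standard view over AUD$.
SELECT COUNT(*) AS rows_last_hour,
       SUM(CASE WHEN sql_text IS NOT NULL THEN 1 ELSE 0 END) AS rows_with_sql_text
FROM   dba_audit_trail
WHERE  extended_timestamp > SYSTIMESTAMP - INTERVAL '1' HOUR;

-- On the Audit Vault repository: note this count before the change and
-- check it again after the table trail has collected new data.
-- If the workaround holds, the count stops growing.
SELECT command_class, event_name, COUNT(*) AS invalid_records
FROM   avsys.event_log
WHERE  event_name LIKE '%INVALID%'
GROUP  BY command_class, event_name;
```

Audit records already written as XML files before the restart stay on disk; only records generated after the restart go to AUD$.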