AUDITING - DEFAULT FOR CONNECT INTERNAL

From: Raj Sakthi <rajan_sakthi_at_yahoo.com>
Date: Tue, 20 Mar 2001 10:06:23 -0800
Message-ID: <F001.002D1CBC.20010320082203@fatcity.com>

Hi Folks ,
When I was tracing connect internal in sqlplus I came across this quirk and of course I have to investigate Guess what I found...: )        

Bookmark Fixed font Go to End

Doc ID: Note:107842.1
Audit Trail: Connect Internal
Type: BULLETIN
Status: PUBLISHED
 Content Type: TEXT/PLAIN
Creation Date: 06-MAY-2000
Last Revision Date: 06-JUN-2000
Language: USAENG  

PURPOSE

---

Assist in resolving why Application Log may be filling up,
and/or why Events auditing connects are frequently written to
the Application Log.  

SCOPE & APPLICATION

---

This article is intended for Oracle Support Analysts and Customers
to assist in troubleshooting frequent connect events in the Application Log.

Application Log is Full with Event ID 34 : Audit Trail: Connect Internal

---

In Oracle8i on Windows NT, auditing can be configured so that audit trail
actions are written to the Application Log in the Windows NT Event Viewer.
These Events will be logged into the Application Log with Event ID 34.
Most of these Events are not logged unless the INIT.ORA parameter
AUDIT_TRAIL is set to either OS or DB. The default for this parameter is NONE.

However, auditing of the Events for Connect Internal and/or Connect as SYSDBA
or SYSOPER is enabled by default and cannot be disabled. Therefore, regardless
of whether you have set the AUDIT_TRAIL parameter in the init.ora, Oracle will
still log Events to the Event Viewer every time a Connect Internal or Connect
as SYSDBA/SYSOPER occurs. What you will see in the Application Log in the
Event Viewer is an Event with ID 34 and the Source will be Oracle.<sidname>.
Clicking on the Event will give you a description such as:

Audit trail: ACTION : 'connect internal' OSPRIV : DBA CLIENT USER:
SJESSE\SJESSE CLIENT TERMINAL: SJESSE. This is no cause for concern unless you detect that an unauthorized client
has made a connection. In most cases, a connect internal is a fairly
infrequent occurrence.

However, in instances where frequent connects occur, this can be an annoyance.
Depending on how frequently a Connect Internal Occurs, you may see a number of
these actions in your Application Log. This can cause particular problems when
running Oracle Failsafe. Oracle Failsafe has a polling machanism which does a
Connect Internal at a specified Polling Interval to check if the database is
up. By default, this polling interval is once every minute. Therefore, when
running Oracle Failsafe, because of the auditing of a Connect Internal, the
Application Log is likely to fill up very rapidly with these messages.

Since there is currently no way to disable these audit actions, you will have
to work around this problem. This can be done in a couple of different ways:

1. Increase the size of the application log. By default, this is only 512k. It can be increased to an appropriate size by choosing 'Log Settings' under the LOG menu in the Event Viewer, and then entering an appropriate number for Maximum Log Size.
2. Also in the Log Settings Menu, you can specify if Events should be overwritten, and if so, how frequently. Choosing the option to 'Overwrite Events as Needed' will prevent the Log from filling up. However, be sure to make the Maximum Log Size large enough to avoid overwriting critical events before the log can be checked.
3. If running Oracle Failsafe, you can reduce the frequency of the polling, and therefore the frequency of connects, by increasing the "Is Alive" Interval. As Noted above, this defaults to 60000 Milliseconds, or 1 Minute. To increase this Interval:
4. Log on to Failsafe Manager
5. Find your group and expand it by clicking on the
   (+) beside it.
   
6. Drill down and find the database and highlight it.
7. With the database highlighted, choose the policies tab on the right-hand side and type in a new number for the "Is Alive" Interval. Note that you do NOT need to change the "Looks Alive" Interval as the polling done for this check does NOT do a Connect Internal.

(Click on the Help button in the policies tab for more
information on
"Is Alive" and "Looks Alive" Polling.)

Note also that if you are running in a Failsafe Environment and you choose to
change the Log Settings for the Application Log, you should make these changes
on all nodes in the cluster.

RELATED DOCUMENTS

---

For More information on how Oracle uses the Windows NT Event Viewer for
auditing, refer to the following Notes:

[NOTE:67868.1]
[NOTE:99137.1] See also the Oracle 8i (Release 8.1.6) Administrator's Guide for Windows NT
or the Oracle 8i (Release 8.1.5) Getting Started Guide for Windows NT
.  

---

 

 Copyright (c) 1995,2000 Oracle Corporation. All Rights Reserved. Legal Notices and Terms of Use.

---

Do You Yahoo!?
Get email at your own domain with Yahoo! Mail. http://personal.mail.yahoo.com/

-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.com
-- 
Author: Raj Sakthi
  INET: rajan_sakthi_at_yahoo.com

Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051
San Diego, California        -- Public Internet access / Mailing Lists
--------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L


(or the name of mailing list you want to be removed from).  You may

also send the HELP command for other information (like subscribing).

Received on Tue Mar 20 2001 - 12:06:23 CST