Auditing Enhancements (Audit Policies and Unified Audit Trail) in Oracle Database 12c

security_image1_smallA little over a year ago I was at the BGOUG Spring Conference and I watched a session by Maja Veselica about auditing in Oracle Database 12c. At the time I noted that I really needed to take a look at this new functionality, as is was quite different to what had come before. Fast forward a year and I’ve finally got around to doing just that. :)

I’ve tried to keep the article quite light and fluffy. The Oracle documentation on this subject is really pretty good, so you should definitely invest some time reading it, but if you need a quick overview to get you started, my article might help. :)

My 12c learning experience continues…



Oracle License Audit

I found out yesterday that we have an Oracle license audit in January, so I spent yesterday having a look at everything we have to check what features we are using…

Our licensing situation is a little different to anywhere I’ve worked before, in that they are based on the number of Full Time Employees (FTEs), not on named users or processors. As a result, we don’t need to worry about the number of installations we have. We just need to make sure we are not using features we are not licensed for.

Database Licenses

The database side is quite easy because we have FTE licenses for Enterprise Edition, Diagnostics and Tuning Pack and Partitioning. I checked the DBA_FEATURE_USAGE_STATISTICS view on each server and everything looks OK.

WebLogic Licenses

On the WebLogic front things are a little trickier. Since many of the licenses were bought in the Oracle Application Server era, we have to make sure we are only using features applicable for the WebLogic Server Basic license, which we have an FTE license for also. There is an overview of the restrictions in the Restricted Primary Services in WebLogic Server document. Also, there is a really handy MOS note, WebLogic Server Basic License Feature Usage Measurement Script (Doc ID 885587.1), which includes a WLST script that checks which features you are using and reports non-compliance with the WebLogic Server Basic license. It’s pretty simple to use. Just do the following for each domain on your server.

$ export MW_HOME=/u01/app/oracle/middleware
$ export DOMAIN_HOME=$MW_HOME/user_projects/domains/ClassicDomain
$ . $DOMAIN_HOME/bin/

$ java weblogic.WLST ./

You are prompted for the AdminServer connection details.

  • Username: weblogic
  • Password: mypassword
  • Admin URL: t3://

It then chucks out a page of output with errors listed for any non-compliance.

Developer/Programmer Licenses

We have people using Oracle Forms, JDeveloper and Pro*C, which we have Named User Plus licenses for. We’ve recently gone through a desktop refresh in our department, so many people have their old PCs hanging about (just in case). The department used to be bigger, so even with the extra PCs hanging around we are over-licensed really, but this will be a good opportunity to convince people to wipe and let go of their old PCs. :)

So after my initial panic, everything looks OK, but I will be interested to see what the license police make of it all. :)



Update: I guess I was not very clear about the purpose of this post. I am not suggesting this is all that is necessary to prepare for an Oracle license audit. I was not suggesting you don’t need the help of  licensing specialists. I currently work for a University, which negotiates its licenses as part of a large group of Universities. As a result, the licensing is very broad. It is quite different to the process individual companies have to go through. This was just a quick fact-finding mission for me, so I didn’t get any nasty surprises in the new year. :)

Thank you to those that commented to pointing out how this post could be misinterpreted. :)

Update 2: We passed the audit with no issues.

Oracle Auditing: Something I should have known…

I wrote about some new bits of 11gR2 auditing a while ago. Well actually it’s a bit of audit vault functionality that was included in 11gR2.

While answering a question today I confidently proclaimed that while you can move the AUD$ and $FGA_LOGS tables to another tablespace, it’s not a great idea and could make things go bang when you come to patch/upgrade the system. Whilst looking up some links for further reading to send to the poster, I noticed note 731908.1, which says the DBMS_AUDIT_MGMT package has been backported to 10gR2.

It’s not included in the database documentation until 11gR2, but it is available from the patches listed in the note if you need it.

Pesky Oracle improving older releases… :)