Results 1 to 2 of 2
  1. #1
    Join Date
    Jan 2015
    Posts
    2

    Question Answered: Auditing Sybase ASE 15

    Hi,

    I am currently configuring the auditing for Sybase. I am planning to collect the DB user activity through a third party logging solution. The agent can either use a DB query to read from the audit table or read from a file stored locally to collect the events generated and written by Sybase.
    Our DBA has informed me that auditing is already enabled on Sybase. He says he can write the events to a file.
    I am looking to audit the DB commands run by the DB users.
    Taking performance into consideration as it is a critical database, which option is more suited, reading directly from the Audit table or reading from a file generated by Sybase.

    If I go with reading directly from the DB table how should I frame the query?

    Thanks

  2. Best Answer
    Posted by Martijnvs

    "The performance depends on how much auditdata is generated.
    If you use the typical configration of 2 audittables in the sybsecuritydatabase and an archivetable in an auditarchivedatabase, you can create a view on all 3 tables:
    Code:
    create view dbo.vw_audit
    (event, eventmod, spid, eventtime, sequence, suid, 
    dbid, objid, xactid, loginname, dbname, objname, 
    objowner, extrainfo, nodeid)
    as
        select event, eventmod, spid, eventtime, sequence, suid, 
        dbid, objid, xactid, loginname, dbname, objname, objowner, extrainfo, nodeid 
        from auditarchive..audit_data
        union
        select event, eventmod, spid, eventtime, sequence, suid, 
        dbid, objid, xactid, loginname, dbname, objname, objowner, extrainfo, nodeid 
        from sybsecurity.dbo.sysaudits_01
        union
        select event, eventmod, spid, eventtime, sequence, suid, 
        dbid, objid, xactid, loginname, dbname, objname, objowner, extrainfo, nodeid 
        from sybsecurity.dbo.sysaudits_02
    This way you select all data, both archived and in the audittables. Depending on what data you are looking for you can use where-clauses."


  3. #2
    Join Date
    Jan 2004
    Posts
    545
    Provided Answers: 4
    The performance depends on how much auditdata is generated.
    If you use the typical configration of 2 audittables in the sybsecuritydatabase and an archivetable in an auditarchivedatabase, you can create a view on all 3 tables:
    Code:
    create view dbo.vw_audit
    (event, eventmod, spid, eventtime, sequence, suid, 
    dbid, objid, xactid, loginname, dbname, objname, 
    objowner, extrainfo, nodeid)
    as
        select event, eventmod, spid, eventtime, sequence, suid, 
        dbid, objid, xactid, loginname, dbname, objname, objowner, extrainfo, nodeid 
        from auditarchive..audit_data
        union
        select event, eventmod, spid, eventtime, sequence, suid, 
        dbid, objid, xactid, loginname, dbname, objname, objowner, extrainfo, nodeid 
        from sybsecurity.dbo.sysaudits_01
        union
        select event, eventmod, spid, eventtime, sequence, suid, 
        dbid, objid, xactid, loginname, dbname, objname, objowner, extrainfo, nodeid 
        from sybsecurity.dbo.sysaudits_02
    This way you select all data, both archived and in the audittables. Depending on what data you are looking for you can use where-clauses.
    I'm not crazy, I'm an aeroplane!

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •