Sybase strongly recommends that you not use single-device auditing for production systems. If you use only a single audit table, you create a window of time while you are archiving audit data and truncating the audit table during which incoming audit records are lost. There is no way to avoid this when using only a single audit table.
If you use only a single audit table, your audit table is likely to fill up. The consequences of this depend on how you have set suspend audit when device full. If you have suspend audit when device full set to on, the audit process is suspended, as are all user processes that cause auditable events. If suspend audit when device full is off, the audit table is truncated, and you lose all the audit records that were in the audit table.
For non-production systems, where the loss of a small number of audit records may be acceptable, you can use a single table for auditing, if you cannot spare the additional disk space for multiple audit tables, or you do not have additional devices to use.
The procedure for using a single audit table is similar to using multiple audit tables, with these exceptions:
During installation, you specify only one system table to use for auditing.
During installation, you specify only one device for the audit system table.
The threshold procedure you create for archiving audit records is different from the one you would create if you were using multiple audit tables.
Figure 18-2 shows how the auditing process works with a single audit table.
Figure 18-2: Auditing with a single audit table
Copyright © 2005. Sybase Inc. All rights reserved. |