Enabling and disabling auditing  Establishing and managing single-table auditing

Chapter 18: Auditing

Single-table auditing

Sybase strongly recommends that you not use single-device auditing for production systems. If you use only a single audit table, you create a window of time while you are archiving audit data and truncating the audit table during which incoming audit records are lost. There is no way to avoid this when using only a single audit table.

If you use only a single audit table, your audit table is likely to fill up. The consequences of this depend on how you have set suspend audit when device full. If you have suspend audit when device full set to on, the audit process is suspended, as are all user processes that cause auditable events. If suspend audit when device full is off, the audit table is truncated, and you lose all the audit records that were in the audit table.

For non-production systems, where the loss of a small number of audit records may be acceptable, you can use a single table for auditing, if you cannot spare the additional disk space for multiple audit tables, or you do not have additional devices to use.

The procedure for using a single audit table is similar to using multiple audit tables, with these exceptions:

Figure 18-2 shows how the auditing process works with a single audit table.

Figure 18-2: Auditing with a single audit table

Graphic showing the work flow for using a single audit table. The work flow is: user processes update the audit queue wich in turn updates the audit processes. These updates are added to the current audit table. This audit tables is moved to the archive when full, and is saved to the normal dump and load device.



Copyright © 2005. Sybase Inc. All rights reserved. Establishing and managing single-table auditing

View this book as PDF