databaseActivityEventList fields for Amazon RDS for Oracle databaseActivityEventList fields for Amazon RDS for SQL Server

databaseActivityEventList JSON array for database activity streams

The audit log payload is an encrypted databaseActivityEventList JSON array. The following table lists alphabetically the fields for each activity event in the decrypted DatabaseActivityEventList array of an audit log.

When unified auditing is enabled in Oracle Database, the audit records are populated in this new audit trail. The UNIFIED_AUDIT_TRAIL view displays audit records in tabular form by retrieving the audit records from the audit trail. When you start a database activity stream, a column in UNIFIED_AUDIT_TRAIL maps to a field in the databaseActivityEventList array.

Important

The event structure is subject to change. Amazon RDS might add new fields to activity events in the future. In applications that parse the JSON data, make sure that your code can ignore or take appropriate actions for unknown field names.

databaseActivityEventList fields for Amazon RDS for Oracle

The following are databaseActivityEventList fields for Amazon RDS for Oracle.

Field	Data Type	Source	Description
`class`	string	`AUDIT_TYPE` column in `UNIFIED_AUDIT_TRAIL`	The class of activity event. This corresponds to the `AUDIT_TYPE` column in the `UNIFIED_AUDIT_TRAIL` view. Valid values for Amazon RDS for Oracle are the following: `Standard` `FineGrainedAudit` `XS` `Database Vault` `Label Security` `RMAN_AUDIT` `Datapump` `Direct path API` For more information, see UNIFIED_AUDIT_TRAIL in the Oracle documentation.
`clientApplication`	string	`CLIENT_PROGRAM_NAME` in `UNIFIED_AUDIT_TRAIL`	The application the client used to connect as reported by the client. The client doesn't have to provide this information, so the value can be null. A sample value is `JDBC Thin Client`.
`command`	string	`ACTION_NAME` column in `UNIFIED_AUDIT_TRAIL`	Name of the action executed by the user. To understand the complete action, read both the command name and the `AUDIT_TYPE` value. A sample value is `ALTER DATABASE`.
`commandText`	string	`SQL_TEXT` column in `UNIFIED_AUDIT_TRAIL`	The SQL statement associated with the event. A sample value is `ALTER DATABASE BEGIN BACKUP`.
`databaseName`	string	`NAME` column in `V$DATABASE`	The name of the database.
`dbid`	number	`DBID` column in `UNIFIED_AUDIT_TRAIL`	Numerical identifier for the database. A sample value is `1559204751`.
`dbProtocol`	string	N/A	The database protocol. In this beta, the value is `oracle`.
`dbUserName`	string	`DBUSERNAME` column in `UNIFIED_AUDIT_TRAIL`	Name of the database user whose actions were audited. A sample value is `RDSADMIN`.
`endTime`	string	N/A	This field isn't used for RDS for Oracle and is always null.
`engineNativeAuditFields`	object	`UNIFIED_AUDIT_TRAIL`	By default, this object is empty. When you start the activity stream with the `--engine-native-audit-fields-included` option, this object includes the following columns and their values: ADDITIONAL_INFO APPLICATION_CONTEXTS AUDIT_OPTION AUTHENTICATION_TYPE CLIENT_IDENTIFIER CURRENT_USER DBLINK_INFO DBPROXY_USERNAME DIRECT_PATH_NUM_COLUMNS_LOADED DP_BOOLEAN_PARAMETERS1 DP_TEXT_PARAMETERS1 DV_ACTION_CODE DV_ACTION_NAME DV_ACTION_OBJECT_NAME DV_COMMENT DV_EXTENDED_ACTION_CODE DV_FACTOR_CONTEXT DV_GRANTEE DV_OBJECT_STATUS DV_RETURN_CODE DV_RULE_SET_NAME ENTRY_ID EXCLUDED_OBJECT EXCLUDED_SCHEMA EXCLUDED_USER EXECUTION_ID EXTERNAL_USERID FGA_POLICY_NAME GLOBAL_USERID INSTANCE_ID KSACL_SERVICE_NAME KSACL_SOURCE_LOCATION KSACL_USER_NAME NEW_NAME NEW_SCHEMA OBJECT_EDITION OBJECT_PRIVILEGES OLS_GRANTEE OLS_LABEL_COMPONENT_NAME OLS_LABEL_COMPONENT_TYPE OLS_MAX_READ_LABEL OLS_MAX_WRITE_LABEL OLS_MIN_WRITE_LABEL OLS_NEW_VALUE OLS_OLD_VALUE OLS_PARENT_GROUP_NAME OLS_POLICY_NAME OLS_PRIVILEGES_GRANTED OLS_PRIVILEGES_USED OLS_PROGRAM_UNIT_NAME OLS_STRING_LABEL OS_USERNAME PROTOCOL_ACTION_NAME PROTOCOL_MESSAGE PROTOCOL_RETURN_CODE PROTOCOL_SESSION_ID PROTOCOL_USERHOST PROXY_SESSIONID RLS_INFO RMAN_DEVICE_TYPE RMAN_OBJECT_TYPE RMAN_OPERATION RMAN_SESSION_RECID RMAN_SESSION_STAMP ROLE SCN SYSTEM_PRIVILEGE SYSTEM_PRIVILEGE_USED TARGET_USER TERMINAL UNIFIED_AUDIT_POLICIES USERHOST XS_CALLBACK_EVENT_TYPE XS_COOKIE XS_DATASEC_POLICY_NAME XS_ENABLED_ROLE XS_ENTITY_TYPE XS_INACTIVITY_TIMEOUT XS_NS_ATTRIBUTE XS_NS_ATTRIBUTE_NEW_VAL XS_NS_ATTRIBUTE_OLD_VAL XS_NS_NAME XS_PACKAGE_NAME XS_PROCEDURE_NAME XS_PROXY_USER_NAME XS_SCHEMA_NAME XS_SESSIONID XS_TARGET_PRINCIPAL_NAME XS_USER_NAME For more information, see UNIFIED_AUDIT_TRAIL in the Oracle Database documentation.
`errorMessage`	string	N/A	This field isn't used for RDS for Oracle and is always null.
`exitCode`	number	`RETURN_CODE` column in `UNIFIED_AUDIT_TRAIL`	Oracle Database error code generated by the action. If the action succeeded, the value is `0`.
`logTime`	string	`EVENT_TIMESTAMP_UTC` column in `UNIFIED_AUDIT_TRAIL`	Timestamp of the creation of the audit trail entry. A sample value is `2020-11-27 06:56:14.981404`.
`netProtocol`	string	`AUTHENTICATION_TYPE` column in `UNIFIED_AUDIT_TRAIL`	The network communication protocol. A sample value is `TCP`.
`objectName`	string	`OBJECT_NAME` column in `UNIFIED_AUDIT_TRAIL`	The name of the object affected by the action. A sample value is `employees`.
`objectType`	string	`OBJECT_SCHEMA` column in `UNIFIED_AUDIT_TRAIL`	The schema name of object affected by the action. A sample value is `hr`.
`paramList`	list	`SQL_BINDS` column in `UNIFIED_AUDIT_TRAIL`	The list of bind variables, if any, associated with `SQL_TEXT`. A sample value is `parameter_1,parameter_2`.
`pid`	number	`OS_PROCESS` column in `UNIFIED_AUDIT_TRAIL`	Operating system process identifier of the Oracle database process. A sample value is `22396`.
`remoteHost`	string	`AUTHENTICATION_TYPE` column in `UNIFIED_AUDIT_TRAIL`	Either the client IP address or name of the host from which the session was spawned. A sample value is `123.456.789.123`.
`remotePort`	string	`AUTHENTICATION_TYPE` column in `UNIFIED_AUDIT_TRAIL`	The client port number. A typical value in Oracle Database environments is `1521`.
`rowCount`	number	N/A	This field isn't used for RDS for Oracle and is always null.
`serverHost`	string	Database host	The IP address of the database server host. A sample value is `123.456.789.123`.
`serverType`	string	N/A	The database server type. The value is always `ORACLE`.
`serverVersion`	string	Database host	The Amazon RDS for Oracle version, Release Update (RU), and Release Update Revision (RUR). A sample value is `19.0.0.0.ru-2020-01.rur-2020-01.r1.EE.3`.
`serviceName`	string	Database host	The name of the service. A sample value is `oracle-ee`.
`sessionId`	number	`SESSIONID` column in `UNIFIED_AUDIT_TRAIL`	The session identifier of the audit. An example is `1894327130`.
`startTime`	string	N/A	This field isn't used for RDS for Oracle and is always null.
`statementId`	number	`STATEMENT_ID` column in `UNIFIED_AUDIT_TRAIL`	Numeric ID for each statement run. A statement can cause many actions. A sample value is `142197`.
`substatementId`	N/A	N/A	This field isn't used for RDS for Oracle and is always null.
`transactionId`	string	`TRANSACTION_ID` column in `UNIFIED_AUDIT_TRAIL`	The identifier of the transaction in which the object is modified. A sample value is `02000800D5030000`.

databaseActivityEventList fields for Amazon RDS for SQL Server

The following are databaseActivityEventList fields for Amazon RDS for SQL Server.

Field	Data Type	Source	Description
`class`	string	`sys.fn_get_audit_file.class_type` mapped to `sys.dm_audit_class_type_map.class_type_desc`	The class of activity event. For more information, see SQL Server Audit (Database Engine) in the Microsoft documentation.
`clientApplication`	string	`sys.fn_get_audit_file.application_name`	The application that the client connects as reported by the client (SQL Server version 14 and higher). This field is null in SQL Server version 13.
`command`	string	`sys.fn_get_audit_file.action_id` mapped to `sys.dm_audit_actions.name`	The general category of the SQL statement. The value for this field depends on the value of the class.
`commandText`	string	`sys.fn_get_audit_file.statement`	This field indicates the SQL statement.
`databaseName`	string	`sys.fn_get_audit_file.database_name`	Name of the database.
`dbProtocol`	string	N/A	The database protocol. This value is `SQLSERVER`.
`dbUserName`	string	`sys.fn_get_audit_file.server_principal_name`	The database user for the client authentication.
`endTime`	string	N/A	This field isn't used by Amazon RDS for SQL Server and the value is null.
`engineNativeAuditFields`	object	Each field in `sys.fn_get_audit_file` that is not listed in this column.	By default, this object is empty. When you start the activity stream with the `--engine-native-audit-fields-included` option, this object includes other native engine audit fields, which are not returned by this JSON map.
`errorMessage`	string	N/A	This field isn't used by Amazon RDS for SQL Server and the value is null.
`exitCode`	integer	`sys.fn_get_audit_file.succeeded`	Indicates whether the action that started the event succeeded. This field can't be null. For all the events except login events, this field reports whether the permission check succeeded or failed, but not whether the operation succeeded or failed. Values include: `0` – Fail `1` – Success
`logTime`	string	`sys.fn_get_audit_file.event_time`	The event timestamp that is recorded by the SQL Server.
`netProtocol`	string	N/A	This field isn't used by Amazon RDS for SQL Server and the value is null.
`objectName`	string	`sys.fn_get_audit_file.object_name`	The name of the database object if the SQL statement is operating on an object.
`objectType`	string	`sys.fn_get_audit_file.class_type` mapped to `sys.dm_audit_class_type_map.class_type_desc`	The database object type if the SQL statement is operating on an object type.
`paramList`	string	N/A	This field isn't used by Amazon RDS for SQL Server and the value is null.
`pid`	integer	N/A	This field isn't used by Amazon RDS for SQL Server and the value is null.
`remoteHost`	string	`sys.fn_get_audit_file.client_ip`	The IP address or hostname of the client that issued the SQL statement (SQL Server version 14 and higher). This field is null in SQL Server version 13.
`remotePort`	integer	N/A	This field isn't used by Amazon RDS for SQL Server and the value is null.
`rowCount`	integer	`sys.fn_get_audit_file.affected_rows`	The number of table rows affected by the SQL statement (SQL Server version 14 and higher). This field is in SQL Server version 13.
`serverHost`	string	Database Host	The IP address of the host database server.
`serverType`	string	N/A	The database server type. The value is `SQLSERVER`.
`serverVersion`	string	Database Host	The database server version, for example, 15.00.4073.23.v1.R1 for SQL Server 2017.
`serviceName`	string	Database Host	The name of the service. An example value is `sqlserver-ee`.
`sessionId`	integer	`sys.fn_get_audit_file.session_id`	Unique identifier of the session.
`startTime`	string	N/A	This field isn't used by Amazon RDS for SQL Server and the value is null.
`statementId`	string	`sys.fn_get_audit_file.sequence_group_id`	A unique identifier for the client's SQL statement. The identifier is different for each event that is generated. A sample value is `0x38eaf4156267184094bb82071aaab644`.
`substatementId`	integer	`sys.fn_get_audit_file.sequence_number`	An identifier to determine the sequence number for a statement. This identifier helps when large records are split into multiple records.
`transactionId`	integer	`sys.fn_get_audit_file.transaction_id`	An identifier of a transaction. If there aren't any active transactions, the value is zero.
`type`	string	Database activity stream generated	The type of event. The values are `record` or `heartbeat`.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Audit logs

Processing an activity stream using the SDK