Database · November 14, 2024
Oracle databases are widely used in enterprise environments, and they come with a variety of features to ensure security and compliance. One such feature is auditing, which allows organizations to track and log database activities. However, users may encounter errors during the auditing process, one of which is the ORA-28056: Writing audit records to Windows Event Log failed error. This article aims to provide a comprehensive understanding of this error, its causes, and potential solutions.
What is ORA-28056?
The ORA-28056 error occurs when Oracle attempts to write audit records to the Windows Event Log but fails to do so. This can disrupt the auditing process, leading to potential compliance issues and making it difficult for administrators to track user activities within the database.
Common Causes of ORA-28056
Several factors can lead to the ORA-28056 error. Understanding these causes is crucial for effective troubleshooting:
- Insufficient Permissions: The Oracle database service may not have the necessary permissions to write to the Windows Event Log. This is often the case if the service is running under a user account that lacks administrative privileges.
- Event Log Size Limitations: Windows Event Logs have size limits. If the log reaches its maximum size, new entries cannot be written, resulting in the ORA-28056 error.
- Configuration Issues: Incorrect configuration settings in the Oracle database can also lead to this error. For instance, if the audit trail is not properly set up, it may cause failures in writing to the event log.
- Windows Security Policies: Certain security policies in Windows may restrict applications from writing to the Event Log, leading to this error.
Troubleshooting ORA-28056
To resolve the ORA-28056 error, administrators can follow these troubleshooting steps:
1. Check Service Permissions
Ensure that the Oracle database service is running under an account with sufficient permissions. Ideally, it should be running under a user account that has administrative rights. You can check and modify the service account by following these steps:
1. Open the Services management console (services.msc).
2. Locate the Oracle service (e.g., OracleServiceORCL).
3. Right-click and select Properties.
4. Go to the Log On tab and verify the account details.2. Review Event Log Size Settings
Check the size of the Windows Event Log and adjust the settings if necessary. To do this:
1. Open the Event Viewer (eventvwr.msc).
2. Right-click on the Application log and select Properties.
3. Check the maximum log size and adjust it if it is too small.3. Verify Oracle Audit Configuration
Ensure that the Oracle audit settings are correctly configured. You can check the audit settings using the following SQL command:
SELECT * FROM DBA_PRIVS WHERE GRANTEE = 'SYS' AND PRIVILEGE = 'AUDIT ANY';If the necessary privileges are not granted, you may need to adjust the audit settings accordingly.
4. Check Windows Security Policies
Review the local security policies on the Windows server to ensure that there are no restrictions preventing Oracle from writing to the Event Log. This can be done through the Local Security Policy management console (secpol.msc).
Conclusion
The ORA-28056 error can pose significant challenges for database administrators, particularly in environments where auditing is critical for compliance and security. By understanding the common causes and following the troubleshooting steps outlined above, administrators can effectively resolve this issue and ensure that their Oracle databases continue to function smoothly.
For organizations looking to enhance their database management capabilities, consider exploring options such as USA VPS Hosting solutions that provide robust performance and security features tailored for Oracle databases.
Today I tried to connect with Oracle Database 11g and got ORA-28056 error. Oracle Database was installed on Windows Server 2003.
I just issued the following command and got this error.
START > RUN > CMD
C:\>sqlplus /nolog
SQL*Plus: Release 11.2.0.2.0 Production on Fri Jan 23 13:40:09 2014
Copyright (c) 1982, 2010, Oracle. All rights reserved.
SQL> conn / as sysdba
ERROR:
ORA-28056: Writing audit records to Windows Event Log failed
OSD-197314968: Message 197314968 not found; product=RDBMS; facility=SOSD
O/S-Error: (OS 1502) The event log file is full.
ORA-01075: you are currently logged on
Cause of Problem:
The problem was occurred because Event Viewer log was full and not been able to log anymore events.
Solution of the Problem:
You need to free the event viewer log.
How to free event viewer log?
Step-1:
First login to your Server machine as an Administrator.
Step-2:
Now Click on START > Control Panel > Performance and Maintenance > Administrative Tools and Click on Event Viewer.
Step-3:
As the Event Log is full and unable to record new events, clear the logs by just right clicking on the Application/System/Security on the left side and select Clear All Events. It will ask you to save the events, if you want to save then click on Yes otherwise choose No option.
You Must Read:
How to fix – ORA-01033: ORACLE initialization or shutdown in progress.
Note:
You can also select overwrite option under properties of Application/System/Security, if required. It will automatically overwrite all old events to new events. You don’t need to clear the logs again and again.
There is one more option by which you can increase the size of logs as shown in below snapshot.
This tutorial will resolve your problem. Share this to your friends to enhance their knowledge too.
AND error_code = ‘ORA-28056’
Database: 19c Release 1
Error code: ORA-28056
Description: Writing audit records to Windows Event Log failed
Cause: Unable to write an audit entry to the Windows event log used as the audit trail.
Action: Check the error number for a possible operating system error. If there is no error, contact Oracle Support Services.
Understanding Oracle Database Error Code ORA-28056
The Oracle Database error code ORA-28056 indicates that a user is attempting to connect to the database with an account that has been locked due to a security policy. This error typically arises when the user’s account has exceeded the maximum number of allowed failed login attempts or has been manually locked by an administrator.
Error Message
The full error message for ORA-28056 is:
ORA-28056: account is locked
Causes of ORA-28056
- The user account has been locked by an administrator.
- The account has reached the maximum number of failed login attempts.
- The account is configured with a security policy that enforces account locking.
Steps to Resolve ORA-28056
To resolve the ORA-28056 error, follow these steps:
1. Identify the Locked Account
First, determine which account is locked. You can use the following SQL query to check the status of user accounts:
SELECT username, account_status FROM dba_users WHERE account_status = 'LOCKED';2. Unlock the User Account
If you have the necessary privileges, you can unlock the user account using the following SQL command:
ALTER USER username ACCOUNT UNLOCK;Replace username with the actual name of the locked account.
3. Review Security Policies
It’s essential to review the security policies in place that may have caused the account to lock. Check the FAILED_LOGIN_ATTEMPTS parameter and consider adjusting it if necessary:
SHOW PARAMETER FAILED_LOGIN_ATTEMPTS;4. Reset Password (if necessary)
If the account was locked due to multiple failed login attempts, consider resetting the password to ensure the user can log in successfully. Use the following command:
ALTER USER username IDENTIFIED BY new_password;5. Notify the User
Once the account is unlocked and any necessary changes are made, inform the user of the status of their account and any new credentials if applicable.
Preventing Future Occurrences
To minimize the chances of encountering ORA-28056 in the future:
- Educate users about password policies and the importance of keeping their passwords secure.
- Consider implementing account lockout thresholds that balance security with usability.
- Monitor login attempts and account statuses regularly to catch potential issues early.
Conclusion
Error code ORA-28056 can hinder user access to the Oracle Database, but it is a manageable issue. By following the steps outlined above, administrators can quickly unlock accounts and prevent future occurrences of this error.
If you continue to experience issues or need further assistance, consider consulting the official Oracle documentation or reaching out to Oracle support for more specialized help.
Database: 11g Release 1
Error code: ORA-28056
Description: Writing audit records to Windows Event Log failed
Cause: Unable to write an audit entry to the Windows event log used as the audit trail.
Action: Check the error number for a possible operating system error. If there is no error, contact Oracle Support Services.
Database: 11g Release 2
Error code: ORA-28056
Description: Writing audit records to Windows Event Log failed
Cause: Unable to write an audit entry to the Windows event log used as the audit trail.
Action: Check the error number for a possible operating system error. If there is no error, contact Oracle Support Services.
Database: 12c Release 1
Error code: ORA-28056
Description: Writing audit records to Windows Event Log failed
Cause: Unable to write an audit entry to the Windows event log used as the audit trail.
Action: Check the error number for a possible operating system error. If there is no error, contact Oracle Support Services.
Database: 12c Release 2
Error code: ORA-28056
Description: Writing audit records to Windows Event Log failed
Cause: Unable to write an audit entry to the Windows event log used as the audit trail.
Action: Check the error number for a possible operating system error. If there is no error, contact Oracle Support Services.
Database: 18c Release 1
Error code: ORA-28056
Description: Writing audit records to Windows Event Log failed
Cause: Unable to write an audit entry to the Windows event log used as the audit trail.
Action: Check the error number for a possible operating system error. If there is no error, contact Oracle Support Services.
AND error_code = ‘ORA-28056’
Database: 12c Release 1
Error code: ORA-28056
Description: Writing audit records to Windows Event Log failed
Cause: Unable to write an audit entry to the Windows event log used as the audit trail.
Action: Check the error number for a possible operating system error. If there is no error, contact Oracle Support Services.
Understanding Oracle Database Error Code ORA-28056
The Oracle Database error code ORA-28056 indicates that a user is attempting to connect to the database with an account that has been locked due to a security policy. This error typically arises when the user’s account has exceeded the maximum number of allowed failed login attempts or has been manually locked by an administrator.
Error Message
The full error message for ORA-28056 is:
ORA-28056: account is locked
Causes of ORA-28056
- The user account has been locked by an administrator.
- The account has reached the maximum number of failed login attempts.
- The account is configured with a security policy that enforces account locking.
Steps to Resolve ORA-28056
To resolve the ORA-28056 error, follow these steps:
1. Identify the Locked Account
First, determine which account is locked. You can use the following SQL query to check the status of user accounts:
SELECT username, account_status FROM dba_users WHERE account_status = 'LOCKED';2. Unlock the User Account
If you have the necessary privileges, you can unlock the user account using the following SQL command:
ALTER USER username ACCOUNT UNLOCK;Replace username with the actual name of the locked account.
3. Review Security Policies
It’s essential to review the security policies in place that may have caused the account to lock. Check the FAILED_LOGIN_ATTEMPTS parameter and consider adjusting it if necessary:
SHOW PARAMETER FAILED_LOGIN_ATTEMPTS;4. Reset Password (if necessary)
If the account was locked due to multiple failed login attempts, consider resetting the password to ensure the user can log in successfully. Use the following command:
ALTER USER username IDENTIFIED BY new_password;5. Notify the User
Once the account is unlocked and any necessary changes are made, inform the user of the status of their account and any new credentials if applicable.
Preventing Future Occurrences
To minimize the chances of encountering ORA-28056 in the future:
- Educate users about password policies and the importance of keeping their passwords secure.
- Consider implementing account lockout thresholds that balance security with usability.
- Monitor login attempts and account statuses regularly to catch potential issues early.
Conclusion
Error code ORA-28056 can hinder user access to the Oracle Database, but it is a manageable issue. By following the steps outlined above, administrators can quickly unlock accounts and prevent future occurrences of this error.
If you continue to experience issues or need further assistance, consider consulting the official Oracle documentation or reaching out to Oracle support for more specialized help.
Database: 11g Release 1
Error code: ORA-28056
Description: Writing audit records to Windows Event Log failed
Cause: Unable to write an audit entry to the Windows event log used as the audit trail.
Action: Check the error number for a possible operating system error. If there is no error, contact Oracle Support Services.
Database: 11g Release 2
Error code: ORA-28056
Description: Writing audit records to Windows Event Log failed
Cause: Unable to write an audit entry to the Windows event log used as the audit trail.
Action: Check the error number for a possible operating system error. If there is no error, contact Oracle Support Services.
Database: 12c Release 2
Error code: ORA-28056
Description: Writing audit records to Windows Event Log failed
Cause: Unable to write an audit entry to the Windows event log used as the audit trail.
Action: Check the error number for a possible operating system error. If there is no error, contact Oracle Support Services.
Database: 18c Release 1
Error code: ORA-28056
Description: Writing audit records to Windows Event Log failed
Cause: Unable to write an audit entry to the Windows event log used as the audit trail.
Action: Check the error number for a possible operating system error. If there is no error, contact Oracle Support Services.
Database: 19c Release 1
Error code: ORA-28056
Description: Writing audit records to Windows Event Log failed
Cause: Unable to write an audit entry to the Windows event log used as the audit trail.
Action: Check the error number for a possible operating system error. If there is no error, contact Oracle Support Services.
I got a PC which ran out from disk space & Oracle was not working. The error was ORA-28056.
I need to delete all the event log & then reconnect it again. Here you can see what happened & it get resolved.
C:\Documents and Settings\navneet>sqlplus
SQL*Plus: Release 11.2.0.1.0 Production on Wed Mar 7 15:44:02 2012
Copyright (c) 1982, 2010, Oracle. All rights reserved.
Enter user-name: /as sysdba
Connected to an idle instance.
SQL> startup
ORA-28056: Writing audit records to Windows Event Log failed
OSD-157797404: Message 157797404 not found; product=RDBMS; facility=SOSD
O/S-Error: (OS 1502) The event log file is full.
SQL> exit
Disconnected
Solution of the Problem : This was because the Event Viewer log is full and could not log anymore events.
The solution is to clear the event log .To solve this issue follow any of the following steps.
1) When a log is full, it stops recording new events. Clearing the log is one way to free the log and start recording new events. To do so
Go to Control Panel —> Administrative Tools —> Event Viewer —> Clear All Events.
2) We can also free a log and start recording new events by overwriting old events. To overwrite events,
Go to Control Panel —> Administrative Tools —> Event Viewer —> on the left side Application/System/Security (as available) Right click —> Properties —> click Overwrite events as needed .
This ensures that all new events are written to the log, even when the log is full.
3) We can also start logging new events by increasing the maximum log size. To increase the log size,
Go to Control Panel —> Administrative Tools —> Event Viewer —> on the left side Application/System/Security (as available) Right click —> Properties —> Increase the Maximum log size by typing a bigger value.
After that open the CMD,
write «sqlplus /nolog» and press enter.
Now, write «connect as sysdba», enter the user name, for example, «sys» and the password.
After connect, write «startup».
C:\Documents and Settings\navneet>sqlplus
SQL*Plus: Release 11.2.0.1.0 Production on Wed Mar 7 15:52:12 2012
Copyright (c) 1982, 2010, Oracle. All rights reserved.
Enter user-name: /as sysdba
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 — Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL> select status from v$instance;
STATUS
————
STARTED
SQL> alter database mount;
Database altered.
SQL> select status from v$instance;
STATUS
————
MOUNTED
SQL> alter database open;
Database altered.
SQL> select status from v$instance;
STATUS
————
OPEN
Njoy!!!!!
Your suggestions and queries are always warm welcomed.