cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Read only

SAP Sybase ASE Audit Logs: Handling Multi-Row Single Events in Query Results

Aakanksha_Chandya
Explorer

2 weeks ago - last edited 2 weeks ago

0 Kudos
333

How to handle split audit log entries in SAP Sybase ASE?

When querying audit logs in Sybase ASE, I'm facing an issue where the extrainfo column is being split across multiple rows. This makes it difficult to analyse the complete audit information.

Query: 

select * from sybsecurity..sysaudits_01


Example of the issue:
- Row 1: event, eventtime, loginname, dbname, objname, objowner, [part1 of extrainfo...]
- Row 2: event, eventtime, loginname, dbname, objname, objowner,[continuation of extrainfo...]
- Row 3: event, eventtime, loginname, dbname, objname, objowner,[rest of extrainfo...]

I need a way to either:
1. Combine these split rows into a single row per audit event(Reliably)
2. Or increase the character limit for the extrainfo column.

 

 

Know the answer?

Help others by sharing your knowledge.

Answer

Need more details?

Request clarification before answering.

Show replies
Show replies
chris_keating
Product and Topic Expert
Product and Topic Expert
2 weeks ago
0 Kudos
You may get a targeted set of experts by using an ASE tag "SAP Adaptive Server Enterprise". The tags you have selected are not ASE related.
Mark_A_Parsons
Contributor
2 weeks ago
0 Kudos

Consider adding a) a sample set of rows from your audit table, b) your coding attempt, c) the (wrong) output generated by your code and d) the (correct) expected result.

Also of interest would be a) your ASE version and b) some idea of how you wish to run the code (SQL batch? stored proc? something else?).

Accepted Solutions (0)

Answers (3)

Answers (3)

bonusbrevis
Participant
a week ago

Have you tried using the sequence column in sysaudits_xx?  

 

SELECT extrainfo FROM sysaudits_xx where eventtime =x and spid=x ORDER BY SEQUENCE

 

Show replies
Show replies
umasaral
Contributor
a week ago
0 Kudos

To handle split extrainfo in Sybase ASE audit logs:
1. Use auditprocess utility or sp_audit parsing scripts to reconstruct events—they handle multi-row extrainfo properly.
2. There’s no supported way to increase extrainfo column length in sysaudits_xx tables.
3. To combine rows manually, use event, eventtime, and objname as correlation keys and STRING_AGG() (if on ASE 16+) or cursor logic in a stored proc.
4. For robust analysis, export logs and process externally (e.g., Python script or shell pipeline).
5. Consider using audit init with larger audit block sizes to reduce row-splitting frequency.

Show replies
Show replies
umasaral
Contributor
2 weeks ago
0 Kudos

To handle split extrainfo entries in Sybase ASE audit logs:
1. Use the audit_process_event function or ASE audit tools like sp_audit_read to reconstruct full events—these tools auto-merge split rows.
2. If writing custom SQL, identify related rows using event, eventtime, and spid, then use FOR XML PATH or STRING_AGG (if supported) to combine them.
3. Example (pseudocode):


SELECT eventtime, loginname,
STRING_AGG(extrainfo, '')
FROM sybsecurity..sysaudits_01
GROUP BY eventtime, loginname;


4. ASE does not support increasing the extrainfo column size—it’s fixed by Sybase.
5. Best practice: Use auditing tools or export logs and reassemble them via a script (Python/PowerShell) for complex cases.

Show replies
Show replies
Aakanksha_Chandya
Explorer
2 weeks ago
0 Kudos
Hi, Thanks for your response.
Aakanksha_Chandya
Explorer
2 weeks ago
0 Kudos
Hi, Thanks for your response. Writing a custom SQL like the one you suggested is giving inconsistent results as events can have same time and loginname but still be two separate events spread over multiple rows. I was not able to find any documentation for "audit_process_event function or ASE audit tools like sp_audit_read". Could you please provide me with any references I can use, if you have any?
Ask a Question