In Oracle 11g, it seems to audit all sessions by default. For dbs that take multiple connections per second, the audit logs add up fast. It creates so many log files that even running a grep for ‘1017’ (failed logins) over files that are only one minute old fails with ‘argument list too long’.
If the logs aren’t needed for SOX/other compliance, it’s easiest to whittle down what is actually audited.
To do so:
SQL> noaudit session;
With session auditing set to ‘noaudit’, the database will still audit sys connections (just the basic connection info, unless audit_sys_operations is set to true, in which case it will audit more than just the ‘connect’).
To add on failed login auditing:
SQL> audit session whenever not successful;
Now it is set to audit sys connections and failed logins, and the audit logs are few enough to allow a ‘failed login script’ to grep for ‘1017’ and email what it finds.
Note – alternatively, you can of course set it to send its audit info to the db instead of the OS. Both versions have their pluses and minuses.
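One way to write the ‘failed login script’ so that it never hits ‘argument list too long’, as an added example that is not from the original post. It assumes OS audit files end in .aud and hold one record per line with USERID, USERHOST and RETURNCODE fields; the function names and sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes each 11g OS audit
# record keeps its fields on one line, e.g. ... RETURNCODE:[4] "1017" ...

# failed_logins DIR MINUTES
# Counts failed logins (ORA-01017) per "user host" in *.aud files under DIR
# that were modified in the last MINUTES minutes.
failed_logins() {
    # find hands file names to grep in batches ('-exec ... +'), so no shell
    # glob is expanded and 'argument list too long' cannot occur.
    # Matching the RETURNCODE field instead of a bare 1017 skips records
    # where 1017 only shows up inside a session id.
    find "$1" -type f -name '*.aud' -mmin "-$2" \
        -exec grep -h 'RETURNCODE:\[4] "1017"' {} + |
    sed -n 's/.* USERID:\[[0-9]*] "\([^"]*\)" USERHOST:\[[0-9]*] "\([^"]*\)".*/\1 \2/p' |
    sort | uniq -c | sed 's/^ *//'
}

# write_sample DIR: constructed audit records (hypothetical users and hosts).
write_sample() {
    cat > "$1/orcl_ora_101.aud" <<'EOF'
SESSIONID:[6] "551017" ENTRYID:[1] "1" STATEMENT:[1] "1" USERID:[5] "SCOTT" USERHOST:[5] "app01" TERMINAL:[5] "pts/1" ACTION:[3] "100" RETURNCODE:[1] "0" OS$USERID:[6] "oracle"
EOF
    cat > "$1/orcl_ora_102.aud" <<'EOF'
SESSIONID:[6] "551018" ENTRYID:[1] "1" STATEMENT:[1] "1" USERID:[5] "SCOTT" USERHOST:[5] "app02" TERMINAL:[5] "pts/2" ACTION:[3] "100" RETURNCODE:[4] "1017" OS$USERID:[6] "oracle"
SESSIONID:[6] "551019" ENTRYID:[1] "1" STATEMENT:[1] "1" USERID:[5] "SCOTT" USERHOST:[5] "app02" TERMINAL:[5] "pts/2" ACTION:[3] "100" RETURNCODE:[4] "1017" OS$USERID:[6] "oracle"
EOF
    cat > "$1/orcl_ora_103.aud" <<'EOF'
SESSIONID:[6] "551020" ENTRYID:[1] "1" STATEMENT:[1] "1" USERID:[2] "HR" USERHOST:[5] "web01" TERMINAL:[5] "pts/3" ACTION:[3] "100" RETURNCODE:[4] "1017" OS$USERID:[5] "httpd"
EOF
}

# Demo on the constructed files: the successful login whose session id
# happens to contain 1017 (file 101) is not reported.
demo_dir=$(mktemp -d)
write_sample "$demo_dir"
failed_logins "$demo_dir" 5
rm -rf "$demo_dir"
```

Point failed_logins at the directory named by audit_file_dest from cron, and mail the output only when it is non-empty.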