# databaseActivityEventList JSON array for database activity streams
<a name="DBActivityStreams.AuditLog.databaseActivityEventList"></a>

The audit log payload is an encrypted `databaseActivityEventList` JSON array. The following table lists alphabetically the fields for each activity event in the decrypted `DatabaseActivityEventList` array of an audit log. 

When unified auditing is enabled in Oracle Database, the audit records are populated in this new audit trail. The `UNIFIED_AUDIT_TRAIL` view displays audit records in tabular form by retrieving the audit records from the audit trail. When you start a database activity stream, a column in `UNIFIED_AUDIT_TRAIL` maps to a field in the `databaseActivityEventList` array.

**Important**  
The event structure is subject to change. Amazon RDS might add new fields to activity events in the future. In applications that parse the JSON data, make sure that your code can ignore or take appropriate actions for unknown field names. 

## databaseActivityEventList fields for Amazon RDS for Oracle
<a name="DBActivityStreams.AuditLog.databaseActivityEventList.ro"></a>

The following are `databaseActivityEventList` fields for Amazon RDS for Oracle.


| Field | Data Type | Source | Description | 
| --- | --- | --- | --- | 
|  `class`  |  string  |  `AUDIT_TYPE` column in `UNIFIED_AUDIT_TRAIL`  |  The class of activity event. This corresponds to the `AUDIT_TYPE` column in the `UNIFIED_AUDIT_TRAIL` view. Valid values for Amazon RDS for Oracle are the following: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/DBActivityStreams.AuditLog.databaseActivityEventList.html) For more information, see [UNIFIED\$1AUDIT\$1TRAIL](https://docs.oracle.com/en/database/oracle/oracle-database/19/refrn/UNIFIED_AUDIT_TRAIL.html#GUID-B7CE1C02-2FD4-47D6-80AA-CF74A60CDD1D) in the Oracle documentation.  | 
|  `clientApplication`  |  string  |  `CLIENT_PROGRAM_NAME` in `UNIFIED_AUDIT_TRAIL`  |  The application the client used to connect as reported by the client. The client doesn't have to provide this information, so the value can be null. A sample value is `JDBC Thin Client`.  | 
|  `command`  |  string  |  `ACTION_NAME` column in `UNIFIED_AUDIT_TRAIL`  |  Name of the action executed by the user. To understand the complete action, read both the command name and the `AUDIT_TYPE` value. A sample value is `ALTER DATABASE`.  | 
|  `commandText`  |  string  |  `SQL_TEXT` column in `UNIFIED_AUDIT_TRAIL`  |  The SQL statement associated with the event. A sample value is `ALTER DATABASE BEGIN BACKUP`.  | 
|  `databaseName`  |  string  |  `NAME` column in `V$DATABASE`  |  The name of the database.  | 
|  `dbid`  |  number  |  `DBID` column in `UNIFIED_AUDIT_TRAIL`  |  Numerical identifier for the database. A sample value is `1559204751`.  | 
|  `dbProtocol`  |  string  |  N/A  |  The database protocol. In this beta, the value is `oracle`.  | 
|  `dbUserName`  |  string  |  `DBUSERNAME` column in `UNIFIED_AUDIT_TRAIL`  |  Name of the database user whose actions were audited. A sample value is `RDSADMIN`.  | 
|  `endTime`  |  string  |  N/A  |  This field isn't used for RDS for Oracle and is always null.  | 
|  `engineNativeAuditFields`  |  object  |  `UNIFIED_AUDIT_TRAIL`  |  By default, this object is empty. When you start the activity stream with the `--engine-native-audit-fields-included` option, this object includes the following columns and their values: <pre>ADDITIONAL_INFO<br />APPLICATION_CONTEXTS<br />AUDIT_OPTION<br />AUTHENTICATION_TYPE<br />CLIENT_IDENTIFIER<br />CURRENT_USER<br />DBLINK_INFO<br />DBPROXY_USERNAME<br />DIRECT_PATH_NUM_COLUMNS_LOADED<br />DP_BOOLEAN_PARAMETERS1<br />DP_TEXT_PARAMETERS1<br />DV_ACTION_CODE<br />DV_ACTION_NAME<br />DV_ACTION_OBJECT_NAME<br />DV_COMMENT<br />DV_EXTENDED_ACTION_CODE<br />DV_FACTOR_CONTEXT<br />DV_GRANTEE<br />DV_OBJECT_STATUS<br />DV_RETURN_CODE<br />DV_RULE_SET_NAME<br />ENTRY_ID<br />EXCLUDED_OBJECT<br />EXCLUDED_SCHEMA<br />EXCLUDED_USER<br />EXECUTION_ID<br />EXTERNAL_USERID<br />FGA_POLICY_NAME<br />GLOBAL_USERID<br />INSTANCE_ID<br />KSACL_SERVICE_NAME<br />KSACL_SOURCE_LOCATION<br />KSACL_USER_NAME<br />NEW_NAME<br />NEW_SCHEMA<br />OBJECT_EDITION<br />OBJECT_PRIVILEGES<br />OLS_GRANTEE<br />OLS_LABEL_COMPONENT_NAME<br />OLS_LABEL_COMPONENT_TYPE<br />OLS_MAX_READ_LABEL<br />OLS_MAX_WRITE_LABEL<br />OLS_MIN_WRITE_LABEL<br />OLS_NEW_VALUE<br />OLS_OLD_VALUE<br />OLS_PARENT_GROUP_NAME<br />OLS_POLICY_NAME<br />OLS_PRIVILEGES_GRANTED<br />OLS_PRIVILEGES_USED<br />OLS_PROGRAM_UNIT_NAME<br />OLS_STRING_LABEL<br />OS_USERNAME<br />PROTOCOL_ACTION_NAME<br />PROTOCOL_MESSAGE<br />PROTOCOL_RETURN_CODE<br />PROTOCOL_SESSION_ID<br />PROTOCOL_USERHOST<br />PROXY_SESSIONID<br />RLS_INFO<br />RMAN_DEVICE_TYPE<br />RMAN_OBJECT_TYPE<br />RMAN_OPERATION<br />RMAN_SESSION_RECID<br />RMAN_SESSION_STAMP<br />ROLE<br />SCN<br />SYSTEM_PRIVILEGE<br />SYSTEM_PRIVILEGE_USED<br />TARGET_USER<br />TERMINAL<br />UNIFIED_AUDIT_POLICIES<br />USERHOST<br />XS_CALLBACK_EVENT_TYPE<br />XS_COOKIE<br />XS_DATASEC_POLICY_NAME<br />XS_ENABLED_ROLE<br />XS_ENTITY_TYPE<br />XS_INACTIVITY_TIMEOUT<br />XS_NS_ATTRIBUTE<br />XS_NS_ATTRIBUTE_NEW_VAL<br />XS_NS_ATTRIBUTE_OLD_VAL<br />XS_NS_NAME<br />XS_PACKAGE_NAME<br />XS_PROCEDURE_NAME<br />XS_PROXY_USER_NAME<br />XS_SCHEMA_NAME<br />XS_SESSIONID<br />XS_TARGET_PRINCIPAL_NAME<br />XS_USER_NAME</pre> For more information, see [UNIFIED\$1AUDIT\$1TRAIL](https://docs.oracle.com/database/121/REFRN/GUID-B7CE1C02-2FD4-47D6-80AA-CF74A60CDD1D.htm#REFRN29162) in the Oracle Database documentation.  | 
|  `errorMessage`  |  string  |  N/A  |  This field isn't used for RDS for Oracle and is always null.  | 
|  `exitCode`  |  number  |  `RETURN_CODE` column in `UNIFIED_AUDIT_TRAIL`  |  Oracle Database error code generated by the action. If the action succeeded, the value is `0`.  | 
|  `logTime`  |  string  |  `EVENT_TIMESTAMP_UTC` column in `UNIFIED_AUDIT_TRAIL`  |  Timestamp of the creation of the audit trail entry. A sample value is `2020-11-27 06:56:14.981404`.  | 
|  `netProtocol`  |  string  |  `AUTHENTICATION_TYPE` column in `UNIFIED_AUDIT_TRAIL`  |  The network communication protocol. A sample value is `TCP`.  | 
|  `objectName`  |  string  |  `OBJECT_NAME` column in `UNIFIED_AUDIT_TRAIL`  |  The name of the object affected by the action. A sample value is `employees`.  | 
|  `objectType`  |  string  |  `OBJECT_SCHEMA` column in `UNIFIED_AUDIT_TRAIL`  |  The schema name of object affected by the action. A sample value is `hr`.  | 
|  `paramList`  |  list  |  `SQL_BINDS` column in `UNIFIED_AUDIT_TRAIL`  |  The list of bind variables, if any, associated with `SQL_TEXT`. A sample value is `parameter_1,parameter_2`.  | 
|  `pid`  |  number  |  `OS_PROCESS` column in `UNIFIED_AUDIT_TRAIL`  |  Operating system process identifier of the Oracle database process. A sample value is `22396`.  | 
|  `remoteHost`  |  string  |  `AUTHENTICATION_TYPE` column in `UNIFIED_AUDIT_TRAIL`  |  Either the client IP address or name of the host from which the session was spawned. A sample value is `123.456.789.123`.  | 
|  `remotePort`  |  string  |  `AUTHENTICATION_TYPE` column in `UNIFIED_AUDIT_TRAIL`  |  The client port number. A typical value in Oracle Database environments is `1521`.  | 
|  `rowCount`  |  number  |  N/A  |  This field isn't used for RDS for Oracle and is always null.  | 
|  `serverHost`  |  string  |  Database host  |  The IP address of the database server host. A sample value is `123.456.789.123`.  | 
|  `serverType`  |  string  |  N/A  |  The database server type. The value is always `ORACLE`.  | 
|  `serverVersion`  |  string  |  Database host  |  The Amazon RDS for Oracle version, Release Update (RU), and Release Update Revision (RUR). A sample value is `19.0.0.0.ru-2020-01.rur-2020-01.r1.EE.3`.  | 
|  `serviceName`  |  string  |  Database host  |  The name of the service. A sample value is `oracle-ee`.   | 
|  `sessionId`  |  number  |  `SESSIONID` column in `UNIFIED_AUDIT_TRAIL`  |  The session identifier of the audit. An example is `1894327130`.  | 
|  `startTime`  |  string  |  N/A  |  This field isn't used for RDS for Oracle and is always null.  | 
|  `statementId`  |  number  |  `STATEMENT_ID` column in `UNIFIED_AUDIT_TRAIL`  |  Numeric ID for each statement run. A statement can cause many actions. A sample value is `142197`.  | 
|  `substatementId`  |  N/A  |  N/A  |  This field isn't used for RDS for Oracle and is always null.  | 
|  `transactionId`  |  string  |  `TRANSACTION_ID` column in `UNIFIED_AUDIT_TRAIL`  |  The identifier of the transaction in which the object is modified. A sample value is `02000800D5030000`.  | 

## databaseActivityEventList fields for Amazon RDS for SQL Server
<a name="DBActivityStreams.AuditLog.databaseActivityEventList.rss"></a>

The following are `databaseActivityEventList` fields for Amazon RDS for SQL Server.


| Field | Data Type | Source | Description | 
| --- | --- | --- | --- | 
|  `class`  |  string  |  ` sys.fn_get_audit_file.class_type` mapped to `sys.dm_audit_class_type_map.class_type_desc`  |  The class of activity event. For more information, see [SQL Server Audit (Database Engine)](https://learn.microsoft.com/en-us/sql/relational-databases/security/auditing/sql-server-audit-database-engine?view=sql-server-ver16) in the Microsoft documentation.  | 
|  `clientApplication`  |  string  |  `sys.fn_get_audit_file.application_name`  |  The application that the client connects as reported by the client (SQL Server version 14 and higher). This field is null in SQL Server version 13.  | 
|  `command`  |  string  |  `sys.fn_get_audit_file.action_id` mapped to `sys.dm_audit_actions.name`  |  The general category of the SQL statement. The value for this field depends on the value of the class.  | 
|  `commandText`  |  string  |  `sys.fn_get_audit_file.statement`  |  This field indicates the SQL statement.  | 
|  `databaseName`  |  string  |  `sys.fn_get_audit_file.database_name`  |  Name of the database.  | 
|  `dbProtocol`  |  string  |  N/A  |  The database protocol. This value is `SQLSERVER`.  | 
|  `dbUserName`  |  string  |  `sys.fn_get_audit_file.server_principal_name`  |  The database user for the client authentication.  | 
|  `endTime`  |  string  |  N/A  |  This field isn't used by Amazon RDS for SQL Server and the value is null.  | 
|  `engineNativeAuditFields`  |  object  |  Each field in `sys.fn_get_audit_file` that is not listed in this column.  |  By default, this object is empty. When you start the activity stream with the `--engine-native-audit-fields-included` option, this object includes other native engine audit fields, which are not returned by this JSON map.  | 
|  `errorMessage`  |  string  |  N/A  |  This field isn't used by Amazon RDS for SQL Server and the value is null.  | 
|  `exitCode`  |  integer  |  `sys.fn_get_audit_file.succeeded`  |  Indicates whether the action that started the event succeeded. This field can't be null. For all the events except login events, this field reports whether the permission check succeeded or failed, but not whether the operation succeeded or failed. Values include: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/DBActivityStreams.AuditLog.databaseActivityEventList.html)  | 
|  `logTime`  |  string  |  `sys.fn_get_audit_file.event_time`  |  The event timestamp that is recorded by the SQL Server.  | 
|  `netProtocol`  |  string  |  N/A  |  This field isn't used by Amazon RDS for SQL Server and the value is null.  | 
|  `objectName`  |  string  |  `sys.fn_get_audit_file.object_name`  |  The name of the database object if the SQL statement is operating on an object.  | 
|  `objectType`  |  string  |  `sys.fn_get_audit_file.class_type` mapped to `sys.dm_audit_class_type_map.class_type_desc`  |  The database object type if the SQL statement is operating on an object type.  | 
|  `paramList`  |  string  |  N/A  |  This field isn't used by Amazon RDS for SQL Server and the value is null.  | 
|  `pid`  |  integer  |  N/A  |  This field isn't used by Amazon RDS for SQL Server and the value is null.  | 
|  `remoteHost`  |  string  |  `sys.fn_get_audit_file.client_ip`  |  The IP address or hostname of the client that issued the SQL statement (SQL Server version 14 and higher). This field is null in SQL Server version 13.  | 
|  `remotePort`  |  integer  |  N/A  |  This field isn't used by Amazon RDS for SQL Server and the value is null.  | 
|  `rowCount`  |  integer  |  `sys.fn_get_audit_file.affected_rows`  |  The number of table rows affected by the SQL statement (SQL Server version 14 and higher). This field is in SQL Server version 13.  | 
|  `serverHost`  |  string  |  Database Host  |  The IP address of the host database server.  | 
|  `serverType`  |  string  |  N/A  |  The database server type. The value is `SQLSERVER`.  | 
|  `serverVersion`  |  string  |  Database Host  |  The database server version, for example, 15.00.4073.23.v1.R1 for SQL Server 2017.  | 
|  `serviceName`  |  string  |  Database Host  |  The name of the service. An example value is `sqlserver-ee`.  | 
|  `sessionId`  |  integer  |  `sys.fn_get_audit_file.session_id`  |  Unique identifier of the session.  | 
|  `startTime`  |  string  |  N/A  |  This field isn't used by Amazon RDS for SQL Server and the value is null.  | 
|  `statementId`  |  string  |  `sys.fn_get_audit_file.sequence_group_id`  |  A unique identifier for the client's SQL statement. The identifier is different for each event that is generated. A sample value is `0x38eaf4156267184094bb82071aaab644`.  | 
|  `substatementId`  |  integer  |  `sys.fn_get_audit_file.sequence_number`  |  An identifier to determine the sequence number for a statement. This identifier helps when large records are split into multiple records.  | 
|  `transactionId`  |  integer  |  `sys.fn_get_audit_file.transaction_id`  |  An identifier of a transaction. If there aren't any active transactions, the value is zero.  | 
|  `type`  |  string  |  Database activity stream generated  |  The type of event. The values are `record` or `heartbeat`.  |