Monday, February 9, 2026

OS_auditmon_user


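#!/bin/bash
# Oracle audit logs: show all actions for a user in last N minutes
#
# Usage: OS_auditmon_user [AUDIT_DIR]
#   AUDIT_DIR   directory searched recursively for *.aud files (default: ".")
#
# Prompts on stdin for the look-back window (minutes) and the database user,
# then prints one row per distinct DB_USER/OS_USER/HOST/RETURNCODE/ACTION
# tuple together with its occurrence count.
#
# Requires GNU awk: match(s, re, arr) with a capture array is a gawk extension.
set -euo pipefail

audit_dir=${1:-.}

# -r keeps backslashes in the typed input literal.  The variable is deliberately
# not called USER: that is the exported login-name variable inherited by every
# child process, so overwriting it has side effects beyond this script.
read -r -p "Enter minutes to look back: " minutes || exit 1
read -r -p "Enter username to search for: " audit_user || exit 1

# "positive integer": also rejects 0 and leading zeros (find -cmin -0 matches nothing).
if ! [[ "$minutes" =~ ^[1-9][0-9]*$ ]]; then
    echo "Minutes must be a positive integer." >&2
    exit 1
fi
if [[ -z "$audit_user" ]]; then
    echo "Username cannot be empty." >&2
    exit 1
fi
if [[ ! -d "$audit_dir" ]]; then
    echo "Audit directory '$audit_dir' does not exist." >&2
    exit 1
fi

echo "Searching audit logs for user '$audit_user' in last $minutes minutes..."
echo
# Header
printf "%-5s %-10s %-15s %-15s %-12s %-15s\n" "COUNT" "DB_USER" "OS_USER" "HOST" "RETURNCODE" "ACTION"
printf "%-5s %-10s %-15s %-15s %-12s %-15s\n" "-----" "-------" "-------" "----" "----------" "------"

# The user name reaches awk through the environment rather than `awk -v`,
# because -v applies backslash-escape processing to its value.
find "$audit_dir" -name "*.aud" -cmin -"$minutes" -exec cat {} + \
| AUDIT_USER="$audit_user" awk '
BEGIN {
    u = ENVIRON["AUDIT_USER"]
    OFS = "\t"   # tab-separated so empty or space-containing fields keep their column
    db=""; os=""; host=""; rc="-"; action=""
}
{
    # USERID must not be preceded by "$", otherwise the OS$USERID field would
    # also match and overwrite the database user; the capture is therefore a[2].
    if(match($0,/(^|[^$])USERID:\[[0-9]+\] "([^"]+)"/,a)) db=a[2]
    if(match($0,/OS\$USERID:\[[0-9]+\] "([^"]+)"/,b)) os=b[1]
    if(match($0,/USERHOST:\[[0-9]+\] "([^"]+)"/,c)) host=c[1]
    if(match($0,/RETURNCODE:\[[0-9]+\] "([0-9]+)"/,d)) rc=d[1]
    if(match($0,/ACTION:\[[0-9]+\] "([^"]+)"/,e)) action=e[1]
    # ACTION is treated as the closing field of a record (assumption inherited
    # from the original script -- TODO confirm against the installed audit_trail
    # format).  Print the record if it belongs to the wanted user, then reset
    # state unconditionally so fields of a non-matching record cannot leak into
    # the next one.
    if(action!="") {
        if(db==u) print db, os, host, rc, action
        db=""; os=""; host=""; rc="-"; action=""
    }
}' \
| sort \
| uniq -c \
| awk -F'\t' '{
    # uniq -c prefixes "<blanks><count> " to each line, so $1 holds both the
    # count and DB_USER separated by a space; split them back apart.
    n = split($1, c, " ")
    db = c[2]
    for (i = 3; i <= n; i++) db = db " " c[i]
    printf "%-5s %-10s %-15s %-15s %-12s %-15s\n", c[1], db, $2, $3, $4, $5
}'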
