Use of various masks
The _require mask can be a valuable tool because it audits every database server user for the events that are specified in this mask. You can use this mask to perform the bulk of the auditing. You can use the _require mask to make rapid changes to the auditing configurations for all users by adding or removing items from this one mask.
The _exclude mask is also useful. It is read last, so its contents take precedence over the instructions in the other masks. As the name implies, the audit events that you specify in the _exclude mask are excluded from auditing. This exclusion is true of every event, including those specified in the _require mask. The Read Row audit event, for example, is a good candidate for the _exclude mask. Read Row is a common event that can generate huge amounts of potentially useless data in the audit trail.
How you use the _default and individual user masks depends on the number of users and their activities. For example, if you have only a few users, you might want to give each one an individual mask. You might then use the _default mask to audit events that are initiated by users who do not normally use your database, and configure the _default mask with a high level of security. To offset any detrimental effects on system performance, set up less-comprehensive individual user masks for frequent users. Or, if you have many users and do not want to create many individual user masks, leave the _default mask empty and rely on the _require mask for most of your auditing.