audit all activity against

0

I would like to audit all activity against the schema in my RDS Oracle. I also want to capture the SQL text in auditing and want to view this activity in the *.aud RDS log files and upload the same to CloudWatch.

When I set audit_trail to OS and export to CloudWatch, I only see the "/ as sysdba" login.

R_sha
Asked 1 month ago, 106 views
1 Answer
1
Accepted Answer

audit_trail set to OS will not have extended SQL data; XML,EXTENDED will capture the SQLTEXT.

The audit_trail=OS parameter does not have an option to include the SQL statement, but XML,EXTENDED does.

I tested audit_trail with XML,EXTENDED and it allows the SQL statement capture.

If you try to set audit_trail to OS,EXTENDED, the setting is not accepted. The following errors are mentioned when attempted, and upon reboot it will go to incompatible parameter:

audit_trail, must be from among NONE | OS | DB | DB,EXTENDED | XML | XML,EXTENDED

Please see the following trace file in Cloud trail logs

a) Set audit_trail=XML,EXTENDED
b) Reboot the database (as Audit is a static parameter, it needs a reboot)

Log insight

fields @timestamp, @message, @logStream, @log | sort @timestamp desc | limit 1000

Here you can see the Audit with sql in the cloud log and

<AuditRecord><Audit_Type>1</Audit_Type><Session_Id>985490</Session_Id><StatementId>38</StatementId><EntryId>351</EntryId><Extended_Timestamp>2024-03-20T05:35:11.972589Z</Extended_Timestamp><DB_User>MX1</DB_User><OS_User>abc123</OS_User><Userhost> myhost</Userhost><OS_Process>43645</OS_Process><Terminal>unknown</Terminal><Instance_Number>0</Instance_Number><Object_Schema>ADMIN</Object_Schema><Object_Name>TAB1</Object_Name><Action>2</Action><TransactionId>0C00180074010000</TransactionId><Returncode>0</Returncode><Scn>64000686</Scn><Priv_Used>48</Priv_Used><DBID>3738265799</DBID><Current_User>MX1</Current_User>

<Sql_Text> insert into admin.tab1 values ('tab1')</Sql_Text>

Please also see the following two-part series for comprehensive information on RDS Oracle audit:

Security auditing in Amazon RDS for Oracle: Part 1
https://aws.amazon.com/blogs/database/part-1-security-auditing-in-amazon-rds-for-oracle/

Security auditing in Amazon RDS for Oracle: Part 2
https://aws.amazon.com/blogs/database/part-2-security-auditing-in-amazon-rds-for-oracle/

AWS
answered 1 month ago
EXPERT
reviewed 1 month ago
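
Added example, not part of the original answer or of AWS's own code: a tolerant parser that turns the XML,EXTENDED audit records returned by the Logs Insights query into rows of who ran which SQL against a given schema. The function names, the constructed sample input, and the assumption that messages are passed oldest first (the query above sorts descending, so reverse its output) are this example's own; the action names are a subset of Oracle's AUDIT_ACTIONS codes.

```python
import html
import re

# Subset of Oracle AUDIT_ACTIONS codes (the sample record has Action 2 for an INSERT).
ACTIONS = {"2": "INSERT", "3": "SELECT", "6": "UPDATE", "7": "DELETE",
           "100": "LOGON", "101": "LOGOFF"}
FIELD_RE = re.compile(r"<(\w+)>(.*?)</\1>", re.DOTALL)


def parse_audit_messages(messages):
    """Rebuild audit records from @message strings given oldest first.
    A record can span several log events (in the sample, <Sql_Text> arrives
    separately) and can lack </AuditRecord>, so split on the opening tag and
    scan for fields instead of feeding the text to a strict XML parser.
    """
    records = []
    for chunk in "\n".join(messages).split("<AuditRecord>")[1:]:
        rec = {tag: html.unescape(val).strip()
               for tag, val in FIELD_RE.findall(chunk)}
        if rec:
            rec["Action_Name"] = ACTIONS.get(rec.get("Action", ""), "OTHER")
            records.append(rec)
    return records


def activity_on_schema(records, schema):
    """Return (timestamp, db_user, action, object, sql_text) rows for one schema."""
    return [(r.get("Extended_Timestamp"), r.get("DB_User"), r["Action_Name"],
             r.get("Object_Name"), r.get("Sql_Text"))
            for r in records
            if r.get("Object_Schema", "").upper() == schema.upper()]


# Constructed input: record 1 is shortened from the answer's sample and split
# over two events; record 2 is constructed to show entity unescaping.
SAMPLE = [
    "<AuditRecord><Audit_Type>1</Audit_Type><Session_Id>985490</Session_Id>"
    "<Extended_Timestamp>2024-03-20T05:35:11.972589Z</Extended_Timestamp>"
    "<DB_User>MX1</DB_User><Object_Schema>ADMIN</Object_Schema>"
    "<Object_Name>TAB1</Object_Name><Action>2</Action><Returncode>0</Returncode>",
    "<Sql_Text> insert into admin.tab1 values ('tab1')</Sql_Text>",
    "<AuditRecord><Extended_Timestamp>2024-03-20T05:36:00.000000Z</Extended_Timestamp>"
    "<DB_User>MX1</DB_User><Object_Schema>HR</Object_Schema>"
    "<Object_Name>EMP</Object_Name><Action>3</Action>"
    "<Sql_Text>select * from hr.emp where name = &apos;a&apos;</Sql_Text></AuditRecord>",
]

if __name__ == "__main__":
    print(activity_on_schema(parse_audit_messages(SAMPLE), "ADMIN"))
```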
