Oracle® Audit Vault Administrator's Guide
Release 10.2.3.1

Part Number E13841-02

2 Registering Source Databases and Collectors


2.1 General Steps for Adding Sources and Deploying Collectors

You must perform the following general tasks to add source databases to Oracle Audit Vault and then deploy collectors:

  1. For Linux and UNIX platforms, check and set environment variables in the shells in which you will be interacting with the Audit Vault Server and the Audit Vault Collection Agent.

    See Section 2.2.

  2. Add an Oracle source database and collectors using the AVORCLDB command-line utility.

    See Section 2.3.

  3. To add a Microsoft SQL Server source database and collector, use the AVMSSQLDB command-line utility.

    See Section 2.4.

  4. To add a Sybase ASE source database and collector, use the AVSYBDB command-line utility.

    See Section 2.5.

  5. To add an IBM DB2 source database and collector, use the AVDB2DB command-line utility.

    See Section 2.6.

  6. Start the collection agents and collectors using the AVCTL command-line utility.

    See Section 2.7 and Section 2.8.

  7. Periodically ensure that the collectors are running and collecting audit data.

    See Section 2.9 and Section 2.10.

2.2 Checking and Setting Environment Variables


2.2.1 About Checking and Setting Linux and UNIX Environment Variables

For Linux and UNIX platforms, you must set environment variables before you begin the procedures in this chapter. You set these variables in the three shells that you will use to perform the configuration. Keep these shells open throughout the configuration process. You will need to access them periodically as you complete the configuration steps. If you reopen a shell, then you must reset its environment variables.

2.2.2 Setting the Audit Vault Server Linux and UNIX Environment Variables

You use the Audit Vault Server shell to interact with the Audit Vault Server. To set the environment variables for the Audit Vault Server, you can run either of two scripts, coraenv (for the C shell) or oraenv (for the Bourne, Bash, or Korn shell).

Table 2-1 describes how the coraenv and oraenv scripts set the environment variables.

Table 2-1 Audit Vault Server Environment Variable Settings

| Environment Variable | Behavior |
|---|---|
| ORACLE_HOME | Sets to the Audit Vault Server home directory. |
| ORACLE_SID | Prompts for the Oracle system identifier (SID) for the Audit Vault Server. By default, this SID is av. |
| PATH | Appends $ORACLE_HOME/bin to your PATH environment variable. |
| LD_LIBRARY_PATH | Appends $ORACLE_HOME/lib to your LD_LIBRARY_PATH environment variable setting. Applies to Linux x86, Linux x86_64, and Solaris SPARC_64 installations only. |
| SHLIB_PATH | Appends $ORACLE_HOME/lib to your SHLIB_PATH environment variable setting. Applies to HP-UX installations only. |
| LIBPATH | Appends $ORACLE_HOME/lib to your LIBPATH environment variable setting. Applies to AIX installations only. |


To set environment variables for the Audit Vault Server shell:

  1. In the server where you installed the Oracle Audit Vault Server, open a shell.

  2. Run one of the following scripts, which are located in the /usr/local/bin directory:

    • C shell: coraenv

    • Bourne, Bash, or Korn shell: oraenv

  3. To test that the script was successful, try invoking the following command:

    $  avctl -help
    

    It should return help information for the AVCTL utility, and the only way it can do that is if the ORACLE_HOME and PATH environment variables are correctly set. If the scripts fail, then manually set the environment variables listed in Table 2-1.

  4. If you plan to add Microsoft SQL Server, Sybase ASE, or IBM DB2 source databases to Oracle Audit Vault, then set the LANG and NLS_LANG environment variables.

    For example:

    • C shell:

      setenv LANG de_DE.UTF-8
      
      setenv NLS_LANG GERMAN_GERMANY.AL32UTF8
      
    • Bourne, Bash, or Korn shell:

      LANG=de_DE.UTF-8; export LANG
      
      NLS_LANG=GERMAN_GERMANY.AL32UTF8; export NLS_LANG
      

    See Oracle Database Globalization Support Guide for more information about the NLS_LANG environment variable, including supported character sets and languages.

    Oracle Audit Vault supports the following languages for the LANG environment variable:

      en: English       ja: Japanese
      de: German        ko: Korean
      es: Spanish       pt_BR: Brazilian Portuguese
      fr: French        zh_CN: Simplified Chinese
      it: Italian       zh_TW: Traditional Chinese

    Optionally, you can set the LANG environment variable in the .profile or .cshrc file.

    You do not need to set this variable for the Oracle Database AVORCLDB utility. This utility automatically uses the NLS_LANG environment variable setting, which is set during installation. See Oracle Database Globalization Support Guide for more information about language support for Oracle Database.

  5. Leave the Audit Vault Server shell open for the remaining procedures in this chapter.

2.2.3 Setting the Collection Agent Linux and UNIX Environment Variables

To set environment variables for the Audit Vault collection agent shell:

  1. In the server where you installed the Audit Vault collection agent, open a shell.

  2. Check and manually set the ORACLE_HOME environment variable to the Audit Vault collection agent home directory.

  3. Check and set the LD_LIBRARY_PATH environment variable to include $ORACLE_HOME/lib.

  4. Check and set the PATH environment variable to include $ORACLE_HOME/bin. Be sure that you append this information to the existing PATH information.

  5. Ensure that the following environment variables are not set: ORACLE_SID, TNS_ADMIN, and TWO_TASK.

  6. To test that you correctly set these environment variables, try invoking the following command:

    $  avctl -help
    

    It should return help information for the AVCTL utility, and the only way it can do that is if the ORACLE_HOME and PATH environment variables are correctly set.

  7. If you plan to add Microsoft SQL Server, Sybase ASE, or IBM DB2 databases to Oracle Audit Vault, then set the LANG and NLS_LANG environment variables.

    See Step 4 under Section 2.2.2 for instructions.

  8. Leave the Audit Vault collection agent shell open for the remaining procedures in this chapter.
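Steps 2 through 5 above can be checked before any collector command is run. The following POSIX shell function is an added example, not part of the Oracle guide; the function names are hypothetical and the agent home directory is supplied by the caller.

```shell
#!/bin/sh
# Added example: preflight check for the collection agent shell (Section 2.2.3).
# Function names are hypothetical; the agent home path comes from the caller.
#
# Usage: agent_env_problems /path/to/agent/home || echo "fix the environment"

# contains_dir LIST DIR: succeed if DIR is an element of colon-separated LIST.
contains_dir() {
    case ":$1:" in
        *":$2:"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# agent_env_problems AGENT_HOME: print one line per problem found and
# return non-zero if there is at least one.
agent_env_problems() {
    agent_home=${1%/}
    problems=0

    if [ -z "$agent_home" ]; then
        echo "usage: agent_env_problems AGENT_HOME"
        return 2
    fi

    # Step 2: ORACLE_HOME must be the collection agent home.
    if [ "${ORACLE_HOME%/}" != "$agent_home" ]; then
        echo "ORACLE_HOME is '${ORACLE_HOME:-<unset>}', expected '$agent_home'"
        problems=$((problems + 1))
    fi

    # Step 3: LD_LIBRARY_PATH must include $ORACLE_HOME/lib.
    if ! contains_dir "${LD_LIBRARY_PATH:-}" "$agent_home/lib"; then
        echo "LD_LIBRARY_PATH does not include $agent_home/lib"
        problems=$((problems + 1))
    fi

    # Step 4: PATH must include $ORACLE_HOME/bin.
    if ! contains_dir "${PATH:-}" "$agent_home/bin"; then
        echo "PATH does not include $agent_home/bin"
        problems=$((problems + 1))
    fi

    # Step 5: these variables must not be set at all, not even to an
    # empty value, so test for "set" rather than "non-empty".
    for var in ORACLE_SID TNS_ADMIN TWO_TASK; do
        if eval "[ -n \"\${$var+set}\" ]"; then
            echo "$var is set; unset it in the collection agent shell"
            problems=$((problems + 1))
        fi
    done

    [ "$problems" -eq 0 ]
}
```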

2.2.4 Using the Collection Agent in a Microsoft Windows Environment

If you installed the collection agent on Microsoft Windows, do not set any environment variables. Instead, run any collection agent-specific commands (such as avctl start_oc4j or avctl stop_oc4j) from the collection agent home directory, which is ORACLE_HOME\agent_dir\bin.

2.2.5 Setting the Oracle Source Database Linux and UNIX Environment Variables

To set the environment variables for the source database, you can run the same scripts, coraenv or oraenv, that you used to set the Audit Vault Server environment variables. Table 2-1 describes how these scripts set the environment variables, except that for the source database, they set the ORACLE_SID variable to orcl, unless you have given it a different name during installation.

To set environment variables for the source database:

  1. In the server where you installed the Oracle source database, open a shell.

  2. From the /usr/local/bin directory, run one of the following scripts:

    • C shell: coraenv script

    • Bourne, Bash, or Korn shell: oraenv script

  3. Leave the Oracle source database shell open for the remaining procedures in this chapter.

2.3 Registering Oracle Database Sources and Collectors


2.3.1 Step 1: If Necessary, Create a Password File

If you use Oracle Database Vault to protect the Oracle source database, you must have a password file created. A connection to the source database using the SYSDBA or SYSOPER privilege succeeds only if the password file has been created. Some later versions of Oracle Database Vault enable operating system authentication by default. To create the password file in the source database, use the orapwd utility. See Oracle Database Administrator's Guide for more information about orapwd. To use orapwd to enable or disable SYSDBA connections, see Oracle Audit Vault Server Installation Guide for Linux x86.

For example:

$ orapwd file=$ORACLE_HOME/dbs/av_pwd password=sys_password

2.3.2 Step 2: Create a User Account on the Oracle Source Database

The collectors that you will configure later must use this user account to access audit data from the Oracle source database.

To create the user account:

  1. Access the shell used by the Oracle source database.

  2. Log in to SQL*Plus as a user who has been granted the CREATE USER privilege.

    If the source database is protected by Oracle Database Vault, log in as a user who has been granted the DV_ACCTMGR (Database Vault Account Manager) role.

    For example:

    $ sqlplus avadmindva
    Enter password: password
    Connected.
    
  3. Create the Oracle source database user account.

    For example:

    SQL> CREATE USER srcuser_ora IDENTIFIED BY password;
    
  4. Connect as user SYS with the SYSDBA privilege.

    SQL> CONNECT SYS/AS SYSDBA
    Enter password: password
    
  5. Run the zarsspriv.sql script from either the Audit Vault Server or Audit Vault collection agent on the Oracle source database.

    This script grants the Oracle source database user account the privileges needed to enable the collectors to access audit data. By default, this script is located in the $ORACLE_HOME/av/scripts/streams/source directory in both the Audit Vault Server and the Audit Vault collection agent Oracle home directories.

    Use the following syntax:

    zarsspriv.sql srcusr mode
    

    In this specification:

    • srcusr: Enter the name of the user account that you just created.

    • mode: Specify one of the following modes. Enter the modes in uppercase letters.

      • SETUP: For the OSAUD and DBAUD collectors, and for policy management

      • REDO_COLL: For the REDO log collector; includes all privileges that are granted using the argument mode SETUP.

    For example, to specify the SETUP mode for user srcuser_ora:

    SQL> @/oracle/product/10.2.3/av/scripts/streams/source/zarsspriv.sql
    Enter value for 1: srcuser_ora
    Enter value for 2: SETUP
    
    Granting privileges to SRCUSER_ORA ... Done.
    
  6. Connect as the source user that you created in Step 3, and then check that the privileges were granted.

    SQL> CONNECT srcuser_ora
    Enter password: password
    Connected.
    
    SQL> SELECT * FROM SESSION_PRIVS;
    SQL> SELECT * FROM SESSION_ROLES;
    

    The output for each SELECT statement should list the privileges and roles that are listed in the zarsspriv.sql file, such as the CREATE SESSION privilege and the RESOURCE role.

  7. If the source database has Oracle Database Vault installed, log in as a user who has been granted the DV_OWNER (Database Vault Owner) role, and then add the source user to the Oracle Data Dictionary realm.

    For example:

    SQL> CONNECT dbvowner
    Enter password: password
    Connected.
    
    SQL> EXEC DBMS_MACADM.ADD_AUTH_TO_REALM('Oracle Data Dictionary', 'SRCUSER_ORA', null, dbms_macutl.g_realm_auth_participant);
    SQL> COMMIT;
    
  8. If the source database has Oracle Database Vault installed, grant the Oracle source database user account the DV_SECANALYST role.

    The DV_SECANALYST role enables the user to run Oracle Database Vault reports and monitor Oracle Database Vault. This role also enables the Oracle source database user to collect Database Vault audit trail data from the source database.

    For example:

    SQL> GRANT DV_SECANALYST TO srcuser_ora;
    
  9. Exit SQL*Plus.

  10. Leave this shell open.

2.3.3 Step 3: Verify That the Source Database Is Compatible with the Collectors

Now you are ready to verify that the Oracle source database is compatible with the collector type in the Audit Vault collection agent home.

To verify the Oracle source database compatibility:

  1. Access either the shell used for the Audit Vault Server or the collection agent.

    If you want to use the collection agent location, and if you installed the collection agent on Microsoft Windows, go to the ORACLE_HOME\agent_dir\bin directory.

  2. Run the following command and note the host, port, and service settings:

    $ lsnrctl status
    
  3. Run the avorcldb verify command, using the values that the LSNRCTL utility returned.

    You must specify the host name, port number, and service name. Typically, for Oracle Database, the host is the fully qualified domain name or the IP address of the server on which the Oracle source database is running, and the port number is 1521.

    For example, assume that the host is hrdb.example.com, the port number is 1521, the service name is orcl, and the user account is srcuser_ora:

    $ avorcldb verify -src hrdb.example.com:1521:orcl -colltype ALL
    Enter Source user name: srcuser_ora
    Enter Source password: password
    

    See Section 8.10 for detailed information about the avorcldb verify command.

  4. Do not close this shell.

The AVORCLDB utility checks if an Audit Vault collector can be run against the source database configuration.

Example 2-1 shows what happens if the Oracle source database is not properly configured. In this case, you must set the initialization parameters listed in the output before you can use the REDO log collector.

Example 2-1 Partially Successful Verify Operation of Source Compatibility with the Collectors

$ avorcldb verify -src hrdb.example.com:1521:orcl -colltype ALL
Enter Source user name: srcuser_ora
Enter Source password: password

source hrdb.EXAMPLE.COM verified for OS File Audit Collector
source hrdb.EXAMPLE.COM verified for Aud$/FGA_LOG$ Audit Collector
Source database must be in ARCHIVELOG mode to use REDO Log collector
Incorrect database compatibility 9.2.0; recommended value is 10.2.0.0.0
Parameter _JOB_QUEUE_INTERVAL not set; recommended value range [1 - ANY_VALUE]
Parameter JOB_QUEUE_PROCESSES = 0 not in recommended value range [4 - ANY_VALUE]
Parameter AQ_TM_PROCESSES = 0 is not in required value range [4 - ANY_VALUE]
Parameter UNDO_RETENTION = 900 not in recommended value range [3600 - ANY_VALUE]
Parameter GLOBAL_NAMES = false not set to recommended value true
Please set the above init.ora parameters to recommended values

After you correct the problems (in this case, setting all those missing or incorrect initialization parameters), rerun the avorcldb verify command to ensure that the result is as you want it. Example 2-2 shows what happens after this source database has been properly configured. See also Chapter 12, "REDO Collector Database Reference."

Example 2-2 Successful Verify Operation of Source Compatibility with the REDO Collector

$ avorcldb verify -src hrdb.example.com:1521:orcl -colltype REDO
Enter Source user name: srcuser_ora
Enter Source password: password

source hrdb.EXAMPLE.COM verified for REDO Log Audit Collector collector
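
Rerunning the verify command after each correction is easier to script when its output is reduced to one finding per line. The following shell function is an added example, not part of the Oracle guide: it parses only the message formats shown in Example 2-1 and Example 2-2 (other releases may word them differently), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: normalize "avorcldb verify" output into one finding per line.
# The message formats are those shown in Example 2-1 and Example 2-2;
# the function names are hypothetical.

# verify_report: reads verify output on stdin and prints
#   VERIFIED <collector type>
#   ARCHIVELOG required
#   COMPAT <current> <recommended>
#   PARAM <name> <current|unset> <recommended>
# It returns 1 if anything other than VERIFIED lines was reported.
verify_report() {
    awk '
    /^source [^ ]+ verified for / {
        sub(/^source [^ ]+ verified for /, "")
        sub(/ collector$/, "")          # Example 2-2 repeats the word
        print "VERIFIED " $0
        next
    }
    /must be in ARCHIVELOG mode/ {
        print "ARCHIVELOG required"
        bad = 1
        next
    }
    /^Incorrect database compatibility / {
        cur = $4
        sub(/;$/, "", cur)
        print "COMPAT " cur " " $NF
        bad = 1
        next
    }
    $1 == "Parameter" {
        cur = ($3 == "=") ? $4 : "unset"
        lb = index($0, "[")
        rb = index($0, "]")
        if (lb > 0 && rb > lb) {
            # "[4 - ANY_VALUE]" means a minimum of 4 with no upper bound.
            n = split(substr($0, lb + 1, rb - lb - 1), r, " - ")
            want = (n == 2 && r[2] == "ANY_VALUE") ? ">=" r[1] : r[1] ".." r[2]
        } else {
            want = $NF                  # "... recommended value true"
        }
        print "PARAM " $2 " " cur " " want
        bad = 1
        next
    }
    END { exit (bad ? 1 : 0) }
    '
}

# Output lines copied from Example 2-1 (prompts omitted).
example_2_1_output() {
    cat <<'EOF'
source hrdb.EXAMPLE.COM verified for OS File Audit Collector
source hrdb.EXAMPLE.COM verified for Aud$/FGA_LOG$ Audit Collector
Source database must be in ARCHIVELOG mode to use REDO Log collector
Incorrect database compatibility 9.2.0; recommended value is 10.2.0.0.0
Parameter _JOB_QUEUE_INTERVAL not set; recommended value range [1 - ANY_VALUE]
Parameter JOB_QUEUE_PROCESSES = 0 not in recommended value range [4 - ANY_VALUE]
Parameter AQ_TM_PROCESSES = 0 is not in required value range [4 - ANY_VALUE]
Parameter UNDO_RETENTION = 900 not in recommended value range [3600 - ANY_VALUE]
Parameter GLOBAL_NAMES = false not set to recommended value true
Please set the above init.ora parameters to recommended values
EOF
}

# Output line copied from Example 2-2 (prompts omitted).
example_2_2_output() {
    cat <<'EOF'
source hrdb.EXAMPLE.COM verified for REDO Log Audit Collector collector
EOF
}
```

In practice the real command output is piped into `verify_report`, and a non-zero status means the source still needs the listed changes before the REDO collector is added.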

2.3.4 Step 4: Register the Oracle Source Database with Oracle Audit Vault

To register the Oracle source database with Oracle Audit Vault:

  1. Access the shell used for the Audit Vault Server.

  2. Run the avorcldb add_source command.

    For example:

    $ avorcldb add_source -src hrdb.example.com:1521:orcl \
                          -desc 'HR Database' \
                          -agentname agent1
    Enter Source user name: srcuser_ora
    Enter Source password: password 
    
    Adding source...
    Source added successfully.
    source successfully added to Audit Vault
    
    remember the following information for use in avctl
    Source name (srcname): HRDB.EXAMPLE.COM
    Storing user credentials in wallet... 
    Create credential oracle.security.client.connect_string3
    done.
    Mapping Source to Agent...
    

    In this example:

    • -src: Enter the source database connection information: host name, port number, and service name, separated by a colon. If you are unsure of this information, run the lsnrctl status command on the computer where you installed the source database.

    • -desc: Optionally, enter a brief description for the source database.

    • -agentname: Optionally, create a name for the collector agent to be associated with this source database. However, you must specify an agent name if auditors plan to configure policy management using the Audit Vault Console.

    • Source user name and password: Enter the user account information that you created in Step 2: Create a User Account on the Oracle Source Database.

    See Section 8.3 for detailed information about the avorcldb add_source command.

  3. Note the return value from the output.

    You will need this value, which represents the global database name, for subsequent steps in this section. In this example, the return value is HRDB.EXAMPLE.COM.

  4. Do not close this shell.

2.3.5 Step 5: Add the Oracle Collectors to Oracle Audit Vault

You can add one or more collectors to Oracle Audit Vault, depending on your needs. The available collector types are listed in Table 1-4.

To add a collector to Oracle Audit Vault:

  1. If you plan to use the OSAUD collector, access the shell used for the Oracle source database.

  2. Log in to SQL*Plus as SYS with the SYSDBA privilege.

    $ sqlplus sys/as sysdba
    Enter password: password
    Connected.
    
  3. Set the maximum operating system file size to a setting equal to or less than 204800.

    If the operating system file grows larger than 2 GB, then the OSAUD collector ignores all audit records created past this size. Use the following SQL statement to set the maximum size to 102400 KB, which translates as 2 GB.

    BEGIN
      DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_PROPERTY(
       AUDIT_TRAIL_TYPE            =>  DBMS_AUDIT_MGMT.AUDIT_TRAIL_OS,
       AUDIT_TRAIL_PROPERTY        =>  DBMS_AUDIT_MGMT.OS_FILE_MAX_SIZE,
       AUDIT_TRAIL_PROPERTY_VALUE  =>  204800);
    END;
    /
    

    Afterwards, when the operating system file exceeds 2 GB, Oracle Database stops appending audit records to the current file, and then creates a new file to resume the audit data collection.

    For reference information about the DBMS_AUDIT_MGMT PL/SQL package, see Chapter 14.

  4. Access the shell used for the Audit Vault Server.

  5. Run the avorcldb add_collector command to add the collectors you want.

    For example:

    avorcldb add_collector -srcname HRDB.EXAMPLE.COM \
                           -agentname agent1 \
                           -colltype OSAUD \
                           -orclhome /u01/app/oracle/product/10.2.0/db_1
    

    In this example:

    • -srcname: Create a name for this source database, which Oracle Audit Vault will refer to when collecting audit data. Remember that the source name is case-sensitive.

    • -agentname: Enter the name for the agent that you created in Step 4: Register the Oracle Source Database with Oracle Audit Vault.

    • -colltype: Enter OSAUD, DBAUD, or REDO. If you plan to specify REDO, you must include the -av argument, which specifies the connection information for Oracle Audit Vault used for the database link from the source database to Oracle Audit Vault. See Section 8.2 for more information about the -av argument.

    • -orclhome: Enter the Oracle source database home directory. For Microsoft Windows installations of Oracle Database, enter the path using forward slashes, or if you want to use back slashes, enclose the path in double quotation marks.

    See Section 8.2 for detailed information about the avorcldb add_collector command.

  6. Optionally, modify the attributes associated with the collector.

    The collector has a set of default attributes. You can modify these by using the avorcldb alter_collector command. See Section 8.4.

  7. Do not close this shell.

Example 2-3 shows how to add the OSAUD collector to Oracle Audit Vault for UNIX platforms. You must include the -orclhome orclhome parameter to specify the location of the source database as an absolute path, if u01/app is the Oracle base directory.

Example 2-3 Adding the OSAUD Collector to Oracle Audit Vault for UNIX Platforms

$ avorcldb add_collector -srcname hrdb.example.com \
                         -agentname agent1 \
                         -colltype OSAUD \
                         -orclhome /u01/app/oracle/product/10.2.0/db_1

source HRDB.EXAMPLE.COM verified for OS File Audit Collector collector
Adding collector...
Collector added successfully.
collector successfully added to Audit Vault

remember the following information for use in avctl
Collector name (collname): OSAUD_Collector

Example 2-4 shows how to add the OSAUD collector to Oracle Audit Vault on Microsoft Windows for the event log and XML audit trail. You must include the -orclhome orclhome parameter to specify the location of the source database. Use slashes (/) instead of backslashes (\) for the Microsoft Windows path. If you want to use backslashes, enclose the path in double quotation marks. For example:

-orclhome "c:\oracle\product\10.2.0\db_1"

Example 2-4 Adding the OSAUD Collector to Oracle Audit Vault on Microsoft Windows

$ avorcldb add_collector -srcname HRDB.EXAMPLE.COM 
                         -agentname agent1 
                         -colltype OSAUD 
                         -orclhome c:/oracle/product/10.2.0/db_1

source HRDB.EXAMPLE.COM verified for Windows Event Log Audit Collector collector 
Adding collector... 
Collector added sucessfully. 
collector successfully added to Audit Vault 

remember the following information for use in avctl
Collector name (collname): OSAUD_Collector

Example 2-5 shows how to add the DBAUD collector to Oracle Audit Vault.

Example 2-5 Adding the DBAUD Collector to Oracle Audit Vault

$ avorcldb add_collector -srcname HRDB.EXAMPLE.COM \
                         -agentname agent1 -colltype DBAUD

source HRDB.EXAMPLE.COM verified for Aud$/FGA_LOG$ Audit Collector collector
Adding collector...
Collector added successfully.
collector successfully added to Audit Vault

remember the following information for use in avctl
Collector name (collname): DBAUD_Collector

Example 2-6 shows how to add the REDO collector to Oracle Audit Vault. Note that you must supply the -av argument for this collector type.

Example 2-6 Adding the REDO Collector to Oracle Audit Vault

$ avorcldb add_collector -srcname HRDB.EXAMPLE.COM \
                         -agentname agent1 \
                         -colltype REDO \
                         -av hrdb.example.com:1521:orcl

source HRDB.EXAMPLE.COM verified for REDO Log Audit Collector collector
Adding collector...
Collector added successfully.
collector successfully added to Audit Vault

remember the following information for use in avctl
Collector name (collname): REDO_Collector
initializing REDO Collector
setting up APPLY process on Audit Vault server
setting up CAPTURE process on source database

Note:

If the REDO collector does not initialize, the APPLY process on the Audit Vault Server and CAPTURE process on the source database cannot start. This problem happens if the source user account does not have the correct privileges. Ensure that you ran the zarsspriv.sql script, described in Section 2.3.2.

2.3.6 Step 6: Enable the Audit Vault Agent to Run the Oracle Database Collectors

You now are ready to add the collection agent credentials to the Oracle source database. This process adds the source user credentials to the wallet, creates a database alias in the wallet for the source user, and verifies the connection to the source using the wallet. This way, the Audit Vault collection agent can run the Oracle Database collectors. You must complete this step so that the collectors can start properly.

To enable the Audit Vault agent to run the Oracle Database collectors:

  1. Access the shell used for the Audit Vault collection agent.

    If you have closed this shell, see the following sections:

    • Section 2.2.3 describes how to set environment variables for the collection agent.

    • If you installed the collection agent on Microsoft Windows, do not set any environment variables. Instead, go to the ORACLE_HOME\agent_dir\bin directory.

  2. Use the avorcldb setup command to add the collection agent credentials.

    For example:

    $ avorcldb setup -srcname hrdb.example.com
    
    Enter Source user name: srcuser_ora
    Enter Source password: password
    
    adding credentials for user srcuser_ora for connection [SRCDB1]
    Storing user credentials in wallet...
    Create credential oracle.security.client.connect_string3
    done.
    updated tnsnames.ora with alias [SRCDB1] to source database
    verifying SRCDB1 connection using wallet
    

    In this example:

    See Section 8.9 for detailed information about the avorcldb setup command.

  3. Do not close this shell.

This step completes the registration for the Oracle source database and its collectors. Next, you must start the collection agents and collectors. See Section 2.7 and Section 2.8 for more information.

2.4 Registering Microsoft SQL Server Database Sources and Collector


2.4.1 Step 1: Download the SQL Server 2005 Driver for JDBC

Ensure that you have downloaded the SQL Server 2005 Driver for JDBC (sqljdbc.jar) to the $ORACLE_HOME/jlib directories in both the Audit Vault Server and Audit Vault Agent homes. This driver provides high performance native access to Microsoft SQL Server 2000 and 2005 database data sources. Ensure that this jar file is present in the Oracle Audit Vault OC4J before starting the agent OC4J. The MSSQLDB collector uses this driver to collect audit data from Microsoft SQL Server databases.


2.4.2 Step 2: Create a User Account on the Microsoft SQL Server Source Database

The collector that you will configure later must use this user account to access audit data from the Microsoft SQL Server source database. After you create the user account, the privileges that you assign to this user depend on whether the source database is Microsoft SQL Server 2000 or 2005.

To create the user account:

  1. Log in to the Microsoft SQL Server source database.

  2. Create a user account.

    For example, to create a user account named srcuser_mss:

    EXEC sp_addlogin srcuser_mss, password
    

For a Microsoft SQL Server 2005 database, grant this user the alter_trace privilege.

  1. Log in as the SYSADMIN user.

  2. Run the following command to grant the alter trace privilege to the user.

    For example:

    GRANT ALTER TRACE TO srcuser_mss
    

For a Microsoft SQL Server 2000 database, grant the user the SYSADMIN fixed server role.

  1. Click Security.

  2. Click Logins.

  3. Right-click the login you created (for example, srcuser_mss).

  4. Click Properties.

  5. On the left pane, click Server Roles.

  6. Select the sysadmin option setting, and then click OK.

2.4.3 Step 3: Verify That the Source Database Is Compatible with the Collector

Next, you are ready to verify that the Microsoft SQL Server source database is compatible with the collector type in the Audit Vault collection agent home.

To verify the source database compatibility:

  1. Access either the shell used for the Audit Vault Server or the collection agent.

    If you want to use the collection agent location, and if you installed the collection agent on Microsoft Windows, go to the ORACLE_HOME\agent_dir\bin directory.

  2. Run the avmssqldb verify command.

    You must specify the host name and port number. Typically, for Microsoft SQL Server, the host is the fully qualified domain name or the IP address of the server on which the SQL Server source database is running, and the port number is 1433.

    For example, assume that the host is hrdb.example.com and the port number is 1433, and the user account is srcuser_mss:

    $ avmssqldb verify -src hrdb.example.com:1433
    Enter a username : srcuser_mss
    Enter a password: password
    
    ***** Source Verified *****
    

    See Section 9.10 for detailed information about the avmssqldb verify -src command.

  3. Do not close this shell.

2.4.4 Step 4: Register the SQL Server Source Database with Oracle Audit Vault

To register the SQL Server source database with Oracle Audit Vault:

  1. Access the shell for the Audit Vault Server.

  2. Run the avmssqldb add_source command.

    For example:

    $ avmssqldb add_source -src hrdb.example.com:1433 -srcname mssqldb4 -desc 'HR Database'
    Enter a username :srcuser_mss
    Enter a password : password
    
    ***** Source Verified *****
    ***** Source Added Successfully *****
    

    In this example:

    See Section 9.3 for detailed information about the avmssqldb add_source command.

  3. Do not close this shell.

2.4.5 Step 5: Add the MSSQLDB Collector to Oracle Audit Vault

Now you are ready to add the MSSQLDB collector to Oracle Audit Vault. By default, the MSSQLDB collector collects audit records from all audit trails that have been enabled in the source database: C2 audit logs, server-side trace logs, and the Windows Event log.

To add the MSSQLDB collector to Oracle Audit Vault:

  1. Access the shell used for the Audit Vault Server.

  2. Run the avmssqldb add_collector command.

    For example:

    $ avmssqldb add_collector -srcname mssqldb4 -agentname agent1
    Enter a username :srcuser_mss
    Enter a password : password
    
    ***** Collector Added Successfully*****
    

    In this example:

    See Section 9.2 for detailed information about the avmssqldb add_collector command.

  3. Optionally, modify the attributes associated with the MSSQLDB collector.

    The MSSQLDB collector has a set of default attributes. You can modify these by using the avmssqldb alter_collector command. See Section 9.4.

  4. Do not close this shell.

2.4.6 Step 6: Enable the Audit Vault Agent to Run the MSSQLDB Collector

Next, you must add the collection agent credentials to the Microsoft SQL Server source database. This process adds the source user credentials to the wallet, creates a database alias in the wallet for the source database user, and verifies the connection to the source database using the wallet. This way, the Oracle Audit Vault collection agent can run the MSSQLDB collector. You must complete this step so that the collectors can start properly.

To enable the Oracle Audit Vault agent to run the MSSQLDB collector:

  1. Access the shell used for the Audit Vault collection agent.

    If you installed the collection agent on Microsoft Windows, go to the ORACLE_HOME\agent_dir\bin directory.

  2. Run the avmssqldb setup command.

    For example:

    $ avmssqldb setup -srcname mssqldb4
    Enter a username :srcuser_mss
    Enter a password : password
    
    ***** Credentials Successfully added *****
    

    In this example:

    See Section 8.9 for detailed information about the avmssqldb setup command.

  3. Do not close this shell.

This step completes the registration for the Microsoft SQL Server source database and its collector. Next, you must start the collection agent and collector. See Section 2.7 and Section 2.8 for more information.

2.5 Registering Sybase ASE Database Sources and Collector


2.5.1 Step 1: Download the jConnect for JDBC Driver

Ensure that you have downloaded the jConnect for JDBC driver (jconn3.jar) to the $ORACLE_HOME/jlib directories in both the Audit Vault Server and Audit Vault Agent homes. This driver provides high performance native access to Sybase ASE database data sources. Ensure that this jar file is present in the Oracle Audit Vault OC4J before starting the agent OC4J. The SYBDB collector uses this driver to collect audit data from Sybase ASE databases.

See Also:

2.5.2 Step 2: Create a User Account on the Sybase ASE Source Database

The collector that you will configure later must use this user account to access audit data from the Sybase ASE source database.

To create the user account:

  1. Log in to the Sybase ASE source database.

  2. Create a user account.

    For example:

    sp_addlogin srcuser_syb, password 
    
  3. Add this user to the Sybase ASE source database.

    sp_adduser srcuser_syb
    
  4. Grant the SSO_role privilege to the source user.

    grant role sso_role to srcuser_syb
    

2.5.3 Step 3: Verify That the Source Database Is Compatible with the Collector

Now you are ready to verify that the Sybase ASE source database is compatible with the collector type in the Audit Vault collection agent home.

To verify the Sybase ASE source database compatibility:

  1. Access either the shell used for the Audit Vault Server or the collection agent.

    If you want to use the collection agent location, and if you installed the collection agent on Microsoft Windows, go to the ORACLE_HOME\agent_dir\bin directory.

  2. Run the avsybdb verify command.

    You must specify the host name and port number. Typically, for Sybase ASE, the host is the fully qualified domain name or IP address of the server on which the Sybase ASE source database is running, and the port number is 5000.

    For example, assume that the host is hrdb.example.com and the port number is 5000, and the user account is srcuser_syb:

    $ avsybdb verify -src hrdb.example.com:5000
    Enter a username :srcuser_syb
    Enter a password : password
    
    ***** Source Verified *****
    

    See Section 10.10 for detailed information about the avsybdb verify command.

  3. Do not close this shell.

2.5.4 Step 4: Register the Sybase ASE Source Database with Oracle Audit Vault

To register the Sybase ASE source database with Oracle Audit Vault:

  1. Access the shell used for the Audit Vault Server.

  2. Run the avsybdb add_source command.

    For example:

    $ avsybdb add_source -src hrdb.example.com:5000 -srcname sybdb4
    Enter a username :srcuser_syb
    Enter a password : password
    
    ***** Source Verified *****
    ***** Source Added Successfully *****
    

    In this example:

    See Section 10.3 for detailed information about the avsybdb add_source command.

  3. Do not close this shell.

2.5.5 Step 5: Add the SYBDB Collector to Oracle Audit Vault

To add the SYBDB collector to Oracle Audit Vault:

  1. Access the shell used for the Audit Vault Server.

  2. Run the avsybdb add_collector command.

    For example:

    $ avsybdb add_collector -srcname sybdb4 -agentname agent1 
    Enter a username :srcuser_syb
    Enter a password : password
    
    ***** Collector Added Successfully*****
    

    In this example:

    See Section 10.2 for detailed information about the avsybdb add_collector command.

  3. Optionally, modify the attributes associated with the collector.

    The collector has a set of default attributes. You can modify these by using the avsybdb alter_collector command. See Section 10.4.

  4. Do not close this shell.

2.5.6 Step 6: Enable the Audit Vault Agent to Run the SYBDB Collector

You are now ready to add the collection agent credentials to the Sybase ASE source database. This process adds the source user credentials to the wallet, creates a database alias in the wallet for the source user, and verifies the connection to the source using the wallet. This way, the Oracle Audit Vault collection agent can run the SYBDB collector. You must complete this step so that the collectors can start properly.

To enable the Oracle Audit Vault collection agent to run the SYBDB collector:

  1. Access the shell used for the Oracle Audit Vault collection agent.

    If you installed the collection agent on Microsoft Windows, go to the ORACLE_HOME\agent_dir\bin directory.

  2. Run the avsybdb setup command.

    For example:

    $ avsybdb setup -srcname sybdb4
    Enter a username :srcuser_syb
    Enter a password : password
    
    ***** Credentials Successfully added *****
    

    In this example:

    See Section 10.9 for detailed information about the avsybdb setup command.

  3. Do not close this shell.

This step completes the registration for the Sybase ASE source database and its collector. Next, you must start the collection agent and collector. See Section 2.7 and Section 2.8 for more information.

2.6 Registering IBM DB2 Database Sources and Collector

This section contains:

2.6.1 Step 1: Copy the DB2 Data Server Driver for JDBC and SQLJ to the Audit Vault Homes

Copy the IBM Data Server Driver for JDBC and SQLJ (db2jcc.jar) to the $ORACLE_HOME/jlib directories in both the Audit Vault Server and Audit Vault Agent homes. Oracle Audit Vault requires version 3.50 or later of the driver. This version of the db2jcc.jar file is available in either IBM DB2 UDB version 9.5 or IBM DB2 Connect version 9.5 or later.

This driver provides high-performance native access to IBM DB2 database data sources. The DB2 collector uses this driver to collect audit data from IBM DB2 databases, so the driver must be present in Oracle Audit Vault OC4J before you can start the agent OC4J.

You can verify the version of this jar file that is currently installed as follows:

  1. Ensure that the directory path to the db2jcc.jar file is included in the CLASSPATH environment variable setting.

  2. Run the following command:

    java com.ibm.db2.jcc.DB2Jcc -version
    

2.6.2 Step 2: Designate a User Account on the IBM DB2 Source Database

Designate an IBM DB2 user account to be used for the AVDB2DB utility, which you will use later to configure collectors for your DB2 database. This user must have privileges to run the IBM DB2 SYSPROC.ENV_GET_PROD_INFO procedure.

Note:

If you are using IBM DB2 Version 8.2, ensure that you have installed Fixpack 16. Otherwise, the SYSPROC.ENV_GET_PROD_INFO procedure is not available.

2.6.3 Step 3: Verify That the Source Database Is Compatible with the Collector

Now you are ready to verify that the IBM DB2 source database is compatible with the collector type in the Audit Vault collection agent home.

To verify the IBM DB2 source database compatibility:

  1. Access either the shell used for the Audit Vault Server or the collection agent.

    If you want to use the collection agent location, and if you installed the collection agent on Microsoft Windows, go to the ORACLE_HOME\agent_dir\bin directory.

  2. Run the avdb2db verify command.

    You must specify the host name and port number. Typically, for IBM DB2, the host is the fully qualified domain name or IP address of the server on which the IBM DB2 source database is running, and the port number is 50000.

    For example, assume that the host is hrdb.example.com, the port number is 50000, the source database is sales_db, and the user account is srcuser_db2:

    $ avdb2db verify -src hrdb.example.com:50000:sales_db
    Enter a username : srcuser_db2
    Enter a password : password
    
    ***** Source Verified *****
    

    See Section 11.10 for detailed information about the avdb2db verify command.

  3. Do not close this shell.

2.6.4 Step 4: Register the IBM DB2 Source Database with Oracle Audit Vault

To register the IBM DB2 source database with Oracle Audit Vault:

  1. Access the shell used for the Audit Vault Server.

  2. Run the avdb2db add_source command.

    For example:

    $ avdb2db add_source -src hrdb.example.com:50000 -srcname db2db4
    Enter a username : srcuser_db2
    Enter a password : password
    
    ***** Source Verified *****
    ***** Source Added Successfully *****
    

    In this example:

    See Section 11.3 for detailed information about the avdb2db add_source command.

  3. Do not close this shell.

2.6.5 Step 5: Add the DB2DB Collector to Oracle Audit Vault

To add the DB2DB collector to Oracle Audit Vault:

  1. Access the shell used for the Audit Vault Server.

  2. Run the avdb2db add_collector command.

    For example:

    $ avdb2db add_collector -srcname db2db4 -agentname agent1 
    Enter a username :srcuser_db2
    Enter a password : password
    
    ***** Collector Added Successfully*****
    

    In this example:

    See Section 11.2 for detailed information about the avdb2db add_collector command.

  3. Modify the SINGLE_FILEPATH attribute of the avdb2db alter_collector command to point to the location of the DB2 audit directory. This is the directory where the DB2 collector will collect audit data. You must specify an absolute path, not a relative path.

    For example:

    $ avdb2db alter_collector -srcname db2db4 -collname DB2Collector \
    SINGLE_FILEPATH=DB2_HOME/sqlib/security/auditdata
    
    ***** Collector Altered Successfully *****
    

    See Section 11.4 for more information about the avdb2db alter_collector command.

  4. Do not close this shell.

2.6.6 Step 6: Convert the Binary DB2 Audit File to an ASCII Text File

IBM DB2 creates its audit files in a binary file format that is separate from the DB2 database. You must convert the binary file to an ASCII text file each time before Oracle Audit Vault collects audit data from a DB2 database. Ideally, schedule the conversion script to run periodically. If the script finds older text files that the DB2DB collector has already collected, it deletes them. Each time it runs, it creates a new, timestamped ASCII text file.

2.6.6.1 Step 7A: Complete the Preparation Steps

Follow these steps:

  1. Identify a user who has privileges to run the db2audit command.

    This user will extract the binary files to the trace files.

  2. Access the shell used by the Oracle Audit Vault collection agent.

  3. Log in as the Oracle Audit Vault agent software owner.

  4. Grant the user you identified in Step 1 execute privileges to run the conversion script from the Oracle Audit Vault directory.

    Alternatively, you can copy the appropriate conversion script located in the $ORACLE_HOME/bin directory to a location where this user can run it. These scripts are as follows:

    • DB2 release 8.2 databases: DB282ExtractionUtil (for Microsoft Windows, this file is called DB282ExtractionUtil.bat.)

    • DB2 release 9.5 databases: DB295ExtractionUtil (for Microsoft Windows, this file is called DB295ExtractionUtil.bat.)

  5. Grant the user you identified in Step 1 read permission for the $ORACLE_HOME/av/log directory and its contents.

    This user needs read permission for this directory as part of the process of generating the trace files that are extracted by the extraction utility.

2.6.6.2 Step 7B: Run the Conversion Script

Follow these steps:

  1. In the server where you installed the IBM DB2 database, open a shell as the SYSADM DB2 user.

  2. Set the following variables:

    • ORACLE_HOME

    • DB2AUDIT_HOME (this directory points to the main directory that contains the db2audit command)

  3. Ensure that the Oracle Audit Vault owner of the agent process has read permissions for the trace files that will be generated by the extraction utility.

  4. Log in as the DB2 user that you identified in Step 1 in Section 2.6.6.1.

  5. Make a note of the directory that you identified in Step 3 in Section 2.6.5.

    You will need to provide this directory path when you run the conversion script.

  6. Run one of the following scripts, depending on the version of DB2 that you have installed:

    • DB2 release 8.2 databases: Run the script as follows:

      DB282ExtractionUtil default_DB2_audit_directory
      

      Enter the full directory path to the location of the DB2 audit directory. Typically, this directory is in the following locations:

      • UNIX: DB2_HOME/sqlib/security/auditdata

      • Microsoft Windows: DB2HOME\instance\security\auditdata

      Ensure that this path is the same as the path that you specified for the avdb2db alter_collector SINGLE_FILEPATH attribute in Step 3 in Section 2.6.5.

      This script creates the ASCII text file in the auditdata directory, using the following format, which indicates the time the file was created:

      db2audit.instance.log.0.YYYYDDMMHHMMSS.out
      
    • DB2 release 9.5 databases: Run the script as follows:

      DB295ExtractionUtil default_DB2_audit_directory output_directory
      

      In this specification:

      • default_DB2_audit_directory is the same as the directory that is used for DB2 release 8.2.

      • output_directory is a directory specified by the avdb2db alter_collector SINGLE_FILEPATH attribute. See Section 11.4 for more information. The output file is created using the db2audit.instance.log.0.YYYYDDMMHHMMSS.out format.

      These two directory paths can be the same, or optionally, you can specify different directories for each location.

To schedule the script to run automatically, follow these guidelines:

  • Microsoft Windows. Use the Windows Scheduler. Provide the archive directory path, extraction path (for release 9.5 databases only), and source database name in the scheduled task.

  • Linux. Use the crontab UNIX utility. Provide the same information that you would provide using the parameters described previously when you normally run the script.
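A wrapper that cron can call for the DB2 release 9.5 script, shown as an added example that is not part of Oracle's guide or software. It checks the two required variables and the absolute-path rule, runs the utility, and confirms that a new db2audit.*.out file exists and is readable. The function name, the EXTRACTION_UTIL override, the return codes, and the assumption that the agent owner reads the files through group or other permission bits are all assumptions of this sketch.

```shell
#!/bin/sh
# Added example, not Oracle code: cron wrapper for DB295ExtractionUtil.
# Assumptions: function name, EXTRACTION_UTIL override, return codes, and
# that the agent owner gets read access through group or other bits.
# Example crontab entry (placeholder path, every 15 minutes):
#   */15 * * * * /placeholder/path/db2_extract_wrapper.sh

# run_db2_extraction AUDIT_DIR OUTPUT_DIR
# Prints the path of the newly created text file and returns 0 on success.
run_db2_extraction() {
    audit_dir=$1
    out_dir=$2

    # Section 2.6.6.2 requires both variables to be set before the run.
    [ -n "${ORACLE_HOME:-}" ] || { echo "ORACLE_HOME is not set" >&2; return 2; }
    [ -n "${DB2AUDIT_HOME:-}" ] || { echo "DB2AUDIT_HOME is not set" >&2; return 2; }

    # SINGLE_FILEPATH must be absolute, so hold the wrapper to the same rule.
    for dir in "$audit_dir" "$out_dir"; do
        case $dir in
            /*) [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 3; } ;;
            *)  echo "not an absolute path: $dir" >&2; return 3 ;;
        esac
    done

    util=${EXTRACTION_UTIL:-$ORACLE_HOME/bin/DB295ExtractionUtil}
    [ -x "$util" ] || { echo "cannot execute $util" >&2; return 4; }

    # Record the text files present before the run. The script may delete
    # files that were already collected, so compare names, not counts.
    before=$(ls "$out_dir" 2>/dev/null | grep '^db2audit\..*\.out$' || true)

    "$util" "$audit_dir" "$out_dir" >&2 || { echo "extraction failed" >&2; return 5; }

    for f in "$out_dir"/db2audit.*.out; do
        [ -f "$f" ] || continue
        if ! printf '%s\n' "$before" | grep -Fxq "$(basename "$f")"; then
            # If the agent owner cannot read the file, nothing is collected.
            if [ -z "$(find "$f" -perm -040 -o -perm -004)" ]; then
                echo "new file is not readable by group or other: $f" >&2
                return 6
            fi
            printf '%s\n' "$f"
            return 0
        fi
    done
    echo "no new db2audit.*.out file in $out_dir" >&2
    return 7
}
```

A nonzero return code from the scheduled job is worth alerting on, because a failed conversion means the DB2DB collector has no new audit data to read.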

This step completes the registration for the IBM DB2 source database and its collector. Next, you must start the collection agent and collector. See Section 2.7 and Section 2.8 for more information.

2.7 Starting the Collection Agents

This section contains:

2.7.1 Starting the Collection Agents from the Audit Vault Console

To start the collection agents from the Audit Vault Console:

  1. Start the Audit Vault Console.

    See Section 3.2.3. You must ensure that OC4J and the Audit Vault Console are running, and then you must log in to the Audit Vault Console.

  2. In the Audit Vault Console, select the Management tab, and then select the Agents subpage.

    The Agents page appears with a table containing the following columns.

    • Agent: Name of the collection agent

    • Host: The host name where the collection agent is installed

    • Port: The port number of the host system where the collection agent is installed

    • HTTPS: Whether the collection agent is communicating with the Audit Vault Server using a secure communication channel (HTTPS)

    • Status: The current running status of the collection agent: a green up arrow indicates that the collection agent is running; a red down arrow indicates that the collection agent is not running; an error indicates that the collection agent is in an error state


  3. Select the agent that you want to start, and then click Start.

2.7.2 Starting the Collection Agents from a Shell

To start the collection agents from a shell:

  1. Start the Audit Vault Console.

    See Section 3.2.3. You must ensure that OC4J and the Audit Vault Console are running, but do not log in to the Audit Vault Console.

  2. Access the shell used for the Audit Vault Server.

    If you have closed this shell, reset its environment variables. See Section 2.2.2.

  3. Run the avctl show_agent_status command to ensure that the collection agent is started.

    For example:

    $ avctl show_agent_status -agentname agent1
    
    AVCTL started
    Getting agent metrics...
    --------------------------------
    Agent is not running
    --------------------------------
    Metrics retrieved successfully
    --------------------------------
     
    
  4. If the collection agent is not started, run the avctl start_agent command.

    For example:

    $ avctl start_agent -agentname agent1
    
    AVCTL started
    Executing task start_agent
    Starting Agent...
    Agent started successfully.
    

2.8 Starting the Collectors

This section contains:

2.8.1 Starting the Collectors from the Audit Vault Console

To start the collectors from the Audit Vault Console:

  1. Log in to the Audit Vault Console as a user who has been granted the AV_ADMIN role.

    See Section 3.2.3 for login instructions.

  2. Click the Management tab, then Collectors to display the Collectors page.

    The Collectors page appears with a table containing the following columns.

    • Collector: Name of the collector

    • Agent: The name of the collection agent for this collector

    • Audit Source: The name of the audit data source

    • Status: The current running status of the collector: a green up arrow indicates that the collector is running; a red down arrow indicates that the collector is not running; an error indicates that the collector is in an error state

    • Records Per Second: The number of records per second being collected for the current time period

    • Bytes Per Second: The number of bytes per second in audit records being collected for the current time period


  3. Select the collector that you want to start.

    This page also indicates whether the collector is running. A green up arrow indicates the collector is running; a red down arrow indicates it is not running.

  4. Click Start.

2.8.2 Starting the Collectors from the Audit Vault Server or Collection Agent Shell

To start the collectors from a shell:

  1. Access the shell used for the Audit Vault collection agent.

    If you have closed this shell, see the following sections:

    • Section 2.2.3 describes how to set environment variables for the collection agent.

    • If you installed the collection agent on Microsoft Windows, do not set any environment variables. Instead, go to the ORACLE_HOME\agent_dir\bin directory.

  2. Ensure that the agent OC4J is running.

    $ avctl show_oc4j_status
    
  3. If the agent OC4J is not running, run the avctl start_oc4j command.

    $ avctl start_oc4j
    
  4. Access the shell used for the Audit Vault Server.

    Section 2.2.2 describes how to set environment variables for the Audit Vault Server.

  5. Run the avctl start_collector command.

    For example:

    $ avctl start_collector -collname OSAUD_Collector \
                            -srcname ORCLSRC1.EXAMPLE.COM
    AVCTL started
    Executing task start_collector
    Starting Collector...
    Collector started successfully.
    

    If the startup is successful, Oracle Audit Vault moves the collector to a RUNNING state.

    See Section 7.11 for more information about the avctl start_collector command.

2.9 Checking the Status of the Collectors

This section contains:

2.9.1 Checking the Status of Collectors from the Audit Vault Console

  1. Log in to the Audit Vault Console as a user who has been granted the AV_ADMIN role.

    See Section 3.2.3 for login instructions.

  2. Select the Management tab, and then select the Collectors tab.

  3. In the Collectors page, check the list of collectors.

    If the collector is running, its Status is set to an up arrow. If it is not, it is set to a red arrow pointing downward.

2.9.2 Checking the Status of Collectors from a Shell

To check the status of collectors from a shell:

  1. Access the shell used for the Audit Vault Server.

    If you have closed this shell, open a new one and reset its environment variables. See Section 2.2.2.

  2. Run the avctl show_collector_status command.

    For example:

    $ avctl show_collector_status -collname OSAUD_Collector \
                                  -srcname ORCLSRC1.EXAMPLE.COM
    AVCTL started
    Getting collector metrics...
    --------------------------------
    Collector is running
    Records per second  =  0.00
    Bytes per second  =  0.00
    --------------------------------
    

    See Section 7.7 for detailed information about the avctl show_collector_status command.

2.10 Checking If the Collectors Are Collecting Audit Records

To ensure that audit records are being collected, inspect the contents of the log files in the Audit Vault collection agent $ORACLE_HOME/av/log directory. The non-Oracle Database log files have the format sourcedatabasename_collectorname-%g.log. The %g is a generation number that starts from 0 (zero) and increases once the file size reaches the 100 MB limit. The log file names for command-line utilities are as follows:

The log file keeps a running record of its audit record collection operations and will indicate when collection has occurred, or if a problem was encountered in the collection operation. See Appendix A for more information about the log files, and troubleshooting collector setup and collector startup operations.
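One way to automate the checks in Section 2.9.2 and Section 2.10, shown as an added example that is not part of Oracle's guide or software. It parses the avctl show_collector_status output and then looks for the highest-generation log file for a non-Oracle source. The function names, the freshness window, and the use of the log file's modification time as a sign of collector activity are assumptions of this sketch.

```shell
#!/bin/sh
# Added example, not Oracle code. Function names and the freshness window are
# assumptions; the avctl output text and the log name pattern
# sourcedatabasename_collectorname-%g.log come from Sections 2.9.2 and 2.10.
# Intended use (names from this chapter's DB2 example):
#   avctl show_collector_status -collname DB2Collector -srcname db2db4 |
#       check_collector "$ORACLE_HOME/av/log" db2db4 DB2Collector 30

# Constructed sample input: the avctl output shown in Section 2.9.2.
SAMPLE_STATUS='AVCTL started
Getting collector metrics...
--------------------------------
Collector is running
Records per second  =  0.00
Bytes per second  =  0.00
--------------------------------'

# collector_state: parse "avctl show_collector_status" output from stdin.
# Prints "running <records per second>" (status 0) or "not_running" (status 1).
collector_state() {
    awk '
        /^[ \t]*Collector is running[ \t\r]*$/ { running = 1 }
        /Records per second/ {
            split($0, kv, "=")
            gsub(/[ \t\r]/, "", kv[2])
            rps = kv[2]
        }
        END {
            if (!running) { print "not_running"; exit 1 }
            print "running", (rps == "" ? "unknown" : rps)
        }'
}

# latest_collector_log LOG_DIR SOURCE COLLECTOR
# Prints the log with the highest generation number, compared numerically
# so that generation 10 ranks above generation 9.
latest_collector_log() {
    log_dir=$1
    prefix="${2}_${3}-"
    best=-1
    for f in "$log_dir/$prefix"*.log; do
        [ -f "$f" ] || continue
        gen=${f#"$log_dir/$prefix"}
        gen=${gen%.log}
        case $gen in ''|*[!0-9]*) continue ;; esac
        if [ "$gen" -gt "$best" ]; then best=$gen; fi
    done
    [ "$best" -ge 0 ] || return 1
    printf '%s\n' "$log_dir/$prefix$best.log"
}

# check_collector LOG_DIR SOURCE COLLECTOR MAX_AGE_MINUTES  (avctl output on stdin)
# Prints "OK ..." and returns 0, or "ALERT ..." and returns 1.
check_collector() {
    if ! state=$(collector_state); then
        echo "ALERT $2/$3: collector is not reported as running"; return 1
    fi
    if ! log=$(latest_collector_log "$1" "$2" "$3"); then
        echo "ALERT $2/$3: no collector log found in $1"; return 1
    fi
    if [ -z "$(find "$log" -mmin "-$4" 2>/dev/null)" ]; then
        echo "ALERT $2/$3: $log not written in the last $4 minutes"; return 1
    fi
    echo "OK $2/$3: $state, newest log $log"
}
```

A collector that reports running with a rate of 0.00 can simply be idle, which is why the sketch uses the log file as a second signal instead of alerting on the rate alone.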