Oracle® Audit Vault Administrator's Guide Release 10.2.3.2 Part Number E14459-02 |
|
|
View PDF |
Use the Audit Vault SQL Server Database (AVMSSQLDB
) command-line utility to manage the relationship between Oracle Audit Vault and a Microsoft SQL Server source database and collector. When you run these commands, remember the following:
Enter the command in lowercase letters. The commands are case-sensitive.
When you open a new shell to run the command, first set the appropriate environment variables. See Section 2.2 for instructions.
Oracle Audit Vault creates a log file of AVMSSQLDB command activity. See Section A.1 and Section A.2 for more information.
Table 9-1 describes the AVMSSQLDB
commands and where each is used, whether on the Audit Vault Server, on the Audit Vault collection agent, or in both places.
Table 9-1 AVMSSQLDB Commands
Command | Where Used? | Description |
---|---|---|
Server |
Adds a collector to Oracle Audit Vault |
|
Server |
Registers an audit source with Oracle Audit Vault |
|
Server |
Alters the attributes of a collector |
|
Server |
Alters the attributes of a source |
|
Server |
Drops a collector from Oracle Audit Vault |
|
Server |
Drops a source from Oracle Audit Vault |
|
Both |
Displays help information for the |
|
Collection agent |
Adds the source user credentials to the wallet, creates a database alias in the wallet for the source user, and verifies the connection to the source using the wallet |
|
Both |
Verifies that the source is compatible with the collectors |
The AVMSSQLDB
command-line utility, which you use to configure a Microsoft SQL Server database with Oracle Audit Vault.
Syntax
avmssqldb command -help avmssqldb command [options] arguments
Arguments
Argument | Description |
---|---|
command |
Enter one of the commands listed in Table 9-1. |
arguments |
Enter one or more of the AVMSSQLDB command arguments. |
-help |
Displays help information for the AVMSSQLDB commands. |
Usage Notes
Issuing an AVMSSQLDB
command generates the following log file: $ORACLE_HOME/av/log/mssqldb-%g.log
. The %g
is a generation number that starts from 0 (zero) and increases once the file size reaches the 100 MB limit.
The avmssqldb add_collector
command adds a collector for the given SQL Server source database to Oracle Audit Vault. Oracle Audit Vault verifies the source database for the collector requirements.
Where to Run This Command
Audit Vault Server
Syntax
avmssqldb add_collector -srcname srcname -agentname agentname [-collname collname] [-desc desc]
Arguments
Argument | Description |
---|---|
-srcname srcname |
Enter the name of the source database for which the collector is to be added. Remember that the source database name is case-sensitive. |
-agentname agentname |
Create a name for the agent that will use the MSSQLDB collector. |
-collname collname |
Create a name for the MSSQLDB collector. Optional. If you do not create a name, Oracle Audit Vault names the collector MSSQLCollector . |
-desc desc |
Enter a brief description of the collector. Optional. |
Usage Notes
Run any collector-specific preparation scripts before you execute the avmssqldb
add_collector
command.
The avmssqldb add_collector
command prompts for the source user name and password. This user account must exist on the source database.
Example
The following example shows how to add the MSSQLDB collector to Oracle Audit Vault.
$ avmssqldb add_collector -srcname mssqldb4 -agentname agent1 Enter a username :source_user_name Enter a password : password ***** Collector Added Successfully*****
The avmssqldb add_source
command registers a SQL Server source database with Oracle Audit Vault for audit data consolidation.
Where to Run This Command
Audit Vault Server
Syntax
avmssqldb add_source -src host:port|host\instance_name -srcname srcname [-desc desc]
Arguments
Argument | Description |
---|---|
-src host : port | host \ instance_name |
Enter the source database connection information.Typically, the host is the fully qualified domain name or IP address of the server on which the SQL Server source database is running.
The syntax you use depends on your configuration. Use the following syntax for single-instance configurations where the port number is different from 1433. Separate the host and port number with a colon. -src host:port Use the following syntax if the instance is not on the default port or does not have a default name. For configurations with multiple instances on one server, you must only use this syntax. Separate the host name and instance name with a backslash, and then enclose them single quotation marks. -src 'host\instance_name' |
-srcname srcname |
Create a name for the source database connection. Remember that the source database name is case-sensitive. Oracle Audit Vault uses this name to connect to the Microsoft SQL Server source database. |
-desc desc |
Enter a brief description for the source database. Optional. |
Usage Notes
The avmssqldb add_source
command prompts for the source user name and password. This user account must exist on the source database. See the example.
Example
The following example shows how to register a source with Oracle Audit Vault.
$ avmssqldb add_source -src mssqlserver\hr_db -srcname mssqldb4 -desc 'HR Database' Enter a username :source_user_name Enter a password : password ***** Source Verified ***** ***** Source Added Successfully *****
The avmssqldb alter_collector
command modifies the attributes of an MSSQLDB collector.
Where to Run This Command
Audit Vault Server
Syntax
avmssqldb alter_collector -srcname srcname -collname collname [attrname=attrvalue...attrname=attrvalue]
Arguments
Argument | Description |
---|---|
-srcname srcname |
Enter the name of the source database to which this collector belongs. Remember that the source database name is case-sensitive. |
-collname collname |
Enter the name of the collector to be modified. |
attrname = attrvalue |
Enter the attribute pair (attribute name, new attribute value) for mutable collector property and attributes for this collector type. This argument is optional. Separate multiple pairs by a space on the command line. |
Usage Notes
For SQL Server 2000 source databases only, the trace file (.trc
) audit trail is not released to the collector until either the file reaches its maximum file size and another trace file is created, or the source database is shut down and restarted.
You can specify the SERVERSIDE_TRACE_FILEPATH
or C2_TRACE_FILEPATH
attributes in the following ways:
The value for the path can be of the form Drive:\Directory....\File Prefix.trc
, enclosed in double quotation marks. For example:
"c:\tracefiles\SQLAudit.trc"
Enter #DYNAMIC
(but not enclosed in quotation marks) to enable the collector to query the SQL Server database to find the trace file paths. For example:
... SERVERSIDE_TRACE_FILEPATH=#DYNAMIC
You can include the asterisk (*
) wildcard character to select multiple files. For example:
... SERVERSIDE_TRACE_FILEPATH="c:\SQLAuditFile*.trc"
Be aware that if you include the asterisk (*
) wildcard character in the file path, then the collector reads from all files that are affected by the wildcard. For example, if you enter c:\SQLAuditFile*.trc
, then the collector reads from SQLAuditFile1.trc
, SQLAuditFile2.trc
, SQLAuditFile3.trc
, and so on.
Specify the path by providing the complete file path name. For example:
... SERVERSIDE_TRACE_FILEPATH="c:\SQLAuditFile1.trc
Specify the multiple trace file paths by separating each path with a semicolon (;
). For example:
... SERVERSIDE_TRACE_FILEPATH="c:\SQLAuditFile1.trc;SQLAuditFile2.trc; c:\tracefi*.trc"
If the SERVERSIDE_TRACE_FILEPATH
attribute or the C2_TRACE_FILEPATH
attribute is set to null, then the SQL Server collector does not retrieve audit data from the source database.
If you want the collector to retrieve trace file paths by querying SQL Server database, set the SERVERSIDE_TRACE_FILEPATH
attribute or the C2_TRACE_FILEPATH
attribute to #DYNAMIC
. Do not enclose #DYNAMIC
in quotation marks.
If AUDIT_SERVERSIDE_TRACES_FLAG
is not set, then collector does not check the value of SERVERSIDE_TRACE_FILEPATH
. In this case, no data is collected from the server side traces, even if the value of SERVERSIDE_TRACE_FILEPATH
is set. This behavior also applies to the AUDIT_C2_FLAG
and C2_TRACE_FILEPATH
settings, which control record collection from C2 traces.
For server side traces, if AUDIT_SERVERSIDE_TRACES_FLAG
is set, then the collector retrieves the value of the SERVERSIDE_TRACE_FILEPATH
setting. If this parameter contains the value #DYNAMIC
, then the collector collects audit data from the SQL Server source database. This behavior also applies to the AUDIT_C2_FLAG
and C2_TRACE_FILEPATH
settings.
You can modify the collector DESCRIPTION
property and one or more attributes at a time. Table 9-2 lists the collector attributes (parameters), whether the parameter is mutable, the default value, and a brief description of the attribute.
Note the following case-sensitivity guidelines for specifying attributes:
Except for the AGENTNAME
attribute, the attribute names are case sensitive. Enter them in upper-case letters.
All the attribute values, including the AGENTNAME
attribute value, are case sensitive. Enter them in the case shown the following tables.
Table 9-2 MSSQLDB Collector Attributes
Attribute | Description | Mutable | Default Value |
---|---|---|---|
|
Name of an agent to replace the agent that was specified by the After you replace the agent, you must run the |
Yes |
|
|
The description for this collector. The value you enter is not case sensitive. |
Yes |
|
|
Number of connections to the database |
No |
|
|
Whether C2 logs can be collected by the MSSQLDB collector. Values can be 0 or 1. |
Yes |
|
|
Whether server-side trace logs can be collected by the MSSQLDB collector. Values can be 0 or 1. See the usage notes. |
Yes |
|
|
Whether events logs can be collected by the MSSQLDB collector. Values can be 0 or 1. For SQL Server 2000, set this parameter to 0, because in that release, there are no auditable events written to the Windows Eventlog. |
Yes |
|
|
The C2 trace file path. The value you enter is not case sensitive. See the usage notes. |
Yes |
|
|
The value for server-side trace file path The value you enter is not case sensitive. See the usage notes. |
Yes |
|
|
The delay time (in milliseconds) of the collector |
Yes |
|
|
The maximum number of records to be fetched by the collector. This attribute is mutable. |
Yes |
|
Examples
The following example shows how to alter the NO_OF_RECORDS
attribute and the collector description for the MSSQLCollector
collector in Oracle Audit Vault:
$ avmssqldb alter_collector -srcname mssqldb4 -collname MSSQLCollector NO_OF_RECORDS=1500 DESCRIPTION="MSSQLDB collector 45" SERVERSIDE_TRACE_FILEPATH="c:\SQLAuditFile*.trc" ***** Collector Altered Successfully *****
The following sequence of commands demonstrate how to move a collector from one collection agent to another agent:
From the Audit Vault Server, configure two agents, A and B, on two separate hosts.
For example:
$ avca add_agent -agentname A -agenthost host1.example.com Adding agent... Enter agent user name: agent_user_name Enter agent user password: agent_user_pwd Re-enter agent user password: agent_user_pwd $ avca add_agent -agentname B -agenthost host2.example.com ...
Configure collector L to run under agent A and collect from source S.
For example:
$ avorcldb add_collector -collname L -srcname S -agentname A
The node that runs agent A fails.
Move the collector L from agent A to agent B.
For example:
$ avorcldb alter_collector -collname L -srcname S agentname=B
From the Audit Vault collection agent home, configure agent B to connect to source S.
For example:
$ avorcldb setup -srcname S Enter Source user name: source_user_name Enter Source password: password ...
From the Audit Vault Server, restart the collector.
For example:
$ avctl start_collector -collname L -srcname S Starting Collector... Collector started successfully.
The avmssqldb alter_source
command modifies the attributes of a SQL Server source database.
Where to Run This Command
Audit Vault Server
Syntax
avmssqldb alter_source -srcname sourcename [attrname=attrvalue...attrname=attrvalue]
Arguments
Argument | Description |
---|---|
-srcname sourcename |
Enter the name of the source database to be modified. Remember that the source database name is case-sensitive. |
attrname = attrvalue |
Enter the attribute pair (attribute name, new attribute value) for mutable source properties and attributes for this source type. This argument is optional. Separate multiple pairs by a space on the command line. |
Usage Notes
Table 9-3 lists the source attributes, a brief description of the attribute, whether the attribute is mutable, and the default value. You can modify one or more source attributes at a time.
Table 9-3 Source Attributes
Attribute | Description | Mutable | Default Value |
---|---|---|---|
|
The source type name for this source database. The default name is MSSQLDB. |
No |
|
|
The name for this source database |
No |
|
|
The source database host name |
No |
|
|
The source database host IP address |
No |
|
|
The source database version |
Yes |
|
|
The description for this source database |
Yes |
|
|
A new port number for this system where the source database audit data resides |
Yes |
None |
Example
The following example shows how to alter the DESCRIPTION
attribute for the source database named mssqldb4
in Oracle Audit Vault:
$ avmssqldb alter_source -srcname mssqldb4 DESCRIPTION="HR Database" ***** Source Altered Successfully *****
The avmssqldb drop_collector
command disables (but does not remove) an MSSQLDB collector from Oracle Audit Vault.
Where to Run This Command
Audit Vault Server
Syntax
avmssqldb drop_collector -srcname srcname -collname collname
Arguments
Argument | Description |
---|---|
-srcname srcname |
Enter the name of the source database to which the collector (specified in the -collname argument) belongs. Remember that the source database name is case-sensitive. |
-collname collname |
Enter the name of the collector to be dropped from Oracle Audit Vault. |
Usage Notes
The drop_collector
command does not delete the collector from Oracle Audit Vault. It only disables the collector. The collector metadata is still in the database after you run the drop_collector
command. If you want to recreate the collector, create it with a different name.
Example
The following example shows how to drop a collector named MSSQLCollector
from Oracle Audit Vault:
$ avmssqldb drop_collector -srcname mssqldb4 -collname MSSQLCollector ***** Collector Dropped Successfully *****
The avmssqldb drop_source
command disables (but does not remove) a SQL Server source database from Oracle Audit Vault.
Where to Run This Command
Audit Vault Server
Syntax
avmssqldb drop_source -srcname srcname
Arguments
Argument | Description |
---|---|
-srcname srcname |
Enter the source (by source name) to be dropped from Oracle Audit Vault. Remember that the source database name is case-sensitive. |
Usage Notes
The drop_source
command does not delete the source database from Oracle Audit Vault. It only disables the source database definition in Oracle Audit Vault. The source database metadata is still in the database after you run the drop_source
command. If you want to re-create the source database definition, create it with a different name.
You cannot drop a source database if it has any active collectors for this source database. You must drop all collectors associated with the source database before you can run the drop_source
command on it.
Example
The following example shows how to drop the source named mssqldb4
from Oracle Audit Vault:
$ avmssqldb drop_source -srcname mssqldb4 ***** Drop Source Successfully *****
The avmssqldb -help
command displays help information for the AVMSSQLDB
commands.
Where to Run This Command
Either Audit Vault Server or collection agent home
Syntax
avmssqldb -help
avmssqldb command -help
Arguments
Argument | Description |
---|---|
command |
Enter the name of an AVMSSQLDB command for which you want help to appear. |
Usage Notes
None
Example
The following example shows how to display general AVMSSQLDB
utility help in Oracle Audit Vault:
avmssqldb -help
The following example shows how to display specific AVMSSQLDB
help for the add_source
command in the Audit Vault Server home shell.
$ avmssqldb add_source -help add_source -src <host>[:<port>|\<instancename>] -srcname <srcname> [-desc <desc>] Purpose: The source is added to Audit Vault. Arguments: -src : Source DB connection information -srcname : Name of a source -desc : Optional description of the source Examples: avmssqldb add_source -src 'server\instancename' -desc 'source for admin databases' -srcname mssource
The avmssqldb setup
command adds the SQL Server source user credentials to the wallet, creates a database alias in the wallet for the source user, and verifies the connection to the source using the wallet. You also can use this command to change the source user credentials in the wallet after these credentials have been changed in the source database.
Where to Run This Command
Audit Vault collection agent home
Syntax
avmssqldb setup -srcname srcname
Arguments
Argument | Description |
---|---|
-srcname srcname |
Enter the name of the source database. Remember that the source database name is case-sensitive. |
Usage Notes
If you installed the collection agent on a Microsoft Windows computer, run the avmssqldb setup
command from the ORACLE_HOME
\bin
directory. For UNIX or Linux installations, set the appropriate environment variables before running this command. See Section 2.2 for more information.
The avmssqldb setup
command prompts for the source user name and password. This user account must exist on the source database.
Example
$ avmssqldb setup -srcname mssqldb4 Enter a username : source_user_name Enter a password : password ***** Credentials Successfully added *****
The avmssqldb verify
command verifies that a SQL Server source database is compatible for setting up the specified collector.
Where to Run This Command
Either Audit Vault Server or collection agent home
Syntax
avmssqldb verify -src host:port|host\instance_name
Arguments
Argument | Description |
---|---|
-src host : port | host \ instance_name |
Enter the source database connection information.Typically, the host is the fully qualified domain name or IP address of the server on which the SQL Server source database is running.
The syntax you use depends on your configuration. Use the following syntax for single-instance configurations where the port number is different from 1433. Separate the host and port number with a colon. -src host:port Use the following syntax if the instance is not on the default port or does not have a default name. For configurations with multiple instances on one server, you must only use this syntax. Separate the host name and instance name with a backslash, and then enclose them single quotation marks. -src 'host\instance_name' |
Usage Notes
The avmssqldb verify
command checks the following:
Whether the version of the SQL Server database is supported: SQL Server 2000 or SQL Server 2005
Whether the source user has the required privileges in the source database that is to be registered with Oracle Audit Vault
Whether auditing (C2 auditing and server-side trace auditing) is enabled in the source database
If you installed the collection agent on a Microsoft Windows computer, then run the avmssqldb verify
command from the ORACLE_HOME
\bin
directory. For UNIX or Linux installations, set the appropriate environment variables before running this command. See Section 2.2 for more information.
The avmssqldb verify
command prompts for the source user name and password. This user account must exist on the source database.
Example
The following example verifies that the source is compatible with the MSSQLDB collector on Windows.
$ avmssqldb verify -src 192.0.2.1:4523 Enter a username : source_user_name Enter a password : password ***** Source Verified *****