Oracle® Audit Vault Administrator's Guide
Release 10.3

E23571-08

6 Using Oracle Audit Vault in Enterprise Manager Cloud Control


6.1 About Using Oracle Audit Vault in Oracle Enterprise Manager

You can monitor Oracle Audit Vault and perform some basic Oracle Audit Vault administrative functions from Oracle Enterprise Manager Cloud Control 12c Release 1 (12.1). To accomplish this, you must first download and deploy the Oracle Audit Vault Enterprise Manager plug-in from the following location:

http://www.oracle.com/technetwork/oem/grid-control/downloads/index.html

Follow the instructions in Oracle Enterprise Manager System Monitoring Plug-in Installation Guide for Oracle Audit Vault to install the Enterprise Manager agents on the computers where you have installed the Audit Vault Server and Audit Vault agents. After you have completed the installation, you can use the procedures in this chapter to perform tasks such as starting, stopping, and monitoring agents and collectors.

6.2 Logging into the Oracle Audit Vault Pages in Enterprise Manager

To log into the Oracle Audit Vault pages in Enterprise Manager:

  1. Access the Enterprise Manager Cloud Control instance that you configured to use Oracle Audit Vault.

    For example:

    https://nemosity.example.com:4473/em/

  2. In the Welcome page, enter your user name at the User Name prompt and your password at the Password prompt.

  3. Click Login.

    If you have customized your environment so that a specific Oracle Audit Vault home page appears, then this page should appear. (See Figure 6-1.) If it does not, then from the Targets menu, select All Targets. In the All Targets page, select the name of the Audit Vault system, whose target type is Oracle Audit Vault.

Figure 6-1 shows the Oracle Audit Vault home page.

Figure 6-1 Oracle Audit Vault Home Page in Oracle Enterprise Manager Cloud Control


6.3 Monitoring General Oracle Audit Vault Activities

The Oracle Audit Vault home page, shown in Figure 6-1, displays a high level view of the general activities in your Audit Vault installation. From there, you can drill down to more detailed reports for each component.

The general activities are as follows:

  • The name of this installation, followed by the Oracle Audit Vault System menu, on which this Audit Vault system is installed. In the top right corner is the name of the host computer on which Enterprise Manager is installed, followed by the last refresh date for this page.

  • Summary provides the following:

    • Version of the Audit Vault Server

    • Console, indicating whether the Audit Vault Console is up (available) or down (unavailable)

    • Database name of the Oracle Audit Vault repository and status

    • Number of Audit Vault agents

    • Number of source databases

    • Number of collectors

  • Job Activity indicates the status of collectors that have been started or shut down within the last 7 days. Statistics are:

    • Suspended Executions

    • Problem Executions

    • Action Required Executions

    • Scheduled Executions

    • Running Executions

    See Section 6.8.3 for more information.

  • Auditor Activity Notifications indicates the auditor activity notifications status. Statistics are:

    • Ready To Be Sent

    • Pending

    • Failed/Expired

    To find more details about these notifications, click the displayed numbers for Ready To Be Sent, Pending, and Failed/Expired. See Section 6.10 for more information.

  • Audit Vault Agents provides the status of the Audit Vault agents that have been added as Enterprise Manager targets or have not yet been added as targets. See Section 6.7.1 for more information.

  • Collectors indicates the number of collectors that Enterprise Manager is monitoring, and whether they are up, down, or unknown. It also indicates collectors that have not uploaded any data within a predefined time frame. See Section 6.8.1 for more information.

  • Sources indicates the types of source database that you have configured with Audit Vault: Oracle databases, IBM DB2 databases, Sybase ASE databases, and Microsoft SQL Server databases. See Section 6.9 for more information.

  • Incidents and Problems enables you to filter incidents and problems that may arise from the agent, collector, and source configuration. See Section 6.11 for more information.

6.4 Accessing the Audit Vault System Configuration Topology

You can display a topology that illustrates how your Audit Vault system is configured. It shows the Audit Vault Server, the Audit Vault repository, the Oracle listener, and the Audit Vault agents.

From the Oracle Audit Vault System menu, select Configuration, and then Topology. You can create customized views for your selected sets of entities. For detailed information about using topology maps in Enterprise Manager, see Oracle Enterprise Manager Cloud Control Administrator's Guide.

6.5 Finding Information About the Latest Detailed Configuration

You can find information about the latest detailed Oracle Audit Vault configuration. From the Oracle Audit Vault System menu, select Configuration, and then Last Collected. Figure 6-2 shows an example of the Latest Configuration page, with the Immediate Relationship tab selected.

Figure 6-2 Latest Oracle Audit Vault Detailed Configuration


From here, you can perform the following activities:

  • Find detailed information about a category of components, such as all source attributes, by selecting from the list on the left side of the page.

  • Find details about general configuration, by selecting from the name of the Audit Vault Server, Immediate Relationship, Member Of, Uses, and Used By tabs.

  • Filter the view by selecting from the View menu.

  • Export the configuration settings to a spreadsheet by selecting the Export button.

  • Create a detached view of the current page by selecting the Detach button.

See Also:

Oracle Enterprise Manager Cloud Control Administrator's Guide for detailed information about configuration views in Enterprise Manager

6.6 Setting Warning and Critical Thresholds

You can set the threshold for Audit Vault-specific metrics that Enterprise Manager collects. If the threshold condition is matched, then an alert is created in Enterprise Manager. For example, you can set the warning and critical threshold for pending auditor activity notifications. If the number of notifications exceeds the given count, then Enterprise Manager generates an alert (for example, an email notification for your site's security officer). Using the advanced configuration setting (available by selecting the pencil icon under the Edit column in the Metric and Collection Settings page), you can set the number of occurrences of the alert condition before Enterprise Manager generates the alert. For detailed information about setting these types of metrics, see Oracle Enterprise Manager Cloud Control Administrator's Guide.

  1. From the Oracle Audit Vault System menu, select Monitoring, then Metric and Collection Settings.

  2. In the Metrics page, from the View menu, select All metrics to display all of the metrics that you can set.

    A page similar to the following appears:

    [Illustration: em_metrics.gif]

  3. In the Metrics page, fill out the settings as follows:

    • Warning Threshold: Enter the maximum number of warnings. This value represents the threshold value of the corresponding metric column. When the value for the metric column satisfies the given threshold condition, Enterprise Manager creates an alert.

    • Critical Threshold: Enter the maximum number of critical alerts. Similar to the Warning Threshold behavior, except that it applies to critical alerts.

    • Collective Schedule: Click the link for the current collection section (for example, Every 15 Minutes) to modify the frequency for the alert collection.

    • Edit: Select to edit advanced settings, which provide advice on values you may want to enter for the thresholds and collective schedule.

  4. Optionally, in the Other Collected Items page, set the collection schedule for the Agent Configuration, Collector Attributes, Collector Configuration, Source Attributes, and Source Configuration settings.

  5. Click OK.

  6. In the Confirmation dialog box, click OK.
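The following added example (not part of the Oracle guide, and not Enterprise Manager's own logic) models how the warning threshold, critical threshold, and occurrence count described in this section interact for the pending auditor activity notifications metric. It assumes that occurrences are counted over consecutive collections and that "exceeds" means strictly greater than; the sample counts and threshold values are constructed.

```python
def classify(value, warning, critical):
    """Severity of one collected sample; 'exceeds' is modelled as '>'."""
    if value > critical:
        return "CRITICAL"
    if value > warning:
        return "WARNING"
    return "CLEAR"


def alert_transitions(samples, warning, critical, occurrences=1):
    """Return [(sample_index, new_state)] each time the alert state changes.

    Assumption: the occurrence count means consecutive collections in
    violation, and a critical sample also counts toward the warning streak.
    """
    state, warn_streak, crit_streak, out = "CLEAR", 0, 0, []
    for i, value in enumerate(samples):
        sev = classify(value, warning, critical)
        warn_streak = warn_streak + 1 if sev != "CLEAR" else 0
        crit_streak = crit_streak + 1 if sev == "CRITICAL" else 0
        if crit_streak >= occurrences:
            new = "CRITICAL"
        elif warn_streak >= occurrences:
            new = "WARNING"
        else:
            new = "CLEAR"
        if new != state:
            out.append((i, new))
            state = new
    return out


# Constructed samples: pending auditor activity notifications, one value
# per collection (for example, one every 15 minutes).
PENDING = [40, 120, 60, 130, 140, 150, 520, 530, 540, 90]

if __name__ == "__main__":
    # occurrences=1 alerts on the single spike at index 1 and clears again;
    # occurrences=3 alerts only once the backlog is sustained.
    for n in (1, 3):
        print(n, alert_transitions(PENDING, warning=100, critical=500, occurrences=n))
```

A low occurrence count notifies the security officer sooner but also on transient spikes; a higher count delays the first alert by that many collection intervals.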

6.7 Monitoring, Starting, and Stopping Agents Using Enterprise Manager


6.7.1 Monitoring Audit Vault Agents Using Enterprise Manager Cloud Control

You can find the status of Audit Vault agents by checking the Audit Vault Agents region of the Oracle Audit Vault home page. If the Audit Vault agent has been added as an Enterprise Manager target, then the status can be Up, Down, or Unknown. If the Audit Vault agent has not yet been added as an Enterprise Manager target or if the Audit Vault agent is not installed on the host computer, then the status appears under Configuration Issues.

Figure 6-3 shows an example of this region.

Figure 6-3 Audit Vault Agents Area in the Oracle Audit Vault Home Page


To find detailed information about the Audit Vault agents, use one of the following methods:

  • To find detailed information about a category of events, such as all up (running) agents, click the number of the Audit Vault agents in the Audit Vault Agents region in the Oracle Audit Vault home page. Or, you can click the appropriate area in the chart.

  • To find detailed information about all of the Audit Vault agents, from the Oracle Audit Vault System menu, select Audit Vault Agents.

Figure 6-4 shows an example of the status of all Audit Vault agents in an installation, which includes not only whether the Audit Vault agent is running, but the version of the agent, host name of the computer on which the agent is installed, and types of incidents that these agents have captured. You can sort the listing by selecting from the Search by list.

Figure 6-4 Detailed Audit Vault Agents Page


To find more detailed information about the Audit Vault agents, click the name of the agent in the Audit Vault Agent column, which displays the Audit Vault Agent home page. The links under the Host column display the home page for the host target, and the links in the Incidents columns display detailed information about the selected incident.

Figure 6-5 shows an example of the Audit Vault Agent home page.

Figure 6-5 Audit Vault Agents Home Page


6.7.2 Starting or Stopping Audit Vault Agents Using Enterprise Manager Cloud Control

To start or stop one or more Audit Vault agents from Enterprise Manager:

  1. From the Oracle Audit Vault System menu, select Audit Vault Agents.

    If you only want agents of a particular status, such as all agents that are down, then you can drill down by selecting the appropriate icon from the Oracle Audit Vault home page, as described in Section 6.7.1. You also can filter from the detailed Audit Vault Agents page.

  2. In the Audit Vault Agents page, select one or more agents.

    See Figure 6-4.

  3. Select the Start button to start the Audit Vault agents, or select the Stop button to stop them.

    You also can start or stop the Audit Vault agents from the Audit Vault Agent home page. (See Figure 6-5.)

  4. In the Credentials dialog box, enter the credentials of a host user who owns the Oracle Home on all the selected Audit Vault agent hosts. Then click OK.

6.8 Monitoring, Starting, and Stopping Collectors in Enterprise Manager


6.8.1 Monitoring Collectors Using Enterprise Manager

From the Oracle Audit Vault home page, you can find collectors that are up or down and whether the collectors are having problems collecting data. If Enterprise Manager cannot retrieve the collector status or if the actual status is not known, then the status is set to Unknown.

Figure 6-6 shows the Collectors region of the Oracle Audit Vault home page.

Figure 6-6 Collectors Region of the Oracle Audit Vault Home Page


To find detailed information about the collectors, use one of the following methods:

  • To find detailed information about a category of collectors, such as all up collectors, click the number of the collectors in the Collectors region in the Oracle Audit Vault home page. Or, you can click the appropriate area in the chart.

  • To find detailed information about all of the collectors, from the Oracle Audit Vault System menu, select Collectors.

Figure 6-7 shows an example of a detailed view of all collectors. In addition to whether the collector is up or down, it shows the names of the source database and the Audit Vault agent that are associated with the collector, the type of collector, the time the collector last uploaded data, throughput, and whether the collector captured any incidents, based on user profiles. You can filter the list of collectors by selecting from the Search by list.

Figure 6-7 Detailed Audit Vault Collectors Page


To find more detailed information about the collectors, click the name of the collector in the Collector column, which displays the Audit Vault Collector home page.

Figure 6-8 shows the Audit Vault Collector home page.

Figure 6-8 Audit Vault Collector Home Page


6.8.2 Starting or Stopping Collectors Using Enterprise Manager

To start or stop one or more Audit Vault collectors using Enterprise Manager:

  1. From the Oracle Audit Vault System menu, select Collectors.

    If you only want collectors of a particular status, such as all collectors that are down, then you can drill down by selecting the appropriate icon from the Oracle Audit Vault home page, as described in Section 6.8.1. You also can filter from the detailed Audit Vault Collectors page.

  2. In the Audit Vault Collectors page, select one or more collectors.

    See Figure 6-7, "Detailed Audit Vault Collectors Page".

  3. Select the Start button to start these collectors, or select the Stop button to stop them.

    To find the status of collectors that have been started or shut down, see Section 6.8.3.

  4. In the Credentials dialog box, enter the credentials of a host user who owns the Oracle Home on the Audit Vault system host. Then click OK.

6.8.3 Finding the Status of Started or Shut Down Collector Jobs

After you have started or shut down one or more collectors from Enterprise Manager, you can find the status of the job by checking the Job Activity region of the Oracle Audit Vault home page. The Job Activity region shows suspended, problem, action-required, scheduled, and running job executions. It does not show successful job executions.

Figure 6-9 shows the Job Activity region of the Oracle Audit Vault home page.

Figure 6-9 Collector Startup and Shutdown Jobs


6.9 Monitoring Source Databases

From the Oracle Audit Vault home page, you can find the types of source databases that your system is using, assuming that the source database has been added as an Enterprise Manager target. If the source database is an Oracle database that has been added as a target, then you can find out if it is up, down, or has an unknown status.

Figure 6-10 Sources Region in the Oracle Audit Vault Home Page


To find detailed information about the sources, use one of the following methods:

  • To find detailed information about a category of sources, such as all up (running) sources, click the number of the sources in the Sources region in the Oracle Audit Vault home page. Or, you can click the appropriate area in the chart.

  • To find detailed information about all of the sources, from the Oracle Audit Vault System menu, select Sources.

Figure 6-11 shows an example of a detailed view of a set of source databases. In addition to the source type and whether the source is up, this page shows the version of the source database, the host computer on which it is installed, the Audit Vault agents and collectors that are monitoring the source, and the throughput for audit records.

Figure 6-11 Detailed Audit Vault Sources Page


To access the Database Home page of an Oracle source database that has been added as a target, click the name of the source in the Source column.

6.10 Monitoring Auditor Activity Notifications

From the Oracle Audit Vault home page, you can find the auditor notifications that are ready to be sent, are pending, and have failed or expired.

Figure 6-12 shows the Auditor Activity Notifications region.

Figure 6-12 Auditor Activity Notifications


To find detailed information about these notifications, click on the number that represents the number of notifications available (for example, 634321 next to the Ready To Be Sent label in Figure 6-12).

Figure 6-13 shows an example of how a detailed Auditor Activity Notifications page appears.

Figure 6-13 Detailed Auditor Activity Notifications Page


You can view more details, including metrics, with this page. You can perform the following additional actions from this page:

  • To compare notifications between two source database targets, click the Compare Targets link.

  • To modify the metrics and collection settings, select Metric and Collection Settings. See Oracle Enterprise Manager System Monitoring Plug-in Installation Guide for Oracle Audit Vault for details. The Metric and Collection settings page is similar to the following:

    [Illustration: em_metric_settings.gif]

6.11 Monitoring Alert Incidents and Problems

From the Oracle Audit Vault home page, you can find information about any incidents and problems that may arise from the Audit Vault administrative configuration.

Figure 6-14 Incidents and Problems Page


To find detailed information about an incident, select the name of the incident from the Message column. Figure 6-15 shows an example of a detailed incident view.

Figure 6-15 Detailed Incident


From here, you can view a variety of information by selecting the following tabs:

  • General provides the ID, target, when the incident was created, when it was last updated, a summary of the incident behavior, the internal event name (such as Status), the event type (such as Target Availability), and the event category (such as Availability). It also provides a Tracking area, which enables you to acknowledge the incident, add comments, and manage the workflow of the incident. It also provides a Guided Resolution area so that you can view a topology of the configuration, view any recent configuration changes, reevaluate alerts, or black out targets.

  • Events provides details about the event that caused the incident: the error message, its severity, the target database, the target database type, when the event was triggered, the internal name, and the number of occurrences of the event.

  • My Oracle Support Knowledge enables you to log into My Oracle Support.

  • Updates shows updates that have occurred in relation to this incident. The View menu and Query by Example icon enable you to filter these updates.

  • Related Events And Incidents shows events that have occurred on related targets. Events are considered related if they occur on targets on which the target of the incident depends, within a time range of 30 minutes before or after the incident was recorded. The page indicates the severity, when the related incident was reported, the message, the target, the target type, the incident ID, and the category.
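The relatedness rule from the Related Events And Incidents tab, written out as an added example that is not part of the Oracle guide or Enterprise Manager's code. The target names, dependency map, and events are constructed; treating the 30-minute boundary as inclusive and offering an optional transitive dependency walk are assumptions.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # "30 minutes before or after the incident"


def dependencies(target, depends_on, transitive=False):
    """Targets that `target` depends on.

    Direct dependencies only by default. The transitive walk is an
    assumption for illustration and tolerates cycles in the map.
    """
    seen, stack = set(), list(depends_on.get(target, []))
    while stack:
        dep = stack.pop()
        if dep in seen or dep == target:
            continue
        seen.add(dep)
        if transitive:
            stack.extend(depends_on.get(dep, []))
    return seen


def related_events(incident, events, depends_on, transitive=False, window=WINDOW):
    """Events on the incident target's dependencies within +/- window."""
    deps = dependencies(incident["target"], depends_on, transitive)
    lo, hi = incident["recorded"] - window, incident["recorded"] + window
    hits = [e for e in events if e["target"] in deps and lo <= e["time"] <= hi]
    return sorted(hits, key=lambda e: e["time"])


def t(hhmm):
    """Helper for the constructed sample data below."""
    return datetime.strptime("2012-06-01 " + hhmm, "%Y-%m-%d %H:%M")


# Constructed topology: a collector depends on its agent and source database.
DEPENDS_ON = {
    "hr_collector": ["av_agent_01", "hr_source_db"],
    "av_agent_01": ["av_host_01"],
}
INCIDENT = {"id": 101, "target": "hr_collector", "recorded": t("10:00")}
EVENTS = [  # constructed
    {"id": 1, "target": "av_agent_01", "time": t("09:45")},    # direct, in window
    {"id": 2, "target": "hr_source_db", "time": t("10:30")},   # direct, on boundary
    {"id": 3, "target": "hr_source_db", "time": t("10:31")},   # direct, too late
    {"id": 4, "target": "av_host_01", "time": t("09:50")},     # transitive only
    {"id": 5, "target": "fin_collector", "time": t("10:00")},  # not a dependency
    {"id": 6, "target": "hr_collector", "time": t("10:05")},   # incident's own target
]

if __name__ == "__main__":
    print([e["id"] for e in related_events(INCIDENT, EVENTS, DEPENDS_ON)])
    print([e["id"] for e in related_events(INCIDENT, EVENTS, DEPENDS_ON, transitive=True)])
```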

6.12 Generating Oracle Audit Vault Reports Using Information Publisher

You can generate reports on the Oracle Audit Vault configuration by using the Enterprise Manager Information Reports.

To access the Information Publisher reports:

  1. From the Oracle Audit Vault System menu, select Information Publisher Reports.

    A page similar to the following appears:

    [Illustration: em_pub_reports.gif]

  2. Create and generate the reports as necessary.

    For more information about using the Information Publisher Reports, see Oracle Enterprise Manager Cloud Control Administrator's Guide.

6.13 Managing the Oracle Audit Vault System from Enterprise Manager


6.13.1 Controlling Administrative Access to the Audit Vault System


6.13.1.1 Changing the Audit Vault System Administrative Owner

By default, the SYSMAN user has full privileges for the Audit Vault system. To change this user to another:

  1. From the Audit Vault System menu, select Target Setup, and then Administrator Access.

  2. In the Access page, select the Change Owner button.

    The Search and Select Administrator window appears.

  3. From the Search and Select Administrator window, select a trusted user, and then click Select.

  4. In the Access page, select OK.

6.13.1.2 Adding or Removing Users for Administrative Access to the Audit Vault System

You can grant users or roles specific privileges for managing the Audit Vault system.

  1. From the Audit Vault System menu, select Target Setup, and then Administrator Access.

  2. In the Access page, select the Add or Remove button.

    The Search and Select Administrator or Role window appears.

  3. Select one or more users or roles, and then select Select.

  4. If you have added users or roles (or if you want to edit the access for these selections), then select the users or roles and then select the Grant to Selected button.

  5. In the Bulk Assigned Privileges page, select the privileges that you want to grant.

  6. Click Continue.

    The Access page appears.

  7. Click OK.

6.13.2 Starting and Shutting Down the Audit Vault Console

To start or shut down the Audit Vault Console:

  1. From the Oracle Audit Vault System menu, select Startup/Shutdown.

  2. In the Startup/Shutdown Audit Vault Console page, enter the credentials of a host user who owns the Oracle Home on the Audit Vault Server host.

  3. Click OK.

6.13.3 Adding the Audit Vault System to an Enterprise Manager Group

You can add the Audit Vault Server target to an Enterprise Manager group of existing Audit Vault system targets. This enables you to monitor and manage multiple Audit Vault system targets.

To add the Audit Vault system to an Enterprise Manager group:

  1. From the Oracle Audit Vault System menu, select Target Setup, and then Add to Group.

  2. In the Add to Groups page, select a group to which you want to add the Audit Vault system target, and then click Add.


6.13.4 Removing the Audit Vault System Target from Enterprise Manager

You can remove Audit Vault system targets from Enterprise Manager. If you created user accounts specifically for use with the Enterprise Manager Audit Vault system target, then you can drop these accounts. If you had granted existing users the AV_MONITOR role for this target, then you should revoke this role from those users.

To remove the Audit Vault system target from Enterprise Manager:

  1. From the Oracle Audit Vault home page, select the Oracle Audit Vault System menu, then Target Setup, and then Remove Target.

  2. In the Confirmation dialog box, select Yes.

Later on, if you decide that you want to add the Audit Vault system back to Enterprise Manager, see Oracle Enterprise Manager Cloud Control Administrator's Guide.