Oracle® Audit Vault Administrator's Guide
Release 10.2.3.2

Part Number E14459-11

8 Audit Vault Oracle Database (AVORCLDB) Utility Commands

Use the Audit Vault Oracle Database (AVORCLDB) command-line utility to manage the relationship between Oracle Audit Vault and an Oracle source database and collector. When you run these commands, remember the following:

Table 8-1 describes the AVORCLDB commands and where each is used, whether on the Audit Vault Server, on the Audit Vault collection agent, or in both places.

Table 8-1 AVORCLDB Commands

| Command | Where Used? | Description |
|---|---|---|
| add_collector | Server | Adds a collector to Oracle Audit Vault |
| add_source | Server | Registers an audit source with Oracle Audit Vault |
| alter_collector | Server | Alters the attributes of a collector |
| alter_source | Server | Alters the attributes of a source |
| drop_collector | Server | Drops a collector from Oracle Audit Vault |
| drop_source | Server | Drops a source database from Oracle Audit Vault |
| -help | Both | Displays help information for the AVORCLDB commands |
| setup | Collection agent | Adds the source user credentials to the wallet, creates a database alias in the wallet for the source user, verifies the connection to the source using the wallet, and updates the tnsnames.ora file |
| verify | Both | Verifies that the source is compatible with the collectors that are specified for setup |


8.1 avorcldb

AVORCLDB is the command-line utility that you use to configure an Oracle database with Oracle Audit Vault.

Syntax

avorcldb command -help

avorcldb command [options] arguments

Arguments

Argument Description
command Enter one of the commands listed in Table 8-1.
arguments Enter one or more of the AVORCLDB command arguments.
-help Displays help information for the AVORCLDB commands.

Usage Notes

Issuing an AVORCLDB command generates the following log file: $ORACLE_HOME/av/log/avorcldb.log.

8.2 add_collector

The avorcldb add_collector command adds a collector for the given Oracle source database to Audit Vault. Oracle Audit Vault verifies the source database for the collector requirements.

Where to Run This Command

Audit Vault Server:

Syntax

avorcldb add_collector -srcname srcname
-agentname agentname -colltype [OSAUD,DBAUD,REDO] 
[-collname collname] [-desc desc] 
[-av host:port:service] [-instname instname] [-orclhome orclhome] 

Arguments

Argument Description
-srcname srcname Enter the source database name for which the collector is to be added. This source name was displayed after you ran the avorcldb add_source command.

Remember that the source database name is case-sensitive.

-agentname agentname Enter the name of the collection agent that was created when you ran the avca add_agent command. (In most cases, this is the agent that you created when you installed the Audit Vault collection agent, as described in Oracle Audit Vault Collection Agent Installation Guide.)

If you are not sure of the agent name, then you can find it as follows: Log in to the Audit Vault Console, click the Configuration tab, and then click the Agent tab to display the Agents page. The name of the agent is displayed in the Agent column.

-colltype colltype Enter the collector type to be added.
  • DBAUD

  • OSAUD

  • REDO

See Table 1-5 for more information about the collector types.

-collname collname Create a name for the collector. Optional. If you do not create a name, Oracle Audit Vault names the collector colltype_Collector (for example, OSAUD_Collector for the OSAUD collector type).
-desc desc Enter a brief description of the collector. Optional.
-av host:port:service Enter the connection information for Oracle Audit Vault used for the database link from the source database to Oracle Audit Vault. You must include this argument if the -colltype argument is REDO; otherwise, this argument is optional.
-instname instname Enter the instance name of the Audit Vault Oracle RAC installation. You must include this argument if you are adding multiple OSAUD collectors, that is, one collector for each database instance.
-orclhome orclhome Enter the Oracle home of the source database. You must include this argument if the -colltype argument is OSAUD; otherwise, this argument is optional. See the usage notes.

Usage Notes

Example

The following example shows how to add an OSAUD collector to Oracle Audit Vault on Linux and UNIX platforms in an Oracle Real Application Clusters (Oracle RAC) installation using the -instname argument.

avorcldb add_collector -srcname orcl 
-agentname kuksagruvin_os -colltype OSAUD -collname OSAUD_Collector -instname av01 
-orclhome /u01/app/oracle/product/10.2.0/db_1

source hr_db verified for OS File Audit Collector collector
Adding collector...
Collector added successfully.
collector successfully added to Audit Vault

remember the following information for use in avctl
Collector name (collname): OSAUD_Collector

This example shows how to add a DBAUD collector to Oracle Audit Vault:

avorcldb add_collector -srcname source1db.example.com 
-agentname kuksagruvin_dbuaud -colltype DBAUD 

source hr_db verified for Aud$/FGA_LOG$ Audit Collector collector
Adding collector...
Collector added successfully.
collector successfully added to Audit Vault

remember the following information for use in avctl
Collector name (collname): DBAUD_Collector

The next example shows how to add a REDO collector to Oracle Audit Vault.

avorcldb add_collector -srcname source1db.example.com 
-agentname kuksagruvin_redo -colltype REDO 
-av system1.example.com:1521:av 

source hr_db verified for REDO Log Audit Collector collector
Adding collector...
Collector added successfully.
collector successfully added to Audit Vault

remember the following information for use in avctl
Collector name (collname): REDO_Collector
initializing REDO Collector
setting up APPLY process on Audit Vault server
setting up CAPTURE process on source database
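
The argument rules in this section (-srcname, -agentname and -colltype are required; -orclhome is required for OSAUD; -av is required for REDO; the default name is colltype_Collector) can be checked before the command is run. The shell function below is an added example, not part of the Oracle documentation or the avorcldb utility; the name check_add_collector and its exit status are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check for "avorcldb add_collector" arguments.
# Encodes only the rules in the section 8.2 argument table. Prints the
# collector name that will be used; returns non-zero on a rule violation.
check_add_collector() (
    srcname='' agentname='' colltype='' collname='' av='' orclhome=''
    while [ $# -gt 0 ]; do
        [ $# -ge 2 ] || { echo "missing value for $1" >&2; exit 1; }
        case "$1" in
            -srcname)   srcname=$2 ;;
            -agentname) agentname=$2 ;;
            -colltype)  colltype=$2 ;;
            -collname)  collname=$2 ;;
            -av)        av=$2 ;;
            -orclhome)  orclhome=$2 ;;
            -desc|-instname) : ;;   # optional, nothing to validate here
            *) echo "unknown argument: $1" >&2; exit 1 ;;
        esac
        shift 2
    done
    [ -n "$srcname" ] && [ -n "$agentname" ] && [ -n "$colltype" ] ||
        { echo "-srcname, -agentname and -colltype are required" >&2; exit 1; }
    case "$colltype" in
        DBAUD) : ;;
        OSAUD) [ -n "$orclhome" ] ||
                   { echo "OSAUD requires -orclhome" >&2; exit 1; } ;;
        REDO)  [ -n "$av" ] ||
                   { echo "REDO requires -av host:port:service" >&2; exit 1; } ;;
        *) echo "invalid -colltype: $colltype" >&2; exit 1 ;;
    esac
    if [ -n "$av" ]; then
        # -av must be host:port:service with a numeric port.
        case "$av" in *:*:*) ;; *) echo "bad -av value: $av" >&2; exit 1 ;; esac
        host=${av%%:*}; rest=${av#*:}; port=${rest%%:*}; service=${rest#*:}
        case "$port" in ''|*[!0-9]*) echo "bad -av port: $av" >&2; exit 1 ;; esac
        [ -n "$host" ] && [ -n "$service" ] ||
            { echo "bad -av value: $av" >&2; exit 1; }
    fi
    # Default name when -collname is omitted: colltype_Collector.
    printf '%s\n' "${collname:-${colltype}_Collector}"
)

# Argument sets from the three examples above, then a constructed invalid one
# (REDO without -av). No sample value contains spaces, so word splitting is safe.
for args in \
    "-srcname orcl -agentname kuksagruvin_os -colltype OSAUD -collname OSAUD_Collector -instname av01 -orclhome /u01/app/oracle/product/10.2.0/db_1" \
    "-srcname source1db.example.com -agentname kuksagruvin_dbuaud -colltype DBAUD" \
    "-srcname source1db.example.com -agentname kuksagruvin_redo -colltype REDO -av system1.example.com:1521:av" \
    "-srcname source1db.example.com -agentname kuksagruvin_redo -colltype REDO"
do
    if out=$(check_add_collector $args 2>&1); then
        echo "ok: $out"
    else
        echo "rejected: $out"
    fi
done
```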

8.3 add_source

The avorcldb add_source command registers an Oracle source database with Oracle Audit Vault for audit data consolidation. Run this command on the Audit Vault Server.

Where to Run This Command

Audit Vault Server:

Syntax

avorcldb add_source -src host:port:service 
      [-srcname srcname] [-desc desc] [-agentname agentname]

Arguments

Argument Description
-src host:port:service Enter the source database connection information: host name, port number, and service ID (SID), separated by a colon.

If you are unsure of this connection information, run the lsnrctl status command on the computer where you installed the source database.

-srcname srcname Enter the name of the source database. Remember that the source database name is case-sensitive. Optional.

If you do not specify this argument, then Oracle Audit Vault uses the global database name. You can check this name by querying the GLOBAL_NAME data dictionary view in SQL*Plus. For example:

SQL> SELECT * FROM GLOBAL_NAME;
-desc desc Enter a brief description of the source database. Optional.
-agentname agentname Enter the name of the agent. If you omit this name, then Oracle Audit Vault uses the name of the agent that you created during the agent installation process. Optional.

Usage Notes

Example

The following example shows how to register a source database with Oracle Audit Vault.

avorcldb add_source -src hrdb.example.com:1521:orcl -srcname hr_db -agentname agent1
Enter Source user name: username
Enter Source password: password

Adding source...
Source added successfully.
source successfully added to Audit Vault

remember the following information for use in avctl
Source name (srcname): hr_db
Credential stored successfully
Mapping Source to Agent...

8.4 alter_collector

The avorcldb alter_collector command modifies the attributes of an Oracle Database collector.

Where to Run This Command

Audit Vault Server:

Syntax

avorcldb alter_collector -srcname srcname -collname collname
      [attrname=attrvalue...attrname=attrvalue]

Arguments

Argument Description
-srcname srcname Enter the name of the source database to which this collector belongs. Remember that the source database name is case-sensitive.
-collname collname Enter the name of the collector to be modified.
attrname=attrvalue Enter the attribute pair (attribute name, new attribute value) for mutable collector attributes for this collector type. This argument is optional.

Enclose the attribute value in double quotation marks. For multiple values, enclose the entire set in double quotation marks and separate each value with a space. For example:

...="value1 value2 value3"

Usage Notes

Table 8-2 describes the DBAUD collector attributes.

Table 8-2 DBAUD Collector Attributes

| Attribute | Description | Mutable | Default Value |
|---|---|---|---|
| AGENTNAME | Name of an agent to replace the agent that was specified by the avorcldb add_collector command that was used for this source database. This feature enables you to move a collector from one agent to another. It is useful for failover recovery if the host computer running the original agent fails. This attribute only applies to the DBAUD collector. When you enter a value for AGENTNAME, enter it using the same case that you used when you ran the avca add_agent command. After you replace the agent, you must run the avorcldb setup command and avctl start_collector command. See "Examples" for more information. | Yes | NULL |
| AUDAUDIT_ACTIVE_SLEEP_TIME | The amount of active sleep time (in milliseconds) for the DBAUD process when the last retrieval actually did retrieve records. | Yes | 1000 milliseconds |
| AUDAUDIT_AUDIT_VAULT_ALIAS | The alias name for the Audit Vault Server. The value you enter is not case sensitive. | No | NULL |
| AUDAUDIT_DELAY_TIME | The amount of delay time (in seconds) for the DBAUD process. | Yes | 20 seconds |
| AUDAUDIT_MAX_PROCESS_RECORDS | The maximum number of records after which the collector commits records to the raw audit data store and generates minor recovery context. In fine-grained auditing (FGA_LOG$) and 9.x sources, the collector might need to delay this until the record with the higher timestamp is retrieved. A valid value is an integer value from 10 to 10000. | Yes | 1000 records |
| AUDAUDIT_SLEEP_TIME | The amount of sleep time (in milliseconds) for the DBAUD process. For example, if it is now 10:00:00 AM, the collector will retrieve the records with the timestamps that are less than 9:59:40. However, the next time the collector will only retrieve records with the timestamps of 9:59:40 or higher. The assumption is that within 20 seconds after the timestamp is assigned to the record, the record would be visible (retrievable). This attribute is used only for time-based retrieval in fine-grained auditing (FGA_LOG$) on 9.x source databases. In Oracle Audit Vault, time-based retrieval is used for all retrievals. | Yes | 5000 milliseconds |
| AUDAUDIT_SORT_POLICY | The audit data sort policy. This attribute is not implemented. It was deprecated for Oracle Audit Vault Release 10.2.3. | Yes | NULL |
| AUDAUDIT_SOURCE_ALIAS | The alias name for the audit data source. The value you enter is not case sensitive. | No | NULL |


Table 8-3 describes the OSAUD collector attributes.

Table 8-3 OSAUD Collector Attributes

| Attribute | Description | Mutable | Default Value |
|---|---|---|---|
| OSAUDIT_AUDIT_VALUE_ALIAS | The alias name for the Audit Vault Server. The value you enter is not case sensitive. | No | NULL |
| OSAUDIT_CHANNEL_TYPE | The channel type being used by the collector. This attribute is not implemented. It was deprecated in Oracle Audit Vault Release 10.2.3. | No | NULL |
| OSAUDIT_DEFAULT_FILE_DEST (Footnote 1) | The default directory for Oracle Database operating system audit files. This directory contains mandatory audit record files. The value you enter is not case sensitive. | Yes | $ORACLE_HOME/rdbms/audit |
| OSAUDIT_FILE_DEST | The directory for the Oracle Database operating system audit files. This directory contains SYS and regular audit record files. | Yes | $ORACLE_HOME/admin/DB_UNIQUE_NAME/adump |
| OSAUDIT_MAX_PROCESS_RECORDS | The maximum number of records to be processed during each call to process the collector. A valid value is an integer value from 10 to 10000. | Yes | 10000 |
| OSAUDIT_MAX_PROCESS_TIME | The maximum processing time for each call to process the collector (in centiseconds). A valid value is an integer value from 10 to 10000. | Yes | 600 centiseconds |
| OSAUDIT_NLS_CHARSET | The NLS character set of the data source. The value you enter is not case sensitive. | Yes | WE8ISO8859P1 |
| OSAUDIT_NLS_LANGUAGE | The NLS language of the data source. The value you enter is not case sensitive. | Yes | AMERICAN |
| OSAUDIT_NLS_TERRITORY | The NLS territory of the data source. The value you enter is not case sensitive. | Yes | AMERICA |
| OSAUDIT_NT_ORACLE_SID | The Oracle SID name on Microsoft Windows systems. The value you enter is not case sensitive. | Yes | NULL |
| OSAUDIT_RAC_INSTANCE_ID | The instance ID in an Oracle RAC environment | Yes | 1.0 |
| OSAUDIT_SOURCE_ALIAS | The alias or connection string to the source database. The value you enter is not case sensitive. | Yes | NULL |
| OSAUDIT_SYSLOG_FILE | The syslog file name and location, if other than the default as indicated in the etc/syslog.conf file. Setting this parameter to a valid syslog file name overrides the default setting. The value you enter is not case sensitive. | Yes | NULL |


Footnote 1: To avoid collecting duplicate operating system audit trail records, do not set the OSAUDIT_DEFAULT_FILE_DEST and OSAUDIT_FILE_DEST attributes to values that, although different, resolve to the same directory.

Table 8-4 describes the REDO collector attributes.

Table 8-4 REDO Collector Attributes

| Attribute | Description | Mutable | Default Value |
|---|---|---|---|
| AV.DATABASE.NAME | The Oracle Audit Vault database name. The value you enter is not case sensitive. | No | NULL |
| STRCOLL_DBPORT | The port number of the audit data Oracle source database | Yes | NULL |
| STRCOLL_DBSERVICE | The service name of the audit data Oracle source database. The value you enter is not case sensitive. | No | NULL |
| STRCOLL_HEARTBEAT_TIME | The time, in seconds, between events for monitoring the status of the Audit Vault REDO collection system | Yes | 60 seconds |
| STRCOLL_SRCADM_ALIAS | The alias name for the audit data source. The value you enter is not case sensitive. | No | NULL |
| STRCOLL_SRCADM_NAME | The name of the audit data source database. The value you enter is not case sensitive. | No | NULL |


On Microsoft Windows systems, if the path value for the OSAUDIT_DEFAULT_FILE_DEST attribute is set incorrectly using backslashes, use the Audit Vault Console to log in as the Audit Vault administrator and connect as AV_ADMIN, click Configuration, click Collector, select the OSAUD_Collector name, then click Edit and edit the value for this attribute using slashes instead of backslashes. When finished, click OK to save your changes.
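
The Mutable flags and value ranges in Tables 8-2 to 8-4, the slash rule for OSAUDIT_DEFAULT_FILE_DEST, and Footnote 1 can be checked locally before alter_collector is run. The following shell functions are an added example, not Oracle code; the names check_attr, same_dir and demo_symlinked_dirs are hypothetical, and matching attribute names case-insensitively is an assumption based on the page writing agentname=B.

```shell
#!/bin/sh
# Added example: pre-flight checks for "avorcldb alter_collector" attribute
# pairs, using only the Mutable flags and value ranges from Tables 8-2 to 8-4.

# Attributes the tables mark as Mutable = No.
IMMUTABLE="AUDAUDIT_AUDIT_VAULT_ALIAS AUDAUDIT_SOURCE_ALIAS
OSAUDIT_AUDIT_VALUE_ALIAS OSAUDIT_CHANNEL_TYPE AV.DATABASE.NAME
STRCOLL_DBSERVICE STRCOLL_SRCADM_ALIAS STRCOLL_SRCADM_NAME"

# check_attr NAME=VALUE -> 0 if acceptable, 1 if it breaks a documented rule.
check_attr() (
    case "$1" in *=*) ;; *) echo "not attrname=attrvalue: $1" >&2; exit 1 ;; esac
    # Assumption: names are matched case-insensitively (the page writes agentname=B).
    name=$(printf '%s' "${1%%=*}" | tr '[:lower:]' '[:upper:]')
    value=${1#*=}
    for a in $IMMUTABLE; do
        if [ "$name" = "$a" ]; then echo "$name is not mutable" >&2; exit 1; fi
    done
    case "$name" in
        AUDAUDIT_MAX_PROCESS_RECORDS|OSAUDIT_MAX_PROCESS_RECORDS|OSAUDIT_MAX_PROCESS_TIME)
            case "$value" in
                ''|*[!0-9]*) echo "$name must be an integer" >&2; exit 1 ;;
            esac
            [ "$value" -ge 10 ] && [ "$value" -le 10000 ] ||
                { echo "$name must be from 10 to 10000" >&2; exit 1; } ;;
        OSAUDIT_DEFAULT_FILE_DEST)
            case "$value" in
                *\\*) echo "$name: use slashes, not backslashes" >&2; exit 1 ;;
            esac ;;
    esac
    exit 0
)

# same_dir DIR1 DIR2 -> 0 when both resolve to one physical directory, which
# Footnote 1 says leads to duplicate OS audit records; 2 if a path is missing.
same_dir() (
    p1=$(cd "$1" 2>/dev/null && pwd -P) || exit 2
    p2=$(cd "$2" 2>/dev/null && pwd -P) || exit 2
    [ "$p1" = "$p2" ]
)

# Constructed demo: adump is a symlink to rdbms/audit, so two different
# attribute values resolve to the same directory.
demo_symlinked_dirs() (
    t=$(mktemp -d) || exit 2
    mkdir -p "$t/rdbms/audit" "$t/admin/orcl"
    ln -s "$t/rdbms/audit" "$t/admin/orcl/adump"
    if same_dir "$t/rdbms/audit" "$t/admin/orcl/adump"; then r=duplicate; else r=distinct; fi
    rm -rf "$t"
    echo "$r"
)

# Constructed sample pairs: one valid, one out of range, one immutable.
for pair in AUDAUDIT_DELAY_TIME=60 OSAUDIT_MAX_PROCESS_TIME=5 STRCOLL_DBSERVICE=orcl; do
    if check_attr "$pair" 2>/dev/null; then echo "ok       $pair"; else echo "rejected $pair"; fi
done
echo "audit directories: $(demo_symlinked_dirs)"
```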

Examples

The following example shows how to alter the AUDAUDIT_DELAY_TIME attribute for the DBAUD_Collector collector in Oracle Audit Vault:

avorcldb alter_collector -srcname hrdb.example.com -collname DBAUD_Collector  AUDAUDIT_DELAY_TIME="60" 

Collector altered successfully.

The following sequence of commands demonstrates how to move a collector from one collection agent to another agent:

  1. From the Audit Vault Server, configure two agents, A and B, on two separate hosts.

    For example:

    avca add_agent -agentname A -agenthost host1.example.com
    
    Adding agent...
    Enter agent user name: agent_user_name
    Enter agent user password: agent_user_pwd
    Re-enter agent user password: agent_user_pwd
    
    avca add_agent -agentname B -agenthost host2.example.com
    ...
    
  2. Configure collector L to run under agent A and collect from source S.

    For example:

    avorcldb add_collector -collname L -srcname S -agentname A
    
  3. The node that runs agent A fails.

  4. Move the collector L from agent A to agent B.

    For example:

    avorcldb alter_collector -collname L -srcname S agentname=B
    
  5. From the Audit Vault collection agent home, configure agent B to connect to source S.

    For example:

    avorcldb setup -srcname S
    
    Enter Source user name: source_user_name
    Enter Source password: password
    ...
    
  6. From the Audit Vault Server, restart the collector.

    For example:

    avctl start_collector -collname L -srcname S
    
    Starting Collector...
    Collector started successfully.
    

8.5 alter_source

The avorcldb alter_source command modifies the attributes of an Oracle source database.

Where to Run This Command

Audit Vault Server:

Syntax

avorcldb alter_source -srcname srcname
      [attrname=attrvalue...attrname=attrvalue]

Arguments

Argument Description
-srcname srcname Enter the name of the source database to be modified. Remember that the source database name is case-sensitive.
attrname=attrvalue Enter the pair (attribute name, new attribute value) for the mutable source attributes of this source to be modified. Optional. Separate multiple pairs by a space on the command line.

Usage Notes

Table 8-5 lists source attributes that you can specify for the attrname=attrvalue argument.

Table 8-5 Source Attributes

| Parameter | Description | Mutable | Default Value |
|---|---|---|---|
| HOST_IP | The Internet protocol address of the host system on which the source database resides | Yes | NULL |
| SOURCE_VERSION | The source database version | Yes | NULL |
| DESCRIPTION | The description for this source database | Yes | NULL |
| DB_SERVICE | A new audit data source database service name | Yes | NULL |
| PORT | A new port number for this system where the source database audit data resides | Yes | NULL |
| GLOBAL_DATABASE_NAME | The new global database name | Yes | NULL |


Example

The following example shows how to alter the PORT attribute for the source database named hr_db in Oracle Audit Vault:

avorcldb alter_source -srcname hr_db PORT=1522

Altering source...
Source altered successfully.

8.6 drop_collector

The avorcldb drop_collector command disables (but does not remove) a collector from Oracle Audit Vault.

Where to Run This Command

Audit Vault Server:

Syntax

avorcldb drop_collector -srcname srcname -collname collname

Arguments

Argument Description
-srcname srcname Enter the name of the source database to which the collector (specified in the -collname argument) belongs. Remember that the source database name is case-sensitive.
-collname collname Enter the name of the collector to be dropped from Oracle Audit Vault.

Usage Notes

The drop_collector command does not delete the collector from Oracle Audit Vault. It only disables the collector. The collector metadata is still in the database after you run the drop_collector command. If you want to recreate the collector, create it with a different name.

Example

avorcldb drop_collector -srcname hrdb.example.com -collname DBAUD_Collector

Dropping collector...
Collector dropped successfully.

8.7 drop_source

The avorcldb drop_source command disables (but does not remove) a source database from Oracle Audit Vault.

Where to Run This Command

Audit Vault Server:

Syntax

avorcldb drop_source -srcname srcname

Arguments

Argument Description
-srcname srcname Enter the name of the source database to be dropped from Oracle Audit Vault. Remember that the source database name is case-sensitive.

Usage Notes

Example

The following example shows how to drop the source named hrdb.example.com from Oracle Audit Vault:

avorcldb drop_source -srcname hrdb.example.com 

Dropping source...
Source dropped successfully.

8.8 -help

The avorcldb -help command displays help information for the AVORCLDB commands. Run this command on either the Audit Vault Server or the Audit Vault collection agent.

Where to Run This Command

Either Audit Vault Server or collection agent:

Syntax

avorcldb -help

avorcldb command -help

Arguments

Argument Description
command Enter the name of an AVORCLDB command for which you want help to appear

Usage Notes

None

Example

The following example shows how to display general AVORCLDB utility help in Oracle Audit Vault:

avorcldb -help

The following example shows how to display specific AVORCLDB help for the add_source command in the Audit Vault Server home.

avorcldb add_source -help

  avorcldb add_source command
 
    add_source 
          -src <host:port:service> 
          [-srcname <srcname>] [-desc <desc>] [-agentname <agentname>]
 
  Purpose: The source is added to Audit Vault. The global DB Name  
       of the source database is used as the Source Name in Audit Vault
       The user specified in -srcusr argument must exits on the source DB
 
  Arguments:
       -src        : Source DB connection information
       -srcname    : Optional name of source, default : <global_dbname>
       -desc       : Optional description of the source
       -agentname  : Optional agent name to configure policy management
 
  Examples:
     avorcldb add_source -src lnxserver:4523:hrdb.domain.com
         -desc 'HR Database'

8.9 setup

The avorcldb setup command adds the source user credentials to the wallet, creates a database alias in the wallet for the source user, verifies the connection to the source using the wallet, and updates the tnsnames.ora file. You also can use this command to change the source user credentials in the wallet after these credentials have been changed in the source database.

Where to Run This Command

Audit Vault collection agent:

Syntax

avorcldb setup -srcname srcname 

Arguments

Argument Description
-srcname srcname Enter the name of the source database. Remember that the source database name is case-sensitive.

Usage Notes

Example

The following example configures the REDO and OSAUD collectors.

avorcldb setup -srcname hrdb.example.com
Enter Source user name: srcuser_ora
Enter Source password: password

adding credentials for user srcuser_ora for connection [SRCDB1]
Credential stored successfully.
updated tnsnames.ora with alias [SRCDB1] to source database
verifying SRCDB1 connection using wallet

To change the source user name password in the wallet in the Audit Vault collection agent home, use the following setup command, where the source name is orcl1 and the source user name is srcuser_ora.

avorcldb setup -srcname orcl
Enter Source user name: srcuser_ora
Enter Source password: password

adding credentials for user srcuser_ora for connection [SRCDB1]
Credential stored successfully.
updated tnsnames.ora with alias [SRCDB1] to source database
verifying SRCDB1 connection using wallet

8.10 verify

The avorcldb verify command verifies that the source is compatible for setting up the specified collectors.

Where to Run This Command

Either Audit Vault Server or collection agent:

Syntax

avorcldb verify -src host:port:service 
                -colltype [OSAUD,DBAUD,REDO,ALL] 

Arguments

Argument Description
-src host:port:service Enter the source database connection information: host name, port number, and service name, separated by a colon.

Typically, the host is the fully qualified domain name or IP address of the server on which the source database is running, and the port number is 1521.

If you are unsure of the host and port number, run the lsnrctl status command on the computer where you installed the source database.

-colltype colltype Enter one of the following collector types:
  • ALL

  • DBAUD

  • OSAUD

  • REDO

See Table 1-5 for more information about the collector types.


Usage Notes

Example

The following example verifies that the source is compatible with the OSAUD, DBAUD, and REDO collectors on a Linux or UNIX system.

avorcldb verify -src hrdb.example.com:1521:orcl -colltype ALL
Enter Source user name: username
Enter Source password: password

source HRDB.EXAMPLE.COM verified for OS File Audit Collector collector
source HRDB.EXAMPLE.COM verified for Aud$/FGA_LOG$ Audit Collector collector
source HRDB.EXAMPLE.COM verified for REDO Log Audit Collector collector