Oracle® Audit Vault Administrator's Guide Release 10.2.3 Part Number E11059-03
Audit Vault Control (AVCTL) is a command-line utility that provides the Audit Vault administrator with the ability to control various Audit Vault components.
Table B-1 describes the Audit Vault Control commands and where each is used, whether on the Audit Vault Server, on the Audit Vault Collection Agent, or in both places.
Table B-1 Audit Vault Control Commands
Command | Where Used | Description |
---|---|---|
-help | Both | Displays Help for the AVCTL commands |
load_warehouse | Server | Loads older data from the raw audit data store into the data warehouse tables for analysis |
purge_warehouse | Server | Purges audit data that was reloaded into the warehouse |
refresh_warehouse | Server | Refreshes the data warehouse with the data in the raw audit data store since the last refresh operation |
show_agent_status | Server | Shows the status (metric) of a collection agent |
show_av_status | Server | Shows the status (metric) of the Audit Vault Console |
show_collector_status | Server | Shows the status (metric) of a collector |
show_oc4j_status | Collection Agent | Shows the status (metric) of the collection agent OC4J |
start_agent | Server | Starts the collection agent |
start_av | Server | Starts the Audit Vault Console |
start_collector | Server | Starts the collector |
start_oc4j | Collection Agent | Starts the collection agent OC4J |
stop_agent | Server | Stops the collection agent |
stop_av | Server | Stops the Audit Vault Console |
stop_collector | Server | Stops the collector |
stop_oc4j | Collection Agent | Stops the collection agent OC4J |
Note:
In an Oracle RAC environment, AVCTL commands must be issued from the node on which Oracle Enterprise Manager resides. This is the same node on which the av.ear file is deployed.
If the node on which the av.ear file is deployed is down, deploy the av.ear file to another node using the AVCA deploy_av command.
Displays Help for the AVCTL commands. This command is run on both the Audit Vault Server and the Audit Vault Collection Agent.
    avctl -help
    avctl <command> -help
Argument | Description |
---|---|
<command> | The name of an AVCTL command for which you want Help to appear |
Usage notes: None
The following example shows how to display general AVCTL utility Help in the Audit Vault Server home.
    avctl -help
    --------------------------------------------
    AVCTL Usage
    --------------------------------------------
    Oracle Audit Vault Control commands - AV Server:
        avctl start_av [-loglevel error|warning|info|debug]
        avctl stop_av
        avctl show_av_status
    Oracle Audit Vault Control commands - Agent:
        avctl start_agent -agentname <agent name>
        avctl stop_agent -agentname <agent name>
        avctl show_agent_status -agentname <agent name>
    Oracle Audit Vault Control commands - Collector:
        avctl start_collector -collname <collector name> -srcname <source name>
        avctl stop_collector -collname <collector name> -srcname <source name>
        avctl show_collector_status -collname <collector name> -srcname <source name>
    Oracle Audit Vault Control commands - Warehouse:
        avctl refresh_warehouse [-wait]
        avctl load_warehouse -startdate <start date> -numofdays <num of days> [-dateformat <date format>] [-wait]
        avctl purge_warehouse -startdate <start date> -numofdays <num of days> [-dateformat <date format>] [-wait]
    avctl -help
The following example shows how to display specific AVCTL Help for the start_agent command in Audit Vault.
    avctl start_agent -help
    avctl start_agent -agentname <agent name>
    ------------------------------------------------
    -agentname <agent name>
    ------------------------------------------------
The following example shows how to display general AVCTL utility Help in the Audit Vault Collection Agent home.
    --------------------------------------------
    AVCTL Usage
    --------------------------------------------
    Oracle Audit Vault Control commands - Agent OC4J:
        avctl start_oc4j [-loglevel error|warning|info|debug]
        avctl stop_oc4j
        avctl show_oc4j_status
    avctl -help
Loads audit trail data from the raw audit data store after it has been removed from the warehouse repository due to the retention period that was set. This command is run on the Audit Vault Server.
avctl load_warehouse -startdate <start date> -numofdays <num of days> [-dateformat <date format>] [-wait]
Argument | Description |
---|---|
-startdate <start date> | Specify the start date for the audit trail data to be loaded into the data warehouse repository using the default format DD-MON-YY. To use a different format, specify the -dateformat argument. |
-numofdays <num of days> | Specify the number of days' worth of audit trail data to be loaded. |
[-dateformat <date format>] | Optionally, specify the date format for the -startdate argument. |
[-wait] | Optionally, specify that the command wait for the load job to complete. If this argument is not specified, a DBMS job is started, and the command returns immediately. |
The audit records received from the value of the -startdate argument for the given number of days specified by the -numofdays argument will be loaded into the data warehouse.
The following example shows how to load the data warehouse with 10 days' worth of audit data beginning with January 1, 2004:
    avctl load_warehouse -startdate 01-JAN-04 -numofdays 10
    AVCTL started
    Loading older audit records into warehouse...
    done.
The following example shows how to load the data warehouse with 10 days' worth of audit data beginning with January 1, 2004 using the DD/MM/YYYY date format, and to specify that the operation wait until the previous load job completes.
    avctl load_warehouse -startdate 01/01/2004 -numofdays 10 -dateformat DD/MM/YYYY -wait
    AVCTL started
    Loading older audit records into warehouse...
    done.
Purges audit trail data from the warehouse repository that was previously reloaded into the warehouse using the AVCTL load_warehouse command. This command is run on the Audit Vault Server.
avctl purge_warehouse -startdate <start date> -numofdays <num of days> [-dateformat <date format>] [-wait]
Argument | Description |
---|---|
-startdate <start date> | Specify the start date for the events to be removed from the data warehouse tables using the default format DD-MON-YY. To use a different format, specify the -dateformat argument. |
-numofdays <num of days> | Specify the number of days' worth of data to be removed. |
[-dateformat <date format>] | Optionally, specify the date format for the -startdate argument. |
[-wait] | Optionally, specify that the command wait for the purge job to complete. If this argument is not specified, a DBMS job is started, and the command returns immediately. |
The audit records received from the -startdate argument for the given number of days specified by the -numofdays argument will be removed from the data warehouse tables.
Only data loaded using the AVCTL load_warehouse command can be purged using the purge_warehouse command. The data loaded using the AVCTL refresh_warehouse command is removed automatically based on the warehouse duration specified using the AVCA set_warehouse_retention command.
The following example shows how to purge 10 days' worth of data from the data warehouse beginning with January 1, 2004:
    avctl purge_warehouse -startdate 01-JAN-04 -numofdays 10
    AVCTL started
    Purging older audit records from warehouse...
    done.
The following example shows how to purge 10 days' worth of data from the data warehouse beginning with January 1, 2004 and to specify that the operation wait until the previous purge job completes:
    avctl purge_warehouse -startdate 01-JAN-04 -numofdays 10 -wait
    AVCTL started
    Purging older audit records from warehouse...
    Waiting for purge to complete...
    done.
The following example shows how to purge 10 days' worth of data from the data warehouse beginning with January 1, 2004 using the date format of DD/MM/YYYY.
    avctl purge_warehouse -startdate 01/01/2004 -numofdays 10 -dateformat DD/MM/YYYY
    AVCTL started
    Purging older audit records from warehouse...
    done.
Refreshes the data warehouse repository with the data from the raw audit data store since the last refresh operation. This command is run on the Audit Vault Server.
avctl refresh_warehouse [-wait]
Argument | Description |
---|---|
[-wait] | Optionally, specify that the command wait for the refresh job to complete. If this argument is not specified, a DBMS job is started, and the command returns immediately. |
The last refresh operation could have been an explicit refresh using this command or a scheduled refresh based on the schedule set using the AVCA set_warehouse_schedule command.
The following example shows how to refresh the data warehouse:
    avctl refresh_warehouse
    AVCTL started
    Refreshing warehouse...
    done.
The following example shows how to specify that the refresh operation wait until the previous refresh job completes before refreshing the data warehouse:
    avctl refresh_warehouse -wait
    AVCTL started
    Refreshing warehouse...
    Waiting for refresh to complete...
    done.
Shows the status (metric) of a collection agent. This command is run on the Audit Vault Server.
avctl show_agent_status -agentname <agent name>
Argument | Description |
---|---|
-agentname <agent name> | Specify the collection agent (by collection agent name). |
Usage notes: None
The following example shows the collection agent status for the OC4JAGENT1 agent:
    avctl show_agent_status -agentname OC4JAGENT1
    AVCTL started
    Getting agent metrics...
    --------------------------------
    Agent is running
    --------------------------------
    Metrics retrieved successfully.
Shows the Audit Vault Console status or the metric of the Audit Vault Server. This command is run on the Audit Vault Server.
avctl show_av_status
Arguments: None
When the Audit Vault Console becomes inaccessible, issue this command to determine its status.
The following example shows the Audit Vault Console status:
    avctl show_av_status
    AVCTL started
    Oracle Audit Vault 10g Database Control Release 10.2.3.0.0
    Copyright (c) 1996, 2008 Oracle Corporation. All rights reserved.
    http://atacw05.us.oracle.com:5570/av
    Oracle Audit Vault 10g is running.
    ------------------------------------
    Logs are generated in directory /oracle/product/10.2.3/av_1/av/log
Shows the status (metric) of a collector. This command is run on the Audit Vault Server.
avctl show_collector_status -collname <collector name> -srcname <source name>
Argument | Description |
---|---|
-collname <collector name> | Specify the target collector (by collector name). |
-srcname <source name> | Specify the source (by source name) to which this collector belongs. |
Usage notes: None
The following example shows the collector status for the DBAUD_Collector collector:
    avctl show_collector_status -collname DBAUD_Collector -srcname RODSRC1.US.ORACLE.COM
    AVCTL started
    Getting collector metrics...
    --------------------------------
    Collector is running
    Records per second = 0.00
    Bytes per second = 0.00
    --------------------------------
Shows the collection agent OC4J status (metric). This command is run on the Audit Vault Collection Agent.
avctl show_oc4j_status
Arguments: None
Usage notes: None
The following example shows the collection agent OC4J status for when it is running and when it is not running:
    avctl show_oc4j_status
    AVCTL started
    ------------------------------------
    OC4J is running
    ------------------------------------
The following example shows the collection agent OC4J status for when it is not running:
    avctl stop_oc4j
    AVCTL started
    Stopping OC4J...
    OC4J stopped successfully.
    avctl show_oc4j_status
    AVCTL started
    ------------------------------------
    OC4J is not running
    ------------------------------------
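A monitoring check built on the status output shown for the show_*_status commands above, as an added example that is not part of the Oracle guide: it classifies captured avctl status output and treats anything other than the "is running" strings shown on this page as not healthy. The function names, the "unknown" state and the line breaks in the sample output are assumptions.

```shell
#!/bin/sh
# Added example: classify captured output of the avctl show_*_status commands.
# Only the strings shown in this appendix are recognised. ERROR-state output is
# not shown on the page, so anything unrecognised is reported as "unknown" and
# never as healthy.

# Constructed samples: the page's example output with line breaks assumed.
SAMPLE_COLLECTOR='AVCTL started
Getting collector metrics...
--------------------------------
Collector is running
Records per second = 0.00
Bytes per second = 0.00
--------------------------------'
SAMPLE_OC4J_DOWN='AVCTL started
------------------------------------
OC4J is not running
------------------------------------'

# classify_status: avctl output on stdin -> running | not_running | unknown
classify_status() {
    out=$(cat)
    case "$out" in
        *"is not running"*) echo not_running ;;  # test the negative form first
        *"is running"*)     echo running ;;
        *)                  echo unknown ;;
    esac
}

# collector_rate: prints the "Records per second" figure if present
collector_rate() {
    sed -n 's/.*Records per second = \([0-9.]*\).*/\1/p'
}

# check_component NAME: prints "NAME: state"; succeeds only for "running"
check_component() {
    state=$(classify_status)
    printf '%s: %s\n' "$1" "$state"
    [ "$state" = running ]
}

# Demo on the samples. On a live server the input would instead come from e.g.
#   avctl show_collector_status -collname <collector name> -srcname <source name>
printf '%s\n' "$SAMPLE_COLLECTOR" | check_component collector ||
    echo "  -> alert: collector not confirmed running"
printf '%s\n' "$SAMPLE_OC4J_DOWN" | check_component oc4j ||
    echo "  -> alert: OC4J not confirmed running"
echo "collector rate: $(printf '%s\n' "$SAMPLE_COLLECTOR" | collector_rate)"
```

Because Audit Vault accepts audit records only from agents and collectors in the RUNNING state, a non-zero exit from check_component marks a possible gap in audit collection.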
Starts the collection agent. This command is run on the Audit Vault Server.
avctl start_agent -agentname <agent name>
Argument | Description |
---|---|
-agentname <agent name> | Specify the collection agent (by collection agent name) to be started. |
On successful completion of this command, the collection agent is moved to a RUNNING state. If an error is encountered, the collection agent is moved to an ERROR state.
Audit Vault accepts audit records only from collection agents in the RUNNING state.
Set the NLS_LANG environment variable before running the avctl start_oc4j command in the Audit Vault Agent shell and before running the avctl start_agent or avctl start_collector command in the Audit Vault Server shell. Doing so ensures that the avctl start_collector command succeeds with a multibyte source name or collector name.
The following example shows how to start the collection agent in Oracle Audit Vault:
    avctl start_agent -agentname OC4JAGENT1
    AVCTL started
    Starting Agent...
    Agent started successfully.
Starts the Audit Vault Console. This command is run on the Audit Vault Server.
avctl start_av [-loglevel error|warning|info|debug]
Argument | Description |
---|---|
[-loglevel error|warning|info|debug] | Optionally, specify the desired level of logging. |
This command executes an emctl start dbconsole command.
The following example shows how to start the Audit Vault Console:
    avctl start_av
    AVCTL started
    Starting agent OC4J...
    OC4J started successfully.
    Oracle Audit Vault 10g Database Control Release 10.2.3.0.0
    Copyright (c) 1996,2008 Oracle Corporation. All rights reserved.
    http://atacw05.us.oracle.com:5700/av
    Oracle Audit Vault 10g is running.
    ------------------------------------
    Logs are generated in directory /oracle/product/10.2.2/av_1/av/log
Starts the collector. This command is run on the Audit Vault Server.
avctl start_collector -collname <collector name> -srcname <source name>
Argument | Description |
---|---|
-collname <collector name> | Specify the collector (by collector name) to be started. |
-srcname <source name> | Specify the name of the source to which the collector (specified in the -collname argument) belongs. |
On successful completion of this command, the collector is moved to a RUNNING state. If an error is encountered, the collector is moved to an ERROR state.
Audit Vault accepts audit records only from collectors in the RUNNING state.
Set the NLS_LANG environment variable before running the avctl start_oc4j command in the Audit Vault Agent shell and before running the avctl start_agent or avctl start_collector command in the Audit Vault Server shell. Doing so ensures that the avctl start_collector command succeeds with a multibyte source name or collector name.
The following example shows how to start the collector in Audit Vault:
    avctl start_collector -collname REDO_Collector -srcname ORCL.REGRESS.RDBMS.DEV.US.ORACLE.COM
    AVCTL started
    Starting Collector...
    Collector started successfully.
Starts the collection agent OC4J. This command is run on the Audit Vault Collection Agent.
avctl start_oc4j [-loglevel error|warning|info|debug]
Argument | Description |
---|---|
[-loglevel error|warning|info|debug] | Optionally, specify the desired level of logging. |
This command is used to start the collection agent OC4J.
Set the NLS_LANG environment variable before running the avctl start_oc4j command in the Audit Vault Agent shell and before running the avctl start_agent or avctl start_collector command in the Audit Vault Server shell. Doing so ensures that the avctl start_collector command succeeds with a multibyte source name or collector name.
The following example shows how to start OC4J:
    avctl start_oc4j
    AVCTL started
    Starting agent OC4J...
    OC4J started successfully.
Stops the collection agent. This command is run on the Audit Vault Server.
avctl stop_agent -agentname <agent name>
Argument | Description |
---|---|
-agentname <agent name> | Specify the collection agent (by collection agent name) to be stopped. |
This command will first stop all collectors running at this collection agent, and then stop the collection agent itself.
On successful completion of this command, the collection agent and its collectors are moved to a STOPPED state.
If an error is encountered, the collection agent is moved to an ERROR state. Audit Vault accepts audit records only from collection agents in the RUNNING state.
The following example shows how to stop the collection agent in Audit Vault:
    avctl stop_agent -agentname OC4JAGENT1
    AVCTL started
    Stopping Agent...
    Agent stopped successfully.
Stops the Audit Vault Console. This command is run on the Audit Vault Server.
avctl stop_av
Arguments: None
Audit Vault includes Enterprise Management Database Control as part of the user interfaces. When you issue the stop_av command, it shuts down the Audit Vault Console and also stops Enterprise Management Database Control by executing the emctl stop dbconsole command. It is not necessary to issue the emctl commands separately.
The following example shows how to stop the Audit Vault Console:
    avctl stop_av
    AVCTL started
    Stopping OC4J...
    OC4J stopped successfully.
Stops the collector. This command is run on the Audit Vault Server.
avctl stop_collector -collname <collector name> -srcname <source name>
Argument | Description |
---|---|
-collname <collector name> | Specify the collector (by collector name) to be stopped. |
-srcname <source name> | Specify the name of the source to which the collector (specified in the -collname argument) belongs. |
On successful completion of this command, the collector is moved to a STOPPED state.
If an error is encountered, the collector is moved to an ERROR state.
Audit Vault accepts audit records only from collectors in the RUNNING state.
The following example shows how to stop the collector in Oracle Audit Vault:
    avctl stop_collector -collname STREAMSCOLLECTOR -srcname ORCL.REGRESS.RDBMS.DEV.US.ORACLE.COM
    AVCTL started
    Stopping Collector...
    Collector stopped successfully.