Oracle® Audit Vault Administrator's Guide
Release 10.2.3

Part Number E11059-03

C Audit Vault Oracle Database (AVORCLDB) Reference

Audit Vault Oracle Database (AVORCLDB) is a command-line utility that provides the ability to configure (add, alter, and drop) Oracle audit sources and Oracle collectors, verify source compatibility with the collectors, and set up Oracle Database audit sources for audit data collection by establishing the connection to the source through the collector.

Table C-1 describes the AVORCLDB commands and where each is used, whether on the Audit Vault Server, on the Audit Vault Collection Agent, or in both places.

Table C-1 AVORCLDB Commands

| Command | Where Used? | Description |
|---|---|---|
| add_collector | Server | Adds a collector to Audit Vault |
| add_source | Server | Registers an audit source with Audit Vault |
| alter_collector | Server | Alters the attributes of a collector |
| alter_source | Server | Alters the attributes of a source |
| drop_collector | Server | Drops a collector from Audit Vault |
| drop_source | Server | Drops a source from Audit Vault |
| -help | Both | Displays Help for the AVORCLDB commands |
| setup | Collection Agent | Adds the source user credentials to the wallet, creates a database alias in the wallet for the source user, and verifies the connection to the source using the wallet |
| verify | Both | Verifies that the source is compatible with the collectors that are specified for setup |



avorcldb

The AVORCLDB command-line utility.

Syntax

avorcldb <command> -help

avorcldb <command> [<options>] <arguments>

Arguments

Argument Description
<command> One of the following commands: add_source, alter_source, drop_source, add_collector, alter_collector, drop_collector, setup, or verify
[<options>] The optional AVORCLDB options
<arguments> One or more of the AVORCLDB command arguments
-help Displays Help for the AVORCLDB commands

Usage Notes

Example

The following output is from the avorcldb command executed in the Audit Vault Server home shell.

$ avorcldb -help

  Oracle DB Setup for Audit Vault
  -------------------------------
 
  Usage :
    avorcldb help
    avorcldb <command> -help
    avorcldb <command> <arguments>
 
 
Source setup commands
 
    verify
          -src <host:port:service>
          -colltype [OSAUD,DBAUD,REDO,ALL]
 
    add_source
          -src <host:port:service>
          [-srcname <srcname>] [-desc <desc>] [-agentname <agentname>]
 
    alter_source
          -srcname <srcname> [attrname=value]+
 
    drop_source
          -srcname <srcname>
 
Collector setup commands
 
    add_collector
          -srcname <srcname> -agentname <agentname>
          -colltype [OSAUD|DBAUD|REDO] [-collname <collname>]
          [-desc <desc>] [-av <host:port:service>]
          [-instname <instname>] [-orclhome <orclhome>]
 
    alter_collector
          -srcname <srcname> -collname <collname> [attrname=value]+
 
    drop_collector
          -srcname <srcname> -collname <collname>

The following output is from the avorcldb command executed in the Audit Vault Collection Agent home shell.

$ avorcldb -help

  Oracle DB Setup for Audit Vault
  -------------------------------
 
  Usage :
    avorcldb help
    avorcldb <command> -help
    avorcldb <command> <arguments>
 
 
Agent Commands
 
    verify
          -src <host:port:service>
          -colltype [OSAUD,DBAUD,REDO,ALL]
 
    setup
          -srcname <srcname>

add_collector

Adds a collector for the given source to Audit Vault. The source is verified for requirements of the collector. This command is run on the Audit Vault Server.

Syntax

avorcldb add_collector -srcname <srcname>
-agentname <agentname> -colltype [OSAUD,DBAUD,REDO] 
[-collname <collname>] [-desc <desc>] 
[-av <host:port:service>] [-instname <instname>] [-orclhome <orclhome>] 

Arguments

Argument Description
-srcname <srcname> The source name for which the collector is to be added
-agentname <agentname> The collection agent name where the collector is to be added
-colltype [OSAUD,DBAUD,REDO] The collector type to be added
[-collname <collname>] The collector name. This argument is optional. If this argument is not specified, <colltype>_Collector will be used.
[-desc <desc>] A brief description of the collector. This argument is optional.
[-av <host:port:service>] The connection information for Audit Vault used for the database link from the source database to Audit Vault. This argument is required if the -colltype argument is REDO; otherwise, this argument is optional.
[-instname <instname>] The instance name of Audit Vault Oracle RAC installation. This argument must be used to add multiple OSAUD collectors (one for each instance).
[-orclhome <orclhome>] The Oracle home of the source database. This argument is required if the -colltype argument is OSAUD; otherwise, this argument is optional. See the usage notes.

Usage Notes

Example

The following example shows how to add an OSAUD collector to Oracle Audit Vault on Linux and UNIX platforms in an Oracle Real Application Clusters (Oracle RAC) installation using the -instname argument.

avorcldb add_collector -srcname source1db.domain.com 
-agentname Agent1 -colltype OSAUD -instname av01 
-orclhome /u01/app/oracle/product/10.2.0/db_1
source SOURCE1DB.DOMAIN.COM verified for OS File Audit Collector collector
Adding collector...
Collector added successfully.
collector successfully added to Audit Vault

remember the following information for use in avctl
Collector name (collname): OSAUD_Collector

The following example shows how to add a DBAUD collector to Audit Vault:

avorcldb add_collector -srcname source1db.domain.com 
-agentname Agent1 -colltype DBAUD 
source SOURCE1DB.DOMAIN.COM verified for Aud$/FGA_LOG$ Audit Collector collector
Adding collector...
Collector added successfully.
collector successfully added to Audit Vault

remember the following information for use in avctl
Collector name (collname): DBAUD_Collector

The following example shows how to add a REDO collector to Audit Vault.

avorcldb add_collector -srcname source1db.domain.com 
-agentname Agent1 -colltype REDO 
-av system1.domain.com:1521:av 
source SOURCE1DB.DOMAIN.COM verified for REDO Log Audit Collector collector
Adding collector...
Collector added successfully.
collector successfully added to Audit Vault

remember the following information for use in avctl
Collector name (collname): REDO_Collector
initializing REDO Collector
setting up APPLY process on Audit Vault server
setting up CAPTURE process on source database

add_source

Registers an audit source with Audit Vault for audit data consolidation. This command is run on the Audit Vault Server.

Syntax

avorcldb add_source -src <host:port:service> [-srcusr <usr>/<pwd>]
      [-srcname <srcname>] [-desc <desc>] [-agentname <agentname>]

Arguments

Argument Description
-src <host:port:service> Source database connection information: host name, port number, and service ID (SID), separated by a colon
[-srcusr <usr>/<pwd>] Credentials of the user on the source database to collect audit data. The -srcusr argument can be omitted if the corresponding environment variable, AVORCLDB_SRCUSR, is set to usr/password. If the command-line argument -srcusr is specified, then the command-line argument overrides the environment variable.

For password handling security, do not specify this argument on the command line or use the environment variable. Instead, let the command prompt you for the source user name and password. See the example.

[-srcname <srcname>] Optional source name. If this argument is not specified, the global database name of the source will be used.
[-desc <desc>] Optional description of the source
[-agentname <agentname>] Optional collection agent name; however, this parameter must be specified in order to configure policy management using the Audit Vault Auditor's Console.

Usage Notes

Example

The following example shows how to register a source with Oracle Audit Vault. In this example, the AVORCLDB_SRCUSR environment variable is set to srcusr1/pwd and the -srcusr argument is omitted.

avorcldb add_source -src lnxserver:4523:hrdb.domain.com -agentname agent1
Enter Source user name: <username>
Enter Source password: *******
Adding source...
Source added successfully.
source successfully added to Audit Vault

remember the following information for use in avctl
Source name (srcname): RDBMSRC1.US.ORACLE.COM
Storing user credentials in wallet... 
Create credential oracle.security.client.connect_string3
done.
Mapping Source to Agent...
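
The password-handling note for -srcusr (repeated under setup and verify) can be checked after the fact, because credentials given on the command line or in AVORCLDB_SRCUSR end up in shell history, scripts, and the process environment. The following shell functions are an added example, not part of the Oracle guide; the function names and the sample history lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Oracle code. Sample lines below are constructed.

# Succeeds if AVORCLDB_SRCUSR is exported in this shell, that is, if a child
# avorcldb process would inherit the credentials from the environment.
srcusr_env_set() {
    env | grep -q '^AVORCLDB_SRCUSR='
}

# Reads shell-history or script text on stdin and prints "<line no>:<line>"
# for each line that passes -srcusr usr/pwd to avorcldb or assigns usr/pwd to
# AVORCLDB_SRCUSR. Everything after the "/" is replaced, so the report never
# repeats the password (even a quoted one that contains spaces).
# Returns 0 when at least one line is flagged, 1 otherwise.
find_srcusr_exposure() {
    _hits=$(grep -nE 'avorcldb.*-srcusr[[:space:]]+[^[:space:]/]+/[^[:space:]]|AVORCLDB_SRCUSR=[^[:space:]/]+/[^[:space:]]' |
        sed -E 's#((-srcusr[[:space:]]+|AVORCLDB_SRCUSR=)[^[:space:]/]+)/.*#\1/<redacted>#')
    [ -n "$_hits" ] || return 1
    printf '%s\n' "$_hits"
}

# Constructed sample: two safe invocations (prompted credentials) and two
# that expose the source user password.
SAMPLE_HISTORY='avorcldb verify -src lnxserver:4523:hrdb.domain.com -colltype ALL
avorcldb add_source -src lnxserver:4523:hrdb.domain.com -srcusr srcusr1/pwd -agentname agent1
export AVORCLDB_SRCUSR=srcusr1/pwd
avorcldb setup -srcname orcl1'

printf '%s\n' "$SAMPLE_HISTORY" | find_srcusr_exposure
if srcusr_env_set; then
    echo "AVORCLDB_SRCUSR is exported in this shell; unset it and let avorcldb prompt"
fi
```

To audit a real account, feed the function that account's history file or the scripts that wrap avorcldb instead of the sample text.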

alter_collector

Modifies the attributes of a collector. This command is run on the Audit Vault Server.

Syntax

avorcldb alter_collector -srcname <srcname> -collname <collname> 
      [<attrname>=<attrvalue>...<attrname>=<attrvalue>]

Arguments

Argument Description
-srcname <srcname> Specify the source (by source name) to which this collector belongs.
-collname <collname> Specify the collector (by collector name) to be modified.
[<attrname>=<attrvalue>] Specify the pair (attribute name, new attribute value) for mutable collector attributes for this collector type. This argument is optional. Separate multiple pairs by a space on the command line.

Usage Notes

You can modify one or more collector attributes at a time. Table C-2, Table C-3, and Table C-4 list the collector attributes (parameters) by collector type, whether the parameter is mutable, and its default value. See Section 3.1.3.2 for a description of these attributes.

Table C-2 DBAUD Collector Attributes

| Parameter | Description | Mutable | Default Value |
|---|---|---|---|
| AUDAUDIT_ACTIVE_SLEEP_TIME | The amount of active sleep time (in milliseconds) for the DBAUD process when the last retrieval actually did retrieve records. | Yes | 1000 milliseconds |
| AUDAUDIT_AUDIT_VAULT_ALIAS | The alias name for the Audit Vault Server. | No | NULL |
| AUDAUDIT_DELAY_TIME | The amount of delay time (in seconds) for the DBAUD process. | Yes | 20 seconds |
| AUDAUDIT_MAX_PROCESS_RECORDS | The maximum number of records after which the collector commits records to the raw audit data store and generates minor recovery context. In the case of fine-grained auditing (FGA_LOG$) and 9.X sources, the collector might need to delay this until the record with the higher timestamp is retrieved. A valid value is an integer value from 10 to 10000. | Yes | 1000 records |
| AUDAUDIT_SLEEP_TIME | The amount of sleep time (in milliseconds) for the DBAUD process. For example, if it is now 10:00:00 AM, the collector will retrieve the records with the timestamps that are less than 9:59:40. However, the next time the collector will only retrieve records with the timestamps of 9:59:40 or higher. The assumption is that within 20 seconds after the timestamp is assigned to the record, the record would be visible (retrievable). This attribute is used only for time-based retrieval, which is currently used for fine-grained auditing (FGA_LOG$) on 9.X sources. In Audit Vault release 10.2.3, time-based retrieval is used for all retrievals. | Yes | 5000 milliseconds |
| AUDAUDIT_SORT_POLICY | The audit data sort policy. This attribute is not implemented. It is deprecated for release 10.2.3. | Yes | NULL |
| AUDAUDIT_SOURCE_ALIAS | The alias name for the audit data source. | No | NULL |


Table C-3 OSAUD Collector Attributes

| Parameter | Description | Mutable | Default Value |
|---|---|---|---|
| OSAUDIT_AUDIT_VALUE_ALIAS | The alias name for the Audit Vault Server. | No | NULL |
| OSAUDIT_CHANNEL_TYPE | The channel type being used by the collector. This attribute is not implemented. It is deprecated for release 10.2.3. | No | NULL |
| OSAUDIT_DEFAULT_FILE_DEST (see Footnote 1) | The default directory for Oracle operating system audit files containing mandatory audit records. | Yes | $ORACLE_HOME/rdbms/audit |
| OSAUDIT_FILE_DEST | The directory where Oracle operating system audit files containing SYS and normal audit records can be found. | Yes | $ORACLE_HOME/admin/DB_UNIQUE_NAME/adump |
| OSAUDIT_LOG_LEVEL | The log level: FATAL, ERROR, WARNING, INFO, and DEBUG. This attribute is not implemented. It is deprecated for release 10.2.3. | Yes | WARNING |
| OSAUDIT_MAX_PROCESS_RECORDS | The maximum number of records to be processed during each call to process the collector. A valid value is an integer value from 10 to 10000. | Yes | 10000 |
| OSAUDIT_MAX_PROCESS_TIME | The maximum processing time for each call to process the collector (in centiseconds). A valid value is an integer value from 10 to 10000. | Yes | 600 centiseconds |
| OSAUDIT_NLS_CHARSET | The NLS character set of the data source. | Yes | WE8ISO8859P1 |
| OSAUDIT_NLS_LANGUAGE | The NLS language of the data source. | Yes | AMERICAN |
| OSAUDIT_NLS_TERRITORY | The NLS territory of the data source. | Yes | AMERICA |
| OSAUDIT_RAC_INSTANCE_ID | The instance ID in the Oracle RAC environment. | Yes | 1.0 |
| OSAUDIT_SOURCE_ALIAS | The alias, connection string, to the source database. | Yes | NULL |
| OSAUDIT_SYSLOG_FILE | The Syslog file name and location, if other than the default as indicated in the etc/syslog.conf file. Setting this parameter to a valid Syslog file name will override the default setting. | Yes | NULL |
| OSAUDIT_NT_ORACLE_SID | The Oracle SID name on Windows systems. | Yes | NULL |


Footnote 1: To avoid collecting duplicate operating system audit trail records, do not set the OSAUDIT_DEFAULT_FILE_DEST attribute and the OSAUDIT_FILE_DEST attribute to values that, although different, resolve to the same directory.
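
Footnote 1 concerns values that differ as strings yet name one directory, for example through a symbolic link or a trailing slash. The following shell check is an added example, not part of the Oracle guide; the function names and the demo directory layout are constructed. It resolves both settings to their physical paths so they can be compared before the values are passed to alter_collector.

```shell
#!/bin/sh
# Added example, not Oracle code: detect OSAUDIT_DEFAULT_FILE_DEST and
# OSAUDIT_FILE_DEST values that differ as strings but name one directory.

# Print the physical (symlink-free, normalized) path of a directory.
# Fails if the argument is empty or is not an accessible directory.
physical_dir() {
    [ -n "$1" ] || return 1
    ( CDPATH= cd -- "$1" 2>/dev/null && pwd -P )
}

# same_audit_dir <OSAUDIT_DEFAULT_FILE_DEST value> <OSAUDIT_FILE_DEST value>
# Returns 0 when both resolve to the same directory (the duplicate-record
# case Footnote 1 warns about), 1 when they are distinct, and 2 when either
# path cannot be resolved on this host.
same_audit_dir() {
    _a=$(physical_dir "$1") || return 2
    _b=$(physical_dir "$2") || return 2
    [ "$_a" = "$_b" ]
}

# Constructed demo: adump is a symbolic link to rdbms/audit, so the two
# attribute values look different but collect from the same files.
demo_same_audit_dir() {
    _tmp=$(mktemp -d) || return 2
    mkdir -p "$_tmp/rdbms/audit" "$_tmp/admin/hrdb"
    ln -s "$_tmp/rdbms/audit" "$_tmp/admin/hrdb/adump"
    if same_audit_dir "$_tmp/rdbms/audit/" "$_tmp/admin/hrdb/adump"; then
        echo "duplicate risk: both values resolve to $(physical_dir "$_tmp/rdbms/audit")"
    else
        echo "values resolve to different directories"
    fi
    rm -rf "$_tmp"
}

demo_same_audit_dir
```

Run the check on the source database host, where the audit directories exist, using the two values you intend to set.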

Table C-4 REDO Collector Attributes

| Parameter | Description | Mutable | Default Value |
|---|---|---|---|
| AV.DATABASE.NAME | The Audit Vault database name. | No | NULL |
| STRCOLL_DBPORT | The port number of the audit data source Oracle database. | Yes | NULL |
| STRCOLL_DBSERVICE | The service name of the audit data source Oracle database. | No | NULL |
| STRCOLL_HEARTBEAT_TIME | The time, in seconds, between events for monitoring the status of the Audit Vault REDO collection system. | Yes | 60 seconds |
| STRCOLL_SRCADM_ALIAS | The alias name for the audit data source. | No | NULL |
| STRCOLL_SRCADM_NAME | The name of the audit data source. | No | NULL |


On Windows systems, if the path value for the OSAUDIT_DEFAULT_FILE_DEST attribute was set incorrectly using backslashes, correct it in the Audit Vault Console: log in as the Audit Vault Administrator and connect as AV_ADMIN, click Configuration, click Collector, select the OSAUD_Collector name, click Edit, and then edit the value for this attribute using slashes instead of backslashes. When finished, click OK to save your changes.

Example

The following example shows how to alter the AUDAUDIT_DELAY_TIME attribute for the DBAUD_Collector collector in Audit Vault:

avorcldb alter_collector -srcname lnxserver.domain.com -collname DBAUD_Collector  AUDAUDIT_DELAY_TIME=60 
Altering collector...
Collector altered successfully.

alter_source

Modifies the attributes of the source. This command is run on the Audit Vault Server.

Syntax

avorcldb alter_source -srcname <srcname> 
      [<attrname>=<attrvalue>...<attrname>=<attrvalue>]

Arguments

Argument Description
-srcname <srcname> Specify the source (by source name) to be modified.
[<attrname>=<attrvalue>] Specify the pair (attribute name, new attribute value) for the mutable source attributes of this source to be modified. This argument is optional. Separate multiple pairs by a space on the command line.

Usage Notes

Table C-5 lists the source attributes (parameters) that can be changed (mutable), with a brief description and the default value of each. You can modify one or more source attributes at a time.

Table C-5 Source Attributes

| Parameter | Description | Mutable | Default Value |
|---|---|---|---|
| HOSTIP | The Internet protocol address of the host system on which the source resides | Yes | NULL |
| VERSION | The source version | Yes | NULL |
| DESCRIPTION | The description for this source | Yes | NULL |
| DB_SERVICE | A new audit data source service name | Yes | NULL |
| PORT | A new port number for this system where the source audit data resides | Yes | NULL |
| GLOBAL_DATABASE_NAME | The new global database name | Yes | NULL |


Example

The following example shows how to alter the PORT attribute for the source named lnxserver.domain.com in Oracle Audit Vault:

avorcldb alter_source -srcname lnxserver.domain.com PORT=1522
Altering source...
Source altered successfully.

drop_collector

Drops a collector from Oracle Audit Vault. This command is run from the Audit Vault Server.

Syntax

avorcldb drop_collector -srcname <srcname> -collname <collname>  

Arguments

Argument Description
-srcname <srcname> Specify the name of the source to which the collector (specified in the -collname argument) belongs.
-collname <collname> Specify the collector (by collector name) to be dropped from Oracle Audit Vault.

Usage Notes

The drop_collector command will not delete the collector from Oracle Audit Vault; it actually disables the collector. The user can neither add the same collector name again nor enable the old name.

Example

The following example shows how to drop the collector named 'DBAud_Collector' from Oracle Audit Vault:

avorcldb drop_collector -srcname lnxserver.domain.com -collname DBAud_Collector
Dropping collector...
Collector dropped successfully.

drop_source

Drops a source from Oracle Audit Vault. This command is run on the Audit Vault Server.

Syntax

avorcldb drop_source -srcname <srcname> 

Arguments

Argument Description
-srcname <srcname> Specify the source (by source name) to be dropped from Oracle Audit Vault.

Usage Notes

Example

The following example shows how to drop the source named lnxserver.domain.com from Oracle Audit Vault:

avorcldb drop_source -srcname lnxserver.domain.com 
Dropping source...
Source dropped successfully.

-help

Displays Help for the AVORCLDB commands. This command is run on both the Audit Vault Server and the Audit Vault Collection Agent.

Syntax

avorcldb -help

avorcldb <command> -help

Arguments

Argument Description
<command> The name of an AVORCLDB command for which you want Help to appear

Usage Notes

None

Example

The following example shows how to display general AVORCLDB utility Help in Audit Vault:

avorcldb -help

The following example shows how to display specific AVORCLDB Help for the add_source command in the Audit Vault Server home shell.

$ avorcldb add_source -help
  avorcldb add_source command
 
    add_source
          -src <host:port:service> [-srcusr <usr>/<pwd>]
         [-srcname <srcname>] [-desc <desc>] [-agentname <agentname>]
 
  Purpose: The source is added to Audit Vault. The global DB Name
       of the source database is used as the Source Name in Audit Vault.
 
  Arguments:
       -src        : Source DB connection information
       -srcusr     : Optional source user name and password. Will be prompted.
       -srcname    : Optional name of source, default : <global_dbname>
       -desc       : Optional description of the source
       -agentname  : Optional agent name to configure policy management
 
  Examples:
     avorcldb add_source -src lnxserver:4523:hrdb.domain.com
       -desc 'HR Database'

setup

Adds the source user credentials to the wallet, creates a database alias in the wallet for the source user, and verifies the connection to the source using the wallet. This command is run on the Audit Vault Collection Agent. This command can also be used to change the source user credentials in the wallet when the credentials are changed on the source.

Syntax

avorcldb setup -srcname <srcname> [-srcusr <usr>/<pwd>]

Arguments

Argument Description
-srcname <srcname> The name of the source database
[-srcusr <usr>/<pwd>] Credentials of the user on the source database to collect audit data. The -srcusr argument can be omitted if the corresponding environment variable, AVORCLDB_SRCUSR, is set to usr/password. If the command-line argument -srcusr is specified, then the command-line argument overrides the environment variable. This argument is provided for backward compatibility.

For password handling security, do not specify this argument on the command line or use the environment variable. Instead, let the command prompt you for the source user name and password. See the example.


Usage Notes

If you enter an incorrect user name or password (or both) when issuing the setup command and receive an error message stating that verification of the credentials for the wallet-based connection to the source database was not successful, reissue the setup command using the correct credentials.

Example

The following example sets up the REDO and OSAUD collectors.

avorcldb setup -srcname lnxserver:hrdb.domain.com
Enter Source user name: <username>
Enter Source password: *******
adding credentials for user srcuser1 for connection [SRCDB1]
Storing user credentials in wallet...
Create credential oracle.security.client.connect_string3
done.
updated tnsnames.ora with alias [SRCDB1] to source database
verifying SRCDB1 connection using wallet

To change the password of the source user in the wallet in the Audit Vault Collection Agent home, use the following setup command, where the source name is orcl1 and the source user name is srcuser1.

avorcldb setup -srcname orcl1
Enter Source user name: srcuser1
Enter Source password: *******
adding credentials for user srcuser1 for connection [SRCDB1]
Storing user credentials in wallet...
Create credential oracle.security.client.connect_string3
done.
updated tnsnames.ora with alias [SRCDB1] to source database
verifying SRCDB1 connection using wallet

verify

Verifies that the source is compatible for setting up the specified collectors. This command can be run on both the Audit Vault Server and the Audit Vault Collection Agent.

Syntax

avorcldb verify -src <host:port:service> [-srcusr <usr>/<pwd>] 
                -colltype [OSAUD,DBAUD,REDO,ALL] 

Arguments

Argument Description
-src <host:port:service> Source database connection information: host name, port number, and service name, separated by a colon
[-srcusr <usr>/<pwd>] Credentials of the user on the source database to collect audit data. The -srcusr argument can be omitted if the corresponding environment variable, AVORCLDB_SRCUSR, is set to usr/password. If the command-line argument -srcusr is specified, then the command-line argument overrides the environment variable. This argument is provided for backward compatibility.

For password handling security, do not specify this argument on the command line or use the environment variable. Instead, let the command prompt you for the source user name and password. See the example.

-colltype [OSAUD,DBAUD,REDO,ALL] List of collector types [REDO, DBAUD, OSAUD] or ALL

Usage Notes

None

Example

The following example verifies that the source is compatible with the OSAUD, DBAUD, and REDO collectors on a Linux or UNIX-based system.

avorcldb verify -src lnxserver:4523:hrdb.domain.com -colltype ALL
Enter Source user name: <username>
Enter Source password: *******
source HRDB.DOMAIN.COM verified for OS File Audit Collector collector
source HRDB.DOMAIN.COM verified for Aud$/FGA_LOG$ Audit Collector collector
source HRDB.DOMAIN.COM verified for REDO Log Audit Collector collector