Oracle® Audit Vault Administrator's Guide Release 10.2.3 Part Number E11059-03
This chapter describes how to begin configuring Audit Vault components by performing the following tasks:
Checking and Setting Environment Variables (Linux and UNIX Platforms)
Registering Oracle Database Sources and Collectors with Audit Vault
Registering SQL Server Database Sources and Collector with Audit Vault
Adding sources to Audit Vault and deploying collectors involves the following tasks:
For Linux and UNIX platforms, check and set environment variables in the shells in which you will be interacting with the Audit Vault Server and the Audit Vault Collection Agent (see Section 2.1).
Add an Oracle source and collectors using the AVORCLDB command-line utility (see Section 2.2).
Add a Microsoft SQL Server source and collector using the AVMSSQLDB command-line utility (see Section 2.3).
Start up collection agents and collectors using the AVCTL command-line utility (see Section 2.4).
As the last configuration step of an Audit Vault Server installation and of each Audit Vault Collection Agent installation, a user logged on as the superuser (root) ran the root.sh configuration script. On the Audit Vault Server, this script places three scripts in the /usr/local/bin directory. Two of these scripts, coraenv (for the C shell) and oraenv (for the Bourne, Bash, or Korn shell), can be called by users to set environment variables on the Audit Vault Server. However, because these two scripts are not installed as part of the Audit Vault Collection Agent installation, you must set the environment variables for the agent shell using the appropriate operating system shell commands.
The tasks to perform in the respective shells for interacting with the Audit Vault Server, the Audit Vault Collection Agent, and the source database are listed as follows:
Audit Vault Server Shell
At the command line, run the coraenv script (for the C shell) or the oraenv script (for the Bourne, Bash, or Korn shell) located in the /usr/local/bin directory. It sets the following environment variables, as applicable, in the shell in which you will be interacting with the Audit Vault Server: ORACLE_SID, ORACLE_HOME, PATH, and LD_LIBRARY_PATH (for Linux x86, Linux x86_64, and Solaris SPARC_64), SHLIB_PATH (for HP-UX), or LIBPATH (for AIX).
Set the LANG environment variable to the locale category for the native language of your choice when using the AVMSSQLDB command-line utility. This ensures that all translated information appears in the specified locale language. The NLS_LANG environment variable is Oracle specific: it is effective with the AVORCLDB command-line utility but has no effect on the AVMSSQLDB command-line utility, whereas the LANG environment variable is the standard way of setting the locale category for the native language.
ORACLE_HOME is set to the Audit Vault Server home directory. ORACLE_SID is set to av, the unique service name (SID) for the Audit Vault database. If your SID is set otherwise, use that SID. The script appends $ORACLE_HOME/bin to your PATH environment variable and $ORACLE_HOME/lib to your LD_LIBRARY_PATH environment variable.
Note:
If you can run the AVCTL -help command from the command line and it displays help for this command-line utility, the ORACLE_HOME and PATH environment variables are set.
Audit Vault Collection Agent Shell
Check and manually set the ORACLE_HOME environment variable to the Audit Vault Collection Agent home directory.
Check and set the LD_LIBRARY_PATH environment variable to include $ORACLE_HOME/lib.
Check and set the PATH environment variable to include $ORACLE_HOME/bin. Be sure that you append this information to the existing PATH information.
Ensure that the following environment variables are unset: ORACLE_SID, TNS_ADMIN, and TWO_TASK.
Note:
If you can run the AVCTL -help command from the command line and it displays help for this command-line utility, the ORACLE_HOME and PATH environment variables are set.
Set the LANG environment variable to the locale category for the native language of your choice when using the AVMSSQLDB command-line utility. This ensures that all translated information appears in the specified locale language. The NLS_LANG environment variable is Oracle specific: it is effective with the AVORCLDB command-line utility but has no effect on the AVMSSQLDB command-line utility, whereas the LANG environment variable is the standard way of setting the locale category for the native language.
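The agent-shell rules above (set ORACLE_HOME, append $ORACLE_HOME/bin and $ORACLE_HOME/lib, unset ORACLE_SID, TNS_ADMIN and TWO_TASK, then confirm with avctl) can be applied and checked with a short POSIX shell script. The script below is an added example and is not part of the Oracle guide; av_agent_env, av_agent_env_check and path_append are names chosen here, and the only assumption about the agent home is that it contains bin/avctl.

```shell
#!/bin/sh
# Added example (not from the Oracle guide): prepare and check a shell for the
# Audit Vault Collection Agent according to the variable rules in Section 2.1.
# Usage: . this file, then:  av_agent_env /path/to/agent_home && av_agent_env_check

# Append a directory to a colon-separated list only if it is not already there,
# so sourcing this more than once does not grow PATH or LD_LIBRARY_PATH.
path_append() {
    # $1 = current value, $2 = directory to append; prints the new value
    case ":$1:" in
        *":$2:"*) printf '%s\n' "$1" ;;
        "::")     printf '%s\n' "$2" ;;
        *)        printf '%s\n' "$1:$2" ;;
    esac
}

# Set the agent-shell environment. $1 = Audit Vault Collection Agent home.
av_agent_env() {
    agent_home=$1
    # The agent home must contain bin/avctl, the utility the guide uses as its
    # check that ORACLE_HOME and PATH are set.
    if [ ! -x "$agent_home/bin/avctl" ]; then
        echo "av_agent_env: $agent_home/bin/avctl not found" >&2
        return 1
    fi
    ORACLE_HOME=$agent_home
    export ORACLE_HOME
    # Append, never prepend or replace: the existing PATH information stays first.
    PATH=$(path_append "$PATH" "$ORACLE_HOME/bin")
    export PATH
    LD_LIBRARY_PATH=$(path_append "${LD_LIBRARY_PATH:-}" "$ORACLE_HOME/lib")
    export LD_LIBRARY_PATH
    # Section 2.1 requires these to be unset in the agent shell; a value
    # inherited from a database shell would point Oracle client tools at the
    # wrong instance or network configuration.
    unset ORACLE_SID TNS_ADMIN TWO_TASK
}

# Report whether the current shell satisfies the agent-shell rules.
# Returns 0 when every check passes, 1 otherwise, naming each failure.
av_agent_env_check() {
    rc=0
    [ -n "${ORACLE_HOME:-}" ] || { echo "ORACLE_HOME is not set"; rc=1; }
    case ":$PATH:" in
        *":${ORACLE_HOME:-/nonexistent}/bin:"*) ;;
        *) echo "PATH does not include \$ORACLE_HOME/bin"; rc=1 ;;
    esac
    case ":${LD_LIBRARY_PATH:-}:" in
        *":${ORACLE_HOME:-/nonexistent}/lib:"*) ;;
        *) echo "LD_LIBRARY_PATH does not include \$ORACLE_HOME/lib"; rc=1 ;;
    esac
    for v in ORACLE_SID TNS_ADMIN TWO_TASK; do
        eval "val=\${$v:-}"
        [ -z "$val" ] || { echo "$v must be unset in the agent shell (is '$val')"; rc=1; }
    done
    return $rc
}
```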
Source Database Shell
At the command line, run the coraenv script (for the C shell) or the oraenv script (for the Bourne, Bash, or Korn shell) located in the /usr/local/bin directory. It sets the following environment variables, as applicable, in the shell in which you will be interacting with the source database: ORACLE_SID, ORACLE_HOME, PATH, and LD_LIBRARY_PATH (for Linux x86, Linux x86_64, and Solaris SPARC_64), SHLIB_PATH (for HP-UX), or LIBPATH (for AIX).
ORACLE_HOME is set to the source database home directory. By default, this is the directory path down to and including the home directory name, for example db_1. ORACLE_SID is set to the unique service name (SID) for the source database, for example orcl if that is your Oracle SID name. If your SID is set otherwise, use that SID. The script appends $ORACLE_HOME/bin to your PATH environment variable and $ORACLE_HOME/lib to your LD_LIBRARY_PATH environment variable.
Perform the following steps to register or add an Oracle Database source and collectors with Oracle Audit Vault:
If your source database is protected by Oracle Database Vault, for certain versions of Database Vault, ensure that the source database has a password file set up. A connection to the source AS SYSDBA or AS SYSOPER can succeed only if the password file is set up. Some later versions of Database Vault enable operating system authentication by default. See Oracle Database Administrator's Guide for information about the orapwd command used to create the password file, or see Enabling or Disabling Connections with the SYSDBA Privilege in Oracle Audit Vault Server Installation Guide for Linux x86.
Create a user on the Oracle source database.
On the Oracle source database, create a user, referred to here as srcuser1, for use by the collectors. For example:
SQL> create user srcuser1 identified by password;
The source user, srcuser1, must have a set of required privileges and roles granted to it. The required privileges and roles are listed in $ORACLE_HOME/av/scripts/streams/source/zarsspriv.sql. This script is located in both the Audit Vault Server and the Audit Vault Collection Agent Oracle homes after an installation.
Run this script on the source database as the SYS user to grant the user srcuser1 the required privileges, using the following syntax:
zarsspriv.sql srcusr mode
The argument srcusr is the user to be granted the privileges, and the argument mode is one of two keywords:
SETUP – For OSAUD and DBAUD collectors, and for policy management
REDO_COLL – For the REDO log collector; includes all privileges that are granted using the argument mode SETUP.
Example 2-1 shows how the argument srcusr, whose value is srcuser1, is granted the required privileges for the OSAUD and DBAUD collectors, and for policy management. Example 2-2 shows how the argument srcusr, whose value is srcuser1, is granted the required privileges for the REDO collector.
Example 2-1 Grant the Source User the Required Privileges for Policy Management
sqlplus / as sysdba
. . .
SQL> @zarsspriv.sql srcuser1 SETUP
Granting privileges to SRCUSER1 ... Done.
SQL>
Example 2-2 Grant the Source User the Required Privileges for the REDO Collector
sqlplus / as sysdba
. . .
SQL> @zarsspriv.sql srcuser1 REDO_COLL
Granting privileges to SRCUSER1 ... Done.
SQL>
Note:
Connect as the source user, srcuser1, then issue the following SELECT statements to check the privileges and roles of this source user.
SQL> CONNECT SRCUSER1
Enter password: srcuser1-password
Connected.
SQL> SELECT * FROM SESSION_PRIVS;
SQL> SELECT * FROM SESSION_ROLES;
The output for each SELECT statement for this source user should show that it has been granted many privileges and roles, among these for example, the source user has been granted the CREATE DATABASE LINK privilege and DBA role.
The privileges granted can be found in the zarsspriv.sql file.
For Source Databases with Oracle Database Vault Installed
A source database with Oracle Database Vault also installed requires additional privileges to access the source database. Log in as the Database Vault Owner on the source database and execute the following. The example uses the source user, srcuser1, previously created on the source.
sqlplus dbvowner
Enter password: password
SQL> exec dbms_macadm.add_auth_to_realm('Oracle Data Dictionary', 'SRCUSER1', null, dbms_macutl.g_realm_auth_participant);
SQL> COMMIT;
SQL> exit;
In addition, to collect Database Vault audit trail data from the source database, srcuser1 must be granted dv_secanalyst. For example:
sqlplus /nolog
SQL> connect dbvowner
Enter password: password
SQL> GRANT dv_secanalyst TO srcuser1;
Grant succeeded.
SQL> exit
From the Audit Vault Server home shell, verify that the source is compatible for the collector type in the collection agent home. The AVORCLDB verify command checks the source database to see if the configuration on it would allow an Audit Vault collector to run against it.
To verify that the source is compatible with each of the collectors, use the AVORCLDB verify command in the collection agent home shell, as shown in Example 2-3. The values for the -src <host:port:service> argument can be determined by entering the command lsnrctl status in the source shell and looking for the host name, the port number, and the service name for the source database. You will be prompted for the source user name and password. This is the source user name srcuser1 and that user name's password from Step 2.
Example 2-3 Partly Successful Verify Operation of Source Compatibility with the Collectors
avorcldb verify -src SRC1.US.ORACLE.COM:1521:orcl -colltype ALL
Enter Source user name: srcuser1
Enter Source password: *******
source SRC1.US.ORACLE.COM verified for OS File Audit Collector
source SRC1.US.ORACLE.COM verified for Aud$/FGA_LOG$ Audit Collector
Source database must be in ARCHIVELOG mode to use REDO Log collector
Incorrect database compatibility 9.2.0; recommended value is 10.2.0.0.0
Parameter _SPIN_COUNT not set; recommended value is 5000
Parameter _JOB_QUEUE_INTERVAL not set; recommended value range [1 - ANY_VALUE]
Parameter JOB_QUEUE_PROCESSES = 0 not in recommended value range [4 - ANY_VALUE]
Parameter SGA_MAX_SIZE = 155189248 not in recommended value range [209715200 - ANY_VALUE]
Parameter SGA_TARGET = 0 not in recommended value range [209715200 - ANY_VALUE]
Parameter AQ_TM_PROCESSES = 0 is not in required value range [4 - ANY_VALUE]
Parameter UNDO_RETENTION = 900 not in recommended value range [3600 - ANY_VALUE]
Parameter GLOBAL_NAMES = false not set to recommended value true
Please set the above init.ora parameters to recommended values
If the AVORCLDB verify command returns an error message for a specific collector, or some other message indicating a problem, examine the content of the message and fix the problem it describes.
In Example 2-3, a number of initialization parameters on the source database must be set or modified to use the REDO collector. For a complete list of parameters used by the REDO collector, see Appendix E.
Retry the verify command, specifying the collector type for which there was a problem, as shown in Example 2-4. You can run this command as many times as needed until all problems are solved and the command returns a verified source message indicating success.
From the Audit Vault Server home shell, add the source to Audit Vault using the AVORCLDB add_source command. You will be prompted for the source user name and password. In this example, use the source user name, srcuser1, created in Step 2. Note that the -agentname <agentname> parameter, though optional, must be specified in order to configure policy management using the Audit Vault Auditor's Console.
Example 2-5 shows how to add a source to Audit Vault.
Example 2-5 Adding an Oracle Database Source to Audit Vault Database
avorcldb add_source -src lnxserver:4523:source1db.domain.com -desc 'HR Database' -agentname agent1
Enter Source user name: srcuser1
Enter Source password: *******
Adding source...
Source added successfully.
source successfully added to Audit Vault
remember the following information for use in avctl
Source name (srcname): ORCLSRC1.DOMAIN.COM
Storing user credentials in wallet...
Create credential oracle.security.client.connect_string3
done.
Mapping Source to Agent...
From the Audit Vault Server home shell, add the collector to Audit Vault using the AVORCLDB add_collector command.
Example 2-6 shows how to add the OSAUD collector to Audit Vault for UNIX platforms. Note the required -orclhome <orclhome> parameter, which specifies the location of the source database Oracle home as an absolute path; the example assumes that /u01/app is the Oracle Base directory.
Note:
There is a 2 GB audit file size limit for the OSAUD collector to be able to collect audit records from audit trails stored in files, which includes the SYSLOG, .AUD, and .XML files. If a file size greater than 2 GB is encountered, the OSAUD collector will ignore all audit records beyond 2 GB. To control the size of the operating system audit trail and select the audit trail type to set, set the DBMS_AUDIT_MGMT.OS_FILE_MAX_SIZE property and the DBMS_AUDIT_MGMT.AUDIT_TRAIL_TYPE type by using the DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_PROPERTY PL/SQL procedure. See Section 4.4 for tutorial information and Appendix G for reference information.
Example 2-6 Adding the OSAUD Collector to Audit Vault for UNIX Platforms
avorcldb add_collector -srcname ORCLSRC1.DOMAIN.COM -agentname agent1 -colltype OSAUD -orclhome /u01/app/oracle/product/10.2.0/db_1
source ORCLSRC1.DOMAIN.COM verified for OS File Audit Collector collector
Adding collector...
Collector added successfully.
collector successfully added to Audit Vault
remember the following information for use in avctl
Collector name (collname): OSAUD_Collector
Example 2-7 shows how to add the OSAUD collector to Audit Vault on Windows for the event log and XML audit trail. Note the required -orclhome <orclhome> parameter, which specifies the location of the source database.
Example 2-7 Adding the OSAUD Collector to Audit Vault on Windows for the Event Log and XML Audit Trail
avorcldb add_collector -srcname ORCLSRC1.DOMAIN.COM -agentname agent1 -colltype OSAUD -orclhome c:\oracle\product\10.2.0\db_1
source ORCLSRC1.DOMAIN.COM verified for Windows Event Log Audit Collector collector
Adding collector...
Collector added sucessfully.
collector successfully added to Audit Vault
remember the following information for use in avctl
Collector name (collname): OSAUD_Collector
Example 2-8 shows how to add the DBAUD collector to Audit Vault.
Example 2-8 Adding the DBAUD Collector to Audit Vault
avorcldb add_collector -srcname ORCLSRC1.DOMAIN.COM -agentname agent1 -colltype DBAUD
source ORCLSRC1.DOMAIN.COM verified for Aud$/FGA_LOG$ Audit Collector collector
Adding collector...
Collector added successfully.
collector successfully added to Audit Vault
remember the following information for use in avctl
Collector name (collname): DBAUD_Collector
Example 2-9 shows how to add the REDO collector to Audit Vault and shows that a value for the -av argument must be supplied for this collector type.
Example 2-9 Adding the REDO Collector to Audit Vault
avorcldb add_collector -srcname ORCLSRC1.DOMAIN.COM -agentname agent1 -colltype REDO -av lnxserver:4523:hrdb.domain.com
source ORCLSRC1.DOMAIN.COM verified for REDO Log Audit Collector collector
Adding collector...
Collector added successfully.
collector successfully added to Audit Vault
remember the following information for use in avctl
Collector name (collname): REDO_Collector
initializing REDO Collector
setting up APPLY process on Audit Vault server
setting up CAPTURE process on source database
Note:
If the zarsspriv.sql script described in Step 2 is not run on the source, or fails to run correctly for some reason, the initialization of the REDO collector does not complete, and the APPLY process on the Audit Vault Server and the CAPTURE process on the source database are not started after adding the REDO collector.
In the Audit Vault Collection Agent shell, set up the source using the AVORCLDB setup command (as shown in Example 2-10). Enter the source name -srcname <srcname> previously used in Step 5. You will be prompted for the source user name and the source user name password. In this example, use the source user name, srcuser1, and its password created in Step 2.
Example 2-10 Setting Up the Source at the Collection Agent
avorcldb setup -verbose -srcname ORCLSRC1.DOMAIN.COM
Enter Source user name: srcuser1
Enter Source password: *******
adding credentials for user srcuser1 for connection [SRCDB1]
Storing user credentials in wallet...
Create credential oracle.security.client.connect_string3
done.
updated tnsnames.ora with alias [SRCDB1] to source database
verifying SRCDB1 connection using wallet
Note:
If you forget to run the AVORCLDB setup command, the OSAUD, DBAUD, and REDO collectors will fail to start.
Perform the following steps to register or add SQL Server sources and collector with Oracle Audit Vault:
Check to ensure that the SQL Server 2005 Driver for JDBC (sqljdbc.jar), which provides high performance native access to SQL Server 2000 and SQL Server 2005 database data sources, has been downloaded and copied to the Audit Vault Server and Audit Vault Agent Home (OH/jlib) location. Ensure that this jar file, used by the MSSQLDB collector, is present in the Audit Vault Agent OC4J before starting the Agent OC4J.
For Audit Vault Server information, see Downloading and Copying the JDBC Driver File for Microsoft SQL Server Database Connectivity in Oracle Audit Vault Server Installation Guide for Linux x86.
For Audit Vault Agent information, see Downloading and Copying the JDBC Driver File for Microsoft SQL Server Database Connectivity in Oracle Audit Vault Collection Agent Installation Guide.
Note:
If this JDBC Driver file (sqljdbc.jar) is not in its designated location, the avmssqldb command-line utility will not run, because this utility uses this jar file. The MSSQLDB collector will not start if this jar file, used by the MSSQLDB collector, is not present in the Audit Vault Agent OC4J. See Stopping and Starting the Agent OC4J in Oracle Audit Vault Collection Agent Installation Guide for the sequence of steps to follow to ensure this jar file is present in the Audit Vault Agent OC4J before starting the Agent OC4J.
Create a source user with the required privileges.
For SQL Server 2000, the minimum required privilege granted to the source user is sysadmin server role privileges. This user can perform any activity on the server. The Administrator with Security Association (SA) role must perform this task.
For SQL Server 2005, the minimum required privilege granted to the source user is the alter trace privilege. The sysadmin must perform this task.
Steps to create a login for the source user and, for SQL Server 2000, assign the sysadmin role to that user or, for SQL Server 2005, grant the alter trace privilege to that user:
Create a new MS SQL Server login that allows a source user to connect to an instance of Microsoft SQL Server.
Example 2-11 shows how to create a login for the source user.
For SQL Server 2000, assign the sysadmin fixed server role to the srcuser1 login. When a source user is added to a fixed server role, the source user gains the permissions associated with that role.
Steps to provide sysadmin fixed server role privileges to the srcuser1 login:
srcuser1, to which you want to provide the sysadmin role.
For SQL Server 2005, grant the alter trace privilege to the srcuser1 login.
Steps to grant the alter trace privilege to the srcuser1 login:
sysadmin.
GRANT ALTER TRACE TO srcuser1
Verify the source and source user in the Audit Vault Server shell.
Before you configure the collector for Microsoft SQL Server, verify that:
The source database is compatible with the collector
The source user name and password are valid
Example 2-12 shows how to verify the source database. Use the source user name and password created in Step 1.
Add a source. From the Audit Vault Server home shell, add the source to Audit Vault using the AVMSSQLDB add_source command. Use the source user name and password created in Step 1.
Example 2-13 Registering a SQL Server Database Source with Audit Vault Database
avmssqldb add_source -src sqlserver:4423 -srcname mssqldb4 -desc 'HR Database'
Enter a username :srcuser1
Enter a password : *******
***** Source Verified *****
***** Source Added Successfully *****
This command adds or registers the source with Audit Vault.
Add a collector. From the Audit Vault Server home shell, add the collector to Audit Vault using the AVMSSQLDB add_collector command:
Example 2-14 Registering the Microsoft SQL Server MSSQLDB Collector with Audit Vault Database
avmssqldb add_collector -srcname mssqldb4 -agentname agent1
Enter a username :srcuser1
Enter a password : *******
***** Collector Added Successfully*****
This command adds or registers the MSSQLDB collector with Audit Vault. Note that by default, the MSSQLDB collector collects audit records from all audit trails: C2 audit logs, server-side trace logs, and Windows Event log provided these audit trails have been enabled in the source database.
In the Audit Vault Collection Agent shell, set up the source using the AVMSSQLDB setup command (as shown in Example 2-15). Enter the source name -srcname <srcname> previously used in Step 3. You will be prompted for the source user name and source user name password. In this example, use the source user name, srcuser1, and its password created in Step 1.
This section describes starting up collection agents and collectors.
Steps to start up a collection agent are described as follows:
Ensure that the Audit Vault Agent OC4J is running. Perform the following AVCTL command in the Audit Vault Agent home to check its status. See Section 3.2.2 for more information about managing the agent OC4J.
avctl show_oc4j_status
Ensure that the collection agent is started.
To check the status of the collection agent to see if it is started, on the Audit Vault Server shell, use the AVCTL show_agent_status command, as shown in Example 2-16. In this case the collection agent is not started.
Start the collection agent.
If the collection agent is not started as indicated in Example 2-16, use the AVCTL start_agent command to start the collection agent, as shown in Example 2-17.
See Chapter 3 for additional configuration and management tasks that you may need to perform on your running Audit Vault system.
Steps to start up Oracle Database collectors are described as follows:
In the Audit Vault Server shell, start the OSAUD, DBAUD, and REDO collectors.
To start the OSAUD, DBAUD, and REDO collectors, use the AVCTL start_collector command for each collector, as shown in Example 2-18. If successful, each collector is moved to a RUNNING state.
Example 2-18 Starting the OSAUD, DBAUD, and REDO Collectors
avctl start_collector -collname OSAUD_Collector -srcname DBS1.REGRESS.RDBMS.DEV.US.ORACLE.COM
AVCTL started
Executing task start_collector
Starting Collector...
Collector started successfully.
avctl start_collector -collname DBAUD_Collector -srcname DBS1.REGRESS.RDBMS.DEV.US.ORACLE.COM
AVCTL started
Executing task start_collector
Starting Collector...
Collector started successfully.
avctl start_collector -collname REDO_Collector -srcname DBS1.REGRESS.RDBMS.DEV.US.ORACLE.COM
AVCTL started
Executing task start_collector
Starting Collector...
Collector started successfully.
To use the Audit Vault Console to start collectors, log in to the Audit Vault Console as the user with the AV_ADMIN role granted. Using the tabs, click Management, then Collectors to display the Collectors page (see Figure 3-9). On the Collectors page you can view the collectors and collector information and start and stop collectors. Locate the OSAUD_Collector, DBAUD_Collector, and REDO_Collector collectors that you added. Note the status of each collector. A red down arrow should appear, indicating that the collector is not running. Select each collector and click Start. A green up arrow appears when the collector is successfully started and is in the RUNNING state.
To see if audit records are being collected, inspect the contents of the log files in the Audit Vault Collection Agent home $ORACLE_HOME/av/log directory. The log file has the format <collector_name>_<source-name_prefix>_<source_id>.log. For the DBAUD_Collector collector, the log file name is DBAUD_Collector_<source-name_prefix>_<source-id>.log. For the OSAUD_Collector collector, the log file name is OSAUD_Collector_<source-name_prefix>_<source-id>.log. Each log file keeps a running record of its audit record collection operations and will indicate when collection has occurred, or if a problem was encountered in the collection operation. See Chapter 6 for more information about troubleshooting collector setup and start collector operations.
Check the collector status from the Audit Vault Server shell using the AVCTL command-line utility.
To check the status of the collectors, use the AVCTL show_collector_status command shown in Example 2-19.
Example 2-19 Checking the Status of the OSAUD, DBAUD, and REDO Collectors
avctl show_collector_status -collname OSAUD_Collector -srcname DBS1.REGRES.RDBMS.DEV.US.ORACLE.COM
AVCTL started
Getting collector metrics...
--------------------------------
Collector is running
Records per second = 0.00
Bytes per second = 0.00
--------------------------------
avctl show_collector_status -collname DBAUD_Collector -srcname DBS1.REGRES.RDBMS.DEV.US.ORACLE.COM
AVCTL started
Getting collector metrics...
--------------------------------
Collector is running
Records per second = 0.00
Bytes per second = 0.00
--------------------------------
avctl show_collector_status -collname REDO_Collector -srcname DBS1.REGRES.RDBMS.DEV.US.ORACLE.COM
AVCTL started
Getting collector metrics...
--------------------------------
Collector is running
Records per second = 0.00
Bytes per second = 228.00
--------------------------------
The status return message indicates whether the collector is running or not; otherwise, it might display an error message indicating that there is a problem.
Steps to start up the Microsoft SQL Server Database Collector are described as follows:
Ensure that the Audit Vault Agent OC4J and agent are running. See Section 2.4.1 for more information about managing the agent OC4J and agent.
In the Audit Vault Server shell, start the MSSQLDB collector.
To start the MSSQLDB collector, use the AVCTL start_collector command, as shown in Example 2-20. If successful, the collector is moved to a RUNNING state.
Example 2-20 Starting the MSSQLDB Collector
avctl start_collector -collname MSSQLCollector -srcname mssqldb4
AVCTL started
Executing task start_collector
Starting Collector...
Collector started successfully.
To use the Audit Vault Console to start collectors, log in to the Audit Vault Console as the user with the AV_ADMIN role granted. Using the tabs, click Management, then Collectors to display the Collectors page (see Figure 3-9). On the Collectors page you can view the collectors and collector information and start and stop collectors. Locate the MSSQLCollector collector that you added. Note its status. A red down arrow should appear, indicating that the collector is not running. Select the collector and click Start. A green up arrow appears when the collector is successfully started and is in the RUNNING state.
To see if audit records are being collected, inspect the contents of the log files in the Audit Vault Collection Agent home ORACLE_HOME\av\log directory. The log file has the format <sourcetypename>-%g.log. The %g is a generation number that starts from 0 (zero) and increases once the file size reaches the 10 MB limit. For the MSSQLDB_Collector collector, the log file name is MSSQLDB-0.log. The log file keeps a running record of its audit record collection operations and will indicate when collection has occurred, or if a problem was encountered in the collection operation. See Chapter 6 for more information about troubleshooting collector setup and start collector operations.
Note:
For SQL Server 2000 source databases only, when the AUDIT_SERVERSIDE_TRACES_FLAG attribute is set to 1 or on, the trace file (.trc) audit trail is not released to the collector until either the file reaches its maximum file size and another trace file is created, or the source database is shut down and started up again.
Check the collector status from the Audit Vault Server shell using the AVCTL command-line utility.
To check the status of the collector, use the AVCTL show_collector_status command shown in Example 2-21.
Example 2-21 Checking the Status of the MSSQLDB Collector
avctl show_collector_status -collname MSSQLCollector -srcname mssqldb4
AVCTL started
Getting collector metrics...
--------------------------------
Collector is running
Records per second = 0.00
Bytes per second = 0.00
--------------------------------
The status return message indicates whether the collector is running or not; otherwise, it might display an error message indicating that there is a problem.
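The status reports in Examples 2-19 and 2-21 have the same shape, so a scheduled check can parse them and raise an alert when a collector has stopped, which is a gap in audit collection, instead of relying on someone reading each report. The script below is an added example and is not part of the Oracle guide; parse_collector_status and check_collectors are names chosen here, the sample report is constructed from Example 2-19, and check_collectors assumes avctl is on the PATH of the Audit Vault Server shell.

```shell
#!/bin/sh
# Added example (not from the Oracle guide): a health check for the collectors
# registered for a source, built on the "avctl show_collector_status" output
# format shown in Examples 2-19 and 2-21. parse_collector_status is pure text
# processing and runs offline; check_collectors is the part you would run from
# cron on the Audit Vault Server.

# Constructed sample report, in the shape of Example 2-19.
SAMPLE_REPORT='AVCTL started
Getting collector metrics...
--------------------------------
Collector is running
Records per second = 0.00
Bytes per second = 228.00
--------------------------------'

# Read one show_collector_status report on stdin and print a single line:
#   running|<records/s>|<bytes/s>   when the report says the collector is running
#   down|0|0                        otherwise (not running, or an error message)
parse_collector_status() {
    awk '
        BEGIN { state = "down"; rps = 0; bps = 0 }
        /Collector is running/ { state = "running" }
        /Records per second/   { rps = $NF }
        /Bytes per second/     { bps = $NF }
        END { printf "%s|%s|%s\n", state, rps, bps }'
}

# Query avctl for each named collector and return 0 only if all report running.
# $1 = source name (as printed by add_source), remaining args = collector names.
check_collectors() {
    srcname=$1
    shift
    failed=0
    for coll in "$@"; do
        # stderr is folded into the pipeline so an avctl error also parses as "down"
        status=$(avctl show_collector_status -collname "$coll" -srcname "$srcname" 2>&1 \
                 | parse_collector_status)
        state=${status%%|*}
        if [ "$state" = "running" ]; then
            echo "$coll on $srcname: $status"
        else
            echo "ALERT: $coll on $srcname is not running" >&2
            failed=1
        fi
    done
    return $failed
}

# Stand-alone demonstration on the constructed sample; prints running|0.00|228.00
printf '%s\n' "$SAMPLE_REPORT" | parse_collector_status
```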