Oracle® Audit Vault Administrator's Guide Release 10.2.3.1 Part Number E13841-02
Use the Audit Vault Control (AVCTL) command-line utility to manage various Oracle Audit Vault components (for example, checking the status of collector agents or managing the Audit Vault Data Warehouse). When you run these commands, remember the following:
Enter the command in lowercase letters. The commands are case-sensitive.
When you open a new shell to run the command, first set the appropriate environment variables. See Section 2.2 for more information.
Oracle Audit Vault creates a log file of AVCTL command activity. See Section A.1 and Section A.2 for more information.
Table 7-1 describes the Audit Vault Control commands and where each is used, whether on the Audit Vault Server, on the Audit Vault collection agent, or in both places.
Table 7-1 Audit Vault Control Commands
Command | Where Used | Description |
---|---|---|
-help | Both | Displays help information for the AVCTL commands |
load_warehouse | Server | Loads older data from the raw audit data store into the data warehouse tables for analysis |
purge_warehouse | Server | Purges audit data that was reloaded into the warehouse |
refresh_warehouse | Server | Refreshes the data warehouse with the data in the raw audit data store since the last refresh operation |
show_agent_status | Server | Shows the status (metric) of a collection agent |
show_av_status | Server | Shows the status (metric) of the Audit Vault Console |
show_collector_status | Server | Shows the status (metric) of a collector |
show_oc4j_status | Collection agent | Shows the status (metric) of OC4J |
start_agent | Server | Starts the collection agent |
start_av | Server | Starts the Audit Vault Console |
start_collector | Server | Starts the collector |
start_oc4j | Collection agent | Starts the agent OC4J |
stop_agent | Server | Stops the collection agent |
stop_av | Server | Stops the Audit Vault Console |
stop_collector | Server | Stops the collector |
stop_oc4j | Collection agent | Stops the agent OC4J |
Note:
In an Oracle RAC environment, you must issue the AVCTL commands from the node on which Oracle Enterprise Manager resides. This is the same node on which the av.ear file is deployed.
If the node on which the av.ear file is deployed is down, deploy the av.ear file to another node using the AVCA deploy_av command.
avctl -help
Displays help information for the AVCTL commands. You can run this command on both the Audit Vault Server and the Audit Vault collection agent.
Syntax
avctl -help
avctl command -help
Arguments
Argument | Description |
---|---|
command | Enter the name of an AVCTL command for which you want help to appear |
Usage Notes
If you installed the collection agent on a Microsoft Windows computer and want to run the avctl -help command from there, run it from the ORACLE_HOME\agent_directory\bin directory. For UNIX or Linux installations, set the appropriate environment variables before running this command. See Section 2.2 for more information.
Example
The following example shows how to display general AVCTL utility help in the Audit Vault Server home.
```
$ avctl -help
--------------------------------------------
AVCTL Usage
--------------------------------------------
Oracle Audit Vault Control commands - AV Server:
avctl start_av [-loglevel error|warning|info|debug]
avctl stop_av
avctl show_av_status
Oracle Audit Vault Control commands - Agent:
avctl start_agent -agentname <agent name>
avctl stop_agent -agentname <agent name>
avctl show_agent_status -agentname <agent name>
Oracle Audit Vault Control commands - Collector:
avctl start_collector -collname <collector name> -srcname <source name>
avctl stop_collector -collname <collector name> -srcname <source name>
avctl show_collector_status -collname <collector name> -srcname <source name>
Oracle Audit Vault Control commands - Warehouse:
avctl refresh_warehouse [-wait]
avctl load_warehouse -startdate <start date> -numofdays <num of days> [-dateformat <date format>] [-wait]
avctl purge_warehouse -startdate <start date> -numofdays <num of days> [-dateformat <date format>] [-wait]
avctl -help
```
The following example shows how to display specific AVCTL Help for the start_agent command in Oracle Audit Vault.
```
$ avctl start_agent -help
avctl start_agent -agentname <agent name>
------------------------------------------------
-agentname <agent name>
------------------------------------------------
```
avctl load_warehouse
Loads audit trail data from the raw audit data store after it has been removed from the warehouse repository due to the retention period that was set. Run this command on the Audit Vault Server.
Syntax
avctl load_warehouse -startdate start_date -numofdays num_of_days [-dateformat date_format] [-wait]
Arguments
Argument | Description |
---|---|
-startdate start_date | Enter the start date for the audit trail data to be loaded into the data warehouse repository using the default format DD-MON-YY. To use a different format, specify the -dateformat argument. Use any supported Oracle Database date format. See Oracle Database Globalization Support Guide for more information about date formats. |
-numofdays num_of_days | Enter the number of days' worth of audit trail data to be loaded. |
-dateformat date_format | Enter the date format for the -startdate argument. Optional. Ensure that the date argument used for -startdate matches the date format you choose. For Oracle Database supported date formats, see Oracle Database Globalization Support Guide. |
-wait | Enter this keyword to have the command wait for the load job to complete. If you do not specify this argument, a DBMS job is started, and the command returns immediately. Optional. |
Usage Notes
The audit records received from the date given by the -startdate argument, for the number of days specified by the -numofdays argument, are loaded into the data warehouse.
See Section 3.4 for more information about managing the Oracle Audit Vault data warehouse.
Example
The following example shows how to load the data warehouse with 10 days' worth of audit data beginning with January 1, 2004:
```
$ avctl load_warehouse -startdate 01-JAN-04 -numofdays 10
AVCTL started
Loading older audit records into warehouse... done.
```
The following example shows how to load the data warehouse with 10 days' worth of audit data beginning with January 1, 2004 using the DD/MM/YYYY date format, and to specify that the operation wait until the previous load job completes.
```
$ avctl load_warehouse -startdate 01/01/2004 -numofdays 10 -dateformat DD/MM/YYYY -wait
AVCTL started
Loading older audit records into warehouse... done.
```
avctl purge_warehouse
Purges audit trail data from the warehouse repository that was previously loaded into the warehouse using the avctl load_warehouse command. Run this command on the Audit Vault Server.
Syntax
avctl purge_warehouse -startdate start_date -numofdays num_of_days [-dateformat date_format] [-wait]
Arguments
Argument | Description |
---|---|
-startdate start_date | Enter the start date for the events to be removed from the data warehouse tables using the default format DD-MON-YY. To use a different format, specify the -dateformat argument. Use any supported Oracle Database date format. See Oracle Database Globalization Support Guide for more information about date formats. |
-numofdays num_of_days | Enter the number of days' worth of data to be removed. |
-dateformat date_format | Specify the date format for the -startdate argument. Optional. |
-wait | Enter this keyword to have the command wait for the purge job to complete. If you omit this argument, then Oracle Audit Vault starts the job and then returns to the command prompt immediately. Optional. |
Usage Notes
The audit records received from the date given by the -startdate argument, for the number of days specified by the -numofdays argument, are removed from the data warehouse tables.
Only data loaded using the avctl load_warehouse command can be purged using the avctl purge_warehouse command. The data loaded using the avctl refresh_warehouse command is removed automatically based on the warehouse duration specified using the avca set_warehouse_retention command.
See Section 3.4 for more information about managing the Oracle Audit Vault data warehouse.
Example
The following example shows how to purge 10 days' worth of data from the data warehouse beginning with January 1, 2004:
```
$ avctl purge_warehouse -startdate 01-JAN-04 -numofdays 10
AVCTL started
Purging older audit records from warehouse... done.
```
The following example shows how to purge 10 days' worth of data from the data warehouse beginning with January 1, 2004 and to specify that the operation wait until the previous purge job completes:
```
$ avctl purge_warehouse -startdate 01-JAN-04 -numofdays 10 -wait
AVCTL started
Purging older audit records from warehouse...
Waiting for purge to complete...
done.
```
The following example shows how to purge 10 days' worth of data from the data warehouse beginning with January 1, 2004 using the date format of DD/MM/YYYY.
```
$ avctl purge_warehouse -startdate 01/01/2004 -numofdays 10 -dateformat DD/MM/YYYY
AVCTL started
Purging older audit records from warehouse... done.
```
avctl refresh_warehouse
Refreshes the data warehouse repository with the data from the raw audit data store since the last refresh operation. Run this command on the Audit Vault Server.
Syntax
avctl refresh_warehouse [-wait]
Arguments
Argument | Description |
---|---|
-wait | Enter this keyword to specify that the command wait for the refresh job to complete. If you omit this argument, Oracle Audit Vault starts the job and then returns to the command prompt immediately. Optional. |
Usage Notes
The last refresh operation could have been an explicit refresh using this command or a scheduled refresh based on the schedule set using the avca set_warehouse_schedule command.
See Section 3.4 for more information about managing the Oracle Audit Vault data warehouse.
Example
The following example shows how to refresh the data warehouse:
```
$ avctl refresh_warehouse
AVCTL started
Refreshing warehouse... done.
```
This example shows how to specify that the refresh operation wait until the previous refresh job completes before refreshing the data warehouse:
```
$ avctl refresh_warehouse -wait
AVCTL started
Refreshing warehouse...
Waiting for refresh to complete...
done.
```
avctl show_agent_status
Shows the status (metric) of a collection agent. Run this command on the Audit Vault Server.
Syntax
avctl show_agent_status -agentname agent_name
Arguments
Argument | Description |
---|---|
-agentname agent_name | Enter the collection agent (by collection agent name). |
Usage Notes
If you installed the collection agent on a Microsoft Windows computer, run the avctl show_agent_status command from the ORACLE_HOME\agent_directory\bin directory. For UNIX or Linux installations, ensure that you have set the appropriate environment variables before running this command. See Section 2.2 for more information.
Example
The following example shows the collection agent status for the sales_agt agent:
```
$ avctl show_agent_status -agentname SALES_AGT
AVCTL started
Getting agent metrics...
--------------------------------
Agent is running
--------------------------------
Metrics retrieved successfully.
```
avctl show_av_status
Shows the Audit Vault Console status or the metric of the Audit Vault Server. Run this command on the Audit Vault Server.
Syntax
avctl show_av_status
Arguments
None
Usage Notes
When the Audit Vault Console becomes inaccessible, issue this command to determine its status.
Example
The following example shows the Audit Vault Console status:
```
$ avctl show_av_status
AVCTL started
Oracle Audit Vault 10g Database Control Release 10.2.3.1.0 Copyright (c) 1996, 2008 Oracle Corporation. All rights reserved.
http://hrdb.us.example.com:5570/av
Oracle Audit Vault 10g is running.
------------------------------------
Logs are generated in directory /oracle/product/10.2.3/av_1/av/log
```
avctl show_collector_status
Shows the status (metric) of a collector. Run this command on the Audit Vault Server.
Syntax
avctl show_collector_status -collname collector_name -srcname source_name
Arguments
Argument | Description |
---|---|
-collname collector_name | Enter the target collector (by collector name). |
-srcname source_name | Enter the name of the source database to which this collector belongs. |
Usage Notes
None
Example
The following example shows the collector status for the DBAUD_Collector collector:
```
$ avctl show_collector_status -collname DBAUD_Collector -srcname RODSRC1.US.EXAMPLE.COM
AVCTL started
Getting collector metrics...
--------------------------------
Collector is running
Records per second = 0.00
Bytes per second = 0.00
--------------------------------
```
avctl show_oc4j_status
Shows the OC4J status (metric). Run this command on the Audit Vault collection agent.
Syntax
avctl show_oc4j_status
Arguments
None
Usage Notes
If you installed the collection agent on a Microsoft Windows computer, run the avctl show_oc4j_status command from the ORACLE_HOME\agent_directory\bin directory. For UNIX or Linux installations, set the appropriate environment variables before running this command. See Section 2.2 for more information.
Example
The following example shows the OC4J status for when it is running and when it is not running:
```
$ avctl show_oc4j_status
AVCTL started
------------------------------------
OC4J is running
------------------------------------
```
This example shows the OC4J status for when it is not running:
```
$ avctl stop_oc4j
AVCTL started
Stopping OC4J...
OC4J stopped successfully.
$ avctl show_oc4j_status
AVCTL started
------------------------------------
OC4J is not running
------------------------------------
```
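The status commands above can drive an unattended check for gaps in audit collection. The following shell functions are an added example, not part of the Oracle guide: they classify the output of the avctl show_*_status commands and fail closed when a collector is not reported as running. The function names, the AVCTL override variable, and the "Agent is not running" and "Collector is not running" wording (inferred from the "OC4J is not running" example) are assumptions.

```shell
#!/bin/sh
# Added example (not from the Oracle guide): classify avctl status output.
# "is running" / "is not running" match the examples on this page; the
# "Agent is not running" and "Collector is not running" strings are assumed
# by analogy with "OC4J is not running".

AVCTL=${AVCTL:-avctl}   # assumption: override hook so the check can be tested

# Read avctl status output on stdin; print running, not_running or unknown.
avctl_state() {
    awk '
        / is not running/ { state = "not_running" }
        / is running/     { if (state == "") state = "running" }
        END { print (state == "" ? "unknown" : state) }
    '
}

# Read avctl status output on stdin; print the value of one "label = value"
# metric line, for example "Records per second".
avctl_metric() {
    awk -F' = ' -v label="$1" '
        { sub(/^[ \t]+/, "", $1); sub(/[ \t\r]+$/, "", $2) }
        $1 == label { print $2; exit }
    '
}

# Read "collector_name source_name" pairs on stdin, query each collector and
# print "collector source state". Returns 1 if any collector is not reported
# as running (unrecognized output counts as a failure).
check_collectors() {
    rc=0
    while read -r coll src; do
        [ -n "$coll" ] || continue
        out=$("$AVCTL" show_collector_status -collname "$coll" \
                  -srcname "$src" </dev/null 2>&1) || true
        state=$(printf '%s\n' "$out" | avctl_state)
        printf '%s %s %s\n' "$coll" "$src" "$state"
        [ "$state" = running ] || rc=1
    done
    return "$rc"
}

# Constructed sample, laid out like the show_collector_status example above.
SAMPLE_COLLECTOR='AVCTL started
Getting collector metrics...
--------------------------------
Collector is running
Records per second = 0.00
Bytes per second = 0.00
--------------------------------'
```

Run from a scheduler on the Audit Vault Server with a list of collector and source names on standard input, a nonzero return from check_collectors marks a collector that is not delivering audit records.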
avctl start_agent
Starts the specified collection agent. Run this command on the Audit Vault Server.
Syntax
avctl start_agent -agentname agent_name
Arguments
Argument | Description |
---|---|
-agentname agent_name | Enter the collection agent (by collection agent name) to be started. |
Usage Notes
On successful completion of this command, the collection agent is moved to a RUNNING state. If an error is encountered, the collection agent is moved to an ERROR state.
Oracle Audit Vault accepts audit records only from collection agents in the RUNNING state.
If you set the NLS_LANG environment variable before running the avctl start_oc4j command in the Audit Vault Agent shell and running the avctl start_agent command or avctl start_collector command in the Audit Vault Server shell, the avctl start_collector command can accept a multibyte source name or collector name.
Example
The following example shows how to start the collection agent in Oracle Audit Vault:
```
$ avctl start_agent -agentname sales_agt
AVCTL started
Starting Agent...
Agent started successfully.
```
avctl start_av
Starts the Audit Vault Console. Run this command on the Audit Vault Server.
Syntax
avctl start_av [-loglevel level]
Arguments
Argument | Description |
---|---|
-loglevel level | Optionally, enter the desired level of logging from the following options: error, warning, info, debug. |
Usage Notes
This command executes the emctl start dbconsole command.
Example
The following example shows how to start the Audit Vault Console:
```
$ avctl start_av
AVCTL started
Starting OC4J...
OC4J started successfully.
Oracle Audit Vault 10g Database Control Release 10.2.3.1.0 Copyright (c) 1996,2008 Oracle Corporation. All rights reserved.
http://shobeen.us.example.com:5700/av
Oracle Audit Vault 10g is running.
------------------------------------
Logs are generated in directory /oracle/product/10.2.3/av_1/av/log
```
avctl start_collector
Starts the collector. Run this command on the Audit Vault Server.
Syntax
avctl start_collector -collname collector_name -srcname source_name
Arguments
Argument | Description |
---|---|
-collname collector_name | Enter the name of the collector to be started. |
-srcname source_name | Enter the name of the source database to which the collector (specified in the -collname argument) belongs. |
Usage Notes
On successful completion of this command, Oracle Audit Vault sets the collector to a RUNNING state. If an error is encountered, the collector is set to an ERROR state. If you receive a message saying that the collector is not in a RUNNING state, ensure that the agent has been started. Use the avctl start_agent command to start the agent, as described in Section 7.9.
Oracle Audit Vault accepts audit records only from collectors in the RUNNING state.
If you set the NLS_LANG environment variable before running the avctl start_oc4j command in the Audit Vault Agent shell and running the avctl start_agent command or avctl start_collector command in the Audit Vault Server shell, the avctl start_collector command can accept a multibyte source name or collector name.
Example
The following example shows how to start the collector in Oracle Audit Vault:
```
$ avctl start_collector -collname REDO_Collector -srcname ORCLSRC1.EXAMPLE.COM
AVCTL started
Starting Collector...
Collector started successfully.
```
avctl start_oc4j
Starts the agent OC4J. Run this command on the Audit Vault collection agent.
Syntax
avctl start_oc4j [-loglevel level] [-maxheapsize maximum_heap_memory]
Arguments
Argument | Description |
---|---|
-loglevel level | Optionally, enter the desired level of logging from the following options: |
-maxheapsize maximum_heap_memory | Enter the maximum amount of heap memory allocated for the Java OC4J process. The default value is 1000 MB. Optional. This setting enables you to fine-tune the OC4J performance based on the size of your Oracle Audit Vault installation. Check the size of the physical memory of the computer on which the Audit Vault collection agents are installed before setting this value. |
Usage Notes
If you installed the collection agent on a Microsoft Windows computer, run the avctl start_oc4j command from the ORACLE_HOME\agent_directory\bin directory. For UNIX or Linux installations, set the appropriate environment variables before running this command. See Section 2.2 for more information.
If you set the NLS_LANG environment variable before running the avctl start_oc4j command in the Audit Vault Agent shell and running the avctl start_agent command or avctl start_collector command in the Audit Vault Server shell, the avctl start_collector command can accept a multibyte source name or collector name.
Example
The following example shows how to start OC4J. For the -maxheapsize setting, include M (for megabytes) as shown below. You can set it for other sizes, such as G for gigabyte, but in most cases, you should set it in megabytes.
```
$ avctl start_oc4j -maxheapsize 500M
AVCTL started
Starting OC4J...
OC4J started successfully.
```
avctl stop_agent
Stops the collection agent. Run this command on the Audit Vault Server.
Syntax
avctl stop_agent -agentname agent_name
Arguments
Argument | Description |
---|---|
-agentname agent_name | Enter the collection agent (by collection agent name) to be stopped. |
Usage Notes
This command will first stop all collectors running at this collection agent, and then stop the collection agent itself.
On successful completion of this command, the collection agent and its collectors are moved to a STOPPED state.
If an error is encountered, Oracle Audit Vault sets the collection agent to an ERROR state. Oracle Audit Vault accepts audit records only from collection agents in the RUNNING state.
Example
The following example shows how to stop the collection agent in Oracle Audit Vault:
```
$ avctl stop_agent -agentname sales_agt
AVCTL started
Stopping Agent...
Agent stopped successfully.
```
avctl stop_av
Stops the Audit Vault Console. Run this command on the Audit Vault Server.
Syntax
avctl stop_av
Arguments
None
Usage Notes
Oracle Audit Vault includes Enterprise Management Database Control as part of the user interfaces. When you issue the stop_av command, it not only shuts down the Audit Vault Console, but it also stops Enterprise Management Database Control by executing the emctl stop dbconsole command. You do not need to issue the emctl command separately.
Example
The following example shows how to stop the Audit Vault Console:
```
$ avctl stop_av
AVCTL started
Stopping OC4J...
OC4J stopped successfully.
```
avctl stop_collector
Stops the collector. Run this command on the Audit Vault Server.
Syntax
avctl stop_collector -collname collector_name -srcname source_name
Arguments
Argument | Description |
---|---|
-collname collector_name | Enter the name of the collector to be stopped. |
-srcname source_name | Enter the name of the source database to which the collector (specified in the -collname argument) belongs. |
Usage Notes
On successful completion of this command, Oracle Audit Vault moves the collector to a STOPPED state.
If an error is encountered, Oracle Audit Vault sets the collector to an ERROR state.
Oracle Audit Vault accepts audit records only from collectors in the RUNNING state.
Example
The following example shows how to stop the collector in Oracle Audit Vault:
```
$ avctl stop_collector -collname STREAMSCOLLECTOR -srcname ORCL.REGRESS.RDBMS.DEV.US.ORACLE.COM
AVCTL started
Stopping Collector...
Collector stopped successfully.
```
avctl stop_oc4j
Stops the agent OC4J. Run this command on the Audit Vault collection agent.
Syntax
avctl stop_oc4j
Arguments
None
Usage Notes
If you installed the collection agent on a Microsoft Windows computer, run the avctl stop_oc4j command from the ORACLE_HOME\agent_directory\bin directory. For UNIX or Linux installations, set the appropriate environment variables before running this command. See Section 2.2 for more information.
Example
The following example shows how to stop OC4J:
```
$ avctl stop_oc4j
AVCTL started
Stopping agent OC4J...
OC4J stopped successfully.
```