A AVCLI Commands Reference

About the AVCLI Commands

You can use the AVCLI commands to configure host connections from the command line. You must be granted the AV_ADMIN role before you can run these commands. This appendix does not list all of the AVCLI commands, however. It only covers the commands that an Audit Vault and Database Firewall administrator needs to configure secured target connections.

All AVCLI commands must end in a semicolon (;).

See:

"Using the AVCLI Command Line Interface" for general usage information about using the AVCLI command line interface

Setting the JAVA_HOME Environment Variable

In the Audit Vault Server, you must set the JAVA_HOME environment variable to point to the JDK 1.6 or 1.7 installation directory.

Agent Host AVCLI Commands

The AVCLI host commands enable you to configure the host computer on which the Audit Vault Agent will reside.

Table A-1 lists the AVCLI agent host commands.

Table A-1 AVCLI Agent Host Commands

Command Description

REGISTER HOST

Adds the host to Audit Vault Server and identifies it as a host on which an agent can be deployed

ALTER HOST

Alters a host registered with the Audit Vault Server

LIST HOST

Lists the names of the currently registered agent host computers

DROP HOST

Drops the specified agent host from Audit Vault Server

ACTIVATE HOST

Activates the host on Audit Vault Server

DEACTIVATE HOST

Deactivates the specified host


REGISTER HOST

The REGISTER HOST command adds the host to Audit Vault Server and identifies it as a host on which an agent can be deployed.

Syntax

REGISTER HOST host_name [WITH IP ip_address]

Arguments

Argument Description
host_name The name of the host computer that you want to register.

To find the names of currently registered hosts, see "LIST HOST". See also "LIST ATTRIBUTE FOR SECURED TARGET".

ip_address Optional. The IP address associated with the host.

Usage Notes

To change the IP address associated with a host, use the "ALTER HOST" command.

Examples

avcli> REGISTER HOST sample_host.example.com;

Registers the host, sample_host.example.com, to run the agent process with the Audit Vault Server.

avcli> REGISTER HOST sample_host.example.net with ip 192.0.2.1;

Registers the host, sample_host.example.net, and associates it with the IP address 192.0.2.1.

ALTER HOST

The ALTER HOST command alters a host registered with the Audit Vault Server.

Syntax

ALTER HOST hostname SET {key=value [,key=value...]}

ALTER HOST hostname SET {key=value [,LOGLEVEL=component_name:loglevel_value...]}

Arguments

Argument Description
hostname The name of the host.
key The attribute being changed. See Table A-2 for supported key values.

Usage Notes

This command alters the attributes associated with the named host using key/value pairs. To modify multiple attributes in a single command invocation, specify comma-separated key/value pairs.

The following host name attributes are supported:

Table A-2 Host Attributes (key values)

Parameter Description

NAME

The new host name that replaces the existing one.

IP

The new IP address that replaces the existing IP address.

LOGLEVEL

The log level of various code components running on this host. This option can dynamically change the log levels of various Audit Vault Server code components.

The LOGLEVEL attribute takes a two part value, separated by a colon, as follows:

component_name:loglevel_value

where component_name can be av.agent, av.common, or av.server.

See Table A-3 for descriptions of LOGLEVEL component names, and Table A-4 for LOGLEVEL values.

The log levels of multiple components can be changed in one value by delimiting them with the | symbol.


The following are valid values for the LOGLEVEL attribute:

Table A-3 LOGLEVEL Component Names

Parameter Description

av.agent

agent component_name of LOGLEVEL value

av.server

Audit Vault Server component_name of LOGLEVEL value

av.common

shared Server and Agent component_name of LOGLEVEL value


Table A-4 LOGLEVEL Values

Loglevel Value Description

INFO

INFO level, loglevel_value of LOGLEVEL value

WARNING

WARNING level, loglevel_value of LOGLEVEL value

ERROR

ERROR level, loglevel_value of LOGLEVEL value

DEBUG

DEBUG level, loglevel_value of LOGLEVEL value


Examples

avcli> ALTER HOST sample_host.example.com SET ip=192.0.2.1;

Alters the host, sample_host.example.com, and changes the associated IP address to 192.0.2.1.

avcli> ALTER HOST sample_host.example.com SET name=new_sample_host.example.com;

Alters the host, sample_host.example.com, to new_sample_host.example.com. Additionally, it updates the IP address by doing a lookup against new_sample_host.example.com.

avcli> ALTER HOST sample_host.example.com SET loglevel=av.agent:info|av.common:debug;

Alters the log levels of the av.agent and av.common code components embedded in the agent process running on the host, sample_host.example.com.

LIST HOST

The LIST HOST command lists the names of the currently registered agent host computers.

Syntax

LIST HOST

Example

avcli> LIST HOST;

The various active hosts registered with the Audit Vault Server are listed.

DROP HOST

The DROP HOST command drops the host specified by the host_name from the Audit Vault Server and removes any associated metadata.

After dropping a host, if you want to register it again to collect audit data, you must reinstall the Audit Vault Agent on this host.

Syntax

DROP HOST hostname

Arguments

Argument Description
hostname The name of the host computer being dropped.

To find the names of currently registered hosts, see "LIST HOST".

See also "LIST ATTRIBUTE FOR SECURED TARGET".


Usage Notes

Ensure that the agent process on this host is in the stopped state before dropping the host. The DROP HOST command will fail otherwise.

Example

avcli> DROP HOST sample_host;

The host, sample_host, and any associated metadata are dropped.

ACTIVATE HOST

The ACTIVATE HOST command activates the host specified by hostname.

Syntax

ACTIVATE HOST hostname

Arguments

Argument Description
hostname The host name.

Usage Notes

Once a host is activated, an activation key appears, which must be entered when the agent process is started to complete the activation process.

Example

avcli> ACTIVATE HOST sample_host.example.com;

Activates the host, sample_host.example.com, and displays the activation key for this host.

DEACTIVATE HOST

The DEACTIVATE HOST command deactivates the host specified by hostname.

Syntax

DEACTIVATE HOST hostname

Arguments

Argument Description
hostname The host name.

Usage Notes

Once a host is deactivated, it may not be able to connect to the Audit Vault Server.

Example

avcli> DEACTIVATE HOST sample_host.example.com;

Deactivates the host, sample_host.example.com. The agent process on this host may not be able to connect to the Audit Vault Server.

Database Firewall AVCLI Commands

The AVCLI Database Firewall commands enable you to configure the Database Firewall.

Table A-5 lists the AVCLI Database Firewall commands.

Table A-5 Database Firewall Commands

Command Description

REGISTER FIREWALL

Registers the Database Firewall that has the specified IP address with the Audit Vault Server

DROP FIREWALL

Drops an already registered Database Firewall from the Audit Vault Server.

LIST FIREWALL

Lists all the Database Firewalls registered with the Audit Vault Server

REBOOT FIREWALL

Reboots a named Database Firewall that is already registered with the Audit Vault Server

POWEROFF FIREWALL

Powers off a named Database Firewall that is already registered with the Audit Vault Server

CREATE RESILIENT PAIR

Creates a resilient pair with two Database Firewalls for high availability

SWAP RESILIENT PAIR

Swaps Database Firewalls in a resilient pair that includes the named Database Firewall

DROP RESILIENT PAIR

Drops the resilient pair that contains the specified Database Firewall

ALTER FIREWALL

Alters the Database Firewall attributes

SHOW STATUS FOR FIREWALL

Displays the status for a particular Database Firewall


REGISTER FIREWALL

The REGISTER FIREWALL command registers the Database Firewall that has the specified IP address with the Audit Vault Server.

Syntax

REGISTER FIREWALL firewall_name WITH IP ip_address

Arguments

Argument Descriptions
firewall_name The name of the Database Firewall.
ip_address The IP address of the Database Firewall.

Usage Notes

The Database Firewall must be installed at the given IP address location.

To specify a firewall name with white space, enclose the entire string in quotes.

Example

avcli> REGISTER FIREWALL sample_fw WITH IP 192.0.2.14;

Database Firewall sample_fw is installed at IP address 192.0.2.14.

DROP FIREWALL

The DROP FIREWALL command drops an already registered Database Firewall from the Audit Vault Server.

Syntax

DROP FIREWALL firewall_name

Arguments

Argument Descriptions
firewall_name The name of the Database Firewall.

Example

avcli> DROP FIREWALL sample_fw;

The Database Firewall sample_fw is dropped.

LIST FIREWALL

The LIST FIREWALL command lists all the Database Firewalls registered with the Audit Vault Server.

Syntax

LIST FIREWALL

Example

avcli> LIST FIREWALL;

A list of the Database Firewalls registered with Audit Vault Server appears.

REBOOT FIREWALL

The REBOOT FIREWALL command reboots a named Database Firewall that is already registered with the Audit Vault Server.

Syntax

REBOOT FIREWALL firewall_name

Arguments

Argument Descriptions
firewall_name The name of the Database Firewall.

Example

avcli> REBOOT FIREWALL sample_fw;

The Database Firewall sample_fw reboots.

POWEROFF FIREWALL

The POWEROFF FIREWALL command powers off a named Database Firewall that is already registered with the Audit Vault Server.

Syntax

POWEROFF FIREWALL firewall_name

Arguments

Argument Descriptions
firewall_name The name of the Database Firewall.

Example

avcli> POWEROFF FIREWALL sample_fw;

The Database Firewall sample_fw switches off.

CREATE RESILIENT PAIR

The CREATE RESILIENT PAIR command creates a resilient pair with two Database Firewalls for high availability.

Syntax

CREATE RESILIENT PAIR FOR FIREWALL PRIMARY primary_firewall
  SECONDARY secondary_firewall

Arguments

Argument Descriptions
primary_firewall The name of the primary Database Firewall. Only this Firewall can generate syslog alerts
secondary_firewall The name of the secondary Database Firewall.

Example

avcli> CREATE RESILIENT PAIR FOR FIREWALL PRIMARY sample_fw1 SECONDARY sample_fw2;

A resilient pair is created with primary Database Firewall sample_fw1 and secondary Database Firewall sample_fw2.

SWAP RESILIENT PAIR

The SWAP RESILIENT PAIR command swaps Database Firewalls in a resilient pair that includes the named Database Firewall.

Syntax

SWAP RESILIENT PAIR HAVING FIREWALL firewall_name
 

Arguments

Argument Descriptions
firewall_name The name of the Database Firewall.

Example

avcli> SWAP RESILIENT PAIR HAVING FIREWALL sample_fw1;

In the existing resilient pair that includes Database Firewall sample_fw1, the primary firewall is swapped with the secondary firewall, or the reverse.

DROP RESILIENT PAIR

The DROP RESILIENT PAIR command drops the resilient pair that contains the specified Database Firewall.

Syntax

DROP RESILIENT PAIR HAVING FIREWALL firewall_name

Arguments

Argument Descriptions
firewall_name The name of the Database Firewall.

Example

avcli> DROP RESILIENT PAIR HAVING FIREWALL sample_fw1;

The existing resilient pair that includes Database Firewall sample_fw1 is broken.

ALTER FIREWALL

The ALTER FIREWALL command alters the Database Firewall attributes.

Syntax

ALTER FIREWALL firewall_name SET attribute=value [, attribute=value]

Arguments

Argument Description
firewall_name The name of the Database Firewall.
attribute The pair (attribute and new value) for the Database Firewall. Separate multiple pairs by a space on the command line. See Table A-6 for a list of attributes.

Usage Notes

Table A-6 lists Database Firewall attributes that you can specify for the attribute=value argument.

Table A-6 Oracle Database Firewall Attributes

Parameter Description

NAME

The new name of the Database Firewall.

IP

The IP address of the Database Firewall.


Example

avcli> ALTER FIREWALL sample_fw1 SET NAME=sample_newfw1;

Database Firewall name changes from sample_fw1 to sample_newfw1.

avcli> ALTER FIREWALL sample_fw1 SET IP=192.0.2.169;

Database Firewall IP address is set to 192.0.2.169.

SHOW STATUS FOR FIREWALL

The SHOW STATUS command displays the status for a particular Database Firewall.

Syntax

SHOW STATUS FOR FIREWALL firewall_name

Arguments

Argument Descriptions
firewall_name The name of the Database Firewall.

Example

avcli> SHOW STATUS FOR FIREWALL sample_fw1;

The running information for Database Firewall sample_fw1 appears.

Enforcement Point AVCLI Commands

The AVCLI Enforcement Point commands enable you to configure the Database Firewall.

Table A-7 lists the AVCLI Enforcement Point commands.

Table A-7 Enforcement Point Commands

Command Description

CREATE ENFORCEMENT POINT

Creates an enforcement point with the specified name and protects the Database Firewall using either mode DAM or DPE

DROP ENFORCEMENT POINT

Drops the enforcement point

LIST ENFORCEMENT POINT

Lists all the enforcement points associated with the Database Firewall or secured target

START ENFORCEMENT POINT

Starts an enforcement point that was previously suspended

STOP ENFORCEMENT POINT

Stops the enforcement point monitoring the secured target

ALTER ENFORCEMENT POINT

Alters the enforcement point and attributes


CREATE ENFORCEMENT POINT

The CREATE ENFORCEMENT POINT command creates an enforcement point with the specified name and protects the Database Firewall using either mode DAM or DPE.

Syntax

CREATE ENFORCEMENT POINT enforcement_point_name 
  FOR SECURED TARGET secured_target_name 
  USING FIREWALL firewall_name 
  TRAFFIC SOURCE traffic_source_name
  WITH MODE DPE|DAM

Arguments

Argument Descriptions
enforcement_point_name The name of the enforcement point.
secured_target_name The name of the secured target.
firewall_name The name of the Database Firewall.
traffic_source_name The name of the traffic source

Example

avcli> CREATE ENFORCEMENT POINT sample_ep FOR SECURED TARGET sample_source USING 
  FIREWALL sample_fw TRAFFIC SOURCE sample_trafficsource WITH MODE DPE;

An enforcement point named sample_ep is created on Database Firewall sample_fw, using DPE mode to protect the secured target sample_source, and using the traffic source sample_trafficsource.

DROP ENFORCEMENT POINT

The DROP ENFORCEMENT POINT command drops the enforcement point.

Syntax

DROP ENFORCEMENT POINT enforcement_point_name

Arguments

Argument Descriptions
enforcement_point_name The name of the enforcement point.

Example

avcli> DROP ENFORCEMENT POINT sample_ep;

The enforcement point named sample_ep is dropped from the Database Firewall.

LIST ENFORCEMENT POINT

The LIST ENFORCEMENT POINT command lists all the enforcement points associated with either the Database Firewall or the secured target.

Syntax

LIST ENFORCEMENT POINT FOR FIREWALL firewall_name

LIST ENFORCEMENT POINT FOR SECURED TARGET secured_target_name

Arguments

Argument Descriptions
firewall_name The name of the Database Firewall.
secured_target_name The name of the secured target.

Example

avcli> LIST ENFORCEMENT POINT FOR FIREWALL sample_fw;

A list of all the enforcement points associated with Database Firewall sample_fw appears.

avcli> LIST ENFORCEMENT POINT FOR SECURED TARGET sample_source;

A list of all the enforcement points associated with secured target sample_source appears.

START ENFORCEMENT POINT

The START ENFORCEMENT POINT command starts an enforcement point that was previously suspended.

Syntax

START ENFORCEMENT POINT enforcement_point_name
 

Arguments

Argument Descriptions
enforcement_point_name The name of the enforcement point.

Example

avcli> START ENFORCEMENT POINT sample_ep;

The enforcement point named sample_ep starts.

STOP ENFORCEMENT POINT

The STOP ENFORCEMENT POINT command stops the enforcement point monitoring the secured target.

Syntax

STOP ENFORCEMENT POINT enforcement_point_name

Arguments

Argument Descriptions
enforcement_point_name The name of the enforcement point.

Example

avcli> STOP ENFORCEMENT POINT sample_ep;

The enforcement point named sample_ep stops.

ALTER ENFORCEMENT POINT

The ALTER ENFORCEMENT POINT command alters the enforcement point and attributes.

Syntax

ALTER ENFORCEMENT POINT enforcement_point_name SET attribute=value 
   [, attribute=value] 

Arguments

Argument Description
enforcement_point_name The name of the enforcement point.
attribute The pair (attribute and new value) for the enforcement point being altered. Separate multiple pairs by a space on the command line. See Table A-8 for enforcement point attributes.

Usage Notes

Attributes are specified by a comma-separated list of key=value pairs. The following key values are supported:

Table A-8 Enforcement Point Attributes

Parameter Description

TARGET

The new secured target name, which should be registered already in the Audit Vault Server, including the address.

MODE

The mode which monitors the enforcement point. Valid modes are: DAM or DPE.

PRESERVE_CONNECTION

True or False where True indicates that when the database firewall starts operating in DPE mode (either because it had been changed from DAM, or because it has restarted), any existing connections passing through the firewall are allowed to continue. This favors availability over security, because the firewall cannot enforce policy on these connections.

False indicates that any preexisting connections are broken. The database firewall can then enforce the policy when clients reconnect. This is the default behavior.

TRAFFIC_SOURCE

New valid traffic sources for enforcement point.

DATABASE_RESPONSE

True or False indicates whether or not to activate database response monitoring function for enforcement point.

FULL_ERROR_MESSAGE

True or False enables this option. This starts logging the error message associated with the error code.

DATABASE_INTERROGATION

True or False enables this option. This starts the database interrogation feature for enforcement point.

HOST_MONITOR

True or False enables this option. This specifies whether or not the remote agent needs to be enabled.

HOST_MONITOR_ADDRESS

The new IP Address for Remote agent.


Examples

avcli> ALTER ENFORCEMENT POINT ep1 SET TARGET=newsource;

The enforcement point is altered to monitor the new secured target.

avcli> ALTER ENFORCEMENT POINT ep1 SET MODE=dam;

The enforcement point monitoring is altered to DAM mode.

avcli> ALTER ENFORCEMENT POINT ep1 SET database_response=true,
  Full_error_message=true;

The enforcement point is altered to activate database response and log error messages associated with error codes.

avcli> ALTER ENFORCEMENT POINT ep1 SET database_interrogation=true;

The enforcement point is altered to activate direct database interrogation.

Secured Target AVCLI Commands

The AVCLI secured target commands enable you to configure both database and nondatabase secured targets for Audit Vault Server.

Table A-9 lists the AVCLI secured target commands.

Table A-9 AVCLI Secured Target Commands

Command Description

REGISTER SECURED TARGET

Registers a secured target to be monitored by Audit Vault Server

ALTER SECURED TARGET

Modifies the attributes of a secured target

LIST ADDRESS FOR SECURED TARGET

Lists all the addresses registered with the secured target

LIST SECURED TARGET

Lists the various active secured targets registered with the Audit Vault Server

LIST SECURED TARGET TYPE

Lists the secured target types currently registered with Audit Vault Server

LIST ATTRIBUTE FOR SECURED TARGET

Lists the attributes of a given secured target

LIST METRICS

Lists the metrics of a given secured target, such as the various trails

DROP SECURED TARGET

Removes the registration of the specified secured target from Audit Vault Server


REGISTER SECURED TARGET

The REGISTER SECURED TARGET command registers a secured target to be monitored by Audit Vault Server.

Syntax

REGISTER SECURED TARGET secured_target_name OF SECURED TARGET TYPE 
   "secured_target_type" [AT location] [AUTHENTICATED BY username/password] 

Arguments

Argument Description
secured_target_name Name of secured target. Must be unique.
secured_target_type A valid secured target type, for example "Oracle".

To find a list of supported secured target types, see "LIST SECURED TARGET TYPE".

location The secured target database connection information.

Optional in Oracle AVDF 12.1.2, and can be added later using the command ALTER SECURED TARGET.

The location is an opaque string that specifies how to connect to the secured target, typically a JDBC connect string. The syntax that you use depends on the secured target type. See the database-specific Usage Notes below.

If location is not provided, certain features such as entitlement retrieval, audit settings management, SPA retrieval, and audit trail collection are disabled if applicable to this secured target type.

username/password Optional. Credentials to connect to the secured target.

After you enter this argument and run the REGISTER SECURED TARGET command, Audit Vault Server prompts you for the user name and password of the secured target user account. For secured target databases, this account must exist on the secured target database.

See the database-specific Usage Notes in the following sections.


General Examples

avcli> HELP REGISTER SECURED TARGET;

Displays detailed help for the REGISTER SECURED TARGET command.

Oracle Database Usage Notes and Examples

  • For the location argument, enter the host name, port number, and service ID (SID), separated by a colon. Use the following syntax:

    AT host:port:service
    

    For example:

    Oracle Database: jdbc:oracle:thin:@//host:port/service
    

    If you are unsure of this connection information, then run the lsnrctl status listener_name command on the computer where you installed the secured target database.

  • The AUTHENTICATED BY command prompts for the secured target user name and password. This user account must exist in the secured target database.

    To find this user, query the SESSION_PRIVS and SESSION_ROLES data dictionary views.

Oracle Database Examples:

avcli> REGISTER SECURED TARGET sample_source OF SECURED TARGET TYPE "Oracle Database" 
   AT jdbc:oracle:thin:@//anymachinename:1521/example.com  
   AUTHENTICATED BY system/welcome_1; 

Registers an Oracle secured target, sample_source, of secured target type Oracle Database, reachable using connect string jdbc:oracle:thin:@//anymachinename:1521/example.com using credentials system/welcome_1.

SQL Server Example

avcli> REGISTER SECURED TARGET sample_mssqldb OF SECURED TARGET TYPE "Microsoft SQL Server" AT jdbc:av:sqlserver://hostname:port;

IBM DB2 Example

avcli> REGISTER SECURED TARGET sample_db2db OF SECURED TARGET TYPE "IBM DB2 LUW" AT jdbc:av:db2://host:port;

Registers a DB2 secured target, sample_db2db, of secured target type "IBM DB2 LUW", reachable using connect string jdbc:av:db2://host:port using credentials sa/welcome_1.

ALTER SECURED TARGET

The ALTER SECURED TARGET command modifies the attributes of a secured target.

Syntax

ALTER SECURED TARGET secured_target_name  
   SET attribute=value [, attribute=value]

ALTER SECURED TARGET secured_target_name ADD ADDRESS ip:port:[service]

ALTER SECURED TARGET secured_target_name DROP ADDRESS ip:port:[service]

Arguments

Argument Description
secured_target_name The name of the secured target database to be modified. The name is case-sensitive.

To find a list of existing secured targets, see "LIST SECURED TARGET".

attribute=value The key/value pair for the secured target attributes of the secured target to be modified. You can modify one or more secured target attributes at a time using a space on the command line.

See Table A-10 for secured target attributes. Some types of secured targets also require collection attributes. See "Collection Attributes".

To find a list of attribute values for a secured target, see "LIST ATTRIBUTE FOR SECURED TARGET".

ip The IP address
port The port number
service REQUIRED FOR ORACLE DATABASE ONLY: The service name or SID

Table A-10 lists secured target attributes that you can specify.

Table A-10 Secured Target Attributes

Attribute Description

NAME

The name for this secured target database instance. This must not be defined already in the Audit Vault Server for another secured target.

LOCATION

The location of the secured target

CREDENTIALS

The new username and password pair used to connect to the secured target. This is a two part value separated by a slash (/).

DESCRIPTION

The description for this secured target database instance

MAXIMUM_ENFORCEMENT_POINT_THREADS

The maximum number of enforcement point threads for the secured target. The valid range is between 1 and 16 (inclusive). The default value is 1.


General Usage Examples:

avcli> ALTER SECURED TARGET sample_source SET name=sample_source2;

The secured target name of sample_source changed to sample_source2.

avcli> ALTER SECURED TARGET sample_source SET credentials=scott/leopard;

The credentials used to connect to the secured target, sample_source, are changed.

avcli> ALTER SECURED TARGET sample_source SET description='This is a new description';

The description for the secured target, sample_source, is changed.

avcli> ALTER SECURED TARGET sample_source SET maximum_enforcement_point_threads=14;

Number of enforcement point threads is set for secured target, sample_source.

avcli> ALTER SECURED TARGET sample_source ADD address 192.0.2.2:1234:srcdb;

New secured target address is registered with secured target sample_source.

avcli> ALTER SECURED TARGET sample_source DROP address 192.0.2.2:1234:srcdb;

Secured target address registered before with secured target, sample_source, is dropped.

avcli> ALTER SECURED TARGET sample_source set maximum_enforcement_point_threads = 10;

Sets the maximum number of enforcement point threads for secured target sample_source to 10.

Oracle Example:

avcli> ALTER SECURED TARGET sample_source set
 location=jdbc:oracle:thin:@//new_sample_host:1521:sample_db;

The location of the secured target, sample_source, changes.
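
Several statements in this appendix carry security weight: REGISTER SECURED TARGET and ALTER SECURED TARGET can embed user/password pairs, PRESERVE_CONNECTION=True leaves existing connections outside policy enforcement, and every statement must end in a semicolon. The following Python reviewer for a file of AVCLI statements is an added example, not part of the Oracle documentation; the rule names, the sample script, and the treatment of MODE=DAM as monitoring-only (product behaviour not stated in this appendix) are assumptions of the example.

```python
import re

# Valid LOGLEVEL parts, copied from Tables A-3 and A-4 of this appendix.
LOG_COMPONENTS = {"av.agent", "av.server", "av.common"}
LOG_LEVELS = {"INFO", "WARNING", "ERROR", "DEBUG"}

# Constructed sample script, built from statement forms shown in this appendix.
SAMPLE_SCRIPT = """
REGISTER SECURED TARGET sample_source OF SECURED TARGET TYPE "Oracle Database"
   AT jdbc:oracle:thin:@//anymachinename:1521/example.com
   AUTHENTICATED BY system/welcome_1;
ALTER SECURED TARGET sample_source SET credentials=scott/leopard;
ALTER ENFORCEMENT POINT ep1 SET MODE=dpe, preserve_connection=true;
ALTER ENFORCEMENT POINT ep1 SET MODE=dam;
ALTER HOST sample_host.example.com SET loglevel=av.agent:info|av.comon:debug;
ALTER SECURED TARGET sample_source SET maximum_enforcement_point_threads=32;
STOP ENFORCEMENT POINT sample_ep;
ACTIVATE HOST sample_host.example.com
"""


def split_statements(script):
    """Split on ';' outside quotes; return (statements, unterminated tail)."""
    statements, buf, quote = [], [], None
    for ch in script:
        if quote:
            quote = None if ch == quote else quote
        elif ch in "'\"":
            quote = ch
        elif ch == ";":
            statements.append(" ".join("".join(buf).split()))
            buf = []
            continue
        buf.append(ch)
    tail = " ".join("".join(buf).split())
    return [s for s in statements if s], tail


def set_pairs(stmt):
    """Parse the 'SET key=value [, key=value]' clause into {KEY: value}."""
    clause = re.search(r"\bSET\b(.*)$", stmt, re.IGNORECASE)
    pairs = {}
    if clause:
        # Split only on commas that introduce another key=, so values keep theirs.
        for part in re.split(r",(?=\s*\w+\s*=)", clause.group(1)):
            key, sep, value = part.partition("=")
            if sep:
                pairs[key.strip().upper()] = value.strip().strip("'\"")
    return pairs


def redact(stmt):
    """Mask the password half of user/password pairs before reporting."""
    stmt = re.sub(r"(?i)(AUTHENTICATED\s+BY\s+[^/\s]+/)\S+", r"\1****", stmt)
    return re.sub(r"(?i)(CREDENTIALS\s*=\s*[^/\s,]+/)[^\s,]+", r"\1****", stmt)


def bad_loglevel_parts(value):
    """Return the '|'-delimited parts that are not a valid component:level."""
    bad = []
    for part in value.split("|"):
        component, _, level = part.strip().partition(":")
        if component.lower() not in LOG_COMPONENTS or level.upper() not in LOG_LEVELS:
            bad.append(part.strip())
    return bad


def review(script):
    """Return (rule, redacted statement) findings for an AVCLI script."""
    statements, tail = split_statements(script)
    findings = [("UNTERMINATED", redact(tail))] if tail else []
    for stmt in statements:
        upper, pairs = stmt.upper(), set_pairs(stmt)
        rules = []
        inline_auth = re.search(r"AUTHENTICATED\s+BY\s+\S+/\S+", upper)
        if inline_auth or "/" in pairs.get("CREDENTIALS", ""):
            rules.append("INLINE_CREDENTIALS")  # secret stored in the script
        if upper.startswith("ALTER ENFORCEMENT POINT"):
            if pairs.get("PRESERVE_CONNECTION", "").upper() == "TRUE":
                rules.append("PRESERVE_CONNECTION_TRUE")  # Table A-8 caveat
            if pairs.get("MODE", "").upper() == "DAM":
                rules.append("MODE_DAM")  # assumption: monitoring-only mode
        if upper.startswith("STOP ENFORCEMENT POINT"):
            rules.append("MONITORING_STOPPED")
        if "LOGLEVEL" in pairs and bad_loglevel_parts(pairs["LOGLEVEL"]):
            rules.append("BAD_LOGLEVEL")
        threads = pairs.get("MAXIMUM_ENFORCEMENT_POINT_THREADS")
        if threads is not None and not (threads.isdigit() and 1 <= int(threads) <= 16):
            rules.append("THREADS_OUT_OF_RANGE")  # Table A-10: 1 to 16
        findings.extend((rule, redact(stmt)) for rule in rules)
    return findings


if __name__ == "__main__":
    for rule, statement in review(SAMPLE_SCRIPT):
        print(f"{rule:26} {statement}")
```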

LIST ADDRESS FOR SECURED TARGET

The LIST ADDRESS FOR SECURED TARGET command lists all the addresses registered with the secured target.

Syntax

LIST ADDRESS FOR SECURED TARGET secured_target_name

Arguments

Argument Descriptions
secured_target_name The name of the secured target.

Example

avcli> LIST ADDRESS FOR SECURED TARGET sample_source;

All the addresses for secured target, sample_source, appear.

LIST SECURED TARGET

The LIST SECURED TARGET command lists the active secured targets registered with the Audit Vault Server.

Syntax

LIST SECURED TARGET;

Lists the active secured targets registered with the Audit Vault Server.

LIST SECURED TARGET TYPE

The LIST SECURED TARGET TYPE command lists the secured target types currently supported in the Audit Vault Server.

Syntax

LIST SECURED TARGET TYPE

Examples

avcli> LIST SECURED TARGET TYPE;

Lists the secured target types currently supported in the Audit Vault Server.

LIST ATTRIBUTE FOR SECURED TARGET

The LIST ATTRIBUTE FOR SECURED TARGET command lists the attributes of a given secured target.

Syntax

LIST ATTRIBUTE FOR SECURED TARGET secured_target_name;

Arguments

Argument Description
secured_target_name The name of the secured target. To find all registered secured targets, see "LIST SECURED TARGET".

LIST METRICS

The LIST METRICS command lists the metrics of a given secured target, such as various trails.

Syntax

LIST METRICS FOR SECURED TARGET secured_target_name

Arguments

Argument Description
secured_target_name The name of the secured target

To find all registered secured targets, see "LIST SECURED TARGET".


Usage Notes

The LIST METRICS command has the same usage for all secured target types.

Examples

avcli> LIST METRICS FOR SECURED TARGET sample_source;

Metrics available for the secured target, sample_source, are listed.

DROP SECURED TARGET

The DROP SECURED TARGET command removes the registration of the specified secured target from Audit Vault Server.

Syntax

DROP SECURED TARGET secured_target_name

Arguments

Argument Description
secured_target_name The name of the secured target. To find all registered secured targets, see "LIST SECURED TARGET".

Usage Notes

Ensure that all trails associated with this secured target are in stopped state before dropping the secured target. Otherwise, the DROP SECURED TARGET command fails. See HELP STOP COLLECTION for an explanation of how to stop active trails.

Dropping a secured target stops the Audit Vault Server from monitoring it. Any audit data collected earlier continues to be available in the Audit Vault Server repository.

Examples

avcli> DROP SECURED TARGET sample_source;

Drops the sample_source secured target.

Audit Trail Collection AVCLI Commands

The AVCLI secured target audit trail collection commands enable you to manage the audit trail collections for the secured targets.

Table A-11 lists the AVCLI secured target connection commands.

Table A-11 AVCLI Secured Target Connection Commands

Command Description

START COLLECTION FOR SECURED TARGET

Starts the collection of specified audit trail data from a given secured target

STOP COLLECTION FOR SECURED TARGET

Stops the audit trail collection

LIST TRAIL FOR SECURED TARGET

Lists the available audit trails that have been started with the START COLLECTION command or stopped with the STOP COLLECTION command

DROP TRAIL FOR SECURED TARGET

Drops an audit trail


START COLLECTION FOR SECURED TARGET

The START COLLECTION FOR SECURED TARGET command starts the collection of specified audit trail data from a given secured target, optionally using the specified collection plug-in.

Syntax

START COLLECTION FOR SECURED TARGET secured_target_name USING HOST host FROM location
   [USING PLUGIN plugin id]

Arguments

Argument Description
secured_target_name The name of the secured target whose audit trail collection you want to begin.

To find all registered secured targets, see "LIST SECURED TARGET".

host The name of the host where the secured target agent resides.

To find a list of configured agent hosts, see "LIST HOST".

For detailed information about a secured target, see "LIST ATTRIBUTE FOR SECURED TARGET".

location The location is one of following:
  • DIRECTORY directory name / mask

  • TABLE tablename

  • SYSLOG DEFAULT | filename / file mask

  • NETWORK

  • EVENT LOG eventlog_name

  • TRANSACTION LOG

  • CUSTOM name

plugin id The collection plug-in id being used. Required if there is more than one possible plug-in. Optional if there is only one plug-in.

To find a list of existing plug-ins for the type, see "LIST PLUGIN FOR SECURED TARGET TYPE".


General Usage Notes

To start the trail, the agent process which manages the trail should also be in the running state. If the collection process connects to the secured target, the secured target must be up and running. When multiple plug-ins can process audit data from a secured target, use the optional USING PLUGIN directive to disambiguate the collection process.

A trail starts in the START_REQUESTED state and transitions to a starting state, followed by a running state. If there is no outstanding audit data to process from the given trail, the collection process switches to an idle state. The current state can be viewed using the LIST TRAIL command.

If a trail must be authenticated, the Audit Vault Server uses the credentials provided in the AUTHENTICATED BY argument of the REGISTER SECURED TARGET command. (See "REGISTER SECURED TARGET".)

After you run the START COLLECTION command, the Audit Vault Server begins to collect audit data from the configured secured targets. If you want to stop the collection, then run the STOP COLLECTION command, described in "STOP COLLECTION FOR SECURED TARGET".

Windows Systems Usage Notes

On Windows systems, enter directory and file name locations in either double-quoted strings or as a nonquoted string using forward slashes. For example:

... FROM DIRECTORY "c:\app\oracle\product\11.1\av";

... FROM DIRECTORY c:/app/oracle/product/11.1/av;

General Examples

avcli> START COLLECTION FOR SECURED TARGET sample_source USING HOST foo FROM
   directory /opt/audit_trail;

Audit data collection from trail /opt/audit_trail for secured target sample_source starts.

avcli> START COLLECTION FOR SECURED TARGET sample_source USING HOST foo FROM TABLE sys.aud$;

Audit data collection from table trail sys.aud$ for secured target sample_source starts.

avcli> START COLLECTION FOR SECURED TARGET sample_source USING HOST foo FROM syslog
   /usr/syslog/syslog*;

Collecting syslog trail /usr/syslog/syslog* for secured target sample_source starts.

avcli> START COLLECTION FOR SECURED TARGET sample_source USING HOST foo FROM event
  log application;

Collecting application event log trail for secured target sample_source starts.

avcli> START COLLECTION FOR SECURED TARGET sample_source USING HOST foo 
  FROM transaction log;

Collecting transaction log trails for secured target sample_source starts.

avcli> START COLLECTION FOR SECURED TARGET sample_source USING HOST foo
  FROM TABLE sys.aud$ USING PLUGIN com.sample_plugin;

Audit data collection from table trail sys.aud$ for the secured target sample_source, using the com.sample_plugin plug-in, starts.

Oracle Database Secured Target Usage Notes

Audit Trail Settings

For the operating system type of audit trail, use the following settings:

  Type of Audit Trail trail_type Setting audit_trail Setting
  Operating system directory DIRECTORY directory_location
  Syslog file SYSLOG file_name
  Windows event log EVENTLOG n/a

SQL Server Secured Target Usage Notes

Audit Trail Settings

You can write the SQL Server audit trail to the Windows event log, C2 trace files, or server side trace files. The FROM trail_type audit_trail arguments are as follows:

  Type of Audit Trail trail_type Setting audit_trail Setting
  Windows event log EVENTLOG n/a
  C2 trace file DIRECTORY file_wildcard
  Server-side trace files DIRECTORY file_wildcard
  SQLAUDIT files DIRECTORY file_wildcard

Sybase ASE Secured Target Usage Notes and Examples

For the Sybase ASE audit trail, set the trail_type audit_trail setting to TABLE SYSAUDITS.

Sybase ASE Example

avcli> START COLLECTION FOR SECURED TARGET hr_syb_db USING HOST sybserver 
FROM TABLE SYSAUDITS;

MySQL Usage Notes

The trail location is the path to the directory where converted XML files are created by running the MySQL XML transformation utility. See "(Required for MySQL) Running the XML Transformation Utility".

IBM DB2 Usage Notes and Examples

For the IBM DB2 audit trail, set the trail_type audit_trail setting to DIRECTORY directory_location.

IBM DB2 Example

avcli> START COLLECTION FOR SECURED TARGET hr_db2_db USING HOST db2server
FROM DIRECTORY "d:\temp\trace";

Oracle Solaris Secured Target Usage Notes

For an Oracle Solaris secured target, the trail location used in this command must be in the format:

hostname:path_to_trail

where hostname matches the hostname in the audit log names, which look like this:

timestamp1.timestamp2.hostname

Windows Secured Target Usage Notes

For a Windows secured target, the event log audit trail type collects data from the Windows Security Event Log. The trail location used in this command must be security.

STOP COLLECTION FOR SECURED TARGET

The STOP COLLECTION FOR SECURED TARGET command stops the audit trail collection.

Syntax

STOP COLLECTION FOR SECURED TARGET secured_target_name USING HOST hostname FROM location
 [USING PLUGIN plugin_id]

Arguments

Argument Description
secured_target_name The name of the secured target for the trail collection you want to stop.

To find a list of all registered secured targets, see "LIST SECURED TARGET".

hostname The name of the host where the secured target agent resides.

To find a list of configured agent hosts, see "LIST HOST".

For detailed information about a secured target, see "LIST ATTRIBUTE FOR SECURED TARGET".

location The location is one of the following:
  • DIRECTORY directory name / mask

  • TABLE tablename

  • SYSLOG DEFAULT | filename / file mask

  • NETWORK

  • EVENT LOG eventlog name

  • TRANSACTION LOG

  • CUSTOM name

plugin_id The collection plug-in id being used. Required if there is more than one possible plug-in. Optional if there is only one plug-in.

To find a list of existing plug-ins for the type, see "LIST PLUGIN FOR SECURED TARGET TYPE".


General Usage Notes

Since the command is sent to the trail directly, the agent process does not need to be in a running state. When multiple plug-ins process audit data from a secured target, use the optional USING PLUGIN directive to disambiguate the process.

A trail will be in a STOP_REQUESTED state when stopped and transitions to a stopping state, followed by a stopped state. The current state can be viewed using the LIST TRAIL FOR SECURED TARGET command ("LIST TRAIL FOR SECURED TARGET").

Windows Systems Usage Notes

On Windows systems, enter directory and file name locations in either double-quoted strings or as a nonquoted string using forward slashes. For example:

... FROM DIRECTORY "c:\app\oracle\product\11.1\av";

... FROM DIRECTORY c:/app/oracle/product/11.1/av;

General Examples

avcli> STOP COLLECTION FOR SECURED TARGET sample_source USING HOST sample_host FROM directory /opt/audit_trail;

Audit data collection from trail /opt/audit_trail for secured target sample_source stops.

avcli> STOP COLLECTION FOR SECURED TARGET sample_source USING HOST sample_host FROM TABLE sys.aud$;

Audit data collection from table trail sys.aud$ for secured target sample_source stops.

avcli> STOP COLLECTION FOR SECURED TARGET sample_source USING HOST sample_host FROM syslog
  /usr/syslog/syslog*;

Collecting syslog trail /usr/syslog/syslog* for secured target sample_source stops.

avcli> STOP COLLECTION FOR SECURED TARGET sample_source USING HOST sample_host FROM event log application;

Collecting application event log trail for secured target sample_source stops.

avcli> STOP COLLECTION FOR SECURED TARGET sample_source USING HOST sample_host FROM transaction log;

Collecting transaction log trail for secured target sample_source stops.

avcli> STOP COLLECTION FOR SECURED TARGET sample_source USING HOST sample_host FROM TABLE sys.aud$ USING PLUGIN com.sample_plugin;

Audit data collection from table sys.aud$ for the secured target sample_source, using the com.sample_plugin plug-in, stops.

Oracle Database Usage Notes and Examples

Audit Trail Settings

For the operating system type of audit trail, use the following settings:

Oracle Database Examples

Operating system directory example:

avcli> STOP COLLECTION FOR SECURED TARGET hr_sql_db USING HOST hrdb.example.com 
FROM DIRECTORY $ORACLE_HOME/logs;

Operating system syslog file example:

avcli> STOP COLLECTION FOR SECURED TARGET hr_sql_db USING HOST hrdb.example.com 
FROM SYSLOG /etc/syslog.conf;

Operating system Windows event log example:

avcli> STOP COLLECTION FOR SECURED TARGET hr_sql_db USING HOST hrdb.example.com 
FROM EVENTLOG;

Database audit trail example:

avcli> STOP COLLECTION FOR SECURED TARGET hr_sql_db USING HOST hrdb.example.com 
FROM TABLE sys.aud$;

REDO log example:

avcli> STOP COLLECTION FOR SECURED TARGET hr_sql_db USING HOST hrdb.example.com 
FROM TRANSACTION LOG;

SQL Server Usage Notes and Example

The SQL Server audit trail can be in the Windows event log, C2 trace files, or server side trace files. The FROM trail_type audit_trail arguments are as follows:

  Type of Audit Trail trail_type Setting audit_trail Setting
  Windows event log EVENTLOG n/a
  C2 trace file C2TRACE file_wildcard
  Server-side trace files SERVERSIDETRACE file_wildcard

SQL Server Examples

Windows event log example:

avcli> STOP COLLECTION FOR SECURED TARGET hr_sql_db USING HOST mssqlserver 
FROM EVENTLOG;

C2 trace example:

avcli> STOP COLLECTION FOR SECURED TARGET hr_sql_db USING HOST mssqlserver 
FROM DIRECTORY "c:\SQLAuditFile*.trc";

Server-side trace example:

avcli> STOP COLLECTION FOR SECURED TARGET hr_sql_db USING HOST mssqlserver 
FROM DIRECTORY "c:\SQLAuditFile*.trc";

Sybase ASE Usage Notes and Example

For the Sybase ASE audit trail, set the trail_type audit_trail setting to TABLE SYSAUDITS.

Sybase ASE Example

avcli> STOP COLLECTION FOR SECURED TARGET hr_syb_db USING HOST sybserver 
FROM TABLE SYSAUDITS;

MySQL Usage Notes

The trail location is the path to the directory where converted XML files are created by running the MySQL XML transformation utility. See "(Required for MySQL) Running the XML Transformation Utility".

IBM DB2 Usage Notes and Example

For the IBM DB2 audit trail, set the trail_type audit_trail setting to DIRECTORY directory_location.

IBM DB2 Example

avcli> STOP COLLECTION FOR SECURED TARGET hr_db2_db USING HOST db2server
FROM DIRECTORY "d:\temp\trace";

Oracle Solaris Usage Notes

For Oracle Solaris, the trail location must be in the format:

hostname:path_to_trail

where hostname matches the hostname in the audit log names, which look like this:

timestamp1.timestamp2.hostname
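The hostname rule above, which applies to both START COLLECTION and STOP COLLECTION, can be checked before a trail is registered. The following is an added example, not part of the Oracle documentation: it derives the hostname:path_to_trail location from the audit file names and rejects a mismatch such as a short name where the files carry a fully qualified name. The 14-digit timestamps, the not_terminated end stamp, the sample file names and the function name are assumptions.

```python
import re

# Assumption (Solaris naming convention, not stated on this page): audit files are
# named <start>.<end>.<hostname>, with 14-digit stamps, and the file still being
# written uses the literal "not_terminated" as its end stamp.
_AUDIT_NAME = re.compile(r"^(\d{14})\.(\d{14}|not_terminated)\.(.+)$")

# Constructed directory listing for illustration.
FILES = [
    "20140110153012.20140110163012.db01.example.com",
    "20140110163012.not_terminated.db01.example.com",
    "lost+found",
]


def trail_location(directory, filenames, expected_host=None):
    """Return (location, skipped) where location is 'hostname:path_to_trail'.

    The hostname is everything after the second dot, so a fully qualified
    name such as db01.example.com is kept whole. Raises ValueError when the
    directory holds files from more than one host, holds no audit files, or
    when the hostname the operator intends to use does not match the files.
    """
    hosts, skipped = set(), []
    for name in filenames:
        match = _AUDIT_NAME.match(name)
        if match:
            hosts.add(match.group(3))
        else:
            skipped.append(name)  # not an audit file; report it, do not guess
    if not hosts:
        raise ValueError("no Solaris audit files found in " + directory)
    if len(hosts) > 1:
        raise ValueError("audit files from several hosts: " + ", ".join(sorted(hosts)))
    host = hosts.pop()
    if expected_host is not None and expected_host != host:
        raise ValueError(
            "location hostname %r does not match audit file hostname %r"
            % (expected_host, host)
        )
    return "%s:%s" % (host, directory), skipped


if __name__ == "__main__":
    print(trail_location("/var/audit", FILES))
```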

Windows Secured Target Usage Notes

For a Windows secured target, the event log audit trail type collects data from the Windows Security Event Log. The trail location used in this command must be security.

LIST TRAIL FOR SECURED TARGET

The LIST TRAIL FOR SECURED TARGET command lists the available audit trails that have been started with the START COLLECTION command or stopped with the STOP COLLECTION command.

Syntax

LIST TRAIL FOR SECURED TARGET secured_target_name

Arguments

Argument Description
secured_target_name The name of the secured target.

To find a list of existing secured targets, see "LIST SECURED TARGET".


Usage Notes

LIST TRAIL FOR SECURED TARGET does not list audit trails that have been created but not yet started or stopped.

Examples

avcli> LIST TRAIL FOR SECURED TARGET sample_source;

The trails available for the secured target sample_source are listed.

DROP TRAIL FOR SECURED TARGET

The DROP TRAIL FOR SECURED TARGET command drops a trail that no longer needs to be monitored.

Note:

An audit trail must be in a STOPPED state in order for it to be dropped. A trail that has previously collected audit data associated with it cannot be dropped.

Syntax

DROP TRAIL FOR SECURED TARGET secured_target_name USING HOST hostname FROM location

Arguments

Argument Description
secured_target_name The name of the secured target whose audit trail you want to drop.

To find all registered secured targets, see "LIST SECURED TARGET".

hostname The name of the host where the secured target agent resides.

To find a list of configured agent hosts, see "LIST HOST".

For detailed information about a secured target, see "LIST ATTRIBUTE FOR SECURED TARGET".

location The location is one of the following:
  • DIRECTORY directory name / mask

  • TABLE tablename

  • SYSLOG DEFAULT | filename / file mask

  • NETWORK

  • EVENT LOG eventlog name

  • TRANSACTION LOG

  • CUSTOM name


Examples

avcli> DROP TRAIL FOR SECURED TARGET sample_source USING HOST foo FROM
   DIRECTORY /opt/audit_trail;

The audit trail from the directory /opt/audit_trail for secured target sample_source is dropped.

avcli> DROP TRAIL FOR SECURED TARGET sample_source USING HOST foo FROM TABLE sys.aud$;

The audit trail from table trail sys.aud$ for secured target sample_source is dropped.

avcli> DROP TRAIL FOR SECURED TARGET sample_source USING HOST foo FROM SYSLOG DEFAULT
   /usr/syslog/syslog*;

Syslog trail /usr/syslog/syslog* for secured target sample_source is dropped.

avcli> DROP TRAIL FOR SECURED TARGET sample_source USING HOST foo 
   FROM TRANSACTION LOG;

The transaction log trail for secured target sample_source is dropped.

SMTP Connection AVCLI Commands

The AVCLI SMTP commands enable you to manage SMTP email notifications for Audit Vault Server reports and alerts.

Table A-12 lists the SMTP-specific AVCLI commands.

Table A-12 AVCLI SMTP Commands

Command Description

REGISTER SMTP SERVER

Registers the SMTP server configuration with the Audit Vault Server

ALTER SMTP SERVER

Modifies the SMTP server configuration and state

ALTER SMTP SERVER ENABLE

Enables SMTP server configurations for servers registered with the REGISTER SMTP SERVER command or modified with the ALTER SMTP SERVER command

ALTER SMTP SERVER DISABLE

Disables the SMTP server configuration

ALTER SMTP SERVER SECURE MODE ON

Enables the SMTP server configuration and specifies the secure protocol mode used

ALTER SMTP SERVER SECURE MODE OFF

Disables secure mode in an existing secure SMTP server

TEST SMTP SERVER

Tests SMTP integration with the Audit Vault Server by sending a test email

LIST ATTRIBUTE OF SMTP SERVER

Displays the current SMTP configuration details used by Audit Vault Server

DROP SMTP SERVER

Unregisters the SMTP Server registered with the Audit Vault Server and removes any associated configuration metadata


REGISTER SMTP SERVER

The REGISTER SMTP SERVER command registers the SMTP server configuration with the Audit Vault Server.

Syntax

REGISTER SMTP SERVER AT host:[port] SENDER ID sender_id SENDER EMAIL sender_email 
[AUTHENTICATED BY username/password]

Arguments

Argument Description
host:[port] The name, and optionally, the outgoing port number of the SMTP server. The port defaults to 25, if unspecified.
sender_id The user ID of the person responsible for sending the email (that is, the email address that appears after From).
sender_email The email address of the person whose ID you entered for the SENDER ID, in Request For Comments (RFC) 822 format.
username/password Optional. The authentication credentials for the recipient user.

If the SMTP server runs in authenticated mode and needs a valid username/password to connect to send emails, use the AUTHENTICATED BY clause to specify those credentials.


Usage Notes

  • Right after you create the SMTP server configuration, it is enabled and ready to use.

  • If the SMTP server is a secure server, then run the ALTER SMTP SERVER SECURE MODE ON command ("ALTER SMTP SERVER SECURE MODE ON") after you run REGISTER SMTP SERVER.

  • To test the configuration, run the TEST SMTP SERVER command ("TEST SMTP SERVER").

  • This command associates the sender id and sender email with this configuration data so that all generated emails are sent with this sender id and sender email.

Examples

avcli> REGISTER SMTP SERVER AT sample_mail.example.com SENDER ID "do-not-reply" SENDER EMAIL donotreply@example.com;

For an SMTP server running in non-authentication mode at sample_mail.example.com, all email is generated and sent from the address: do-not-reply<donotreply@example.com>.

avcli> REGISTER SMTP SERVER AT sample_mail.example.com:455 SENDER ID av-alerts SENDER
  EMAIL avalerts@example.com AUTHENTICATED BY smtpuser/smtppass;

For an SMTP server running in authentication mode at sample_mail.example.com, port 455; all email is generated and sent from the address: av-alerts<avalerts@example.com>. The credentials smtpuser/smtppass connect to this server to send emails.

ALTER SMTP SERVER

The ALTER SMTP SERVER command modifies the SMTP server configuration and state.

Syntax

ALTER SMTP SERVER AT host:[port] [SENDER ID sender_id]| 
  [SENDER EMAIL sender_email] | [AUTHENTICATED BY username/password]
  

Arguments

Argument Description
host:[port] The name, and optionally, the outgoing port number of the SMTP server. The port defaults to 25.
sender_id The user ID of the person responsible for sending the email (that is, the email address that appears after From).
sender_email The email address of the person whose ID you entered for the SENDER ID, in Request For Comments (RFC) 822 format.
username/password Optional. The authentication credentials for the recipient user.

If the SMTP server runs in authenticated mode and needs a valid username/password to connect to send emails, use the AUTHENTICATED BY clause to specify those credentials.


Usage Notes

  • After you complete the SMTP server configuration, it is enabled and ready to use.

  • If the SMTP server is a secure server, then run the ALTER SMTP SERVER SECURE MODE ON command ("ALTER SMTP SERVER SECURE MODE ON") after you run REGISTER SMTP SERVER.

  • To test the configuration, run the TEST SMTP SERVER command ("TEST SMTP SERVER").

  • If you omit an argument, then Audit Vault Server uses the previously configured setting.

Example

avcli> ALTER SMTP SERVER AT new_sample_host:465;

The host and port configuration information of the SMTP server is changed.

avcli> ALTER SMTP SERVER SENDER ID new-do-not-reply;

The sender ID configuration information of the SMTP server is changed.

avcli> ALTER SMTP SERVER AT new_sample_host:465 sender id new-do-not-reply;

The host and port as well as the sender ID of the SMTP server are changed.

ALTER SMTP SERVER ENABLE

The ALTER SMTP SERVER ENABLE command enables SMTP server configurations for servers registered with the REGISTER SMTP SERVER command or modified with the ALTER SMTP SERVER command.

Syntax

ALTER SMTP SERVER ENABLE

Usage Notes

  • When you enable the configuration, Audit Vault Server uses the configuration that was in place when you last disabled the SMTP configuration.

  • To find details about the most recent service configuration, see "LIST ATTRIBUTE OF SMTP SERVER".

Example

avcli> ALTER SMTP SERVER ENABLE;

SMTP integration is enabled.

Enables the integration between the Audit Vault and SMTP server.

ALTER SMTP SERVER DISABLE

The ALTER SMTP SERVER DISABLE command disables the SMTP server configuration.

Syntax

ALTER SMTP SERVER DISABLE

Usage Notes

  • After you disable the configuration, Audit Vault Server preserves the most recent configuration. So, when you re-enable the configuration, this configuration is made active again.

  • To find details about the most recent service configuration, see "LIST ATTRIBUTE OF SMTP SERVER".

  • This command may be useful when the SMTP Server is down for system maintenance.

Example

avcli> ALTER SMTP SERVER DISABLE;

SMTP integration is disabled.

Disables the integration between the Audit Vault and SMTP Server.

ALTER SMTP SERVER SECURE MODE ON

The ALTER SMTP SERVER SECURE MODE ON command enables the SMTP server configuration and specifies the secure protocol mode used.

Syntax

ALTER SMTP SERVER SECURE MODE ON PROTOCOL [SSL | TLS ] [TRUSTSTORE location]

Arguments

Argument Description
PROTOCOL Optional: One of the following types of protocol:
  • SSL: Secure Sockets Layer (default)

  • TLS: Transport Layer Security

location The path to the truststore file used to validate the server certificates. Optional.

Usage Notes

Run this command after you run either the REGISTER SMTP SERVER ("REGISTER SMTP SERVER") or ALTER SMTP SERVER ("ALTER SMTP SERVER") command.

Only run this command if the SMTP server that you are configuring is a secure server.

Examples

avcli> ALTER SMTP SERVER SECURE MODE ON PROTOCOL ssl TRUSTSTORE /sample_tstore;

This command acknowledges that the SMTP Server registered with Oracle Audit Vault Server is in secure mode, that is, supports SSL or TLS, and uses the file /sample_tstore to validate the certificate obtained from the SMTP Server during connects.

avcli> ALTER SMTP SERVER SECURE MODE ON PROTOCOL tls TRUSTSTORE /sample_tstore;

This example sets TLS protocol instead of SSL.

ALTER SMTP SERVER SECURE MODE OFF

The ALTER SMTP SERVER SECURE MODE OFF command disables secure mode in an existing secure SMTP server.

Syntax

ALTER SMTP SERVER SECURE MODE OFF

Usage Notes

Run this command after you run either the REGISTER SMTP SERVER ("REGISTER SMTP SERVER") or ALTER SMTP SERVER ("ALTER SMTP SERVER") command.

Example

avcli> ALTER SMTP SERVER SECURE MODE OFF;

Updated SMTP server configuration to not use secure protocol.

Sets the SMTP Server registered with Oracle Audit Vault Server to non-secure mode.

TEST SMTP SERVER

The TEST SMTP SERVER command tests SMTP integration with the Audit Vault Server by sending a test email.

Syntax

TEST SMTP SERVER SEND EMAIL TO email_address 

Arguments

Argument Description
email_address Recipient of the test email notification

Usage Notes

  • If the test fails, then check the configuration by running the LIST ATTRIBUTE OF SMTP SERVER ("LIST ATTRIBUTE OF SMTP SERVER") command.

  • You can recreate the configuration by running the ALTER SMTP SERVER command ("ALTER SMTP SERVER").

  • If there are no errors, a test email appears in the mail box of the user specified by the e-mail address argument.

  • You can provide a list of comma-separated email addresses to this command.

  • A SMTP Server must first be registered with the Audit Vault Server before this command can be used. See "REGISTER SMTP SERVER".

Example

avcli> TEST SMTP SERVER SEND EMAIL TO me@example.com;

To test the SMTP integration, a test email is sent to the email address, me@example.com.

avcli> TEST SMTP SERVER SEND EMAIL TO abc@example1.com,xyz@example2.com;

To test the SMTP integration, a test email is sent to the email address list, abc@example1.com,xyz@example2.com.

LIST ATTRIBUTE OF SMTP SERVER

The LIST ATTRIBUTE OF SMTP SERVER command displays the current SMTP configuration details used by Audit Vault Server.

Syntax

LIST ATTRIBUTE OF SMTP SERVER

Usage Notes

To reconfigure the SMTP service connection, run the ALTER SMTP SERVER ("ALTER SMTP SERVER") command.

Example

avcli> LIST ATTRIBUTE OF SMTP SERVER;

The configuration data/attributes for the SMTP server appear.

DROP SMTP SERVER

The DROP SMTP SERVER command unregisters the SMTP Server registered with the Audit Vault Server and removes any associated configuration metadata.

Syntax

DROP SMTP SERVER

Example

avcli> DROP SMTP SERVER;

SMTP server unregistered successfully.

The SMTP Server is unregistered and any associated configuration metadata is removed.
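The SMTP commands above are usually run as a sequence, and the order matters: credentials given with AUTHENTICATED BY are only protected in transit once ALTER SMTP SERVER SECURE MODE ON has been run. The following is an added example, not Oracle code: it replays an AVCLI script and reports SMTP settings worth reviewing. The finding names, the sample scripts, and the assumption that a new registration starts with secure mode off are illustrative.

```python
import re

# Constructed sample scripts (not taken from the Oracle documentation).
WEAK_SCRIPT = """
REGISTER SMTP SERVER AT mail.example.com:25 SENDER ID av-alerts
  SENDER EMAIL avalerts@example.com AUTHENTICATED BY smtpuser/smtppass;
TEST SMTP SERVER SEND EMAIL TO secops@example.com;
"""
HARDENED_SCRIPT = """
REGISTER SMTP SERVER AT mail.example.com:25 SENDER ID av-alerts
  SENDER EMAIL avalerts@example.com AUTHENTICATED BY smtpuser/smtppass;
ALTER SMTP SERVER SECURE MODE ON PROTOCOL tls TRUSTSTORE /sample_tstore;
TEST SMTP SERVER SEND EMAIL TO secops@example.com;
"""


def split_statements(script):
    """Split on ';' and collapse whitespace so multi-line commands match.

    Returns (statements, tail); tail is any text left after the last ';',
    that is, a command that was never terminated.
    """
    parts = script.split(";")
    tail = " ".join(parts[-1].split())
    return [" ".join(p.split()) for p in parts[:-1] if p.strip()], tail


def audit_smtp(script):
    """Replay the SMTP commands in a script and return sorted finding codes."""
    findings = set()
    statements, tail = split_statements(script)
    if tail:
        findings.add("MISSING_SEMICOLON")
    registered = auth = secure = False
    truststore = None
    for stmt in statements:
        up = stmt.upper()
        # Any inline username/password leaves a secret in the script file.
        if re.search(r"\bAUTHENTICATED BY \S+/\S+", up):
            findings.add("PASSWORD_IN_SCRIPT")
        if up.startswith("REGISTER SMTP SERVER"):
            # Assumption: a new registration starts with secure mode off.
            registered, secure, truststore = True, False, None
            auth = "AUTHENTICATED BY" in up
        elif up.startswith("DROP SMTP SERVER"):
            registered = auth = secure = False
            truststore = None
        elif up.startswith("ALTER SMTP SERVER SECURE MODE ON"):
            secure = True
            match = re.search(r"\bTRUSTSTORE (\S+)", stmt, re.IGNORECASE)
            truststore = match.group(1) if match else None
        elif up.startswith("ALTER SMTP SERVER SECURE MODE OFF"):
            secure, truststore = False, None
        elif up.startswith("ALTER SMTP SERVER") and "AUTHENTICATED BY" in up:
            auth = True
        elif up.startswith("TEST SMTP SERVER") and auth and not secure:
            # The test email logs in to the SMTP server before SSL/TLS is on.
            findings.add("TEST_SENT_BEFORE_SECURE_MODE")
    if registered and auth and not secure:
        findings.add("AUTH_WITHOUT_SECURE_MODE")
    if registered and secure and truststore is None:
        # TRUSTSTORE is optional; confirm what validates the server certificate.
        findings.add("SECURE_MODE_WITHOUT_TRUSTSTORE")
    return sorted(findings)


if __name__ == "__main__":
    print("weak:    ", audit_smtp(WEAK_SCRIPT))
    print("hardened:", audit_smtp(HARDENED_SCRIPT))
```

The PASSWORD_IN_SCRIPT finding also fires for REGISTER SAN SERVER and ALTER SAN SERVER statements that carry AUTHENTICATED BY, since the secret is stored in the script either way.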

Security Management AVCLI Commands

The AVCLI security management commands enable you to manage various administrator and super administrator privileges.

Table A-13 AVCLI Security Management Commands

Command Description

GRANT SUPERADMIN

Grants super administrator privileges to the user specified by username

REVOKE SUPERADMIN

Revokes super administrator privileges from users specified by username

GRANT ACCESS

Grants access to secured target name or secured target group name to specified user

REVOKE ACCESS

Revokes access to secured target or secured target group name from specified user

GRANT ADMIN

Grants administrator privileges to specified user

REVOKE ADMIN

Revokes administrator privileges from specified user


GRANT SUPERADMIN

The GRANT SUPERADMIN command grants super administrator privileges to the user specified by username.

Syntax

GRANT SUPERADMIN TO username

Arguments

Argument Description
username The specified user.

Usage Notes

This user automatically receives regular administrator rights as well.

Example

avcli> GRANT SUPERADMIN TO scott;

Super administrator (and administrator) privileges granted to user scott.

REVOKE SUPERADMIN

The REVOKE SUPERADMIN command revokes super administrator privileges from users specified by username.

Syntax:

REVOKE SUPERADMIN FROM username

Arguments

Argument Description
username The specified user.

Usage Notes

The user continues to retain regular administrator rights.

Example:

avcli> REVOKE SUPERADMIN FROM scott;

Super administrator privileges are revoked from user scott.

GRANT ACCESS

The GRANT ACCESS command grants access to a secured target name or secured target group name to a specified user.

Syntax

GRANT ACCESS ON SECURED TARGET secured_target_name TO username

GRANT ACCESS ON SECURED TARGET GROUP secured_target_group_name TO username

Arguments

Argument Description
username The specified user.
secured_target_name The name of the secured target.
secured_target_group_name The name of the secured target group.

Example

avcli> GRANT ACCESS ON SECURED TARGET sample_source TO scott;

User scott granted access to secured target sample_source.

avcli> GRANT ACCESS ON SECURED TARGET GROUP hr_db_group TO hr;

User hr granted access to group of secured targets specified by the group hr_db_group.

REVOKE ACCESS

The REVOKE ACCESS command revokes access to a secured target or secured target group name from a specified user.

Syntax

REVOKE ACCESS ON SECURED TARGET secured_target_name FROM username

REVOKE ACCESS ON SECURED TARGET GROUP secured_target_group_name FROM username

Arguments

Argument Description
username The specified user.
secured_target_name The name of the secured target.
secured_target_group_name The name of the secured target group.

Example

avcli> REVOKE ACCESS ON SECURED TARGET sample_source FROM scott;

Access to secured target sample_source revoked from user scott.

avcli> REVOKE ACCESS ON SECURED TARGET GROUP hr_db_group FROM hr;

Access to a group of secured targets specified by the group hr_db_group revoked from user hr.

GRANT ADMIN

The GRANT ADMIN command grants administrator privileges to a specified user.

Syntax

GRANT ADMIN TO username

Arguments

Argument Description
username The specified user.

Example

avcli> GRANT ADMIN TO scott;

Administrator privileges granted to user scott.

REVOKE ADMIN

The REVOKE ADMIN command revokes administrator privileges from a specified user.

Syntax:

REVOKE ADMIN FROM username

Arguments

Argument Description
username The specified user.

Example:

avcli> REVOKE ADMIN FROM scott;

Administrator privileges revoked from user scott.
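The usage notes for GRANT SUPERADMIN and REVOKE SUPERADMIN are asymmetric: the grant adds regular administrator rights, but the revoke leaves them in place. The following is an added example, not Oracle code: it replays a history of security management commands and reports which users still hold administrator rights afterwards. The command history and function names are constructed; REVOKE ADMIN against a current super administrator is flagged rather than applied, because this page does not document the outcome.

```python
import re

# Constructed command history (not from the Oracle documentation).
HISTORY = """
GRANT SUPERADMIN TO scott;
GRANT ACCESS ON SECURED TARGET GROUP hr_db_group TO hr;
GRANT ACCESS ON SECURED TARGET sample_source TO scott;
REVOKE SUPERADMIN FROM scott;
GRANT ADMIN TO hr;
REVOKE ACCESS ON SECURED TARGET sample_source FROM scott;
REVOKE ADMIN FROM hr;
"""

# Matches the six security management command forms documented above.
_CMD = re.compile(
    r"^(GRANT|REVOKE) "
    r"(?:(SUPERADMIN|ADMIN)|ACCESS ON SECURED TARGET (GROUP )?(\S+)) "
    r"(TO|FROM) (\S+)$",
    re.IGNORECASE,
)


def replay(history):
    """Apply GRANT/REVOKE statements in order.

    Returns (users, warnings). users maps a user name to
    {'superadmin': bool, 'admin': bool, 'access': set of (kind, name)}.
    """
    users, warnings = {}, []
    for raw in history.split(";"):
        stmt = " ".join(raw.split())
        match = _CMD.match(stmt)
        if not match:
            continue  # blank or not a security management command
        verb, role, group, obj, prep, user = match.groups()
        grant = verb.upper() == "GRANT"
        if (prep.upper() == "TO") != grant:
            warnings.append("malformed statement skipped: " + stmt)
            continue
        entry = users.setdefault(
            user, {"superadmin": False, "admin": False, "access": set()}
        )
        if role is None:
            key = ("group" if group else "target", obj)
            if grant:
                entry["access"].add(key)
            else:
                entry["access"].discard(key)
        elif role.upper() == "SUPERADMIN":
            entry["superadmin"] = grant
            if grant:
                entry["admin"] = True  # super admin also receives admin rights
            # On revoke the admin flag is untouched: the user retains it.
        elif not grant and entry["superadmin"]:
            warnings.append("REVOKE ADMIN on super administrator %s: "
                            "outcome not documented, state left unchanged" % user)
        else:
            entry["admin"] = grant
    return users, warnings


def residual_admins(users):
    """Users holding administrator rights without being super administrators."""
    return sorted(n for n, u in users.items() if u["admin"] and not u["superadmin"])


if __name__ == "__main__":
    state, notes = replay(HISTORY)
    print("still administrators:", residual_admins(state))
    print("warnings:", notes)
```

For the constructed history, scott remains an administrator after REVOKE SUPERADMIN; removing that right takes a separate REVOKE ADMIN.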

SAN Storage AVCLI Commands (AVDF 12.1.2)

Table A-14 lists SAN storage AVCLI commands. These commands are available as of Oracle AVDF version 12.1.2.

Table A-14 AVCLI SAN Storage Commands

Command Description

REGISTER SAN SERVER

Registers a SAN server of a specified storage type with the Audit Vault Server

ALTER SAN SERVER

Alters a SAN server registered with the Audit Vault Server by logging into or logging out of a target available on the SAN server

LIST TARGET FOR SAN SERVER

Displays the details of targets available on a specified SAN server

DROP SAN SERVER

Drops a SAN server registered with Audit Vault Server

LIST DISK

Displays details of disks available on the system

ALTER DISKGROUP

Alters a diskgroup by adding or dropping disks

LIST DISKGROUP

Displays details of all diskgroups in the system

LIST SAN SERVER

Displays details of SAN servers registered with the Audit Vault Server

SHOW ISCSI INITIATOR DETAILS FOR SERVER

Displays iSCSI initiator details for the Audit Vault Server


REGISTER SAN SERVER

Note: This command is available as of Oracle AVDF version 12.1.2.

The REGISTER SAN SERVER command registers a SAN server with the Audit Vault Server.

Syntax:

REGISTER SAN SERVER SAN_server_name OF TYPE storage_type ADDRESS address [PORT port] [METHOD discovery_method] [ON SECONDARY]

Use the [ON SECONDARY] option in a high availability configuration to apply this command to secondary Audit Vault Server.

Arguments

Argument Description
SAN_server_name Name of the SAN server. Must be unique.
storage_type Storage type. Currently, only iSCSI is supported (case-insensitive).
address IP address of the SAN server
port Optional. Port number. Default is 3260.
discovery_method Optional. Method used to discover targets. Possible values are:
SENDTARGETS [AUTHENTICATED BY username/password]
ISNS

Default is SENDTARGETS.


Examples:

avcli> REGISTER SAN SERVER testServer1 OF TYPE iSCSI ADDRESS 192.0.2.1;

Registers a SAN server testServer1 of storage type iSCSI at address 192.0.2.1. The default port number 3260 and the default discovery method sendtargets will be used.

avcli> REGISTER SAN SERVER testServer2 Of Type iSCSI ADDRESS 192.0.2.1 METHOD sendtargets AUTHENTICATED BY username2/password2;

Registers a SAN server testServer2 of storage type iSCSI at address 192.0.2.1 using the discovery method sendtargets with credentials username2 and password2.

ALTER SAN SERVER

Note: This command is available as of Oracle AVDF version 12.1.2.

The ALTER SAN SERVER command alters a SAN server registered with the Audit Vault Server by logging in or logging out of a target available on the SAN server.

Syntax:

ALTER SAN SERVER server_name LOGIN target_name ADDRESS address [PORT port] [AUTHENTICATED BY username/password] [ON SECONDARY]

ALTER SAN SERVER server_name LOGOUT target_name ADDRESS address [PORT port] [AUTHENTICATED BY username/password] [ON SECONDARY]

Use the [ON SECONDARY] option in a high availability configuration to apply this command to secondary Audit Vault Server.

Arguments

Argument Description
server_name Name of the SAN server registered with the Audit Vault Server.
target_name Name of the target on the SAN server. To get a list of targets, use the command "LIST TARGET FOR SAN SERVER".
address IP address or hostname of the target on the SAN server
port Optional. Default is 3260.
username/password If needed, credential used to log in to the target.

Example:

avcli> ALTER SAN SERVER testServer1 LOGIN target1 ADDRESS sample_target.example.com AUTHENTICATED BY username1/password1;

Alter the SAN server testServer1 by logging into target1 at address sample_target.example.com using credentials username1 and password1. The default port number 3260 will be used.

avcli> ALTER SAN SERVER testServer2 LOGOUT target2 ADDRESS sample_target.example.com;

Alter the SAN server testServer2 by logging out of target2 at address sample_target.example.com.

LIST TARGET FOR SAN SERVER

Note: This command is available as of Oracle AVDF version 12.1.2.

The LIST TARGET FOR SAN SERVER command displays details of the targets available on a specified SAN server.

Syntax:

LIST TARGET FOR SAN SERVER server_name [ON SECONDARY]

Use the [ON SECONDARY] option in a high availability configuration to apply this command to secondary Audit Vault Server.

Arguments

Argument Description
server_name Name of the SAN server registered with the Audit Vault Server.

Example:

avcli> LIST TARGET FOR SAN SERVER testServer1;

Displays the details of targets available on SAN server testServer1.

DROP SAN SERVER

Note: This command is available as of Oracle AVDF version 12.1.2.

The DROP SAN SERVER command removes a SAN server registered with the Audit Vault Server.

Syntax:

DROP SAN SERVER server_name [ON SECONDARY]

Use the [ON SECONDARY] option in a high availability configuration to apply this command to secondary Audit Vault Server.

Arguments

Argument Description
server_name Name of the SAN server registered with the Audit Vault Server.

Example:

avcli> DROP SAN SERVER testServer1;

Removes SAN server testServer1 from the Audit Vault Server.

LIST DISK

Note: This command is available as of Oracle AVDF version 12.1.2.

The LIST DISK command displays details of all disks available in the system, or disks in a specific disk group.

Syntax:

LIST DISK [FOR DISKGROUP SYSTEMDATA|EVENTDATA|RECOVERY] [ON SECONDARY]

Use the [ON SECONDARY] option in a high availability configuration to apply this command to secondary Audit Vault Server.

Examples:

avcli> LIST DISK;

Displays the details of all disks in the system.

avcli> LIST DISK FOR DISKGROUP SYSTEMDATA;

Displays the details of the SYSTEMDATA disk group.

ALTER DISKGROUP

Note: This command is available as of Oracle AVDF version 12.1.2.

The ALTER DISKGROUP command alters a disk group by adding or dropping disks from the group.

Syntax:

ALTER DISKGROUP SYSTEMDATA|EVENTDATA|RECOVERY ADD DISK disk_name 
   [ON SECONDARY]

ALTER DISKGROUP SYSTEMDATA|EVENTDATA|RECOVERY DROP DISK disk_name 
   [ON SECONDARY]

Use the [ON SECONDARY] option in a high availability configuration to apply this command to secondary Audit Vault Server.

Arguments

Argument Description
disk_name Name of the disk to add or drop. When adding a disk, the disk must be available in the system, and not previously added to a disk group. To display all disks available in the system, use the command "LIST DISK".

Examples:

avcli> ALTER DISKGROUP SYSTEMDATA ADD DISK disk1;

Adds disk1 to the SYSTEMDATA disk group.

avcli> ALTER DISKGROUP RECOVERY DROP DISK disk2;

Drops disk2 from the RECOVERY disk group.

LIST DISKGROUP

Note: This command is available as of Oracle AVDF version 12.1.2.

The LIST DISKGROUP command displays details of a disk group in the Audit Vault Server.

Syntax:

LIST DISKGROUP [ON SECONDARY]

Use the [ON SECONDARY] option in a high availability configuration to apply this command to the secondary Audit Vault Server.

Example:

avcli> LIST DISKGROUP;

Displays details for all disk groups in the system, for example, name, total space, and free space. To see details of the disks in a specific disk group, use the command "LIST DISK".

LIST SAN SERVER

Note: This command is available as of Oracle AVDF version 12.1.2.

The LIST SAN SERVER command displays details of SAN servers registered with the Audit Vault Server.

Syntax:

LIST SAN SERVER [ON SECONDARY]

Use the [ON SECONDARY] option in a high availability configuration to apply this command to the secondary Audit Vault Server.

Example:

avcli> LIST SAN SERVER;

Displays details of SAN servers registered in the system, such as storage name and storage type.

SHOW ISCSI INITIATOR DETAILS FOR SERVER

Note: This command is available as of Oracle AVDF version 12.1.2.

The SHOW ISCSI INITIATOR DETAILS FOR SERVER command displays iSCSI initiator details for the Audit Vault Server. These initiator details are used in the SAN server configuration to allow it to connect to the Audit Vault Server.

Syntax:

SHOW ISCSI INITIATOR DETAILS FOR SERVER [ON SECONDARY]

Use the [ON SECONDARY] option in a high availability configuration to apply this command to the secondary Audit Vault Server.

Example:

avcli> SHOW ISCSI INITIATOR DETAILS FOR SERVER;

Displays the iSCSI initiator details for the Audit Vault Server.

Remote Filesystem AVCLI Commands (AVDF 12.1.2)

Table A-15 lists the remote filesystem AVCLI commands. These commands are available as of Oracle AVDF 12.1.2. Currently they support registering and managing connections to NFS filesystems that are used as archive locations.

Table A-15 AVCLI Remote Filesystem Commands

Command Description

REGISTER REMOTE FILESYSTEM

Registers a remote filesystem with the Audit Vault Server

ALTER REMOTE FILESYSTEM

Alters a remote filesystem registered with the Audit Vault Server

DROP REMOTE FILESYSTEM

Drops a remote filesystem registered with the Audit Vault Server

LIST EXPORT

Displays the list of exports available on an NFS server

LIST REMOTE FILESYSTEM

Lists all remote filesystems registered with the Audit Vault Server

SHOW STATUS OF REMOTE FILESYSTEM

Shows the status of a remote filesystem registered with the Audit Vault Server


REGISTER REMOTE FILESYSTEM

Note: This command is available as of Oracle AVDF version 12.1.2.

The REGISTER REMOTE FILESYSTEM command registers a remote filesystem with the Audit Vault Server. This command currently supports registering an NFS filesystem. After registering a remote filesystem, an administrator can select it when specifying an archive location.

Syntax:

REGISTER REMOTE FILESYSTEM filesystem_name OF TYPE NFS ON HOST NFS_server_address USING EXPORT export [MOUNT]

Arguments

Argument Description
filesystem_name A unique name for the remote filesystem
NFS_server_address Hostname or IP address of the NFS server
export Name of the export directory on the NFS server. The export must be one of the exports available on the NFS server.

Examples:

avcli> REGISTER REMOTE FILESYSTEM sample_Filesystem OF TYPE NFS ON HOST example_host.example.com USING EXPORT /export/home1;

Registers a remote NFS filesystem named sample_Filesystem on the host example_host.example.com using the export directory /export/home1. This will mount the registered remote filesystem.

avcli> REGISTER REMOTE FILESYSTEM sample_Filesystem OF TYPE NFS ON HOST example_host.example.com USING EXPORT /export/home1 MOUNT;

Registers a remote NFS filesystem named sample_Filesystem on the host example_host.example.com using the export directory /export/home1. This will also mount the registered remote filesystem.

ALTER REMOTE FILESYSTEM

Note: This command is available as of Oracle AVDF version 12.1.2.

The ALTER REMOTE FILESYSTEM command alters a remote filesystem registered with the Audit Vault Server.

Syntax:

ALTER REMOTE FILESYSTEM filesystem_name SET {key=value [,key=value...]}

ALTER REMOTE FILESYSTEM filesystem_name MOUNT

ALTER REMOTE FILESYSTEM filesystem_name UNMOUNT [FORCE]

Arguments

Argument Description
filesystem_name Name of the remote filesystem
key For an NFS remote filesystem, the key NAME is supported.

Examples:

avcli> ALTER REMOTE FILESYSTEM sample_filesystem SET NAME=newfilesystem;

Changes the name of the remote filesystem sample_filesystem to newfilesystem.

avcli> ALTER REMOTE FILESYSTEM sample_filesystem MOUNT;

Mounts the remote filesystem sample_filesystem.

avcli> ALTER REMOTE FILESYSTEM sample_filesystem UNMOUNT;

Unmounts remote filesystem sample_filesystem.

avcli> ALTER REMOTE FILESYSTEM sample_filesystem UNMOUNT FORCE;

Unmounts remote filesystem sample_filesystem and forces this operation.

DROP REMOTE FILESYSTEM

Note: This command is available as of Oracle AVDF version 12.1.2.

The DROP REMOTE FILESYSTEM command drops a remote filesystem registered with the Audit Vault Server.

Syntax:

DROP REMOTE FILESYSTEM filesystem_name

Arguments

Argument Description
filesystem_name Name of the remote filesystem.

Examples:

avcli> DROP REMOTE FILESYSTEM filesystem1;

Drops the remote filesystem filesystem1.

LIST EXPORT

Note: This command is available as of Oracle AVDF version 12.1.2.

The LIST EXPORT command displays the list of exports available on an NFS server.

Syntax:

LIST EXPORT OF TYPE NFS ON HOST address

Arguments

Argument Description
address Hostname or IP address of the NFS server.

Example:

avcli> LIST EXPORT OF TYPE NFS ON HOST example_server.example.com;

Lists the exports available on the NFS server example_server.example.com.

LIST REMOTE FILESYSTEM

Note: This command is available as of Oracle AVDF version 12.1.2.

The LIST REMOTE FILESYSTEM command lists all remote filesystems registered with the Audit Vault Server.

Syntax:

LIST REMOTE FILESYSTEM

Example:

avcli> LIST REMOTE FILESYSTEM;

Lists all remote filesystems registered with the Audit Vault Server.

SHOW STATUS OF REMOTE FILESYSTEM

Note: This command is available as of Oracle AVDF version 12.1.2.

The SHOW STATUS OF REMOTE FILESYSTEM command shows the status of a specified remote filesystem.

Syntax:

SHOW STATUS OF REMOTE FILESYSTEM filesystem_name

Arguments

Argument Description
filesystem_name Name of the remote filesystem

Examples:

avcli> SHOW STATUS OF REMOTE FILESYSTEM filesystem1;

Shows the status of remote filesystem filesystem1.

Server Management AVCLI Commands

Table A-16 AVCLI Server Management Commands

Command Description

ALTER SYSTEM SET

Modifies system configuration data

SHOW CERTIFICATE

Displays the certificate for the Audit Vault Server

DOWNLOAD LOG FILE

Downloads the Audit Vault Server log file for diagnostics


ALTER SYSTEM SET

The ALTER SYSTEM SET command modifies system configuration data.

Syntax:

ALTER SYSTEM SET {attribute=value [,attribute=value...]}
 

Arguments

Argument Description
attribute System attributes as key/value pairs. See Table A-17.

Usage Notes

Typically, system configuration data affects all components system-wide.

Multiple component log levels can be changed by delimiting them using the | symbol.

To modify system configuration data, set the attributes associated with the data using key=value pairs. To set multiple attributes in one command, separate the pairs with commas.

Log files are located in the $Oracle_Home/av/log directory in the Audit Vault Server.

The following attributes are supported:

Table A-17 System Attributes

Parameter Description

LOGLEVEL

The log level of components running on this host.

The LOGLEVEL attribute takes a two part value, separated by a colon, as follows:

component_name:loglevel_value

where component_name can be JfwkLog, PolicyLog, ReportLog, AlertLog, PfwkLog, or GUIlog.

See Table A-18 for descriptions of values for the LOGLEVEL attribute (a combination of component names and log level values).

Multiple components' log levels can be changed by delimiting them using the | symbol.

SYS.HEARTBEAT_INTERVAL

Sets the system heartbeat interval to a numerical value in seconds.


Table A-18 shows valid values for component_name and loglevel_value for the LOGLEVEL attribute:

Table A-18 LOGLEVEL VALUES

Parameter Description

JfwkLog

The JfwkLog component_name of the LOGLEVEL attribute

PolicyLog

The PolicyLog component_name of the LOGLEVEL attribute

ReportLog

The ReportLog component_name of the LOGLEVEL attribute

AlertLog

The AlertLog component_name of the LOGLEVEL attribute

PfwkLog

The PfwkLog component_name of the LOGLEVEL attribute

GUIlog

The GUIlog component_name of the LOGLEVEL attribute

INFO

The INFO loglevel_value of the LOGLEVEL attribute

WARNING

The WARNING loglevel_value of the LOGLEVEL attribute (not supported for GUIlog)

ERROR

The ERROR loglevel_value of the LOGLEVEL attribute

DEBUG

The DEBUG loglevel_value of the LOGLEVEL attribute


Examples

avcli> ALTER SYSTEM SET SYS.HEARTBEAT_INTERVAL=10;

The SYS.HEARTBEAT_INTERVAL system configuration setting changes to 10 seconds.

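avcli> ALTER SYSTEM SET loglevel=JfwkLog:DEBUG|PfwkLog:INFO;

The log level of the JfwkLog component changes to DEBUG and the log level of the PfwkLog component changes to INFO.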
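A pre-flight check for ALTER SYSTEM SET statements, built from the syntax above and Tables A-17 and A-18, for use before a statement goes into an AVCLI script. This is an added example, not Oracle code: the function names are hypothetical, and it assumes that component and level names must be spelled as in Table A-18, that attribute names are case-insensitive (as the lowercase loglevel example suggests), and that the heartbeat interval is a whole number.

```python
import re

# Names as spelled in Tables A-17 and A-18 of this page.
COMPONENTS = {"JfwkLog", "PolicyLog", "ReportLog", "AlertLog", "PfwkLog", "GUIlog"}
LEVELS = {"INFO", "WARNING", "ERROR", "DEBUG"}


def check_loglevel(value):
    """Return problems in a LOGLEVEL value such as 'JfwkLog:DEBUG|PfwkLog:INFO'."""
    problems = []
    for part in value.split("|"):
        component, sep, level = (s.strip() for s in part.partition(":"))
        if not sep:
            problems.append(f"{part.strip()!r}: expected component_name:loglevel_value")
            continue
        if component not in COMPONENTS:
            problems.append(f"{component}: not a component name in Table A-18")
        if level not in LEVELS:
            problems.append(f"{level}: not a log level value in Table A-18")
        if (component, level) == ("GUIlog", "WARNING"):
            problems.append("GUIlog:WARNING: WARNING is not supported for GUIlog")
    return problems


def check_alter_system_set(statement):
    """Return problems in one ALTER SYSTEM SET statement (empty list = passes)."""
    text = statement.strip()
    problems = [] if text.endswith(";") else ["statement must end in a semicolon"]
    match = re.fullmatch(r"ALTER\s+SYSTEM\s+SET\s+(.+?)\s*;?", text, re.I | re.S)
    if not match:
        return problems + ["not an ALTER SYSTEM SET statement"]
    for pair in match.group(1).split(","):
        key, sep, value = (s.strip() for s in pair.partition("="))
        if not sep:
            problems.append(f"{pair.strip()!r}: expected attribute=value")
        elif key.upper() == "LOGLEVEL":
            problems += check_loglevel(value)
        elif key.upper() == "SYS.HEARTBEAT_INTERVAL":
            # Assumption: whole seconds; the page says only "a numerical value".
            if not value.isdigit():
                problems.append(f"SYS.HEARTBEAT_INTERVAL={value}: not a number of seconds")
        else:
            problems.append(f"{key}: not an attribute in Table A-17")
    return problems


if __name__ == "__main__":
    # Constructed input: the page's two examples and two faulty statements.
    for stmt in ("ALTER SYSTEM SET SYS.HEARTBEAT_INTERVAL=10;",
                 "ALTER SYSTEM SET loglevel=JfwkLog:DEBUG|PfwkLog:INFO;",
                 "ALTER SYSTEM SET LOGLEVEL=GUIlog:WARNING;",
                 "ALTER SYSTEM SET SYS.HEARTBEAT_INTERVAL=ten, LOGLEVEL=AuditLog:TRACE"):
        print(stmt, "->", check_alter_system_set(stmt) or "ok")
```

A statement that passes this check can still be rejected by AVCLI; the check only catches values that contradict the tables on this page.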

SHOW CERTIFICATE

The SHOW CERTIFICATE command displays the certificate for the Audit Vault Server.

Syntax

SHOW CERTIFICATE FOR SERVER

Example

avcli> SHOW CERTIFICATE FOR SERVER;

The Audit Vault Server certificate appears.

DOWNLOAD LOG FILE

Note: This command is available as of Oracle AVDF version 12.1.2.

The DOWNLOAD LOG FILE command downloads the diagnostics log file (as a .zip file) from the Audit Vault Server and saves it in the following directory:

AVCLI_installation_path/av/log

Syntax

DOWNLOAD LOG FILE FROM SERVER

Example

avcli> DOWNLOAD LOG FILE FROM SERVER;

The Audit Vault Server log file is downloaded.

Collection Plug-In AVCLI Commands

The AVCLI collection plug-in commands enable you to manage the deployment of collection plug-ins.

Table A-19 lists the collection plug-in AVCLI commands.

Table A-19 AVCLI Collection Plug-In Commands

Command Description

DEPLOY PLUGIN

Deploys a plug-in into Audit Vault Server home from a given archive file

LIST PLUGIN FOR SECURED TARGET TYPE

Lists all the plug-ins in an Audit Vault Server installation

UNDEPLOY PLUGIN

Undeploys a plug-in from an Audit Vault Server home


DEPLOY PLUGIN

The DEPLOY PLUGIN command deploys a plug-in into the Audit Vault Server home from a given archive file.

Syntax

DEPLOY PLUGIN plugin archive

Arguments

Argument Description
plugin archive The plug-in archive.

Archive files have a .zip extension and contain custom plug-ins that third-party vendors or partners develop to add functionality to Audit Vault Server.


Usage Notes

No action is required after this command.

The DEPLOY PLUGIN command updates the agent archive with the contents of this plug-in for future Agent deployments.

When a newer version of the plug-in is available, use the DEPLOY PLUGIN command to update the plug-in artifacts. Multiple plug-ins can support a single secured target type.

Example

avcli> DEPLOY PLUGIN /opt/avplugins/sample_plugin.zip;

Deploys the plug-in at /opt/avplugins/sample_plugin.zip into the Audit Vault Server and updates the agent archive by adding the plug-in to its contents.

LIST PLUGIN FOR SECURED TARGET TYPE

The LIST PLUGIN FOR SECURED TARGET TYPE command lists all the plug-ins that support a particular secured target type.

Syntax

LIST PLUGIN FOR SECURED TARGET TYPE secured target type name

Arguments

Argument Description
secured target type name The name of the secured target type

Usage Notes

To find a list of available secured target types, see "LIST SECURED TARGET TYPE".

Examples

avcli> LIST PLUGINS FOR SECURED TARGET TYPE "Oracle Database";

The plug-ins that support the secured target type "Oracle Database" are listed.

UNDEPLOY PLUGIN

The UNDEPLOY PLUGIN command deletes a plug-in from an Audit Vault Server home.

Syntax

UNDEPLOY PLUGIN plugin_id

Arguments

Argument Description
plugin_id The ID of the plug-in that you want to undeploy.

Usage Notes

UNDEPLOY PLUGIN attempts to identify dependent plug-ins or packages prior to deleting the plug-in.

This command undeploys a plug-in specified by the plug-in ID from the Audit Vault Server. It also updates the agent archive removing this plug-in, so that it is not deployed in future agent deployments.

Examples

avcli> UNDEPLOY PLUGIN com.abc.sample_plugin;

The plug-in, com.abc.sample_plugin, is undeployed from Oracle Audit Vault Server and the agent archive is updated by removing the plug-in.

General Usage AVCLI Commands

Table A-20 lists the general usage AVCLI commands.

Table A-20 AVCLI HELP and EXIT Commands

Command Description

CONNECT

Connects the current user in AVCLI as a different user

HELP

Lists all AVCLI commands with their categories

-HELP

Displays help information for all of the commands in the AVCLI utility

-VERSION

Displays the version number for AVCLI

QUIT

Exits AVCLI


CONNECT

The CONNECT command enables you to connect as a different user in AVCLI.

Syntax

CONNECT username

Usage Notes

  • If you have logged in to AVCLI without specifying a username and password, then you must use the CONNECT command to connect as a valid user.

  • For additional ways to connect to AVCLI, see "Using the AVCLI Command Line Interface".

Example

avcli> CONNECT psmith
Enter password: password

Connected.

HELP

The HELP command lists all available AVCLI commands and their categories.

Syntax

HELP

Example

avcli> HELP;

-HELP

The -HELP command displays version number and help information about the AVCLI commands. Run the -HELP command from outside of AVCLI.

Syntax

avcli -h
avcli -H
avcli -help
avcli -HELP

Example

avcli -help:
 
[oracle@slc02vjp ~]$ avcli -help
 
 
AVCLI : Release 12.1.2.0.0 - Production on Thu Nov 8 00:53:54 UTC 2012
 
 
Copyright (c) 1996, 2014 Oracle.  All Rights Reserved.
 
 
Usage 1: avcli -{h|H} | -{v|V}
 
    -{h|H}             Displays the AVCLI version and the usage help
 
    -{v|V}             Displays the AVCLI version.
 
Usage 2: avcli [ [<option>] [<logon>] [<start>] ]
 
   <option> is: [-{l|L} <log level>]
 
    -{l|L} <log level>   Sets the log level to the level specified.
                         Supported log levels: INFO, WARNING, ERROR, DEBUG
 
   <logon> is: -{u|U} <username>
     Specifies the database account username for the database
     connection
 
   <start> is: -{f|F} <filename>.<ext>
     Runs the specified AVCLI script from the local file system
     (filename.ext). Valid AVCLI script files should have
     their file extension as '.av' (e.g. sample_script.av)
 

-VERSION

The -VERSION command displays the version number for AVCLI. Run the -VERSION command from outside of AVCLI.

Syntax

avcli -v
avcli -V
avcli -version
avcli -VERSION

Example

avcli -v

AVCLI : Release 12.1.2.0.0 - Production on Tue Apr 26 14:25:31 PDT 2011
 
Copyright (c) 2014, Oracle.  All Rights Reserved.

QUIT

The QUIT command exits AVCLI.

Syntax

QUIT

Example

avcli> QUIT;