If you want to collect audit data from a secured target, you must configure a connection between the Audit Vault Server and the host machine where the Audit Vault Agent resides for that secured target (usually the same computer as the secured target).
After registering a host, you must then deploy and activate the Audit Vault Agent on that host. See "Deploying and Activating the Audit Vault Agent on Host Computers".
This chapter assumes the Audit Vault Agent is deployed on the secured target host, and describes the procedures for registering hosts using the Audit Vault Server console UI. For information on using the command line interface, see "Using the AVCLI Command Line Interface".
After you register hosts and deploy the Audit Vault Agent on them, in order to start audit trail collections you must also register the secured targets, configure audit trails, and start audit trail collections manually. These procedures are described in:
To understand the high-level workflow for configuring the Oracle AVDF system, see "Summary of Configuration Steps".
Sections in this chapter give information on configuring hosts that is specific to each secured target type. However, the procedure for registering any host machine in the Audit Vault Server is the same.
To register a host machine in the Audit Vault Server:
Log in to the Audit Vault Server console as an administrator.
Click the Hosts tab.
A list of the registered hosts, if present, appears in the Hosts page. To control the view of this list see "Working with Lists of Objects in the UI".
Click Register.
Enter the Host Name and Host IP address.
Click Save.
If you are using Oracle AVDF version 12.1.2, an Agent Activation Key is automatically generated when you register the host.
See Also:
"REGISTER HOST" for the command line syntax to register a host
Changing the name of a registered host can take up to 10 minutes because the system automatically reboots after you change the name.
Caution:
Do not manually reboot the system after changing a host name as this may put the system in an inconsistent state. Wait up to 10 minutes for the system to automatically reboot.
To change the name of a registered host:
Log in to the Audit Vault Server console as an administrator.
Click the Hosts tab.
Click the name of the host you want to change.
In the Modify Host page, change the Host Name field, and then click Save.
Wait for the system to automatically reboot.
This may take up to 10 minutes. Do not manually reboot the system.
In order to collect audit trails from secured targets, you must deploy the Audit Vault Agent on a host computer, usually the same computer where the secured target resides. The Audit Vault Agent includes plug-ins for each secured target type, as well as host monitoring functionality.
In addition to deploying the Audit Vault Agent, in order to start audit trail collections you must also register each host, register secured targets, configure audit trails, and start audit trail collections manually. For these procedures, see:
To understand the high-level workflow for configuring the Oracle AVDF system, see "Summary of Configuration Steps".
Deploying and activating the Audit Vault Agent on a host machine consists of these steps:
To register the host on which you deployed the Audit Vault Agent, follow the procedure in "Registering Hosts in the Audit Vault Server".
You must use an OS user account to deploy the Audit Vault Agent. In this step, you copy the agent.jar file from the Audit Vault Server and deploy this file on the host machine.
Note:
The Audit Vault Agent is supported on Unix, Windows, and HP-UX Itanium platforms, and requires Java SE 6 or 7 on the host computer. See Oracle Audit Vault and Database Firewall Installation Guide for platform support details for the current release. For supported platforms in prior releases, see Article 1536380.1 at the Oracle Support website: https://support.oracle.com
To copy and deploy the Audit Vault Agent to the host machine:
Log in to the Audit Vault Server console as an administrator.
Click the Hosts tab, and then from the Hosts menu, click Agent.
The Agent and host monitor files are listed.
Click the Download button next to the Agent file, and then save the agent.jar file to a location of your choice.
Using an OS user account, copy the agent.jar file to the secured target's host computer.
On the host machine, set JAVA_HOME to the installation directory of the jdk1.6 (or higher version), and make sure the java executable corresponds to this JAVA_HOME setting.
Note: For a Sybase ASE secured target, ensure that the Audit Vault Agent is installed on a computer in which SQL*Net can communicate with the Sybase ASE database.
Start a command prompt with Run as Administrator.
In the directory where you placed the agent.jar file, extract it by running:
java -jar agent.jar -d Agent_Home
This creates a directory by the name you enter for Agent_Home, and installs the Audit Vault Agent in that directory.
On a Windows system, this command automatically registers a Windows service named OracleAVAgent.
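The JAVA_HOME step above is easy to get wrong when a host has several JVMs installed. The following check for Unix hosts is an added example, not part of Oracle's documentation or tooling; check_agent_java and java_major are hypothetical helper names, and the minimum version of 1.6 is taken from the step above.

```shell
#!/bin/sh
# Added example: pre-deployment check for the JAVA_HOME step (Unix hosts).
# check_agent_java and java_major are hypothetical helper names.

# Print the major version of the java binary given as $1.
# Legacy strings such as "1.6.0_45" map to 6; modern "11.0.2" maps to 11.
java_major() {
    ver=$("$1" -version 2>&1 | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1)
    case "$ver" in
        "")  return 1 ;;
        1.*) echo "$ver" | cut -d. -f2 ;;
        *)   m=$(echo "$ver" | sed 's/[^0-9].*//'); [ -n "$m" ] && echo "$m" ;;
    esac
}

# Succeed only if JAVA_HOME is set, the java found first on PATH is the
# same file as $JAVA_HOME/bin/java, and that JDK is version 1.6 or higher.
check_agent_java() {
    if [ -z "${JAVA_HOME:-}" ]; then
        echo "JAVA_HOME is not set" >&2; return 1
    fi
    home_java="$JAVA_HOME/bin/java"
    if [ ! -x "$home_java" ]; then
        echo "no executable at $home_java" >&2; return 1
    fi
    path_java=$(command -v java) || { echo "java is not on PATH" >&2; return 1; }
    # -ef compares device and inode, so a symlink into JAVA_HOME still matches.
    if [ ! "$path_java" -ef "$home_java" ]; then
        echo "PATH resolves java to $path_java, not $home_java" >&2; return 1
    fi
    major=$(java_major "$home_java") || { echo "cannot read java version" >&2; return 1; }
    if [ "$major" -lt 6 ]; then
        echo "Java $major is older than the required 1.6" >&2; return 1
    fi
    echo "java OK: $home_java (major version $major)"
}

# Usage on the host, before extracting the agent:
#   check_agent_java && java -jar agent.jar -d Agent_Home
```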
Caution:
After deploying the Audit Vault Agent, do not delete the Agent_Home directory unless directed to do so by Oracle Support. If you are updating an existing Audit Vault Agent, do not delete the existing Agent_Home directory.
This step is not required for Oracle AVDF 12.1.2.
Prerequisite: Follow the procedure in "Registering Hosts in the Audit Vault Server" for this host computer.
To request activation of the Audit Vault Agent in version 12.1.1:
On the host computer, go to the following directory:
Agent_Home/bin
Agent_Home is the directory created in step 7 above.
Run the following command:
agentctl activate
This sends an activation request to the Audit Vault Server.
In this step, you activate the Audit Vault Agent with the Agent Activation Key and start the Agent.
Prerequisites:
Follow the procedure in "Registering Hosts in the Audit Vault Server".
(Oracle AVDF 12.1.1 Only) Follow the procedure in "(Oracle AVDF 12.1.1 Only) Requesting Agent Activation".
To activate and start the agent:
Log in to the Audit Vault Server console as an administrator, and click the Hosts tab.
Oracle AVDF 12.1.1 Only: Select the host you want to activate, and then click Activate.
This will generate an activation key under the Agent Activation Key column.
In AVDF version 12.1.1, you can only activate a host if you have completed the procedure in "(Oracle AVDF 12.1.1 Only) Requesting Agent Activation". Otherwise the Agent Activation Status for that host will be No Request.
On the Hosts tab, make a note of the Agent Activation Key for this host.
On the host machine, change directory as follows:
cd Agent_Home/bin
Agent_Home is the directory created in step 7 above.
Run one of the following commands and provide the Agent Activation Key:
In Oracle AVDF 12.1.2:
agentctl start -k
Enter Activation Key:
Enter the activation key when prompted. This key will not be displayed as you type it.
In Oracle AVDF 12.1.1:
agentctl start -k activation_key
Note: the -k argument is not needed after the initial agentctl start command.
See Also:
If the agent is deployed on a Microsoft Windows host computer, you can start or stop the agent Windows service through the Windows Services applet in the Windows Control Panel. See "Registering or Unregistering the Audit Vault Agent as a Windows Service".
See Also:
"ACTIVATE HOST" for the command line syntax to activate the agent
When the Audit Vault Agent is deployed on a Microsoft Windows host computer, during agent deployment ("Deploying the Audit Vault Agent on the Host Computer"), a Windows service named OracleAVAgent is automatically registered. Additionally, you can register and unregister the agent service using the agentctl command as shown below.
When the Audit Vault Agent is registered as a Windows service, you can start or stop the service through the Windows Services applet in the Windows Control Panel.
Note: Deploying the Audit Vault Agent on a Windows host automatically registers a Windows service named agentctl. Use this procedure if you need to register the Windows service again.
To register the Audit Vault Agent as a Windows Service:
On the host machine, run the following command from the Agent_Home\bin directory:
agentctl registersvc
This adds the Oracle Audit Vault Agent service in the Windows services registry.
Important:
Be sure to set the Audit Vault Agent service to use the credentials of the Windows OS user account that was used to deploy the agent using the java -jar command. Do this in the service Properties dialogue.
Note that in the service Properties dialogue, local user name entries in the This account field should be formatted as in the following example: user name jdoe should be entered as .\jdoe. Refer to Microsoft Windows documentation for procedures to do so.
To unregister the Audit Vault Agent as a Windows Service, use one of the following methods:
Method 1 (Recommended)
On the host machine, run the following command from the Agent_Home\bin directory:
agentctl unregistersvc
This removes the Oracle Audit Vault Agent service from the Windows services registry.
Method 2
If Method 1 fails, then execute the following from the Windows command prompt (Run as Administrator):
cmd> sc delete OracleAVAgent
You can verify that the Audit Vault Agent has been deleted by executing the following query from the Windows command prompt (Run as Administrator):
cmd> sc queryex OracleAVAgent
To stop or start the Audit Vault Agent after initial activation and start, run one of the following commands from the Agent_Home/bin directory on the host machine:
agentctl stop
agentctl start
The Audit Vault Agent is automatically registered as a Windows service when you deploy the Agent on a Windows host. We recommend that you run the Agent as Windows service so that it can keep running after the user logs out.
See also "Registering or Unregistering the Audit Vault Agent as a Windows Service".
To stop or start the Agent Windows service:
Use one of the methods below:
In the Windows GUI (Control Panel, Administrative Tools, Services), find the Oracle Audit Vault Agent service, and then right-click it to select Start or Stop.
Run one of these commands from the Agent_Home\bin directory on the host machine:
agentctl stopsvc
agentctl startsvc
To check that the Windows service is stopped:
Run this command:
cmd> sc queryex OracleAVAgent
You should see the agent Windows service in a STOPPED state.
To stop or start the Agent in console mode:
start /b agentctl stop
start /b agentctl start
The logging level you set affects the amount of information written to the log files. You may need to take this into account for disc space limitations.
Log files are located in the Agent_Home/av/log directory.
The following logging levels are listed in the order of amount of information written to log files, with debug providing the most information:
error - Writes only error messages
warning - (Default) Writes warning and error messages
info - Writes informational, warning, and error messages
To change the logging level for an Audit Vault Agent:
Ensure that you are logged into AVCLI on the Audit Vault Server.
Run the ALTER HOST command.
The syntax is as follows:
ALTER HOST host_name SET LOGLEVEL=av.agent:log_level
In this specification:
host_name: The name of the host where the Audit Vault Agent is deployed.
log_level: Enter a value of info, warn, debug, or error.
If you have registered the Audit Vault Agent as a Windows service, see "Registering or Unregistering the Audit Vault Agent as a Windows Service" to unregister the service.
Otherwise, to deactivate and remove the Audit Vault Agent:
Stop all audit trails being collected by the Audit Vault Agent.
In the Audit Vault Server console, click the Hosts tab, then click Audit Trails.
Select the audit trails being collected by this Audit Vault Agent, and then click Stop.
Stop the Audit Vault Agent by running the following command on the host computer:
agentctl stop
Deactivate the Audit Vault Agent on the host computer:
In the Audit Vault Server console, click the Hosts tab.
Select the host name, and then click Deactivate.
Optionally, drop the host by selecting it, and then clicking Delete.
Delete the Audit Vault Agent home directory on the host computer.
As of Oracle AVDF 12.1.1 BP2, when you update the Audit Vault Server to a future release, the Audit Vault Agent is automatically updated.
If your current release is prior to 12.1.1 BP2, refer to the README included with upgrade software or patch updates for instructions on how to update the Audit Vault Agent.
Information on downloading upgrade software is detailed in Oracle Audit Vault and Database Firewall Installation Guide.
Each type of secured target has a corresponding software plug-in in the Audit Vault Server, which enables the Audit Vault Agent to collect audit data. You can deploy more plug-ins, in addition to those shipped with Oracle AVDF, in order to collect audit data from more secured target types. New plug-ins are available from Oracle Technology Network or third parties. The plug-in deployment process updates the agent.jar file in the Audit Vault Server.
A plug-in supports only one secured target type. However, you may deploy more than one plug-in for the same secured target type if, for example, you acquired each plug-in from a different developer, or each plug-in supports a specific type of audit trail for the same secured target type. You can select the specific plug-in to use when you configure audit trail collections.
To start collecting audit data from the secured target type associated with a plug-in, you must also add the secured target in the Audit Vault Server, then configure and manually start audit trail collection. See "Configuring Secured Targets, Audit Trails, and Enforcement Points".
Deploying a plug-in consists of three steps:
Ensure that auditing has been enabled in the secured target. See the secured target's product documentation for more information. For plug-ins for Oracle Database, see "Ensuring that Auditing is Enabled on Oracle Database Secured Targets".
To register a host in the Audit Vault Server, see "Registering Hosts in the Audit Vault Server".
To deploy and activate a plug-in:
Copy the plug-in archive to the Audit Vault Server, and make a note of the location of the file.
Plug-in archives are available from Oracle Technology Network or a third party.
Log in to the Audit Vault Server console as an administrator.
Click the Settings tab, and from the System menu, click Plug-ins.
The Plug-ins page lists the currently deployed plug-ins:
Click Deploy, and in the Plug-in Archive field, enter or browse for the name of the plug-in archive.
Click Deploy Plug-in.
The new plug-in is listed in the Hosts tab, Agent page, under Plug-ins. The updated agent.jar file has a new Agent Generation Time shown in the Agent page.
The Hosts page displays an Agent Generation Time column for each registered host, indicating the version of the agent.jar on that host.
Copy the updated agent.jar file to each registered host machine.
If you have not registered a host machine, see "Registering Hosts in the Audit Vault Server".
On the host machine, extract the agent:
java -jar agent.jar
Note:
You cannot download the agent during the same login session in which you deploy a plug-in, since the agent.jar is being updated. However, users in other sessions will be able to download the most current version of agent.jar until the plug-in deployment process is complete and a new version is available.
When you delete a host, if you want to register it again to collect audit data, you must reinstall the Audit Vault Agent on this host.
Log in to the Audit Vault Server console as an administrator.
Click the Hosts tab.
A list of the registered hosts, if present, appears in the Hosts page. To control the view of this list see "Working with Lists of Objects in the UI".
Select the host(s) you want to delete, and then click Delete.