5 Registering Hosts and Deploying the Agent

Registering Hosts in the Audit Vault Server

About Registering Hosts

If you want to collect audit data from a secured target, you must configure a connection between the Audit Vault Server and the host machine where the Audit Vault Agent resides for that secured target (usually the same computer as the secured target).

After registering a host, you must then deploy and activate the Audit Vault Agent on that host. See "Deploying and Activating the Audit Vault Agent on Host Computers".

This chapter assumes the Audit Vault Agent is deployed on the secured target host, and describes the procedures for registering hosts using the Audit Vault Server console UI. For information on using the command line interface, see "Using the AVCLI Command Line Interface".

After you register hosts and deploy the Audit Vault Agent on them, in order to start audit trail collections you must also register the secured targets, configure audit trails, and start audit trail collections manually. These procedures are described in:

To understand the high-level workflow for configuring the Oracle AVDF system, see "Summary of Configuration Steps".

Registering Hosts in the Audit Vault Server

Sections in this chapter give information on configuring hosts that is specific to each secured target type. However, the procedure for registering any host machine in the Audit Vault Server is the same.

To register a host machine in the Audit Vault Server:

  1. Log in to the Audit Vault Server console as an administrator.

  2. Click the Hosts tab.

    A list of the registered hosts, if present, appears in the Hosts page. To control the view of this list, see "Working with Lists of Objects in the UI".

  3. Click Register.

  4. Enter the Host Name and Host IP address.

  5. Click Save.

    If you are using Oracle AVDF version 12.1.2, an Agent Activation Key is automatically generated when you register the host.

See Also:

"REGISTER HOST" for the command line syntax to register a host

Changing Host Names

Changing the name of a registered host can take up to 10 minutes because the system automatically reboots after you change the name.

Caution:

Do not manually reboot the system after changing a host name as this may put the system in an inconsistent state. Wait up to 10 minutes for the system to automatically reboot.

To change the name of a registered host:

  1. Log in to the Audit Vault Server console as an administrator.

  2. Click the Hosts tab.

  3. Click the name of the host you want to change.

  4. In the Modify Host page, change the Host Name field, and then click Save.

  5. Wait for the system to automatically reboot.

    This may take up to 10 minutes. Do not manually reboot the system.

Deploying and Activating the Audit Vault Agent on Host Computers

About Deploying the Audit Vault Agent

In order to collect audit trails from secured targets, you must deploy the Audit Vault Agent on a host computer, usually the same computer where the secured target resides. The Audit Vault Agent includes plug-ins for each secured target type, as well as host monitoring functionality.

In addition to deploying the Audit Vault Agent, in order to start audit trail collections you must also register each host, register secured targets, configure audit trails, and start audit trail collections manually. For these procedures, see:

To understand the high-level workflow for configuring the Oracle AVDF system, see "Summary of Configuration Steps".

Steps Required to Deploy and Activate the Audit Vault Agent

Deploying and activating the Audit Vault Agent on a host machine consists of these steps:

  1. Registering the Host

  2. Deploying the Audit Vault Agent on the Host Computer.

  3. (Oracle AVDF 12.1.1 Only) Requesting Agent Activation

  4. Activating and Starting the Audit Vault Agent.

Registering the Host

To register the host on which you deployed the Audit Vault Agent, follow the procedure in "Registering Hosts in the Audit Vault Server".

Deploying the Audit Vault Agent on the Host Computer

You must use an OS user account to deploy the Audit Vault Agent. In this step, you copy the agent.jar file from the Audit Vault Server and deploy this file on the host machine.

Note:

The Audit Vault Agent is supported on Unix, Windows, and HP-UX Itanium platforms, and requires Java SE 6 or 7 on the host computer. See Oracle Audit Vault and Database Firewall Installation Guide for platform support details for the current release. For supported platforms in prior releases, see Article 1536380.1 at the Oracle Support website: https://support.oracle.com

To copy and deploy the Audit Vault Agent to the host machine:

  1. Log in to the Audit Vault Server console as an administrator.

  2. Click the Hosts tab, and then from the Hosts menu, click Agent.

    The Agent and host monitor files are listed.

  3. Click the Download button next to the Agent file, and then save the agent.jar file to a location of your choice.

  4. Using an OS user account, copy the agent.jar file to the secured target's host computer.

  5. On the host machine, set JAVA_HOME to the installation directory of jdk1.6 (or a higher version), and make sure the java executable corresponds to this JAVA_HOME setting.

    Note: For a Sybase ASE secured target, ensure that the Audit Vault Agent is installed on a computer in which SQL*Net can communicate with the Sybase ASE database.

  6. Start a command prompt with Run as Administrator.

  7. In the directory where you placed the agent.jar file, extract it by running:

    java -jar agent.jar -d Agent_Home

    This creates a directory by the name you enter for Agent_Home, and installs the Audit Vault Agent in that directory.

    On a Windows system, this command automatically registers a Windows service named OracleAVAgent.

Caution:

After deploying the Audit Vault Agent, do not delete the Agent_Home directory unless directed to do so by Oracle Support. If you are updating an existing Audit Vault Agent, do not delete the existing Agent_Home directory.
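
A pre-deployment check for step 5 on a Unix host, added here as an illustration (it is not part of the Oracle documentation or product): it confirms that the java found on the PATH is the one under JAVA_HOME and that its version is 1.6 or higher before agent.jar is extracted. The function names and the version-string parsing are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-deployment check for step 5 (not Oracle code).
# Function names are this example's own.

# Print the Java major release for a version string:
# "1.6.0_45" -> 6, "1.7.0_80" -> 7, "11.0.2" -> 11.
java_major_of() {
    case "$1" in
        1.*) v=${1#1.}; echo "${v%%[._-]*}" ;;
        *)   echo "${1%%[._-]*}" ;;
    esac
}

# preflight AGENT_JAR: return 0 only if the jar exists, JAVA_HOME is set,
# the java found on PATH is the JAVA_HOME one, and it is release 6 or later.
preflight() {
    jar=$1
    [ -f "$jar" ] || { echo "agent.jar not found: $jar" >&2; return 1; }
    if [ -z "${JAVA_HOME:-}" ] || [ ! -x "$JAVA_HOME/bin/java" ]; then
        echo "JAVA_HOME is unset or has no bin/java" >&2; return 1
    fi
    path_java=$(command -v java) || { echo "no java on PATH" >&2; return 1; }
    # -ef: both names refer to the same file (follows symlinks).
    if [ ! "$path_java" -ef "$JAVA_HOME/bin/java" ]; then
        echo "PATH java ($path_java) is not \$JAVA_HOME/bin/java" >&2; return 1
    fi
    # 'java -version' writes to stderr; line 1 looks like: java version "1.7.0_80"
    ver=$("$JAVA_HOME/bin/java" -version 2>&1 |
          sed -n '1s/.*version "\([^"]*\)".*/\1/p')
    major=$(java_major_of "$ver")
    if ! [ "${major:-0}" -ge 6 ] 2>/dev/null; then
        echo "Java '$ver' is older than 1.6 or unrecognized" >&2; return 1
    fi
    echo "ok: Java $ver from $JAVA_HOME"
}

# Usage: sh preflight.sh /path/to/agent.jar
[ "$#" -eq 0 ] || preflight "$@"
```

Run it as the same OS user account that will extract agent.jar, so the check sees that account's JAVA_HOME and PATH.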

(Oracle AVDF 12.1.1 Only) Requesting Agent Activation

This step is not required for Oracle AVDF 12.1.2.

Prerequisite: Follow the procedure in "Registering Hosts in the Audit Vault Server" for this host computer.

To request activation of the Audit Vault Agent in version 12.1.1:

  1. On the host computer, go to the following directory:

    Agent_Home/bin

    Agent_Home is the directory created in step 7 of "Deploying the Audit Vault Agent on the Host Computer".

  2. Run the following command:

    agentctl activate
    

    This sends an activation request to the Audit Vault Server.

Activating and Starting the Audit Vault Agent

In this step, you activate the Audit Vault Agent with the Agent Activation Key and start the Agent.

Prerequisites:

To activate and start the agent:

  1. Log in to the Audit Vault Server console as an administrator, and click the Hosts tab.

  2. Oracle AVDF 12.1.1 Only: Select the host you want to activate, and then click Activate.

    This will generate an activation key under the Agent Activation Key column.

    In AVDF version 12.1.1, you can only activate a host if you have completed the procedure in "(Oracle AVDF 12.1.1 Only) Requesting Agent Activation". Otherwise the Agent Activation Status for that host will be No Request.

  3. On the Hosts tab, make a note of the Agent Activation Key for this host.

  4. On the host machine, change directory as follows:

    cd Agent_Home/bin

    Agent_Home is the directory created in step 7 of "Deploying the Audit Vault Agent on the Host Computer".

  5. Run one of the following commands and provide the Agent Activation Key:

    • In Oracle AVDF 12.1.2:

      agentctl start -k 
      Enter Activation Key:
      

      Enter the activation key when prompted. This key will not be displayed as you type it.

    • In Oracle AVDF 12.1.1:

      agentctl start -k activation_key

    Note: The -k argument is not needed after the initial agentctl start command.

See Also:

If the agent is deployed on a Microsoft Windows host computer, you can start or stop the agent Windows service through the Windows Services applet in the Windows Control Panel. See "Registering or Unregistering the Audit Vault Agent as a Windows Service".

See Also:

"ACTIVATE HOST" for the command line syntax to activate the agent

Registering or Unregistering the Audit Vault Agent as a Windows Service

About the Audit Vault Agent Windows Service

When the Audit Vault Agent is deployed on a Microsoft Windows host computer, during agent deployment ("Deploying the Audit Vault Agent on the Host Computer"), a Windows service named OracleAVAgent is automatically registered. Additionally, you can register and unregister the agent service using the agentctl command as shown below.

When the Audit Vault Agent is registered as a Windows service, you can start or stop the service through the Windows Services applet in the Windows Control Panel.

Registering the Audit Vault Agent as a Windows Service

Note: Deploying the Audit Vault Agent on a Windows host automatically registers a Windows service named agentctl. Use this procedure if you need to register the Windows service again.

To register the Audit Vault Agent as a Windows Service:

On the host machine, run the following command from the Agent_Home\bin directory:

agentctl registersvc

This adds the Oracle Audit Vault Agent service in the Windows services registry.

Important:

Be sure to set the Audit Vault Agent service to use the credentials of the Windows OS user account that was used to deploy the agent using the java -jar command. Do this in the service Properties dialogue.

Note that in the service Properties dialogue, local user name entries in the This account field should be formatted as in the following example: user name jdoe should be entered as .\jdoe. Refer to Microsoft Windows documentation for procedures to do so.

Unregistering the Audit Vault Agent as a Windows Service

To unregister the Audit Vault Agent as a Windows Service, use one of the following methods:

  • Method 1 (Recommended)

    On the host machine, run the following command from the Agent_Home\bin directory:

    agentctl unregistersvc

    This removes the Oracle Audit Vault Agent service from the Windows services registry.

  • Method 2

    If Method 1 fails, then execute the following from the Windows command prompt (Run as Administrator):

    cmd> sc delete OracleAVAgent

    You can verify that the Audit Vault Agent has been deleted by executing the following query from the Windows command prompt (Run as Administrator):

    cmd> sc queryex OracleAVAgent

Stopping, Starting, and Other Agent Operations

Stopping and Starting the Audit Vault Agent

Stopping and Starting the Agent on Unix Hosts

To stop or start the Audit Vault Agent after initial activation and start, run one of the following commands from the Agent_Home/bin directory on the host machine:

agentctl stop

agentctl start

Stopping and Starting the Agent on Windows Hosts

The Audit Vault Agent is automatically registered as a Windows service when you deploy the Agent on a Windows host. We recommend that you run the Agent as a Windows service so that it can keep running after the user logs out.

See also "Registering or Unregistering the Audit Vault Agent as a Windows Service".

To stop or start the Agent Windows service:

Use one of the methods below:

  • In the Windows GUI (Control Panel, Administrative Tools, Services), find the Oracle Audit Vault Agent service, and then right-click it to select Start or Stop.

  • Run one of these commands from the Agent_Home\bin directory on the host machine:

    agentctl stopsvc

    agentctl startsvc

To check that the Windows service is stopped:

Run this command:

cmd> sc queryex OracleAVAgent

You should see the agent Windows service in a STOPPED state.

To stop or start the Agent in console mode:

start /b agentctl stop

start /b agentctl start

Changing the Logging Level for the Audit Vault Agent

The logging level you set affects the amount of information written to the log files. You may need to take this into account for disk space limitations.

Log files are located in the Agent_Home/av/log directory.

The following logging levels are listed in the order of amount of information written to log files, with debug providing the most information:

  • error - Writes only error messages

  • warning - (Default) Writes warning and error messages

  • info - Writes informational, warning, and error messages

  • debug - Writes detailed messages for debugging purposes

To change the logging level for an Audit Vault Agent:

  1. Ensure that you are logged into AVCLI on the Audit Vault Server.

  2. Run the ALTER HOST command.

    The syntax is as follows:

    ALTER HOST host_name SET LOGLEVEL=av.agent:log_level

    In this specification:

    • host_name: The name of the host where the Audit Vault Agent is deployed.

    • log_level: Enter a value of info, warn, debug, or error.

Deactivating and Removing the Audit Vault Agent

If you have registered the Audit Vault Agent as a Windows service, see "Registering or Unregistering the Audit Vault Agent as a Windows Service" to unregister the service.

Otherwise, to deactivate and remove the Audit Vault Agent:

  1. Stop all audit trails being collected by the Audit Vault Agent.

    1. In the Audit Vault Server console, click the Hosts tab, then click Audit Trails.

    2. Select the audit trails being collected by this Audit Vault Agent, and then click Stop.

  2. Stop the Audit Vault Agent by running the following command on the host computer:

    agentctl stop

  3. Deactivate the Audit Vault Agent on the host computer:

    1. In the Audit Vault Server console, click the Hosts tab.

    2. Select the host name, and then click Deactivate.

    3. Optionally, drop the host by selecting it, and then clicking Delete.

  4. Delete the Audit Vault Agent home directory on the host computer.

Updating the Audit Vault Agent

As of Oracle AVDF 12.1.1 BP2, when you update the Audit Vault Server to a future release, the Audit Vault Agent is automatically updated.

If your current release is prior to 12.1.1 BP2, refer to the README included with upgrade software or patch updates for instructions on how to update the Audit Vault Agent.

Information on downloading upgrade software is detailed in Oracle Audit Vault and Database Firewall Installation Guide.

Deploying Plug-ins and Registering Plug-in Hosts

About Plug-ins

Each type of secured target has a corresponding software plug-in in the Audit Vault Server, which enables the Audit Vault Agent to collect audit data. You can deploy more plug-ins, in addition to those shipped with Oracle AVDF, in order to collect audit data from more secured target types. New plug-ins are available from Oracle Technology Network or third parties. The plug-in deployment process updates the agent.jar file in the Audit Vault Server.

A plug-in supports only one secured target type. However, you may deploy more than one plug-in for the same secured target type if, for example, you acquired each plug-in from a different developer, or each plug-in supports a specific type of audit trail for the same secured target type. You can select the specific plug-in to use when you configure audit trail collections.

To start collecting audit data from the secured target type associated with a plug-in, you must also add the secured target in the Audit Vault Server, then configure and manually start audit trail collection. See "Configuring Secured Targets, Audit Trails, and Enforcement Points".

Deploying a plug-in consists of three steps:

  1. Ensuring that Auditing is Enabled in the Secured Target

  2. Registering the Plug-in Host in Audit Vault Server

  3. Deploying and Activating the Plug-in

Ensuring that Auditing is Enabled in the Secured Target

Ensure that auditing has been enabled in the secured target. See the secured target's product documentation for more information. For plug-ins for Oracle Database, see "Ensuring that Auditing is Enabled on Oracle Database Secured Targets".

Registering the Plug-in Host in Audit Vault Server

To register a host in the Audit Vault Server, see "Registering Hosts in the Audit Vault Server".

Deploying and Activating the Plug-in

To deploy and activate a plug-in:

  1. Copy the plug-in archive to the Audit Vault Server, and make a note of the location of the file.

    Plug-in archives are available from Oracle Technology Network or a third party.

  2. Log in to the Audit Vault Server console as an administrator.

  3. Click the Settings tab, and from the System menu, click Plug-ins.

    The Plug-ins page lists the currently deployed plug-ins:

    [Illustration: plugins_page.gif]

  4. Click Deploy, and in the Plug-in Archive field, enter or browse for the name of the plug-in archive.

    [Illustration: plugin_deploy.gif]

  5. Click Deploy Plug-in.

    The new plug-in is listed in the Hosts tab, Agent page, under Plug-ins. The updated agent.jar file has a new Agent Generation Time shown in the Agent page.

    The Hosts page displays an Agent Generation Time column for each registered host, indicating the version of the agent.jar on that host.

  6. Copy the updated agent.jar file to each registered host machine.

    If you have not registered a host machine, see "Registering Hosts in the Audit Vault Server".

  7. On the host machine, extract the agent:

    java -jar agent.jar
    

    Note:

    You cannot download the agent during the same login session in which you deploy a plug-in, since the agent.jar is being updated. However, users in other sessions will be able to download the most current version of agent.jar until the plug-in deployment process is complete and a new version is available.

Un-Deploying Plug-ins

To un-deploy a plug-in:

  1. Log in to the Audit Vault Server console as an administrator.

  2. Click the Settings tab, and from the System menu, click Plug-ins.

  3. Select the plug-in you want, and then click Un-deploy.

Deleting Hosts from the Audit Vault Server

When you delete a host, if you want to register it again to collect audit data, you must reinstall the Audit Vault Agent on this host.

To delete hosts:

  1. Log in to the Audit Vault Server console as an administrator.

  2. Click the Hosts tab.

    A list of the registered hosts, if present, appears in the Hosts page. To control the view of this list, see "Working with Lists of Objects in the UI".

  3. Select the host(s) you want to delete, and then click Delete.