Oracle® Audit Vault and Database Firewall

Release Notes

Release 12.1.2


July 2017

These Release Notes contain important information about Oracle Audit Vault and Database Firewall Release 12.1.2.

This document contains these topics:

Downloading the Audit Vault and Database Firewall Documentation

You can download the most current version of this document, and the full set of Oracle Audit Vault and Database Firewall documentation, from the following website:

You can find documentation for other Oracle products at the following website:

Upgrading to Oracle AVDF 12.1.2 from a Previous Release

You can upgrade to Oracle AVDF version (Bundle Patch 1) from all Oracle AVDF versions up to, and including, and from version However, you can not upgrade from a subsequent 12.1.1 bundle patch, for example, if it was released after version (Bundle Patch 1). To upgrade from such a bundle patch, please contact Oracle Support to obtain the most recent bundle patch for AVDF 12.1.2.

Supported Secured Targets and Platforms

You can find the latest information on supported secured targets and platforms in Oracle Audit Vault and Database Firewall Administrator's Guide, and in Article 1536380.1 at the following website:

What's New in this Release

The following are new features in this release:

  • You can configure the Audit Vault Server to use an external iSCSI SAN server to store the audit event repository and system data.

  • The Audit Vault Agent is updated automatically when the Audit Vault Server is upgraded or a patch is applied.

  • You can store archive data in a Network File Share (NFS) location.

  • Entitlement reports include data specific to Oracle Database 12c.

  • Database Vault is automatically enabled and configured in the Oracle Database embedded in the Audit Vault Server. This further strengthens security by restricting privileged access to the Oracle Database for all users including those with administrative access.

  • Password hashing has been upgraded to a more secure standard. Change your passwords after upgrade to take advantage of the more secure hash.

  • The Audit Vault Agent deployment procedure has been simplified. Registering a host in the Audit Vault Server automatically generates an Agent activation key, and therefore, the step requesting Agent activation is no longer required.

  • Adding and updating a secured target location has been simplified in the Audit Vault Server administrator console UI.

  • You can set alerts to be forwarded to syslog.

  • You can download diagnostics log files from the Audit Vault Server UI.

  • The Audit Vault Agent is supported on 32-bit Linux and Windows platforms.

  • Oracle Database 9i is supported for Database Firewall.

  • MySQL 5.6 is supported on the Database Firewall.

Known Issues

Table 1 lists the system's current known issues, with workarounds if available. Be sure to apply the latest Bundle Patch. New installations include the latest Bundle Patch.

In general, if you experience a problem using the Audit Vault Server console UI, try running the same command using the AVCLI command line utility. See Oracle Audit Vault and Database Firewall Administrator's Guide for a command line reference.

Table 1 Audit Vault and Database Firewall Known Issues

Bug Number Description


Syslog (audit trail) collector does not work for systems with rsyslog

This affects Oracle secured targets running on computers on Oracle Linux 6 (OEL6) platforms.


  1. Set the following parameters in the /etc/rsyslog.conf file:

    # Use default timestamp format
    $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
  2. Start syslog audit trails using the full path to the syslog files. For example, when configuring a syslog audit trail in the Audit Vault Server console, in the Trail Location field, provide a full path such as /usr/local/syslog*.

    If you are using AVCLI, you can execute a command such as the following:

    avcli> START COLLECTION FOR SECURED TARGET sample_source USING HOST foo FROM syslog /usr/local/syslog*;


HA: After failover Audit Vault Server fails to forward syslog and arcsight messages


  1. Log in to the Audit Vault Server console as a super administrator.

  2. Click the Settings tab, and then click Connectors.

  3. In the Syslog section, and then click Save.

  4. Scroll down to the HP ArcSight SIEM section, and then click Save.


Provide option to remove HA configuration from UI.


This workaround is available starting with AVDF (12.1.1 BP4).

To unpair two paired Audit Vault Servers:

  1. Shut down the standby (secondary) Audit Vault Server.

  2. Log in to the primary Audit Vault Server as root.

  3. Run this command:

    sudo -u oracle /usr/local/dbfw/bin/setup_ha.rb --unconfigure


Need to install Visual C++ 2010 Package to run Windows Agent.


Install Microsoft Visual C++ 2010 Redistributable Package to run the Audit Vault Agent on a Windows host. If you are using Microsoft Windows 2003, then you must also install Windows 2003,Microsoft Visual C++ 2005 Redistributable Package.


Invalid DB Firewall network configurations should be resolved before upgrade.

This is relevant for users with Database Firewall and, in particular, Host Monitor Deployed. Before upgrading to 12.1.2 you should ensure that your Database Firewall configuration is valid.


Ensure that any enabled traffic sources on the Database Firewall have two ports in the traffic source.

Also ensure that any enforcement point in DPE mode is using an enabled traffic source.


Update oracle_user_setup.sql script to avoid using Oracle Data Dictionary realm for Database Vault.

This issue affects Oracle Database 12c secured targets that have Database Vault enabled. When using the Oracle AVDF user setup script oracle_user_setup.sql, and running the script with REDO_COLL mode, the script outputs the following message, which does not apply to Oracle Database 12c:

Connect to the secured target database as DV Owner and execute: 
exec dbms_macadm.add_auth_to_realm('Oracle Data Dictionary', 'C##USER1', null,dbms_macutl.g_realm_auth_participant);


Ignore the above message if you see it when running the script for an Oracle Database 12c. Instead, execute the following on the database as DV Owner:


For username, use the name of the account you created for Oracle AVDF on this Oracle Database secured target.

For full instructions on this setup script, see Oracle Audit Vault and Database Firewall Administrator's Guide.


Online help lists four disk groups in the Audit Vault Server repository.

The online help for the Repository page in the Settings tab incorrectly indicates there is an ARCHIVE disk group. There are only three disk groups available in Oracle AVDF 12.1.2:





Host monitor might choose incorrect network device if multiple preferred devices exist.

This can occur when the default network adapter that the host monitor uses (of type Intel(R) PRO/1000 MT Network Adapter) is for the wrong network.


Change the network adapter the host monitor uses so that traffic is captured from the correct network for the secured target. Follow these steps:

  1. Check the host monitor log file and look for a section similar to:

    The selected network device for capturing is:
    \Device\NPF_{22E6D6FF-43E2-4212-9970-05C446A33A35}. To change the device update the network_device_name_for_hostmonitor attribute at Collection Attributes to any one value from the list:
    \Device\NPF_{60611262-3FCC-4374-9333-BD69BF51DEEA} and restart the trail

    This indicates which device is being used, and which devices are available. For more information on the available devices, you can run the host monitor in debug mode.

  2. In the Audit Vault Server console, Secured Targets tab, click the secured target you want.

  3. In the Modify Collection Attributes section, Attribute Name field, enter network_device_name_for_hostmonitor.

  4. In the Attribute Value field, enter the device name, for example: \Device\NPF_{17C832B3-B8FC-44F4-9C99-6ECFF1706DD1}

  5. Click Add, and then Save.

  6. Restart the audit trail for this secured target.


Agent upgrade fails if 12.1.0 Agent has deployed plug-ins.


Re-deploy the plug-ins, and then download and install the Agent again.


Agent install fails when agent.jar is downloaded from IE browser, with "Invalid or corrupt jarfile" error.


Use a different browser (such as Firefox) to download the agent.jar file, then run java -jar agent.jar again.

Documentation Accessibility

For information about Oracle's commitment to accessibility, visit the Oracle Accessibility Program website at

Access to Oracle Support

Oracle customers that have purchased support have access to electronic support through My Oracle Support. For information, visit or visit if you are hearing impaired.

Oracle Audit Vault Release Notes, Release 12.1.2


Copyright © 2012, 2017, Oracle and/or its affiliates. All rights reserved.

This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited.

The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing.

If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, then the following notice is applicable:

U.S. GOVERNMENT END USERS: Oracle programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, delivered to U.S. Government end users are "commercial computer software" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, use, duplication, disclosure, modification, and adaptation of the programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, shall be subject to license terms and license restrictions applicable to the programs. No other rights are granted to the U.S. Government.

This software or hardware is developed for general use in a variety of information management applications. It is not developed or intended for use in any inherently dangerous applications, including applications that may create a risk of personal injury. If you use this software or hardware in dangerous applications, then you shall be responsible to take all appropriate fail-safe, backup, redundancy, and other measures to ensure its safe use. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of this software or hardware in dangerous applications.

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.

Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group.

This software or hardware and documentation may provide access to or information about content, products, and services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to third-party content, products, and services unless otherwise set forth in an applicable agreement between you and Oracle. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party content, products, or services, except as set forth in an applicable agreement between you and Oracle.