If you want to collect audit data from a secured target, you must configure a connection between the Audit Vault Server and the host machine where the Audit Vault Agent resides for that secured target (usually the same computer as the secured target).
After registering a host, you must then deploy and activate the Audit Vault Agent on that host.
This chapter assumes the Audit Vault Agent is deployed on the secured target host, and describes the procedures for registering hosts using the Audit Vault Server console UI.
After you register hosts and deploy the Audit Vault Agent on them, in order to start audit trail collections you must also register the secured targets, configure audit trails, and start audit trail collections manually.
See Also:
Summary of Configuration Steps to understand the high-level workflow for configuring the Oracle Audit Vault and Database Firewall system.
Deploying and Activating the Audit Vault Agent on Host Computers
Sections in this chapter give information on configuring hosts that is specific to each secured target type. However, the procedure for registering any host machine in the Audit Vault Server is the same.
See Also:
REGISTER HOST for the command line syntax to register a host.
Configuring or Changing the Oracle Audit Vault Server Services to configure DNS server.
Working with Lists of Objects in the UI to control the view of registered hosts listed in the Hosts page.
After you change a host name, the change takes place immediately. You do not need to restart the host Audit Vault Server.
Caution:
Do not manually reboot the system after changing a host name as this may put the system in an inconsistent state. Wait up to 10 minutes for the system to automatically reboot.
Prerequisite
Log in to the Audit Vault Server console as an administrator. See Logging in to the Audit Vault Server Console UI for more information.
Learn about how to deploy and activate the Audit Vault Agent on host computers.
In order to collect audit trails from secured targets, you must deploy the Audit Vault Agent on a host computer, usually the same computer where the secured target resides. The Audit Vault Agent includes plug-ins for each secured target type, as well as host monitoring functionality.
In addition to deploying the Audit Vault Agent, in order to start audit trail collections you must also register each host, register secured targets, configure audit trails, and start audit trail collections manually (thereafter, audit trails start automatically when the Audit Vault Agent is restarted, or updated due to an Audit Vault Server update).
To deploy the Audit Vault Agent in an Oracle RAC environment, follow these guidelines.
Trail Type | Guideline |
---|---|
|
To configure |
|
To configure This is sufficient in case the audit trails are configured as described in section Configuring Audit Trail Collection for Oracle Real Application Clusters. |
|
To configure |
Table 5-1 OS Permission Required For Installing The Agent
Operating System | User |
---|---|
Linux/Unix | Any user. |
Windows | Any user for running the Agent from the command prompt. admin user for registering as a service. |
Note:
Host Monitor on Linux/Unix/AIX/Solaris platforms must be installed as root user.
If directory trails are used then Agent installation user should have read permission on the audit files.
Host Monitor on Windows platform is not certified in release 12.2.0.11.0.
If your installation is 12.2.0.10.0 and prior, then Host Monitor must be installed as admin user.
Ensure that the host machine has OpenSSL 1.0.1 (or later) installed for Audit Vault Agent.
See Also:
Summary of Configuration Steps to understand the high-level workflow for configuring the Oracle Audit Vault and Database Firewall system.
Adding an Audit Trail in the Audit Vault Server to configure an audit trail.
Deploying and activating the Audit Vault Agent on a host machine consists of these steps:
To register the host on which you deployed the Audit Vault Agent, follow the procedure in "Registering Hosts in the Audit Vault Server".
You must use an OS user account to deploy the Audit Vault Agent. In this step, you copy the agent.jar file from the Audit Vault Server and deploy this file on the host machine.
Note:
Ensure that the host machine has OpenSSL 1.0.1 (or later) installed for Audit Vault Agent.
See Also:
The Audit Vault Agent is supported on Unix, Windows, and HP-UX Itanium platforms, and requires Java version 1.8 to be installed on the host computer. See Oracle Audit Vault and Database Firewall Installation Guide for Agent platform support details for the current release and for the supported Java versions. For supported platforms in prior releases, see Article 1536380.1 at the Oracle Support website: https://support.oracle.com
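The host prerequisites stated above (OpenSSL 1.0.1 or later, Java 1.8, and read permission on the audit files when directory trails are used) can be checked on a Linux/Unix host before agent.jar is copied over. The preflight below is an added example, not Oracle's code; the function names and the audit-directory argument are assumptions.

```sh
#!/bin/sh
# Added example (not Oracle code): preflight for the Agent host prerequisites
# stated on this page. Function names and the AUDIT_DIR argument are assumptions.

# openssl_ok BANNER: succeeds if an `openssl version` banner reports 1.0.1 or later.
openssl_ok() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSL \([0-9]\{1,\}\)\.\([0-9]\{1,\}\)\.\([0-9]\{1,\}\).*/\1 \2 \3/p')
    [ -n "$ver" ] || return 1          # not an OpenSSL banner (e.g. LibreSSL)
    set -- $ver                        # $1=major $2=minor $3=patch
    [ $(( $1 * 10000 + $2 * 100 + $3 )) -ge 10001 ]
}

# java_is_1_8 BANNER: succeeds if the first line of `java -version` reports 1.8.
java_is_1_8() {
    case "$1" in
        *'version "1.8.'*) return 0 ;;
        *) return 1 ;;
    esac
}

# count_unreadable DIR: prints how many regular files in DIR this user cannot read.
count_unreadable() {
    n=0
    for f in "$1"/*; do
        if [ -f "$f" ] && [ ! -r "$f" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# preflight AUDIT_DIR: run as the OS user that will install the Agent.
preflight() {
    rc=0
    banner=$(openssl version 2>/dev/null) || banner=""
    if openssl_ok "$banner"; then echo "PASS openssl: $banner"
    else echo "FAIL openssl: need 1.0.1 or later, found '${banner:-none}'"; rc=1; fi

    banner=$(java -version 2>&1 | head -n 1) || banner=""
    if java_is_1_8 "$banner"; then echo "PASS java: $banner"
    else echo "FAIL java: need version 1.8, found '$banner'"; rc=1; fi

    bad=$(count_unreadable "$1")
    if [ "$bad" -eq 0 ]; then echo "PASS audit files readable in $1"
    else echo "FAIL $bad audit file(s) in $1 not readable by $(id -un)"; rc=1; fi
    return "$rc"
}

# Runs only when a directory-trail path is given, e.g.: sh preflight.sh /path/to/audit
if [ $# -gt 0 ]; then preflight "$1"; fi
```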
To copy and deploy the Audit Vault Agent to the host machine:
Caution:
After deploying the Audit Vault Agent, do not delete the Agent_Home directory unless directed to do so by Oracle Support. If you are updating an existing Audit Vault Agent, do not delete the existing Agent_Home directory.
Prerequisites
Follow and complete the procedure in Registering Hosts in the Audit Vault Server.
Log in to the Audit Vault Server console as an administrator. See Logging in to the Audit Vault Server Console UI for more information.
To activate and start the agent:
See Also:
Registering and Unregistering the Audit Vault Agent as a Windows Service to start or stop the agent Windows service through the Windows Services applet in the Windows Control Panel, in case the Agent is deployed on a Microsoft Windows host computer.
ACTIVATE HOST for the command line syntax to activate the Agent.
Learn about registering and unregistering Oracle Audit Vault Agent as a Windows service.
Note:
The Audit Vault Agent as a Windows Service is not supported in Oracle Audit Vault and Database Firewall release 12.2.0.7.0. Use the console mode to stop or start the Agent.
Learn about the Audit Vault Agent Windows service.
When you deploy the Audit Vault Agent on a Microsoft Windows host computer, during agent deployment, a Microsoft Windows service named OracleAVAgent is automatically registered. Additionally, you can register and unregister the agent service using the agentctl command.
When the Audit Vault Agent is registered as a Windows service, you can start or stop the service through the Windows Services applet in the Windows Control Panel.
Deploying the Audit Vault Agent on a Windows host automatically registers a Windows service named agentctl. Use this procedure to register the Windows service again.
Prerequisite
Ensure that you comply with one of the following prerequisites:
msvcr110.dll file is available in any of the directories defined in the PATH variable.
msvcr110.dll is present to the PATH variable. For example: C:\Windows\System32
msvcr110.dll file that is compatible with the Windows target machine to the <Agent Home>/bin and <Agent Home>/bin/mswin-x86-64 folders.
To register the Audit Vault Agent as a Windows Service, run the following command on the host machine from the Agent_Home\bin directory:
agentctl registersvc
This adds the Audit Vault Agent service in the Windows services registry.
Note:
java -jar command. Do this in the service Properties dialogue.
jdoe should be entered as .\jdoe. Refer to Microsoft Windows documentation for procedures to do so.
You can use two methods to unregister the Oracle Audit Vault Agent as a Windows service.
To unregister the Oracle Audit Vault Agent as a Windows Service, use one of the following methods:
Method 1 (Recommended)
On the host machine, run the following command from the Agent_Home\bin directory:
agentctl unregistersvc
This removes the Oracle Audit Vault Agent service from the Windows services registry.
Method 2
If Method 1 fails, then execute the following from the Windows command prompt (Run as Administrator):
cmd> sc delete OracleAVAgent
You can verify that the Audit Vault Agent has been deleted by executing the following query from the Windows command prompt (Run as Administrator):
cmd> sc queryex OracleAVAgent
Learn about stopping and starting Oracle Audit Vault Agent.
Important:
Stop and start the Audit Vault Agent as the same OS user account that you used during installation.
Learn about stopping and starting the agent on Microsoft Windows hosts.
The Audit Vault Agent is automatically registered as a Windows service when you deploy the Agent on a Windows host. We recommend that you run the Agent as Windows service so that it can keep running after the user logs out.
To stop or start the Agent Windows service
Use one of the methods below:
In the Windows GUI (Control Panel > Administrative Tools > Services), find the Oracle Audit Vault Agent service, and then right-click it to select Start or Stop.
Run one of these commands from the Agent_Home\bin directory on the host machine:
agentctl stopsvc
agentctl startsvc
To check that the Windows service is stopped
Run this command:
cmd> sc queryex OracleAVAgent
You should see the agent Windows service in a STOPPED state.
To stop or start the Agent in console mode
start /b agentctl stop
start /b agentctl start
To forcibly stop the Agent in console mode
agentctl stop -force
Note:
This is not a recommended option to stop the Agent. Use it only in case the Agent goes into an unreachable state for a long time and cannot be restarted or stopped. In such a scenario, use this option to forcibly stop and later restart the agent.
To restart the agent use the agentctl start command.
The logging level you set affects the amount of information written to the log files. You may need to take this into account for disk space limitations.
Log files are located in the Agent_Home/av/log directory.
The following logging levels are listed in the order of amount of information written to log files, with debug providing the most information:
error - Writes only error messages
warning - (Default) Writes warning and error messages
info - Writes informational, warning, and error messages
Using the Audit Vault Server Console to Change Logging Levels
To change the logging level for the Audit Vault Agent using the Audit Vault Server UI, see "Changing Logging Levels and Clearing Diagnostic Logs".
Using AVCLI to Change the Agent Logging Level
To change the logging level for the Audit Vault Agent using the AVCLI utility:
Ensure that you are logged into AVCLI on the Audit Vault Server.
Run the ALTER HOST command.
The syntax is as follows:
ALTER HOST host_name SET LOGLEVEL=av.agent:log_level
In this specification:
host_name: The name of the host where the Audit Vault Agent is deployed.
log_level: Enter a value of info, warn, debug, or error.
You can view an Audit Vault Agent's status and details such as activation key, platform, version, location, and other details.
Prerequisite
Log in to the Audit Vault Server console as an administrator. See Logging in to the Audit Vault Server Console UI for more information.
To view the status and details of an Audit Vault Agent:
Use this procedure to deactivate and remove the Audit Vault Agent.
See Also:
If you have registered the Audit Vault Agent as a Windows service, see Registering and Unregistering the Audit Vault Agent as a Windows Service to unregister the service.
To deactivate and remove the Audit Vault Agent:
Stop all audit trails being collected by the Audit Vault Agent.
In the Audit Vault Server console, click the Hosts tab, then click Audit Trails.
Select the audit trails being collected by this Audit Vault Agent, and then click Stop.
Stop the Audit Vault Agent by running the following command on the host computer:
agentctl stop
Deactivate the Audit Vault Agent on the host computer:
In the Audit Vault Server console, click the Hosts tab.
Select the host name, and then click Deactivate.
Optionally, drop the host by selecting it, and then clicking Delete.
Delete the Audit Vault Agent home directory on the host computer.
Note:
The Audit Vault Agent deployed on a host is associated with the specific Audit Vault Server from where it was downloaded. This Audit Vault Agent collects audit data from the configured secured targets and sends this data to that specific Audit Vault Server. To configure the audit trail collection from the existing secured targets to a different Audit Vault Server, you should deactivate and remove the existing Agent, download the Audit Vault Agent installation file from the new Audit Vault Server, and install it on the target host. This scenario is different from updating the existing Audit Vault Agent.
Learn about updating Oracle Audit Vault Agent.
As of Oracle Audit Vault and Database Firewall 12.1.1 BP2, when you update the Audit Vault Server to a future release, the Audit Vault Agent is automatically updated.
If your current release is prior to 12.1.1 BP2, then refer to the README included with upgrade software or patch updates for instructions on how to update the Audit Vault Agent.
As of Oracle Audit Vault and Database Firewall 12.2.0, when you upgrade the Audit Vault Server to a later version, or restart the Audit Vault Agent, you no longer need to restart audit trails manually. The audit trails associated with this Audit Vault Agent automatically restart if you have not explicitly stopped them. If you upgrade the Audit Vault Server to 12.2.0 from a prior release, audit trails associated with the updated Agents will automatically restart if the trails have a single plug-in.
See Also:
Oracle Audit Vault and Database Firewall Installation Guide for information about downloading upgrade software.
Each type of secured target has a corresponding software plug-in in the Audit Vault Server, which enables the Audit Vault Agent to collect audit data. You can deploy more plug-ins, in addition to those shipped with Oracle Audit Vault and Database Firewall, in order to collect audit data from more secured target types. New plug-ins are available from Oracle Technology Network or third parties.
A plug-in supports only one secured target type. However, you may deploy more than one plug-in for the same secured target type if, for example, you acquired each plug-in from a different developer, or each plug-in supports a specific type of audit trail for the same secured target type. You can select the specific plug-in to use when you configure audit trail collections.
To start collecting audit data from the secured target type associated with a plug-in, you must also add the secured target in the Audit Vault Server, then configure and manually start audit trail collection.
Deploying a plug-in consists of three steps:
Ensure that auditing has been enabled in the secured target. See the secured target's product documentation for more information.
See Also:
Ensuring that Auditing is Enabled on the Secured Target for information on plug-ins for Oracle Database.
To register a host in the Audit Vault Server, see "Registering Hosts in the Audit Vault Server".