Host monitoring is designed for situations in which you have many small databases in a distributed environment, and you want Oracle Audit Vault and Database Firewall to monitor SQL traffic to all of these databases centrally with one Database Firewall. This allows flexibility in the choice of the network point at which the traffic is monitored. For example, this is helpful in situations where it is not easy to route the traffic through a bridge or to get it from a mirror port.
The host monitor captures the SQL traffic from the network card and sends it over the network to a Database Firewall. This SQL data is then available for reports generated by Oracle Audit Vault and Database Firewall. Host monitoring is used only for monitoring SQL traffic (DAM mode) and cannot be used to block or substitute SQL statements.
To use Host Monitor, you deploy the Audit Vault Agent on the host machine on which you want to deploy the Host Monitor. It should be the same machine as the database. For larger databases, the SQL traffic captured by a host monitor will increase network traffic. In this case, you can install the host monitoring software onto a server that is different from the database server. It is recommended to use a spanning port to connect this database server to the server used for the Host Monitor.
You can use one Database Firewall to monitor multiple secured target databases on the same host using one host monitor installation. To do this, you create an enforcement point in DAM mode, and a NETWORK audit trail, for each secured target.
To monitor all network traffic for a secured target, the Oracle Audit Vault and Database Firewall auditor must select a firewall policy that will log events, for example, Log Unique.
Note:
Host monitoring is supported on Linux, Solaris, AIX, and Windows platforms, and can monitor any database supported by the Database Firewall. See Table B-1 for supported databases.
Host Monitor Agent supports link type Solaris IPNET on Oracle Solaris SPARC64 and x86-64.
Host Monitor Agent supports Ethernet (EN10MB) link type for all supported platforms.
Host Monitor enables the Database Firewall to directly monitor SQL traffic in a database.
Recommended requirements for installing Host Monitor:
Ensure the latest version of the following packages from the OS vendor for the specific OS version are installed on the host machine:
Specific requirements for installing Host Monitor on Windows platform:
avdf12.2.0.13.0-utility.zip bundle in Oracle Software Delivery Cloud. It is part of the Oracle Audit Vault and Database Firewall installable files. Ensure that Npcap is installed in WinPcap-API-compatible mode.
MSVCRT.dll (*) or later) package installed. This is a must to use Host Monitor on Windows.
Specific requirements for installing Host Monitor on Linux/Unix/AIX/Solaris platforms:
available for IBM AIX on Power Systems (64-bit). It is set to defined by default.
See Also:
Enabling and Using Host Monitoring for host monitoring instructions and prerequisites.
To register a host in the Audit Vault Server, see "Registering Hosts in the Audit Vault Server".
Oracle Audit Vault and Database Firewall 12.2.0.13.0 (and later) supports Host Monitoring on Windows. This functionality is supported by additionally installing OpenSSL and Npcap. This section contains the necessary details to be followed before upgrading from older releases in 12.2 (other than 12.2.0.11.0, 12.2.0.12.0), or for a fresh installation of 12.2.0.13.0 (or later).
Installing OpenSSL
OpenSSL 1.1.1g or a higher version must be installed on the Windows host machine. Use OpenSSL 1.1.1i for release Oracle AVDF 12.2.0.14.0. Follow these steps to make system related changes before installing OpenSSL:
Path under the Variable column.
Add the location of the OpenSSL bin directory at the beginning of the Path variable.
Note:
While installing OpenSSL on a Windows machine, you are prompted to choose a location to copy the OpenSSL DLLs as an additional configuration step. It is recommended that you choose the Windows System Directory option, as this location is added to the Path environment variable on Windows machines by default. Otherwise, if you choose the OpenSSL bin directory option, ensure the location is added to the Path environment variable.
New Installation of Host Monitor for Windows
Host Monitoring on Windows functionality is supported by additionally installing Npcap. Follow these steps to install Npcap for a fresh installation of Host Monitor in release 12.2.0.13.0 (or later):
utility.zip bundle in Oracle Software Delivery Cloud. It is part of the Oracle Audit Vault and Database Firewall installable files.
Complete the Npcap installation on the Windows host machine. Ensure that it is installed in WinPcap-API-compatible mode.
Note:
Installing Npcap in WinPcap API compatible mode removes any existing installation of WinPcap from the Windows machine.
In addition to the Windows System directory, Npcap copies the DLL files to the Npcap sub-directory inside the Windows System directory. Do not remove the DLL files from the Windows System directory.
Note:
Installing Npcap in WinPcap API compatible mode adds the Npcap DLL files to the Windows System directory, which is already in the system Path environment variable.
Optionally add the Npcap sub-directory inside the Windows System directory to the Path environment variable, by following the steps below:
Path under the Variable column.
Path variable. For example: C:\Windows\System32\Npcap
Path environment variable.
Upgrading Host Monitor on Windows
Host Monitoring on Windows functionality is supported by additionally installing Npcap. Follow these steps to continue using Host Monitor on Windows on releases 12.2.0.9.0, 12.2.0.10.0, or 12.2.0.13.0, before upgrading to Oracle AVDF release 12.2.0.14.0:
STOPPED state.
utility.zip bundle of the specific release.
Complete the Npcap installation on the Windows host machine. Ensure that it is installed in WinPcap-API-compatible mode.
Note:
Installing Npcap in WinPcap API compatible mode removes any existing installation of WinPcap/Npcap from the Windows machine.
In addition to the Windows System directory, Npcap copies the DLL files to the Npcap sub-directory inside the Windows System directory. Do not remove the DLL files from the Windows System directory.
Note:
Installing Npcap in WinPcap API compatible mode adds the Npcap DLL files to the Windows System directory, which is already in the system Path environment variable.
Optionally add the Npcap sub-directory inside the Windows System directory to the Path environment variable, by following the steps below:
Path under the Variable column.
Path variable. For example: C:\Windows\System32\Npcap
Path environment variable.
Note:
STOPPED state, before installing Npcap. Else, an error may be encountered.
Prerequisites
Deploy the Audit Vault Agent. See Deploying the Audit Vault Agent on the Host Computer.
To install the Host Monitor:
To create a secured target, see "Registering or Removing Secured Targets in the Audit Vault Server".
For Host Monitor only deployment, create an enforcement point in Database Activity Monitoring (DAM) mode to receive and process the data sent from the Host Monitor.
A network interface card (NIC) must be configured while creating the enforcement point for Database Firewall with Host Monitor only deployment. This must be different from the Management Interface that is used for communication to Audit Vault Server.
See Also:
Learn how to create network audit trails.
Create an audit trail for each target you are monitoring with a Host Monitor. Specify NETWORK for the Audit Trail Type.
Note:
Ensure that the mandatory collection attribute network_device_name_for_hostmonitor is configured for the targets that are monitored by Host Monitor. The name of the network interface card is the attribute value. The network interface card receives all the network traffic of the target database.
Linux/AIX/Solaris hosts
Follow these steps to determine the value of the network_device_name_for_hostmonitor collection attribute:
Execute the following command to list the network device details present in the host machine:
ifconfig -a
network_device_name_for_hostmonitor.
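One way to carry out the lookup above on Linux/AIX/Solaris hosts, as an added example that is not part of the Oracle documentation: it parses ifconfig -a output and prints the device that owns the target database's IP address, which can then be entered as network_device_name_for_hostmonitor. The function names nic_for_ip and sample_ifconfig, the sample output and its addresses are constructed for illustration; selecting the device by the database IP, skipping loopback, and stripping alias suffixes such as eth1:1 are assumptions.

```shell
#!/bin/sh
# Added example: map the target database's IP address to the capture device
# name, reading `ifconfig -a` output on stdin.
# Usage on a host: ifconfig -a | nic_for_ip <database-ip>

nic_for_ip() {
    awk -v want="$1" '
        # An interface header starts in column 0; address lines are indented.
        /^[^ \t]/ {
            dev = $1
            sub(/:$/, "", dev)         # "eth0:" (newer net-tools, Solaris, AIX)
            sub(/:[0-9]+$/, "", dev)   # alias "eth1:1" -> "eth1" (assumption)
            loopback = ($0 ~ /LOOPBACK|Local Loopback/)
        }
        {
            for (i = 1; i < NF; i++) {
                if ($i != "inet") continue       # skips inet6 as well
                ip = $(i + 1)
                sub(/^addr:/, "", ip)            # older "inet addr:192.0.2.10"
                if (ip == want && !loopback) { print dev; found = 1; exit }
            }
        }
        END { exit !found }                      # non-zero when nothing matched
    '
}

# Constructed sample output mixing both ifconfig styles; not from a real host.
sample_ifconfig() {
    cat <<'EOF'
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 198.51.100.7  netmask 255.255.255.0  broadcast 198.51.100.255
        ether 02:00:00:00:00:01  txqueuelen 1000  (Ethernet)
eth1      Link encap:Ethernet  HWaddr 02:00:00:00:00:02
          inet addr:192.0.2.10  Bcast:192.0.2.255  Mask:255.255.255.0
eth1:1    Link encap:Ethernet  HWaddr 02:00:00:00:00:02
          inet addr:192.0.2.11  Bcast:192.0.2.255  Mask:255.255.255.0
EOF
}

sample_ifconfig | nic_for_ip 192.0.2.10    # prints eth1
```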
Windows hosts
Follow these steps to determine the value of the network_device_name_for_hostmonitor collection attribute:
Learn how to start the host monitor.
Starting the host monitor consists of starting collection for the NETWORK audit trail on the host you are monitoring.
To start the host monitor from the Audit Vault Server console:
To stop the host monitor, stop the audit trail you created for the secured target that is being monitored. See "Stopping, Starting, and Autostart of Audit Trails in the Audit Vault Server".
You can view whether a host monitor is installed, and information such as its location, version, update time, and other details.
To view host monitor status and details:
Learn how to update the host monitor on Unix systems.
When you update the Audit Vault Server to a future release, the host monitor is automatically updated.
If your current release is prior to 12.1.2, refer to the README included with upgrade software or patch updates for instructions on how to update the host monitor.
See Also:
Oracle Audit Vault and Database Firewall Installation Guide for information on downloading upgrade software.
By default, the Database Firewall allows the host monitor connection based on verifying the host's (originating) IP address.
If you want the additional security of using certificate-based authentication for the host monitor, follow these procedures after the host monitor is installed:
To require a signed certificate for host monitor connections: