6 Registering Hosts and Deploying the Agent
Learn about registering hosts and deploying the agents.
- Registering Hosts on Oracle Audit Vault Server
Learn about registering hosts on Oracle Audit Vault Server. - Deploying and Activating the Audit Vault Agent on Host Computers
Learn about how to deploy and activate the Audit Vault Agent on host computers. - Stopping, Starting, and Other Agent Operations
Learn about starting and stopping the agent and other operations. - Updating Oracle Audit Vault Agent
Learn about updating Oracle Audit Vault Agent. - Deploying Plug-ins and Registering Plug-in Hosts
Learn about deploying plug-ins and registering plug-in hosts. - Deleting Hosts from Audit Vault Server
Learn how to delete hosts from Audit Vault Server.
6.1 Registering Hosts on Oracle Audit Vault Server
Learn about registering hosts on Oracle Audit Vault Server.
- About Registering Hosts
Learn how to register hosts. - Registering Hosts in the Audit Vault Server
Learn about registering hosts in the Audit Vault Server. - Changing Host Names
Learn about changing host name.
Parent topic: Registering Hosts and Deploying the Agent
6.1.1 About Registering Hosts
Learn how to register hosts.
Register a host computer from where audit data is collected. After registering the host, you can deploy and activate the Audit Vault Agent on that host. Audit Vault Agent is a component of Oracle AVDF. It collects audit data from the targets and sends audit data to the Audit Vault Server. A target is a system that you want to monitor and protect. This chapter contains necessary information for registering hosts using the Audit Vault Server console.
After registering the hosts on the Audit Vault Server perform the following steps to be able to collect audit records:
- Download the Audit Vault Agent software from the Audit Vault Server console
- Deploy the Audit Vault Agent
- Activate the Audit Vault Agent
- Register one or more targets from which the audit data needs to be collected
- Start audit trails using the Audit Vault Server console
See Also:
-
Summary of Configuration Steps to understand the high-level workflow for configuring the Oracle Audit Vault and Database Firewall system.
-
Deploying and Activating the Audit Vault Agent on Host Computers
Parent topic: Registering Hosts on Oracle Audit Vault Server
6.1.2 Registering Hosts in the Audit Vault Server
Learn about registering hosts in the Audit Vault Server.
To register a host computer in the Audit Vault Server:
Agent Deployment in a High Availability System
Audit Vault Agent may be associated with multiple IP addresses in the following cases:
-
Agent installed on a host with multiple network interface cards
-
Agent installed on a node of high availability cluster
- Only one Audit Vault Agent installation is necessary for high availability cluster deployment. The Agent installation is needed only on active node of the cluster. Ensure the Audit Vault Agent installation directory is accessible to all nodes of the cluster.
- Cluster management software must be configured to start, stop, and monitor the Agent by providing the necessary input. The Agent must be started automatically by the cluster management software on the active node and stopped automatically on passive nodes.
See Also:
-
REGISTER HOST for the command line syntax to register a host.
-
Configuring or Changing the Audit Vault Server Services to configure DNS server.
Parent topic: Registering Hosts on Oracle Audit Vault Server
6.1.3 Changing Host Names
Learn about changing host name.
To change the name of a registered host:
Parent topic: Registering Hosts on Oracle Audit Vault Server
6.2 Deploying and Activating the Audit Vault Agent on Host Computers
Learn about how to deploy and activate the Audit Vault Agent on host computers.
- About Deploying the Audit Vault Agent
Learn about deploying Oracle Audit Vault Agent. - Audit Vault Agent Requirements
Learn about the Audit Vault Agent requirements. - Steps Required to Deploy and Activate the Audit Vault Agent
Learn about the procedures to deploy and activate Oracle Audit Vault Agent. - Registering the Host
Learn about the procedure for registering the host. - Deploying the Audit Vault Agent
Learn about deploying the Audit Vault Agent. - Activating and Starting the Audit Vault Agent
Learn how to activate and start Oracle Audit Vault Agent. - Registering and Unregistering the Audit Vault Agent as a Windows Service
Learn about registering and unregistering Oracle Audit Vault Agent as a Windows service.
Parent topic: Registering Hosts and Deploying the Agent
6.2.1 About Deploying the Audit Vault Agent
Learn about deploying Oracle Audit Vault Agent.
To collect audit trails from targets, you must deploy the Audit Vault Agent on a standalone host computer which is usually the same computer where the target resides. The Audit Vault Agent includes plug-ins for each target type, as well as host monitoring functionality.
For audit trail collection perform the following:
- Register the host
- Deploy the Audit Vault Agent
- Register the target
- Add audit trails for the targets
To decide on the specific host to deploy the Agent, follow these guidelines.
Trail Type | Guideline |
---|---|
|
To configure |
|
To configure |
|
To configure |
Table 6-1 OS Permission Required for Installing the Agent
Operating System | User |
---|---|
Linux/Unix |
Any user. |
Windows |
Any user for running the Agent from the command prompt. admin user for registering as a service. |
Note:
-
Host Monitor on Linux/Unix/AIX/Solaris platforms must be installed as root user.
-
If directory trails are used then Agent installation user should have read permission on the audit files.
-
Host Monitor on Windows platform, must be installed as admin user.
-
Ensure that the host machine has OpenSSL 1.0.1 (or later) installed for Audit Vault Agent
See Also:
-
Summary of Configuration Steps to understand the high-level workflow for configuring the Oracle Audit Vault and Database Firewall system.
-
Adding Audit Trails in Audit Vault Server to configure an audit trail.
6.2.2 Audit Vault Agent Requirements
Learn about the Audit Vault Agent requirements.
Recommended prerequisites for installing Audit Vault Agent:
- Ensure to meet the system requirements. See Product Compatibility Matrix.
-
Ensure to meet the following Java requirements:
- Install the supported Java version on the Audit Vault Agent. See Audit Vault Agent: Supported and Tested Java Runtime Environment.
- Apply the latest java patches.
- Point the
JAVA_HOME
to JRE/JDK directory and set the path before installing the Agent.
- The host machine on which the Audit Vault Agent is deployed must have at least 512 MB RAM.
- Apply the latest security patches of OpenSSL libraries available from the OS vendor for the specific OS version on the host machine.
- The host machine on which the Audit Vault Agent is deployed must have connectivity to the Audit Vault Server. In case of high availability set up, it must have connectivity to both the primary and standby Audit Vault Servers.
- The Audit Vault Server uses 2 ports (1521 and 1522 by default) for Agent communication. Ensure to configure the ports appropriately for this communication.
- If NAT (Network Address Translation) is used in the network between Audit Vault Server and the host machine where agent is deployed, then ensure the IP address of the host machine is resolvable from Audit Vault Server.
-
The user must have the required OS permissions to install the Agent. The user must be able to access the audit trail location in case of directory audit trails. See About Deploying the Audit Vault Agent for the OS permissions required for installing the Agent.
6.2.3 Steps Required to Deploy and Activate the Audit Vault Agent
Learn about the procedures to deploy and activate Oracle Audit Vault Agent.
Deploying and activating the Audit Vault Agent on a host machine consists of these steps:
6.2.4 Registering the Host
Learn about the procedure for registering the host.
To register the host on which you deployed the Audit Vault Agent, follow the procedure in "Registering Hosts on Oracle Audit Vault Server".
6.2.5 Deploying the Audit Vault Agent
Learn about deploying the Audit Vault Agent.
You must use an OS user account to deploy the Audit Vault Agent. In this step, you copy the agent.jar
file from the Audit Vault Server and deploy this file on the host machine.
Note:
Ensure that all security patches from the OS vendor is applied on the host machine.
See Also:
The Audit Vault Agent is supported on Unix and Microsoft Windows platforms. It requires Java version 1.8 to be installed on the host machine. See Product Compatibility Matrix for Agent platform support details for the current release and for the supported Java versions.
To copy and deploy the Audit Vault Agent to the host computer:
Caution:
After deploying the Audit Vault Agent, do not delete the Agent_Home
directory unless directed to do so by Oracle Support. If you are updating an existing Audit Vault Agent, then do not delete the existing Agent_Home
directory.
6.2.6 Activating and Starting the Audit Vault Agent
Learn how to activate and start Oracle Audit Vault Agent.
In this step, you activate the Audit Vault Agent with the Agent Activation Key and start the Agent.
Prerequisites
-
Follow and complete the procedure in Registering Hosts on Oracle Audit Vault Server.
-
Log in to the Audit Vault Server console as an administrator. See Using Audit Vault Server Console for more information.
To activate and start the agent:
See Also:
-
Registering and Unregistering the Audit Vault Agent as a Windows Service to start or stop the agent Windows service through the Windows Services applet in the Windows Control Panel, in case the Agent is deployed on a Microsoft Windows host computer.
-
ACTIVATE HOST for the command line syntax to activate the Agent.
6.2.7 Registering and Unregistering the Audit Vault Agent as a Windows Service
Learn about registering and unregistering Oracle Audit Vault Agent as a Windows service.
Note:
The Audit Vault Agent as a Windows Service is not supported in Oracle Audit Vault and Database Firewall release 12.2.0.7.0. Use the console mode to stop or start the Agent.
- About the Audit Vault Agent Windows Service
Learn about the Audit Vault Agent Windows service. - Registering the Audit Vault Agent as a Windows Service
You can register the Oracle Audit Vault agent as a Windows service. - Unregistering the Audit Vault Agent as a Windows Service
You can use two methods to unregister the Oracle Audit Vault Agent as a Windows service.
6.2.7.1 About the Audit Vault Agent Windows Service
Learn about the Audit Vault Agent Windows service.
When you deploy the Audit Vault Agent on a Microsoft Windows host computer, during agent deployment, a Microsoft Windows service named OracleAVAgent is automatically registered. Additionally, you can register and unregister the agent service using the agentctl
command.
When the Audit Vault Agent is registered as a Windows service, you can start or stop the service through the Windows Services applet in the Windows Control Panel.
6.2.7.2 Registering the Audit Vault Agent as a Windows Service
You can register the Oracle Audit Vault agent as a Windows service.
Note: Deploying the Audit Vault Agent on a Windows host automatically
registers a Windows service named agentctl
. Use this procedure to
register the Windows service again.
To register the Audit Vault Agent as a Windows Service:
On the host machine, run the following command from the
Agent_Home\bin
directory:
agentctl registersvc
This adds the Oracle Audit Vault Agent service in the Windows services registry.
Note:
Be sure to set the Audit Vault Agent service to use the credentials of the Windows OS user account that was used to deploy the agent using the java -jar
command. Do this in the service Properties dialogue.
Note that in the service Properties dialogue, local user name entries in the
This account field should be formatted as in the
following example: user name jdoe
should be entered as
.\jdoe
. Refer to Microsoft Windows documentation for
procedures to do so.
6.2.7.3 Unregistering the Audit Vault Agent as a Windows Service
You can use two methods to unregister the Oracle Audit Vault Agent as a Windows service.
To unregister the Oracle Audit Vault Agent as a Windows Service, use one of the following methods:
-
Method 1 (Recommended)
On the host machine, run the following command from the
Agent_Home
\bin
directory:agentctl unregistersvc
This removes the Oracle Audit Vault Agent service from the Windows services registry.
-
Method 2
If Method 1 fails, then execute the following from the Windows command prompt (Run as Administrator):
cmd>
sc delete OracleAVAgent
You can verify that the Audit Vault Agent has been deleted by executing the following query from the Windows command prompt (Run as Administrator):
cmd>
sc queryex OracleAVAgent
6.3 Stopping, Starting, and Other Agent Operations
Learn about starting and stopping the agent and other operations.
- Stopping and Starting Oracle Audit Vault Agent
Learn about stopping and starting Oracle Audit Vault Agent. - Changing the Logging Level for the Audit Vault Agent
Learn how to change the logging level for Oracle Audit Vault Agent. - Viewing the Status and Details of Audit Vault Agent
Learn about viewing the status and details of Audit Vault Agent. - Deactivating and Removing Audit Vault Agent
Learn about deactivating and removing Audit Vault Agent.
Parent topic: Registering Hosts and Deploying the Agent
6.3.1 Stopping and Starting Oracle Audit Vault Agent
Learn about stopping and starting Oracle Audit Vault Agent.
Topics
Important:
Stop and start the Audit Vault Agent as the same OS user account that you used during installation.
- Stopping and Starting the Agent on Unix Hosts
Learn about stopping and starting the Agent on Unix hosts. - Stopping and Starting the Agent on Windows Hosts
Learn about stopping and starting the agent on Microsoft Windows hosts. - Autostarting the Agent on Windows Hosts
Learn about autostarting the agent on Microsoft Windows hosts.
Parent topic: Stopping, Starting, and Other Agent Operations
6.3.1.1 Stopping and Starting the Agent on Unix Hosts
Learn about stopping and starting the Agent on Unix hosts.
To start the Audit Vault Agent after initial activation, run the following command
from the Agent_Home/bin
directory on the host machine:
agentctl start
To stop the Audit Vault Agent run the following command from the
Agent_Home/bin
directory on
the host machine:
agentctl stop
Note:
After theagentctl stop
command, execute agentctl
status
command to ensure the Agent is in STOPPED
state
before executing the agentctl start
command again.
Parent topic: Stopping and Starting Oracle Audit Vault Agent
6.3.1.2 Stopping and Starting the Agent on Windows Hosts
Learn about stopping and starting the agent on Microsoft Windows hosts.
The Audit Vault Agent is automatically registered as a Windows service when you deploy the Agent on a Windows host. We recommend that you run the Agent as Windows service so that it can keep running after the user logs out.
To stop or start the Agent Windows service
Use one of the methods below:
-
In the Windows GUI (Control Panel > Administrative Tools > Services), find the Oracle Audit Vault Agent service, and then right-click it to select Start or Stop.
-
Run one of these commands from the
Agent_Home\bin
directory on the host machine:agentctl stopsvc
agentctl startsvc
To check that the Windows service is stopped
Run this command:
cmd> sc queryex OracleAVAgent
You should see the agent Windows service in a STOPPED
state.
To stop or start the Agent in console mode
start /b agentctl stop
start /b
agentctl start
To forcibly stop the Agent in console mode
agentctl stop -force
Note:
This is not a recommended option to stop the Agent. Use it only in case the Agent goes into an unreachable state for a long time and cannot be restarted or stopped. In such a scenario, use this option to forcibly stop and later restart the agent.
To restart the agent use the agentctl start
command.
Parent topic: Stopping and Starting Oracle Audit Vault Agent
6.3.1.3 Autostarting the Agent on Windows Hosts
Learn about autostarting the agent on Microsoft Windows hosts.
You can configure the agent service to start automatically on a Windows host.
Parent topic: Stopping and Starting Oracle Audit Vault Agent
6.3.2 Changing the Logging Level for the Audit Vault Agent
Learn how to change the logging level for Oracle Audit Vault Agent.
The logging level that you set affects the amount of information that Oracle writes to the log files. You may need to take this into account due to disc space limitations.
Log files are located in the Agent_Home/av/log
directory.
The following logging levels are listed in the order of the amount of information written to log files, where debug provides the most information:
-
error - Writes only error messages
-
warning - (Default) Writes warning and error messages
-
info - Writes informational, warning, and error messages
-
debug - Writes detailed messages for debugging purposes
Using the Audit Vault Server Console to Change Logging Levels
To change the logging level for the Audit Vault Agent using the Audit Vault Server UI, see "Clearing Diagnostic Logs".
Using AVCLI to Change the Agent Logging Level
To change the logging level for the Audit Vault Agent using the AVCLI utility:
-
Ensure that you are logged into AVCLI on the Audit Vault Server.
-
Run the
ALTER HOST
command.The syntax is as follows:
ALTER HOST
host_nameSET LOGLEVEL=av.agent:
log_levelIn this specification:
-
host_name: The name of the host where the Audit Vault Agent is deployed.
-
log_level: Enter a value of
info
,warn
,debug
, orerror
.
-
Parent topic: Stopping, Starting, and Other Agent Operations
6.3.3 Viewing the Status and Details of Audit Vault Agent
Learn about viewing the status and details of Audit Vault Agent.
You can view an Audit Vault Agent's status and details such as activation key, platform, version, location, and other details.
Prerequisite
Log in to the Audit Vault Server console as an administrator. See Using Audit Vault Server Console for more information.
To view the status and details of an Audit Vault Agent:
Parent topic: Stopping, Starting, and Other Agent Operations
6.3.4 Deactivating and Removing Audit Vault Agent
Learn about deactivating and removing Audit Vault Agent.
Use this procedure to deactivate and remove Audit Vault Agent.
See Also:
If you have registered the Audit Vault Agent as a Windows service, see Registering and Unregistering the Audit Vault Agent as a Windows Service to unregister the service.
To deactivate and remove the Audit Vault Agent:
-
Stop all audit trails being collected by the Audit Vault Agent.
-
In the Audit Vault Server console, click the Home tab, then click Audit Trails.
-
In the left navigation menu, click Audit Trails to display a page of the available audit trails.
-
Select the check boxes for each audit trail that you want to stop, and then click Stop.
-
-
Stop the Audit Vault Agent by running the following command on the host computer:
agentctl stop
-
Deactivate the Audit Vault Agent on the host computer:
-
In the Audit Vault Server console, click the Agents tab, and then in the left navigation menu, select Agents.
-
Select the check box for each host name that you want to deactivate, and then click Deactivate.
-
Optionally, drop the host by selecting the check box for it, and then clicking Delete.
-
-
Delete the Audit Vault Agent home directory on the host computer.
Note:
The Audit Vault Agent deployed on a host is associated with the specific Audit Vault Server from where it was downloaded. This Audit Vault Agent collects audit data from the configured targets. It sends this data to the specific Audit Vault Server. To configure the audit trail collection from the existing targets to a different Audit Vault Server, you should deactivate, remove the existing Agent, download the Audit Vault Agent installation file from the new Audit Vault Server, and install it on the target host. This scenario is different from updating the existing Auditing Vault Agent.
Parent topic: Stopping, Starting, and Other Agent Operations
6.4 Updating Oracle Audit Vault Agent
Learn about updating Oracle Audit Vault Agent.
As of Oracle Audit Vault and Database Firewall 12.1.1 BP2, when you update the Audit Vault Server to a future release, the Audit Vault Agent is automatically updated.
If your current release is prior to 12.1.1 BP2, then refer to the README included with upgrade software or patch updates for instructions on how to update the Audit Vault Agent.
As of Oracle Audit Vault and Database Firewall 12.2.0, when you upgrade the Audit Vault Server to a later version, or restart the Audit Vault Agent, you no longer need to restart audit trails manually. The audit trails associated with this Audit Vault Agent automatically restart if you have not explicitly stopped them. If you upgrade the Audit Vault Server to 12.2.0 from a prior release, audit trails associated with the updated Agents will automatically restart if the trails have a single plug-in.
See Also:
Oracle Audit Vault and Database Firewall Installation Guide for information about downloading upgrade software.
Parent topic: Registering Hosts and Deploying the Agent
6.5 Deploying Plug-ins and Registering Plug-in Hosts
Learn about deploying plug-ins and registering plug-in hosts.
- About Plug-ins
Learn about plug-ins for Oracle Audit Vault Server. - Ensuring that Auditing is Enabled in A Target
Learn how to ensure that auditing is enabled in a target. - Registering the Plug-in Host in Audit Vault Server
Learn about registering a plug-in host in Oracle Audit Vault Server. - Deploying and Activating the Plug-in
Learn about deploying and activating a plug-in in Oracle Audit Vault Server. - Un-Deploying Plug-ins
Learn about un-deploying plug-ins.
Parent topic: Registering Hosts and Deploying the Agent
6.5.1 About Plug-ins
Learn about plug-ins for Oracle Audit Vault Server.
Each type of target has a corresponding software plug-in in the Audit Vault Server, which enables the Audit Vault Agent to collect audit data. You can deploy more plug-ins, in addition to those shipped with Oracle Audit Vault and Database Firewall, in order to collect audit data from more target types. New plug-ins are available from Oracle Technology Network or third parties.
A plug-in supports only one target type. However, you may deploy more than one plug-in for the same target type if, for example, you acquired each plug-in from a different developer, or each plug-in supports a specific type of audit trail for the same target type. You can select the specific plug-in to use when you configure audit trail collections.
To start collecting audit data from the target type associated with a plug-in, you must also add the target in the Audit Vault Server, then configure and manually start audit trail collection.
Deploying a plug-in consists of three steps:
Parent topic: Deploying Plug-ins and Registering Plug-in Hosts
6.5.2 Ensuring that Auditing is Enabled in A Target
Learn how to ensure that auditing is enabled in a target.
Ensure that auditing has been enabled in the target. See the target's product documentation for more information.
See Also:
Ensuring that Auditing is Enabled on the Target for information on plug-ins for Oracle Database.
Parent topic: Deploying Plug-ins and Registering Plug-in Hosts
6.5.3 Registering the Plug-in Host in Audit Vault Server
Learn about registering a plug-in host in Oracle Audit Vault Server.
To register a host in the Audit Vault Server, see "Registering Hosts in the Audit Vault Server".
Parent topic: Deploying Plug-ins and Registering Plug-in Hosts
6.5.4 Deploying and Activating the Plug-in
Learn about deploying and activating a plug-in in Oracle Audit Vault Server.
To deploy and activate a plug-in:
Parent topic: Deploying Plug-ins and Registering Plug-in Hosts
6.5.5 Un-Deploying Plug-ins
Learn about un-deploying plug-ins.
To un-deploy a plug-in:
Parent topic: Deploying Plug-ins and Registering Plug-in Hosts
6.6 Deleting Hosts from Audit Vault Server
Learn how to delete hosts from Audit Vault Server.
When you delete a host, if you want to register it again to collect audit data, then you must reinstall the Audit Vault Agent on this host.
To delete hosts:
Parent topic: Registering Hosts and Deploying the Agent