A Troubleshooting Oracle Audit Vault and Database Firewall for Auditors

Learn how to resolve issues that auditors using Oracle Audit Vault and Database Firewall may encounter.

A.1 Server Error 500 When Logging Into UI as avauditor

This error and workaround apply only to Oracle AVDF 20.1-20.4. Starting with Oracle AVDF 20.5, this fix is built into Oracle AVDF.

Issue

The main dashboard page of Oracle AVDF times out and returns server error 500 when you log in to the UI as avauditor.

Workaround

Log in to the auditor console without accessing the dashboard by using the following link:

https://<your_ip>/console/f?p=7700:170:840803006486::NO:170::&cs=3sUkbsmjyA0l4dG7esmazo5QHpcHUH-VMcnBdG0LMRQzscQZAV-KmBtzF8wnSPJo3uPv-2avAn3YPBBjzBmOVfA.

Ensure you change <your_ip> to the IP address of your Oracle AVDF instance.

A.2 Database Firewall Monitored Activity Report - Error Bad Gateway

Problem

In Oracle AVDF 20.4 and earlier, when you try to fetch the Database Firewall Monitored Activity report for more than 24 hours, you see the following error:

Error: Bad Gateway

To reproduce the error, log in to the Audit Vault Server console as a super auditor (AVAUDITOR). Select the Reports tab and navigate to Activity Reports, then Database Firewall Reports, then Database Firewall Monitored Activity. Try to fetch the Database Firewall Monitored Activity report for more than 24 hours.

Solution

Note:

This issue was fixed in Oracle AVDF 20.5.

In Oracle AVDF 20.4 and earlier, use the following workaround:

  1. Log in to the Audit Vault Server console as an auditor.
  2. Click the Reports tab.
  3. Click the All Activity report.
  4. Add a filter for Location = 'Network'.
  5. Save the report as "Database Firewall Activity."
  6. Click the Saved Report tab and open the report that you just saved.

A.3 Is the Audit Vault 20.X EVENT_LOG column RECORD_ID Generated Sequentially or Randomly

It is not guaranteed that the RECORD_ID column will come in sequence. It is guaranteed that RECORD_ID will be unique.

A.4 There is No Option to Filter All Activity Report Using Timestamp/Time

Issue

There is no option to filter the All Activity Report using timestamp/time so that data on a specific day and time can be extracted.

Workaround

Add a row filter in the interactive report. Follow these steps:
  1. Log in to the Audit Vault Server Console as an auditor.
  2. Click on the Reports tab.
  3. Click on the All Activity report.
  4. Select Filter from the Actions menu.
  5. Select the Row tab.
  6. Enter the following expression:
     to_timestamp(to_char(BZ,'MM/DD/YYYY HH:MI:SS PM'),'MM/DD/YYYY HH:MI:SS PM') >= to_timestamp('11/17/2021 12:35:55 PM','MM/DD/YYYY HH:MI:SS PM') AND to_timestamp(to_char(BZ,'MM/DD/YYYY HH:MI:SS PM') ,'MM/DD/YYYY HH:MI:SS PM') <= to_timestamp('11/17/2021 1:05:59 PM' ,'MM/DD/YYYY HH:MI:SS PM')

     Change the timestamps in the filter to fit your requirements.

  7. Click Apply.

A.5 Issue with Data Population in All Activity by Privileged Users Report in AVDF 20.4 Installation

Despite successful installation of AVDF 20.4, the All Activity by Privileged Users report does not display any data; this is because the Entitlement Job has not yet been executed. This is resolved after executing the job and re-fetching the report.

Symptoms

After a successful AVDF 20.4 installation on a Virtual Machine (VM), with the Agent and Host Monitor successfully installed on the Secured Target, along with Directory and Network trails added, the system is fully operational. All monitoring points are active, and the health indicators of the database firewall are green. The SYS user data and Application users data populate in all reports, except the All Activity by Privileged Users report.

Cause

The data is not populating in the All Activity by Privileged Users report because the Entitlement Job has not been executed for populating the data.

Solution

To resolve this issue, execute the User Entitlement job at least once; see Retrieving User Entitlement Data for Oracle Database Targets for more information. After the successful completion of the job, attempt to fetch the report again. The data should then populate in the All Activity by Privileged Users report.

A.6 How to Purge Alert Queue and Alert Store

Issue

If the alerts queue table is long, email notifications for the generated alerts are not sent.

Workaround

Perform the following as the avsys user.

  1. Purge the alert queue table:
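    DECLARE
      po dbms_aqadm.aq$_purge_options_t;
    BEGIN
      -- block := TRUE holds an exclusive lock on the queues in the queue
      -- table, so concurrent enqueuers and dequeuers wait during the purge.
      po.block := TRUE;
      DBMS_AQADM.PURGE_QUEUE_TABLE(
        queue_table     => 'avsys.av_alert_qt',
        purge_condition => NULL,  -- NULL condition purges all messages
        purge_options   => po);
    END;
    /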
    
  2. Truncate the tables ALERT_STORE, ALERT_TROUBLETICKET_JOB, ALERT_EMAIL_JOB, and ALERT_NOTE:
    ALTER TABLE ALERT_TROUBLETICKET_JOB DISABLE CONSTRAINT ALRT_TTKT_JOB_ALRT_STORE_FK;
    ALTER TABLE ALERT_EMAIL_JOB DISABLE CONSTRAINT ALRT_EMAIL_JOB_ALRT_STORE_FK;
    ALTER TABLE ALERT_NOTE DISABLE CONSTRAINT ALERT_NOTE_ALERT_STORE_FK;
    
    truncate table alert_store cascade;
    truncate table ALERT_TROUBLETICKET_JOB;
    truncate table ALERT_EMAIL_JOB;
    truncate table ALERT_NOTE; 
  3. Re-enable the constraints:
    ALTER TABLE ALERT_NOTE ENABLE CONSTRAINT ALERT_NOTE_ALERT_STORE_FK;
    ALTER TABLE ALERT_TROUBLETICKET_JOB ENABLE CONSTRAINT ALRT_TTKT_JOB_ALRT_STORE_FK;
    ALTER TABLE ALERT_EMAIL_JOB ENABLE CONSTRAINT ALRT_EMAIL_JOB_ALRT_STORE_FK;
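
The purge and truncate steps above permanently remove alert records, so it is worth recording what is about to be deleted and confirming afterwards that the foreign keys are active again. The following checks are an added example, not part of the original Oracle procedure; they assume the standard AQ$<queue_table> view that Oracle Advanced Queuing creates for a queue table exists for av_alert_qt, and that they are run as the avsys user.

```sql
-- Added example: checks to run as avsys around the purge procedure.
-- Assumption: the standard AQ$<queue_table> view exists for av_alert_qt.

-- Before step 1: queue depth by queue and message state.
SELECT queue, msg_state, COUNT(*) AS messages
FROM   avsys.aq$av_alert_qt
GROUP  BY queue, msg_state
ORDER  BY queue, msg_state;

-- Before step 2: row counts for each table that will be emptied,
-- so the number of removed alert records is on file.
SELECT 'ALERT_STORE' AS table_name, COUNT(*) AS row_count FROM alert_store
UNION ALL
SELECT 'ALERT_TROUBLETICKET_JOB', COUNT(*) FROM alert_troubleticket_job
UNION ALL
SELECT 'ALERT_EMAIL_JOB', COUNT(*) FROM alert_email_job
UNION ALL
SELECT 'ALERT_NOTE', COUNT(*) FROM alert_note;

-- After step 3: confirm the three foreign keys are enabled again.
-- Any row with STATUS = 'DISABLED' means the re-enable step did not complete.
SELECT table_name, constraint_name, status, validated
FROM   user_constraints
WHERE  constraint_name IN ('ALRT_TTKT_JOB_ALRT_STORE_FK',
                           'ALRT_EMAIL_JOB_ALRT_STORE_FK',
                           'ALERT_NOTE_ALERT_STORE_FK')
ORDER  BY table_name;
```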