A Troubleshooting Oracle Audit Vault and Database Firewall for Auditors
Learn how to resolve issues that auditors using Oracle Audit Vault and Database Firewall may encounter.
A.1 Server Error 500 When Logging Into UI as avauditor
This error and workaround apply only to Oracle AVDF 20.1-20.4. Starting with Oracle AVDF 20.5, this fix is built into Oracle AVDF.
Issue
The main dashboard page of Oracle AVDF is timing out and causing server error 500 when logging into UI as avauditor.
Workaround
Log in to auditor console without accessing the dashboard, by using the following link:
https://<your_ip>/console/f?p=7700:170:840803006486::NO:170::&cs=3sUkbsmjyA0l4dG7esmazo5QHpcHUH-VMcnBdG0LMRQzscQZAV-KmBtzF8wnSPJo3uPv-2avAn3YPBBjzBmOVfA.
Ensure you change <your_ip> to the IP address of your Oracle AVDF instance.
A.2 Database Firewall Monitored Activity Report - Error Bad Gateway
Problem
In Oracle AVDF 20.4 and earlier, when you try to fetch the Database Firewall Monitored Activity report for more than 24 hours, you see the following error:
Error: Bad Gateway
To reproduce the error, log in to the Audit Vault Server console as a super auditor (AVAUDITOR). Select the Reports tab and navigate to Activity Reports, then Database Firewall Reports, then Database Firewall Monitored Activity. Try to fetch the Database Firewall Monitored Activity report for more than 24 hours.
Solution
Note:
This issue was fixed in Oracle AVDF 20.5.
In Oracle AVDF 20.4 and earlier, use the following workaround:
- Log in to the Audit Vault Server console as an auditor.
- Click the Reports tab.
- Click the All Activity report.
- Add a filter for Location = 'Network'.
- Save the report as "Database Firewall Activity."
- Click the Saved Report tab and open the report that you just saved.
A.3 Is the Audit Vault 20.X EVENT_LOG column RECORD_ID Generated Sequentially or Randomly
It is not guaranteed that the RECORD_ID column will come in sequence. It is guaranteed that RECORD_ID will be unique.
A.4 There is No Option to Filter All Activity Report Using Timestamp/Time
Issue
There is no option to filter the All Activity Report using timestamp/time so that data on a specific day and time can be extracted.
Workaround
- Log in to the Audit Vault Server Console as an auditor.
- Click on the Reports tab.
- Click on the All Activity report.
- Select Filter from the Actions menu.
- Select the Row tab.
- Enter the following expression:

    to_timestamp(to_char(BZ,'MM/DD/YYYY HH:MI:SS PM'),'MM/DD/YYYY HH:MI:SS PM') >= to_timestamp('11/17/2021 12:35:55 PM','MM/DD/YYYY HH:MI:SS PM')
    AND to_timestamp(to_char(BZ,'MM/DD/YYYY HH:MI:SS PM'),'MM/DD/YYYY HH:MI:SS PM') <= to_timestamp('11/17/2021 1:05:59 PM','MM/DD/YYYY HH:MI:SS PM')

  Change the timestamp in the filter to fit your requirements.
- Click Apply.
A.5 Issue with Data Population in All Activity by Privileged Users Report in AVDF 20.4 Installation
Despite successful installation of AVDF 20.4, the All Activity by Privileged Users report does not display any data; this is because the Entitlement Job has not yet been executed. This is resolved after executing the job and re-fetching the report.
Symptoms
After a successful AVDF 20.4 installation on a Virtual Machine (VM), with the Agent and Host Monitor successfully installed on the Secured Target, along with Directory and Network trails added, the system is fully operational. All monitoring points are active, and the health indicators of the database firewall are green. The SYS user data and Application users data populate in all reports, except the All Activity by Privileged Users report.
Cause
The data is not populating in the All Activity by Privileged Users report because the Entitlement Job has not been executed for populating the data.
Solution
To resolve this issue, execute the User Entitlement job at least once; see Retrieving User Entitlement Data for Oracle Database Targets for more information. After the successful completion of the job, attempt to fetch the report again. The data should then populate in the All Activity by Privileged Users report.
A.6 How to Purge Alert Queue and Alert Store
Issue
If the alert queue table is long, email notifications for the generated alerts are not sent.
Workaround
Perform the following as the avsys user.
- Purge the alert queue table:

    declare
      po dbms_aqadm.aq$_purge_options_t;
    begin
      po.block := TRUE;
      DBMS_AQADM.PURGE_QUEUE_TABLE(
        queue_table     => 'avsys.av_alert_qt',
        purge_condition => NULL,
        purge_options   => po);
    END;
    /

- Truncate the tables alert_store, ALERT_TROUBLETICKET_JOB, ALERT_EMAIL_JOB, ALERT_NOTE:

    ALTER TABLE ALERT_TROUBLETICKET_JOB DISABLE CONSTRAINT ALRT_TTKT_JOB_ALRT_STORE_FK;
    ALTER TABLE ALERT_EMAIL_JOB DISABLE CONSTRAINT ALRT_EMAIL_JOB_ALRT_STORE_FK;
    ALTER TABLE ALERT_NOTE DISABLE CONSTRAINT ALERT_NOTE_ALERT_STORE_FK;
    truncate table alert_store cascade;
    truncate table ALERT_TROUBLETICKET_JOB;
    truncate table ALERT_EMAIL_JOB;
    truncate table ALERT_NOTE;

- Re-enable the constraints:

    ALTER TABLE ALERT_NOTE ENABLE CONSTRAINT ALERT_NOTE_ALERT_STORE_FK;
    ALTER TABLE ALERT_TROUBLETICKET_JOB ENABLE CONSTRAINT ALRT_TTKT_JOB_ALRT_STORE_FK;
    ALTER TABLE ALERT_EMAIL_JOB ENABLE CONSTRAINT ALRT_EMAIL_JOB_ALRT_STORE_FK;
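
A verification to run around the purge procedure above, added here as an example and not part of the Oracle documentation: it records how many alert rows exist before and after the purge, and fails loudly if any of the three foreign keys was left disabled (for example, because the script stopped between the truncate and re-enable steps). It assumes the session is connected as avsys, so the unqualified table names and USER_CONSTRAINTS resolve to that schema.

```sql
-- Added example, not from the Oracle documentation.
-- Assumption: connected as avsys, so the unqualified alert tables and
-- USER_CONSTRAINTS resolve to the AVSYS schema.

-- Run BEFORE the purge to record what is about to be removed,
-- and again AFTER it to confirm every count is 0.
SELECT 'AV_ALERT_QT' AS object_name, COUNT(*) AS row_count FROM avsys.av_alert_qt
UNION ALL
SELECT 'ALERT_STORE', COUNT(*) FROM alert_store
UNION ALL
SELECT 'ALERT_TROUBLETICKET_JOB', COUNT(*) FROM alert_troubleticket_job
UNION ALL
SELECT 'ALERT_EMAIL_JOB', COUNT(*) FROM alert_email_job
UNION ALL
SELECT 'ALERT_NOTE', COUNT(*) FROM alert_note;

-- Run AFTER the re-enable step: show the state of the three foreign keys
-- that the workaround disabled.
SELECT table_name, constraint_name, status, validated
  FROM user_constraints
 WHERE constraint_name IN ('ALRT_TTKT_JOB_ALRT_STORE_FK',
                           'ALRT_EMAIL_JOB_ALRT_STORE_FK',
                           'ALERT_NOTE_ALERT_STORE_FK')
 ORDER BY table_name;

-- Fail with an error unless all three constraints are enabled and validated,
-- so a half-finished run cannot go unnoticed.
DECLARE
  n PLS_INTEGER;
BEGIN
  SELECT COUNT(*)
    INTO n
    FROM user_constraints
   WHERE constraint_name IN ('ALRT_TTKT_JOB_ALRT_STORE_FK',
                             'ALRT_EMAIL_JOB_ALRT_STORE_FK',
                             'ALERT_NOTE_ALERT_STORE_FK')
     AND status = 'ENABLED'
     AND validated = 'VALIDATED';

  IF n <> 3 THEN
    RAISE_APPLICATION_ERROR(-20001,
      'Expected 3 enabled, validated alert foreign keys; found ' || n);
  END IF;
END;
/
```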