Although this environment is based on a single-instance Oracle database, you can easily use this document to configure the Oracle Audit Vault Collection Agent for a RAC database. The following configuration is used in this document.
Product : Oracle Audit Vault Server 10.2.3.0
Product : Oracle Audit Vault Agent 10.2.3.0
This host contains Oracle Audit Vault Server.
Single Instance Oracle database
database name: a
version : 10.2.0.4
ip address: 172.15.10:33
A) Audit Vault Server Installation
I installed Oracle Audit Vault Server on Red Hat Enterprise Linux, 64-bit edition. Download the Audit Vault Server from Audit Vault Software Download and run runInstaller, then follow the installation wizard to complete the installation.
B) Register the Source Database with Audit Vault Server
Step 01: Create a user on the RAC database which is the source database server
Once you have installed Oracle Audit Vault Server, go to the database from which you want to collect audit information. In our case the source database is a. Connect to the source database and create a user named src.
SQL> create user src identified by s;
User created.
The source user, src, must have a set of required privileges and roles granted to it. The required privileges and roles are listed in the script $ORACLE_HOME/av/scripts/streams/source/zarsspriv.sql. This script is located in both the Audit Vault Server and the Audit Vault Collection Agent Oracle home. Run this script on the source database as the SYS user to grant the user src the required privileges, using the following syntax:
zarsspriv.sql srcusr mode
where mode can be SETUP or REDO_COLL.
■ SETUP – For OSAUD and DBAUD collectors, and for policy management
■ REDO_COLL – For the REDO log collector; includes all privileges that are granted using the argument mode SETUP.
In our environment we ran the following:
SQL> conn / as sysdba
Connected.
SQL> @D:\oracle\product\10.2.3\av_agent_1\av\scripts\streams\source\zarsspriv.sql
Enter value for 1: src
Enter value for 2: SETUP
Granting privileges to SRC ... Done.
We chose SETUP because we want to use the database audit (DBAUD) collector.
Step 02: Verify That the Source Database is Compatible with the Collectors
1) For the source database, run the following command and note the host, port, and service settings:
C:>lsnrctl status
LSNRCTL for 32-bit Windows: Version 10.2.0.3.0 - Production on 13-SEP-2011 20:38:37
Copyright (c) 1991, 2006, Oracle. All rights reserved.
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1)))
STATUS of the LISTENER
------------------------
Alias LISTENER
Version TNSLSNR for 32-bit Windows: Version 10.2.0.3.0 - Production
Start Date 13-SEP-2011 20:37:05
Uptime 0 days 0 hr. 1 min. 31 sec
Trace Level off
Security ON: Local OS Authentication
SNMP OFF
Listener Parameter File D:\oracle\network\admin\listener.ora
Listener Log File D:\oracle\network\log\listener.log
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(PIPENAME=\\.\pipe\EXTPROC1ipc)))
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=notebook)(PORT=1523)))
Services Summary...
Service "PLSExtProc" has 1 instance(s).
Instance "PLSExtProc", status UNKNOWN, has 1 handler(s) for this service...
Service "a" has 1 instance(s).
Instance "a", status UNKNOWN, has 1 handler(s) for this service...
The command completed successfully
2) Log in to the source database and verify the type of auditing that has been configured. With database auditing, the result will look similar to the following.
SQL> SHOW PARAMETER AUDIT_TRAIL
NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
audit_trail                          string      DB
3) Set the $ORACLE_HOME environment variable to the Audit Vault Server or collection agent home. Then run the avorcldb verify command, using the values that the LSNRCTL utility returned.
In our case it was the following:
[oracle@rac1 ~]$ avorcldb verify -src 220.127.116.11:1523:a -colltype ALL
Enter Source user name: src
Enter Source password:
source A.REGRESS.RDBMS.DEV.US.ORACLE.COM verified for OS File Audit Collector collector
source A.REGRESS.RDBMS.DEV.US.ORACLE.COM verified for Aud$/FGA_LOG$ Audit Collector collector
source A.REGRESS.RDBMS.DEV.US.ORACLE.COM verified for REDO Log Audit Collector collector
Here we ran it on our Audit Vault Server, and instead of the hostname of the database server we used the IP address of the source database. We also used listener port 1523.
If the output shows that the source is only partially verified, or that initialization parameters are missing or incorrect, adjust the parameters in the pfile or spfile and then run the above command again.
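The host, port and service that Step 02 asks you to note can be extracted from saved lsnrctl status output and assembled into the -src value. This is an added example, not part of the original procedure or of Oracle's tooling; the function names src_args and sample_lsnrctl are hypothetical, and the sample is a constructed excerpt of the listener output shown above.

```shell
#!/bin/sh
# Added example: build the avorcldb "-src host:port:service" value from
# saved `lsnrctl status` output. Function names are hypothetical.

# Constructed sample, trimmed from the listener output shown above.
sample_lsnrctl() {
cat <<'EOF'
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(PIPENAME=\\.\pipe\EXTPROC1ipc)))
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=notebook)(PORT=1523)))
Services Summary...
Service "PLSExtProc" has 1 instance(s).
Instance "PLSExtProc", status UNKNOWN, has 1 handler(s) for this service...
Service "a" has 1 instance(s).
Instance "a", status UNKNOWN, has 1 handler(s) for this service...
The command completed successfully
EOF
}

# Reads lsnrctl status text on stdin and prints one host:port:service line
# per database service, using the first TCP endpoint. Exits non-zero when
# no TCP endpoint or no database service is present.
src_args() {
  awk '
    # Only TCP endpoints count; IPC and named-pipe endpoints are local-only.
    tolower($0) ~ /\(protocol=tcp\)/ && host == "" {
      h = ""; p = ""
      if (match($0, /HOST=[^)]*/)) h = substr($0, RSTART + 5, RLENGTH - 5)
      if (match($0, /PORT=[0-9]+/)) p = substr($0, RSTART + 5, RLENGTH - 5)
      if (h != "" && p != "") { host = h; port = p }
    }
    # Service "name" has N instance(s). Skip the external-procedure entry.
    /^[ \t]*Service "/ {
      split($0, q, "\"")
      if (q[2] != "PLSExtProc") svc[++n] = q[2]
    }
    END {
      if (host == "" || n == 0) exit 1
      for (i = 1; i <= n; i++) print host ":" port ":" svc[i]
    }'
}
```

The HOST value is whatever the listener registered (here a machine name); as in the run above, substitute the IP address if the Audit Vault Server cannot resolve that name.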
Step 03: Add the source database to Audit Vault.
From the Audit Vault Server home shell, execute the 'avorcldb add_source' command to add the source database to the Audit Vault Server.
[oracle@rac1 ~]$ avorcldb add_source -src 18.104.22.168:1523:a -srcname a -desc 'Local Arju Database'
Enter Source user name: src
Enter Source password:
Adding source...
Source added successfully.
source successfully added to Audit Vault
remember the following information for use in avctl
Source name (******rcname): a
Storing user credentials in wallet...
Create credential oracle.security.client.connect_string3
done.
Where,
-src: Enter the source database connection information: host name, port number, and service name, separated by a colon. If you are unsure of this information, run the lsnrctl status command on the computer where you installed the source database, or check the tnsnames.ora file.
-srcname: Enter a name for the source database. If you omit this option, then Oracle Audit Vault names the source database after the global database name, which in this example is ORCL. Remember that the source database name is case sensitive.
-desc: Optionally, enter a brief description for the source database.
Source user name and password: Enter the user account information.
After successful execution of 'avorcldb add_source', you can notice an entry being created in tnsnames.ora file for the source database. It is located in $ORACLE_HOME/network/admin directory on the Audit Vault Server Oracle Home.
Note that the default tnsnames entry does not include all the RAC nodes. Modify this entry so that it includes the listening addresses of all the RAC nodes. Enable both load balancing and failover for highly available connectivity between the Audit Vault Server and the source RAC database.
For RAC it will look like this:
SRCDB1 =
  (DESCRIPTION=
    (LOAD_BALANCE=on)
    (FAILOVER=on)
    (ADDRESS=(PROTOCOL=tcp)(HOST=22.214.171.124)(PORT=1523))
    (ADDRESS=(PROTOCOL=tcp)(HOST=126.96.36.199)(PORT=1523))
    (CONNECT_DATA=
      (SERVICE_NAME=a)
    )
  )
C) Audit Vault Agent Configuration
Download the Oracle Audit Vault Collection Agent software from http://www.oracle.com/technetwork/database/audit-vault/downloads/index.html and then install it on the source database machine.
Step 01: Create Agent User:
From the Audit Vault Server home shell, create the agent user with the 'avca add_agent' command.
[oracle@rac1 ~]$ avca add_agent -agentname avagent4 -agenthost 188.8.131.52
AVCA started
Adding agent...
Enter agent user name: avagent
Enter agent user password:
Re-enter agent user password:
Agent added successfully.
Step 02: Setup Agent for Source Database Connectivity.
From Agent Oracle Home, execute 'avorcldb setup' which will configure the necessary information for the Agent connectivity to the source database.
In our case, the agent collection software is installed on a Windows machine, so we ran it as follows:
D:\oracle\product\10.2.3\av_agent_1\bin>avorcldb.bat setup -srcname a
Enter Source user name: src
Enter Source password:
adding credentials for user src for connection [SRCDB1]
Storing user credentials in wallet...
Create credential oracle.security.client.connect_string3
done.
updated tnsnames.ora with alias [SRCDB1] to source database
verifying SRCDB1 connection using wallet
Remember that you must set $ORACLE_HOME to the agent home.
On successful completion of 'avorcldb setup' in the Agent Oracle Home, the $ORACLE_HOME/network/admin/tnsnames.ora file would contain the tnsnames entry for the source database.
Step 03: Start the Audit Vault Agent
Agent process can be started from Audit Vault Server home shell with 'avctl start_agent'. However, for this command to be successful the oc4j should already be running on the agent oracle home. oc4j on the agent oracle home can be started with 'avctl start_oc4j' from the Agent home Shell.
From Agent shell, start oc4j:
[oracle@rac1] $ avctl start_oc4j
AVCTL started
Starting OC4J...
OC4J started successfully.
From Audit Vault Server shell, start the agent:
[oracle@rac1] $ avctl start_agent -agentname avagent4
AVCTL started
Starting agent...
Agent started successfully.
D) Collector Configurations
Step 01: Make sure that the agent is already in running state before you add collectors for the source database server.
In our case, for the DBAUD collector:
[oracle@rac1 ~]$ avorcldb verify -srcname a -agentname avagent4 -colltype DBAUD
Enter Source user name: src
Enter Source password:
source ********** verified for Aud$/FGA_LOG$ Audit Collector collector
[oracle@rac1 ~]$ avorcldb add_collector -srcname a -agentname avagent4 -colltype DBAUD
source ********** verified for Aud$/FGA_LOG$ Audit Collector collector
Adding collector...
Collector added successfully.
collector successfully added to Audit Vault
remember the following information for use in avctl
Collector name (collname): DBAUD_Collector
Step 02: Start Collector
[oracle@rac1 ~]$ avctl start_collector -collname DBAUD_Collector -srcname a
AVCTL started
Starting collector...
Collector started successfully.
Step 03: Check the status of Collector.
[oracle@rac1 ~]$ avctl show_collector_status -collname DBAUD_Collector -srcname a
AVCTL started
Getting collector metrics...
--------------------------------
Collector is running
Records per second = 0.00
Bytes per second = 0.00
--------------------------------