Oracle Audit Vault

This note applies to audit vault

Oracle Audit Vault Overview

Oracle Audit Vault automates the collection and consolidation of audit data into a secure repository, enabling
efficient monitoring and reporting. It provides a secure repository for audit data, built-in reporting, event
alerting, and separation of duty.
Oracle Audit Vault collects database audit data from the following Oracle audit sources:

audit trail tables
database audit files on the operating system
syslog and EventLog
archived redo log files, to capture before/after value changes of transactions

Oracle Audit Vault can also collect audit data produced by the following database products (other than Oracle
Database):

Microsoft SQL Server
Sybase ASE

Oracle Audit Vault Architecture

The architecture of Audit Vault consists of two major components that work together to collect, store, and secure the
audit data:

Audit Vault Server: a stand-alone stacked application that contains a data warehouse built on a customized
installation of Oracle Database. Oracle Database Vault protects the Audit Vault data warehouse. The Audit
Vault Server also contains the OC4J components that support the Audit Vault Console.

Audit Vault Collection Agent: the agent is responsible for managing the collectors, which are specific to an
audit source and act as the middleman between the source database and the Audit Vault Server by pulling
the audit trail data from the source and sending it to the Audit Vault Server over SQL*Net.


Audit Vault Server Components

The Audit Vault Server is made up of the following components:

Oracle container for Web applications (OC4J), consisting of:
Audit Vault Administrator's Console: user interface to manage Audit Vault (collection agents, collectors, and so forth)
Audit Vault Auditor's Console: user interface to manage Audit Vault (Audit Policy Manager, reports, alerts, and so forth)
Oracle Enterprise Manager Database Control console: user interface to manage the raw audit data store or audit
repository database
Management Framework: sends management commands to the Audit Vault Collection Agent to start or stop collection
agents and collectors, collects metrics, and receives management commands from the AVCTL, AVCA, AVORCLDB, and
AVMSSQLDB command-line interfaces using the HTTP protocol or HTTPS with mutual certificate-based authentication
Audit Policy System: a service to retrieve and provision audit settings on the Oracle Database source, and a system
to create and manage alerts raised by audit events from all sources as they are stored in the audit event repository

Infrastructure to communicate with the audit repository, consisting of:
Oracle Wallet: contains credentials to authenticate Audit Vault users
Configuration Files: files used by Audit Vault for networking, preferences, and so forth

Utilities used to configure and manage Oracle Audit Vault, such as the AVCA, AVCTL, AVORCLDB, and AVMSSQLDB
command-line utilities. They let you define and configure information about what sources are known to Oracle Audit
Vault. Oracle Audit Vault stores information (metadata) about the sources of audit data and policy information
(Oracle Database audit settings and alerts defined for all incoming audit records).

Audit repository: an Oracle database to consolidate and manage audit trail records, consisting of:
Raw audit data store: a partitioned table where audit records are inserted as rows
Warehouse schema: open schema of normalized audit trail records. This is a published data warehouse that can be
used with reporting tools such as Oracle Business Intelligence Publisher to create customized reports
Job scheduler: database jobs used to populate and manage the warehouse
Alerts queue: maintains alerts
Apply process: used by the REDO collector to insert before and after values of data

Audit Vault Collection Agents

The Audit Vault Collection Agent is made up of the following components:

Oracle container for Web applications (OC4J), consisting of:
Audit Vault Collector Manager: receives management commands from the Audit Vault Server to start and stop
collectors, collect and return metrics, and so forth
Audit Settings Manager: receives commands from Oracle Audit Vault to extract audit settings from an Oracle
Database source

Infrastructure to communicate with the audit repository, consisting of:
Oracle Wallet: contains credentials to authenticate Audit Vault users
Configuration Files: files used by Audit Vault for networking, preferences, and so forth

Utilities used to configure and manage Audit Vault, such as the AVCA, AVCTL, AVORCLDB, and AVMSSQLDB
command-line utilities

Collectors. A collector is specific to an audit source and acts as the middleman between the source and the
Audit Vault Server by pulling the audit trail data from the source and sending it to the Audit Vault Server over
SQL*Net. The collector types, their audit sources, and the audit trails they read are:

OSAUD collector (audit source: Oracle Database)
    On Linux and UNIX platforms: the operating system audit log files (.aud) and XML (.xml) files
    On Linux and UNIX-based platforms: the operating system logs or syslog
    On Windows platforms: the Windows event log and the operating system audit log XML (.xml) files

DBAUD collector (audit source: Oracle Database)
    Oracle Database audit trail, where standard audit events are written to the SYS.AUD$ dictionary table
    Oracle Database fine-grained audit trail, where audit events are written to the SYS.FGA_LOG$ dictionary table
    Oracle Database Vault audit trail, where audit events are written to the DVSYS.AUDIT_TRAIL$ dictionary table

REDO collector (audit source: Oracle Database)
    Logical change records (LCRs) from the REDO logs

MSSQLDB collector (audit source: Microsoft SQL Server)
    C2 audit logs, server-side trace logs, and the Windows event log

Oracle Audit Vault Installation

Oracle Audit Vault Server Preinstallation Requirements

Create the Oracle Groups and User Account

groupadd oinstall
groupadd dba
mkdir -p /export/home/oracle
mkdir /u01
useradd -d /export/home/oracle -g oinstall -G dba -s /bin/ksh oracle
chown oracle:dba /export/home/oracle /u01
passwd oracle

Create the filesystem directory structure for the Oracle Homes

# mkdir -p /u01/app/oracle/product/10.2.3/av_1

# chown -R oracle.oinstall /u01/app/oracle

Increase the shell limits for the Oracle user

Use a text editor and add the lines listed below to /etc/security/limits.conf, /etc/pam.d/login, and /etc/profile
respectively.

/etc/security/limits.conf (domain and type columns, oracle soft/hard, follow the standard limits.conf layout;
the values are the ones the note requires):
oracle soft nproc 2047
oracle hard nproc 16384
oracle soft nofile 1024
oracle hard nofile 65536

/etc/pam.d/login:
session required /lib/security/
session required

/etc/profile:
if [ $USER = "oracle" ]; then
    if [ $SHELL = "/bin/ksh" ]; then
        ulimit -p 16384
        ulimit -n 65536
    else
        ulimit -u 16384 -n 65536
    fi
fi

Configure the kernel parameters

Use a text editor and add the lines listed below to /etc/sysctl.conf.

fs.file-max = 65536
kernel.shmall = 2097152
kernel.shmmax = 2147483648
kernel.shmmni = 4096
kernel.sem = 250 32000 100 128
net.core.rmem_default = 1048576
net.core.rmem_max = 1048576
net.core.wmem_default = 262144
net.core.wmem_max = 262144
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.ip_local_port_range = 1024 65000

To make the changes effective immediately, execute

/sbin/sysctl -p

Configure the /etc/hosts file:

The /etc/hosts file must contain a fully qualified name for the server, in the form
<IP-address> <fully-qualified-machine-name> <machine-name>
[oracle@oravaultserver log]$ cat /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
localhost oravaultserver oravaultagent

Create the oracle user environment file

umask 022
ORACLE_HOME=/u01/app/oracle/product/10.2.3/av_1
export ORACLE_HOME

Install Required Linux Packages

Check the required package list for your OS version (in this note I'm using Oracle Enterprise Linux 5).

To check whether a package is installed, execute

rpm -qa | grep <package-name>

To install or upgrade packages, execute

rpm -Uvh <package-file>.rpm
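Before running the installer it is worth confirming that the kernel parameters and oracle user limits from the preinstallation steps really landed in the files, since the installer's prerequisite check is easier to pass than to debug. The script below is an added example, not part of this note or of Oracle's tooling. It parses a sysctl.conf-style file and a limits.conf-style file, compares them with the values listed above (single-valued keys as minimums, kernel.sem and the port range as exact strings, the oracle hard limits as minimums), and prints each shortfall. The sample files written by demo() are constructed here for illustration.

```shell
#!/bin/sh
# Preflight check for the kernel parameters and shell limits configured above.
# Added example, not part of the note or of Oracle's tooling: point it at
# /etc/sysctl.conf and /etc/security/limits.conf (or staged copies); it reports
# every shortfall and returns non-zero.

# Single-valued keys from the note, checked as value >= minimum.
REQUIRED_SYSCTL='fs.file-max 65536
kernel.shmall 2097152
kernel.shmmax 2147483648
kernel.shmmni 4096
net.core.rmem_default 1048576
net.core.rmem_max 1048576
net.core.wmem_default 262144
net.core.wmem_max 262144'
# Multi-valued keys from the note, checked as exact strings ("key|value").
REQUIRED_SYSCTL_EXACT='kernel.sem|250 32000 100 128
net.ipv4.ip_local_port_range|1024 65000'
# Hard limits for the oracle user from the note ("item minimum").
REQUIRED_HARD_LIMITS='nproc 16384
nofile 65536'

# sysctl_value FILE KEY: value of the last "KEY = value" line, comments stripped
# and whitespace squeezed; prints nothing if KEY is absent.
sysctl_value() {
    awk -v key="$2" '
        { sub(/#.*/, "") }
        /=/ {
            k = $0; sub(/[[:space:]]*=.*/, "", k); gsub(/[[:space:]]/, "", k)
            if (k != key) next
            v = $0; sub(/^[^=]*=[[:space:]]*/, "", v)
            gsub(/[[:space:]]+/, " ", v); sub(/ $/, "", v); last = v
        }
        END { print last }' "$1"
}

# limit_value FILE TYPE ITEM: the oracle user TYPE (soft|hard) limit for ITEM.
limit_value() {
    awk -v t="$2" -v i="$3" '{ sub(/#.*/, "") }
        $1 == "oracle" && $2 == t && $3 == i { last = $4 }
        END { print last }' "$1"
}

# is_number STRING: true for a non-empty run of digits.
is_number() { case $1 in '' | *[!0-9]*) return 1 ;; *) return 0 ;; esac; }

# check_sysctl_file FILE: 0 if every required key is present and sufficient, else 1.
check_sysctl_file() {
    _rc=0
    while read -r _key _min; do
        _val=$(sysctl_value "$1" "$_key")
        if ! is_number "$_val"; then
            echo "MISSING $_key (need >= $_min)"; _rc=1
        elif [ "$_val" -lt "$_min" ]; then
            echo "LOW $_key=$_val (need >= $_min)"; _rc=1
        fi
    done <<EOF
$REQUIRED_SYSCTL
EOF
    while IFS='|' read -r _key _want; do
        _val=$(sysctl_value "$1" "$_key")
        [ "$_val" = "$_want" ] || { echo "MISMATCH $_key='$_val' (want '$_want')"; _rc=1; }
    done <<EOF
$REQUIRED_SYSCTL_EXACT
EOF
    return $_rc
}

# check_limits_file FILE: 0 if the oracle hard limits meet the note's values, else 1.
check_limits_file() {
    _rc=0
    while read -r _item _min; do
        _val=$(limit_value "$1" hard "$_item")
        if ! is_number "$_val" || [ "$_val" -lt "$_min" ]; then
            echo "LIMIT oracle hard $_item='$_val' (need >= $_min)"; _rc=1
        fi
    done <<EOF
$REQUIRED_HARD_LIMITS
EOF
    return $_rc
}

# demo: both checks over constructed sample files that hold the note's values.
demo() {
    _d=$(mktemp -d)
    printf '%s\n' 'fs.file-max = 65536' 'kernel.shmall = 2097152' \
        'kernel.shmmax = 2147483648' 'kernel.shmmni = 4096' \
        'kernel.sem = 250 32000 100 128' 'net.core.rmem_default = 1048576' \
        'net.core.rmem_max = 1048576' 'net.core.wmem_default = 262144' \
        'net.core.wmem_max = 262144' 'net.ipv4.ip_forward = 0' \
        'net.ipv4.conf.default.rp_filter = 1' \
        'net.ipv4.ip_local_port_range = 1024 65000' > "$_d/sysctl.conf"
    printf '%s\n' 'oracle soft nproc 2047' 'oracle hard nproc 16384' \
        'oracle soft nofile 1024' 'oracle hard nofile 65536' > "$_d/limits.conf"
    check_sysctl_file "$_d/sysctl.conf" && check_limits_file "$_d/limits.conf"
    _rc=$?
    rm -rf "$_d"
    return $_rc
}
```

On a real host run `check_sysctl_file /etc/sysctl.conf && check_limits_file /etc/security/limits.conf` as root after editing the files; a clean exit means the values are at least what the note asks for, while the running kernel still needs `/sbin/sysctl -p` to pick them up.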



Installing the Oracle Audit Vault Server

This section describes the advanced installation for a single-instance installation.
Run Oracle Universal Installer (OUI) to install Oracle Audit Vault:
cd <directory containing the Oracle Audit Vault installation files>

On the Select Installation Type screen, select the Advanced Installation option, then click Next.

Enter the following information on the Advanced Installation Details screen:

1. Audit Vault Name: a unique name for the Audit Vault database
2. Audit Vault Home: the path to the Audit Vault home where you want to install Oracle Audit Vault
3. Audit Vault Administrator and Audit Vault Auditor accounts


Enter the following information on the Database Vault User Credentials screen: the Database Vault Owner and
Database Vault Account Manager accounts.

Review the installation prerequisite checks on the Prerequisite Check screen, then click Next.

On the Specify Database Storage Options screen, select one of the following storage options: File System,
Automatic Storage Management (ASM), or Raw Devices. If you select File System, specify or browse to the database
file location for the data files. If you select Raw Devices, specify or browse to the raw devices mapping file. If you
select Automatic Storage Management (ASM), you must have already installed ASM. Make a selection and click Next.

Then, on the Specify Backup and Recovery Options screen, choose either to not enable automated backups or to
enable automated backups.

On the Specify Database Schema Passwords screen, you can either enter different passwords for each privileged
database account or select Use the same passwords for all accounts.

Review the installation summary information on the Advanced Installation Summary screen. After reviewing it,
click Install to begin the installation. The installation copies files, links binaries, applies patches, and runs the
configuration assistants, including DBCA to create and start the Audit Vault Server, DVCA to secure the server, and
AVCA to configure and start the Audit Vault Console.


Run scripts as the root user when prompted by Oracle Universal Installer

After the installation completes, take note of the Oracle Enterprise Manager Database Control URL and the Audit
Vault Console URL. On the Exit page, click Exit. Then, on the Confirmation message box, click Yes to exit Oracle
Universal Installer.


Audit Vault Agent Installation

Audit Vault Agent Preinstallation: you must first add (register) the Oracle Audit Vault Agent at the Oracle Audit
Vault Server:
avca add_agent -agentname <avagent name> [-agentdesc <agent description>]
-agenthost <name of host where agent will be installed>

Installing the Oracle Audit Vault Agent

Run Oracle Universal Installer (OUI) to install Oracle Audit Vault Agent.
cd <directory containing the Oracle Audit Vault Agent installation files>

Specify the following information on the Agent Details page, then click Next:
1) Audit Vault Agent Name: the name of the agent (created in preinstallation)
2) Audit Vault Agent Home: the path to the Audit Vault Agent home where you want to install the Oracle
Audit Vault Agent
3) Agent User Name: the account name of the Audit Vault Agent user (created in preinstallation)
4) Agent User Password: the password for the Audit Vault Agent user
5) Audit Vault Server Connect String: takes the form hostname:port:service_name, in that order, using a
colon (:) delimiter between each item

Review the installation prerequisite checks on the Prerequisite Check screen, then click Next


On the installation Summary page, review the installation summary information. After reviewing this installation
information, click Install to begin the installation procedure.


Run scripts as the root user when prompted by Oracle Universal Installer

After the installation completes, on the Exit page, click Exit. Then, on the Confirmation message box, click Yes to exit
Oracle Universal Installer.

Start the Audit Vault Agent

The agent process can be started from the Audit Vault Server home shell with 'avctl start_agent'. For this command
to succeed, OC4J must already be running in the agent Oracle home; it can be started with 'avctl start_oc4j' from
the agent home shell.
$ avctl start_oc4j
$ avctl start_agent -agentname agnt_secsvr1


Registering Oracle Database Sources and Collectors with Audit Vault Server

Create a user on the source database server:
SQL> create user avuser identified by oracle;

The source user avuser must have a set of required privileges and roles granted to it. The required privileges and
roles are listed in $ORACLE_HOME/av/scripts/streams/source/zarsspriv.sql. This script is located in both the Audit
Vault Server and the Audit Vault Collection Agent Oracle homes.
Run this script on the source database as the SYS user to grant avuser the required privileges, passing the source
user name and a mode:
SQL> @zarsspriv.sql srcusr mode

where mode is one of:
SETUP: for the OSAUD and DBAUD collectors, and for policy management
REDO_COLL: for the REDO log collector; includes all privileges that are granted using the mode SETUP

Add the source database to Audit Vault

From the Audit Vault Server home shell, execute the 'avorcldb add_source' command to add the source database to
the Audit Vault Server.

Note: after successful execution of 'avorcldb add_source', you will notice an entry for the source database being
created in the tnsnames.ora file located in the $ORACLE_HOME/network/admin directory of the Audit Vault Server
Oracle home.

Collector Configurations

Verify that the source database is ready for the DBAUD collector. This can be done from both the Audit Vault
Server and the Agent home. The same applies to the REDO and OSAUD collectors.


From the Audit Vault Server home shell, execute 'avorcldb add_collector' to add the DBAUD collector.

From the Audit Vault Server home shell, execute 'avorcldb add_collector' to add the OSAUD collector.

From the Audit Vault Server home shell, execute 'avorcldb add_collector' to configure the REDO collector:
$ avorcldb add_collector -srcname ORCLDB -agentname avagent1 -colltype REDO -av

Enable the Audit Vault agent to run the Oracle Database collectors

Use the AVORCLDB setup command to update the tnsnames.ora file, store the credentials in the wallet, and verify
the connection using the wallet.

Starting Collectors

Use the AVCTL start_collector command to start the collectors:
DBAUD Collector
OSAUD Collector
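The registration steps above (add_source, add_collector per collector type, setup, start_collector) have to run in that order from the Audit Vault Server home shell, and the note points out one thing worth verifying along the way: add_source should leave an entry for the source in the server's tnsnames.ora. The script below is an added example, not part of this note or of Oracle's tooling, that wraps the sequence with that check and with a DRY_RUN mode that prints the commands instead of running them. Everything not shown on the page is an assumption: that avorcldb add_source takes the source connect string with -src in hostname:port:service form (the page shows -src only for avmssqldb), that the -av argument the page shows for the REDO collector is the Audit Vault Server connect string, and that avctl start_collector takes -collname with default collector names of the form <TYPE>_Collector. The connect strings srchost:1521:orcl and avhost:1521:av are placeholders.

```shell
#!/bin/sh
# Register one Oracle Database source and its collectors in the order the note gives.
# Added example, not Oracle's tooling. Run from the Audit Vault Server home shell with
# ORACLE_HOME set; DRY_RUN=1 prints each command instead of executing it.
# Assumptions (not on the page): -src takes hostname:port:service for avorcldb
# add_source; -av takes the Audit Vault Server connect string; collectors are started
# by -collname using default names <TYPE>_Collector.

SRCNAME=${SRCNAME:-ORCLDB}                      # source name used on the page
AGENT=${AGENT:-avagent1}                        # agent name used on the page
SRC_CONNECT=${SRC_CONNECT:-srchost:1521:orcl}   # placeholder source connect string
AV_CONNECT=${AV_CONNECT:-avhost:1521:av}        # placeholder Audit Vault connect string
TNSNAMES=${TNSNAMES:-$ORACLE_HOME/network/admin/tnsnames.ora}

# run CMD...: print the command under DRY_RUN=1, otherwise execute it and report failure.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@" || { echo "failed: $*" >&2; return 1; }
    fi
}

# tns_has_alias FILE ALIAS: true if FILE defines ALIAS ("ALIAS =" at the start of a line).
tns_has_alias() {
    [ -r "$1" ] && grep -qi "^[[:space:]]*$2[[:space:]]*=" "$1"
}

# add_source DESC: register the source, then confirm the tnsnames.ora entry the note describes.
add_source() {
    run avorcldb add_source -src "$SRC_CONNECT" -srcname "$SRCNAME" -desc "$1" || return 1
    if [ "${DRY_RUN:-0}" != 1 ] && ! tns_has_alias "$TNSNAMES" "$SRCNAME"; then
        echo "no tnsnames.ora entry for $SRCNAME in $TNSNAMES" >&2
        return 1
    fi
}

# add_collectors: DBAUD and OSAUD as on the page; REDO additionally needs -av (assumed value).
add_collectors() {
    for _ct in DBAUD OSAUD REDO; do
        if [ "$_ct" = REDO ]; then
            run avorcldb add_collector -srcname "$SRCNAME" -agentname "$AGENT" \
                -colltype REDO -av "$AV_CONNECT" || return 1
        else
            run avorcldb add_collector -srcname "$SRCNAME" -agentname "$AGENT" \
                -colltype "$_ct" || return 1
        fi
    done
}

# enable_agent: setup updates tnsnames.ora, stores the credentials in the wallet and
# verifies the connection (as the note describes).
enable_agent() { run avorcldb setup -srcname "$SRCNAME"; }

# start_collectors: assumed -collname flag and default collector names.
start_collectors() {
    for _ct in DBAUD OSAUD REDO; do
        run avctl start_collector -collname "${_ct}_Collector" -srcname "$SRCNAME" || return 1
    done
}

# register_all DESC: the whole sequence, stopping at the first failure.
register_all() {
    add_source "$1" && add_collectors && enable_agent && start_collectors
}

# plan [DESC]: the dry-run command list, one command per line, without touching anything.
plan() { ( DRY_RUN=1; register_all "${1:-Example source}" ); }
```

Run `plan 'HR database'` first to review the eight commands that will be issued; then `register_all 'HR database'` executes them, and a missing tnsnames.ora alias after add_source stops the sequence before any collector is created against a source the server cannot resolve.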


Registering Microsoft SQL Server Database Sources and Collector with Audit Vault Server

Download the Microsoft SQL Server JDBC Driver

Oracle Audit Vault requires a JDBC connection to the SQL Server database. Audit Vault supports Microsoft SQL Server
JDBC Driver version 1.2. Ensure that you have downloaded the JDBC driver (sqljdbc.jar) to the $ORACLE_HOME/jlib
directory in both the Audit Vault Server and Audit Vault collection agent homes.

Create a User Account on the Microsoft SQL Server Database Instance

The collector must use this user account to access audit data from the Microsoft SQL Server source database
instance. After you create the user account, the privileges that you assign to it depend on whether the source
database instance is Microsoft SQL Server 2000, 2005, or 2008.

Create the user account:
1. Log in to the Microsoft SQL Server source database instance.
2. Create a user account. For example, to create a user account named srcuser_mss:
EXEC sp_addlogin srcuser_mss, password

For a Microsoft SQL Server 2005 or 2008 database, grant this user the ALTER TRACE privilege:
1. Log in as the SYSADMIN user.
2. Run the following command to grant the ALTER TRACE privilege to the user.

For a Microsoft SQL Server 2000 database instance, grant the user the SYSADMIN fixed server role:
1. Click Security.
2. Click Logins.
3. Right-click the login you created (srcuser_mss).
4. Click Properties.
5. In the left pane, click Server Roles.
6. Select the sysadmin option, and then click OK.

Register the SQL Server Source Database Instance with Audit Vault

To register the SQL Server source database instance with Oracle Audit Vault, run the avmssqldb add_source command:
avmssqldb add_source -src '\hr_db' -srcname mssqldb1 -desc 'HR Database'
Enter a username: srcuser_mss
Enter a password: password

Add the MSSQLDB Collector to Oracle Audit Vault

To add the MSSQLDB collector to Oracle Audit Vault, run the avmssqldb add_collector command:
avmssqldb add_collector -srcname mssqldb1 -agentname agent1
Enter a username: srcuser_mss
Enter a password: password

Enable the Audit Vault Agent to Run the MSSQLDB Collector

To enable the Oracle Audit Vault agent to run the MSSQLDB collector, run the avmssqldb setup command:
avmssqldb setup -srcname mssqldb1
Enter a username: srcuser_mss
Enter a password: password

Audit Vault Log Files

Audit Vault Server Log Files

Much like the Oracle Database, the Oracle Audit Vault Server generates log files that provide current status and
diagnostic information. The log files should be monitored and periodically removed to control the amount of disk
space they use. They are found in <Audit_Vault_Server_Home>/av/log and include the following:

Log of avorcldb commands: tracks the commands issued by the avorcldb facility, which is used during the initial
configuration of audited sources and Audit Vault agents and collectors. It is safe to delete this file at any time.

Log of collector creation and agent start/stop: tracks the creation of collectors and the starting and stopping of
Audit Vault agents and collectors.

av_client-%g.log: contains information about collection metrics from the Audit Vault Collection Agent. The %g is
a generation number that starts from 0 (zero) and increases once the file size reaches the 10 MB limit. This file may
only be deleted after the Audit Vault Server is shut down; the files with an extension of .log.n, for example
av_client0.log.1, may be deleted at any time.

Enterprise Manager stores its logs in the directory <AuditVault_Server_Home>/<Host_Name>_<SID>/sysman/log.

The file emdb.nohup in this directory contains a log of activity for the Audit Vault web application, including GUI
conversations, requests from the avctl utility, and communication with the various Audit Vault collection agents. It
can be used to debug communication issues between the server and the agents.
Audit Vault Collection Agent Log Files

The Audit Vault Collection Agent also creates several log files, which must likewise be maintained to control the
amount of disk space they use. They are found in <Audit_Vault_Collection_Agent_Home>/av/log and include the
following:

Agent error log: contains a log of all errors encountered in agent initialization and operation. It is safe to delete
this file at any time.

Agent operations log: contains a log of all primary agent-related operations and activity. This file may only be
deleted after the Audit Vault Collection Agent is shut down.

AVCA command log: contains a log of all AVCA commands that have been run and the results of running each
command. It is safe to delete this file at any time.

AVORCLDB command log: contains a log of all AVORCLDB commands that have been run and the results of running
each command. It is safe to delete this file at any time.

Collector log: contains a log of collection operations for the DBAUD and OSAUD collectors.

av_client-%g.log: contains a log of the agent operations and any errors returned from those operations. The %g is
a generation number that starts from 0 (zero) and increases once the file size reaches the 10 MB limit. A concurrent
existence of this file is indicated by a .n suffix appended to the file type name, such as av_client-%g.log.n, where
n is an integer issued in sequence, for example av_client-0.log.1. This file may only be deleted after the Audit
Vault Collection Agent is shut down; the files with an extension of .log.n may be deleted at any time.

SQL*Net log: contains a log of SQL*Net information.

The directory <Audit_Vault_Collection_Agent_Home>/oc4j/j2ee/home/log contains the logs generated by the
Collection Agent OC4J. In this directory, the file AVAgent-access.log contains a log of requests the agent receives
from the Audit Vault Server. This can be used to debug communication issues between the server and the agent.
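The deletion rules above reduce to one safe pattern: the live .log files may only go once the server or agent is shut down, while the rotated copies with a numeric .log.n suffix may go at any time. The script below is an added example, not part of this note or of Oracle's tooling, that applies a retention period to exactly that second class of files and never touches the live ones, with an optional gzip mode so the diagnostic history is kept in compressed form rather than discarded. The file names and timestamps used in the test are constructed.

```shell
#!/bin/sh
# Retention for rotated Audit Vault log files in an av/log directory.
# Added example, not part of the note or of Oracle's tooling. Only names of the form
# <name>.log.<n> (the rotated copies the note says may be deleted at any time) are
# ever removed or compressed; the live <name>.log files are left alone because the
# note allows their removal only after the server or agent is shut down.

# rotated_logs DIR: list the rotated (.log.<n>) files directly under DIR, one per line.
rotated_logs() {
    find "$1" -maxdepth 1 -type f -name '*.log.[0-9]*' | grep -E '\.log\.[0-9]+$'
}

# live_logs DIR: the active .log files, which this script never removes.
live_logs() {
    find "$1" -maxdepth 1 -type f -name '*.log'
}

# prune_rotated_logs DIR DAYS [gzip]: delete (or, with "gzip", compress in place) the
# rotated logs under DIR last modified more than DAYS days ago. Prints the count handled.
prune_rotated_logs() {
    _dir=$1; _days=$2; _mode=${3:-delete}; _n=0
    while read -r _f; do
        [ -n "$_f" ] || continue
        # find's glob also matches e.g. x.log.1.gz; keep strictly to .log.<n>
        echo "$_f" | grep -qE '\.log\.[0-9]+$' || continue
        if [ "$_mode" = gzip ]; then gzip -f "$_f"; else rm -f "$_f"; fi
        _n=$((_n + 1))
    done <<EOF
$(find "$_dir" -maxdepth 1 -type f -name '*.log.[0-9]*' -mtime +"$_days")
EOF
    echo "$_n"
}
```

Scheduled from cron on the agent host as, for instance, `prune_rotated_logs "$AGENT_HOME/av/log" 30 gzip` (AGENT_HOME standing for the collection agent Oracle home), this keeps the av/log directory bounded without risking the files the running agent still writes to; `live_logs` is there so a quick `du` over its output shows how much space the unremovable part is taking.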

