Install Audit Vault Agent to collect audit data from an

Oracle Database
Downloading JDK for the Agent

Oracle AVDF Agent requires at least the version 1.8 of JDK

In this case, I am downloading "Linux x64 - jdk-8u211-linux-x64.tar.gz":

If the server where you are installing the Agent has already Java 1.8 then you don’t have to do
these steps. In my case, the Oracle database home has only Java 1.6, that’s why I have to install
Java 1.8 in a different Java Home for the agent:

[oracle@druatdb ~]$ /u01/app/oracle/product/12.1.0/db1/jdk/bin/java -version

java version "1.6.0_75"
Java(TM) SE Runtime Environment (build 1.6.0_75-b13)
Java HotSpot(TM) 64-Bit Server VM (build 20.75-b01, mixed mode)
[oracle@druatdb ~]$

Transfer the java tar file to the database server where java will be installed:

[root@druatdb ~]# pwd

/root
[root@druatdb ~]# ls -ltr jdk-8u211-linux-x64.tar.gz
-rw-r--r-- 1 root root 194990602 Jun 18 08:20 jdk-8u211-linux-x64.tar.gz
 [root@druatdb ~]# mkdir -p /usr/java/

INSTALL AVDF AGENT TO COLLECT AUDIT DATA GIPF

[root@druatdb ~]# cd /usr/java/
[root@druatdb java]# mv /root/jdk-8u211-linux-x64.tar.gz .
[root@druatdb java]# tar zxvf jdk-8u211-linux-x64.tar.gz

[root@druatdb java]# ls
jdk1.8.0_211  jdk-8u211-linux-x64.tar.gz
[root@druatdb java]# rm -rf jdk-8u211-linux-x64.tar.gz
[root@druatdb java]# ls
jdk1.8.0_211
[root@druatdb java]#

Checking the version of the JDK:

[oracle@druatdb ~]$ /usr/java/jdk1.8.0_211/bin/java -version

java version "1.8.0_211"
Java(TM) SE Runtime Environment (build 1.8.0_211-b12)
Java HotSpot(TM) 64-Bit Server VM (build 25.211-b12, mixed mode)

[oracle@druatdb ~]$

Registering the Host in Oracle Audit Vault

Login in to Oracle Audit Vault:

INSTALL AVDF AGENT TO COLLECT AUDIT DATA GIPF

Click in “Hosts” menu

In “Hosts” tab click in “Register”

Enter the hostname of the Database Server that that will be monitored by Oracle Audit Vault
Enter the IP of the Database Server that will be monitored by Oracle Audit Vault

Click in “Save” Button

INSTALL AVDF AGENT TO COLLECT AUDIT DATA GIPF

Verify that the Host was added successfully.

Copy the “Agent Activation Key” because it will be used later in this article to activate the
agent.

Downloading the Agent Jar File from Audit Vault Server

Login in to Oracle Audit Vault Server

Click in "Hosts" menu

Click in "Hosts" tab
Click in "Agent": The Agent and host
monitor files are listed.
Click in "Download" Button next to the
Agent file, and then save the
"agent.jar" file in your machine. In this
case "Agent Release 12.2.0.10.0".

INSTALL AVDF AGENT TO COLLECT AUDIT DATA GIPF

Transfer the agent jar to the database server:

[oracle@druatdb ~]$ pwd

/home/oracle
[oracle@druatdb ~]$ ls -ltr agent.jar
-rw-r--r-- 1 oracle oinstall 30296508 Jun 18 08:12 agent.jar
[oracle@druatdb ~]$

[oracle@druatdb ~]$ export JAVA_HOME=/usr/java/jdk1.8.0_211

[oracle@druatdb ~]$ export PATH=$JAVA_HOME/bin:$PATH
[oracle@druatdb ~]$ java -jar agent.jar -d /u01/app/

Install the Agent:

Check connectivity from Database server to the Oracle Audit Vault:

[oracle@druatdb ~]$ ping 192.168.56.20

PING 192.168.56.20 (192.168.56.20) 56(84) bytes of data.
64 bytes from 192.168.56.20: icmp_seq=1 ttl=64 time=0.195 ms
64 bytes from 192.168.56.20: icmp_seq=2 ttl=64 time=0.310 ms
64 bytes from 192.168.56.20: icmp_seq=3 ttl=64 time=0.353 ms
^C
--- 192.168.56.20 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2001ms
rtt min/avg/max/mdev = 0.195/0.286/0.353/0.066 ms
[oracle@druatdb ~]$

Check connectivity from the Oracle Audit Vault to the Database Server:

login as: support

support@192.168.56.20's password:
Last login: Thu Jun 13 13:27:30 2019 from 192.168.56.1

[support@avs08002778ad2b ~]$ su -
Password:
Last login: Thu Jun 13 13:27:33 UTC 2019 on pts/0
[root@avs08002778ad2b ~]# ping 192.168.56.30
PING 192.168.56.30 (192.168.56.30) 56(84) bytes of data.
64 bytes from 192.168.56.30: icmp_seq=1 ttl=64 time=0.355 ms

INSTALL AVDF AGENT TO COLLECT AUDIT DATA GIPF

64 bytes from 192.168.56.30: icmp_seq=2 ttl=64 time=0.435 ms
64 bytes from 192.168.56.30: icmp_seq=3 ttl=64 time=0.318 ms
64 bytes from 192.168.56.30: icmp_seq=4 ttl=64 time=0.239 ms
^C
--- 192.168.56.30 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3001ms
rtt min/avg/max/mdev = 0.239/0.336/0.435/0.074 ms
[root@avs08002778ad2b ~]#

Create the Agent Home:

mkdir -p /u01/app/av_agent_12c

Move the agent jar file to the new Agent Home:

[oracle@druatdb ~]$ mv /home/oracle/agent.jar /u01/app/av_agent_12c

Install the agent:

[oracle@druatdb ~]$ cd /u01/app/av_agent_12c/

[oracle@druatdb av_agent_12c]$ java -jar agent.jar -d /u01/app/av_agent_12c/
[oracle@druatdb av_agent_12c]$ java -jar agent.jar -d /u01/app/av_agent_12c/
Checking for updates...
Agent is updating. This operation may take a few minutes. Please wait...
Agent updated successfully.
Agent installed successfully.
If deploying hostmonitor please refer to product documentation for additional installation
steps.
[oracle@druatdb av_agent_12c]$

Activating the Agent:

To activate the agent you will need the “activation key” that was copied at the beginning of this
article. I

[oracle@druatdb av_agent_12c]$ bin/agentctl start -k

Enter Activation Key: --Enter here the Activation Key--
Agent started successfully.

[oracle@druatdb av_agent_12c]$

In  Audit Vault Server web console

Click in "Hosts" menu

INSTALL AVDF AGENT TO COLLECT AUDIT DATA GIPF

Click in "Hosts" tab
Confirm that the agent status is now "Running"

Checking status of Audit Agent:

[oracle@druatdb av_agent_12c]$ bin/agentctl status

Agent is running.
[oracle@druatdb av_agent_12c]$

Stop Audit Agent:

[oracle@druatdb av_agent_12c]$ bin/agentctl stop

Stopping Agent...
[oracle@druatdb av_agent_12c]$

Start Audit Agent: Activation key is only required in the first start.

[oracle@druatdb av_agent_12c]$ bin/agentctl start

Agent started successfully.
[oracle@druatdb av_agent_12c]$

If you need to troubleshoot the Agent, (database connection, etc), the Agent log is located in
$AGENT_HOME/av/log. In my case is "/u01/app/av_agent_12c/av/log/"

Registering an Oracle Database in Oracle Audit Vault Server to Collect Audit Data

Creating the Secured Target

INSTALL AVDF AGENT TO COLLECT AUDIT DATA GIPF

In Audit Vault Server web console
Click in "Secured Targets"
Click in "Targets"
Click in "Register"

Fill up the basic information of the Secured Target

Fill up the Section “Secured Target Location (For auditing)”

Click in “Save” Button

INSTALL AVDF AGENT TO COLLECT AUDIT DATA GIPF

Verify that the Secured Target was created successfully:

In Audit Vault Server web console

Click in “Secured Targets”
Click in “Audit Trails” under “Monitoring” Section

Click in “Add” Button

INSTALL AVDF AGENT TO COLLECT AUDIT DATA GIPF

Enter the “Audit Trail Type”, “Collection Host”, “Secured Target”, and “Trail Location” to
collect auditing data from the Secured Target.

Click in “Save” Button

Verify that the information for collect audit information is correct. You will see that the Status is
"Stopped", that's normal, the next step is actually start it up.

INSTALL AVDF AGENT TO COLLECT AUDIT DATA GIPF

Select the Audit Trail and then click in "Start" Button. And then click in "OK" Button to confirm.

The Audit Trail Status will change to "Starting"

NOTE: The status doesn't refresh automatically, you will have to refresh it "manually" (F5, or
click in "Audit Trails" Menu)

INSTALL AVDF AGENT TO COLLECT AUDIT DATA GIPF

And after some seconds the Status will be "Idle" which means waiting for the Database to
generate more audit data to be collected.

INSTALL AVDF AGENT TO COLLECT AUDIT DATA GIPF