{"id":1545,"date":"2013-10-22T08:25:31","date_gmt":"2013-10-22T06:25:31","guid":{"rendered":"http:\/\/www.oradba.ch\/?p=1545"},"modified":"2013-10-22T08:31:08","modified_gmt":"2013-10-22T06:31:08","slug":"avcli-doubles-audit-trails-bug-or-feature","status":"publish","type":"post","link":"https:\/\/www.oradba.ch\/wordpress\/2013\/10\/avcli-doubles-audit-trails-bug-or-feature\/","title":{"rendered":"AVCLI doubles audit trails, bug or feature?"},"content":{"rendered":"<p>I&#8217;ve started using the <a href=\"https:\/\/www.oradba.ch\/wordpress\/2013\/10\/avcli-audit-vault-command-line-interface\/\" title=\"AVCLI Audit Vault command line interface\">AV command line interface<\/a> to administer AVDF. I use the tool fairly often to start, stop and monitor the audit trails. But recently I ran into a small issue after a typo. I just wanted to start the audit trail on the ADUMP directory of a database.<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"sql\">\r\nAVCLI&gt; LIST TRAIL FOR SECURED TARGET TDB11A;\r\n----------------------------------------------------------------------------------------------------------------------------------\r\n| AUDIT_TRAIL_TYPE | HOST   | LOCATION                            | STATUS  | REQUEST_STATUS | ERROR_MESSAGE                     |\r\n==================================================================================================================================\r\n| DIRECTORY        | urania | \/u00\/app\/oracle\/admin\/TDB11A\/adump  | STOPPED |                |                                   |\r\n| TABLE            | urania | SYS.AUD$                            | STOPPED |                |                                   |\r\n| TRANSACTION LOG  | urania |                                     | STOPPED |                |                                   |\r\n----------------------------------------------------------------------------------------------------------------------------------\r\n\r\nAVCLI&gt; START COLLECTION 
FOR SECURED TARGET TDB11A USING HOST urania FROM DIRECTORY &#039;\/u00\/app\/oracle\/admin\/TDB11A\/adump\/&#039;;\r\n\r\nRequest submitted successfully.\r\n<\/pre>\n<p>After submitting the start command I checked the status of the audit trails. As expected, the audit trail has been started and is now waiting in IDLE state for audit files. But wait, there are two audit trails on the same directory?! One of them has a trailing slash. <\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"sql\">AVCLI&gt; LIST TRAIL FOR SECURED TARGET TDB11A;\r\n--------------------------------------------------------------------------------------------------------------\r\n| AUDIT_TRAIL_TYPE | HOST   | LOCATION                            | STATUS  | REQUEST_STATUS | ERROR_MESSAGE |\r\n==============================================================================================================\r\n| DIRECTORY        | urania | \/u00\/app\/oracle\/admin\/TDB11A\/adump  | STOPPED |                |               |\r\n| DIRECTORY        | urania | \/u00\/app\/oracle\/admin\/TDB11A\/adump\/ | IDLE    |                |               |\r\n| TABLE            | urania | SYS.AUD$                            | STOPPED |                |               |\r\n| TRANSACTION LOG  | urania |                                     | STOPPED |                |               |\r\n--------------------------------------------------------------------------------------------------------------\r\n<\/pre>\n<p>It is also possible to start both of them.<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"sql\">AVCLI&gt; START COLLECTION FOR SECURED TARGET TDB11A USING HOST urania FROM DIRECTORY &#039;\/u00\/app\/oracle\/admin\/TDB11A\/adump&#039;;\r\n\r\nRequest submitted successfully.\r\n\r\nAVCLI&gt; LIST TRAIL FOR SECURED TARGET TDB11A;\r\n---------------------------------------------------------------------------------------------------------------\r\n| AUDIT_TRAIL_TYPE | HOST   | 
LOCATION                            | STATUS  | REQUEST_STATUS  | ERROR_MESSAGE |\r\n===============================================================================================================\r\n| DIRECTORY        | urania | \/u00\/app\/oracle\/admin\/TDB11A\/adump  | STOPPED | START REQUESTED |               |\r\n| DIRECTORY        | urania | \/u00\/app\/oracle\/admin\/TDB11A\/adump\/ | IDLE    |                 |               |\r\n| TABLE            | urania | SYS.AUD$                            | STOPPED |                 |               |\r\n| TRANSACTION LOG  | urania |                                     | STOPPED |                 |               |\r\n---------------------------------------------------------------------------------------------------------------\r\n\r\n4 row(s) selected.\r\n\r\nThe command completed successfully. <\/pre>\n<p>Since it does not make sense to have two audit trails on the same directory, I tried to drop the second audit trail.<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"sql\">\r\nAVCLI&gt; STOP COLLECTION FOR SECURED TARGET TDB11A USING HOST urania FROM DIRECTORY &#039;\/u00\/app\/oracle\/admin\/TDB11A\/adump\/&#039;;\r\n\r\nRequest submitted successfully.\r\n\r\nAVCLI&gt; DROP TRAIL FOR SECURED TARGET TDB11A USING HOST urania FROM DIRECTORY &#039;\/u00\/app\/oracle\/admin\/TDB11A\/adump\/&#039;;\r\nERROR: \r\nOAV-3025: Audit data has been gathered for trail \/u00\/app\/oracle\/admin\/TDB11A\/adump\/ of type DIRECTORY for secured target TDB11A. cannot drop trail.\r\n<\/pre>\n<ul>\n<li>Why the heck do I have a second audit trail? <\/li>\n<li>Why is it not possible to remove it?<\/li>\n<\/ul>\n<p>The answer to the second question is simple. Since both audit trails point to the same directory, they also point somehow to the same audit data. In the current release 12.1.1 of Oracle Audit Vault and Database Firewall it is not possible to remove an audit trail if audit data has already been collected for it. 
OK, but why do I have a second audit trail on the same directory? The reason is not obvious, but simple. Oracle did not implement a command to create new audit trails. Instead, they use the start command. If you execute <\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"sql\">START COLLECTION FOR SECURED TARGET<\/pre>\n<p> and the requested audit trail does not yet exist, it will be created. Unfortunately, this behavior is not mentioned in the <a href=\"http:\/\/docs.oracle.com\/cd\/E37100_01\/doc.121\/e27776\/avcli_commands.htm#SIGAD371\" target=\"_blank\">AVCLI documentation<\/a>. I could test this successfully for other trail types. In the case of directories, Oracle checks whether the directory exists and is accessible, but does not normalize the path name, which is why I ended up with two similar audit trails. <\/p>\n<h3>Solution<\/h3>\n<p>For now there are only two possibilities. We either have to live with the second audit trail or we could try to manually drop the audit data related to this audit trail. But dropping means losing audit data, which is in most cases not feasible for production systems. I&#8217;ll provide a possible solution to drop trail data later on this blog. Oracle itself addressed this issue in bug <a href=\"https:\/\/support.oracle.com\/epmos\/faces\/BugDisplay?id=17544636\" target=\"_blank\">17544636<\/a> <em>ONE CAN EASILY DUPLICATE AUDIT TRAILS WHEN USING AVCLI<\/em>. <\/p>\n<h3>Conclusion<\/h3>\n<p>It is a nice feature to easily create audit trails. 
But I expect it to handle simple user errors \/ typos better \ud83d\ude42<\/p>\n<h3>References<\/h3>\n<p>Some links related to this post.<\/p>\n<ul>\n<li>Bug <em><a href=\"https:\/\/support.oracle.com\/epmos\/faces\/BugDisplay?id=17544636\" target=\"_blank\">17544636<\/a><\/em> One can easily duplicate Audit Trails when using AVCLI<\/li>\n<li>Oracle\u00ae Audit Vault and Database Firewall Administrator&#8217;s Guide Release 12.1.1<br \/>\n<a href=\"http:\/\/docs.oracle.com\/cd\/E37100_01\/doc.121\/e27776\/avcli_commands.htm#SIGAD371\" target=\"_blank\">START COLLECTION FOR SECURED TARGET<\/a><\/li>\n<li>OraDBA Post <a href=\"https:\/\/www.oradba.ch\/wordpress\/2013\/10\/avcli-audit-vault-command-line-interface\/\" title=\"AVCLI Audit Vault command line interface\">AVCLI Audit Vault command line interface<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>I&#8217;ve started using the AV command line interface to administer AVDF. I use the tool fairly often to start, stop and monitor the audit trails. But recently I ran into a small issue after a typo. I just wanted to start the audit trail on the ADUMP directory of a database. AVCLI&gt; LIST TRAIL FOR [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"AVCLI doubles audit trails, bug or feature? 
http:\/\/wp.me\/p1aErb-oV #trivadis #oracleavdf #AVDF","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[85,88,101,11],"tags":[119,111],"class_list":["post-1545","post","type-post","status-publish","format-standard","hentry","category-audit-vault-and-database-firewall","category-avdf","category-bug","category-security","tag-avcli","tag-tvdsecexpert"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/p1aErb-oV","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.oradba.ch\/wordpress\/wp-json\/wp\/v2\/posts\/1545","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.oradba.ch\/wordpress\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.oradba.ch\/wordpress\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.oradba.ch\/wordpress\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.oradba.ch\/wordpress\/wp-json\/wp\/v2\/comments?post=1545"}],"version-history":[{"count":2,"href":"https:\/\/www.oradba.ch\/wordpress\/wp-json\/wp\/v2\/posts\/1545\/revisions"}],"predecessor-version":[{"id":1547,"href":"https:\/\/www.oradba.ch\/wordpress\/wp-json\/wp\/v2\/posts\/1545\/revisions\/1547"}],"wp:attachment":[{"href":"https:\/\/www.oradba.ch\/wordpress\/wp-json\/wp\/v2\/media?parent=1545"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.oradba.ch\/wordpress\/wp-json\/wp\/v2\/categories?post=1545"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.oradba.ch\/wordpress\/wp-json\/wp\/v2\/tags?post=1545"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}