
Clean Up Audit Vault

This document outlines steps to purge all existing data from an Oracle Audit Vault Server while maintaining the server configuration. This results in a "fresh start" with no existing audit data or alerts, but preserves things like firewall policies and custom reports. The steps stop audit collection, load a purge package, purge the data from tables, remove unused tablespaces, optionally clean up reports and alerts, reinitialize the server, and restart audit collection. Completing these steps will delete all existing audit data unless a backup was previously created.

Uploaded by

tareqfrak

Purpose

Enable customers to return to a "fresh start" as far as collected data is concerned
while maintaining configuration metadata.

Prerequisites

Anyone following this document must understand that following the steps
outlined below will result in data loss. If you wish to restore data in the future,
Oracle recommends completing a full backup of the system by following Note
1556200.1.
You must enable SSH access to the Audit Vault Server before proceeding.
You must know the support and root user passwords.
You must be able to login as a user with Super Admin privileges.
You must be able to login as a user with Super Auditor privileges.

Details

1. Stop Audit Trails and Enforcement Points

1.1. Login to the Audit Vault Server user interface as an avadmin

1.2. Navigate to the Secured Targets page

1.3. Click on the Audit Trails link and stop all Audit Trails

1.4. Click on the Enforcement Points link and stop all Enforcement Points

2. Copy the purge-avs-package.sql file - attached to SR - to the Audit Vault Server

scp remote_host:remote_path/purge-avs-package.sql /home/oracle/.

3. Login to the Audit Vault Server database

3.1. Open connection to the Audit Vault Server as 'root' user either via SSH or the
console

3.2. Become oracle user

su - oracle

3.3. Login to the database

sqlplus / as sysdba

4. Unlock avsys user

alter user avsys identified by Oracle_123 account unlock;


5. Load the purge_avs package from purge-avs-package.sql into the database

sqlplus avsys/Oracle_123

set serveroutput on size 1000000
set trimspool on
set long 5000
set linesize 1000
set pagesize 9999

@purge-avs-package.sql

6. Check to see which tablespaces have been archived and/or are offline. These must
be brought back online before attempting the purging (step 9).

execute purge_avs.offline_tablespaces;

(you may see output similar to below)

Tablespace: AV_ILM_0540_0546 filename
+EVENTDATA/dbfwdb/datafile/av_ilm_0540_0546.264.853499147 is offline
Tablespace: AV_ILM_0540_0552 filename
+EVENTDATA/dbfwdb/datafile/av_ilm_0540_0552.261.853499053 is offline
Tablespace: AV_ILM_0540_0625 filename
+EVENTDATA/dbfwdb/datafile/av_ilm_0540_0625.275.865976447 is offline
Tablespace: AV_ILM_0541_0547 filename
+EVENTDATA/dbfwdb/datafile/av_ilm_0541_0547.277.868201949 is offline
Tablespace: AV_ILM_0534_0546 filename
/var/lib/oracle/dbfw/ilm_staging/AV_ILM_0534_0546 is offline
Tablespace: AV_ILM_0535_0541 filename
/var/lib/oracle/dbfw/ilm_staging/AV_ILM_0535_0541 is offline
Tablespace: AV_ILM_0535_0547 filename
/var/lib/oracle/dbfw/ilm_staging/AV_ILM_0535_0547 is offline
Tablespace: AV_ILM_0536_0542 filename
/var/lib/oracle/dbfw/ilm_staging/AV_ILM_0536_0542 is offline

Tablespaces listed as being in /var/lib/oracle/dbfw/ilm_staging/ are tablespaces
which have been archived.

7. Copy all the archived tablespaces back to the Audit Vault Server and place them in
the same directory. File ownership must be "oracle:oinstall"; if the files are
owned by root, the following steps will fail. You do not have to run an archive
restore job in the Audit Vault Server UI; a simple copy is sufficient.

8. Bring all the offline tablespaces back online

execute purge_avs.bring_tbsp_online;

8.1. Verify all tablespace files are restored and online by checking
purge_avs.offline_tablespaces as in step 8. If no filenames are returned proceed to
the next step.

9. Data can now be purged from the Audit Vault server.

*** IMPORTANT ***

Unless you have created a backup of the data using Note 1556200.1, once this step
is completed all existing data in the Audit Vault Server repository will be lost.

execute purge_avs.purge_data;

10. Delete old tablespaces

execute purge_avs.drop_ilm_tablespaces;

11. The steps in this section are optional - if you do not wish to clear any of the
following, proceed to step 12.

11.1. Clean up old alerts

execute purge_avs.clean_alerts;

11.2. Clean up custom reports

execute purge_avs.clean_reports;

11.3. Clean up Firewall policies and associated cluster data. Before doing so, you
must login to the AVS UI as an AVAUDITOR and configure all Secured Targets which
have Enforcement Points configured to use one of the built-in policies (Pass all;
Unique; Log sample; Log all; Log all - no mask; Unique - no mask).

execute purge_avs.clean_fw_policies;

12. Re-initialise Audit Vault Server

12.1. Delete the purge_avs package

DROP PACKAGE purge_avs;

12.2. Reboot Audit Vault Server

(probably not necessary but at the very least it should relock the avsys account
and of course restart the DB)

12.3. Login to the Audit Vault Server user interface as an avadmin

12.4. Navigate to the Secured Targets page

12.5. Click on the Audit Trails link and start all Audit Trails

12.6. Click on the Enforcement Points link and start all Enforcement Points
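
A pre-flight check for steps 6 to 8, as an added example that is not part of the original document or of the purge_avs package: it reads a saved copy of the purge_avs.offline_tablespaces output and confirms that every archived file under the staging directory exists and is owned by oracle:oinstall before purge_avs.bring_tbsp_online is run. The function names and the saved-output file are assumptions; the staging path and the required ownership come from steps 6 and 7.

```shell
#!/bin/sh
# Added example: verify archived tablespace files before step 8.
# Assumption: the output of "execute purge_avs.offline_tablespaces;" was saved
# to a text file (for example with SQL*Plus spool) and is passed as $1.

STAGING_DIR="/var/lib/oracle/dbfw/ilm_staging"   # path shown in the step 6 output
EXPECTED_OWNER="oracle:oinstall"                 # ownership required by step 7

# Print the archived datafile paths found in the saved output.
# $1 = saved output file, $2 = staging directory (optional).
# ASM entries (+EVENTDATA/...) are not under the staging directory and are skipped.
archived_paths() {
    awk -v d="${2:-$STAGING_DIR}/" \
        '{ for (i = 1; i <= NF; i++) if (index($i, d) == 1) print $i }' "$1" | sort -u
}

# Report every archived file that is missing or has the wrong owner.
# $1 = saved output file, $2 = expected owner (optional), $3 = staging dir (optional).
# Returns 0 when all files are present and correctly owned, 1 otherwise.
check_archived_files() {
    avs_owner="${2:-$EXPECTED_OWNER}"
    avs_problems=0
    for avs_path in $(archived_paths "$1" "$3"); do
        if [ ! -f "$avs_path" ]; then
            echo "MISSING     $avs_path"
            avs_problems=$((avs_problems + 1))
            continue
        fi
        # Columns 3 and 4 of "ls -ld" are the owning user and group.
        avs_actual=$(ls -ld "$avs_path" | awk '{ print $3 ":" $4 }')
        if [ "$avs_actual" != "$avs_owner" ]; then
            echo "WRONG OWNER $avs_path ($avs_actual, expected $avs_owner)"
            avs_problems=$((avs_problems + 1))
        fi
    done
    [ "$avs_problems" -eq 0 ]
}

# Usage on the Audit Vault Server, with a hypothetical spool file name:
#   check_archived_files /home/oracle/offline_tablespaces.txt && echo "ready for step 8"
```

A non-zero return means at least one file still has to be copied back or have its ownership corrected before step 8 is attempted.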
