Exceptions domain

This domain contains traffic details: all of the exceptions and exception-related data. These are SQL exceptions sent from a database server and collected by inspection engines, as well as exceptions generated by Guardium itself. This topic describes the domain's entities and attributes.

Available to roles: all

Client/Server Entity

This entity describes a specific client-server connection. An instance is created each time a unique set of attributes (excluding the Timestamp) is detected.

Note: For Access Tracking only, Client/Server Entity name appears in the menu as two possible entities - Client/Server and Client/Server By Session.

Client/Server By Session gets its count from the Client/Server and date conditions from the Session.

Client/Server gets its count from the Client/Server and date conditions also from the Client/Server.

If you select Client/Server, then the query is populated with ATTRIBUTE_ID = 1. If you select Client/Server By Session, then the query is populated with MAIN_ATTRIBUTE_ID = 0.

Attribute Description
Access ID A unique identifier for this unique set of client/server connection attributes. Only available to users with the admin role.
Analyzed Client IP Applies only to encrypted traffic; when set, client IP is set to zeroes.

Analyzed Client IP contains the IP for encrypted sessions. For unencrypted sessions Analyzed Client IP will be the same as Client IP.

Client Host Name Client host name.
Client IP Client IP address. For ASO traffic, CLIENT_IP is not the actual client IP; use the Analyzed Client IP, which is the correct IP. For Oracle ASO encrypted IPv6 traffic (local as well as remote), use the Client Host Name to identify the actual client session, due to limitations. For SSL traffic, Client IP is not the actual client IP and there is no Analyzed Client IP.
ClientIP / DBUser Paired attribute value consisting of the client IP address and database user name.
Client IP/Src App/DB User/Server IP/Svc Name A tuple group containing the named fields. For more information, see Tuple groups.
Client IP/Src App/User A tuple group containing the named fields. For more information, see Tuple groups.
Client MAC Client hardware address.
Client OS Client operating system.

For Teradata, as there is no direct information about client/server OS, instead, the data format type is used; indicating how integer data are stored during db session. This has a close relation to the platform being used and may appear as follows:

IBM MAINFRAME // IBM mainframe data format

HONEYWELL MAINFRAME // Honeywell mainframe data format

AT&T 3B2 // AT&T 3B2 data format.

INTEL 8086 // Intel 8086 data format (IBM PC or compatible)

VAX // VAX data format

AMDAHL // Amdahl data format

DB Protocol Protocol specific to the database server For example, DRDA (Db2), TNS (Oracle), or TDS (MS SQL Server).
DB Protocol Version Protocol version for the DB Protocol.
DB User Name Database user name: user that connected to the database, either local or remote.
Last Used The timestamp of the last time the data was used.
Network Protocol Network protocol used (such as TCP or UDP. For K-TAP on Oracle, this displays as either IPC or BEQ)
OS User OS user as reported by the database client where supported by the database type.
Server Description Server description (if any). For example, displays cluster name of the Cloudera Data Platform.
Server Host Name Server host name.
Server IP Server IP address.
Server IP/DB user Paired attribute value consisting of Server IP address and database user name.
Server IP/Svc Name/DB User A tuple group containing the named fields. For more information, see Tuple groups.
Server OS Server operating system.

For Informix, the OS may appear as follows:

IEEEM indicating Unix or JDBCIEEEI indicating WindowsDEC indicating DEC Alpha

For Teradata, as there is no direct information about client/server OS, instead, the data format type is used; indicating how integer data are stored during db session. This has a close relation to the platform being used and may appear as follows:

IBM MAINFRAME // IBM mainframe data format

HONEYWELL MAINFRAME // Honeywell mainframe data format

AT&T 3B2 // AT&T 3B2 data format.

INTEL 8086 // Intel 8086 data format (IBM PC or compatible)

VAX // VAX data format

AMDAHL // Amdahl data format

Server Type The type of database monitored, such as Dd2, Oracle, or Teradata.
Service Name Service name for the interaction. In some cases (AIX shared memory connections, for example), the service name is an alias that is used until the actual service is connected. In those cases, once the actual service is connected, a new session is started - so what the user experiences as a single session is logged as two sessions.

For Teradata, Service name contains the session logical host id value.

Source Program Source program as reported by the database client where supported by the database type.
Client/ Server by session Client/Server by session is also a Main Entity. Access this secondary entity by clicking on the Client/Server primary entity.
Timestamp The time on the collector when the client first connected to the server. For example, if a client is connecting to the server in the same way many days in a row this timestamp will be the time of the first connection. This may even be before the purge days of the appliance.
Timestamp Date Date only from the timestamp.
Timestamp Time Time only from the timestamp.
Timestamp Weekday Weekday only from the timestamp.
Timestamp Year Year only from the timestamp.

Session Entity

This entity is created for each Client/Server database session.

Attribute Description
Access ID A unique identifier for this unique set of client/server connection attributes. Only available to users with the admin role.
Client Port Client port number.
Database Name Name of database for the session.

For Oracle, Database Name may contain additional and application specific information such as the currently executing module for a session that has been set in the MODULE column of the V$SESSION view.

Duration (secs) Indicates the length of time between the Session Start and the Session End (in seconds).
Global ID Uniquely identifies the session - access. Only available to users with the admin role.
Ignored Since Timestamp created when starting to ignore this session.
Inactive Flag
  • -1: Session closed by timeout.
  • 0 (default): Open for sessions generated by SQL package.
  • 1: Closed (disconnect/ logout received).
  • 2: Closed due to timeout on Guardium system. The session is reopened when traffic is regenerated in the session.
  • 3: For sessions generated from non-SQL packets.
Old Session ID Points to the session from which this session was created. Zero if this is the first session of the connection.
Original Timezone The UTC offset. This is done in particular for aggregators that have collectors in different time zones and so that activities that happened hours apart do not seem as if they happened at the same time when imported to the aggregator.

For instance, on an aggregator that aggregates data from different time zones, you can see session start of one record that is 21:00 with original timezone UTC-02:00 and another record where session start is 21:00 with original timezone UTC-05:00, This means that these events occurred 3 hours apart, but at the same respective local time (9 PM).

Process ID The process ID of the client that initiated the connection (not always available).
Server Port Server port number.
Session Encrypted Whether the session is encrypted. 0: no; 1: yes.
Session End The time on the DB server when the session ended. Session End is also a Main Entity. Access this secondary entity by clicking on the Session primary entity.
Session End Date Date only from the Session End.
Session End Time Time only from the Session End.
Session End Weekday Weekday only from the Session End.
Session End Year Year only from the Session End.
Session ID Uniquely identifies the session. Only available to users with the admin role.
Session Ignored A Yes indicates that the session was ignored using the IGNORE SESSION policy action.
Session Start The time on the DB server when the session started. Session Start is also a Main Entity. Access this secondary entity by clicking on the Session primary entity.
Session Start Date Date only from the Session Start.
Session Start Time Time only from the Session Start.
Session Start Weekday Weekday only from the Session Start.
Session Start Year Year only from the Session Start.
Terminal Id Terminal ID of the connection, used internally to resolve session information.
Timestamp The time on the collector when the session information was most recently updated. Initially, a timestamp created for the first request on a client-server connection where there is not an active session in progress. Later, it is updated when the session is closed, or when it is marked inactive following an extended period of time with no observed activity. When tracking Session information, you are probably more interested in the Session Start and Session End attributes than the Timestamp attribute. If the session is closed it is be the same time as the Session End.
Timestamp Date Date only from the timestamp.
Timestamp Time Time only from the timestamp.
Timestamp Weekday Weekday only from the timestamp.
Timestamp Year Year only from the timestamp.
TTL Only available to users with the admin role.
Uid Chain For a session reported by Unix S-TAP® (K-TAP mode only), or FAM on Windows, this shows the chain of OS users, when users su with a different user name. For more information, see Linux-Unix: UID chains and UID chain for FAM.
Uid Chain Compressed The UID chain excluding the first user and the last user. For more information, see Linux-Unix: UID chains and UID chain for FAM.

Client/Server Session Entity

Attribute Description
Client IP/Src App/DB User/Server IP/Svc. Name/OS User/DB Name A tuple group containing the named fields. For more information, see Tuple groups.
Server IP/Server Port Server IP/Server Port

Exception Type Entity

There is a fixed set of exception types, one of which is associated with each exception logged. These are available for reporting only from the owning Exception Entity.

Attribute Description
Exception Description

A text description of the exception type, from the following list. Most of these should never be seen.

A new construct was used

Alert Process threw an exception

Custom Alerting Processing Exception

Database Server returned an error

For this message, a database error code will be stored in the Exception Description attribute of the Exception entity, and a text version of the database error message will be available in the Database Error Text attribute of the Database Error Text entity.

DB Protocol Exception

Debug prints through the EXCEPTIONs mechanism

Dropped database requests

Session information was dropped due to excess traffic.

Error During Configuration Auditing System Process

Error During Classification Process

Invalid Query Invocation

Login Failed

Low-level DB protocol Exception

QRW_EXCEPTION

Scheduled job threw an exception

Security Assessment Exception

Security Exception

For this message, a custom class exception has been raised when breaching code execution is blocked; such as when users use the Java™ API to define their own alerts or assessments.

Session closed prematurely

SQL Parser Exception

S-TAP Connectivity reconnect

For this message, the IP address or DNS name of the database server will be available in the Exception Description attribute of the Exception entity

S-TAP Connectivity timeout

For this message, the IP address or DNS name of the database server will be available in the Exception Description attribute of the Exception entity

TCP ERROR

For this message, additional information about the error will be included in the Exception Description attribute of the Exception entity

Turbine class threw an exception

Unable to purge report

Exception Entity

This entity is created for each exception encountered.

Attribute Description
App User Name Application user name.
Collector Id  
DB2 i Current User  
DB2 i/z Database  
DB2 i/z Program  
Database Protocol  
Destination Address Destination IP address.
Destination Port Destination port number.
Database Protocol Database protocol for the exception.
Event Microsec  
Exception Date Date only from the timestamp.
Exception Description Description of the exception.

For an S-TAP reconnect or timeout exception, this field contains the IP address or DNS name of the database server.

For a database exception, this is an error code from the database management system. For most common messages (about 54,000 of them), a longer text description is available in the Database Error Text attribute. That text comes from the internal Guardium® database table of error messages, not from the exception itself.

For Db2 z/OS systems, this field returns the Event ID return code if a negative SQL code is not available.

Exception ID Uniquely identifies the exception. Only available to users with the admin role.
Exception Time Time only from the timestamp.
Exception Timestamp The time on the DB Server (if the exception is from monitored traffic, for example, an SQL exception on the database) or Collector (if the exception is related to the collector for example, a parser error).
Exception Type ID Uniquely identifies the exception type. Only available to users with the admin role.
Exception Weekday Weekday only from the timestamp.
Exception Year Year only from the timestamp.
Global Id Global identifier for the exception.
Link to more information about the exception Optional link that is sometimes available, depending on the exception source.
New TTL value

Reserved for admin role use only.

Original Timezone The UTC offset. This is done in particular for aggregators that have collectors in different time zones and so that activities that happened hours apart do not seem as if they happened at the same time when imported to the aggregator.

For instance, on an aggregator that aggregates data from different time zones, you can see session start of one record that is 21:00 with original timezone UTC-02:00 and another record where session start is 21:00 with original timezone UTC-05:00, This means that these events occurred 3 hours apart, but at the same respective local time (9 PM).

SQL string that caused the Exception The SQL string that caused the exception.
Source Address Source IP address of the exception.
Source Port Source port number.
Timestamp(microsec)  
User Name Database user name. On encrypted traffic, where correlation is required, this value may not be available, but it is always available from the DB User Name attribute in the Client/Server entity.

Database Error Text Entity

The text of each common database error message is stored in a table in the Guardium internal database. It is available for reporting only from the owning Exception Entity for each exception that is a database error. Some types of exceptions, for example S-TAP disconnects or reconnects, do not have a database error text.

Attribute Description
Database Error Text A database error code followed by a short text description of the error. The error code is taken from the Exception Description attribute of the Exception entity. Using the error code as a key, the error text is obtained from an internal table on the Guardium appliance, which contains the most common error messages (about 54,000 of them).
For example: ORA-00942: table or view does not exist
Error Code Displays the database error code.