Log flat

Log flat allows Guardium to log information without immediately parsing it.

This saves processing resources, so that a heavier traffic volume can be handled. The parsing and merging of that data to Guardium's internal database can be done later, either on a collector or an aggregator unit.

There are two Guardium features involving the Flat Log Process - Flat Log by policy definition and Flat Log by throttling mechanism.

Flat Log by throttling mechanism - This feature is enabled by running the CLI command store alp_throttle 1. The same policy that applies to real-time S-TAP traffic is used to process the traffic that was logged into the GDM_FLAT_LOG table.

For Flat Log by throttling mechanism, the Flat Log checkbox should NOT be checked in Policy Builder.

Flat Log by policy definition - Selecting this feature involves the Policy Builder menu in Setup > Tools and Views and the Flat Log Process menu in Manage > Activity Monitoring.

Note: Rules on flat do not work with policy rules involving a field, an object, an SQL verb (command), an Object/Command Group, or an Object/Field Group. In the Flat Log process, "flat" means that a syntax tree is not built. If there is no syntax tree, then the fields, objects and SQL verbs cannot be determined.

The following actions do not work with rules on flat policies: LOG FULL DETAILS; LOG FULL DETAILS PER SESSION; LOG FULL DETAILS VALUES; LOG FULL DETAILS VALUES PER SESSION; LOG MASKED DETAILS.
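The two constraints above (no field/object/verb criteria, and no LOG FULL DETAILS or LOG MASKED DETAILS actions on rules that run against flat-logged traffic) are easy to violate when a policy is edited after the Flat Log option is turned on. The following is an added example, not Guardium code: Guardium exposes no such API, and the rule representation (a list of dicts with "criteria" and "action" keys) and the sample policy are assumptions constructed for illustration. The check also flags the Flat Log checkbox being set while the throttling mechanism (store alp_throttle 1) is in use, which the text says should not be combined.

```python
"""Pre-flight lint for Guardium 'rules on flat' policy constraints.

Added example, not Guardium code. The policy/rule layout below is an
assumed representation for illustration; Guardium does not export
policies in this shape.
"""

# Rule criteria that need a parsed syntax tree, which flat logging does not build.
PARSE_DEPENDENT_CRITERIA = {
    "field",
    "object",
    "command",               # SQL verb
    "object_command_group",
    "object_field_group",
}

# Actions the documentation lists as not working with rules on flat policies.
UNSUPPORTED_FLAT_ACTIONS = {
    "LOG FULL DETAILS",
    "LOG FULL DETAILS PER SESSION",
    "LOG FULL DETAILS VALUES",
    "LOG FULL DETAILS VALUES PER SESSION",
    "LOG MASKED DETAILS",
}


def check_flat_log_rule(rule):
    """Return a list of problems for one rule; an empty list means compatible."""
    problems = []
    criteria = rule.get("criteria", {})
    for key in sorted(PARSE_DEPENDENT_CRITERIA & set(criteria)):
        if criteria[key]:  # only a populated criterion counts
            problems.append(f"criterion '{key}' needs a syntax tree, which is not built in flat log")
    action = rule.get("action", "").upper()
    if action in UNSUPPORTED_FLAT_ACTIONS:
        problems.append(f"action '{action}' is not available for rules on flat")
    return problems


def check_flat_log_policy(policy, alp_throttle=False):
    """Map rule description -> problems for every rule that has any.

    A policy-level entry under the key "policy" is added when the Flat Log
    checkbox is set while the throttling mechanism is also enabled.
    """
    findings = {}
    if alp_throttle and policy.get("flat_log"):
        findings["policy"] = [
            "Flat Log checkbox should not be checked when store alp_throttle 1 is used"
        ]
    for rule in policy["rules"]:
        problems = check_flat_log_rule(rule)
        if problems:
            findings[rule["description"]] = problems
    return findings


# Constructed sample policy (hypothetical, not a real Guardium export).
SAMPLE_POLICY = {
    "flat_log": True,
    "rules": [
        {"description": "Log admin sessions",
         "criteria": {"db_user": "admin%"},
         "action": "LOG ONLY"},
        {"description": "Alert on SELECT of salary",
         "criteria": {"command": "SELECT", "field": "salary"},
         "action": "ALERT PER MATCH"},
        {"description": "Full details for app user",
         "criteria": {"db_user": "app"},
         "action": "LOG FULL DETAILS"},
    ],
}

if __name__ == "__main__":
    for desc, probs in check_flat_log_policy(SAMPLE_POLICY).items():
        print(desc)
        for p in probs:
            print("  -", p)
```

Run it over a policy before enabling Flat Log: any rule reported here would silently fail to match (criteria) or to record the requested detail (action) once parsing is deferred, so the lint surfaces gaps that would otherwise appear only as missing audit data.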

When the Log Flat (Flat Log) checkbox option listed in the Policy Definition screen of the Policy Builder is checked:
  • Data will not be parsed in real time.
  • The flat logs can be seen on a designated Flat Log List report.