Audit and ignore session actions
Selective audit actions are triggered in analyzers before the parser/logger starts to receive session requests. Selective audit can save sniffer resources by reducing the load on relatively slower modules that limit sniffer performance.
Audit only
This action is only available for policies that use the Selective Audit Trail setting. Audit Only logs the construct that triggered the rule. For a Selective Audit Trail policy, no constructs are logged by default, so use this selection to indicate which constructs you want to log. For example, for the Application Events API, if you want to log database usernames for reporting, use this action (otherwise, in this example, the username is blank).
Discard session (DISCARD_SESSION)
Discard session filters out the entire session. It sends a request to the S-TAP to ignore the session and not forward network traffic to the collector, for example encrypted data. Discard session supports search parameters and works with all supported traffic.
SR_POLICIES
{
IF (DB_USER = 'SQLUSER1' SOURCE_PROGRAM = 'Vault')
{
DISCARD_SESSION
}
}
SR_POLICIES
{
IF (DB_USER = 'SQLUSER1' SOURCE_PROGRAM = 'Vault')
{
IGNORE_SESSION
}
}
During the login handshake, the S-TAP sends the initial DB_USER and SOURCE_PROGRAM values. Later, another packet might have the correct values for DB_USER and SOURCE_PROGRAM. The rule conditions for ignore session are checked earlier than the conditions for discard session, meaning that the discard session action is triggered later than the ignore session action.
Ignore session (IGNORE_SESSION)
Ignore session filters out the entire session. It sends a request to the S-TAP to ignore the session and not forward network traffic to the collector, for example encrypted data. Filtered sessions are not created, processed, or logged. Use ignore session with criteria that are known from the start of the session, for example database type, client IP address, or server IP address.
SR_POLICIES
{
IF (DB_TYPE = 'HADOOP')
{
IGNORE_SESSION
}
}
Use IF (*) with PACKETS_LIMIT to unconditionally ignore any sessions that are not logged after the first 50 packets arrive at the collector:
SR_POLICIES
{
IF (*)
{
IGNORE_SESSION PACKETS_LIMIT = 50
}
}
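The following Python model is an added illustration, not part of this documentation or the product's code. It simulates the evaluation order described above: ignore session conditions are checked on the values from the login handshake, discard session conditions are re-checked as later packets correct DB_USER and SOURCE_PROGRAM, and IGNORE_SESSION PACKETS_LIMIT fires only for sessions that are still unlogged when the limit is reached. The Rule and Session classes, and the assumption that a plain IGNORE_SESSION rule is evaluated only on the handshake packet, are constructs of this model.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Rule:
    conditions: dict                     # attribute -> value; {} stands for IF (*)
    action: str                          # IGNORE_SESSION or DISCARD_SESSION
    packets_limit: Optional[int] = None  # IGNORE_SESSION PACKETS_LIMIT = n

    def matches(self, attrs: dict) -> bool:
        return all(attrs.get(k) == v for k, v in self.conditions.items())

@dataclass
class Session:
    attrs: dict = field(default_factory=dict)  # values received from the S-TAP so far
    packets: int = 0
    logged: bool = False                       # has the collector logged a construct yet?
    decision: Optional[str] = None             # first session action that fired

def handle_packet(session: Session, rules: list, packet: dict) -> Optional[str]:
    """Apply one packet; return the session action that fired, if any.
    Model assumption (not the product's code): a plain IGNORE_SESSION is checked
    only on the handshake (packet 1); DISCARD_SESSION is re-checked on every
    packet, so it sees the corrected DB_USER/SOURCE_PROGRAM; PACKETS_LIMIT = n
    fires on packet n if nothing has been logged."""
    if session.decision:                       # already ignored or discarded
        return session.decision
    session.packets += 1
    session.attrs.update(packet.get("attrs", {}))
    session.logged = session.logged or packet.get("logged", False)
    for rule in rules:
        if rule.action == "IGNORE_SESSION" and rule.packets_limit is None:
            fired = session.packets == 1 and rule.matches(session.attrs)
        elif rule.action == "IGNORE_SESSION":
            fired = (session.packets == rule.packets_limit
                     and not session.logged and rule.matches(session.attrs))
        elif rule.action == "DISCARD_SESSION":
            fired = rule.matches(session.attrs)
        else:
            fired = False
        if fired:
            session.decision = rule.action
            return rule.action
    return None

def run(rules: list, packets: list) -> list:
    """Feed a constructed packet sequence through a new session; one result per packet."""
    session = Session()
    return [handle_packet(session, rules, p) for p in packets]
```

With the Vault rules from this page, a handshake carrying placeholder values followed by a packet with the real DB_USER and SOURCE_PROGRAM is not ignored but is discarded on the second packet, which is the ordering the text describes.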
Ignore request (IGNORE_REQUEST)
Ignore request ignores the individual requests that match its search parameters. For example:
IGNORE_REQUEST WHERE REQ_TYPE = SQL SEARCH_PREFIX = 'SELECT' SEARCH_PATTERN = 'WARNING'
Select session (SELECT_SESSION)
Select session is the opposite of the ignore session action. It allows easy filtering and does not send a request to the S-TAP.
IF (DB_TYPE!='HADOOP')
{
SELECT_SESSION
}
IF (SENDER_IP = 'ad:f0:e1::1' SENDER_NET_MASK = 'ad:f0:e1::0')
{
SELECT_SESSION
}
Soft discard (SOFT_DISCARD)
Soft discard is the same as discard session, but it does not send a command to the S-TAP; all processing is done on the collector. Because the collector does the filtering, this provides a revocable discard that is available on a per-session basis. Soft discard is good for short sessions.
Stop soft discard (STOP_SOFT_DISCARD)
Stop soft discard revokes the soft discard action for individual sessions, based on search parameters.
Log access only (LOG_ACCESS_ONLY)
Log access forwards only the first required number of packets to the logger. No command is sent to the S-TAP. Log access allows only the following to pass to the logger: ACCESS INFO, FIRST REQUEST, LOGIN_FAILED, ERRORS, TYPE_UPDATE, TYPE_LOGOUT, and TYPE_LOGOUT_TIMEOUT.
Stop log access only (STOP_LOG_ACCESS_ONLY)
Stop log access only revokes the log access only action for individual sessions, based on search parameters.