Access domain
This domain contains traffic data collected by the inspection engines and other sources such as universal connectors and streaming data sources, every time a request is sent to a server being monitored. It includes all of the client/server, session, SQL, and access periods related data. This topic describes the domain's entities and attributes.
Available to roles: all
Client/Server Entity
This entity describes a specific client-server connection. An instance is created each time a unique set of attributes (excluding the Timestamp) is detected.
Client/Server By Session gets its count from the Client/Server and date conditions from the Session.
Client/Server gets its count from the Client/Server and date conditions also from the Client/Server.
If you select Client/Server, then the query is populated with ATTRIBUTE_ID = 1. If you select Client/Server By Session, then the query is populated with MAIN_ATTRIBUTE_ID = 0.
Attribute | Description |
---|---|
Access ID | A unique identifier for this unique set of client/server connection attributes. Only available to users with the admin role. |
Analyzed Client IP | Applies only to encrypted traffic; when set, client IP is set to
zeroes. Analyzed Client IP contains the IP for encrypted sessions. For unencrypted sessions Analyzed Client IP will be the same as Client IP. |
Client Host Name | Client host name. |
Client IP | Client IP address. For ASO traffic, CLIENT_IP is not the actual client IP; use the Analyzed Client IP, which is the correct IP. For Oracle ASO encrypted IPv6 traffic (local as well as remote), use the Client Host Name to identify the actual client session, due to limitations. For SSL traffic, Client IP is not the actual client IP and there is no Analyzed Client IP. |
ClientIP / DBUser | Paired attribute value consisting of the client IP address and database user name. |
Client IP/Src App/DB User/Server IP/Svc Name | A tuple group containing the named fields. For more information, see Tuple groups. |
Client IP/Src App/User | A tuple group containing the named fields. For more information, see Tuple groups. |
Client MAC | Client hardware address. |
Client OS | Client operating system. For Teradata, as there is no direct information about client/server OS, instead, the data format type is used; indicating how integer data are stored during db session. This has a close relation to the platform being used and may appear as follows: IBM MAINFRAME // IBM mainframe data format HONEYWELL MAINFRAME // Honeywell mainframe data format AT&T 3B2 // AT&T 3B2 data format. INTEL 8086 // Intel 8086 data format (IBM PC or compatible) VAX // VAX data format AMDAHL // Amdahl data format |
DB Protocol | Protocol specific to the database server For example, DRDA (Db2), TNS (Oracle), or TDS (MS SQL Server). |
DB Protocol Version | Protocol version for the DB Protocol. |
DB User Name | Database user name: user that connected to the database, either local or remote. |
Last Used | The timestamp of the last time the data was used. |
Network Protocol | Network protocol used (such as TCP or UDP. For K-TAP on Oracle, this displays as either IPC or BEQ) |
OS User | OS user as reported by the database client where supported by the database type. |
Server Description | Server description (if any). For example, displays cluster name of the Cloudera Data Platform. |
Server Host Name | Server host name. |
Server IP | Server IP address. |
Server IP/DB user | Paired attribute value consisting of Server IP address and database user name. |
Server IP/Svc Name/DB User | A tuple group containing the named fields. For more information, see Tuple groups. |
Server OS | Server operating system. For Informix, the OS may appear as follows: IEEEM indicating Unix or JDBCIEEEI indicating WindowsDEC indicating DEC Alpha For Teradata, as there is no direct information about client/server OS, instead, the data format type is used; indicating how integer data are stored during db session. This has a close relation to the platform being used and may appear as follows: IBM MAINFRAME // IBM mainframe data format HONEYWELL MAINFRAME // Honeywell mainframe data format AT&T 3B2 // AT&T 3B2 data format. INTEL 8086 // Intel 8086 data format (IBM PC or compatible) VAX // VAX data format AMDAHL // Amdahl data format |
Server Type | The type of database monitored, such as Dd2, Oracle, or Teradata. |
Service Name | Service name for the interaction. In some cases (AIX shared memory connections, for example), the service name is an alias that
is used until the actual service is connected. In those cases, once the actual service is connected,
a new session is started - so what the user experiences as a single session is logged as two
sessions. For Teradata, Service name contains the session logical host id value. |
Source Program | Source program as reported by the database client where supported by the database type. |
Client/ Server by session | Client/Server by session is also a Main Entity. Access this secondary entity by clicking on the Client/Server primary entity. |
Timestamp | The time on the collector when the client first connected to the server. For example, if a client is connecting to the server in the same way many days in a row this timestamp will be the time of the first connection. This may even be before the purge days of the appliance. |
Timestamp Date | Date only from the timestamp. |
Timestamp Time | Time only from the timestamp. |
Timestamp Weekday | Weekday only from the timestamp. |
Timestamp Year | Year only from the timestamp. |
Session Entity
This entity is created for each Client/Server database session.
Attribute | Description |
---|---|
Access ID | A unique identifier for this unique set of client/server connection attributes. Only available to users with the admin role. |
Client Port | Client port number. |
Database Name | Name of database for the session. For Oracle, Database Name may contain additional and application specific information such as the currently executing module for a session that has been set in the MODULE column of the V$SESSION view. |
Duration (secs) | Indicates the length of time between the Session Start and the Session End (in seconds). |
Global ID | Uniquely identifies the session - access. Only available to users with the admin role. |
Ignored Since | Timestamp created when starting to ignore this session. |
Inactive Flag |
|
Old Session ID | Points to the session from which this session was created. Zero if this is the first session of the connection. |
Original Timezone | The UTC offset. This is done in particular for aggregators that have
collectors in different time zones and so that activities that happened hours apart do not seem as
if they happened at the same time when imported to the aggregator. For instance, on an aggregator that aggregates data from different time zones, you can see session start of one record that is 21:00 with original timezone UTC-02:00 and another record where session start is 21:00 with original timezone UTC-05:00, This means that these events occurred 3 hours apart, but at the same respective local time (9 PM). |
Process ID | The process ID of the client that initiated the connection (not always available). |
Server Port | Server port number. |
Session Encrypted | Whether the session is encrypted. 0: no; 1: yes. |
Session End | The time on the DB server when the session ended. Session End is also a Main Entity. Access this secondary entity by clicking on the Session primary entity. |
Session End Date | Date only from the Session End. |
Session End Time | Time only from the Session End. |
Session End Weekday | Weekday only from the Session End. |
Session End Year | Year only from the Session End. |
Session ID | Uniquely identifies the session. Only available to users with the admin role. |
Session Ignored | A Yes indicates that the session was ignored using the IGNORE SESSION policy action. |
Session Start | The time on the DB server when the session started. Session Start is also a Main Entity. Access this secondary entity by clicking on the Session primary entity. |
Session Start Date | Date only from the Session Start. |
Session Start Time | Time only from the Session Start. |
Session Start Weekday | Weekday only from the Session Start. |
Session Start Year | Year only from the Session Start. |
Terminal Id | Terminal ID of the connection, used internally to resolve session information. |
Timestamp | The time on the collector when the session information was most recently updated. Initially, a timestamp created for the first request on a client-server connection where there is not an active session in progress. Later, it is updated when the session is closed, or when it is marked inactive following an extended period of time with no observed activity. When tracking Session information, you are probably more interested in the Session Start and Session End attributes than the Timestamp attribute. If the session is closed it is be the same time as the Session End. |
Timestamp Date | Date only from the timestamp. |
Timestamp Time | Time only from the timestamp. |
Timestamp Weekday | Weekday only from the timestamp. |
Timestamp Year | Year only from the timestamp. |
TTL | Only available to users with the admin role. |
Uid Chain | For a session reported by Unix S-TAP (K-TAP mode only), or
FAM on Windows, this shows the chain of OS users, when users su with a different
user name. For more information, see Linux-Unix: UID
chains and UID chain for
FAM. |
Uid Chain Compressed | The UID chain excluding the first user and the last user. For more information, see Linux-Unix: UID chains and UID chain for FAM. |
Client/Server Session Entity
Attribute | Description |
---|---|
Client IP/Src App/DB User/Server IP/Svc. Name/OS User/DB Name | A tuple group containing the named fields. For more information, see Tuple groups. |
Server IP/Server Port | Server IP/Server Port |
PIM Session Entity
The Privileged Information Management (PIM) entity. For more information, see PIM Integration with Guardium DAM.
Attribute | Description |
---|---|
Checkin Timestamp | Time of credential checkin |
Checkout Timestamp | Time of credential checkout |
Credential Tag | |
Global Id | |
Justification | |
Resource Tag | |
Session Id | |
User name | The name of the user who checked out the credentials. |
Access Period Entity
Access Periods are related to Sessions. By default, an access period is one hour long, but this can be changed by the Guardium administrator in the Inspection Engine Configuration (it corresponds to the Logging Granularity).
Attribute | Description |
---|---|
Application Event ID | The application event ID if set from the API. Appears only when the main entity for the query permits this level of detail. Not available if either Client/Server or Session is the main entity. |
Avg Execution Ack Time | Average Execution Acknowledged time in milliseconds |
Avg Records Affected | The average number of records affected. Appears only when the main entity for the query permits this level of detail. Not available if either Client/Server or Session is the main entity. |
Application User | Can be one of the following attributes:
|
Average Execution Time | The average command execution time during the period. This is for SQL statements only. It does not apply to FTP traffic. |
Construct ID | Uniquely identifies a command construct (for example, select a from b). Only available to users with the admin role. |
Egress Kbyte count | Records the number of bytes in responses. |
Failed Sqls | The number of failed SQL requests. See note at the end of the table. Appears only when the main entity for the query permits this level of detail. Not available if either Client/Server or Session is the main entity. |
Ingress Kbyte count | Records the number of bytes in requests. |
Instance ID | Uniquely identifies an instance of a construct. Only available to users with the admin role. |
Original Timezone | The UTC offset. This is to point out that a UTC offset should be set so that the time from two different collectors that are in two different time zones aggregate correctly. If the offset was not set then there would exist a condition where users would not really be able to determine or see a true representation of when things happened in relation to time. For instance, on an aggregator that aggregates data from different time zones, you can see session start of one record that is 21:00 with original timezone UTC-02:00 and another record where session start is 21:00 with original timezone UTC-05:00, This means that these events occurred 3 hours apart, but at the same respective local time (9 PM). |
Period End | The time on the collector when the period, as defined by the logging granularity on the appliance (default 1 hour), ended. |
Period End Date | Date only from the period end attribute. |
Period End Time | Time only from the period end attribute. |
Period End Weekday | Weekday only from the period end attribute. |
Period Start | The time on the collector when the period, as defined by the logging granularity on the appliance (default 1 hour), started. |
Period Start Date | Date only from the period start attribute. |
Period Start Time | Time only from the period start attribute. |
Period Start Weekday | Weekday only from the period start attribute. |
Response Length | The length of the sniffer response for a SQL instance. Not supported for Db2 z/OS systems. For more information, see store log_general_response_length. |
Session ID | Uniquely identifies a session. Only available to users with the admin role. |
Show Seconds | If a the number of accesses per second is being tracked, this contains counts for each second in the access period (usually one hour). |
Successful Sqls | The number of successful SQL requests. See note at the end of the table. Appears only when the main entity for the query permits this level of detail. Not available if either Client/Server or Session is the main entity. |
Timestamp | The time on the collector when an SQL construct was executed most recently
within a session and within a time period. If the same SQL construct is run 10 times
within the same session and time period, it shows the time of the most recent run for all 10 SQLs.
This timestamp is the most appropriate to use along with the SQL attribute in reports. Note: Universal Connector traffic may be delayed. In those cases the Timestamp is the
time of on the Collector for the most recent update to the SQL construct record for the session
within a time period. Period start still reflects the time of SQL execution according to the audit
data source, not the time of record update.
|
Total Access | Total count of construct instances for this access period. Only available to users with the admin role. |
Total Records Affected | The total number of records affected. Appears only when the main entity for the query permits this level of detail. Not available if either Client/Server or Session is the main entity. |
Total Records Affected (Desc) | If the Total Records Affected attribute is a character string instead of a
number, that value appears here (for example, Large Results Set, or N/A. Appears only when the main
entity for the query permits this level of detail. Not available if either Client/Server or Session
is the main entity. Records affected - Result set of the number of records which are affected by each execution of SQL statements. Note: The records affected option is a sniffer operation which
requires sniffer to process additional response packets and postpone logging of impacted data which
increases the buffer size and might potentially have a adverse effect on overall sniffer
performance. Significant impact comes from really large responses. To prevent large amount of
overhead associated with this operation, Guardium uses a set of default thresholds that allows
sniffer to decide to skip processing operation when exceeded.
You can use the store max_results_set_size, store max_result_set_packet_size, and store max_tds_response_packets CLI commands to set levels of granularity. Example of result set values:
|
Changed Data Value Entity
This entity is used with the IBM InfoSphere Change Data Capture (InfoSphere CDC) replication solution that allows the replication to and from supported databases. Maintenance of replicated databases can be used to reduce processing overheads and network traffic.
IBM® Guardium® Customers with Database Activities Monitoring will have access to InfoSphere CDC.
This Guardium feature uses Java CDC user exit to send value change information to the Guardium collector.
User exits for InfoSphere CDC lets the user define a set of actions the InfoSphere CDC can run before or after a database event occurs on a specified table.
Attribute | Description |
---|---|
Full SQL ID | Unique identifier for the Full SQL. |
Table Name | Table Name from database |
Column Name | Column Name from database |
Old Value | Value before the change. |
New Value | Value after the change. |
Timestamp | Time the record was created. |
Two files that need to be installed on the Database Server are for the Guardium agent that interfaces with IBM's InfoSphere Change Data Capture (InfoSphere CDC) application. They are in the sources/apps/GuardCDC/lib/ directory of the build. These files are: protobuf-java-2.4.1.jar; and, GuardCdc.jar
- Instructions for installation
-
Prerequisites - the InfoSphere Change Data Capture (InfoSphere CDC) application must already be installed on the DB Server.
Steps to install the Guardium agent on the Database server:- Copy these two files to the RepEngine/lib/ directory of the cdchome directory. An example of the full path would be /cdchome/cdc6.5.2/RepEngine/lib/
- Unzip each file
- Edit the guard_cdc_user_exit_config.mxl file to add the Guardium_Host name. An example of where this file would be located is /cdchome/cdc6.5.2/RepEngine/lib/com/guardium/cdc/userexit/
- Configure InfoSphere CDC to write to the GuardiumAgent. There are multiple steps to set up and configure the CDC application. These steps can be obtained from the InfoSphere CDC development/support team at IBM.
App User Name Entity
This entity displays the username from the App Event if the App Event exists. Otherwise, the user name displays from the Construct Instance.
Attribute | Description |
---|---|
APP User Name | Unique identifier for this App User Name entity. |
FULL SQL Values Entity
These entities are created only by the following policy rule actions: Log Full Details With Values, and Log Full Details Per Session With Values.
Attribute | Description |
---|---|
Values | One or more values from the logged construct. |
Timestamp | The time on the DB server that the SQL was executed. Traffic must be captured with log full details policy action to see this timestamp. |
FULL SQL Entity
Full SQL entities are created only by the following policy rule actions: Log Full Details,Log Full Details With Values, Log Full Details Per Session, or Log Full Details Per Session With Values.
Attribute | Description |
---|---|
Access Rule Description | Description of the policy rule whose action triggered the logging of the Full SQL record. |
Ack Response Time | Acknowledged Response Time in milliseconds. |
Auto-Commit | Entries are automatically numbered. |
Bind Variables Values | For DB2/zOS, a list of comma-separated bind variables. |
Full Sql | The logged SQL statement. |
Full SQL ID | Unique identifier for the Full SQL. Only available to users with the admin role. |
Instance ID | Unique identifier for the Full SQL instance. Only available to users with the admin role. |
Original Timezone |
The UTC offset. This is done in particular for aggregators that have collectors in different time zones and so that activities that happened hours apart do not seem as if they happened at the same time when imported to the aggregator. For instance, on an aggregator that aggregates data from different time zones, you can see session start of one record that is 21:00 with original timezone UTC-02:00 and another record where session start is 21:00 with original timezone UTC-05:00, This means that these events occurred 3 hours apart, but at the same respective local time (9 PM). |
Records Affected | The number of records affected for each session. On reports using this
attribute, we suggest that you turn on aliases to properly display special cases such as Large
Result Set or N/A. Records affected only supports find statements for Mongodb, and does not support insert, update, and delete statements. |
Records Affected (Desc) | When the Records Affected is a string value instead of a number, that string is stored here. For example: Large Result Set or N/A. |
Response Length | The length of the sniffer response for a SQL instance. Not supported for Db2 z/OS systems. For more information, see store log_general_response_length. |
Response Time | The response time for the request in milliseconds. When requests are monitored in network traffic, the response times are an accurate reflection of the time taken to respond to the request (Guardium timestamps both the client request and the server response). |
Returned Data | Data returned for this request (if any, and if available). |
Returned Data Count | Number of rows returned from the SQL statement used in the policy rule. |
Statement Type | The type of SQL statement. SQL: simple, direct SQL command, for example, typed directly into the CLI RAW: PREPARE of a SQL statement for later execution, for example, conn.prepareStatement (select a from b where c=:value) BIND: execution of a prepared statement including bound parameter values Statement type is part of the FULL SQL entity and is only audited if you have configured Log Full Details for this statement within the policy. You can not filter out specific statement types in the policy, for example, audit-only SQL and BIND statements. You can, however, filter these out in reports. |
Succeeded | Indicates if the call succeeded. Only available to users with the admin role. |
Timestamp | The time when the SQL started running in the database server. |
Application Events Entity
This entity is created each time that the system observes an Application Events API call (which sets these attribute values) or a stored procedure call that has been identified as a Custom Identification Procedure (which maps stored procedure parameters to these attributes).
Attribute | Description |
---|---|
Application Event ID | Unique identifier for this application events entity. Only available to users with the admin role. |
Event Date | Datetime value, set by GuardAppEvent:Start. It displays in the format
yyyy-mm-dd hh:mm:ss. Note: If an attempt is made to set the event date using a format other than
yyyy-mm-dd, it will contain all zeroes. The time portion (hh:mm:ss) is optional, and if omitted will
be 00:00:00.
|
Event Release Date | Datetime value, set by GuardAppEvent:Released. It displays in the format yyyy-mm-dd hh:mm:ss. |
Event Release Type | Type of event, set by GuardAppEvent: Released. |
Event Release User Name | User name, set by GuardAppEvent: Released. |
Event Release Value Num | Numeric value, set by GuardAppEvent: Released. |
Event Release Value Str | String value, set by GuardAppEvent: Released. |
Event Type | Type of event, set by GuardAppEvent:Start. |
Event User Name | User name, set by GuardAppEvent:Start. |
Event Value Str | String value, set by GuardAppEvent:Start. |
Event Value Num | Numeric value, set by GuardAppEvent:Start. |
Original Timezone | The UTC offset. This is done in particular for aggregators that have
collectors in different time zones and so that activities that happened hours apart do not seem as
if they happened at the same time when imported to the aggregator. For instance, on an aggregator that aggregates data from different time zones, you can see session start of one record that is 21:00 with original timezone UTC-02:00 and another record where session start is 21:00 with original timezone UTC-05:00, This means that these events occurred 3 hours apart, but at the same respective local time (9 PM). |
Timestamp | Created only once, when the event is logged. Do not confuse this attribute with the Event Date attribute, which can be set using an API call or from a stored procedure parameter. (See a description of the Application Events API in Identify Users with API.) |
SQL Entity
This entity is created for each unique string of SQL. Values are replaced by question marks - only the format of the string is stored.
Attribute | Description |
---|---|
Bind Info | Bind information for this SQL string. |
Construct ID | Uniquely identifies the construct in which the SQL appeared |
Sql | SQL string. |
Truncated SQL | Indicates if the SQL has been truncated or not where: 0 - false/no, not truncated 1 - true/yes, truncated |
Command Entity
For each command, an entity is created for each parent node and position in which the command appears in a command construct.
Attribute | Description |
---|---|
Command Id | Uniquely identifies the command. Only available to users with the admin role. |
Construct Id | Uniquely identifies the construct (e.g., select a from b). Only available to users with the admin role. |
Depth | Depth of the command in the SQL parse tree. |
Parent | Identifier of parent node in the parse tree. |
SQL Verb | Main verb in SQL command (e.g., select, insert, delete, etc.). |
Object Command Entity
Describes an object-command entity.
Attribute | Description |
---|---|
Object/Command | An object value combined with a SQL verb. |
Object Entity
An instance of this entity is created for each object in a unique schema.
Attribute | Description |
---|---|
App Object Module1 | Uniquely identifies the application object module. |
Construct Id | Uniquely identifies the construct in which the object is referenced. Only available to users with the admin role. |
Object Id | Uniquely identifies the object. Only available to users with the admin role. |
Object Name | Name of the object. |
Schema | Database schema for the object. Note: This attribute is deprecated since it is
never populated
|
Join Entity
A join table is a way of implementing many-to-many relationships. Use join entity to join tables in a SELECT SQL statement.
Attribute | Description |
---|---|
Construct ID | Identifies the construct in which the join is referenced. |
Join ID | Unique identifier |
Join SQL | Join tables |
Timestamp | Date and Time that the Join Entity was created. |
Where SQL | Where clause (join conditions) |
Field SQL Value Entity
These entities are created only by policy rule actions that log with values, for example: Log Full Details With Values, and Log Full Details Per Session With Values. The field value logged may or may not be associated with a field name. For example, field names are available (in the Field entity) if the following statement is logged:
insert into t1 (foo, bar) (10, 20)
But not available when the following statement is logged:
insert into t2 (10, 20)
Attribute | Description |
---|---|
Value | A field value from the logged construct. |
Object Field Entity
Describes an object-field entity. Note fields with no objects will not show up in reports that include the object.
Attribute | Description |
---|---|
Object/Field | An object value combined with a field value. |
Field Entity
Each time Guardium encounters a new field, it creates a field entity.
Attribute | Description |
---|---|
Command ID | Uniquely identifies the main command from the construct in which it was referenced. Only available to users with the admin role. |
Construct ID | Uniquely identifies the construct in which it was referenced. Only available to users with the admin role. |
Field ID | Uniquely identifies the field. Only available to users with the admin role. |
Field Name | Name of the field. |
List Clause Where Clause Order by Clause Having Clause Group By Clause On Clause |
Use these attributes to order complex SQL queries. Example of SQL queries: Order by SELECT * FROM dept_costs WHERE dept_total > (SELECT avg FROM avg_cost) ORDER BY department Having SELECT column_name1, SUM(column_name2) FROM table_name GROUP BY column_name1 HAVING (numerical function condition) Group By SELECT column_name1, SUM(column_name2) FROM table_name GROUP BY column_name1 Where SELECT FirstName, LastName, City FROM Users WHERE City = Los Angeles |
Object ID | Uniquely identifies the object from the construct in which it was referenced. Only available to users with the admin role. |
Qualified Object Entity
A tuple allows multiple attributes to be combined together to form a single group member. In this case, the fields Server IP, Service name, DB name, DB user and Object are combined together. For more information, see Tuple groups.
Attribute | Description |
---|---|
Qualified Object | Tuple - Server IP, Service name, DB name, DB user, Object |