Query Rewrite domain
This topic describes the domain's entities and attributes.
Query Rewrite Log Entity
Attribute | Description |
---|---|
Applied QR Definition IDs | Applied query rewrite definition ID |
Applied QR Definition Names | Applied query rewrite definition name. |
Input SQL | Input SQL |
Instance ID | Instance ID |
Output SQL | Query rewrite result SQL |
QR Log Details | Query rewrite detail log |
QR Log ID | Query rewrite log ID |
Query Rewrite Log | Query rewrite log |
Client/Server Entity
Attribute | Description |
---|---|
Access Id | A unique identifier for this client/server connection. |
Analyzed Client IP | Applies only to encrypted traffic; when set, client IP is set to zeroes. Analyzed Client IP has a map for CEF source. If the query used for the CEF does NOT contain the Client IP but contains the analyzed client IP, the analyzed client IP is used for the source. If both included in the query, then Client IP takes precedence. |
Client Host Name | Client host name. |
Client IP | Client IP address |
Client IP/DB User | Paired attribute value consisting of the client IP address and database user name. |
Client IP/Src App/DB User/Server IP/Svc Name | Client IP address / Source Application Program / Database User Name/ Server IP address / Service Name |
Client IP/Src App/User | Client IP address / Source Application Program / user name |
Client MAC | Client hardware address. |
Client OS | Client operating system. For Teradata, as there is no direct information about client/server OS, instead, the data format type is used; indicating how integer data are stored during db session. This has a close relation to the platform being used and may appear as follows: IBM MAINFRAME // IBM mainframe data format HONEYWELL MAINFRAME // Honeywell mainframe data format AT&T 3B2 // AT&T 3B2 data format. INTEL 8086 // Intel 8086 data format (IBM PC or compatible) VAX // VAX data format AMDAHL // Amdahl data format |
DB Protocol | Protocol specific to the database server. |
DB Protocol Version | Protocol version for the DB Protocol. |
DB User Name | Database user name: user that connected to the database, either local or remote. |
Network Protocol | Network protocol used (e.g., TCP, UDP, etc. Note that for K-TAP on Oracle, this displays as either IPC or BEQ) |
OS User | OS user account for the interaction. |
Server Description | Server description (if any). |
Server Host Name | Server Host Name |
Server IP | Server IP address. |
Server IP/DB User | Paired attribute value consisting of Server IP address and database user name. |
Server IP/Svc Name/DB User | Server IP address / Service Name / Database user name |
Server OS | Server operating system. For Informix, the OS may appear as follows: IEEEM indicating Unix, or JDBCIEEEI indicating Windows, or DEC indicating DEC Alpha. For Teradata, as there is no direct information about client/server OS, instead, the data format type is used; indicating how integer data is stored during db session. This has a close relation to the platform being used and may appear as follows: IBM® MAINFRAME // IBM mainframe data format HONEYWELL MAINFRAME // Honeywell mainframe data format AT&T 3B2 // AT&T 3B2 data format. INTEL 8086 // Intel 8086 data format (IBM PC or compatible) VAX // VAX data format AMDAHL // Amdahl data format |
Server Type | DB2, Oracle, Sybase, etc. |
Service Name | Service name for the interaction. In some cases (AIX® shared memory connections, for
example), the service name is an alias that is used until the actual service is connected. In those
cases, once the actual service is connected, a new session is started - so what the user experiences
as a single session is logged as two sessions. For Teradata, Service name contains the session logical host id value. |
Source Program | Source program for the interaction. |
Timestamp | Since all attributes in this entity contain static information, this timestamp is created only once, when Guardium observes a request on the defined client-server connection for the first time. |
Timestamp Date | Date only from the timestamp. |
Timestamp Time | Time only from the timestamp. |
Timestamp Weekday | Weekday only from the timestamp. |
Timestamp Year | Year only from the timestamp. |
Session Entity
Attribute | Description |
---|---|
Access Id | A unique identifier for this client/server connection. |
Client Port | Client port number. |
Collector Id | The identifier of Guardium collector. |
Database Name | Name of database for the session (MSSQL or Sybase only). For Oracle, Database Name may contain additional and application specific information such as the currently executing module for a session that has been set in the MODULE column of the V$SESSION view. |
Duration (secs) | The length of time between the Session Start and the Session End (in seconds). |
Encryption Type | The network traffic encryption type. This field is populated only for some database types. It is not an accurate indication of whether encryption is used, or the type of encryption. |
Failover Flag | |
Global Id | Uniquely identifies the session - access. |
Ignored Since | Timestamp created when starting to ignore this session. |
Inactive Flag |
|
Inspection Engine Id | Inspection engine identifier |
Inspection Engine Name | Name of inspection engine reporting this data |
Last Used | The timestamp of the last time the data was used. |
Login Succeeded | Whether or not the login succeeded |
MS/ TD SID | Microsoft / Teradata Session ID |
Old session Id | Points to the session from which this session was created. Zero if this is the first session of the connection. |
Original Timezone | The UTC offset. This is done in particular for aggregators that have
collectors in different time zones and so that activities that happened hours apart do not seem as
if they happened at the same time when imported to the aggregator. For instance, on an aggregator that aggregates data from different time zones, you can see session start of one record that is 21:00 with original timezone UTC-02:00 and another record where session start is 21:00 with original timezone UTC-05:00, This means that these events occurred 3 hours apart, but at the same respective local time (9 PM). |
Process ID | The process ID of the client that initiated the connection (not always available). |
Sender IP | Sender's IP address. |
Server Port | Server port number. |
Session End | Date and time the session ended. Session End is also a Main Entity. Access this secondary entity by clicking on the Session primary entity. |
Session End Date | Date only from the Session End. |
Session End Time | Time only from the Session End. |
Session End Weekday | Weekday only from the Session End. |
Session End Year | Year only from the Session End. |
Session Id | Uniquely identifies the session. |
Session Ignored | Indicates whether or not some part of the session was ignored (beginning at some point in time). |
Session Start | Date and time session started. Session Start is also a Main Entity. Access this secondary entity by clicking on the Session primary entity. |
Session Start Date | Date only from the Session Start. |
Session Start Weekday | Weekday only from the Session Start. |
Session Start Year | Year only from the Session Start. |
TTL | Reserved for admin role use only. |
Terminal Id | Terminal ID of the connection, used internally to resolve session information. |
Timestamp | Initially, a timestamp created for the first request on a client-server connection where there is not an active session in progress. Later, it is updated when the session is closed, or when it is marked inactive following an extended period of time with no observed activity. When tracking Session information, you will probably be more interested in the Session Start and Session End attributes than the Timestamp attribute. |
Timestamp Date | Date only from the timestamp. |
Timestamp Time | Time only from the timestamp. |
Timestamp WeekDay | Weekday only from the timestamp. |
Timestamp Year | Year only from the timestamp. |
Uid Chain | For a session reported by Unix S-TAP (KTap mode only), this shows the chain of
OS users, when users su with a different user name. The values that appear here vary by OS platform
- for example, under AIX the string IBM IBM IBM may appear as a prefix. Note: For Solaris Zones, user ids may be reported instead of user names in the Uid Chain. |
Uid Chain Compressed | Values compressed. See Uid Chain. |
Access Period Entity
Attribute | Description |
---|---|
Application Event Id | The application event ID if set from the API. These attributes appear only when the main entity for the query permits this level of detail. These are not available if either Client/Server or Session is the main entity. |
Application User | Application user name. |
Average Execution Time | The average command execution time during the period. This is for SQL statements only. It does not apply to FTP traffic. |
Avg Execution Ack Time | The average command execution time during the period. This is for SQL statements only. It does not apply to FTP traffic. |
Avg Records Affected | The average number of records affected. See note at the end of the table. These attributes appear only when the main entity for the query permits this level of detail. These are not available if either Client/Server or Session is the main entity. |
Collector Id | The identifier of the Guardium collector. |
Construct Id | Uniquely identifies a command construct (for example, select a from b). Only available to users with the admin role. |
DB2 i Current User | DB2 i current user name |
DB2 i/z Database | DB2 i/z database name |
DB2 i/z Program | DB2 i/z program name |
Egress Kbyte Count | The count of egress data in Kilobytes |
F5 Ip | F5 IP address |
F5 User Name | F5 user name |
Failed Sqls | The number of failed SQL requests. These attributes appear only when the main entity for the query permits this level of detail. These are not available if either Client/Server or Session is the main entity. |
IMS PSB Name | IMS System Utilities - Program Specification Block (PSB) name. |
Ingress Kbyte Count | The count of ingress data in Kilobytes |
instance Id | Uniquely identifies an instance of a construct. Only available to users with the admin role. |
Objects and Verbs | SQL objects and commands |
Original Timezone | The original timezone of the Guardium collector machine as of GMT/UTC offset. |
Period End | Date and time for the end of the access period. |
Period End Date | Date only from the period end attribute. |
Period End Time | Time only from the period end attribute. |
Period End Weekday | Weekday only from the period end attribute. |
Period Start Date | Date only from the period start attribute. |
Period Start Time | Time only from the period start attribute. |
Period Start Weekday | Weekday only from the period start attribute. |
Session Id | Uniquely identifies a session. Only available to users with the admin role. |
Show Seconds | If a the number of accesses per second is being tracked, this contains counts for each second in the access period (usually one hour). |
Successful SQLs | The number of successful SQL requests. These attributes appear only when the main entity for the query permits this level of detail. These are not available if either Client/Server or Session is the main entity. |
Timestamp | Initially, the Timestamp value is set the first time that a request is observed on a client-server connection during an access period. By default, an access period is one hour long, but this can be changed by the Guardium administrator in the Inspection Engine Configuration. Thereafter, for each subsequent request, it is updated when the system updates the average execution time and the command count for this period. |
Timestamp Date | Date of the timestamp. |
Timestamp Time | Time of the timestamp. |
Timestamp | Weekday of the timestamp. |
Timestamp Year | Year of the timestamp. |
Timestamp(microsec) | UNIX Epoch time expressed in microseconds |
Total Records Affected | The total number of records affected. These attributes appear only when the
main entity for the query permits this level of detail. These are not available if either
Client/Server or Session is the main entity. If the Total Records Affected attribute is a character string instead of a number, that value appears here (for example, Large Results Set, or N/A. Records affected - Result set of the number of records which are affected by each execution of SQL statements. Note: The records affected option is a sniffer operation which requires sniffer to process additional response packets and postpone logging of impacted data which increases the buffer size and might potentially have a adverse effect on overall sniffer performance. Significant impact comes from really large responses. To prevent large amount of overhead associated with this operation, Guardium uses a set of default thresholds that allows sniffer to decide to skip processing operation when exceeded.You can use the store max_results_set_size, store max_result_set_packet_size, and store max_tds_response_packets CLI commands to set levels of granularity. Example of result set values:
|
Total Records Affected (Desc) | These attributes appear only when the main entity for the query permits this level of detail. These are not available if either Client/Server or Session is the main entity. |
Total Access | Total count of construct instances for this access period. Only available to users with the admin role. |