Query Rewrite domain

This topic describes the domain's entities and attributes.

Query Rewrite Log Entity

Attribute Description
Applied QR Definition IDs Applied query rewrite definition ID
Applied QR Definition Names Applied query rewrite definition name.
Input SQL Input SQL
Instance ID Instance ID
Output SQL Query rewrite result SQL
QR Log Details Query rewrite detail log
QR Log ID Query rewrite log ID
Query Rewrite Log Query rewrite log

Client/Server Entity

Attribute Description
Access Id A unique identifier for this client/server connection.
Analyzed Client IP Applies only to encrypted traffic; when set, client IP is set to zeroes.

Analyzed Client IP has a map for CEF source. If the query used for the CEF does NOT contain the Client IP but contains the analyzed client IP, the analyzed client IP is used for the source. If both included in the query, then Client IP takes precedence.

Client Host Name Client host name.
Client IP Client IP address
Client IP/DB User Paired attribute value consisting of the client IP address and database user name.
Client IP/Src App/DB User/Server IP/Svc Name Client IP address / Source Application Program / Database User Name/ Server IP address / Service Name
Client IP/Src App/User Client IP address / Source Application Program / user name
Client MAC Client hardware address.
Client OS Client operating system.

For Teradata, as there is no direct information about client/server OS, instead, the data format type is used; indicating how integer data are stored during db session. This has a close relation to the platform being used and may appear as follows:

IBM MAINFRAME // IBM mainframe data format

HONEYWELL MAINFRAME // Honeywell mainframe data format

AT&T 3B2 // AT&T 3B2 data format.

INTEL 8086 // Intel 8086 data format (IBM PC or compatible)

VAX // VAX data format

AMDAHL // Amdahl data format

DB Protocol Protocol specific to the database server.
DB Protocol Version Protocol version for the DB Protocol.
DB User Name Database user name: user that connected to the database, either local or remote.
Network Protocol Network protocol used (e.g., TCP, UDP, etc. Note that for K-TAP on Oracle, this displays as either IPC or BEQ)
OS User OS user account for the interaction.
Server Description Server description (if any).
Server Host Name Server Host Name
Server IP Server IP address.
Server IP/DB User Paired attribute value consisting of Server IP address and database user name.
Server IP/Svc Name/DB User Server IP address / Service Name / Database user name
Server OS Server operating system.

For Informix, the OS may appear as follows:

IEEEM indicating Unix, or JDBCIEEEI indicating Windows, or DEC indicating DEC Alpha.

For Teradata, as there is no direct information about client/server OS, instead, the data format type is used; indicating how integer data is stored during db session. This has a close relation to the platform being used and may appear as follows:

IBM® MAINFRAME // IBM mainframe data format

HONEYWELL MAINFRAME // Honeywell mainframe data format

AT&T 3B2 // AT&T 3B2 data format.

INTEL 8086 // Intel 8086 data format (IBM PC or compatible)

VAX // VAX data format

AMDAHL // Amdahl data format

Server Type DB2, Oracle, Sybase, etc.
Service Name Service name for the interaction. In some cases (AIX® shared memory connections, for example), the service name is an alias that is used until the actual service is connected. In those cases, once the actual service is connected, a new session is started - so what the user experiences as a single session is logged as two sessions.

For Teradata, Service name contains the session logical host id value.

Source Program Source program for the interaction.
Timestamp Since all attributes in this entity contain static information, this timestamp is created only once, when Guardium observes a request on the defined client-server connection for the first time.
Timestamp Date Date only from the timestamp.
Timestamp Time Time only from the timestamp.
Timestamp Weekday Weekday only from the timestamp.
Timestamp Year Year only from the timestamp.

Session Entity

Attribute Description
Access Id A unique identifier for this client/server connection.
Client Port Client port number.
Collector Id The identifier of Guardium collector.
Database Name Name of database for the session (MSSQL or Sybase only).

For Oracle, Database Name may contain additional and application specific information such as the currently executing module for a session that has been set in the MODULE column of the V$SESSION view.

Duration (secs) The length of time between the Session Start and the Session End (in seconds).
Encryption Type The network traffic encryption type. This field is populated only for some database types. It is not an accurate indication of whether encryption is used, or the type of encryption.
Failover Flag  
Global Id Uniquely identifies the session - access.
Ignored Since Timestamp created when starting to ignore this session.
Inactive Flag
  • 0: Open for sessions generated by SQL package.
  • 1: Closed (disconnect/ logout received).
  • 2: Probably closed; unclosed with no packets for a long time.
  • 3: For sessions generated from non-SQL packets.
Inspection Engine Id Inspection engine identifier
Inspection Engine Name Name of inspection engine reporting this data
Last Used The timestamp of the last time the data was used.
Login Succeeded Whether or not the login succeeded
MS/ TD SID Microsoft / Teradata Session ID
Old session Id Points to the session from which this session was created. Zero if this is the first session of the connection.
Original Timezone The UTC offset. This is done in particular for aggregators that have collectors in different time zones and so that activities that happened hours apart do not seem as if they happened at the same time when imported to the aggregator.

For instance, on an aggregator that aggregates data from different time zones, you can see session start of one record that is 21:00 with original timezone UTC-02:00 and another record where session start is 21:00 with original timezone UTC-05:00, This means that these events occurred 3 hours apart, but at the same respective local time (9 PM).

Process ID The process ID of the client that initiated the connection (not always available).
Sender IP Sender's IP address.
Server Port Server port number.
Session End Date and time the session ended. Session End is also a Main Entity. Access this secondary entity by clicking on the Session primary entity.
Session End Date Date only from the Session End.
Session End Time Time only from the Session End.
Session End Weekday Weekday only from the Session End.
Session End Year Year only from the Session End.
Session Id Uniquely identifies the session.
Session Ignored Indicates whether or not some part of the session was ignored (beginning at some point in time).
Session Start Date and time session started. Session Start is also a Main Entity. Access this secondary entity by clicking on the Session primary entity.
Session Start Date Date only from the Session Start.
Session Start Weekday Weekday only from the Session Start.
Session Start Year Year only from the Session Start.
TTL Reserved for admin role use only.
Terminal Id Terminal ID of the connection, used internally to resolve session information.
Timestamp Initially, a timestamp created for the first request on a client-server connection where there is not an active session in progress. Later, it is updated when the session is closed, or when it is marked inactive following an extended period of time with no observed activity. When tracking Session information, you will probably be more interested in the Session Start and Session End attributes than the Timestamp attribute.
Timestamp Date Date only from the timestamp.
Timestamp Time Time only from the timestamp.
Timestamp WeekDay Weekday only from the timestamp.
Timestamp Year Year only from the timestamp.
Uid Chain For a session reported by Unix S-TAP (KTap mode only), this shows the chain of OS users, when users su with a different user name. The values that appear here vary by OS platform - for example, under AIX the string IBM IBM IBM may appear as a prefix.

Note: For Solaris Zones, user ids may be reported instead of user names in the Uid Chain.

Uid Chain Compressed Values compressed. See Uid Chain.

Access Period Entity

Attribute Description
Application Event Id The application event ID if set from the API. These attributes appear only when the main entity for the query permits this level of detail. These are not available if either Client/Server or Session is the main entity.
Application User Application user name.
Average Execution Time The average command execution time during the period. This is for SQL statements only. It does not apply to FTP traffic.
Avg Execution Ack Time The average command execution time during the period. This is for SQL statements only. It does not apply to FTP traffic.
Avg Records Affected The average number of records affected. See note at the end of the table. These attributes appear only when the main entity for the query permits this level of detail. These are not available if either Client/Server or Session is the main entity.
Collector Id The identifier of the Guardium collector.
Construct Id Uniquely identifies a command construct (for example, select a from b). Only available to users with the admin role.
DB2 i Current User DB2 i current user name
DB2 i/z Database DB2 i/z database name
DB2 i/z Program DB2 i/z program name
Egress Kbyte Count The count of egress data in Kilobytes
F5 Ip F5 IP address
F5 User Name F5 user name
Failed Sqls The number of failed SQL requests. These attributes appear only when the main entity for the query permits this level of detail. These are not available if either Client/Server or Session is the main entity.
IMS PSB Name IMS System Utilities - Program Specification Block (PSB) name.
Ingress Kbyte Count The count of ingress data in Kilobytes
instance Id Uniquely identifies an instance of a construct. Only available to users with the admin role.
Objects and Verbs SQL objects and commands
Original Timezone The original timezone of the Guardium collector machine as of GMT/UTC offset.
Period End Date and time for the end of the access period.
Period End Date Date only from the period end attribute.
Period End Time Time only from the period end attribute.
Period End Weekday Weekday only from the period end attribute.
Period Start Date Date only from the period start attribute.
Period Start Time Time only from the period start attribute.
Period Start Weekday Weekday only from the period start attribute.
Session Id Uniquely identifies a session. Only available to users with the admin role.
Show Seconds If a the number of accesses per second is being tracked, this contains counts for each second in the access period (usually one hour).
Successful SQLs The number of successful SQL requests. These attributes appear only when the main entity for the query permits this level of detail. These are not available if either Client/Server or Session is the main entity.
Timestamp Initially, the Timestamp value is set the first time that a request is observed on a client-server connection during an access period. By default, an access period is one hour long, but this can be changed by the Guardium administrator in the Inspection Engine Configuration. Thereafter, for each subsequent request, it is updated when the system updates the average execution time and the command count for this period.
Timestamp Date Date of the timestamp.
Timestamp Time Time of the timestamp.
Timestamp Weekday of the timestamp.
Timestamp Year Year of the timestamp.
Timestamp(microsec) UNIX Epoch time expressed in microseconds
Total Records Affected The total number of records affected. These attributes appear only when the main entity for the query permits this level of detail. These are not available if either Client/Server or Session is the main entity.

If the Total Records Affected attribute is a character string instead of a number, that value appears here (for example, Large Results Set, or N/A.

Records affected - Result set of the number of records which are affected by each execution of SQL statements.

Note: The records affected option is a sniffer operation which requires sniffer to process additional response packets and postpone logging of impacted data which increases the buffer size and might potentially have a adverse effect on overall sniffer performance. Significant impact comes from really large responses. To prevent large amount of overhead associated with this operation, Guardium uses a set of default thresholds that allows sniffer to decide to skip processing operation when exceeded.

You can use the store max_results_set_size, store max_result_set_packet_size, and store max_tds_response_packets CLI commands to set levels of granularity.

Example of result set values:
  • Case 1, record affected value, positive number - this represents correct size of the result set.
  • Case 2, record affected value, -2 - This means number of records exceeded configurable limit (This could be tuned through CLI interface).
  • Case 3, record affected value, -1 - This shows any unsupported cases of packets configurations by Guardium.
  • Case 4, record affected value, -2 - If the result set is sent by streaming mode.
  • Case 5, record affected value, -2 - Intermediate result during record count to update user about current value, ends up with positive number of total records.
Total Records Affected (Desc) These attributes appear only when the main entity for the query permits this level of detail. These are not available if either Client/Server or Session is the main entity.
Total Access Total count of construct instances for this access period. Only available to users with the admin role.