Search parameters

Edit online

Search parameters define additional conditions and can be used with different actions.

Request type (REQ_TYPE)

Request type acts as a filter for transform actions. In non-transform actions with search parameters, request type provides a hint for where to search.

Request types available for actions with search parameters:
  • LOGIN FAILED (LOGIN_FAILED)
  • PREPARED STATEMENT (PREP_STAT)
  • RPC (RPC)
  • SQL (SQL)
  • SQL ERROR (SQL_ERROR)
  • SQL SUCCESS (SQL_SUCCESS)
Request types available for actions with transform parameters:
  • LOGIN FAILED (LOGIN_FAILED)
  • PREPARED STATEMENT (PREP_STAT)
  • RPC (RPC)
  • SQL (SQL)
  • SQL ERROR (SQL_ERROR)
Note: In the SR language, write request types without quotation marks.

Search prefix (SEARCH_PREFIX)

Search prefix matches the defined pattern at the beginning of a value.

Use search prefix with or without request type for transform actions and for regular actions with search parameters. Request type acts as a filter for transform actions. In non-transform actions with search parameters, request type provides a hint for where to search.

Summary of actions taken depending on use of request type and search prefix parameters.
Rule criteria used
Request type defined Yes No Yes No
Search prefix defined Yes Yes No No
Actions taken
Search with search prefix Yes Yes No No
Search with request type No No Yes No
Search in DB User (DB_USER) No No No Yes
Example:
IGNORE_REQUEST REQ_TYPE = SQL SEARCH_PREFIX = 'GAT'
This matches SQL requests with the prefix GAT.
Example: 
IGNORE_REQUEST REQ_TYPE = SQL_ERROR SEARCH_PREFIX = 'TNS-'
This matches SQL errors with the prefix TNS-.

Search pattern (SEARCH_PATTERN)

Search pattern matches the defined pattern in any part of the value.

Example:
IGNORE_REQUEST REQ_TYPE = SQL SEARCH_PREFIX = 'SELECT' SEARCH_PATTERN = 'FROM SCOTT.'
This matches SELECT SQL requests that contain the pattern FROM SCOTT.

Match pattern (MATCH_PATTERN)

Match pattern is similar to search pattern but uses regular expressions to match the defined pattern in any part of the value.

Example: 
SELECT * FROM SCOTT.A WHERE SECRET = '1234'
MATCH_PATTERN = '^.*FROM (.*)\.A.*$'
OUTPUT_FORMAT = '\1'
This takes the first regular expression element in parenthesis and writes it to the output format.

Search offset (SEARCH_OFFSET)

Search offset works with search pattern and match pattern to cut the source string where the matched pattern is found. This can improve matching with regular expressions.

Example:
SELECT LAST_NAME FROM SCOTT.EMPLOYEES
TRANSFORM_STATEMENT SEARCH_PREFIX = 'SELECT' SEARCH_PATTERN = 'FROM SCOTT.' SEARCH_OFFSET MATCH_PATTERN = '^(.*)\.(.*)$' OUTPUT_FORMAT = '\1.\2'
This finds the string defined by search pattern while search offset cuts off everything before it allowing match pattern to work more efficiently.

Checking criteria for actions in search parameters

The default is DB_USER:guardium://empty, meaning that SEARCH_PREFIX matches if the value is empty. Other criteria can be checked:
  • ANALYZED_CLIENT_IP
  • APP_USER_NAME
  • AUTH_TYPE
  • CLIENT_HOST_NAME
  • CLIENT_IP
  • CLIENT_OS_NAME
  • COMMAND
  • CTIMEZONE
  • DB_NAME
  • DB_USER
  • DESCRIPTION
  • ERROR
  • OS_USER
  • SERVER_DESCRIPTION
  • SERVER_HOST_NAME
  • SERVER_IP
  • SERVER_OS_NAME
  • SERVICE_NAME
  • SOURCE_PROGRAM
  • STATEMENT
Examples:
  • Search prefix = DB_USER:NO_AUTH
  • Search pattern = STATEMENT:SELECT%
  • Match pattern = ERROR:%13%