Exporting audit results

Reports that contain information that can be used by other applications, or reports that contain large amounts of data, can be exported to other file formats.

Exporting output to CSV, CEF or PDF format

You can export report, entity audit trail, and privacy task output to CSV files, and export database activity reports to a CEF file. When exporting to CEF or CSV files, keep in mind the following details:

  • Each record in the CSV or CEF file represents a row on the report.
  • CEF and CSV file output can also be written to syslog. If remote syslog is configured, the CEF or CSV output is forwarded immediately to the remote syslog destinations. You can use the remote syslog function to direct messages from each facility and severity combination to a specific remote system. For more information, see Facility and priority of syslog messages; for the remotelog (syslog) CLI command, see store remotelog.
  • Guardium creates the exported file in addition to the standard task output; it does not replace that output. Exporting files is useful for the following tasks:
    • Integrating with an existing SIEM (Security Information and Event Management) system in your infrastructure (such as QRadar, ArcSight, Network Intelligence, LogLogic, or TSIEM).
    • Reviewing and analyzing very large compliance task result sets. Result sets exported to PDF are limited to 5,000 rows of output. There is no limit to the number of rows that can be written to an exported CSV or CEF file by an audit process.
  • Exported CSV and CEF files are stored on the Guardium® system, and are named in the format:
    process_task_YYYY_MMM_DD-HHMMSS.<csv | cef>

    Where process is the process name and task is the task name that you defined for this audit process. The date-time stamp is generated when the task runs.

  • You cannot access the exported CSV or CEF files directly on the Guardium system. Your Guardium administrator must use the CSV/CEF Export function to move these files from the Guardium system to another location on the network. To access those files, check with your Guardium administrator to determine their location.
    The fact that exported files are sent outside of the Guardium system has two important implications:
    • The release of these files is not connected to the results distribution plan defined for the audit process. These files are exported on a schedule defined by the Guardium administrator.
    • Once the CSV/CEF Export function runs, every exported file is available to anybody (Guardium user or not) who can read the destination directory defined for the CSV/CEF Export operation. For this reason, your Guardium administrator may want to schedule additional jobs (outside the Guardium system) that move sets of exported files from the CSV/CEF Export destination directory to directories with appropriate access permissions.
  • CSV/CEF Export activity is available in the Aggregation/Archive Activity report.
    Note: If observed data level security is enabled, audit process output (including files) is filtered so that users see only the information for their assigned databases. Files sent to an email receiver as an attachment are filtered. However, files downloaded locally to a machine and then moved elsewhere using the Results Export function are not subject to data level security filtering.
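The administrator-side copy job described above, as an added example that is not Guardium code: a Python script that sweeps the CSV/CEF Export destination directory, recognises files by the documented process_task_YYYY_MMM_DD-HHMMSS.<csv | cef> naming scheme, and moves them into a per-process tree that is not world-readable. The drop and output directories, the 60-second settle time, the mode bits and the file names in demo() are assumptions for this example. The parser further assumes that the task name contains no underscore (the process name may) and accepts MMM as either a three-letter month abbreviation or a two-digit month, because the page does not say which form is used; an optional .gz suffix is accepted for files exported with Compress enabled.

```python
"""Sweep the Guardium CSV/CEF Export drop directory into a restricted tree.

Added example, not Guardium code. Assumptions: the export destination is a
local directory, file names follow process_task_YYYY_MMM_DD-HHMMSS.<csv|cef>
with an optional .gz suffix when Compress is enabled, MMM is a three-letter
English month abbreviation or a two-digit month, and the task name has no
underscore (the process name may).
"""
import os
import re
import shutil
import time
from datetime import datetime
from pathlib import Path

MONTHS = {m: i for i, m in enumerate(
    ["jan", "feb", "mar", "apr", "may", "jun",
     "jul", "aug", "sep", "oct", "nov", "dec"], start=1)}

FILENAME_RE = re.compile(
    r"^(?P<process>.+)_(?P<task>[^_]+)_"      # process may contain '_', task may not (assumed)
    r"(?P<year>\d{4})_(?P<month>[A-Za-z]{3}|\d{2})_(?P<day>\d{2})-"
    r"(?P<time>\d{6})\.(?P<fmt>csv|cef)(?P<gz>\.gz)?$",
    re.IGNORECASE,
)


def parse_export_name(name):
    """Return the parts of an export file name, or None if it does not match."""
    m = FILENAME_RE.match(name)
    if not m:
        return None
    month_txt = m["month"]
    month = int(month_txt) if month_txt.isdigit() else MONTHS.get(month_txt.lower())
    if month is None:
        return None
    hhmmss = m["time"]
    try:
        run_at = datetime(int(m["year"]), month, int(m["day"]),
                          int(hhmmss[0:2]), int(hhmmss[2:4]), int(hhmmss[4:6]))
    except ValueError:          # day 32, hour 25, ...: not a real export name
        return None
    return {"process": m["process"], "task": m["task"], "run_at": run_at,
            "fmt": m["fmt"].lower(), "compressed": m["gz"] is not None}


def quarantine_exports(inbox, outbox, min_age_seconds=60, now=None):
    """Move recognised export files out of the shared drop directory.

    Files younger than min_age_seconds are left in place so that a file the
    export job is still writing is not moved half-finished (an assumed safety
    margin, not a Guardium guarantee). Returns (moved, skipped) name lists.
    """
    inbox, outbox = Path(inbox), Path(outbox)
    now = time.time() if now is None else now
    moved, skipped = [], []
    for src in sorted(inbox.iterdir()):
        if not src.is_file():
            continue
        info = parse_export_name(src.name)
        if info is None or now - src.stat().st_mtime < min_age_seconds:
            skipped.append(src.name)
            continue
        dest_dir = outbox / info["process"] / info["fmt"]
        dest_dir.mkdir(parents=True, exist_ok=True)
        os.chmod(dest_dir, 0o750)       # owner rwx, group rx, no world access (example choice)
        dest = dest_dir / src.name
        shutil.move(str(src), str(dest))
        os.chmod(dest, 0o640)           # owner rw, group r, no world access (example choice)
        moved.append(dest.relative_to(outbox).as_posix())
    return moved, skipped


def demo():
    """Constructed run in a temporary directory; returns what was moved and skipped."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        inbox, outbox = Path(tmp) / "guardium_drop", Path(tmp) / "restricted"
        inbox.mkdir()
        for name in ["DailyReview_FailedLogins_2024_Jan_05-143000.csv.gz",
                     "DBActivity_Privileged_2024_01_05-143000.cef",
                     "notes.txt"]:                     # constructed sample names
            (inbox / name).write_text("constructed sample content\n")
        moved, skipped = quarantine_exports(inbox, outbox, min_age_seconds=0)
        return {"moved": moved, "skipped": skipped}


if __name__ == "__main__":
    print(demo())
```

Run it from cron as the account that owns the export destination; the mode bits are example values to adapt to whichever group should be able to read the results. Because the page states that the export schedule is independent of the results distribution plan, the sweep should run more often than the export so that files spend as little time as possible in the shared directory.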

The following table summarizes what happens when an audit process file is exported to CSV, CEF, or PDF.

Table 1. Exporting Audit Task Output to CSV, CEF or PDF Files
(Columns: Function, Level, CSV, CEF, PDF)

  • Attach to email (Level: Receiver)
    • CSV: Full Details radio button --> PDF check box
    • CEF: N/A
    • PDF: Full Details radio button --> PDF check box. The radio buttons apply only to the receiver PDF.
  • Export file (Level: Task)
    • CSV: Export CSV file check box
    • CEF: Export CSV file check box
    • PDF: Export CSV file check box
  • Report empty and Approve if Empty = yes (Level: Receiver)
    • CSV: Export not affected (empty files are exported). Attachment: no email attachment.
    • CEF: Export not affected (empty files are exported). Attachment: no email attachment.
    • PDF: Export not affected (empty files are exported). Attachment: no email attachment.
  • Zip attachment (Level: Audit Process)
    • CSV: If no file is generated, there is nothing to zip. All CSVs are merged into one ZIP file.
    • CEF: N/A
    • PDF: If no file is generated, there is nothing to zip. PDF is not zipped.
  • Compress (export) (Level: Task)
    • CSV: Compressed, as a separate file for each CSV file
    • CEF: Compressed, as a separate file for each CEF file
    • PDF: PDF is not compressed

How zip for email and compress work for audit task output

Zip for email is the highest level of control for audit task export: it bundles the CSV or CEF files produced by the tasks of an audit process into one zip attachment. PDFs are never zipped or compressed.

Compress works on individual files: each CSV or CEF file is gzipped separately.

Note: For CSV attachments, Compress can still be applied when Zip for Email is cleared, and Compress is set per task. One audit task may therefore send a .csv file while another sends a .csv.gz file in the same email.

The interaction of Zip for Email and Compress is as follows:

  • Zip for email checked (whether or not Compress is also checked): the attachment is one zip file containing the CSV files.
  • Zip for email cleared and Compress checked: the attachment is a set of .csv.gz files.
  • Zip for email cleared and Compress cleared: the attachment is a set of .csv files.
  • Compress checked: Download All produces .csv.gz files.
  • Compress cleared: Download All produces .csv files.
  • Compress checked or cleared: downloading a single displayed result still produces a .csv file.
  • Compress checked: CSV/CEF files written by the export are gzipped.
  • Compress cleared: CSV/CEF files written by the export are not gzipped.
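A consumer for every shape those settings produce, as an added example that is not Guardium code: a Python reader that accepts a Zip for Email attachment (one zip holding several CSV/CEF files), a Compress output (.csv.gz or .cef.gz) or a plain .csv/.cef file, and turns each file into one dict per record, following the rule earlier on this page that each line of a CSV or CEF file is one report row. CSV columns are taken from the header line; CEF lines are split per the ArcSight CEF layout (seven pipe-separated header fields followed by key=value extensions, with \| and \= as escapes), which also covers CEF records that arrive with a syslog prefix when remote syslog forwarding is used. The file names, column headers, vendor/product strings and CEF extension keys in demo() are constructed for this example and do not reproduce Guardium's real column or extension names.

```python
"""Read audit task output in any of the shapes Zip for Email / Compress produce.

Added example, not Guardium code. The sample data in demo() is constructed.
"""
import csv
import gzip
import io
import re
import zipfile
from pathlib import Path

# A pipe not preceded by a backslash separates CEF header fields.
_PIPE = re.compile(r"(?<!\\)\|")
# Whitespace followed by "key=" starts the next extension pair, so values may
# contain spaces; an escaped \= inside a value never looks like a key.
_EXT_SEP = re.compile(r"\s+(?=[A-Za-z0-9_.]+=)")
_CEF_HEADER = ["cef_version", "device_vendor", "device_product",
               "device_version", "signature_id", "name", "severity"]


def parse_cef(line):
    """Parse one CEF record (optionally prefixed by a syslog header) into a dict."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF record")
    parts = _PIPE.split(line[start:].rstrip("\r\n"), maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header must have 7 pipe-delimited fields")
    rec = {k: re.sub(r"\\([\\|])", r"\1", v)        # unescape \| and \\ in the header
           for k, v in zip(_CEF_HEADER, parts[:7])}
    rec["cef_version"] = rec["cef_version"][len("CEF:"):]
    rec["extension"] = {}
    for pair in _EXT_SEP.split(parts[7].strip()):
        key, sep, value = pair.partition("=")
        if sep:
            rec["extension"][key] = re.sub(r"\\([\\=])", r"\1", value)  # unescape \= and \\
    return rec


def _rows(name, data):
    """Decode one CSV or CEF payload; each line is one report row."""
    text = data.decode("utf-8-sig")                  # tolerate a UTF-8 BOM
    lower = name.lower()
    if lower.endswith(".csv"):
        return list(csv.DictReader(io.StringIO(text)))
    if lower.endswith(".cef"):
        return [parse_cef(l) for l in text.splitlines() if l.strip()]
    raise ValueError(f"unexpected export member: {name}")


def read_export(path):
    """Yield (file_name, rows) for a .zip, a .csv.gz/.cef.gz, or a plain file."""
    path = Path(path)
    suffix = path.suffix.lower()
    if suffix == ".zip":                             # Zip for Email: one zip of files
        with zipfile.ZipFile(path) as zf:
            for member in zf.namelist():             # read in memory, never extractall
                yield member, _rows(member, zf.read(member))
    elif suffix == ".gz":                            # Compress: one .gz per file
        with gzip.open(path, "rb") as fh:
            yield path.stem, _rows(path.stem, fh.read())
    else:                                            # neither: plain .csv/.cef
        yield path.name, _rows(path.name, path.read_bytes())


def demo():
    """Build the three shapes from constructed data and read them back."""
    import tempfile
    csv_a = "DB User,Client IP,Verb\nappuser,10.0.0.5,SELECT\ndba,10.0.0.9,DROP\n"
    csv_b = "Object,Count\ncustomers,12\n"
    cef = ("CEF:0|ExampleVendor|ExampleProduct|1.0|100|Failed Login|7|"
           "suser=dba src=10.0.0.9 msg=3 failures in 60 s\n")   # constructed record
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        with zipfile.ZipFile(tmp / "audit.zip", "w") as zf:
            zf.writestr("DailyReview_Activity_2024_Jan_05-143000.csv", csv_a)
            zf.writestr("DailyReview_Objects_2024_Jan_05-143000.csv", csv_b)
        with gzip.open(tmp / "DBActivity_Logins_2024_Jan_05-143000.cef.gz", "wt") as fh:
            fh.write(cef)
        (tmp / "plain.csv").write_text(csv_b)
        summary = {}
        for f in ["audit.zip", "DBActivity_Logins_2024_Jan_05-143000.cef.gz", "plain.csv"]:
            summary[f] = {name: rows for name, rows in read_export(tmp / f)}
        return summary


if __name__ == "__main__":
    for fname, members in demo().items():
        print(fname, {m: len(r) for m, r in members.items()})
```

Members of the zip are read in memory with zf.read rather than extracted, so a crafted member name cannot write outside the working directory. An empty export (the "Approve if Empty = yes" case in the table, where empty files are still exported) yields zero rows rather than an error, which is the behaviour a downstream job should expect.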