Predefined user Reports

This section provides a short description of all predefined reports on the default user layout.

For a description of the reports on the default administrator layout, see Predefined admin reports.

Note: If data level security at the observed data level has been enabled (see Global Profile settings), then audit process output will be filtered so users will see only the information of their databases.

View Installed Policy

The Currently-Installed Policy report displays information about the installed policy. Click the installed policy link to display the policy rules in a separate window.

Number of db per type

Displays the number of servers and clients for each monitored database type (default time period is the current day).

Request Rate

By default, displays the request rate for the last two hours. This graphical report is intended to display recent activity only. If you alter the From and To run-time parameters to include a larger timeframe, you may receive a message indicating that there is too much data. (Use a tabular report to display a larger time period.)

Sessions By Server Type

For each server type (DB2®, Informix®, etc.), a row of this report displays the total number of sessions that were open during the reporting period (by default, the last three hours).

DML Execution on Sensitive Objects

For each SQL Verb from the DML Commands group that references an Object Name in the Sensitive Objects group, this report displays a row for each Access Period, Client IP, and Source Program, with a total count of objects referenced in that row. Although the report title contains the word Executions, there is no guarantee that all commands reported were actually executed.

Sensitive Objects Usage

For each object in the Sensitive Objects group, displays a row for each Client IP and Source Program that referenced the object during the reporting period, and a count of object references.

The Sensitive Objects group is empty at installation time. Someone at your company must populate the group with the appropriate set of members.

Activity By Client IP

For each Client IP address seen during the reporting period, a row counts the number of SQL Verbs, Object Names, and the total number of sessions.

Database Servers

For each Server IP address accessed during the reporting period, a row of the report displays the Server Type, Database Name, Service Name, a count of source programs accessing that server, and the total number of sessions for that row.

IMS Access (z/OS)

Use this to report access to IMS™ (z/OS®).

Table 1. IMS Access (z/OS)
Domain Based on Query Main Entity

Access

IMS Access

Client Server

Run-Time Parameter

Operator

Default Value

Period From

>=

NOW -2 HOUR

Period To

<=

NOW

IMS Object (z/OS)

Use this to report object to IMS (z/OS).

Table 2. IMS Object (z/OS)
Domain Based on Query Main Entity

Access

IMS Object

Object

Run-Time Parameter

Operator

Default Value

Period From

>=

NOW -2 HOUR

Period To

<=

NOW

IMS Event (z/OS)

Use this to report event to IMS (z/OS).

Table 3. IMS Event (z/OS)
Domain Based on Query Main Entity

Access

IMS Event

SQL

Run-Time Parameter

Operator

Default Value

Period From

>=

NOW -2 HOUR

Period To

<=

NOW

IMS Data Access Details (z/OS)

Use this to report data access details to IMS (z/OS).

Table 4. IMS Data Access Details (z/OS)
Domain Based on Query Main Entity

Access

IMS Data Access Details

Full SQL

Run-Time Parameter

Operator

Default Value

Period From

>=

NOW -2 HOUR

Period To

<=

NOW

Client IP

LIKE

 

DBUserName

LIKE

 

IMS Name

LIKE

 

ServerIP

LIKE

 

Policy Violations

For every policy rule violation logged during the reporting period, this report provides the Timestamp from the Policy Rule Violation entity, Access Rule Description, Client IP, Server IP, DB User Name, Full SQL String from the Policy Rule Violation entity, Severity Description, and a count of violations for that row. You cannot access the query that this report is based upon (Policy Violations List with Severity), but you can clone the report.

Exceptions Distribution

Each wedge of the pie chart represents the proportion of exceptions for each Exception Description attribute value (from the Exception Type entity) that was logged during the reporting period.

As with any chart, you can drill down on the pie chart to display the tabular version of the query on which the chart is based. There are several exceptions reports that are accessible from this tabular report (or drill-downs from it) that are available here, but are not included on any menu.

Exceptions Monitor

A count of exceptions logged during the reporting period. One datapoint is created each time that you refresh the report on your portal.

Failed User Login Attempts

For each failed login attempt during the reporting period, lists the User Name, Source Address, Destination Address, and Database Protocol Type for the server the user was attempting to log into.

SQL Errors

For each SQL error during the reporting period, displays the Client IP address, Server IP address, Server Type, database user name, database error text, and error occurrence total for that record.

Exception Count

The total number of exceptions (Exception entities) logged during the reporting period.

Terminated Users Logins

Lists all logins by database users who are members of the Terminated DB User group. Each row lists a DB User Name, Client IP, Server IP, Server Type, Source Program, last login time (the maximum value of the Session Start attribute), and the count of sessions for the row.

The Terminated DB Users group is empty at installation time. It must be populated by someone at your location. The query that this report is based upon (Terminated Users Logins) cannot be accessed from any query builder.

Active Users Last Login

Last login recorded during the reporting period for each member of the Active Users group. All members of the group will be listed, even if there were no logins during the reporting period. This is unlike most other reports based on members of a group. In the “normal” case, if no activity is found for a member, that member is not listed.

Each row lists a DB User Name, Client IP, Server IP, Server Type, Source Program, last login time (the maximum value of the Session Start attribute), and the count of sessions for the row.

The Active Users group is empty at installation time. It must be populated by someone at your location. The query that this report is based upon (Active Users Last Logins) cannot be accessed from any query builder.

Active Users with no Activity

Listing of members in the Active Users group who have had no activity during the reporting period. This report will be empty if all users have had activity during the reporting period.

The Active Users group is pre-defined, but empty at installation time. It must be populated by someone at your location. The query that this report is based upon (Active Users with no Activity) cannot be accessed from any query builder.

Terminated Users Failed Login Attempts

Lists failed login attempts by database users who are members of the Terminated DB User group. This report will be empty if there were no failed login attempts by anyone in this group during the reporting period.

The Terminated DB Users group is pre-defined, but empty at installation time. It must be populated by someone at your location. The built-in query for this report cannot be accessed. The query that this report is based upon (Terminated Users Failed Login Attempts) cannot be accessed from any query builder.

Excessive Errors per period

Display #Errors/Period; E.g., more than N errors in 60min for the same Client IP address, Server IP address, Server Type, database user name.

Users inactive since

Show User and Last Session Start for all users having Access records and having max Session Start time earlier than 90 days ago. (an inactive user is missed if they never once logged in, or if all their old logins have been purged)

Admin Users Login

For each DB User Name included in the Admin Users group, who had one or more sessions during the reporting period, each row lists the Client IP, DB User Name, Source Program, Session Start time, and Count of Sessions for that row.

DB Predefined Users Login

For each DB User Name included in the DB Predefined Users group, who had one or more sessions during the reporting period, each row lists the DB User Name, Client IP, Server IP, Source Program, Database Name, Service Name, and Count of Sessions for that row.

Administrative Commands Usage

For each SQL Verb included in the Administrative Commands group that was seen during the reporting period, this report lists the SQL Verb, Depth, Object Name, and Client IP, and a count of objects referenced.

Administrative Objects Usage

For each Object Name included in the Administration Objects group that was seen during the reporting period, each row lists the Object Name, Client IP, Server IP, Service Name, Database Name, Source Program, DB User Name, and Count of Objects for that row.

DML Execution on Administrative Objects

For each SQL Verb from the DML Commands group that references an Object Name in the Administration Objects group, this report displays a row for the DB User Name, Client IP, Server IP, Server Type, Service Name, Database Name, SQL Verb, Object Name, and Count of Objects referenced in the row.

BACKUP Commands Execution

For each SQL Verb from the BACKUP Commands group seen during the reporting period, this report displays the Client IP, Server IP, Service Name, DB User Name, Source Program, Database Name, Object Name, SQL Verb, and Count of Objects referenced in the row.

RESTORE Commands Execution

For each SQL Verb from the BACKUP Commands group seen during the reporting period, this report displays the Client IP, Server IP, Service Name, DB User Name, Source Program, Database Name, Object Name, SQL Verb, and Count of Objects referenced in the row.

REVOKE Commands Execution

For each SQL Verb from the REVOKE Commands group seen during the reporting period, this report displays the Client IP, Server IP, Service Name, DB User Name, Source Program, Database Name, Object Name, SQL Verb, and Count of Objects referenced in the row.

KILL Commands Execution

For each SQL Verb from the KILL Commands group seen during the reporting period, this report displays the Client IP, Server IP, Service Name, DB User Name, Source Program, Database Name, Object Name, SQL Verb, and Count of Objects referenced in the row.

DBCC Commands Execution

For each SQL Verb from the DBCC Commands group seen during the reporting period, this report displays the Client IP, Server IP, Service Name, DB User Name, Source Program, Database Name, SQL statement, and Count of Objects referenced in the row.

GRANT Commands Execution

For each SQL Verb from the GRANT Commands group seen during the reporting period, this report displays the Client IP, Server IP, Service Name, DB User Name, Source Program, Database Name, Object Name, SQL Verb, and Count of Objects referenced in the row.

Privileged Account Utilization

Show User, Verb, and the Count of Periods within which the Verb was performed by a User in the group Admin Users

Privileged User Access of Business Objects

Show User, Verb, Object where the User in Admin Users and the Verb was performed by the on an Object that is in a selected group of Business Objects

CREATE Commands Execution

For each SQL Verb from the CREATE Commands group seen during the reporting period, this report displays the Client IP, Server IP, Service Name, DB User Name, Source Program, Database Name, Object Name, SQL Verb, and Count of Objects referenced in the row.

DDL Commands

All DDL commands sent to the database. The report displays the client IP from which the DDL was requested, the main SQL verb (a specific DDL command), and the total objects accessed for that record.

For each SQL Verb from the DDL Commands group seen during the reporting period, this report displays the Client IP, Server IP, Server Type, SQL Verb, and Count of Commands referenced in the row.

ALTER Commands Execution

All ALTER commands issued. The report displays the client IP from which the DDL was requested, server IP address, service name, database user name, source program, database name, object name, and main SQL verb (a specific DDL command) for each combination of client IP/DDL command listed on that specific line.

For each SQL Verb from the ALTER Commands group seen during the reporting period, this report displays the Client IP, Server IP, Service Name, DB User Name, Source Program, Database Name, Object Name, SQL Verb, and Count of Objects referenced in the row.

DDL Distribution

This bar graph displays the distribution of commands seen from the DDL Commands group during the reporting period. For each command seen, a single bar represents the total number of objects affected.

DROP Commands Execution

For each SQL Verb from the DROP Commands group seen during the reporting period, this report displays the Client IP, Server IP, Service Name, DB User Name, Source Program, Database Name, Object Name, SQL Verb, and Count of Objects referenced in the row.

One User One IP

For each DB User Name for which session data was collected during the reporting period, each line of this report displays the count of Client IP addresses from which the user logged in, and a total number of sessions.

Client IP Activity Summary

This report displays reporting period activity from a single Client IP address, which is specified as a run time parameter. Each row of the report displays the Client IP, Source Program, SQL Verb, Depth (of sentence within the SQL command), an Object Name, and a count of times that object was referenced for that row.

Sessions List

This report lists all database sessions for the reporting period. For each session, the report displays the session (entity) Timestamp, the Session Start (timestamp), Server Type, Client IP, Server IP, Client Port, Server Port, Network Protocol, DB Protocol, DB Protocol Version, DB User Name username, Source Program, and Count of Sessions for that row (which should always be 1).

As with most reports, drill-down reports are available. There are a number of session reports that are accessible from this report, but are not included on any menu. This includes the following reports, with the run time parameters for those reports set by using values from the selected row of the report:

Table 5. Sessions List
Report Run-time Parameters

Sessions by Client IP

Server IP, Server Type

Sessions by Server IP

Server Type

Sessions by Source Program

Server Type, Sever IP

Sessions by User

Server Type, Server IP

Sessions Details by Server

Server Type, Server IP

Commands List

This report lists all SQL Verbs seen during the reporting period. At the outermost level, commands are grouped by the Period Start time from the Access Period entity, which is usually one hour, on the hour. Your Guardium® administrator can modify the access period length by changing the logging granularity, which is one hour by default. For each Access Period in the reporting period, each row lists the access Period Start time, a SQL Verb, Depth of the verb in the SQL statement, Parent (a pointer to the owning verb), and a count of occurrences for the row.

Objects List

This report lists all objects seen during the reporting period. At the outermost level, objects are grouped by the Period Start time from the Access Period entity, which is usually one hour, on the hour. Your SQL Guard administrator can modify the access period length by changing the logging granularity, which is one hour by default. For each Access Period in the reporting period, each row lists the access Period Start time, an Object Name, and the count of occurrences for that row.

Object Activity Summary

This report displays reporting period activity for a single Object Name, which is specified as a run time parameter. Each row of the report displays the Client IP, Source Program, SQL Verb, Depth (of sentence within the SQL command), an Object Name, and a count of times that object was referenced for that row.

Archive Candidates

This report lists objects (database tables or stored procedures, for example) that have not been accessed for an extended period of time. You cannot access the query this report is based upon.

Windows File Share Activity

This report lists all Windows File Share SQL activity seen during the reporting period. At the outermost level, the SQL commands are grouped by the Period Start time from the Access Period entity, which is usually one hour, on the hour. Your Guardium administrator can modify the access period length by changing the logging granularity, which is one hour by default. For each Access Period in the reporting period, each row lists the access Period Start time, the Service Name, Client IP, Server IP, Source Program, SQL (from the SQL entity), and a count of occurrences for the row. You cannot access the query this report is based upon, but you can clone the report.

Hourly Access Details

This report produces a highly detailed listing for each DB User Name seen in the reporting period, which is one hour by default for this report. Each row of the report lists a DB User Name, Client IP, Server IP, Period Start, Source Program, SQL (from the SQL entity), and a count of occurrences during the access period.

Full SQL By DB User Name

This report displays reporting period Full SQL attribute values that have been logged for a single DB User Name, which is specified as a run time parameter. Each row of the report displays the Full SQL ID, Timestamp (of the Full SQL entity), Client IP, DB User Name, Session Start, Source Program, Full SQL, and a count of occurrences for the row.

Full SQL By Client IP

This report displays reporting period Full SQL attribute values that have been logged for a single Client IP, which is specified as a run time parameter. Each row of the report displays the Full SQL ID, Timestamp (of the Full SQL entity), Client IP, DB User Name, Session Start, Source Program, Full SQL, and a count of occurrences for the row.

Flat LOG List

Lists flat log processing tasks.

Classification Process Results

Lists classification process tasks.

DW Dormant Objects

Shows all the members of one group that are not members in a second group, with a focus on dormant tables. For example, this report shows objects that are in the all objects group, but have not been used in a Select.

DW Dormant Objects/Fields

Shows all the members of one group that are not members in a second group, with a focus on dormant tables and columns. In this instance, groups are a 2-tuple type (members that are a composite of a pair of value attributes). For example, this report shows objects that are in the all objects and fields group, but have not been used in a Select.

DW EXECUTE Object Access

Use this report to populate the group called DW EXECUTE Objects with a set of stored procedure names that being executed. Then use indirect mapping in Group Builder/Auto Generate Calling Prox to generate all the objects being used within these procedures.

DW SELECT Object Access

This report shows all object names that have been accessed through a SELECT statement.

DW SELECT Object-Field Access

This report shows all object and field names that have been accessed through a SELECT statement.

Long Running Queries

For the reporting period, this report lists the longest running queries, with the longest average execution time first. For each query, lists the Client IP, Server IP, SQL, Period Start (from the Access Period entity), Average Execution Time, and the count of occurrences for this row. You cannot access the query this report is based upon.

Throughput

This report produces a count of all Server IPs seen, and total accesses, during the reporting period. At the outermost level, accesses are grouped by the Period Start time from the Access Period entity, which is usually one hour, on the hour. Your Guardium administrator can modify the access period length by changing the logging granularity, which is one hour by default. Each row lists the Period Start time, the count of Server IPs seen, and a total count of accesses for the row.

You can restrict the output of this report using the Server IP run time parameter, which by default is set to “%” to select all IP addresses.

Throughput (Graphical)

This report is a Distributed Label Line chart version of the tabular Throughput report, plotting the total number of accesses over the reporting period, one data point per Period Start time.

You can restrict the output of this report using the Server IP run time parameter, which by default is set to “%” to select all IP addresses.

Number of Active Privacy Set Tasks

Number of active Guardium audit processes that contain one or more privacy set tasks. When central management is used, this report contains data on the Central Manager only, and is empty on all managed units (the standard message, No data found for requested query, displays). This report has non-standard run time parameters: there are no from and to date parameters, so all audit processes containing one or more privacy set tasks will be reported. You can clone the query that this report is based upon (Number of Active Privacy Set Processes), but you cannot clone or regenerate the default report. The cloned query will have all of the standard run-time parameters (including the from and to dates).

Guardium Job Queue

Displays the Guardium Job Queue. For each job, lists the Process Run ID, Process Type, Status, Cls/Asmt Process Id, Report Result Id, Cls/Asmt Description, Audit Task Description, Queue Time, Start Time, End Time, and Data Sources.

Table 6. Guardium Job Queue
Domain Based on Query Main Entity

internal - not available

Guardium Job Queue

not available

Run-Time Parameter

Operator

Default Value

Job Description

LIKE

%

Period From

>=

NOW -1 DAY

Period To

<=

NOW

Databases Discovered

For the reporting period, for each Discovered Port entity where the DB Type attribute value is NOT LIKE Unknown, this report lists the Probe Timestamp, Server IP, Sever Host Name, DB Type, Port, Port Type, and count of Discovered Ports for the row.

Table 7. Databases Discovered
Domain Based on Query Main Entity

Auto-discovery

Databases Discovered

Discovered Port

Run-Time Parameter

Operator

Default Value

Period From

>=

NOW -1 DAY

Period To

<=

NOW

Data Sources

This report appears on the default layout for both administrators and users. See Data Sources on the Predefined Reports - Common page.

Data Source Version History

This report appears on the default layout for both administrators and users. See Data Source Version History on the Predefined Reports - Common page.

Guardium Job Queue

Displays the Guardium Job Queue. For each job, lists the Process Run ID, Process Type, Status, Cls/Asmt Process Id, Report Result Id, Cls/Asmt Description, Audit Task Description, Queue Time, Start Time, End Time, and Data Sources.

Outstanding Audit Process Reviews

For each Guardium user Login Name, this report lists the number and type of outstanding Guardium audit processes. An outstanding audit process has a Status attribute value (in the Task Results To-Do-List entity) other than Reviewed or Signed. This report has non-standard run time parameters: there are no from and to dates, which means that all outstanding task results will be reported. You can clone the query that this report is based upon (it has the same name), but you cannot clone or regenerate the default report. The cloned query will have all of the standard run-time parameters (including the from and to dates).

Number of Active Audit Processes

The number of active Guardium audit processes. When central management is used, this report contains data on the Central Manager only, and is empty on all managed units (the standard message, No data found for requested query, displays). This report has non-standard run time parameters: there are no from and to date parameters, so all active audit processes will be reported. You can clone the query that this report is based upon (Number of Active Processes), but you cannot clone or regenerate the default report. The cloned query will have all of the standard run-time parameters (including the from and to dates).

View Installed Policy

In the Currently Installed Policy panel, this special report displays the information about the installed policy such as the policy name, the number of rules it contains, and its policy definition settings. You cannot access the query this report is based upon.

Policy Violation Count

For the reporting period, this report displays the number of policy violations logged.

Logged Threshold Alerts

This report displays a bar representing the total number of alerts logged during the reporting period, for each type of threshold alert logged, based on the Alert Description attribute of the Threshold Alert Details entity.

Logged R/T Alerts

This report displays a bar representing the total number of alerts logged during the reporting period, for each type of real-time alert logged, based on the Access Rule Description attribute of the Policy Rule Violation entity.

Violations/Incidents

See the Incident Management topic.