Alerting rule actions

Alert actions send notifications to one or more recipients.

For each alert action, multiple notifications can be sent, and the notifications can be a combination of one or more of the following notification types:
  • Email messages: You can specify the email address of a Guardium user or an external email address. Emails are sent using the SMTP server configured for the Guardium system. Additional receivers for email notification are the invoker (the user who issued the SQL command that triggered the policy) and the owner (the owner of the database). The invoker and owner are identified from the IP-based user ID mappings configured through the Guardium APIs. To view these mappings, log in as accessmgr and go to Data Security > User-DB Association, or use the list_db_user_mapping API command.
  • SNMP traps: sends a trap to the SNMP trap community configured for the Guardium system.
  • Syslog messages: generates messages that are written to the syslog.
    Attention: The %%RecordsAffected variable does not return values when used in a message template for alert only rule actions that specify the syslog notification type.
  • Custom notifications: user-created notification handlers implemented as Java classes.
Attention: Alert definitions and notifications are not subject to data-level security, for the following reasons: alerts are not evaluated in the context of a user; an alert may relate to databases associated with multiple users; and applying data-level security could leave no one receiving the alert notification.

Alert messages

The contents of an alert are defined by message templates. Navigate to Setup > Global Profile, locate the Named template field, and click Edit. Use the Named Template Finder to create, review, and modify message templates.

Alert behaviors

There are several types of alert actions, including the following:
  • Alert Daily: sends notifications only the first time the rule is matched each day.
  • Alert Once Per Session: sends notifications only once for each session in which the rule is matched. This action might be appropriate in situations where you want to know that a certain event has occurred, but not for every instance of that event during a single session. For example, you may want a notification sent when a certain sensitive object is updated, but if a program updates thousands of instances of that object in a single session, you would not want thousands of notifications sent to the receivers of the alert.
  • Alert Only: when Alert Only is used with the syslog notification type, messages go directly to /var/log/messages; with the other notification types, messages are written to the MESSAGE table. Alert Only does not notify of policy violations.
    Attention: The %%RecordsAffected variable does not return values when used in a message template for alert only rule actions that specify the syslog notification type.
  • Alert Per Match: sends notifications each time the rule is satisfied. This is appropriate for a condition requiring attention each and every time it occurs.
  • Alert Per Time Granularity: sends notifications once per logging granularity period. For example, if the logging granularity is set to one hour, notifications are sent for only the first match of the rule during each hour.
    Tip: The Guardium administrator sets logging granularity using the Manage > Activity Monitoring > Inspection Engines tool.
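As an added illustration (not Guardium code), the following Python models the throttling that the Alert Daily, Alert Once Per Session, Alert Per Match and Alert Per Time Granularity actions apply to a stream of rule matches; the mode names, the Match fields and the granularity_hours parameter are assumptions of the example, and the match stream is constructed.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass
class Match:
    ts: datetime       # time the rule matched
    session_id: str    # database session that produced the match

class AlertThrottle:
    """Decide whether a rule match should produce a notification.
    mode: per_match | daily | once_per_session | per_time_granularity."""
    def __init__(self, mode, granularity_hours=1):
        self.mode = mode
        # Models the inspection-engine logging granularity (assumed, in hours)
        self.granularity = granularity_hours
        self.seen = set()   # buckets that already produced a notification

    def _bucket(self, m):
        # One notification is sent per distinct bucket; None means "always".
        if self.mode == "per_match":
            return None
        if self.mode == "daily":
            return m.ts.date()
        if self.mode == "once_per_session":
            return m.session_id
        if self.mode == "per_time_granularity":
            return (m.ts.date(), m.ts.hour // self.granularity)
        raise ValueError(f"unknown mode {self.mode!r}")

    def should_notify(self, m):
        key = self._bucket(m)
        if key is None:
            return True
        first = key not in self.seen
        self.seen.add(key)
        return first

def notified_indexes(mode, matches, granularity_hours=1):
    # Positions in `matches` that would trigger a notification under `mode`
    t = AlertThrottle(mode, granularity_hours)
    return [i for i, m in enumerate(matches) if t.should_notify(m)]

# Constructed sample: five matches across three sessions, two hours, two days
MATCHES = [
    Match(datetime(2024, 1, 1, 9, 5), "s1"),
    Match(datetime(2024, 1, 1, 9, 20), "s1"),
    Match(datetime(2024, 1, 1, 9, 30), "s2"),
    Match(datetime(2024, 1, 1, 10, 10), "s1"),
    Match(datetime(2024, 1, 2, 8, 0), "s3"),
]
```

Running notified_indexes over MATCHES with each mode shows how the same five matches collapse to one notification per day, per session or per hour, while per_match keeps all five.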