Flat Log Process

The Flat Log option is a process to allow the Guardium® appliance to log information without immediately parsing it in real time.

This saves processing resources, so that a heavier traffic volume can be handled. The parsing and amalgamation of that data into Guardium's internal database can be done later, either on a collector or an aggregator unit.

There are two Guardium features involving the Flat Log Process.
  • Flat Log by throttling mechanism. This feature is implemented by running the CLI command, store alp_throttle 1. The same policy that is applicable to real-time S-TAP traffic is used to process traffic that was logged by the flat log process. For Flat Log by throttling mechanism, do not select the Flat Log checkbox in the Policy Builder.
  • Flat Log by policy definition. Selection of this feature involves Setup > Tools and Views > Policy Installation and Manage > Activity Monitoring > Flat Log Process.
Note: Rules on flat logs do not work with policy rules involving a field, an object, an SQL verb (command), an Object/Command Group, or an Object/Field Group. In the Flat Log process, "flat" means that a syntax tree is not built. If there is no syntax tree, then the fields, objects and SQL verbs cannot be determined.

The following actions do not work with rules on flat policies: LOG FULL DETAILS; LOG FULL DETAILS PER SESSION; LOG FULL DETAILS VALUES; LOG FULL DETAILS VALUES PER SESSION; LOG MASKED DETAILS.
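The note above is easiest to see with a small model of the two stages. The following is an added illustration written for this page, not Guardium code: it assumes a tab-separated flat file format, two hypothetical rule shapes (session-level criteria such as client IP or database user, versus criteria that need a verb or object), and a regular expression as a stand-in for the parser that would normally build the syntax tree. Stage 1 records traffic without parsing and can only evaluate session-level rules; stage 2 parses each entry later, merges it into a database, and applies the full rule set.

```python
"""Toy model of a flat log pipeline: capture raw SQL without parsing,
apply only the rules that need no syntax tree, then parse and merge later.
Added illustration; rule shapes, record format and the parser are assumptions."""
import re
import sqlite3
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed sample traffic, as a capture agent might hand it to the appliance.
SAMPLE_TRAFFIC = [
    {"client_ip": "10.0.0.5", "db_user": "app", "sql": "SELECT id FROM accounts WHERE id = 7"},
    {"client_ip": "10.0.0.9", "db_user": "dba", "sql": "DELETE FROM audit_trail"},
    {"client_ip": "192.168.1.20", "db_user": "app", "sql": "UPDATE accounts SET balance = 0"},
]


@dataclass
class Rule:
    """Hypothetical rule: session-level criteria are known before parsing,
    verb/object criteria require a syntax tree."""
    name: str
    client_ip_prefix: Optional[str] = None  # session-level
    db_user: Optional[str] = None           # session-level
    verb: Optional[str] = None              # needs syntax tree
    obj: Optional[str] = None               # needs syntax tree

    def needs_syntax_tree(self) -> bool:
        return self.verb is not None or self.obj is not None

    def matches(self, client_ip: str, db_user: str,
                verb: Optional[str] = None, obj: Optional[str] = None) -> bool:
        if self.client_ip_prefix and not client_ip.startswith(self.client_ip_prefix):
            return False
        if self.db_user and db_user != self.db_user:
            return False
        if self.verb and verb != self.verb:
            return False
        if self.obj and obj != self.obj:
            return False
        return True


RULES = [
    Rule("untrusted subnet", client_ip_prefix="192.168."),  # evaluable on flat entries
    Rule("dba deletes", db_user="dba", verb="DELETE"),       # needs the verb: not on flat
]


def flat_log(traffic: Iterable[dict]) -> List[str]:
    """Stage 1: serialise each record as received. No parsing, so it is cheap."""
    return [f"{r['client_ip']}\t{r['db_user']}\t{r['sql']}" for r in traffic]


def evaluate_on_flat(lines: Iterable[str], rules: List[Rule]) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Apply only session-level rules to flat entries; report the rules that
    cannot be evaluated because they need a verb or object."""
    unsupported = [r.name for r in rules if r.needs_syntax_tree()]
    hits = []
    for line in lines:
        client_ip, db_user, sql = line.split("\t", 2)
        for rule in rules:
            if not rule.needs_syntax_tree() and rule.matches(client_ip, db_user):
                hits.append((rule.name, sql))
    return hits, unsupported


VERB_RE = re.compile(r"^\s*(SELECT|INSERT|UPDATE|DELETE)\b", re.I)
OBJ_RE = re.compile(r"\b(?:FROM|INTO|UPDATE)\s+([A-Za-z_]\w*)", re.I)


def parse_sql(sql: str) -> Tuple[Optional[str], Optional[str]]:
    """Minimal stand-in for building a syntax tree: verb and first object."""
    v = VERB_RE.match(sql)
    o = OBJ_RE.search(sql)
    return (v.group(1).upper() if v else None, o.group(1) if o else None)


def process_flat_log(lines: Iterable[str], rules: List[Rule],
                     conn: Optional[sqlite3.Connection] = None) -> Tuple[int, List[Tuple[str, str]]]:
    """Stage 2 (the later 'Process' activity): parse each flat entry, merge it
    into the database, and apply the full rule set. Returns (row count, hits)."""
    conn = conn or sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE IF NOT EXISTS activity "
                 "(client_ip TEXT, db_user TEXT, verb TEXT, obj TEXT, stmt TEXT)")
    hits = []
    for line in lines:
        client_ip, db_user, sql = line.split("\t", 2)
        verb, obj = parse_sql(sql)
        conn.execute("INSERT INTO activity VALUES (?, ?, ?, ?, ?)",
                     (client_ip, db_user, verb, obj, sql))
        hits.extend((r.name, sql) for r in rules if r.matches(client_ip, db_user, verb, obj))
    conn.commit()
    rows = conn.execute("SELECT COUNT(*) FROM activity").fetchone()[0]
    return rows, hits


if __name__ == "__main__":
    entries = flat_log(SAMPLE_TRAFFIC)
    print("flat-time hits:", evaluate_on_flat(entries, RULES))
    print("after processing:", process_flat_log(entries, RULES))
```

Running the block shows the practical consequence of the note: at flat-log time only the subnet rule fires and the verb-based rule is reported as unsupported; the same verb-based rule fires once the entries have been processed and merged, which is why rules that depend on fields, objects or verbs should not be relied on for real-time alerting under a flat policy.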

When the Log Flat (Flat Log) checkbox option listed in the Create New Policy pane of the Policy Builder is checked,
  • Data is not parsed in real time.
  • The flat logs can be seen on a designated Flat Log List report.

To process, archive or aggregate, or purge the flat log data:
  1. Navigate to Manage > Activity Monitoring > Flat Log Process.
  2. Select the activity to perform:
    • Process - Merge the flat log information to the internal database.
    • Archive/Aggregation/Purge - Archive or aggregate, and optionally purge, the flat log.
    • Purge Only - Purge the flat log data.
  3. Click Apply to save the configuration.
  4. For a Process activity, do one of the following:
    • Click Run Once Now to merge the flat log information to the internal database immediately.
    • Click Modify Schedule to define a schedule for this activity. You can select the start time, restart frequency, and repeat frequency. For the Schedule by... field, you must select either Day/Week or Month. See Scheduling for more information about scheduling.