Filtering

IBM Security Guardium S-TAP for Db2 filters events at the point of collection, regardless of the field types included in the rules for the active collection policy. This happens with or without the specification of object types, which results in efficient CPU usage.

Filtering occurs when you create a filter that uses one or more of the following filter fields:
Net Prtcl
Specifies the appliance connection type to Db2®.
OS User
Specifies the original operator user ID that is used to connect to Db2.
DB User
Specifies the primary AUTHID that is used for authorization within Db2. In most situations, this value is the same as OS User.
App. User (PROG=program)
Specifies a valid Db2 program name, such as DSNTEP2.
App. User (PLAN=plan)
Specifies a valid Db2 plan name, such as DSNTEP2.
Client Info (APPL=transaction name)
Specifies a valid program (or user workstation transaction) name, such as db2.exe.
Client Info (WKSTN=workstation name)
Specifies a valid user workstation name, such as PCsys1.
Client Info (USER=user name)
Specifies a valid user name, such as PCuser1.
Object type (%/SYSIBM.SYSTABLE)
Specifies a table.
These fields can be fully qualified, or partially qualified by using the percent sign wildcard character. For more information about using wildcard characters, see Filter wildcard support.
The most efficient CPU usage is achieved when you create a filter that eliminates the greatest number of events. To increase filtering efficiency, refine your filtering criteria by indicating the additional filtering types with specific values that are associated with the data that you want to collect.

Improving filtering efficiency

You can improve the CPU efficiency of filtering by including filter types in the filter. Specifying the plan, auth ID, connection type, operator ID, program, workstation user, workstation name, or object filter types that are associated with the performed action improves efficiency, as shown in the following example.

Example

To capture access to a table called MY.TABLE, you could create the following filter:
Filter 1
Schema.Table equal to MY.TABLE
This filter causes IBM Security Guardium S-TAP for Db2 to capture only those events that access MY.TABLE.

To increase efficiency in this example, specify an additional filter field, such as plan, even if you are sure that it is the only plan that accesses this table. To capture access to the table MY.TABLE for an application that runs under a specific plan, such as MYPLAN, the following is an example of a more efficient filter:

Filter 2
Plan equal to MYPLAN
Schema.Table equal to MY.TABLE
Specifying the plan results in only those events with the specified plan and object being streamed to the appliance. Streaming fewer events to the appliance results in improved CPU usage.
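
The following added example (not IBM code, and not a description of how S-TAP is implemented) models Filter 1 and Filter 2 over a few constructed events to show which ones each filter would stream. It assumes that every field in a filter must match and that the percent sign matches any run of characters; the event keys (plan, db_user, table) and the function names are hypothetical.

```python
import re

def wildcard_match(pattern, value):
    """Compare a filter value with an event value; % is assumed to match any run of characters."""
    parts = [re.escape(p) for p in pattern.split("%")]   # '.' in MY.TABLE stays literal
    return re.fullmatch(".*".join(parts), value) is not None

def event_passes(filter_fields, event):
    """Assumed semantics: an event is collected only if every field in the filter matches."""
    return all(wildcard_match(pat, event.get(field, ""))
               for field, pat in filter_fields.items())

def streamed(filter_fields, events):
    """Events that would be sent to the appliance under this filter."""
    return [e for e in events if event_passes(filter_fields, e)]

def dropped_for_object(filter_fields, events, table):
    """Events that touch `table` but are NOT collected under this filter."""
    return [e for e in events
            if e["table"] == table and not event_passes(filter_fields, e)]

# Constructed sample events (not real audit data)
EVENTS = [
    {"plan": "MYPLAN",  "db_user": "APPUSR1", "table": "MY.TABLE"},
    {"plan": "MYPLAN",  "db_user": "APPUSR1", "table": "MY.OTHER"},
    {"plan": "DSNTEP2", "db_user": "DBA01",   "table": "MY.TABLE"},
    {"plan": "DSNTEP2", "db_user": "DBA01",   "table": "SYSIBM.SYSTABLES"},
    {"plan": "BATCH01", "db_user": "BATCHID", "table": "MYXTABLE"},
]

FILTER_1 = {"table": "MY.TABLE"}                      # Schema.Table equal to MY.TABLE
FILTER_2 = {"plan": "MYPLAN", "table": "MY.TABLE"}    # Plan and Schema.Table
FILTER_WILD = {"plan": "MY%", "table": "MY.%"}        # partially qualified values

if __name__ == "__main__":
    for name, flt in (("Filter 1", FILTER_1), ("Filter 2", FILTER_2),
                      ("Wildcard", FILTER_WILD)):
        kept = streamed(flt, EVENTS)
        print(f"{name}: {len(kept)} of {len(EVENTS)} events streamed")
    for e in dropped_for_object(FILTER_2, EVENTS, "MY.TABLE"):
        print("Filter 2 does not collect:", e)
```

In this model, Filter 2 streams one event where Filter 1 streams two, and the event it drops is the access to MY.TABLE under plan DSNTEP2. Before adding a field such as plan, confirm that access to the object under any other plan is either impossible or covered by another filter in the policy.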