Big Data Intelligence with data streaming
Use data streaming to Guardium Big Data Intelligence (GBDI) to stream audit data directly from your Guardium system to the GBDI platform.
With GBDI data streaming, monitored event data from your site is sent to Guardium collectors. From there, it is processed by the Guardium collector and the selected audit data is formatted into JSON documents and streamed to the security data lake on the GBDI platform. From the GBDI platform, you can use GBDI reporting and analytic tools.
When you enable GBDI data streaming, the Guardium collector generates JSON documents for the events you choose to monitor and log. The JSON documents are sent to GBDI for storage and analysis. In addition, other information is stored in a MySQL database on the Guardium database server.
The following information can be collected and streamed to GBDI:
- Session: Contains details about the event session such as DB name, client and server ports, session start, and end, server type, client IP, and other information.
- Instance: For each SQL statement, the streamed data includes the ConstructID, original SQL
statement, any objects and verbs included in that statement, and other objects. Note: For Instances, the difference between MySQL and data streaming is as follows:
- For MySQL, detailed SQL construct information is logged in separate GDM tables: GDM_CONSTRUCT, GDM_SENTENCE, and GDM_OBJECT.
- With data streaming, construct information is part of the instance document, including original_sql, objects and verbs.
- Full_SQL: Includes all of the relative information relative to the event. This information includes data (masked or unmasked, depending on the policy rule action), the returned data count, and the total number of records affected.
- Policy_violations: Includes any policy violation information. Each policy violation message has a unique identifier, which is referenced in the Guardium alert when the alert template variable %%ViolationID is configured.
- Exception: Collects sniffer exceptions and errors. Depending on the policy rule action, the SQL string can be either full or masked.