Entities and Attributes

This topic contains a description of the attributes contained in each entity.

For an overview of domains, entities, and attributes, see Domains, Entities, and Attributes. For a description of all domains, see Domains.

For z/OS data sources (Db2, Data Sets, and IMS), there are data-source-specific attributes, and the meaning of existing attributes may differ from what is described here. For more information on entities and attributes specific to z/OS data sources, see the following:

Access Policy Entity

Describes all available policies on the system. Similar to the Installed Policies entity, which is used for all installed policies on the system.

Entity list for Access Policy: Access Policy Entity; Rule Policy Entity; Rule Action Entity; and Alert Notification Entity. See the Rule Entity, Rule Action Entity, and Alert Notification Entity for their lists of attributes.

Table 1. Access Policy Entity
Attribute Description

Policy ID

Uniquely identifies an access policy

Policy Description

Describes the access policy

Selective Audit Trail

Indicates if this is a selective audit trail policy (T/F).

Audit Pattern

Test pattern used for a selective audit trail policy.

Timestamp

Timestamp for the creation of the record.

Access Period Entity

Access Periods are related to Sessions. By default, an access period is one hour long, but this can be changed by the Guardium administrator in the Inspection Engine Configuration (it corresponds to the Logging Granularity).

Timeout values depend on the number of sessions opened by an analyzer thread. For each analyzer thread, the default values are:
  • If the number of open sessions is >0 and < 250, the timeout is 60 minutes.
  • If the number of open sessions is >= 250 and < 500, the timeout is 30 minutes.
  • If the number of open sessions is >= 500 and < 750, the timeout is 15 minutes.
  • If the number of open sessions is >= 750 and < 1200, the timeout is 5 minutes.
  • If the number of open sessions is >= 1200, the timeout is 2 minutes.

Table 2. Access Period Entity
Attribute Description

Session ID

Uniquely identifies a session.

Instance ID

Uniquely identifies an instance of a construct.

Construct ID

Uniquely identifies a command construct (for example, select a from b).

Total Access

Total count of construct instances for this access period.

Period Start Date

Date only from the period start attribute.

Period Start Weekday

Weekday only from the period start attribute.

Period Start Time

Time only from the period start attribute.

Timestamp

Initially, the Timestamp value is set the first time that a request is observed on a client-server connection during an access period. By default, an access period is one hour long, but this can be changed by the Guardium administrator in the Inspection Engine Configuration - see the Guardium Administrator Guide. Thereafter, for each subsequent request, it is updated when the system updates the average execution time and the command count for this period.

Period End

Date and time for the end of the access period.

Period End Date

Date only from the period end attribute.

Period End Weekday

Weekday only from the period end attribute.

Period End Time

Time only from the period end attribute.

Application User

Application user name.

Average Execution Time

The average command execution time during the period. This is for SQL statements only. It does not apply to FTP or Windows file share traffic.

Failed Sqls (2)

The number of failed SQL requests. See note at the end of the table.

Successful Sqls (2)

The number of successful SQL requests. See note at the end of the table.

Application Event ID

The application event ID if set from the API.

Total Records Affected (2)

The total number of records affected. See note at the end of the table.

Avg Records Affected (2)

The average number of records affected. See note at the end of the table.

Total Records Affected (Desc) (2)

If the Total Records Affected attribute is a character string instead of a number, that value appears here (for example, Large Results Set, or N/A).

Records affected: the number of records affected by each execution of an SQL statement, taken from the result set.

Note: The records affected option is a sniffer operation that requires the sniffer to process additional response packets and to postpone logging of the impacted data. This increases the buffer size and can adversely affect overall sniffer performance; the significant impact comes from very large responses. To prevent a large amount of overhead from this operation, Guardium uses a set of default thresholds that let the sniffer skip the processing operation when they are exceeded.

You can use the store max_results_set_size, store max_result_set_packet_size, and store max_tds_response_packets CLI commands to set levels of granularity.

Example of result set values:
  • Case 1, records affected value is a positive number: this represents the correct size of the result set.
  • Case 2, records affected value is -2: the number of records exceeded the configurable limit (this can be tuned through the CLI).
  • Case 3, records affected value is -1: a packet configuration that Guardium does not support.
  • Case 4, records affected value is -2: the result set was sent in streaming mode.
  • Case 5, records affected value is -2: an intermediate result during the record count, reported to update the user on the current value; it ends with the positive total number of records.

Show Seconds

If the number of accesses per second is being tracked, this contains counts for each second in the access period (usually one hour).

Avg Execution Ack Time

Average execution acknowledged time in milliseconds.

Original Timezone

The UTC offset.

The UTC offset must be set so that times from two collectors in two different time zones aggregate correctly. If the offset is not set, users cannot determine or see a true representation of when events happened relative to one another.

For instance, on an aggregator that aggregates data from different time zones, you can see a session start of 21:00 in one record with original timezone UTC-02:00 and a session start of 21:00 in another record with original timezone UTC-05:00. This means that these events occurred 3 hours apart, but at the same respective local time (9 PM).

Session ID, Instance ID, Construct ID, and Total Access are only available to users with the admin role.

Failed Sqls, Successful Sqls, Application Event ID, Total Records Affected, Avg Records Affected, and Total Records Affected (Desc) are attributes that only appear when the main entity for the query permits this level of detail. These are not available if either Client/Server or Session is the main entity.
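The Original Timezone adjustment described above, shown as an added example (it is not Guardium's own code): two session starts logged as 21:00 at UTC-02:00 and at UTC-05:00 are normalised to UTC to recover that they happened 3 hours apart, which a comparison of the local timestamps alone would miss. The record layout and sample values are assumptions constructed for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample records, not taken from any Guardium system: the session
# start as logged in the collector's local time plus the Original Timezone
# attribute, using the same pair of values the text discusses.
SAMPLE_RECORDS = [
    {"session_start": "2024-03-10 21:00:00", "original_timezone": "UTC-02:00"},
    {"session_start": "2024-03-10 21:00:00", "original_timezone": "UTC-05:00"},
]

_OFFSET_RE = re.compile(r"^UTC(?P<sign>[+-])(?P<hh>\d{2}):(?P<mm>\d{2})$")
_STAMP_FMT = "%Y-%m-%d %H:%M:%S"


def parse_utc_offset(text):
    """Turn an Original Timezone value such as 'UTC-05:00' into a tzinfo.

    Anything that is not UTC+hh:mm / UTC-hh:mm is rejected rather than silently
    treated as UTC, because a missing or malformed offset is exactly the
    condition that makes a cross-collector timeline wrong.
    """
    m = _OFFSET_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised Original Timezone value: %r" % text)
    delta = timedelta(hours=int(m["hh"]), minutes=int(m["mm"]))
    return timezone(-delta if m["sign"] == "-" else delta)


def is_valid_offset(text):
    """True if parse_utc_offset() would accept the value."""
    try:
        parse_utc_offset(text)
        return True
    except ValueError:
        return False


def to_utc(record):
    """Combine the local session start with its offset and return a UTC datetime."""
    naive = datetime.strptime(record["session_start"], _STAMP_FMT)
    aware = naive.replace(tzinfo=parse_utc_offset(record["original_timezone"]))
    return aware.astimezone(timezone.utc)


def hours_apart(rec_a, rec_b):
    """Real elapsed time between two records once both are normalised to UTC."""
    return abs((to_utc(rec_a) - to_utc(rec_b)).total_seconds()) / 3600.0


def naive_hours_apart(rec_a, rec_b):
    """What a comparison that ignores Original Timezone would report."""
    a = datetime.strptime(rec_a["session_start"], _STAMP_FMT)
    b = datetime.strptime(rec_b["session_start"], _STAMP_FMT)
    return abs((a - b).total_seconds()) / 3600.0


def utc_timeline(records):
    """Order records by their true UTC instant, as an aggregator report should."""
    return sorted(records, key=to_utc)


if __name__ == "__main__":
    a, b = SAMPLE_RECORDS
    print("ignoring Original Timezone:", naive_hours_apart(a, b), "hours apart")
    print("normalised to UTC:", hours_apart(a, b), "hours apart")
    for rec in utc_timeline(SAMPLE_RECORDS):
        print(to_utc(rec).isoformat(), "<-", rec["session_start"], rec["original_timezone"])
```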

Access Rule Entity

The name assigned to an access rule when it was defined. This is available for reporting only from the owning Policy Rule Violation entity (described later), when an access rule violation is logged.

Table 3. Access Rule Entity
Attribute Description

Access Rule Description

Description from the access policy rule definition.

Activity Types Entity

Available only from the Aggregation/Archive domain, which by default is available to users assigned the admin role only. The Activity Types entity can be accessed only from the owning Aggregation/Import/Export Log Entity. It identifies a type of action (Prepare for Aggregation, Encrypt, Send, etc.).

Table 4. Activity Types Entity
Attribute Description

Activity Type

Description of an aggregation/import/export activity.

Agg/Archive Log Entity

Available only from the Aggregation/Archive domain, which by default is available to users assigned the admin role only. One or more Aggregation/Import/Export Log entities are created for each activity. For example, when an aggregator system imports data, you will typically see at least four activities:

Prepare for Aggregation

Check Duplicate Import (one per file exported to this aggregator)

Extract (one per file to be merged)

Merge (one per file merged)

Table 5. Agg/Archive Log Entity
Attribute Description

Timestamp

Updated at the start and end of the activity being logged (prepare for archiving, encrypt, send, etc.).

Status

Status of the aggregation/import/export log activity.

User Name

User name under which the activity was initiated.

Start Time

Starting time of activity.

End Time

Ending time of activity.

Period Start

Starting time for the data being acted upon. Each archiving or aggregation activity operates on one full day of activity.

Period End

Ending time for the data being acted upon.

File Name

Name of file used for the activity. Files created by the archive and export operations are named as follows:

<daysequence>-<scp_host>-w<run_datestamp>-d<data_date>.dbdump.enc

For example:

732423-g1.guardium.com-w20050425.040042-d2005-04-22.dbdump.enc

The date of the data contained in the file, in yyyy-mm-dd format, is data_date, near the end of the file name (just before .dbdump.enc). Take care not to confuse this date with the run date, which appears earlier in the file name and is the date that the data was archived or exported.

Comment

Additional comment for the activity.

Guardium Host Name

The name of the Guardium host.

Records Purged

If the activity type is Purge, the number of records purged. Otherwise, N/A.

Original Timezone

The UTC offset. This is recorded in particular for aggregators that have collectors in different time zones, so that activities that happened hours apart do not appear to have happened at the same time when imported to the aggregator.

For instance, on an aggregator that aggregates data from different time zones, you can see a session start of 21:00 in one record with original timezone UTC-02:00 and a session start of 21:00 in another record with original timezone UTC-05:00. This means that these events occurred 3 hours apart, but at the same respective local time (9 PM).
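A parser for the archive/export file name layout described under File Name, added here as an example that is not part of Guardium; it separates data_date from the run date so that files are selected by the day of activity they hold rather than by when the job ran. The first sample name is the page's own example; the second run and the hyphenated host name are constructed samples, not real files.

```python
import re
from datetime import datetime, date

# Documented name layout for files created by archive and export:
#   <daysequence>-<scp_host>-w<run_datestamp>-d<data_date>.dbdump.enc
# The host part is matched non-greedily because host names can contain '-';
# the '-w' and '-d' markers are what separate the two dates from it.
_NAME_RE = re.compile(
    r"^(?P<daysequence>\d+)-(?P<scp_host>.+?)"
    r"-w(?P<run_datestamp>\d{8}\.\d{6})"
    r"-d(?P<data_date>\d{4}-\d{2}-\d{2})\.dbdump\.enc$"
)

# The page's own example name, plus two constructed ones (not real files):
# one from the next run, and one from a host whose name contains hyphens.
SAMPLE_NAMES = [
    "732423-g1.guardium.com-w20050425.040042-d2005-04-22.dbdump.enc",
    "732424-g1.guardium.com-w20050426.040015-d2005-04-23.dbdump.enc",
    "732425-db-col-01.example.com-w20050426.040300-d2005-04-22.dbdump.enc",
]


def parse_archive_name(name):
    """Split an archive/export file name into its documented fields.

    Returns a dict with daysequence (int), scp_host (str), run_time (datetime,
    when the archive or export ran) and data_date (date, the day of activity
    the file contains). Raises ValueError for names that do not follow the
    layout, so callers cannot mistake an unrelated file for an archive.
    """
    m = _NAME_RE.match(name)
    if not m:
        raise ValueError("not an archive/export file name: %r" % name)
    return {
        "daysequence": int(m["daysequence"]),
        "scp_host": m["scp_host"],
        "run_time": datetime.strptime(m["run_datestamp"], "%Y%m%d.%H%M%S"),
        "data_date": date.fromisoformat(m["data_date"]),
    }


def is_archive_name(name):
    """True if the name follows the documented archive/export layout."""
    try:
        parse_archive_name(name)
        return True
    except ValueError:
        return False


def data_lag_days(name):
    """Days between the activity the file holds and the run that archived it."""
    info = parse_archive_name(name)
    return (info["run_time"].date() - info["data_date"]).days


def files_for_data_date(names, wanted_iso):
    """Select files by data_date (the activity day), never by the run date."""
    return [n for n in names if is_archive_name(n)
            and parse_archive_name(n)["data_date"].isoformat() == wanted_iso]


def files_run_on(names, wanted_iso):
    """Select files by run date, e.g. to check that one night's job completed."""
    return [n for n in names if is_archive_name(n)
            and parse_archive_name(n)["run_time"].date().isoformat() == wanted_iso]


if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        info = parse_archive_name(n)
        print(n)
        print("  host=%s run=%s data_date=%s lag=%d day(s)" % (
            info["scp_host"], info["run_time"], info["data_date"], data_lag_days(n)))
    print("files holding 2005-04-22 activity:", files_for_data_date(SAMPLE_NAMES, "2005-04-22"))
    print("files produced by the 2005-04-26 run:", files_run_on(SAMPLE_NAMES, "2005-04-26"))
```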

Alert Notification Entity

Describes a policy alert notification.

Table 6. Alert Notification Entity
Attribute Description

ALERT_NOTIFICATION_ID

Identifies the alert notification.

ALERT_ID

Identifies the alert definition.

Alert Notification Type

Type of alert from the policy rule definition.

Alert User

Receiver of the alert.

Alert Destination

Type of alert (EMAIL, SNMP, SYSLOG, CUSTM).

Timestamp

Timestamp when the alert record was created.

ALERT_NOTIFICATION_ID and ALERT_ID are only available to users with the admin role.

Application Data Entity

Used for the SAP and Siebel reports.

Table 7. Application Data Entity
Attribute Description

Application Data ID

Unique identifier for this data.

Application Code

The application type code.

Full SQL ID

Identifies the full SQL data.

Application Type

Application type.

User

Application user name.

Operation Type

The type of operation.

Change Date

Date of the change.

Time Stamp

Time stamp for this record.

Item Name

Name of the item affected.

Transaction Code

Transaction code.

System ID

Unique identifier for the system.

Record Detail 1

Varies by item type.

Record Detail 2

Varies by item type.

Record Detail 3

Varies by item type.

Record Detail 4

Varies by item type.

VBKey

The VBKey value.

Original Timezone

The UTC offset. This is recorded in particular for aggregators that have collectors in different time zones, so that activities that happened hours apart do not appear to have happened at the same time when imported to the aggregator.

For instance, on an aggregator that aggregates data from different time zones, you can see a session start of 21:00 in one record with original timezone UTC-02:00 and a session start of 21:00 in another record with original timezone UTC-05:00. This means that these events occurred 3 hours apart, but at the same respective local time (9 PM).

Application Events Entity

This entity is created each time that the system observes an Application Events API call (which sets these attribute values) or a stored procedure call that has been identified as a Custom Identification Procedure (which maps stored procedure parameters to these attributes).

Table 8. Application Events Entity
Attribute Description

Application Event ID

Unique identifier for this application events entity.

Event User Name

User name, set by GuardAppEvent:Start.

Event Type

Type of event, set by GuardAppEvent:Start.

Event Value Str

String value, set by GuardAppEvent:Start.

Event Value Num

Numeric value, set by GuardAppEvent:Start.

Event Date

Datetime value, set by GuardAppEvent:Start. It displays in the format yyyy-mm-dd hh:mm:ss.

Note: If an attempt is made to set the event date using a format other than yyyy-mm-dd, it will contain all zeroes. The time portion (hh:mm:ss) is optional, and if omitted will be 00:00:00.

Timestamp

Created only once, when the event is logged. Do not confuse this attribute with the Event Date attribute, which can be set using an API call or from a stored procedure parameter. (See the Guardium Administrator Guide for a description of the Application Events API and Custom Identification Procedures.)

Event Release Type

Type of event, set by GuardAppEvent:Released.

Event Release User Name

User name, set by GuardAppEvent:Released.

Event Release Value Str

String value, set by GuardAppEvent:Released.

Event Release Value Num

Numeric value, set by GuardAppEvent:Released.

Event Release Date

Datetime value, set by GuardAppEvent:Released. It displays in the format yyyy-mm-dd hh:mm:ss.

Original Timezone

The UTC offset. This is recorded in particular for aggregators that have collectors in different time zones, so that activities that happened hours apart do not appear to have happened at the same time when imported to the aggregator.

For instance, on an aggregator that aggregates data from different time zones, you can see a session start of 21:00 in one record with original timezone UTC-02:00 and a session start of 21:00 in another record with original timezone UTC-05:00. This means that these events occurred 3 hours apart, but at the same respective local time (9 PM).

Application Event ID is only available to users with the admin role.

App User Name Entity

This entity will display the username from the App Event if the App Event exists. Otherwise, the user name will display from the Construct Instance.

Table 9. App User Name Entity
Attribute Description

APP User Name

Unique identifier for this App User Name entity.

Assessment Log Entity

This entity is created each time that an assessment is run.

Table 10. Assessment Log Entity
Attribute Description

Assessment Log ID

Uniquely identifies the assessment.

Timestamp

Timestamp for the assessment.

Timestamp Date

Date portion of timestamp.

Timestamp Time

Time portion of the timestamp.

Assessment Log Type

Predefined, query or custom test.

Assessment Log Severity

The assessment test severity: Critical, Major, Minor, Cautionary, Informational. This is an ordered list of severity classifications: the highest severity is the first classification in the list and the lowest severity is the last.

Assessment Result Id1

Identifies the assessment results set.

Message

Message returned by the assessment.

Details

Details for this assessment.

Assessment Log ID is only available to users with the admin role.

Assessment Result Datasource Entity

This entity identifies a datasource accessed by the assessment test.

Table 11. Assessment Result Datasource Entity
Attribute Description

Assessment Result data source ID

Identifies a results set for a datasource.

Assessment Result ID

Identifies the result.

DB Type

Database type: Oracle, MS-SQL, DB2®, Sybase, Informix®, etc.

DB Name

Database name.

Version Level

Version level of the database.

Patch Level

Patch level of the database.

Full Version Info

Full version information for the datasource.

Datasource name

Name of the datasource.

Description

Datasource description.

Host

Host name for the datasource.

Port

Port number on the host.

Service Name

Service name for the datasource.

User Name

User name used for datasource access.

Assessment Result data source ID and Assessment Result ID are only available to users with the admin role.

Assessment Result Header Entity

This entity is created for each task in the assessment results set.

Table 12. Assessment Result Header Entity
Attribute Description

Assessment Result ID

Identifies the assessment results set.

Assessment ID

Identifies the assessment.

Task ID

Identifies the task within the assessment.

Parameter Modified Flag

Indicates if parameters modified since last run.

Execution Date

Date that the assessment was run.

Received By All

Indicates whether or not these results have been received by all receivers on the distribution list.

Overall Score

Overall score for the assessment.

From Date

From date for the assessment.

To Date

To date for the assessment.

Assessment Description

Assessment name from the definition.

Filter Client IP

Clients selected: exact IP address, address with wildcards (*), or empty to select all.

Filter Server IP

Servers selected: exact IP address, address with wildcards (*), or empty to select all.

Recommendation

Recommendation returned for the task.

Assessment Result ID, Assessment ID, and Task ID are only available to users with the admin role.

Assessment Tests Entity

This entity contains entries for available tests.

Table 13. Assessment Tests Entity
Attribute Description

Test Description

Text description of the test.

Test Type

Type of assessment test (Observed, Predefined, Custom, Query based, CVE).

Datasource Type

Type of datasource (DB2, Informix, MYSQL, ORACLE, SYBASE, etc.).

Threshold

User-defined threshold that overrides the value defined when the test was created.

Threshold Default Value

Default threshold that defines the success/fail criteria.

Severity

Severity of the assessment (Critical, Major, Minor, Caution, Info).

Category

Category of the assessment (Privilege, Authentication, Configuration, Version, Other).

Timestamp

Timestamp when the test was created.

Audit Process Entity

This entity contains basic definition parameters for an audit process.

Table 14. Audit Process Entity
Attribute Description

Process Description

Description from audit process definition.

Active

Indicates if the process is active (able to be scheduled).

Keep Result Days

The number of days the results will be kept by the system.

Keep Results Quantity

The number of results sets that will be kept by the system.


Audit Process Comments Entity

This entity has comments attached to an audit process definition. Comments attached to audit process results are contained in the Audit Process Results Comments entity.

Table 15. Audit Process Comments Entity
Attribute Description

Audit Process Comment

The text of the comment.

Audit Process Comment Creator

The creator of the comment.

Audit Process Comment Timestamp

Timestamp for the comment.

Audit Task Entity

This entity describes a single audit task (within an audit process).

Table 16. Audit Task Entity
Attribute Description

Task Type

A numeric value that indicates whether the task is a report, security assessment, entity audit trail, privacy set, or classification process. Aliases are defined for these types, so running reports with aliases on makes the report output easier to read.

Task Description

Name of the task from the task definition.

Audit Process Result Entity

This entity contains the execution date for a set of audit process results.

Table 17. Audit Process Result Entity
Attribute Description

Execution Date

The date the audit process was executed.

Audit Process Results Comments Entity

This entity has comments attached to audit process results. Comments attached to an audit process definition are contained in the Audit Process Comments entity.

Table 18. Audit Process Results Comments Entity
Attribute Description

Audit Process Comment

The text of the comment.

Audit Process Comment Creator

The creator of the comment.

Audit Process Comment Timestamp

Timestamp for the comment.

Auto-discovery Scan Entity

This entity identifies when a scan executed.

Table 19. Auto-discovery Scan Entity
Attribute Description

Scan Timestamp

The time the scan executed.

Original Timezone

The UTC offset. This is recorded in particular for aggregators that have collectors in different time zones, so that activities that happened hours apart do not appear to have happened at the same time when imported to the aggregator.

For instance, on an aggregator that aggregates data from different time zones, you can see a session start of 21:00 in one record with original timezone UTC-02:00 and a session start of 21:00 in another record with original timezone UTC-05:00. This means that these events occurred 3 hours apart, but at the same respective local time (9 PM).

Changed Columns Entity

This entity describes a changed column.

Table 20. Changed Columns Entity
Attribute Description

Changed Column Name

Name of the changed column on the database.

Old Value

Value before the change.

New Value

Value after the change.

Original Timezone

The UTC offset. This is recorded in particular for aggregators that have collectors in different time zones, so that activities that happened hours apart do not appear to have happened at the same time when imported to the aggregator.

For instance, on an aggregator that aggregates data from different time zones, you can see a session start of 21:00 in one record with original timezone UTC-02:00 and a session start of 21:00 in another record with original timezone UTC-05:00. This means that these events occurred 3 hours apart, but at the same respective local time (9 PM).

Changed Data Values Entity

This entity is used with the IBM InfoSphere Change Data Capture (InfoSphere CDC) replication solution, which replicates to and from supported databases. Maintaining replicated databases can be used to reduce processing overhead and network traffic.

IBM Guardium customers with Database Activity Monitoring will have access to InfoSphere CDC.

This Guardium feature uses a Java CDC user exit to send value-change information to the Guardium collector.

User exits for InfoSphere CDC let the user define a set of actions that InfoSphere CDC runs before or after a database event occurs on a specified table.

Table 21. Changed Data Values Entity
Attribute Description

Full SQL ID

Unique identifier for the Full SQL.

Table Name

Table Name from database

Column Name

Column Name from database

Old Value

Value before the change.

New Value

Value after the change.

Timestamp

Time the record was created.

The Guardium agent that interfaces with IBM's InfoSphere Change Data Capture (InfoSphere CDC) application requires two files to be installed on the database server. They are in the sources/apps/GuardCDC/lib/ directory of the build: protobuf-java-2.4.1.jar and GuardCdc.jar.

Instructions for installation

Prerequisites - the InfoSphere Change Data Capture (InfoSphere CDC) application must already be installed on the DB Server.

Steps to install the Guardium agent on the Database server:
  1. Copy these two files to the RepEngine/lib/ directory of the cdchome directory. An example of the full path would be /cdchome/cdc6.5.2/RepEngine/lib/
  2. Unzip each file
  3. Edit the guard_cdc_user_exit_config.mxl file to add the Guardium_Host name. An example of where this file would be located is /cdchome/cdc6.5.2/RepEngine/lib/com/guardium/cdc/userexit/
  4. Configure InfoSphere CDC to write to the GuardiumAgent. There are multiple steps to set up and configure the CDC application. These steps can be obtained from the InfoSphere CDC development/support team at IBM.

Classification Process Results Entity

This entity is created for each classification process rule that is fired.

Table 22. Classification Process Results Entity
Attribute Description

Catalog

Catalog location for results set.

Schema

Schema name if applicable.

Table Name

Table name from the rule definition.

Column Name

Column name from the rule definition.

Rule Description

The classifier policy rule description.

Comments

Any comments added to this rule definition.

Classification Name

Classification for the rule.

Category

Category for the rule.

Data Source Description

Data source for the rule.

Classification Process Run Entity

This entity describes a classification process job execution.

Table 23. Classification Process Run Entity
Attribute Description

Process Description

From the process definition.

Status

Job status.

Queue DateTime

Timestamp when the job was submitted to the classifier/assessment queue.

Start DateTime

Timestamp at start of job.

End DateTime

Timestamp at end of job.

Data Sources

Identifies the datasource list for the job.

Client/Server Entity

This entity describes a specific client-server connection. An instance is created each time a unique set of attributes (excluding the Timestamp) is detected.

Table 24. Client/Server Entity
Attribute Description

Access ID

A unique identifier for this client/server connection.

Timestamp

Since all attributes in this entity contain static information, this timestamp is created only once, when Guardium observes a request on the defined client-server connection for the first time.

Timestamp Date

Date only from the timestamp.

Timestamp Time

Time only from the timestamp.

Timestamp Weekday

Weekday only from the timestamp.

Timestamp Year

Year only from the timestamp.

Server Type

DB2, Oracle, Sybase, etc.

Client IP

Client IP address.

Server IP

Server IP address.

Network Protocol

Network protocol used (for example, TCP or UDP). Note that for K-TAP on Oracle, this may display as either IPC or BEQ.

DB Protocol

Protocol specific to the database server.

DB Protocol Version

Protocol version for the DB Protocol.

DB User Name

Database user name. The DB user name is the person who connected to the database, either local or remote.

Source Program

Source program for the interaction.

Client MAC

Client hardware address.

Client Host Name

Client host name.

Service Name

Service name for the interaction. In some cases (AIX® shared memory connections, for example), the service name is an alias that is used until the actual service is connected. In those cases, once the actual service is connected, a new session is started - so what the user experiences as a single session will be logged as two sessions.

For Teradata, Service name contains the session logical host id value.

Server OS

Server operating system.

For Informix, the OS may appear as follows:

  • IEEEM indicating Unix or JDBC
  • IEEEI indicating Windows
  • DEC indicating DEC Alpha

For Teradata, there is no direct information about the client/server OS; instead, the data format type is used, which indicates how integer data is stored during the database session. This corresponds closely to the platform in use and may appear as follows:
  • IBM® MAINFRAME: IBM mainframe data format
  • HONEYWELL MAINFRAME: Honeywell mainframe data format
  • AT&T 3B2: AT&T 3B2 data format
  • INTEL 8086: Intel 8086 data format (IBM PC or compatible)
  • VAX: VAX data format
  • AMDAHL: Amdahl data format

Client OS

Client operating system.

For Teradata, there is no direct information about the client/server OS; instead, the data format type is used, which indicates how integer data is stored during the database session. This corresponds closely to the platform in use and may appear as follows:
  • IBM MAINFRAME: IBM mainframe data format
  • HONEYWELL MAINFRAME: Honeywell mainframe data format
  • AT&T 3B2: AT&T 3B2 data format
  • INTEL 8086: Intel 8086 data format (IBM PC or compatible)
  • VAX: VAX data format
  • AMDAHL: Amdahl data format

OS User

OS user account for the interaction.

Server Host Name

Server host name.

Server Description

Server description (if any).

ClientIP/DBUser

Paired attribute value consisting of the client IP address and database user name.

Analyzed Client IP

Applies only to encrypted traffic; when set, client IP is set to zeroes.

Analyzed Client IP has a mapping for the CEF source. If the query used for the CEF does not contain the Client IP but does contain the Analyzed Client IP, the Analyzed Client IP is used for the source. If both are included in the query, Client IP takes precedence.

Server IP/DB user

Paired attribute value consisting of Server IP address and database user name.

Client/Server by session

Client/Server by session is also a Main Entity. Access this secondary entity by clicking on the Client/Server primary entity.

Access ID is only available to users with the admin role.

Note: For Access Tracking only, Client/Server Entity name will appear in the pulldown menu as two possible entities - Client/Server and Client/Server By Session.

Client/Server By Session will get count from Client/Server and date conditions from Session.

Client/Server will get count from Client/Server and date conditions also from Client/Server.

If the user chooses Client/Server, then the query will be populated with ATTRIBUTE_ID = 1. If the user chooses Client/Server By Session, then the query will be populated with MAIN_ATTRIBUTE_ID = 0.

CM Buffer Usage Monitor Entity

Within Central Manager, shows the aggregate of all Sniffer Buffer Usage entities that have been uploaded.

Table 25. CM Buffer Usage Monitor Entity
Attribute Description

Sniffer Buffer Usage ID


Timestamp

Time the record was created.

Sniffer CPU PCT

Percentage of CPU used by sniffer.

Sniffer Mem PCT

Percentage of memory used by sniffer.

MySQL CPU PCT

Percentage of CPU used by MySQL.

MySQL MEM PCT

Percentage of memory used by MySQL.

PID

Sniffer process identifier.

Memory

Amount of memory used by sniffer.

Time

Elapsed time used by sniffer.

Free Buffer

Amount of free buffer space.

Analyzer Rate

Rate at which messages are being analyzed.

Analyzer Queue

Size of the analyzer queue.

Analyzer Total

Total number of messages analyzed.

Logger Queue

Size of logger queue.

Logger Total

Total number of messages logged.

Session Queue

Size of session queue.

Session Total

Total number of sessions.

Handler Data

Internal sniffing engine data.

Extra STR

Internal sniffing engine data.

Sniffer Connections Used

Total number of connections currently being monitored since inspection engine was restarted.

Sniffer Packets Dropped

Packets dropped by sniffer.

Sniffer Packets Ignored

Packets ignored by sniffer.

Sniffer Packets Throttled

Total number of connections that have been ignored due to throttling since inspection engine was restarted.

Sniffer Connections Ended

Total number of connections that were monitored and have ended since inspection engine was restarted.

Logger Session Count

Count of sessions logged.

Logger Packets Ignored by Rule

Packets ignored by policy rule action.

Analyzer Lost Packets

Packets lost by analyzer.

Logger Dbs Monitored

List of database types currently being monitored.

Mysql Is Up

Boolean indicator for internal database restart (1=was restarted, 0=not restarted).

System Cpu Load

System CPU utilization.

System Uptime

Time since last start-up.

Mysql Disk Usage

MySQL disk usage.

System Memory Usage

System memory utilization.

System Var Disk Usage

System var disk utilization.

System Root Disk Usage

System Root disk utilization.

Eth0 Received

Messages received on ETH 0.

Eth0 Sent

Messages sent on ETH 0.

Promiscuous Received

Rate of received packets through the sniffing network cards (non-interface ports).

Open FDs

Open File Descriptors.

Open FDs MySQL

Database open file descriptors.

Sessions normal

Count of normal sessions.

Sessions not opened

Count of sessions not opened by sniffer.

Sessions timeout

Count of sessions timed-out.

Sessions ignored

Count of sessions ignored by sniffer.

Session Direct closed

Count of sessions directly closed.

Session guessed

Count of sessions guessed.

SqlGuard Timestamp

The time the record was inserted into the custom table.

Datasource Name

The name of the data source used to upload the record.

Command Entity

For each command, an entity is created for each parent node and position in which the command appears in a command construct.

Table 26. Command Entity
Attribute Description

Command Id

Uniquely identifies the command.

Construct Id

Uniquely identifies the construct (e.g., select a from b).

SQL Verb

Main verb in SQL command (e.g., select, insert, delete, etc.).

Depth

Depth of the command in the SQL parse tree.

Parent

Identifier of parent node in the parse tree.

Command ID and Construct ID are only available to users with the admin role.

Comments Entity

This entity describes a user comment. It is available in the Comments domain only, which is restricted to admin users. This domain includes only sharable comments, which are all comments except for those that run locally (see the Local Comments entity).

Table 27. Comments Entity
Attribute Description

Comment Creator

The Guardium user who created the comment.

Comment Reference

Indicates the element to which the comment is attached - a query, audit process result, or another comment, for example.

Content of Comment

The complete comment text.

Timestamp

Date and time the comment was created.

Timestamp Year

Year only from the timestamp.

Timestamp WeekDay

Weekday only from the timestamp.

Timestamp Time

Time only from the timestamp.

Timestamp Date

Date only from the timestamp.

Object Description

The name of the object from which the comment was defined. For example, a comment defined on a policy has an object description of ACCESS_RULE_SET.

Record Associations

A list of records that this comment is associated with.

Database Error Text Entity

The text of each common database error message is stored in a table in the Guardium internal database. It is available for reporting only from the owning Exception Entity for each exception that is a database error. Some types of exceptions - S-TAP® disconnects or reconnects, for example - will have no database error text.

Table 28. Database Error Text Entity
Attribute Description

Database Error Text

A database error code followed by a short text description of the error. The error code is taken from the Exception Description attribute of the Exception entity. Using the error code as a key, the error text is obtained from an internal table on the Guardium appliance, which contains the most common error messages (about 54,000 of them).

For example: ORA-00942: table or view does not exist

Error Code

Displays the database error code.

Data Source Entity

This entity (under CAS Config Tracking/ Monitored Item Details Entity) identifies a data source.

Table 29. Data Source Entity
Attribute Description

Data source ID

Identifies a results set for a data source

Data source Type

Data source type - Oracle, MS-SQL, DB2, Sybase, Informix, etc.

Data source Name

Data source name

Data source Description

Description of the data source

Host

Host name for the data source

Port

Port Number on host

Service Name

Service name for the data source

User Name

User name for datasource access

Database Name

Database name

Last Comment

Last comment

Shared

Yes or No

Connection Properties

The Connection Property box has information in it only if additional connection properties must be included on the JDBC URL to establish a JDBC connection with this datasource.

Discovered Host Entity

This entity identifies a discovered host.

Table 30. Discovered Host Entity
Attribute Description

Server IP

IP address of the discovered host.

Server Host Name

Host name of the discovered host.

Original Timezone

The UTC offset of the time zone in which the record was originally logged. It is kept mainly for aggregators that receive data from collectors in different time zones, so that activities that happened hours apart do not appear to have happened at the same time when imported to the aggregator.

For instance, on an aggregator that aggregates data from different time zones, you can see one record whose session start is 21:00 with original timezone UTC-02:00 and another whose session start is 21:00 with original timezone UTC-05:00. These events occurred 3 hours apart, but at the same respective local time (9 PM).

Discovered Instances Entity

This entity identifies discovered instances.

Table 31. Discovered Instances Entity
Attribute Description

Timestamp

A timestamp value created when Guardium records this instance of the entity (every instance has a unique timestamp).

Host

Host name for this instance

Protocol

Protocol specific to this instance

Port Min

Port range, minimum port number for inspection-engines

Port Max

Port range, maximum port number for inspection-engines

Client IP

IP address/mask of client

Exclude Client IP

IP address/mask of clients to exclude

Proc Names

Name of database executable

Named Pipe

Pipe name used by database

KTAP DB Port

Database port for KTAP

DB Install Dir

Database Install Directory

Proc Name

Process name

DB2 Shared Mem Adjustment

Packet header size

DB2 Shared Mem Client Position

Client I/O area offset

DB2 Shared Mem Size

DB2 shared memory segment size

Instance Name

Name of the discovered instance

Informix Version

Informix Version

Discovered Port Entity

This entity identifies a discovered port.

Table 32. Discovered Port Entity
Attribute Description

Port

Discovered port number.

Probe Attempted

Indicates if a probe for a supported database service has been attempted on this port. T=yes, F=no.

Port Type

Indicates the port type (usually TCP).

DB Type

If a probe of the port has found a supported database type, indicates the type (DB2, Informix, MS SQL Server etc.)

Probe Timestamp

The date and time that this specific port was probed.

Original Timezone

The UTC offset of the time zone in which the record was originally logged. It is kept mainly for aggregators that receive data from collectors in different time zones, so that activities that happened hours apart do not appear to have happened at the same time when imported to the aggregator.

For instance, on an aggregator that aggregates data from different time zones, you can see one record whose session start is 21:00 with original timezone UTC-02:00 and another whose session start is 21:00 with original timezone UTC-05:00. These events occurred 3 hours apart, but at the same respective local time (9 PM).

Exception Entity

This entity is created for each exception encountered.

Table 33. Exception Entity
Attribute Description

Exception ID

Uniquely identifies the exception.

Exception Type ID

Uniquely identifies the exception type.

Exception Timestamp

Date and time created when this Exception entity was logged.

Exception Date

Date only from the timestamp.

Exception Time

Time only from the timestamp.

Exception Weekday

Weekday only from the timestamp.

Exception Year

Year only from the timestamp.

Source Address

Source IP address of the exception.

Source Port

Source port number.

Destination Address

Destination IP address.

Destination Port

Destination port number.

Database Protocol

Database protocol for the exception.

New TTL value

Reserved for admin role use only.

Exception Description

Description of the exception.

For an S-TAP reconnect or timeout exception, this will contain the IP address or DNS name of the database server.

For a database exception, this is an error code from the database management system. For most common messages (about 54,000 of them), a longer text description is available in the Database Error Text attribute. That text comes from the internal Guardium database table of error messages, not from the exception itself.

SQL string that caused the exception

The SQL string that caused the exception.

User Name

Database user name. On encrypted traffic, where correlation is required, this value may not be available, but it is always available from the DB User Name attribute in the Client/Server entity.

App User Name

Application user name.

Link to more information about the exception

Optional link that is sometimes available, depending on the exception source.

Global ID

Global identifier for the exception.

Original Timezone

The UTC offset of the time zone in which the record was originally logged. It is kept mainly for aggregators that receive data from collectors in different time zones, so that activities that happened hours apart do not appear to have happened at the same time when imported to the aggregator.

For instance, on an aggregator that aggregates data from different time zones, you can see one record whose session start is 21:00 with original timezone UTC-02:00 and another whose session start is 21:00 with original timezone UTC-05:00. These events occurred 3 hours apart, but at the same respective local time (9 PM).

Exception ID and Exception Type ID are only available to users with the admin role.

Exception Type Entity

There is a fixed set of exception types, one of which will be associated with each exception logged. These are available for reporting only from the owning Exception Entity.

Table 34. Exception Type Entity
Attribute Description

Exception Description

A text description of the exception type, from the following list. Most of these should never be seen. A note follows each of the most common exception types.

A new construct was used

Alert Process threw an exception

Custom Alerting Processing Exception

Database Server returned an error

For this message, a database error code will be stored in the Exception Description attribute of the Exception entity, and a text version of the database error message will be available in the Database Error Text attribute of the Database Error Text entity.

DB Protocol Exception

Debug prints through the EXCEPTIONs mechanism

Dropped database requests

Session information was dropped due to excess traffic.

Error During Configuration Auditing System Process

Error During Classification Process

Invalid Query Invocation

Login Failed

Low-level DB protocol Exception

Scheduled job threw an exception

Security Assessment Exception

Security Exception

For this message, a custom class exception is raised when execution of code that breaches security restrictions is blocked, such as when users use the Java™ API to define their own alerts or assessments.

Session closed prematurely

SQL Parser Exception

S-TAP Connectivity reconnect

For this message, the IP address or DNS name of the database server will be available in the Exception Description attribute of the Exception entity.

S-TAP Connectivity timeout

For this message, the IP address or DNS name of the database server will be available in the Exception Description attribute of the Exception entity.

TCP ERROR

For this message, additional information about the error will be included in the Exception Description attribute of the Exception entity.

Turbine class threw an exception

Unable to purge report

Field Entity

Each time Guardium encounters a new field, it creates a field entity.

Table 35. Field Entity
Attribute Description

Field ID

Uniquely identifies the field.

Construct ID

Uniquely identifies the construct in which it was referenced.

Command ID

Uniquely identifies the main command from the construct in which it was referenced.

Object ID

Uniquely identifies the object from the construct in which it was referenced.

Field Name

Name of the field.

List Clause

Where Clause

Order by Clause

Having Clause

Group By Clause

On Clause

Use these attributes to order complex SQL queries.

Example of SQL queries:

Order by

SELECT * FROM dept_costs

WHERE dept_total >

(SELECT avg FROM avg_cost)

ORDER BY department

Having

SELECT column_name1, SUM(column_name2)

FROM table_name

GROUP BY column_name1

HAVING (numerical function condition)

Group By

SELECT column_name1, SUM(column_name2)

FROM table_name

GROUP BY column_name1

Where

SELECT FirstName, LastName, City

FROM Users

WHERE City = 'Los Angeles'

Field ID, Construct ID, Command ID, and Object ID are only available to users with the admin role.

Field SQL Value Entity

These entities are created only by policy rule actions that log with values; for example: Log Full Details With Values, and Log Full Details Per Session With Values. The field value logged may or may not be associated with a field name. For example, field names will be available (in the Field entity) if the following statement is logged:

insert into t1 (foo, bar) values (10, 20)

But not available when the following statement is logged:

insert into t2 values (10, 20)

Table 36. Field SQL Value Entity
Attribute Description

Value

A field value from the logged construct.

Flat Log Entity

This entity describes flat log processing activity.

Table 37. Flat Log Entity
Attribute Description

Full SQL

The full SQL logged.

Timestamp

Date and time stamp when logged.

Timestamp Date

Date portion of the timestamp.

Timestamp Time

Time portion of the timestamp.

Response Time

Response time for the request in milliseconds.

Records Affected

The number of records affected by the request.

Succeeded

Indicates if request was successful (True/False).

Statement Type

The type of SQL statement

SQL: simple, direct SQL command, for example, typed directly into the CLI

RAW: PREPARE of a SQL statement for later execution, for example, conn.prepareStatement("select a from b where c=:value")

BIND: execution of a prepared statement including bound parameter values

Statement type is part of the FULL SQL entity and is audited only if you have configured Log Full Details for this statement within the policy.

You cannot filter out specific statement types in the policy (for example, to audit only SQL and BIND statements). You can, however, filter them out in reports.

Returned Data

Data returned (if any)

Bind Info

Bind information for the request

Bind Variables Values

For DB2/zOS, contains a comma-separated list of bind variable values.

Original Timezone

The UTC offset of the time zone in which the record was originally logged. It is kept mainly for aggregators that receive data from collectors in different time zones, so that activities that happened hours apart do not appear to have happened at the same time when imported to the aggregator.

For instance, on an aggregator that aggregates data from different time zones, you can see one record whose session start is 21:00 with original timezone UTC-02:00 and another whose session start is 21:00 with original timezone UTC-05:00. These events occurred 3 hours apart, but at the same respective local time (9 PM).

FULL SQL Entity

Full SQL entities are created only by the following policy rule actions: Log Full Details, Log Full Details With Values, Log Full Details Per Session, or Log Full Details Per Session With Values.

Table 38. FULL SQL Entity
Attribute Description

Full Sql

Full SQL statement including values.

Timestamp

The timestamp records the time when the SQL is executed in the database server.

Response Time

The response time for the request in milliseconds. When requests are monitored in network traffic, the response times are an accurate reflection of the time taken to respond to the request (Guardium timestamps both the client request and the server response).

Records Affected

The number of records affected for each session. On reports using this attribute, we suggest that you turn on aliases to properly display special cases such as Large Result Set or N/A.

Returned Data

Data returned for this request (if any, and if available).

Full SQL ID

Unique identifier for the Full SQL.

Instance ID

Unique identifier for the Full SQL instance.

Succeeded

Indicates if the call succeeded.

Records Affected (Desc)

When the Records Affected is a string value instead of a number, that string is stored here. For example: Large Result Set or N/A.

Access Rule Description

Description of the policy rule used

Returned Data Count

Number of rows returned from the SQL statement used in the policy rule.

Auto-Commit

Entries are automatically numbered.

Ack Response Time

Acknowledged Response Time in milliseconds.

Ingress Kbyte count

Records the number of bytes in requests.

Egress Kbyte count

Records the number of bytes in responses.

Statement Type

The type of SQL statement

SQL: simple, direct SQL command, for example, typed directly into the CLI

RAW: PREPARE of a SQL statement for later execution, for example, conn.prepareStatement("select a from b where c=:value")

BIND: execution of a prepared statement including bound parameter values

Statement type is part of the FULL SQL entity and is only audited if you have configured Log Full Details for this statement within the policy.

You cannot filter out specific statement types in the policy (for example, to audit only SQL and BIND statements). You can, however, filter them out in reports.

Bind Variables Values

For DB2/zOS, contains a comma-separated list of bind variable values.

Original Timezone

The UTC offset of the time zone in which the record was originally logged. It is kept mainly for aggregators that receive data from collectors in different time zones, so that activities that happened hours apart do not appear to have happened at the same time when imported to the aggregator.

For instance, on an aggregator that aggregates data from different time zones, you can see one record whose session start is 21:00 with original timezone UTC-02:00 and another whose session start is 21:00 with original timezone UTC-05:00. These events occurred 3 hours apart, but at the same respective local time (9 PM).

Full SQL ID, Instance ID, and Succeeded are only available to users with the admin role.

FULL SQL Values Entity

These entities are created only by the following policy rule actions: Log Full Details With Values, and Log Full Details Per Session With Values.

Table 39. FULL SQL Values Entity
Attribute Description

Values

One or more values from the logged construct.

Timestamp

Date and Time Full SQL Values Entity was created.

GIM Events Entity

This entity describes events that have occurred while using the Guardium Installation Manager (GIM).

Table 40. GIM Events Entity
Attribute Description

Event Generator

IP address of the client (i.e. DB-Server) which generated the event.

Event Description

Event Description.

Event Time

The time when the event occurred.

Group Entity

This entity describes a group that has been defined to Guardium.

Table 41. Group Entity
Attribute Description

Group Description

The name of the group.

Group Subtype

Subtype, if any, defined for the group.

Timestamp

Date and time the group entity was created.

Group Member Entity

This entity describes a member of a group that has been defined to Guardium.

Table 42. Group Member Entity
Attribute Description

Group Member

The name of the group member.

Timestamp

Date and time the group member was created or updated.

Timestamp Date

Date only from the timestamp.

Timestamp Time

Time only from the timestamp.

Timestamp Year

Year only from the timestamp.

Timestamp Weekday

Weekday only from the timestamp.

Group Type Entity

This entity describes a type of Guardium group (user, client IP address, command, etc.).

Table 43. Group Type Entity
Attribute Description

Group Type

Identifies the group type.

Timestamp

Date and time the group type was created.

Guardium Activity Types

This entity describes the various user activities

Table 44. Guardium Activity Types
Attribute Description

Activity Type Description

Description of the activity

Activity Type ID

Uniquely identifies the activity type.

Guardium Role Entity

This entity (under User Entity) identifies a Guardium role.

Table 45. Guardium Role Entity
Attribute Description

Role Identifier

ID of role identified.

Role

Guardium role listed.

Guardium Applications Entity

This entity (under User Entity) identifies a Guardium application.

Table 46. Guardium Applications Entity
Attribute Description

Application Identifier

ID of application identified.

Application

Guardium application listed (for example, Query Builder, Policy Builder, etc.).

Guardium Activity Types Entity

An instance is defined in the internal Guardium database for each type of activity.

Table 47. Guardium Activity Types Entity
Attribute Description

Activity Types Description

Description of an activity.

Guardium User Activity Audit Entity

This entity is created for each Guardium user activity.

Table 48. Guardium User Activity Audit Entity
Attribute Description

Login ID

ID used for login.

User Name

Guardium user name for the activity.

Timestamp

Created when the activity was logged.

Modified Entity

The Guardium entity modified (a group definition, for example).

Entity Key Used

Key used to access the entity.

Key Value

New value of the entity.

All Values

All values altered.

Object Description

The name of specific object altered.

Global ID

A unique global ID for the session.

Host Name

Host name of the user.

Guardium Users Login Entity

This entity is created each time a user logs in to the Guardium appliance.

Table 49. Guardium Users Login Entity
Attribute Description

Login ID

ID used for login.

User Name

Created when the Guardium user logs in or out (there will be one entity per Guardium session).

Login Date And Time

Date and time user logged in.

Logout Date And Time

Date and time user logged out.

Login Succeeded

Indicates if login was successful.

Global Id

A unique global ID for the session.

Host Name

Host name of the user.

Remote Address

Remote address of the user.

Host Entity

A CAS Host entity is created the first time that CAS is seen on a database server host. It is updated each time that the online/offline status changes. The Host entity is also available in the CAS Host History domain.

Table 50. Host Entity
Attribute Description

Host Name

Database server host name (may display as IP address)

OS Type

Operating system: UNIX or WIN

Is Online

Online status (Yes/No) when record was written

Host Id

Identifies the host record

Host Configuration Entity

A Host Configuration entity is created for each item in a CAS instance.

Table 51. Host Configuration Entity
Attribute Description

Audit State Label Id

Unique numeric identifier for the configuration item

Timestamp

Timestamp for creation of the entity

Host Name

Database server host name or IP address

OS Type

Operating system: Unix or Windows.

DB Type

Database type: Oracle, MS-SQL, DB2, Sybase, Informix, or N/A if the change is to an operating system instance

Instance Name

Name of the template set instance

Type

Type of monitored item that changed.

OS Script or SQL Script: A change triggered by the OS script contained in the monitored item template definition.

Environment Variable: An environment variable (Unix only)

Registry Variable: A registry variable (Windows only)

File: A specific file. There is no host configuration entity for a file pattern defined in the template set used by the instance. Instead, there is a separate host configuration entity for each file that matches the pattern.

Monitored Item

The name of the changed item, from the Description (if entered), otherwise a default name depending on the Type (a file name, for example).


Host Event Entity

A host event entity is created each time an event is detected or signaled (see the event types) by CAS.

Table 52. Host Event Entity
Attribute Description

Audit Host Event Id

Identifies the host event entity

Event Time

Date and time that the event was recorded

Event Type

Identifies the event being recorded:

Client Up - CAS started on database server host

Client Down - CAS stopped on database server host

Failover Off - A server is available (following a disruption), so CAS data is being written to the server

Failover On - The server is not available, so CAS data is being written to the failover file

Server Down - The database server stopped

Server Up - The database server started

Timestamp

Timestamp for creation of the entity

Audit Host Id

Identifies the host

Original Timezone

The UTC offset of the time zone in which the record was originally logged. It is kept mainly for aggregators that receive data from collectors in different time zones, so that activities that happened hours apart do not appear to have happened at the same time when imported to the aggregator.

For instance, on an aggregator that aggregates data from different time zones, you can see one record whose session start is 21:00 with original timezone UTC-02:00 and another whose session start is 21:00 with original timezone UTC-05:00. These events occurred 3 hours apart, but at the same respective local time (9 PM).

Incident Entity

Incident entities are created by incident generation processes, or manually by assigning a policy violation to an incident.

Table 53. Incident Entity
Attribute Description

Timestamp

Time the incident was created.

Category Name

Category assigned to the incident.

Incident Number

Incident number (assigned sequentially).

Incident Severity Entity

The incident severity description for an incident.

Table 54. Incident Severity Entity
Attribute Description

Incident Severity Description

The severity code will be one of the following:

INFO, LOW, MED, HIGH

Incident Status Entity

Describes the status of an Incident entity.

Table 55. Incident Status Entity
Attribute Description

Status Description

Will be one of the following values:

OPEN - The incident has not yet been assigned to a user.

ASSIGNED - The incident has been assigned.

CLOSED - The incident is closed.

Installed Policy Entity

Describes the installed policy.

Table 56. Installed Policy Entity
Attribute Description

ID

Identifies the policy installation record.

Rule Set Id

Identifies the set of rules.

Policy Description

Description from the policy definition.

Selective Audit Trail

Indicates if this is a selective audit trail policy (T/F).

Audit Pattern

Test pattern used for a selective audit trail policy.

Timestamp

Timestamp for the creation of the record.

Sequence

Sets the sequence order when multiple policies are installed.

Instance Config Entity

An Instance Config entity is created each time that an instance configuration is defined. This entity defines how the CAS instance connects to the database (if necessary), and identifies the template set used by the instance. It provides current status of the instance (in use, enabled, or disabled) and the date of the last revision.

Instance Config Entity Attributes

Table 57. Instance Config Entity
Attribute Description

Config Id

Identifies this configuration record.

Timestamp

Timestamp record created.

DB Type

Database type: Oracle, MS-SQL, DB2, Sybase, Informix; or N/A for an operating system instance

Instance

The name of the instance

User

The user name that CAS uses to log onto the database; or N/A for an operating system instance.

Port

The port number CAS uses to connect to the database; or empty for an operating system instance

DB Home Dir

The home directory for the database; or empty for an operating system instance

Template Set Id

Identifies the template set used by this instance

OS Type

Operating system of the host: UNIX or Windows

Join Entity

A join table is a way of implementing many-to-many relationships. The Join entity describes the tables joined in a SELECT SQL statement.

Table 58. Join Entity
Attribute Description

Join ID

Unique identifier

Construct ID

Identifies the construct in which the join is referenced.

Join SQL

Join tables

Where SQL

Where clause (join conditions)

Timestamp

Date and Time that the Join Entity was created.

Local Comments Entity

This entity describes a local comment. It is available in the Comments domain only, which is restricted to admin users. This entity includes only local comments, for processes and results sets that run locally. Comments that are sharable are defined in the Comments entity.

Table 59. Local Comments Entity
Attribute Description

Comment Creator

The Guardium user who created the comment.

Comment Reference

Indicates the element to which the comment is attached - a query, audit process result, or another comment, for example.

Content of Comment

The complete comment text.

Timestamp

Date and time the comment was created.

Timestamp Year

Year only from the timestamp.

Timestamp WeekDay

Weekday only from the timestamp.

Timestamp Time

Time only from the timestamp.

Timestamp Date

Date only from the timestamp.

Object Description

The name of the object from which the comment was defined. For example, a comment defined on an incident has an object description of INCIDENT.

Record Associations

A list of records that this local comment is associated with.


Location View

How to determine what days are not archived

Use a query (Tools tab > Report Building > Report Builder > query Location View) that can be modified to create a report showing the files that are archived. This report lists all the files with archive dates. Dates not on this report indicate that those dates have not been archived. Run archive for the dates not on the list, if required.

Table 60. Location View Entity
Attribute Description

From Date

The start date

To Date

The finish date

Aggregator

The Guardium system on which the file was generated. This can be a collector, not only an aggregator.

Host

Host name

User Name

Name of user

Path

Path name to files

System Type

The protocol used for archiving: SCP, FTP, Centera, or TSM.

Count of Destinations

Archive destinations

Login Correlation Entity

Obsolete beginning with version 4.0 of Guardium. This was the only entity of the Access Trace Tracking domain, which was obsolete beginning with version 4.0 of S-TAP. If you have old queries or reports using that domain, they will not work in this release, and any database login information recorded in that domain would pre-date the installation of version 4.0 of S-TAP.

Message Text Entity

For a threshold alert, the text of the message.

Table 61. Message Text Entity
Attribute Description

Message Text ID

Uniquely identifies the message text

Message Subject

Message subject (for an email message, for example).

Message Text

Message text.

Original Timezone

The UTC offset of the time zone in which the record was originally logged. It is kept mainly for aggregators that receive data from collectors in different time zones, so that activities that happened hours apart do not appear to have happened at the same time when imported to the aggregator.

For instance, on an aggregator that aggregates data from different time zones, you can see one record whose session start is 21:00 with original timezone UTC-02:00 and another whose session start is 21:00 with original timezone UTC-05:00. These events occurred 3 hours apart, but at the same respective local time (9 PM).

Messages Sent Entity

For each threshold alert message sent, the message type, recipients, status, and date of that message.

Table 62. Messages Sent Entity
Attribute Description

Message ID

Uniquely identifies the message

Message Type

Type of message.

Sent To

One or more recipients of message.

Message Status

Status of message:

FAIL The send operation failed.

WAIT The message has not yet been sent.

SENT The message was sent.

Message Date

Date message sent.

Message Context

Message type:

INFO Informational message.

WARNING Possible error condition.

ALERT Real time or threshold alert.

ERROR Software or hardware error condition.

DEBUG Debugging message.

Message Originator

The module creating the message; for example monitor or GuardiumJetspeedUser.

Original Timezone

The UTC offset of the time zone in which the record was originally logged. It is kept mainly for aggregators that receive data from collectors in different time zones, so that activities that happened hours apart do not appear to have happened at the same time when imported to the aggregator.

For instance, on an aggregator that aggregates data from different time zones, you can see one record whose session start is 21:00 with original timezone UTC-02:00 and another whose session start is 21:00 with original timezone UTC-05:00. These events occurred 3 hours apart, but at the same respective local time (9 PM).

Monitor Values Entity

A Monitor Values entity is created for each insert, update or delete recorded; it contains the details of the change (table name, action, SQL text, and so on).

Table 63. Monitor Values Entity
Attribute Description

Timestamp

Date and time the change was recorded on the Guardium appliance. This timestamp is created during the data upload operation. It is not the time that the change was recorded on the audit database. To obtain that time, use the Audit Timestamp attribute.

Timestamp Date

Date only from the timestamp.

Timestamp Time

Time only from the timestamp.

Timestamp Year

Year only from the timestamp.

Timestamp Weekday

Weekday only from the timestamp.

Server IP

IP address of the database server.

DB Type

Database type.

Service Name

Oracle only. Database service name.

Database Name

DB2, Informix, Sybase, MS SQL Server only. Database name.

Audit PK

For Sybase and MS SQL Server only. A primary key used to relate old and new values (which must be logged separately for these database types).

Audit Login Name

Database user name defined in the datasource.

Audit Table Name

Name of the table that changed.

Audit Owner

Owner of the changed table.

Audit Action

Insert, Update or Delete.

Audit Old Value

A comma-separated list of old values, each entry in the format column-name=column_value followed by a comma.

Audit New Value

A comma-separated list of new values, each entry in the format column-name=column_value followed by a comma.

SQL Text

Available only with Oracle 9. The complete SQL statement causing the value change.

Triggered ID

Unique ID (on this audit database) generated for the change.

Audit Timestamp

Date and time that the trigger was executed.

Audit Timestamp Date

Date portion of Audit Timestamp.

Audit Timestamp Time

Time portion of Audit Timestamp.

Audit Timestamp WeekDay

Day of week of the Audit Timestamp.

Audit Timestamp Year

Year of the Audit Timestamp.

Original Timezone

The UTC offset of the collector that recorded the event. It is needed in particular on an aggregator that receives data from collectors in different time zones, so that activities that happened hours apart do not appear to have happened at the same time once imported to the aggregator.

For instance, on an aggregator that aggregates data from different time zones, one record may show a session start of 21:00 with Original Timezone UTC-02:00 and another a session start of 21:00 with Original Timezone UTC-05:00. These events occurred 3 hours apart, but at the same respective local time (9 PM).
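The Audit Old Value and Audit New Value attributes above carry the whole before/after row as one string. The following parser is an added example, not Guardium code: it splits those strings into columns, works out which columns an UPDATE actually changed, and flags changes to a set of sensitive columns. The sample record and the sensitive-column list are constructed for the example, and the parser assumes, as the documented format implies, that column values contain no commas (the page describes no escaping).

```python
"""Parse Guardium Monitor Values 'Audit Old Value' / 'Audit New Value' strings.

Added example; not Guardium code. The documented format is
'column-name=column_value,' repeated, so the parser assumes values contain
no commas (an assumption: the page does not describe any escaping).
"""
from typing import Dict, List, Optional, Tuple

# Assumption for the example: columns whose modification should be reviewed.
SENSITIVE_COLUMNS = {"SALARY", "ROLE", "PASSWORD_HASH"}


def parse_audit_values(text: str) -> Dict[str, str]:
    """Turn 'COL1=v1,COL2=v2,' into {'COL1': 'v1', 'COL2': 'v2'}.

    An empty string (an INSERT has no old value, a DELETE no new value)
    yields an empty dict. The trailing comma produces an empty segment,
    which is skipped. Only the first '=' separates name from value, so a
    value may itself contain '='.
    """
    values: Dict[str, str] = {}
    for segment in text.split(","):
        segment = segment.strip()
        if not segment:
            continue
        name, sep, value = segment.partition("=")
        if not sep:
            raise ValueError(f"malformed segment (no '='): {segment!r}")
        values[name.strip()] = value
    return values


def changed_columns(old_text: str, new_text: str) -> List[Tuple[str, Optional[str], Optional[str]]]:
    """Return (column, old, new) for every column whose value differs.

    Columns present on only one side (INSERT/DELETE) show None on the other.
    """
    old, new = parse_audit_values(old_text), parse_audit_values(new_text)
    return [
        (col, old.get(col), new.get(col))
        for col in sorted(set(old) | set(new))
        if old.get(col) != new.get(col)
    ]


def sensitive_changes(old_text: str, new_text: str) -> List[str]:
    """Sensitive columns touched by one Monitor Values record.

    A DELETE removes every column, so every sensitive column it held counts.
    """
    touched = {col.upper() for col, _, _ in changed_columns(old_text, new_text)}
    return sorted(touched & SENSITIVE_COLUMNS)


# Constructed sample record; not real audit data.
SAMPLE_RECORD = {
    "Audit Action": "UPDATE",
    "Audit Table Name": "EMPLOYEES",
    "Audit Old Value": "EMP_ID=1001,SALARY=55000,TITLE=Analyst,",
    "Audit New Value": "EMP_ID=1001,SALARY=95000,TITLE=Analyst,",
}

if __name__ == "__main__":
    old, new = SAMPLE_RECORD["Audit Old Value"], SAMPLE_RECORD["Audit New Value"]
    print(changed_columns(old, new))     # [('SALARY', '55000', '95000')]
    print(sensitive_changes(old, new))   # ['SALARY']
```

For Sybase and MS SQL Server, where old and new values are logged as separate records, join the two on Audit PK before calling changed_columns.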

Monitored Changes Entity

This entity is created each time a monitored item changes. It identifies the monitored item within the CAS instance, and points to the saved data for the change.

Table 64. Monitored Changes Entity
Attribute Description

Change Identifier

Unique identifier for the change

Sample Time

Timestamp (date and time on host) that sample was taken

Audit Config Id

Identifies the host configuration

Saved Data Id

Identifies the Saved Data entity for this change

Audit State Label Id

Identifies the Host Configuration entity for this change

Timestamp

Date and time this change record was created on the server (Guardium appliance server clock)

MD5

Indicates whether or not the comparison is done by calculating a checksum using the MD5 algorithm and comparing that value with the value calculated the last time the item was checked. The default is to not use MD5. If MD5 is used but the size of the raw data is greater than the MD5 Size Limit configured for the CAS host, the MD5 calculation and comparison will be skipped. Regardless of whether or not MD5 is used, both the current value of the last modified timestamp for the item and the size of the item are compared with the values saved the last time the item was checked.

Owner

Unix only. If the item type is a file, the file owner

Permissions

Unix only. If the item type is a file, the file permissions

Size

File size, but there are special values as follows:

-1 = File exists, but has a zero bytes

0 (zero) = File does not exist, but this file name is being monitored (it never existed or may have been deleted)

Last Modified

Timestamp for the last modification, taken from the file system at the sample time

Last Modified Date

Date for the last modification

Last Modified Time

Time for the last modification

Last Modified Weekday

Day of week for the last modification

Last Modified Year

Year for the last modification

Group

Unix only. If the item type is a file, the group owner

Monitored Item Details Entity

A Monitored Item Details entity is created for each monitored item in a CAS instance.

Table 65. Monitored Item Details Entity
Attribute Description

Audit Config Id

Identifies the host configuration

Timestamp

Timestamp for creation of the entity

Template ID

Identifies the item template for this monitored item

Monitored Item

Depending on the Audit Type, this is the OS or SQL script, the environment or registry variable, or the file name. If the item template defines a file pattern, there is a separate Monitored Item Details entity for each file that matches the pattern, but none for the pattern itself; the pattern is always available in the Template Content attribute.

Audit Config Set Id

Identifies the template set in the host configuration

Audit Type

Type of monitored item:

OS Script or SQL Script: The actual text or the path to an operating system or SQL script, whose output will be compared with the output produced the next time it runs

Environment Variable or Registry Variable: An environment variable or a (Windows) registry variable

File: A specific file or a pattern to identify a set of files

Enabled

Indicates whether or not the template is enabled

In Synch

Indicates whether or not the template item definition on the server matches the template item definition on the CAS host

Audit Frequency

The maximum interval at which the item is to be tested

Use MD5

Indicates whether or not the comparison is done by calculating a checksum using the MD5 algorithm and comparing that value with the value calculated the last time the item was checked. The default is to not use MD5. If MD5 is used but the size of the raw data is greater than the MD5 Size Limit configured for the CAS host, the MD5 calculation and comparison will be skipped. Regardless of whether or not MD5 is used, both the current value of the last modified timestamp for the item and the size of the item are compared with the values saved the last time the item was checked.

Save Data

When marked, previous version of the item can be compared with the current version

Description

Optional description of the instance

Template Content

The template entry that is the basis for this monitored item, set from the Template entity Access Name attribute when the instance was created. Typically this will be the same as the monitored item, but in the case where a file pattern was used in the template, this will be the file pattern

Object Entity

An instance of this entity is created for each object in a unique schema.

Table 66. Object Entity
Attribute Description

Object Id

Uniquely identifies the object.

Construct Id

Uniquely identifies the construct in which the object is referenced.

Schema

Database schema for the object.
Note: This attribute is deprecated since it is never populated

Object Name

Name of the object.

App Object Module

Uniquely identifies the application object module.

Object Id and Construct Id are available to users with the admin role only.

Object Command Entity

Describes an object-command entity.

Table 67. Object Command Entity
Attribute Description

Object/Command

An object value combined with a command value.

Object Field Entity

Describes an object-field entity. Note that fields with no associated object do not appear in reports that include the object.

Table 68. Object Field Entity
Attribute Description

Object/Field

An object value combined with a field value.

Policy Rule Violation Entity

This entity is created each time that a policy rule violation is logged. Not all policy rule violations are logged; see the description of the rule actions in Chapter 11: Building Policies. The access rule causing the violation is available in the dependent Access Rule Entity (described earlier).

Table 69. Policy Rule Violation Entity
Attribute Description

Violation Log Id

Uniquely identifies the violation entity.

Application User Name

Name of the user creating the policy rule violation.

Full SQL String

SQL string causing the policy rule violation.

Timestamp

Created when the policy rule violation is logged. Not all policy rule violations are logged; see the description of the rule actions in Chapter 11: Building Policies.

Timestamp Date

Date only from the timestamp.

Timestamp Time

Time only from the timestamp.

Timestamp Weekday

Weekday only from the timestamp.

Timestamp Year

Year only from the timestamp.

Message Sent

The text of the policy rule violation message that was sent.

Total Occurrences

Occurrence count that triggered the violation.

Application Event Id

Application event ID (if any - these are set using the application events API)

Access Rule Description

The description of the rule from its definition.

Category Name

Category defined for the rule.

Severity

Severity defined for the rule (the severity of an incident to which this is assigned may be different).

Incident Number

If assigned to an incident, this is the incident number.

Classification Name

Name of classification process.

Construct ID

Uniquely identifies the construct in which it was referenced.

CLS Process Run ID

Classification process job execution ID.

Original Timezone

The UTC offset of the collector that recorded the event. It is needed in particular on an aggregator that receives data from collectors in different time zones, so that activities that happened hours apart do not appear to have happened at the same time once imported to the aggregator.

For instance, on an aggregator that aggregates data from different time zones, one record may show a session start of 21:00 with Original Timezone UTC-02:00 and another a session start of 21:00 with Original Timezone UTC-05:00. These events occurred 3 hours apart, but at the same respective local time (9 PM).

Violation Log Id is available to users with the admin role only.

Qualified Object Entity

A tuple combines multiple attributes into a single group member. In this case, the attributes Server IP, Service Name, DB Name, DB User and Object are combined.

Table 70. Qualified Object Entity
Attribute Description

Qualified Object

Tuple - Server IP, Service name, DB name, DB user, Object

Rogue Connections Entity

An instance is created for each database connection seen by the S-TAP Hunter process, but not by S-TAP itself, indicating that the connection has bypassed the access paths monitored by S-TAP.

Table 71. Rogue Connections Entity
Attribute Description

Timestamp

A timestamp value created when the Guardium appliance records the rogue connection reported by the Hunter.

Server Host Name

Database server host name.

Source Program

Source program name for the connection.

Source Port

Source port for the connection.

Source PID

Source process ID.

Target Program

Target program name for the connection.

Target Port

Target port for the connection.

Target PID

Target process ID.

OS User

Operating system user account name.

IPC Type

Type of inter-process communications used for the connection, which may be from the following list:

SHM Shared memory

IPv4 Internet Protocol version 4

IPv6 Internet Protocol version 6

FIFO Named pipe

PIPE Simple pipe

INET Internet Protocol (HPUX)

DB Server Type

Database server type: Oracle, DB2, Informix, or Sybase.

Original Timezone

The UTC offset of the collector that recorded the event. It is needed in particular on an aggregator that receives data from collectors in different time zones, so that activities that happened hours apart do not appear to have happened at the same time once imported to the aggregator.

For instance, on an aggregator that aggregates data from different time zones, one record may show a session start of 21:00 with Original Timezone UTC-02:00 and another a session start of 21:00 with Original Timezone UTC-05:00. These events occurred 3 hours apart, but at the same respective local time (9 PM).

Rule Entity

Used for both the installed policy rule entity and the access policy rule entity. There is one instance for each rule of the installed policy or policies, or of the access policy or policies. Apart from the ID fields (which uniquely identify components in the internal database), all of these fields are described in the Policies help topic.

  • GDM_INSTALLED_POLICY_RULES_ID - Identifies an installed policy rule.
  • ACCESS_RULE_ID - Identifies an access rule.
  • Rule Description - From the policy definition.
  • Rule Position - Position within the policy.
  • Rule Type - Access, Exception, or Extrusion.
  • LAST_ACCESSED - Last
  • Client IP - From the rule definition.
  • Client Net Mask - From the rule definition.
  • Client IP Group - From the rule definition.
  • Server IP - From the rule definition.
  • Server IP Mask - From the rule definition.
  • Client MAC - From the rule definition.
  • Net Protocol - From the rule definition.
  • Net Protocol Group - From the rule definition.
  • Field - From the rule definition.
  • Field Group - From the rule definition.
  • Object - From the rule definition.
  • Object Group - From the rule definition.
  • Command - From the rule definition.
  • Command Group - From the rule definition.
  • Object-Field Group - From the rule definition.
  • DB Type - From the rule definition.
  • Service Name - From the rule definition.
  • Service Name Group - From the rule definition.
  • DB Name - From the rule definition.
  • DB Name Group - From the rule definition.
  • DB User - From the rule definition.
  • DB User Group - From the rule definition.
  • App. User - From the rule definition.
  • App User Group - From the rule definition.
  • OS User - From the rule definition.
  • OS User Group - From the rule definition.
  • Src App. - From the rule definition.
  • Source Program Group - From the rule definition.
  • Pattern/ XML Pattern - From the rule definition.
  • Period - From the rule definition.
  • Min. Ct. - From the rule definition.
  • Reset Interval - From the rule definition.
  • Continue to next Rule/ Revoke - From the rule definition.
  • Rec. Vals. - From the rule definition.
  • App Event Exists - From the rule definition.
  • Event Type - From the rule definition.
  • App Event Text Value - From the rule definition.
  • App Event Date Value - From the rule definition.
  • Event User Name - From the rule definition.
  • Error Code - From the rule definition.
  • Exception Type - From the rule definition.
  • Category Name- From the rule definition.
  • Classification Name - From the rule definition.
  • Severity - From the rule definition.
  • Data Pattern - From the rule definition.
  • SQL Pattern - From the rule definition.
  • Masking Pattern - From the rule definition.
  • Client IP/ Group - Provides the ability to display a single attribute and its related (if any) in a single column of the report.
  • Server IP/ Group - Provides the ability to display a single attribute and its related (if any) in a single column of the report.
  • Net Protocol/ Group - Provides the ability to display a single attribute and its related (if any) in a single column of the report.
  • Field Name/ Group - Provides the ability to display a single attribute and its related (if any) in a single column of the report.
  • Object Name/ Group - Provides the ability to display a single attribute and its related (if any) in a single column of the report.
  • Command/ Group - Provides the ability to display a single attribute and its related (if any) in a single column of the report.
  • Service Name/ Group - Provides the ability to display a single attribute and its related (if any) in a single column of the report.
  • DB Name/ Group - Provides the ability to display a single attribute and its related (if any) in a single column of the report.
  • App. User/ Group - Provides the ability to display a single attribute and its related (if any) in a single column of the report.
  • OS User/ Group - Provides the ability to display a single attribute and its related (if any) in a single column of the report.
  • Source Program/ Group - Provides the ability to display a single attribute and its related (if any) in a single column of the report.
  • Error Code/ Group - Provides the ability to display a single attribute and its related (if any) in a single column of the report.
  • App. Event Text/ Numeric/ Date - The application events text, numeric, and date attributes.
  • Category/ Classification - The combined category and classification for the rule.
  • GDM_Installed_Policy_Header_ID - Identifies an installed policy header.
Note: GDM_INSTALLED_POLICY_RULES_ID and ACCESS_RULE_ID are available to users with the admin role only.

Rule Action Entity

Used for both the installed policy rule action entity and the access policy rule action entity. There is one instance for each action of each rule of the installed policy or policies, or of the access policy or policies.

  • Sequence - Sequence of the action within the rule.
  • Action
    • Block the request - See Blocking Actions in Policies.
    • Log or ignore the violation or the traffic - See Log or Ignore Actions in Policies.
    • Alert - See Alerting Actions in Policies.

Saved Data Entity

A Saved Data entity is created each time a change is detected for an item being monitored, if the Keep data box is marked for that item in the item template definition.

Table 72. Saved Data Entity
Attribute Description

Saved Data ID

Uniquely identifies the saved data item

Saved Data

The actual data saved

Timestamp

Timestamp for when the saved data entity was recorded in the server database

Change Identifier

Identifies the monitored changes entity for this saved data entity

Saved Data ID is only available to users with the admin role.

Server IP-Server Port Entity

Describes a server IP-server port entity.

Table 73. Server IP-Server Port Entity
Attribute Description

Server IP/Server Port

A server IP value combined with a server port value.

Session Entity

This entity is created for each Client/Server database session.

Table 74. Session Entity
Attribute Description

Global ID

Uniquely identifies the session - access.

Session ID

Uniquely identifies the session.

Access ID

Uniquely identifies the access period.

Timestamp

Initially, a timestamp created for the first request on a client-server connection where there is not an active session in progress. Later, it is updated when the session is closed, or when it is marked inactive following an extended period of time with no observed activity. When tracking Session information, you will probably be more interested in the Session Start and Session End attributes than the Timestamp attribute.

Timestamp Date

Date only from the timestamp.

Timestamp Time

Time only from the timestamp.

Timestamp Weekday

Weekday only from the timestamp.

Timestamp Year

Year only from the timestamp.

Session Start

Date and time session started. Session Start is also a Main Entity. Access this secondary entity by clicking on the Session primary entity.

Session Start Date

Date only from the Session Start.

Session Start Time

Time only from the Session Start.

Session Start Weekday

Weekday only from the Session Start.

Session Start Year

Year only from the Session Start.

Client Port

Client port number.

Server Port

Server port number.

Inactive Flag

0 (default) - Open; the session was created from SQL packets.

1 - Closed (disconnect or logout received).

2 - Probably closed; never closed, but no packets have been seen for a long time.

3 - Session created from non-SQL packets.

TTL

Reserved for admin role use only.

Session End

Date and time the session ended. Session End is also a Main Entity. Access this secondary entity by clicking on the Session primary entity.

Session End Date

Date only from the Session End.

Session End Time

Time only from the Session End.

Session End Weekday

Weekday only from the Session End.

Session End Year

Year only from the Session End.

Database Name

Name of database for the session (MSSQL or Sybase only).

Note: For Oracle, Database Name may contain additional and application specific information such as the currently executing module for a session that has been set in the MODULE column of the V$SESSION view

Session Ignored

Indicates whether or not some part of the session was ignored (beginning at some point in time).

Ignored Since

Timestamp created when starting to ignore this session.

Uid Chain

For a session reported by Unix S-TAP (K-Tap mode only), this shows the chain of OS users, when users su with a different user name. The values that appear here vary by OS platform - for example, under AIX the string IBM IBM IBM may appear as a prefix.

Note: For Solaris Zones, user ids may be reported instead of user names in the Uid Chain.

Old Session ID

Points to the session from which this session was created. Zero if this is the first session of the connection.

Terminal Id

Terminal ID of the connection, used internally to resolve session information.

Process ID

The process ID of the client that initiated the connection (not always available).

Uid Chain Compressed

Values compressed. See Uid Chain.

Duration (secs)

Indicates the length of time between the Session Start and the Session End (in seconds).

Original Timezone

The UTC offset of the collector that recorded the event. It is needed in particular on an aggregator that receives data from collectors in different time zones, so that activities that happened hours apart do not appear to have happened at the same time once imported to the aggregator.

For instance, on an aggregator that aggregates data from different time zones, one record may show a session start of 21:00 with Original Timezone UTC-02:00 and another a session start of 21:00 with Original Timezone UTC-05:00. These events occurred 3 hours apart, but at the same respective local time (9 PM).

Global ID, Session ID, and Access ID are only available to users with the admin role.
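The Original Timezone attribute appears in this and several earlier entities (Message Text, Messages Sent, Monitor Values, Policy Rule Violation, Rogue Connections), and the session example in its description is easy to get wrong when ordering or correlating records from different collectors. The following is an added example, not Guardium code, that converts a local timestamp plus Original Timezone to UTC, computes how far apart two records really are, derives Duration (secs) from Session Start and Session End, and orders sessions by actual start time. It assumes timestamps are exported as YYYY-MM-DD HH:MM:SS in the collector's local time and Original Timezone as a string such as UTC-05:00; the session records are constructed.

```python
"""Normalize Guardium timestamps with the Original Timezone attribute to UTC.

Added example; not Guardium code. Assumes timestamps are exported as
'YYYY-MM-DD HH:MM:SS' local to the collector, and Original Timezone as
'UTC-05:00' (a bare '-05:00', or 'UTC' for no offset, is also accepted).
"""
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List

_OFFSET_RE = re.compile(r"^(?:UTC)?(?:([+-])(\d{2}):?(\d{2}))?$")
_TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_original_timezone(value: str) -> timezone:
    """'UTC-02:00' -> fixed-offset tzinfo two hours behind UTC."""
    value = value.strip()
    m = _OFFSET_RE.match(value)
    if not value or not m:
        raise ValueError(f"unrecognized Original Timezone: {value!r}")
    if m.group(1) is None:
        return timezone.utc
    delta = timedelta(hours=int(m.group(2)), minutes=int(m.group(3)))
    return timezone(delta if m.group(1) == "+" else -delta)


def to_utc(local_timestamp: str, original_timezone: str) -> datetime:
    """Attach the collector's offset to the local wall-clock time and convert."""
    naive = datetime.strptime(local_timestamp, _TS_FORMAT)
    aware = naive.replace(tzinfo=parse_original_timezone(original_timezone))
    return aware.astimezone(timezone.utc)


def seconds_apart(a_ts: str, a_tz: str, b_ts: str, b_tz: str) -> int:
    """Real elapsed seconds from record a to record b (negative if b is earlier)."""
    return int((to_utc(b_ts, b_tz) - to_utc(a_ts, a_tz)).total_seconds())


def session_duration_secs(session: Dict[str, str]) -> int:
    """Duration (secs): Session End minus Session Start. Both stamps come
    from the same collector, so the same Original Timezone applies."""
    tz = session["Original Timezone"]
    return seconds_apart(session["Session Start"], tz, session["Session End"], tz)


def order_by_utc(sessions: List[Dict[str, str]]) -> List[str]:
    """Session IDs ordered by actual (UTC) start, not by local clock text."""
    ordered = sorted(sessions, key=lambda s: to_utc(s["Session Start"], s["Original Timezone"]))
    return [s["Session ID"] for s in ordered]


# Constructed records mirroring the page's example: both start at 21:00 local.
SESSIONS = [
    {"Session ID": "A", "Session Start": "2024-03-01 21:00:00",
     "Session End": "2024-03-01 21:45:30", "Original Timezone": "UTC-02:00"},
    {"Session ID": "B", "Session Start": "2024-03-01 21:00:00",
     "Session End": "2024-03-01 21:05:00", "Original Timezone": "UTC-05:00"},
]

if __name__ == "__main__":
    a, b = SESSIONS
    print(seconds_apart(a["Session Start"], a["Original Timezone"],
                        b["Session Start"], b["Original Timezone"]))  # 10800
    print(session_duration_secs(a))   # 2730
    print(order_by_utc(SESSIONS))     # ['A', 'B']
```

Sorting or joining on the local timestamp text would treat the two sessions as simultaneous; converting through Original Timezone first shows A started three hours before B.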

Severity Entity

The severity of an incident or policy violation.

Table 75. Severity Entity
Attribute Description

Severity Description

The severity code will be one of the following:

INFO, LOW, MED, HIGH

Sniffer Buffer Usage Entity

The system creates this entity at the interval set by the store system netfilter-buffer-size CLI command (every 60 seconds by default).

Table 76. Sniffer Buffer Usage Entity
Attribute Description

Timestamp

Time the record was created.

% CPU Sniffer

Percentage of CPU used by sniffer.

% Mem Sniffer

Percentage of memory used by sniffer.

% CPU Mysql

Percentage of CPU used by MySQL.

% Mem Mysql

Percentage of memory used by MySQL.

Sniffer Process ID

Sniffer process identifier.

Mem Sniffer

Amount of memory used by sniffer.

Time Sniffer

Elapsed time used by sniffer.

Free Buffer Space

Amount of free buffer space.

Analyzer Rate

Rate at which messages are being analyzed.

Logger Rate

Rate at which messages are being logged.

Analyzer Queue Length

Size of the analyzer queue.

Analyzer Total

Total number of messages analyzed.

Logger Queue Length

Size of logger queue.

Logger Total

Total number of messages logged.

Session Queue Length

Size of session queue.

Session Total

Total number of sessions.

Handler Data

Internal sniffing engine data.

Extra Info

Internal sniffing engine data.

Analyzer Lost Packets

Packets lost by analyzer.

Eth0 Received

Messages received on ETH 0.

Eth0 Sent

Messages sent on ETH 0.

Logger Dbs Monitored

List of database types currently being monitored.

Logger Packets Ignored by Rule

Packets ignored by policy rule action.

Logger Session Count

Count of sessions logged.

Mysql Disk Usage

MySQL disk usage.

Mysql Is Up

Boolean indicator for internal database restart (1=was restarted, 0=not restarted).

Promiscuous Received

Rate of received packets through the sniffing network cards (non-interface ports).

Sniffer Connections Ended

Total number of connections that were monitored and have ended since inspection engine was restarted.

Sniffer Connections Used

Total number of connections currently being monitored since inspection engine was restarted.

Sniffer Packets Dropped

Packets dropped by sniffer.

Sniffer Packets Ignored

Packets ignored by sniffer.

Sniffer Packets Throttled

Total number of connections that have been ignored due to throttling since inspection engine was restarted.

System Cpu Load

System CPU utilization.

System Memory Usage

System memory utilization.

System Root Disk Usage

System Root disk utilization.

System Uptime

Time since last start-up.

System Var Disk Usage

System var disk utilization.

Sessions normal

Count of normal sessions.

Sessions not opened

Count of sessions not opened by sniffer.

Sessions timeout

Count of sessions timed-out.

Sessions ignored

Count of sessions ignored by sniffer.

Session Direct closed

Count of sessions directly closed.

Session guessed

Count of sessions guessed.

Open FDs

Open File Descriptors.

DB Open FDs

Database open File Descriptors

Di Rate

 

Di Queue Length

 

Di Total

 

Di Lost Packets

 

Flat Log Requests

Flat log requests.

SQL Based Assessment Definition

This entity describes a SQL based assessment definition

Table 77. SQL Based Assessment Definition
Attribute Description

Bind Out Var

Optional. Indicates whether the text entered in SQL is a procedural block of code that returns a value to be bound to an internal Guardium variable, which is then compared with the Compare To Value.

Compare To Value

The value compared against the value returned by the SQL statement, using the Operator.

External Reference

Reference to the Center for Internet Security (CIS) or Common Vulnerabilities and Exposures (CVE).

Operator

Operator that will be used for the condition.

Recommendation Text Fail

The Recommended text for fail that will be displayed when the test fails.

Recommendation Text Pass

The Recommended text for pass that will be displayed when the test passes.

Result Text Fail

The Result text for fail that will be displayed when the test fails.

Result Text Pass

The Result text for pass that will be displayed when the test passes.

Return Type

The Return type that will be returned from the SQL statement.

Short Description

The short description for the assessment test.

SQL For Details

A SQL statement that retrieves a list of strings; the detail string is generated as the Detail prefix followed by that list.

SQL

The SQL statement that will be executed for the test.
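As an added example, not Guardium code, the following evaluates a SQL based assessment test the way the attributes above describe it: run SQL against the datasource, compare the returned value with Compare To Value using Operator, select the pass or fail Result Text and Recommendation Text, and build the detail string from SQL For Details and the Detail prefix. The datasource is an in-memory SQLite table constructed for the example, the Return Type names NUMERIC and STRING are assumptions, and Bind Out Var (a procedural block returning a bound value) is not handled.

```python
"""Evaluate a SQL based assessment test as its definition attributes describe.

Added example; not Guardium code. The datasource is a constructed SQLite
table; Return Type values 'NUMERIC'/'STRING' are assumed names.
"""
import operator
import sqlite3
from dataclasses import dataclass
from typing import Any, Dict

OPERATORS = {"=": operator.eq, "<>": operator.ne, "<": operator.lt,
             "<=": operator.le, ">": operator.gt, ">=": operator.ge}


@dataclass(frozen=True)
class SqlAssessmentTest:
    short_description: str
    sql: str
    return_type: str              # assumed: "NUMERIC" or "STRING"
    operator: str
    compare_to_value: str
    result_text_pass: str
    result_text_fail: str
    recommendation_text_pass: str
    recommendation_text_fail: str
    sql_for_details: str = ""
    detail_prefix: str = ""       # the "Detail prefix" the page mentions


def run_test(conn: sqlite3.Connection, test: SqlAssessmentTest) -> Dict[str, Any]:
    """Run one test and return what the Test Result entity would record."""
    row = conn.execute(test.sql).fetchone()
    value = row[0] if row else None
    coerce = float if test.return_type == "NUMERIC" else str
    passed = OPERATORS[test.operator](coerce(value), coerce(test.compare_to_value))
    details = ""
    if test.sql_for_details:
        items = [str(r[0]) for r in conn.execute(test.sql_for_details)]
        details = test.detail_prefix + ", ".join(items) if items else ""
    return {
        "test": test.short_description,
        "value": value,
        "passed": passed,
        "result_text": test.result_text_pass if passed else test.result_text_fail,
        "recommendation": test.recommendation_text_pass if passed else test.recommendation_text_fail,
        "details": details,
    }


# Constructed test: no database account may have an empty password hash.
EMPTY_PASSWORD_TEST = SqlAssessmentTest(
    short_description="No accounts with empty passwords",
    sql="SELECT COUNT(*) FROM db_users WHERE password_hash = ''",
    return_type="NUMERIC",
    operator="=",
    compare_to_value="0",
    result_text_pass="No account has an empty password.",
    result_text_fail="One or more accounts have an empty password.",
    recommendation_text_pass="No action required.",
    recommendation_text_fail="Set a password or lock the listed accounts.",
    sql_for_details="SELECT name FROM db_users WHERE password_hash = '' ORDER BY name",
    detail_prefix="Accounts with empty password: ",
)


def build_sample_db() -> sqlite3.Connection:
    """Constructed datasource; not real account data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE db_users (name TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO db_users VALUES (?, ?)",
                     [("app", "$2b$12$abc"), ("legacy", ""), ("dba", "$2b$12$def")])
    return conn


def run_example() -> Dict[str, Any]:
    return run_test(build_sample_db(), EMPTY_PASSWORD_TEST)


def run_example_after_fix() -> Dict[str, Any]:
    conn = build_sample_db()
    conn.execute("UPDATE db_users SET password_hash = '$2b$12$ghi' WHERE name = 'legacy'")
    return run_test(conn, EMPTY_PASSWORD_TEST)


if __name__ == "__main__":
    print(run_example())            # passed False, details list 'legacy'
    print(run_example_after_fix())  # passed True
```

The comparison is done on the coerced value, so a NUMERIC test compares 1 with 0 numerically rather than as strings; a STRING test with operator < or > would compare lexically, which is the usual surprise when a version number is tested as a string.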

SQL Entity

This entity is created for each unique string of SQL. Values are replaced by question marks - only the format of the string is stored.

Table 78. SQL Entity
Attribute Description

Sql

SQL string.

Construct ID

Uniquely identifies the construct in which the SQL appeared

Bind Info

Bind information for this SQL string.

Truncated SQL

Indicates if the SQL has been truncated or not where:

0 - false/no, not truncated

1 - true/yes, truncated
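The SQL Entity stores only the shape of a statement, with values replaced by question marks. The following is an added example, not Guardium's own normalizer, of what that reduction looks like and why it is useful: a simplified regex replaces single-quoted string literals (with '' as the escaped quote) and bare numeric literals with ?, applies a length cap to mirror the Truncated SQL flag, and groups constructed statements by skeleton. Guardium's exact normalization rules are not documented on this page, so the regex is an approximation.

```python
"""Reduce SQL to the form the SQL Entity stores: literals replaced by '?',
plus the Truncated SQL flag. Added example; not Guardium's parser. The
replacement is a simplified regex (single-quoted strings with '' escapes and
bare numeric literals); Guardium's own rules are not documented on this page.
"""
import re
from collections import Counter
from typing import Dict, Iterable, Optional, Tuple

# A string literal (with '' as the escaped quote), or a number that is not
# part of an identifier such as table1 or col_2.
_LITERAL_RE = re.compile(r"'(?:[^']|'')*'|(?<![\w.])\d+(?:\.\d+)?\b")


def normalize_sql(sql: str, max_len: Optional[int] = None) -> Tuple[str, int]:
    """Return (skeleton, truncated); truncated is 1 if the skeleton was cut
    to max_len, else 0, mirroring the Truncated SQL attribute."""
    skeleton = _LITERAL_RE.sub("?", sql)
    skeleton = " ".join(skeleton.split())        # collapse whitespace
    if max_len is not None and len(skeleton) > max_len:
        return skeleton[:max_len], 1
    return skeleton, 0


def skeleton_counts(statements: Iterable[str]) -> Dict[str, int]:
    """Group statements by skeleton. Rare skeletons among many identical
    ones are where injection attempts and ad-hoc access stand out."""
    return dict(Counter(normalize_sql(s)[0] for s in statements))


# Constructed traffic; not captured data.
SAMPLE_STATEMENTS = [
    "SELECT * FROM accounts WHERE id = 1042",
    "SELECT * FROM accounts WHERE id = 77",
    "SELECT * FROM accounts WHERE id = 3 OR 1=1",
    "UPDATE accounts SET name = 'O''Brien' WHERE id = 1042",
]

if __name__ == "__main__":
    for skeleton, count in skeleton_counts(SAMPLE_STATEMENTS).items():
        print(f"{count:4d}  {skeleton}")
```

With thousands of lookups by id the first skeleton dominates, while the tautology in the third statement survives normalization as OR ?=? and shows up as a one-off shape worth a rule.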

Task Receiver Entity

Indicates the action required by the results receiver.

Table 79. Task Receiver Entity
Attribute Description

Action Required

Indicates if signing action is required.

Task Results To-Do List Entity

Indicates the current status of the results.

Table 80. Task Results To-Do List Entity
Attribute Description

Status

Indicates the current status of the results.

(Esca) Action Required

Indicates if to-do list action is required.

Action Required

Indicates if signing action is required.

Template Entity

A CAS template entity is created for each item template within a template set. An item is a specific file or file pattern, an environment or registry variable, the output of an OS or SQL script, or the list of logged-in users.

Table 81. Template Entity
Attribute Description

Template ID

A unique identifier for the item template within the set of all item templates

Template Set ID

Unique identifier for the template set

Access Name

Depending on the Audit Type, this is the OS or SQL script, environment or registry value, or a file name or a file name pattern

Audit Type

The type of monitored item

Audit Frequency (Min)

The maximum interval (in minutes) between tests

Use MD5

Indicates whether or not the comparison is done by calculating a checksum using the MD5 algorithm and comparing that value with the value calculated the last time the item was checked. The default is to not use MD5. If MD5 is used but the size of the raw data is greater than the MD5 Size Limit configured for the CAS host, the MD5 calculation and comparison will be skipped. Regardless of whether or not MD5 is used, both the current value of the last modified timestamp for the item and the size of the item are compared with the values saved the last time the item was checked.

Save Data

Indicates if the Keep data checkbox has been marked. If so, previous versions of the item can be compared with the current version

Editable

Indicates whether or not this template can be modified. The default Guardium templates cannot be modified. In addition once a template set has been used in a CAS instance, it cannot be modified. In any case, a template set can always be cloned and the cloned set can be modified

Description

Optional description of the template

Timestamp

Date and time this template was last updated

Template ID and Template Set ID are only available to users with the admin role.
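The Use MD5 attribute here, in the Monitored Item Details entity and in the Monitored Changes entity all describe the same comparison: size and last-modified time are always checked, and an MD5 checksum is checked only when enabled and the item is within the MD5 Size Limit. The following added example (not CAS code) implements that logic together with the Size encoding of the Monitored Changes entity (-1 for an empty file, 0 for a missing one), and shows the case the checksum exists for: a same-length edit followed by restoring the mtime, which size and timestamp alone cannot see. The file name and contents are constructed. Note that MD5 here is a change indicator, not a tamper-proof control: collision attacks on MD5 are practical, though a second preimage against an existing file is not, so the realistic evasion is exactly this same-size edit on an item where Use MD5 is off or the size exceeds the limit.

```python
"""Change detection as the CAS attributes describe it. Added example; not CAS
code. Size and Last Modified are always compared; an MD5 checksum is compared
only when Use MD5 is on and the raw size is within the host's MD5 Size Limit.
Size uses the Monitored Changes encoding: -1 = exists but empty, 0 = missing.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class ItemState:
    size: int                        # -1 = zero bytes, 0 = file does not exist
    last_modified_ns: Optional[int]  # file-system mtime at sample time
    md5: Optional[str]               # None when MD5 is off, skipped, or file missing


def encoded_size(path: str) -> int:
    if not os.path.exists(path):
        return 0
    raw = os.path.getsize(path)
    return -1 if raw == 0 else raw


def sample(path: str, use_md5: bool, md5_size_limit: int) -> ItemState:
    """Take one sample of a monitored file."""
    size = encoded_size(path)
    if size == 0:
        return ItemState(0, None, None)
    raw = 0 if size == -1 else size
    digest = None
    if use_md5 and raw <= md5_size_limit:   # above the limit the MD5 step is skipped
        with open(path, "rb") as f:
            digest = hashlib.md5(f.read()).hexdigest()
    return ItemState(size, os.stat(path).st_mtime_ns, digest)


def has_changed(previous: ItemState, current: ItemState) -> bool:
    """Size and mtime always count; MD5 only when both samples carry one."""
    if previous.size != current.size or previous.last_modified_ns != current.last_modified_ns:
        return True
    if previous.md5 is not None and current.md5 is not None:
        return previous.md5 != current.md5
    return False


def demo_same_size_edit(directory: Optional[str] = None) -> Dict[str, bool]:
    """Edit a file without changing its size, restore its mtime (what
    'touch -r' does), and report which configurations notice. Constructed
    content; 'app.conf' and 'ALLOW_ROOT' are invented for the example."""
    directory = directory or tempfile.mkdtemp()
    path = os.path.join(directory, "app.conf")
    with open(path, "w") as f:
        f.write("ALLOW_ROOT=0\n")                          # 13 bytes
    configs = {"no_md5": (False, 1_000_000), "md5": (True, 1_000_000),
               "md5_over_limit": (True, 4)}                # 13 > 4: MD5 skipped
    before = {name: sample(path, *cfg) for name, cfg in configs.items()}
    st = os.stat(path)
    with open(path, "w") as f:
        f.write("ALLOW_ROOT=1\n")                          # same 13 bytes
    os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))    # put the old mtime back
    after = {name: sample(path, *cfg) for name, cfg in configs.items()}
    return {name: has_changed(before[name], after[name]) for name in configs}


def demo_size_encoding(directory: Optional[str] = None) -> Dict[str, int]:
    """Show the two special Size values."""
    directory = directory or tempfile.mkdtemp()
    open(os.path.join(directory, "empty"), "w").close()
    return {"missing": encoded_size(os.path.join(directory, "missing")),
            "empty": encoded_size(os.path.join(directory, "empty"))}


if __name__ == "__main__":
    print(demo_same_size_edit())   # {'no_md5': False, 'md5': True, 'md5_over_limit': False}
    print(demo_size_encoding())    # {'missing': 0, 'empty': -1}
```

Only the configuration with Use MD5 on and the item under the size limit reports the edit; the other two see an unchanged size and timestamp. That is the argument for enabling Use MD5 on small, security-critical files and for setting the MD5 Size Limit high enough to cover them.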

Template Set Entity

A CAS Template Set entity is created for each template set, which is a set of template items for a particular operating system or database.

Table 82. Template Set Entity
Attribute Description

Template Set Id

A unique identifier for the template set, numbered sequentially

OS Type

Operating system: Unix or Windows

DB Type

Database Type: Oracle, MS-SQL, DB2, Sybase, Informix, or N/A for an operating system template

Template Set Name

The template name

IsDefault

Indicates whether or not this template is the default for the specified OS Type and DB Type combination

Editable

Indicates whether or not this template can be modified. The default Guardium templates cannot be modified. In addition once a template set has been used in a CAS instance, it cannot be modified. In any case, a template set can always be cloned and the cloned set can be modified

Timestamp

Date and time the template was last updated

Template Set ID is only available to users with the admin role.

Test Result Entity

This entity is created for each set of test results.

Table 83. Test Result Entity
Attribute Description

Test Result Id

Identifies the test result.

Assessment Result Id

Identifies the assessment results set.

Test Id

Identifies the test.

Assessment Test Id

Identifies the assessment test (task).

Test Score

Returned test score.

Report Result Id

Identifies the report result.

Parameter Modified Flag

Indicates if parameters were modified since the last test.

Result Text

Text returned by the test.

Test Description

Description from the test definition.

Recommendation

Recommendation returned by the test.

Score Description

Description of the score.

Threshold String

The threshold prompt for the test (e.g. Maximum Number of Different IP's Allowed per user)

Severity

Severity assigned for the test result.

Category

Category for the test result.

Assessment Result data source Id1

Identifies the test result data source.

Result Details

Details of the test.

Exceptions Group Desc

Description of the exceptions group. Populated when the test is executed.

Test Result ID, Assessment Result ID, and Assessment Test ID are only available to users with the admin role.

Threshold Alert Details Entity

This entity is created each time that a correlation alert is triggered.

Table 84. Threshold Alert Details Entity
Attribute Description

Alert Log ID

Uniquely identifies the alert details entity.

Query Value

Value returned by query.

Base Value

Value assigned for the statistical alert.

Checked From Date

The start of the date and time range checked by the alert condition.

Checked To Date

The end of the date and time range checked by the alert condition.

Alert Threshold

Alert threshold defined for the alert.

Notification Sent

Text of notification sent.

Timestamp

Created only once, when the statistical alert is logged.

Alert Description

The description contained in the alert definition.

Alert Log ID is only available to users with the admin role.

Unit Utilization Level

Several unit utilization reports are provided by default at Manage > Reports > Unit Utilization, including:
  • Unit Utilization: Displays the maximum unit utilization level for each unit in the given timeframe. There is a drill-down that displays details for a unit across all periods within the timeframe of the report.
  • Unit Utilization Distribution: Per-unit, this report displays the percent of periods in the report timeframe with utilization levels of low, medium, and high.
  • Utilization Thresholds: This predefined report displays all low and high threshold values for all unit utilization parameters.
  • Unit Utilization Daily Summary: Provides a daily summary of unit utilization data.

In addition, Unit Utilization Level tracking enables users to create custom queries and reports.
Tip: Enable aliases for all custom and pre-defined reports using unit utilization data to ensure that unit utilization levels are displayed as meaningful strings instead of numbers. For example, low, medium, and high instead of 1, 2, or 3.
The list of attributes includes:
  • Host name
  • Period start
  • Number of restarts
  • Number of restarts level
  • Sniffer memory
  • Sniffer memory Level
  • Percent MySQL memory
  • Percent MySQL memory level
  • Free buffer space
  • Free buffer space level
  • Analyzer queue
  • Analyzer queue level
  • Logger queue
  • Logger queue level
  • MySQL disk usage
  • MySQL disk usage level
  • System CPU load
  • System CPU load level
  • System var disk usage
  • System var disk usage level
  • Overall unit utilization level
  • Number of requests
  • Number of requests level
  • Number of full SQLs
  • Number of full SQLs level
  • Number of exceptions
  • Number of exceptions level
  • Number of policy violations
  • Number of policy violations level
  • Number of flat log requests
  • Number of flat log requests level
Note: Each parameter has a value and a level; the level is calculated from the value and the parameter's low and high thresholds.

User Entity

Identifies the Guardium user defined as an audit process results receiver.

Table 85. User Entity
Attribute Description

Login Name

Guardium user name.

First Name

First name for the Guardium user.

Last Name

Last name for the Guardium user.

EMAIL Address

Email address defined for the Guardium user.

Last Active

Timestamp for last activity for this user.