Entities and Attributes
This topic contains a description of the attributes contained in each entity.
For an overview of domains, entities, and attributes, see Domains, Entities, and Attributes. For a description of all domains, see Domains.
Access Policy Entity
Describes every policy defined on the system, whether or not it is installed. Compare the Installed Policies entity, which covers only the policies installed on the system.
Entities in the Access Policy domain: Access Policy (below), Rule (see Rule Entity for its attributes), Rule Action (see Rule Action Entity), and Alert Notification (see Alert Notification Entity).
Attribute | Description |
---|---|
Policy ID |
Uniquely identifies an access policy |
Policy Description |
Describes the access policy |
Selective Audit Trail |
Indicates if this is a selective audit trail policy (T/F). |
Audit Pattern |
Test pattern used for a selective audit trail policy. |
Timestamp |
Timestamp for the creation of the record. |
Access Period Entity
Access Periods are related to Sessions. By default, an access period is one hour long, but this can be changed by the Guardium administrator in the Inspection Engine Configuration (it corresponds to the Logging Granularity).
Timeout values depend on the number of sessions open on an analyzer thread. For each analyzer thread, the default values are:
- 1 to 249 open sessions: 60 minutes
- 250 to 499 open sessions: 30 minutes
- 500 to 749 open sessions: 15 minutes
- 750 to 1199 open sessions: 5 minutes
- 1200 or more open sessions: 2 minutes
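As an added example (not Guardium code), the following Python buckets observed requests into Access Period records using the period-length rule above, and maintains the Timestamp, Total Access, Successful Sqls, Failed Sqls and Average Execution Time attributes the way the entity describes them. The record layout, the alignment of periods to clock boundaries from midnight, and the sample requests are assumptions constructed for the example.

```python
"""Added example (not Guardium code): bucketing requests into Access Period records.
Assumptions: periods are aligned to clock boundaries from midnight, and the request
tuples below are constructed sample input sorted by observation time."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


def period_length_minutes(open_sessions: int) -> int:
    """Default access period (timeout) length for one analyzer thread, by open sessions."""
    if open_sessions < 1:
        raise ValueError("no open sessions: nothing to bucket")
    if open_sessions < 250:
        return 60
    if open_sessions < 500:
        return 30
    if open_sessions < 750:
        return 15
    if open_sessions < 1200:
        return 5
    return 2


def period_bounds(at: datetime, length: timedelta) -> Tuple[datetime, datetime]:
    """Assumed alignment: periods start at multiples of `length` after midnight
    (every default length divides a day evenly), so 09:40 with a 60-minute
    period falls into 09:00-10:00."""
    midnight = at.replace(hour=0, minute=0, second=0, microsecond=0)
    slots = (at - midnight) // length
    start = midnight + slots * length
    return start, start + length


@dataclass
class AccessPeriod:
    session_id: int
    construct_id: int
    period_start: datetime
    period_end: datetime
    timestamp: datetime          # first request in the period, then updated per request
    total_access: int = 0
    successful_sqls: int = 0
    failed_sqls: int = 0
    exec_ms_sum: float = 0.0

    @property
    def avg_execution_time_ms(self) -> float:
        return self.exec_ms_sum / self.total_access if self.total_access else 0.0

    def record(self, at: datetime, exec_ms: float, failed: bool) -> None:
        """Update the running counters and the Timestamp for one more request."""
        self.total_access += 1
        self.exec_ms_sum += exec_ms
        if failed:
            self.failed_sqls += 1
        else:
            self.successful_sqls += 1
        self.timestamp = at


# Constructed sample: (session_id, construct_id, observed_at, exec_ms, failed), time-ordered.
SAMPLE_REQUESTS = [
    (1, 10, datetime(2024, 3, 10, 9, 5), 10.0, False),
    (1, 10, datetime(2024, 3, 10, 9, 40), 30.0, True),
    (2, 10, datetime(2024, 3, 10, 9, 50), 8.0, False),
    (1, 10, datetime(2024, 3, 10, 10, 2), 5.0, False),
]


def bucket_requests(requests, open_sessions: int) -> List[AccessPeriod]:
    """One AccessPeriod per (session, construct, period). A request observed at or
    after the current period's end closes that period and opens the next one."""
    length = timedelta(minutes=period_length_minutes(open_sessions))
    current: Dict[Tuple[int, int], AccessPeriod] = {}
    closed: List[AccessPeriod] = []
    for session_id, construct_id, at, exec_ms, failed in requests:
        key = (session_id, construct_id)
        ap = current.get(key)
        if ap is None or at >= ap.period_end:
            if ap is not None:
                closed.append(ap)
            start, end = period_bounds(at, length)
            ap = AccessPeriod(session_id, construct_id, start, end, at)
            current[key] = ap
        ap.record(at, exec_ms, failed)
    return closed + list(current.values())


if __name__ == "__main__":
    for ap in bucket_requests(SAMPLE_REQUESTS, open_sessions=100):
        print(ap.session_id, ap.construct_id, ap.period_start, ap.period_end,
              ap.total_access, ap.failed_sqls, round(ap.avg_execution_time_ms, 1))
```

With 100 open sessions the period is 60 minutes, so session 1's requests at 09:05 and 09:40 land in one record (two accesses, one failure, average 20 ms, Timestamp 09:40) and the request at 10:02 opens a second record; with 1200 or more open sessions the same requests would be spread over 2-minute periods.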
Attribute | Description |
---|---|
Session ID |
Uniquely identifies a session. |
Instance ID |
Uniquely identifies an instance of a construct. |
Construct ID |
Uniquely identifies a command construct (for example, select a from b). |
Total Access |
Total count of construct instances for this access period. |
Period Start Date |
Date only from the period start attribute. |
Period Start Weekday |
Weekday only from the period start attribute. |
Period Start Time |
Time only from the period start attribute. |
Timestamp |
The Timestamp is set the first time a request is observed on a client-server connection during an access period (by default one hour long; the Guardium administrator can change this in the Inspection Engine Configuration, see the Guardium Administrator Guide). For each subsequent request in the period it is updated when the system updates the average execution time and the command count for the period. |
Period End |
Date and time for the end of the access period. |
Period End Date |
Date only from the period end attribute. |
Period End Weekday |
Weekday only from the period end attribute. |
Period End Time |
Time only from the period end attribute. |
Application User |
Application user name. |
Average Execution Time |
The average command execution time during the period. This is for SQL statements only. It does not apply to FTP or Windows file share traffic. |
Failed Sqls (2) |
The number of failed SQL requests. See note at the end of the table. |
Successful Sqls (2) |
The number of successful SQL requests. See note at the end of the table. |
Application Event ID |
The application event ID if set from the API. |
Total Records Affected (2) |
The total number of records affected. See note at the end of the table. |
Avg Records Affected (2) |
The average number of records affected. See note at the end of the table. |
Total Records Affected (Desc) (2) |
If the Total Records Affected attribute is a character string instead of a number (for example, Large Results Set or N/A), that value appears here. Records affected is the number of records affected by each execution of an SQL statement. Note: the records affected option is a sniffer operation that requires the sniffer to process additional response packets and postpone logging of the affected data, which increases the buffer size and can adversely affect overall sniffer performance; the significant impact comes from very large responses. To prevent a large amount of overhead from this operation, Guardium uses a set of default thresholds above which the sniffer skips the operation. Use the store max_results_set_size, store max_result_set_packet_size, and store max_tds_response_packets CLI commands to set these thresholds. Example of result set values:
|
Show Seconds |
If the number of accesses per second is being tracked, this attribute contains a count for each second in the access period (usually one hour). |
Avg Execution Ack Time |
Average execution acknowledgement time, in milliseconds. |
Original Timezone |
The UTC offset of the collector that logged the record. Set the offset so that data from collectors in different time zones aggregates correctly; without it, users cannot determine when events actually happened in relation to one another. For instance, on an aggregator that aggregates data from different time zones you can see one record with session start 21:00 and original timezone UTC-02:00 and another with session start 21:00 and original timezone UTC-05:00: these events occurred 3 hours apart, at the same respective local time (9 PM). |
Session ID, Instance ID, Construct ID, and Total Access are only available to users with the admin role.
Failed Sqls, Successful Sqls, Application Event ID, Total Records Affected, Avg Records Affected, and Total Records Affected (Desc) are attributes that only appear when the main entity for the query permits this level of detail. These are not available if either Client/Server or Session is the main entity.
Access Rule Entity
The name assigned to an access rule when it was defined. This is available for reporting only from the owning Policy Rule Violation entity (described later), when an access rule violation is logged.
Attribute | Description |
---|---|
Access Rule Description |
Description from the access policy rule definition. |
Activity Types Entity
Available only from the Aggregation/Archive domain, which by default is available to users assigned the admin role only. The Activity Types entity can be accessed only from the owning Aggregation/Import/Export Log Entity. It identifies a type of action (Prepare for Aggregation, Encrypt, Send, etc.).
Attribute | Description |
---|---|
Activity Type |
Description of an aggregation/import/export activity. |
Agg/Archive Log Entity
Available only from the Aggregation/Archive domain, which by default is available to users assigned the admin role only. One or more Aggregation/Import/Export Log entities are created for each activity. For example, when an aggregator system imports data, you will typically see at least four activities:
Prepare for Aggregation
Check Duplicate Import (one per file exported to this aggregator)
Extract (one per file to be merged)
Merge (one per file merged)
Attribute | Description |
---|---|
Timestamp |
Updated at the start and end of the activity being logged (prepare for archiving, encrypt, send, etc.). |
Status |
Status of the aggregation/import/export log activity. |
User Name |
User name under which activity initiated. |
Start Time |
Starting time of activity. |
End Time |
Ending time of activity. |
Period Start |
Starting time for the data being acted upon. Each archiving or aggregation activity operates on one full day of activity. |
Period End |
Ending time for the data being acted upon. |
File Name |
Name of the file used for the activity. Files created by the archive and export operations are named <daysequence>-<scp_host>-w<run_datestamp>-d<data_date>.dbdump.enc, for example 732423-g1.guardium.com-w20050425.040042-d2005-04-22.dbdump.enc. The date of the data contained in the file, in yyyy-mm-dd format, is data_date, near the end of the file name (just before .dbdump.enc). Do not confuse this date with the run date, which appears earlier in the file name and is the date the data was archived or exported. |
Comment |
Additional comment for the activity. |
Guardium Host Name |
The name of the Guardium host. |
Records Purged |
If the activity type is Purge, the number of records purged. Otherwise, N/A. |
Original Timezone |
The UTC offset of the collector that logged the record. On an aggregator that merges data from collectors in different time zones, the offset keeps activities that happened hours apart from appearing simultaneous: two records with session start 21:00, one with original timezone UTC-02:00 and one with UTC-05:00, occurred 3 hours apart, at the same respective local time (9 PM). |
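As an added example (not Guardium code), here is a parser for the archive/export file name format given for the File Name attribute above. It separates the run datestamp from the data date so that files can be selected by the day of data they contain, the distinction the attribute description warns about. The regular expression and the second sample file name are assumptions constructed for the example; the first sample name is the one from the description.

```python
"""Added example (not Guardium code): parsing archive/export file names of the form
<daysequence>-<scp_host>-w<run_datestamp>-d<data_date>.dbdump.enc.
The pattern below is an assumption about the format; sample names are constructed."""
import re
from datetime import date, datetime
from typing import List, NamedTuple


class ArchiveFileName(NamedTuple):
    day_sequence: int
    scp_host: str
    run_datestamp: datetime   # when the archive or export ran
    data_date: date           # the day of data inside the file


_NAME_RE = re.compile(
    r"^(?P<seq>\d+)-(?P<host>.+?)-w(?P<run>\d{8}\.\d{6})"
    r"-d(?P<data>\d{4}-\d{2}-\d{2})\.dbdump\.enc$"
)


def parse_archive_file_name(name: str) -> ArchiveFileName:
    """Split a file name into its fields; reject anything that does not fit the format."""
    m = _NAME_RE.match(name)
    if not m:
        raise ValueError(f"not an archive/export file name: {name!r}")
    return ArchiveFileName(
        day_sequence=int(m.group("seq")),
        scp_host=m.group("host"),
        run_datestamp=datetime.strptime(m.group("run"), "%Y%m%d.%H%M%S"),
        data_date=date.fromisoformat(m.group("data")),
    )


def files_for_data_date(names: List[str], wanted: date) -> List[str]:
    """Select files by the date of the data they contain, never by run date."""
    return [n for n in names if parse_archive_file_name(n).data_date == wanted]


# Constructed sample: the name from the description plus a second run on the same day.
SAMPLE_FILE_NAMES = [
    "732423-g1.guardium.com-w20050425.040042-d2005-04-22.dbdump.enc",
    "732424-g1.guardium.com-w20050425.040105-d2005-04-23.dbdump.enc",
]

if __name__ == "__main__":
    for n in SAMPLE_FILE_NAMES:
        print(parse_archive_file_name(n))
```

Both sample files were written on 2005-04-25, yet asking for files with data from 2005-04-25 returns nothing, while asking for 2005-04-22 returns the first file; that is the mistake a restore or audit lookup keyed on the run date would make.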
Alert Notification Entity
Describes a policy alert notification.
Attribute | Description |
---|---|
ALERT_NOTIFICATION_ID |
Identifies the alert notification. |
ALERT_ID |
Identifies the alert definition. |
Alert Notification Type |
Type of alert from the policy rule definition. |
Alert User |
Receiver of the alert. |
Alert Destination |
Type of alert (EMAIL, SNMP, SYSLOG, CUSTM). |
Timestamp |
Timestamp alert record created. |
ALERT_NOTIFICATION_ID and ALERT_ID are only available to users with the admin role.
Application Data Entity
Used for the SAP and Siebel reports.
Attribute | Description |
---|---|
Application Data ID |
Unique identifier for this data. |
Application Code |
The application type code. |
Full SQL ID |
Identifies the full SQL data. |
Application Type |
Application type. |
User |
Application user name. |
Operation Type |
The type of operation. |
Change Date |
Date of the change. |
Time Stamp |
Time stamp for this record. |
Item Name |
Name of the item affected. |
Transaction Code |
Transaction code. |
System ID |
Unique identifier for the system. |
Record Detail 1 |
Varies by item type. |
Record Detail 2 |
Varies by item type. |
Record Detail 3 |
Varies by item type. |
Record Detail 4 |
Varies by item type. |
VBKey |
The VBKey value. |
Original Timezone |
The UTC offset of the collector that logged the record. On an aggregator that merges data from collectors in different time zones, the offset keeps activities that happened hours apart from appearing simultaneous: two records with session start 21:00, one with original timezone UTC-02:00 and one with UTC-05:00, occurred 3 hours apart, at the same respective local time (9 PM). |
Application Events Entity
This entity is created each time that the system observes an Application Events API call (which sets these attribute values) or a stored procedure call that has been identified as a Custom Identification Procedure (which maps stored procedure parameters to these attributes).
Attribute | Description |
---|---|
Application Event ID |
Unique identifier for this application events entity. |
Event User Name |
User name, set by GuardAppEvent:Start. |
Event Type |
Type of event, set by GuardAppEvent:Start. |
Event Value Str |
String value, set by GuardAppEvent:Start. |
Event Value Num |
Numeric value, set by GuardAppEvent:Start. |
Event Date |
Datetime value, set by GuardAppEvent:Start. It displays in the format yyyy-mm-dd hh:mm:ss. Note: if an attempt is made to set the event date using a format other than yyyy-mm-dd, the value contains all zeroes. The time portion (hh:mm:ss) is optional; if omitted, it is 00:00:00. |
Timestamp |
Created only once, when the event is logged. Do not confuse this attribute with the Event Date attribute, which can be set using an API call or from a stored procedure parameter. (See the Guardium Administrator Guide for a description of the Application Events API and Custom Identification Procedures.) |
Event Release Type |
Type of event, set by GuardAppEvent:Released. |
Event Release User Name |
User name, set by GuardAppEvent:Released. |
Event Release Value Str |
String value, set by GuardAppEvent:Released. |
Event Release Value Num |
Numeric value, set by GuardAppEvent:Released. |
Event Release Date |
Datetime value, set by GuardAppEvent:Released. It displays in the format yyyy-mm-dd hh:mm:ss. |
Original Timezone |
The UTC offset of the collector that logged the record. On an aggregator that merges data from collectors in different time zones, the offset keeps activities that happened hours apart from appearing simultaneous: two records with session start 21:00, one with original timezone UTC-02:00 and one with UTC-05:00, occurred 3 hours apart, at the same respective local time (9 PM). |
Application Event ID is only available to users with the admin role.
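The Event Date rule above (a format other than yyyy-mm-dd yields all zeroes; a missing time becomes 00:00:00) is easy to trip over from application code. The following Python is an added example, not Guardium code, that applies that rule to candidate values and flags events whose date would be zeroed, so the calling application can be fixed before reports silently fill with 0000-00-00. The all-zero sentinel spelling, the treatment of an impossible calendar date as a bad format, and the sample events are assumptions.

```python
"""Added example (not Guardium code): the documented Event Date format rule applied
to values an application might pass to GuardAppEvent:Start. The sentinel string and
the rejection of impossible calendar dates are assumptions; samples are constructed."""
import re
from datetime import datetime
from typing import List, Tuple

ZERO_DATE = "0000-00-00 00:00:00"
_EVENT_DATE = re.compile(r"^(\d{4}-\d{2}-\d{2})(?: (\d{2}:\d{2}:\d{2}))?$")


def normalize_event_date(value: str) -> str:
    """Return the value as it would display: 'yyyy-mm-dd hh:mm:ss', with 00:00:00
    when the time is omitted, and all zeroes when the format is not yyyy-mm-dd."""
    m = _EVENT_DATE.match(value.strip())
    if not m:
        return ZERO_DATE
    day, time_part = m.group(1), m.group(2) or "00:00:00"
    try:
        datetime.strptime(f"{day} {time_part}", "%Y-%m-%d %H:%M:%S")
    except ValueError:   # e.g. 2024-13-40: assumed to be rejected like a bad format
        return ZERO_DATE
    return f"{day} {time_part}"


def zeroed_event_dates(events: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Events (id, raw Event Date) whose date would be logged as all zeroes."""
    return [(eid, raw) for eid, raw in events if normalize_event_date(raw) == ZERO_DATE]


# Constructed sample: what four different application callers might send.
SAMPLE_EVENTS = [
    ("evt-1", "2024-03-10 21:00:00"),   # full datetime
    ("evt-2", "2024-03-10"),            # date only, time defaults to 00:00:00
    ("evt-3", "03/10/2024"),            # US-style date: zeroed
    ("evt-4", "2024-03-10 21:00"),      # hh:mm without seconds: zeroed
]

if __name__ == "__main__":
    for eid, raw in SAMPLE_EVENTS:
        print(eid, repr(raw), "->", normalize_event_date(raw))
```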
App User Name Entity
This entity displays the user name from the Application Event if one exists; otherwise it displays the user name from the Construct Instance.
Attribute | Description |
---|---|
APP User Name |
Unique identifier for this App User Name entity. |
Assessment Log Entity
This entity is created each time that an assessment is run.
Attribute | Description |
---|---|
Assessment Log ID |
Uniquely identifies the assessment. |
Timestamp |
Timestamp for the assessment. |
Timestamp Date |
Date portion of timestamp. |
Timestamp Time |
Time portion of the timestamp. |
Assessment Log Type |
Predefined, query or custom test. |
Assessment Log Severity |
The assessment test severity, ordered from highest to lowest: Critical, Major, Minor, Cautionary, Informational. |
Assessment Result ID |
Identifies the assessment results set. |
Message |
Message returned by the assessment. |
Details |
Details for this assessment. |
Assessment Log ID is only available to users with the admin role.
Assessment Result Datasource Entity
This entity identifies a datasource accessed by the assessment test.
Attribute | Description |
---|---|
Assessment Result data source ID |
Identifies a results set for a datasource. |
Assessment Result ID |
Identifies the result. |
DB Type |
Database type: Oracle, MS-SQL, DB2®, Sybase, Informix®, etc. |
DB Name |
Database name. |
Version Level |
Version level of the database. |
Patch Level |
Patch level of the database. |
Full Version Info |
Full version information for the datasource |
Datasource name |
Name of the datasource. |
Description |
Datasource description. |
Host |
Host name for the datasource. |
Port |
Port number on the host. |
Service Name |
Service name for the datasource. |
User Name |
User name used for datasource access. |
Assessment Result data source ID and Assessment Result ID are only available to users with the admin role.
Assessment Result Header Entity
This entity is created for each task in the assessment results set.
Attribute | Description |
---|---|
Assessment Result ID |
Identifies the assessment results set. |
Assessment ID |
Identifies the assessment. |
Task ID |
Identifies the task within the assessment. |
Parameter Modified Flag |
Indicates if parameters modified since last run. |
Execution Date |
Date that the assessment was run. |
Received By All |
Indicates whether or not these results have been received by all receivers on the distribution list. |
Overall Score |
Overall score for the assessment. |
From Date |
From date for the assessment. |
To Date |
To date for the assessment. |
Assessment Description |
Assessment name from the definition. |
Filter Client IP |
Clients selected: exact IP address, address with wildcards (*), or empty to select all. |
Filter Server IP |
Servers selected: exact IP address, address with wildcards (*), or empty to select all. |
Recommendation |
Recommendation returned for the task. |
Assessment Result ID, Assessment ID, and Task ID are only available to users with the admin role.
Assessment Tests Entity
This entity contains entries for available tests.
Attribute | Description |
---|---|
Test Description |
Text description of the test |
Test Type |
Type of assessment test (Observed, Predefined, Custom, Query based, CVE) |
Datasource Type |
Type of Datasource (DB2, Informix, MYSQL, ORACLE, SYBASE, etc.) |
Threshold |
User-defined threshold that overrides the value defined when the test was created. |
Threshold Default Value |
Default threshold that defines the success/fail criteria |
Severity |
Severity of the assessment (Critical, Major, Minor, Caution, Info) |
Category |
Category of the assessment (Privilege, Authentication, Configuration, Version, Other) |
Timestamp |
Timestamp test was created |
Audit Process Entity
This entity contains basic definition parameters for an audit process.
Attribute | Description |
---|---|
Process Description |
Description from audit process definition. |
Active |
Indicates if the process is active (able to be scheduled). |
Keep Result Days |
The number of days the results will be kept by the system. |
Keep Results Quantity |
The number of results sets that will be kept by the system. |
Audit Process Comments Entity
This entity holds comments attached to an audit process definition. Comments attached to audit process results are contained in the Audit Process Results Comments entity.
Attribute | Description |
---|---|
Audit Process Comment |
The text of the comment. |
Audit Process Comment Creator |
The creator of the comment. |
Audit Process Comment Timestamp |
Timestamp for the comment. |
Audit Task Entity
This entity describes a single audit task (within an audit process).
Attribute | Description |
---|---|
Task Type |
A numeric value indicates whether the task is a report, security assessment, entity audit trail, privacy set, or classification process. Aliases are defined for these types, so reports with Aliases on will simplify reading of the report output. |
Task Description |
Name of the task from the task definition. |
Audit Process Result Entity
This entity contains the execution date for a set of audit process results.
Attribute | Description |
---|---|
Execution Date |
The date the audit process was executed. |
Audit Process Results Comments Entity
This entity holds comments attached to audit process results. Comments attached to an audit process definition are contained in the Audit Process Comments entity.
Attribute | Description |
---|---|
Audit Process Comment |
The text of the comment. |
Audit Process Comment Creator |
The creator of the comment. |
Audit Process Comment Timestamp |
Timestamp for the comment. |
Auto-discovery Scan Entity
This entity identifies when a scan executed.
Attribute | Description |
---|---|
Scan Timestamp |
The time the scan executed. |
Original Timezone |
The UTC offset of the collector that logged the record. On an aggregator that merges data from collectors in different time zones, the offset keeps activities that happened hours apart from appearing simultaneous: two records with session start 21:00, one with original timezone UTC-02:00 and one with UTC-05:00, occurred 3 hours apart, at the same respective local time (9 PM). |
Changed Columns Entity
This entity describes a changed column.
Attribute | Description |
---|---|
Changed Column Name |
Name of the changed column on the database. |
Old Value |
Value before the change. |
New Value |
Value after the change. |
Original Timezone |
The UTC offset of the collector that logged the record. On an aggregator that merges data from collectors in different time zones, the offset keeps activities that happened hours apart from appearing simultaneous: two records with session start 21:00, one with original timezone UTC-02:00 and one with UTC-05:00, occurred 3 hours apart, at the same respective local time (9 PM). |
Changed Data Values Entity
This entity is used with the IBM InfoSphere Change Data Capture (InfoSphere CDC) replication solution, which replicates data to and from supported databases. Maintaining replicated databases can reduce processing overhead and network traffic.
IBM Guardium customers with Database Activity Monitoring have access to InfoSphere CDC.
This Guardium feature uses a Java InfoSphere CDC user exit to send value-change information to the Guardium collector.
User exits for InfoSphere CDC let you define a set of actions that InfoSphere CDC runs before or after a database event occurs on a specified table.
Attribute | Description |
---|---|
Full SQL ID |
Unique identifier for the Full SQL. |
Table Name |
Table Name from database |
Column Name |
Column Name from database |
Old Value |
Value before the change. |
New Value |
Value after the change. |
Timestamp |
Time the record was created. |
The Guardium agent that interfaces with IBM InfoSphere Change Data Capture (InfoSphere CDC) consists of two files that must be installed on the database server. They are in the sources/apps/GuardCDC/lib/ directory of the build: protobuf-java-2.4.1.jar and GuardCdc.jar.
Instructions for installation
Prerequisite: the InfoSphere CDC application must already be installed on the database server.
Steps to install the Guardium agent on the database server:
- Copy the two files to the RepEngine/lib/ directory under the CDC home directory. An example of the full path is /cdchome/cdc6.5.2/RepEngine/lib/
- Unzip each file.
- Edit the guard_cdc_user_exit_config.mxl file to add the Guardium host name. An example of where this file is located is /cdchome/cdc6.5.2/RepEngine/lib/com/guardium/cdc/userexit/
- Configure InfoSphere CDC to write to the Guardium agent. Setting up and configuring the CDC application takes several steps, which can be obtained from the InfoSphere CDC development/support team at IBM.
Classification Process Results Entity
This entity is created for each classification process rule that is fired.
Attribute | Description |
---|---|
Catalog |
Catalog location for results set. |
Schema |
Schema name if applicable. |
Table Name |
Table name from the rule definition. |
Column Name |
Column name from the rule definition. |
Rule Description |
The classifier policy rule description. |
Comments |
Any comments added to this rule definition. |
Classification Name |
Classification for the rule. |
Category |
Category for the rule. |
Data Source Description |
Data source for the rule. |
Classification Process Run Entity
This entity describes a classification process job execution.
Attribute | Description |
---|---|
Process Description |
From the process definition. |
Status |
Job status. |
Queue DateTime |
Timestamp when the job was submitted to the classifier/assessment queue. |
Start DateTime |
Timestamp at start of job. |
End DateTime |
Timestamp at end of job. |
Data Sources |
Identifies the datasource list for the job. |
Client/Server Entity
This entity describes a specific client-server connection. An instance is created each time a unique set of attributes (excluding the Timestamp) is detected.
Attribute | Description |
---|---|
Access ID |
A unique identifier for this client/server connection. |
Timestamp |
Since all attributes in this entity contain static information, this timestamp is created only once, when Guardium observes a request on the defined client-server connection for the first time. |
Timestamp Date |
Date only from the timestamp. |
Timestamp Time |
Time only from the timestamp. |
Timestamp Weekday |
Weekday only from the timestamp. |
Timestamp Year |
Year only from the timestamp. |
Server Type |
DB2, Oracle, Sybase, etc. |
Client IP |
Client IP address. |
Server IP |
Server IP address. |
Network Protocol |
Network protocol used (for example, TCP or UDP). For K-TAP on Oracle, this may display as IPC or BEQ. |
DB Protocol |
Protocol specific to the database server. |
DB Protocol Version |
Protocol version for the DB Protocol. |
DB User Name |
Database user name. The DB user name is the person who connected to the database, either local or remote. |
Source Program |
Source program for the interaction. |
Client MAC |
Client hardware address. |
Client Host Name |
Client host name. |
Service Name |
Service name for the interaction. In some cases (AIX® shared memory connections, for example), the service name is an alias that is used until the actual service is connected. In those cases, once the actual service is connected, a new session is started - so what the user experiences as a single session will be logged as two sessions. For Teradata, Service name contains the session logical host id value. |
Server OS |
Server operating system. For Informix, the OS may appear as IEEEM (Unix or JDBC), IEEEI (Windows), or DEC (DEC Alpha). For Teradata there is no direct information about the client or server OS, so the data format type (how integer data is stored during the DB session) is used instead; it is closely related to the platform and may appear as: IBM MAINFRAME (IBM mainframe data format); HONEYWELL MAINFRAME (Honeywell mainframe data format); AT&T 3B2 (AT&T 3B2 data format); INTEL 8086 (Intel 8086 data format, IBM PC or compatible); VAX (VAX data format); AMDAHL (Amdahl data format). |
Client OS |
Client operating system. For Teradata there is no direct information about the client or server OS, so the data format type (how integer data is stored during the DB session) is used instead; it is closely related to the platform and may appear as: IBM MAINFRAME (IBM mainframe data format); HONEYWELL MAINFRAME (Honeywell mainframe data format); AT&T 3B2 (AT&T 3B2 data format); INTEL 8086 (Intel 8086 data format, IBM PC or compatible); VAX (VAX data format); AMDAHL (Amdahl data format). |
OS User |
OS user account for the interaction. |
Server Host Name |
Server host name. |
Server Description |
Server description (if any). |
ClientIP/DBUser |
Paired attribute value consisting of the client IP address and database user name. |
Analyzed Client IP |
Applies only to encrypted traffic; when it is set, Client IP is set to zeroes. Analyzed Client IP maps to the CEF source field: if the query used for CEF output does not contain Client IP but does contain Analyzed Client IP, Analyzed Client IP is used as the source; if both are included in the query, Client IP takes precedence. |
Server IP/DB user |
Paired attribute value consisting of Server IP address and database user name. |
Client/ Server by session |
Client/Server by Session is also a main entity. Access this secondary entity by clicking the Client/Server primary entity. |
Access ID is only available to users with the admin role.
Client/Server By Session takes its count from Client/Server and its date conditions from Session.
Client/Server takes both its count and its date conditions from Client/Server.
If the user chooses Client/Server, the query is populated with ATTRIBUTE_ID = 1. If the user chooses Client/Server By Session, the query is populated with MAIN_ATTRIBUTE_ID = 0.
CM Buffer Usage Monitor Entity
Within Central Manager, shows the aggregate of all Sniffer Buffer Usage entity records that have been uploaded to it.
Attribute | Description |
---|---|
Sniffer Buffer Usage ID |
Uniquely identifies the sniffer buffer usage record. |
Timestamp |
Time the record was created. |
Sniffer CPU PCT |
Percentage of CPU used by sniffer. |
Sniffer Mem PCT |
Percentage of memory used by sniffer. |
MySQL CPU PCT |
Percentage of CPU used by MySQL. |
MySQL MEM PCT |
Percentage of memory used by MySQL. |
PID |
Sniffer process identifier. |
Memory |
Amount of memory used by sniffer. |
Time |
Elapsed time used by sniffer. |
Free Buffer |
Amount of free buffer space. |
Analyzer Rate |
Rate at which messages are being analyzed. |
Analyzer Queue |
Size of the analyze queue. |
Analyzer Total |
Total number of messages analyzed. |
Logger Queue |
Size of logger queue. |
Logger Total |
Total number of messages logged. |
Session Queue |
Size of session queue. |
Session Total |
Total number of sessions. |
Handler Data |
Internal sniffing engine data. |
Extra STR |
Internal sniffing engine data. |
Sniffer Connections Used |
Total number of connections that have been monitored since the inspection engine was restarted. |
Sniffer Packets Dropped |
Packets dropped by sniffer. |
Sniffer Packets Ignored |
Packets ignored by sniffer. |
Sniffer Packets Throttled |
Total number of connections that have been ignored due to throttling since inspection engine was restarted. |
Sniffer Connections Ended |
Total number of connections that were monitored and have ended since inspection engine was restarted. |
Logger Session Count |
Count of sessions logged. |
Logger Packets Ignored by Rule |
Packets ignored by policy rule action. |
Analyzer Lost Packets |
Packets lost by analyzer. |
Logger Dbs Monitored |
List of database types currently being monitored. |
Mysql Is Up |
Boolean indicator for internal database restart (1=was restarted, 0=not restarted). |
System Cpu Load |
System CPU utilization. |
System Uptime |
Time since last start-up. |
Mysql Disk Usage |
MySQL disk usage. |
System Memory Usage |
System memory utilization. |
System Var Disk Usage |
System var disk utilization. |
System Root Disk Usage |
System Root disk utilization. |
Eth0 Received |
Messages received on ETH 0. |
Eth0 Sent |
Messages sent on ETH 0. |
Promiscuous Received |
Rate of received packets through the sniffing network cards (non-interface ports). |
Open FDs |
Open File Descriptors. |
Open FDs MySQL |
Database open File Descriptors |
Sessions normal |
Count of normal sessions. |
Sessions not opened |
Count of sessions not opened by sniffer. |
Sessions timeout |
Count of sessions timed-out. |
Sessions ignored |
Count of sessions ignored by sniffer. |
Session Direct closed |
Count of sessions directly closed. |
Session guessed |
Count of sessions guessed. |
SqlGuard Timestamp |
The time the record was inserted into the custom table. |
Datasource Name |
The name of the datasource used to upload the record. |
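The counters in this entity are where monitoring gaps show up: packets the sniffer drops or the analyzer loses are database activity that was never logged, and a growing analyzer queue or shrinking free buffer is the usual precursor. The following Python is an added example, not Guardium code, of a health check run over uploaded rows on the Central Manager. The row layout (a subset of the columns above keyed by Datasource Name), the alert thresholds, the assumption that the packet counters are cumulative since the inspection engine last restarted (as the neighbouring connection counters are), the assumption that Free Buffer is a percentage, and the sample rows are all constructed for the example.

```python
"""Added example (not Guardium code): health findings over CM Buffer Usage Monitor rows.
Assumptions: rows are dicts keyed by the column names below; 'Sniffer Packets Dropped'
and 'Analyzer Lost Packets' are cumulative counters since the last inspection engine
restart; 'Free Buffer' is a percentage; thresholds are illustrative; rows are constructed."""
from collections import defaultdict
from typing import Dict, List, Tuple

COUNTERS = ("Sniffer Packets Dropped", "Analyzer Lost Packets")

# Constructed sample: two collectors, two consecutive uploads each.
SAMPLE_ROWS = [
    {"Datasource Name": "coll-01", "Timestamp": "2024-03-10 09:00:00",
     "Sniffer Packets Dropped": 0, "Analyzer Lost Packets": 0,
     "Analyzer Queue": 40, "Free Buffer": 95, "Mysql Is Up": 0},
    {"Datasource Name": "coll-01", "Timestamp": "2024-03-10 09:05:00",
     "Sniffer Packets Dropped": 0, "Analyzer Lost Packets": 0,
     "Analyzer Queue": 35, "Free Buffer": 94, "Mysql Is Up": 0},
    {"Datasource Name": "coll-02", "Timestamp": "2024-03-10 09:00:00",
     "Sniffer Packets Dropped": 10, "Analyzer Lost Packets": 0,
     "Analyzer Queue": 800, "Free Buffer": 60, "Mysql Is Up": 0},
    {"Datasource Name": "coll-02", "Timestamp": "2024-03-10 09:05:00",
     "Sniffer Packets Dropped": 250, "Analyzer Lost Packets": 3,
     "Analyzer Queue": 2600, "Free Buffer": 12, "Mysql Is Up": 1},
]


def health_findings(rows: List[Dict], max_analyzer_queue: int = 2000,
                    min_free_buffer: int = 20) -> List[Tuple[str, str]]:
    """Return (collector, finding) pairs. Counter growth between consecutive uploads
    is reported as a monitoring gap; a counter that went backwards indicates a restart."""
    by_collector: Dict[str, List[Dict]] = defaultdict(list)
    for row in rows:
        by_collector[row["Datasource Name"]].append(row)

    findings: List[Tuple[str, str]] = []
    for name, samples in by_collector.items():
        samples.sort(key=lambda r: r["Timestamp"])   # ISO-style strings sort chronologically
        for prev, cur in zip(samples, samples[1:]):
            for counter in COUNTERS:
                delta = cur[counter] - prev[counter]
                if delta < 0:
                    findings.append((name, f"{counter} counter reset (engine restart?)"))
                elif delta > 0:
                    findings.append((name, f"{counter} grew by {delta} between "
                                           f"{prev['Timestamp']} and {cur['Timestamp']}"))
        latest = samples[-1]
        if latest["Analyzer Queue"] > max_analyzer_queue:
            findings.append((name, f"Analyzer Queue {latest['Analyzer Queue']} "
                                   f"exceeds {max_analyzer_queue}"))
        if latest["Free Buffer"] < min_free_buffer:
            findings.append((name, f"Free Buffer {latest['Free Buffer']}% "
                                   f"below {min_free_buffer}%"))
        if latest["Mysql Is Up"] == 1:
            findings.append((name, "internal database was restarted"))
    return findings


if __name__ == "__main__":
    for collector, finding in health_findings(SAMPLE_ROWS):
        print(collector, finding)
```

For the sample rows, coll-01 produces no findings, while coll-02 shows 240 newly dropped packets and 3 lost packets in five minutes, an analyzer queue over the limit, a nearly exhausted buffer, and an internal database restart; that collector's data for the interval should be treated as incomplete, and the store max_results_set_size style thresholds and policy rules that ignore traffic are the first places to look for load relief.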
Command Entity
For each command, an entity is created for each parent node and position in which the command appears in a command construct.
Attribute | Description |
---|---|
Command Id |
Uniquely identifies the command. |
Construct Id |
Uniquely identifies the construct (e.g., select a from b). |
SQL Verb |
Main verb in SQL command (e.g., select, insert, delete, etc.). |
Depth |
Depth of the command in the SQL parse tree. |
Parent |
Identifier of parent node in the parse tree. |
Command ID and Construct ID are only available to users with the admin role.
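To make the Command entity's Depth and Parent attributes concrete, the following Python is an added example (not Guardium's parser) that derives Command rows from one construct. It approximates the parse tree by nesting on parentheses only: each SQL verb becomes a command, its depth is the number of enclosing verbs, and its parent is the nearest enclosing verb; verbs at the same parenthesis level are treated as siblings. That simplification, the verb list, the tokenizer, and the sample statements are assumptions; Guardium's own parse tree may assign different depths and parents.

```python
"""Added example (not Guardium code): deriving Command rows (verb, depth, parent) for a
construct. Nesting is approximated by parentheses; the verb list and tokenizer are
assumptions, and SQL comments are not handled. Sample statements are constructed."""
import re
from typing import List, NamedTuple, Optional, Tuple


class Command(NamedTuple):
    command_id: int
    construct_id: int
    sql_verb: str
    depth: int
    parent: Optional[int]


VERBS = {"select", "insert", "update", "delete", "merge",
         "create", "drop", "alter", "grant", "revoke"}

# String literals first so that a verb inside quotes is not counted as a command.
_TOKEN = re.compile(r"'[^']*'|\(|\)|[A-Za-z_][A-Za-z0-9_]*|\S")


def commands_for_construct(construct_id: int, sql: str) -> List[Command]:
    """One Command per verb occurrence; depth and parent follow parenthesis nesting."""
    rows: List[Command] = []
    open_cmds: List[Tuple[int, int]] = []   # (paren depth, command id) still enclosing us
    paren_depth = 0
    for tok in _TOKEN.findall(sql):
        if tok == "(":
            paren_depth += 1
        elif tok == ")":
            paren_depth = max(0, paren_depth - 1)
            while open_cmds and open_cmds[-1][0] > paren_depth:
                open_cmds.pop()                   # subquery closed
        elif tok.lower() in VERBS:
            while open_cmds and open_cmds[-1][0] >= paren_depth:
                open_cmds.pop()                   # a verb at the same level is a sibling
            parent = open_cmds[-1][1] if open_cmds else None
            cmd = Command(len(rows) + 1, construct_id, tok.lower(), len(open_cmds), parent)
            rows.append(cmd)
            open_cmds.append((paren_depth, cmd.command_id))
    return rows


# Constructed sample constructs.
NESTED = "select a from b where c in (select d from e where f = (select max(g) from h))"
LITERAL = "select a from b where c = 'delete'"

if __name__ == "__main__":
    for row in commands_for_construct(1, NESTED):
        print(row)
```

The nested sample yields three select commands at depths 0, 1 and 2, each pointing at the previous one as parent; the literal sample yields a single select, because the quoted 'delete' is data, not a command. Keying detection on these rows rather than on raw text is what lets a policy distinguish a DELETE statement from a column value that happens to contain the word.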
Comments Entity
This entity describes a user comment. It is available in the Comments domain only, which is restricted to admin users. This domain includes only sharable comments, which are all comments except local comments (see the Local Comments entity).
Attribute | Description |
---|---|
Comment Creator | The Guardium user who created the comment. |
Comment Reference | Indicates the element to which the comment is attached: a query, audit process result, or another comment, for example. |
Content of Comment | The complete comment text. |
Timestamp | Date and time the comment was created. |
Timestamp Year | Year only from the timestamp. |
Timestamp WeekDay | Weekday only from the timestamp. |
Timestamp Time | Time only from the timestamp. |
Timestamp Date | Date only from the timestamp. |
Object Description | The name of the object on which the comment was defined. For example, a comment defined on a policy has an object description of ACCESS_RULE_SET. |
Record Associations | A list of records that this comment is associated with. |
Database Error Text Entity
The text of each common database error message is stored in a table in the Guardium internal database. It is available for reporting only from the owning Exception Entity for each exception that is a database error. Some types of exceptions - S-TAP® disconnects or reconnects, for example - will have no database error text.
Attribute | Description |
---|---|
Database Error Text | A database error code followed by a short text description of the error. The error code is taken from the Exception Description attribute of the Exception entity. Using the error code as a key, the error text is obtained from an internal table on the Guardium appliance, which contains the most common error messages (about 54,000 of them). For example: ORA-00942: table or view does not exist |
Error Code | Displays the database error code. |
Data Source Entity
This entity (under CAS Config Tracking/ Monitored Item Details Entity) identifies a data source.
Attribute | Description |
---|---|
Data source ID | Identifies a results set for a data source |
Data source Type | Data source type - Oracle, MS-SQL, DB2, Sybase, Informix, etc. |
Data source Name | Data source name |
Data source Description | Description of the data source |
Host | Host name for the data source |
Port | Port Number on host |
Service Name | Service name for the data source |
User Name | User name for datasource access |
Database Name | Database name |
Last Comment | Last comment |
Shared | Yes or No |
Connection Properties | The Connection Property box has information in it only if additional connection properties must be included on the JDBC URL to establish a JDBC connection with this datasource. |
Discovered Host Entity
This entity identifies a discovered host.
Attribute | Description |
---|---|
Server IP | IP address of the discovered host. |
Server Host Name | Host name of the discovered host. |
Original Timezone | The UTC offset. This is recorded in particular for aggregators that have collectors in different time zones, so that activities that happened hours apart do not appear to have happened at the same time when imported to the aggregator. For instance, on an aggregator that aggregates data from different time zones, you can see one record with a session start of 21:00 and original timezone UTC-02:00, and another record with a session start of 21:00 and original timezone UTC-05:00. These events occurred 3 hours apart, but at the same respective local time (9 PM). |
Discovered Instances Entity
This entity identifies discovered instances.
Attribute | Description |
---|---|
Timestamp | A timestamp value created when Guardium records this instance of the entity (every instance has a unique timestamp). |
Host | Host name for this instance |
Protocol | Protocol specific to this instance |
Port Min | Port range, minimum port number for inspection-engines |
Port Max | Port range, maximum port number for inspection-engines |
Client IP | IP address/mask of client |
Exclude Client IP | IP address/mask of clients to exclude |
Proc Names | Name of database executable |
Named Pipe | Pipe name used by database |
KTAP DB Port | Database port for KTAP |
DB Install Dir | Database Install Directory |
Proc Name | Process name |
DB2 Shared Mem Adjustment | Packet header size |
DB2 Shared Mem Client Position | Client I/O area offset |
DB2 Shared Mem Size | DB2 shared memory segment size |
Instance Name | Name of the discovered instance |
Informix Version | Informix Version |
Discovered Port Entity
This entity identifies a discovered port.
Attribute | Description |
---|---|
Port | Discovered port number. |
Probe Attempted | Indicates if a probe for a supported database service has been attempted on this port. T=yes, F=no. |
Port Type | Indicates the port type (usually TCP). |
DB Type | If a probe of the port has found a supported database type, indicates the type (DB2, Informix, MS SQL Server, etc.). |
Probe Timestamp | The date and time that this specific port was probed. |
Original Timezone | The UTC offset. This is recorded in particular for aggregators that have collectors in different time zones, so that activities that happened hours apart do not appear to have happened at the same time when imported to the aggregator. For instance, on an aggregator that aggregates data from different time zones, you can see one record with a session start of 21:00 and original timezone UTC-02:00, and another record with a session start of 21:00 and original timezone UTC-05:00. These events occurred 3 hours apart, but at the same respective local time (9 PM). |
Exception Entity
This entity is created for each exception encountered.
Attribute | Description |
---|---|
Exception ID | Uniquely identifies the exception. |
Exception Type ID | Uniquely identifies the exception type. |
Exception Timestamp | Date and time created when this Exception entity was logged. |
Exception Date | Date only from the timestamp. |
Exception Time | Time only from the timestamp. |
Exception Weekday | Weekday only from the timestamp. |
Exception Year | Year only from the timestamp. |
Source Address | Source IP address of the exception. |
Source Port | Source port number. |
Destination Address | Destination IP address. |
Destination Port | Destination port number. |
Database Protocol | Database protocol for the exception. |
New TTL value | Reserved for admin role use only. |
Exception Description | Description of the exception. For an S-TAP reconnect or timeout exception, this contains the IP address or DNS name of the database server. For a database exception, this is an error code from the database management system. For the most common messages (about 54,000 of them), a longer text description is available in the Database Error Text attribute. That text comes from the internal Guardium database table of error messages, not from the exception itself. |
SQL string that caused the exception | The SQL string that caused the exception. |
User Name | Database user name. On encrypted traffic, where correlation is required, this value may not be available, but it is always available from the DB User Name attribute in the Client/Server entity. |
App User Name | Application user name. |
Link to more information about the exception | Optional link that is sometimes available, depending on the exception source. |
Global ID | Global identifier for the exception. |
Original Timezone | The UTC offset. This is recorded in particular for aggregators that have collectors in different time zones, so that activities that happened hours apart do not appear to have happened at the same time when imported to the aggregator. For instance, on an aggregator that aggregates data from different time zones, you can see one record with a session start of 21:00 and original timezone UTC-02:00, and another record with a session start of 21:00 and original timezone UTC-05:00. These events occurred 3 hours apart, but at the same respective local time (9 PM). |
Exception ID and Exception Type ID are only available to users with the admin role.
Exception Type Entity
There is a fixed set of exception types, one of which will be associated with each exception logged. These are available for reporting only from the owning Exception Entity.
Attribute | Description |
---|---|
Exception Description | A text description of the exception type, from the list that follows this table. Most of these should never be seen; notes follow the most common exceptions. |

The exception types are:
- A new construct was used
- Alert Process threw an exception
- Custom Alerting Processing Exception
- Database Server returned an error. For this message, a database error code is stored in the Exception Description attribute of the Exception entity, and a text version of the database error message is available in the Database Error Text attribute of the Database Error Text entity.
- DB Protocol Exception
- Debug prints through the EXCEPTIONs mechanism
- Dropped database requests. Session information was dropped due to excess traffic.
- Error During Configuration Auditing System Process
- Error During Classification Process
- Invalid Query Invocation
- Login Failed
- Low-level DB protocol Exception
- Scheduled job threw an exception
- Security Assessment Exception
- Security Exception. For this message, a custom class exception has been raised when breaching code execution is blocked, such as when users use the Java™ API to define their own alerts or assessments.
- Session closed prematurely
- SQL Parser Exception
- S-TAP Connectivity reconnect. For this message, the IP address or DNS name of the database server is available in the Exception Description attribute of the Exception entity.
- S-TAP Connectivity timeout. For this message, the IP address or DNS name of the database server is available in the Exception Description attribute of the Exception entity.
- TCP ERROR. For this message, additional information about the error is included in the Exception Description attribute of the Exception entity.
- Turbine class threw an exception
- Unable to purge report
Field Entity
Each time Guardium encounters a new field, it creates a field entity.
Attribute | Description |
---|---|
Field ID | Uniquely identifies the field. |
Construct ID | Uniquely identifies the construct in which it was referenced. |
Command ID | Uniquely identifies the main command from the construct in which it was referenced. |
Object ID | Uniquely identifies the object from the construct in which it was referenced. |
Field Name | Name of the field. |
List Clause, Where Clause, Order by Clause, Having Clause, Group By Clause, On Clause | Use these attributes to order complex SQL queries. Example SQL queries for each clause follow this table. |

Example SQL queries:
Order by: SELECT * FROM dept_costs WHERE dept_total > (SELECT avg FROM avg_cost) ORDER BY department
Having: SELECT column_name1, SUM(column_name2) FROM table_name GROUP BY column_name1 HAVING (numerical function condition)
Group By: SELECT column_name1, SUM(column_name2) FROM table_name GROUP BY column_name1
Where: SELECT FirstName, LastName, City FROM Users WHERE City = 'Los Angeles'
Field ID, Construct ID, Command ID, and Object ID are only available to users with the admin role.
Field SQL Value Entity
These entities are created only by policy rule actions that log with values; for example: Log Full Details With Values, and Log Full Details Per Session With Values. The field value logged may or may not be associated with a field name. For example, field names will be available (in the Field entity) if the following statement is logged:
insert into t1 (foo, bar) values (10, 20)
But not available when the following statement is logged:
insert into t2 values (10, 20)
Attribute | Description |
---|---|
Value | A field value from the logged construct. |
Flat Log Entity
This entity describes flat log processing activity.
Attribute | Description |
---|---|
Full SQL | The full SQL logged. |
Timestamp | Date and time stamp when logged. |
Timestamp Date | Date portion of the timestamp. |
Timestamp Time | Time portion of the timestamp. |
Response Time | Response time for the request in milliseconds. |
Records Affected | The number of records affected by the request. |
Succeeded | Indicates if request was successful (True/False). |
Statement Type | The type of SQL statement. SQL: a simple, direct SQL command, for example one typed directly into the CLI. RAW: the PREPARE of a SQL statement for later execution, for example conn.prepareStatement("select a from b where c=:value"). BIND: execution of a prepared statement including bound parameter values. Statement type is part of the Full SQL entity and is audited only if you have configured Log Full Details for this statement within the policy. You cannot filter out specific statement types in the policy (for example, to audit only SQL and BIND statements); you can, however, filter them out in reports. |
Returned Data | Data returned (if any) |
Bind Info | Bind information for the request |
Bind Variables Values | For DB2/zOS, contains a comma-separated list of bind variable values. |
Original Timezone | The UTC offset. This is recorded in particular for aggregators that have collectors in different time zones, so that activities that happened hours apart do not appear to have happened at the same time when imported to the aggregator. For instance, on an aggregator that aggregates data from different time zones, you can see one record with a session start of 21:00 and original timezone UTC-02:00, and another record with a session start of 21:00 and original timezone UTC-05:00. These events occurred 3 hours apart, but at the same respective local time (9 PM). |
FULL SQL Entity
Full SQL entities are created only by the following policy rule actions: Log Full Details,Log Full Details With Values, Log Full Details Per Session, or Log Full Details Per Session With Values.
Attribute | Description |
---|---|
Full Sql | Full SQL statement including values. |
Timestamp | The timestamp records the time when the SQL is executed in the database server. |
Response Time | The response time for the request in milliseconds. When requests are monitored in network traffic, the response times are an accurate reflection of the time taken to respond to the request (Guardium timestamps both the client request and the server response). |
Records Affected | The number of records affected for each session. On reports using this attribute, we suggest that you turn on aliases to properly display special cases such as Large Result Set or N/A. |
Returned Data | Data returned for this request (if any, and if available). |
Full SQL ID | Unique identifier for the Full SQL. |
Instance ID | Unique identifier for the Full SQL instance. |
Succeeded | Indicates if the call succeeded. |
Records Affected (Desc) | When the Records Affected is a string value instead of a number, that string is stored here. For example: Large Result Set or N/A. |
Access Rule Description | Description of the policy rule used. |
Returned Data Count | Number of rows returned from the SQL statement used in the policy rule. |
Auto-Commit | Entries are automatically numbered. |
Ack Response Time | Acknowledged Response Time in milliseconds. |
Ingress Kbyte count | Records the number of bytes in requests. |
Egress Kbyte count | Records the number of bytes in responses. |
Statement Type | The type of SQL statement. SQL: a simple, direct SQL command, for example one typed directly into the CLI. RAW: the PREPARE of a SQL statement for later execution, for example conn.prepareStatement("select a from b where c=:value"). BIND: execution of a prepared statement including bound parameter values. Statement type is part of the Full SQL entity and is audited only if you have configured Log Full Details for this statement within the policy. You cannot filter out specific statement types in the policy (for example, to audit only SQL and BIND statements); you can, however, filter them out in reports. |
Bind Variables Values | For DB2/zOS, contains a comma-separated list of bind variable values. |
Original Timezone | The UTC offset. This is recorded in particular for aggregators that have collectors in different time zones, so that activities that happened hours apart do not appear to have happened at the same time when imported to the aggregator. For instance, on an aggregator that aggregates data from different time zones, you can see one record with a session start of 21:00 and original timezone UTC-02:00, and another record with a session start of 21:00 and original timezone UTC-05:00. These events occurred 3 hours apart, but at the same respective local time (9 PM). |
Full SQL ID, Instance ID, and Succeeded are only available to users with the admin role.
FULL SQL Values Entity
These entities are created only by the following policy rule actions: Log Full Details With Values, and Log Full Details Per Session With Values.
Attribute | Description |
---|---|
Values | One or more values from the logged construct. |
Timestamp | Date and Time Full SQL Values Entity was created. |
GIM Events Entity
This entity describes events that have occurred while using the Guardium Installation Manager (GIM).
Attribute | Description |
---|---|
Event Generator | IP address of the client (i.e. DB-Server) which generated the event. |
Event Description | Event Description. |
Event Time | The time when the event occurred. |
Group Entity
This entity describes a group that has been defined to Guardium.
Attribute | Description |
---|---|
Group Description | The name of the group. |
Group Subtype | Subtype, if any, defined for the group. |
Timestamp | Date and time the group entity was created. |
Group Member Entity
This entity describes a member of a group that has been defined to Guardium.
Attribute | Description |
---|---|
Group Member | The name of the group member. |
Timestamp | Date and time the group member was created or updated. |
Timestamp Date | Date only from the timestamp. |
Timestamp Time | Time only from the timestamp. |
Timestamp Year | Year only from the timestamp. |
Timestamp Weekday | Weekday only from the timestamp. |
Group Type Entity
This entity describes a type of Guardium group (user, client IP address, command, etc.).
Attribute | Description |
---|---|
Group Type | Identifies the group type. |
Timestamp | Date and time the group type was created. |
Guardium Activity Types
This entity describes the various user activities.
Attribute | Description |
---|---|
Activity Type Description | Description of the activity. |
Activity Type ID | Uniquely identifies the activity type. |
Guardium Role Entity
This entity (under User Entity) identifies a Guardium role.
Attribute | Description |
---|---|
Role Identifier | ID of role identified. |
Role | Guardium role listed. |
Guardium Applications Entity
This entity (under User Entity) identifies a Guardium application.
Attribute | Description |
---|---|
Application Identifier | ID of application identified. |
Application | Guardium application listed (for example, Query Builder, Policy Builder, etc.). |
Guardium Activity Types Entity
An instance is defined in the internal Guardium database for each type of activity.
Attribute | Description |
---|---|
Activity Types Description | Description of an activity. |
Guardium User Activity Audit Entity
This entity is created for each Guardium user activity.
Attribute | Description |
---|---|
Login ID | ID used for login. |
User Name | Guardium user name for the activity. |
Timestamp | Created when the activity was logged. |
Modified Entity | The Guardium entity modified (a group definition, for example). |
Entity Key Used | Key used to access the entity. |
Key Value | New value of the entity. |
All Values | All values altered. |
Object Description | The name of specific object altered. |
Global ID | A unique global ID for the session. |
Host Name | Host name of the user. |
Guardium Users Login Entity
This entity is created each time a user logs in to the Guardium appliance.
Attribute | Description |
---|---|
Login ID | ID used for login. |
User Name | Created when the Guardium user logs in or out (there will be one entity per Guardium session). |
Login Date And Time | Date and time user logged in. |
Logout Date And Time | Date and time user logged out. |
Login Succeeded | Indicates if login was successful. |
Global Id | A unique global ID for the session. |
Host Name | Host name of the user. |
Remote Address | Remote address of the user. |
Host Entity
A CAS Host entity is created the first time that CAS is seen on a database server host. It is updated each time that the online/offline status changes. The Host entity is also available in the CAS Host History domain.
Attribute | Description |
---|---|
Host Name | Database server host name (may display as IP address) |
OS Type | Operating system: UNIX or WIN |
Is Online | Online status (Yes/No) when record was written |
Host Id | Identifies the host record |
Host Configuration Entity
A Host Configuration entity is created for each item in a CAS instance.
Attribute | Description |
---|---|
Audit State Label Id | Unique numeric identifier for the configuration item |
Timestamp | Timestamp for creation of the entity |
Host Name | Database server host name or IP address |
OS Type | Operating system: Unix or Windows. |
DB Type | Database type: Oracle, MS-SQL, DB2, Sybase, Informix, or N/A if the change is to an operating system instance |
Instance Name | Name of the template set instance |
Type | Type of monitored item that changed. OS Script or SQL Script: a change triggered by the OS script contained in the monitored item template definition. Environment Variable: an environment variable (Unix only). Registry Variable: a registry variable (Windows only). File: a specific file. There is no host configuration entity for a file pattern defined in the template set used by the instance; instead, there is a separate host configuration entity for each file that matches the pattern. |
Monitored Item | The name of the changed item, from the Description (if entered), otherwise a default name depending on the Type (a file name, for example). |
Host Event Entity
A host event entity is created each time an event is detected or signaled (see the event types) by CAS.
Attribute | Description |
---|---|
Audit Host Event Id | Identifies the host event entity |
Event Time | Date and time that the event was recorded |
Event Type | Identifies the event being recorded. Client Up: CAS started on the database server host. Client Down: CAS stopped on the database server host. Failover Off: a server is available (following a disruption), so CAS data is being written to the server. Failover On: the server is not available, so CAS data is being written to the failover file. Server Down: the database server stopped. Server Up: the database server started. |
Timestamp | Timestamp for creation of the entity |
Audit Host Id | Identifies the host |
Original Timezone | The UTC offset. This is recorded in particular for aggregators that have collectors in different time zones, so that activities that happened hours apart do not appear to have happened at the same time when imported to the aggregator. For instance, on an aggregator that aggregates data from different time zones, you can see one record with a session start of 21:00 and original timezone UTC-02:00, and another record with a session start of 21:00 and original timezone UTC-05:00. These events occurred 3 hours apart, but at the same respective local time (9 PM). |
Incident Entity
Incident entities are created by incident generation processes, or manually by assigning a policy violation to an incident.
Attribute | Description |
---|---|
Timestamp | Time the incident was created. |
Category Name | Category assigned to the incident. |
Incident Number | Incident number (assigned sequentially). |
Incident Severity Entity
The incident severity description for an incident.
Attribute | Description |
---|---|
Incident Severity Description | The severity code will be one of the following: INFO, LOW, MED, HIGH |
Incident Status Entity
Describes the status of an Incident entity.
Attribute | Description |
---|---|
Status Description | One of the following values. OPEN: the incident has not yet been assigned to a user. ASSIGNED: the incident has been assigned. CLOSED: the incident is closed. |
Installed Policy Entity
Describes the installed policy.
Attribute | Description |
---|---|
ID | Identifies the policy installation record. |
Rule Set Id | Identifies the set of rules. |
Policy Description | Description from the policy definition. |
Selective Audit Trail | Indicates if this is a selective audit trail policy (T/F). |
Audit Pattern | Test pattern used for a selective audit trail policy. |
Timestamp | Timestamp for the creation of the record. |
Sequence | Sets the order in which policies apply when there are multiple installed policies. |
Instance Config Entity
An Instance Config entity is created each time that an instance configuration is defined. This entity defines how the CAS instance connects to the database (if necessary), and identifies the template set used by the instance. It provides current status of the instance (in use, enabled, or disabled) and the date of the last revision.
Instance Config Entity Attributes
Attribute | Description |
---|---|
Config Id | Identifies this configuration record. |
Timestamp | Timestamp record created. |
DB Type | Database type: Oracle, MS-SQL, DB2, Sybase, Informix; or N/A for an operating system instance |
Instance | The name of the instance |
User | The user name that CAS uses to log onto the database; or N/A for an operating system instance. |
Port | The port number CAS uses to connect to the database; or empty for an operating system instance |
DB Home Dir | The home directory for the database; or empty for an operating system instance |
Template Set Id | Identifies the template set used by this instance |
OS Type | Operating system of the host: UNIX or Windows |
Join Entity
A join table is a way of implementing many-to-many relationships. Use join entity to join tables in a SELECT SQL statement.
Attribute | Description |
---|---|
Join ID | Unique identifier |
Construct ID | Identifies the construct in which the join is referenced. |
Join SQL | Join tables |
Where SQL | Where clause (join conditions) |
Timestamp | Date and Time that the Join Entity was created. |
Local Comments Entity
This entity describes a local comment. It is available in the Comments domain only, which is restricted to admin users. This entity includes only local comments, for processes and results sets that run locally. Comments that are sharable are defined in the Comments entity.
Attribute | Description |
---|---|
Comment Creator | The Guardium user who created the comment. |
Comment Reference | Indicates the element to which the comment is attached - a query, audit process result, or another comment, for example. |
Content of Comment | The complete comment text. |
Timestamp | Date and time the comment was created. |
Timestamp Year | Year only from the timestamp. |
Timestamp WeekDay | Weekday only from the timestamp. |
Timestamp Time | Time only from the timestamp. |
Timestamp Date | Date only from the timestamp. |
Object Description | The name of the object from which the comment was defined. For example, a comment defined on an incident has an object description of INCIDENT. |
Record Associations | A list of records that this local comment is associated with. |
Location View
How to determine what days are not archived
Use a query (Tools tab > Report Building > Report Builder > query Location View) that can be modified to create a report showing the files that are archived. This report lists all the files with archive dates. Dates not on this report indicate that those dates have not been archived. Run archive for the dates not on the list, if required.
Attribute | Description |
---|---|
From Date | The start date |
To Date | The finish date |
Aggregator | The Guardium system on which the file was generated. This can be a collector, not only an aggregator. |
Host | Host name |
User Name | Name of user |
Path | Path name to files |
System Type | The protocol used for archiving: SCP, FTP, Centera, or TSM. |
Count of Destinations | Archive destinations |
Login Correlation Entity
Obsolete beginning with version 4.0 of Guardium. This was the only entity of the Access Trace Tracking domain, which was obsolete beginning with version 4.0 of S-TAP. If you have old queries or reports using that domain, they will not work in this release, and any database login information recorded in that domain would pre-date the installation of version 4.0 of S-TAP.
Message Text Entity
For a threshold alert, the text of the message.
Attribute | Description |
---|---|
Message Text ID | Uniquely identifies the message text |
Message Subject | Message subject (for an email message, for example). |
Message Text | Message text. |
Original Timezone | The UTC offset. This is recorded in particular for aggregators that have collectors in different time zones, so that activities that happened hours apart do not appear to have happened at the same time when imported to the aggregator. For instance, on an aggregator that aggregates data from different time zones, you can see one record with a session start of 21:00 and original timezone UTC-02:00, and another record with a session start of 21:00 and original timezone UTC-05:00. These events occurred 3 hours apart, but at the same respective local time (9 PM). |
Messages Sent Entity
For each threshold alert message sent, the message type, recipients, status, and date of that message.
Attribute | Description |
---|---|
Message ID | Uniquely identifies the message |
Message Type | Type of message. |
Sent To | One or more recipients of message. |
Message Status | Status of the message. FAIL: the send operation failed. WAIT: the message has not yet been sent. SENT: the message was sent. |
Message Date | Date message sent. |
Message Context | Message type. INFO: informational message. WARNING: possible error condition. ALERT: real-time or threshold alert. ERROR: software or hardware error condition. DEBUG: debugging message. |
Message Originator | The module creating the message; for example monitor or GuardiumJetspeedUser. |
Original Timezone | The UTC offset. This is recorded in particular for aggregators that have collectors in different time zones, so that activities that happened hours apart do not appear to have happened at the same time when imported to the aggregator. For instance, on an aggregator that aggregates data from different time zones, you can see one record with a session start of 21:00 and original timezone UTC-02:00, and another record with a session start of 21:00 and original timezone UTC-05:00. These events occurred 3 hours apart, but at the same respective local time (9 PM). |
Monitor Values Entity
A monitor values entity is created for each insert, update or delete recorded, and contains the details of the change (table name, action, SQL text, etc.).
Attribute | Description |
---|---|
Timestamp |
Date and time the change was recorded on the Guardium appliance. This timestamp is created during the data upload operation. It is not the time that the change was recorded on the audit database. To obtain that time, use the Audit Timestamp entity. |
Timestamp Date |
Date only from the timestamp. |
Timestamp Time |
Time only from the timestamp. |
Timestamp Year |
Year only from the timestamp. |
Timestamp Weekday |
Weekday only from the timestamp. |
Server IP |
IP address of the database server. |
DB Type |
Database type. |
Service Name |
Oracle only. Database service name. |
Database Name |
DB2, Informix, Sybase, MS SQL Server only. Database name. |
Audit PK |
For Sybase and MS SQL Server only. A primary key used to relate old and new values (which must be logged separately for these database types). |
Audit Login Name |
Database user name defined in the datasource. |
Audit Table Name |
Name of the table that changed. |
Audit Owner |
Owner of the changed table. |
Audit Action |
Insert, Update or Delete. |
Audit Old Value |
A comma-separated list of old values, in the format column_name=column_value, |
Audit New Value |
A comma-separated list of new values, in the format column_name=column_value, |
SQL Text |
Available only with Oracle 9. The complete SQL statement causing the value change. |
Triggered ID |
Unique ID (on this audit database) generated for the change. |
Audit Timestamp |
Date and time that the trigger was executed. |
Audit Timestamp Date |
Date portion of Audit Timestamp. |
Audit Timestamp Time |
Time portion of Audit Timestamp. |
Audit Timestamp WeekDay |
Day of week of the Audit Timestamp. |
Audit Timestamp Year |
Year of the Audit Timestamp. |
Original Timezone |
The UTC offset of the collector that recorded the activity. It is kept so that, on an aggregator receiving data from collectors in different time zones, activities that happened hours apart do not appear to have happened at the same time. For instance, an aggregator may hold one record with a session start of 21:00 and original timezone UTC-02:00 and another with a session start of 21:00 and original timezone UTC-05:00. These events occurred 3 hours apart, at the same local time (9 PM) in each zone. |
Monitored Changes Entity
This entity is created each time a monitored item changes. It identifies the monitored item within the CAS instance, and points to the saved data for the change.
Attribute | Description |
---|---|
Change Identifier |
Unique identifier for the change |
Sample Time |
Timestamp (date and time on host) that sample was taken |
Audit Config Id |
Identifies the host configuration |
Saved Data Id |
Identifies the Saved Data entity for this change |
Audit State Label Id |
Identifies the Host Configuration entity for this change |
Timestamp |
Date and time this change record was created on the server (Guardium appliance server clock) |
MD5 |
Indicates whether or not the comparison is done by calculating a checksum using the MD5 algorithm and comparing that value with the value calculated the last time the item was checked. The default is to not use MD5. If MD5 is used but the size of the raw data is greater than the MD5 Size Limit configured for the CAS host, the MD5 calculation and comparison will be skipped. Regardless of whether or not MD5 is used, both the current value of the last modified timestamp for the item and the size of the item are compared with the values saved the last time the item was checked. |
Owner |
Unix only. If the item type is a file, the file owner |
Permissions |
Unix only. If the item type is a file, the file permissions |
Size |
File size, with two special values: -1 = file exists but has zero bytes; 0 (zero) = file does not exist, but this file name is being monitored (it never existed or may have been deleted). |
Last Modified |
Timestamp for the last modification, taken from the file system at the sample time |
Last Modified Date |
Date for the last modification |
Last Modified Time |
Time for the last modification |
Last Modified Weekday |
Day of week for the last modification |
Last Modified Year |
Year for the last modification |
Group |
Unix only. If the item type is a file, the group owner |
Monitored Item Details Entity
A Monitored Item Details entity is created for each monitored item in a CAS instance.
Attribute | Description |
---|---|
Audit Config Id |
Identifies the host configuration |
Timestamp |
Timestamp for creation of the entity |
Template ID |
Identifies the item template for this monitored item |
Monitored Item |
Depending on the Audit Type, this is the OS or SQL script, environment, or registry variable, or file name. Regarding a file pattern defined in an item template, there will be a separate monitored item detail entity for each file that matches the pattern, but there is no monitored item details entity for the file pattern itself. If a file pattern is used, it is always available in the Template Content attribute. |
Audit Config Set Id |
Identifies the template set in the host configuration |
Audit Type |
Type of monitored item: OS Script or SQL Script (the actual text of, or the path to, an operating system or SQL script whose output will be compared with the output produced the next time it runs); Environment Variable or Registry Variable (an environment variable or a Windows registry variable); File (a specific file or a pattern identifying a set of files). |
Enabled |
Indicates whether or not the template is enabled |
In Synch |
Indicates whether or not the template item definition on the server matches the template item definition on the CAS host |
Audit Frequency |
The maximum interval at which the item is to be tested |
Use MD5 |
Indicates whether or not the comparison is done by calculating a checksum using the MD5 algorithm and comparing that value with the value calculated the last time the item was checked. The default is to not use MD5. If MD5 is used but the size of the raw data is greater than the MD5 Size Limit configured for the CAS host, the MD5 calculation and comparison will be skipped. Regardless of whether or not MD5 is used, both the current value of the last modified timestamp for the item and the size of the item are compared with the values saved the last time the item was checked. |
Save Data |
When marked, previous version of the item can be compared with the current version |
Description |
Optional description of the instance |
Template Content |
The template entry that is the basis for this monitored item, set from the Template entity Access Name attribute when the instance was created. Typically this will be the same as the monitored item, but in the case where a file pattern was used in the template, this will be the file pattern |
Object Entity
An instance of this entity is created for each object in a unique schema.
Attribute | Description |
---|---|
Object Id |
Uniquely identifies the object. |
Construct Id |
Uniquely identifies the construct in which the object is referenced. |
Schema |
Database schema for the object. Note: This attribute is deprecated since it is never populated. |
Object Name |
Name of the object. |
App Object Module1 |
Uniquely identifies the application object module. |
Object Id and Construct Id are available to users with the admin role only.
Object Command Entity
Describes an object-command entity.
Attribute | Description |
---|---|
Object/Command |
An object value combined with a command value. |
Object Field Entity
Describes an object-field entity. Note fields with no objects will not show up in reports that include the object.
Attribute | Description |
---|---|
Object/Field |
An object value combined with a field value. |
Policy Rule Violation Entity
This entity is created each time that a policy rule violation is logged. Not all policy rule violations are logged - see the description of the rule actions in Chapter 11: Building Policies. The access rule causing the violation will be available in the dependent Access Rule Entity (described earlier).
Attribute | Description |
---|---|
Violation Log Id |
Uniquely identifies the violation entity. |
Application User Name |
Name of the user creating the policy rule violation. |
Full SQL String |
SQL string causing the policy rule violation. |
Timestamp |
Created when the policy rule violation is logged. Not all policy rule violations are logged - see the description of the rule actions in Chapter 11: Building Policies. |
Timestamp Date |
Date only from the timestamp. |
Timestamp Time |
Time only from the timestamp. |
Timestamp Weekday |
Weekday only from the timestamp. |
Timestamp Year |
Year only from the timestamp. |
Message Sent |
The text of the policy rule violation message that was sent. |
Total Occurrences |
Occurrence count that triggered the violation. |
Application Event Id |
Application event ID (if any - these are set using the application events API) |
Access Rule Description |
The description of the rule from its definition. |
Category Name |
Category defined for the rule. |
Severity |
Severity defined for the rule (the severity of an incident to which this is assigned may be different). |
Incident Number |
If assigned to an incident, this is the incident number. |
Classification Name |
Name of classification process. |
Construct ID |
Uniquely identifies the construct in which it was referenced. |
CLS Process Run ID |
Classification process job execution ID. |
Original Timezone |
The UTC offset of the collector that recorded the activity. It is kept so that, on an aggregator receiving data from collectors in different time zones, activities that happened hours apart do not appear to have happened at the same time. For instance, an aggregator may hold one record with a session start of 21:00 and original timezone UTC-02:00 and another with a session start of 21:00 and original timezone UTC-05:00. These events occurred 3 hours apart, at the same local time (9 PM) in each zone. |
Violation Log Id is available to users with the admin role only.
Qualified Object Entity
A tuple allows multiple attributes to be combined together to form a single group member. In this case, the fields Server IP, Service name, DB name, DB user and Object are combined together.
Attribute | Description |
---|---|
Qualified Object |
Tuple - Server IP, Service name, DB name, DB user, Object |
Rogue Connections Entity
An instance is created for each database connection seen by the S-TAP Hunter process, but not by S-TAP itself, indicating that the connection has bypassed the access paths monitored by S-TAP.
Attribute | Description |
---|---|
Timestamp |
A timestamp value created when the Guardium appliance records the rogue connection reported by the Hunter. |
Server Host Name |
Database server host name. |
Source Program |
Source program name for the connection. |
Source Port |
Source port for the connection. |
Source PID |
Source process ID. |
Target Program |
Target program name for the connection. |
Target Port |
Target port for the connection. |
Target PID |
Target process ID. |
OS User |
Operating system user account name. |
IPC Type |
Type of inter-process communication used for the connection, one of: SHM (shared memory); IPv4 (Internet Protocol version 4); IPv6 (Internet Protocol version 6); FIFO (named pipe); PIPE (simple pipe); INET (Internet Protocol, HP-UX). |
DB Server Type |
Database server type: Oracle, DB2, Informix, or Sybase. |
Original Timezone |
The UTC offset of the collector that recorded the activity. It is kept so that, on an aggregator receiving data from collectors in different time zones, activities that happened hours apart do not appear to have happened at the same time. For instance, an aggregator may hold one record with a session start of 21:00 and original timezone UTC-02:00 and another with a session start of 21:00 and original timezone UTC-05:00. These events occurred 3 hours apart, at the same local time (9 PM) in each zone. |
Rule Entity
Can be used for Installed policy rule entity or access policy rule entity. There is one for each rule of the installed policy/policies or access policy/policies. Apart from the ID fields (which uniquely identify components on the internal database), all of these fields are described in the Policies help topic.
- GDM_INSTALLED_POLICY_RULES_ID - Identifies an installed policy rule.
- ACCESS_RULE_ID - Identifies an access rule.
- Rule Description - From the policy definition.
- Rule Position - Position within the policy.
- Rule Type - Access, Exception, or Extrusion.
- LAST_ACCESSED - Last
- Client IP - From the rule definition.
- Client Net Mask - From the rule definition.
- Client IP Group - From the rule definition.
- Server IP - From the rule definition.
- Server IP Mask - From the rule definition.
- Client MAC - From the rule definition.
- Net Protocol - From the rule definition.
- Net Protocol Group - From the rule definition.
- Field - From the rule definition.
- Field Group - From the rule definition.
- Object - From the rule definition.
- Object Group - From the rule definition.
- Command - From the rule definition.
- Command Group - From the rule definition.
- Object-Field Group - From the rule definition.
- DB Type - From the rule definition.
- Service Name - From the rule definition.
- Service Name Group - From the rule definition.
- DB Name - From the rule definition.
- DB Name Group - From the rule definition.
- DB User - From the rule definition.
- DB User Group - From the rule definition.
- App. User - From the rule definition.
- App User Group - From the rule definition.
- OS User - From the rule definition.
- OS User Group - From the rule definition.
- Src App. - From the rule definition.
- Source Program Group - From the rule definition.
- Pattern/ XML Pattern - From the rule definition.
- Period - From the rule definition.
- Min. Ct. - From the rule definition.
- Reset Interval - From the rule definition.
- Continue to next Rule/ Revoke - From the rule definition.
- Rec. Vals. - From the rule definition.
- App Event Exists - From the rule definition.
- Event Type - From the rule definition.
- App Event Text Value - From the rule definition.
- App Event Date Value - From the rule definition.
- Event User Name - From the rule definition.
- Error Code - From the rule definition.
- Exception Type - From the rule definition.
- Category Name- From the rule definition.
- Classification Name - From the rule definition.
- Severity - From the rule definition.
- Data Pattern - From the rule definition.
- SQL Pattern - From the rule definition.
- Masking Pattern - From the rule definition.
- Client IP/ Group - Provides the ability to display a single attribute and its related (if any) in a single column of the report.
- Server IP/ Group - Provides the ability to display a single attribute and its related (if any) in a single column of the report.
- Net Protocol/ Group - Provides the ability to display a single attribute and its related (if any) in a single column of the report.
- Field Name/ Group - Provides the ability to display a single attribute and its related (if any) in a single column of the report.
- Object Name/ Group - Provides the ability to display a single attribute and its related (if any) in a single column of the report.
- Command/ Group - Provides the ability to display a single attribute and its related (if any) in a single column of the report.
- Service Name/ Group - Provides the ability to display a single attribute and its related (if any) in a single column of the report.
- DB Name/ Group - Provides the ability to display a single attribute and its related (if any) in a single column of the report.
- App. User/ Group - Provides the ability to display a single attribute and its related (if any) in a single column of the report.
- OS User/ Group - Provides the ability to display a single attribute and its related (if any) in a single column of the report.
- Source Program/ Group - Provides the ability to display a single attribute and its related (if any) in a single column of the report.
- Error Code/ Group - Provides the ability to display a single attribute and its related (if any) in a single column of the report.
- App. Event Text/ Numeric/ Date - The application events text, numeric, and date attributes.
- Category/ Classification - The combined category and classification for the rule.
- GDM_Installed_Policy_Header_ID - Identifies an installed policy header.
Rule Action Entity
Can be used for the Installed policy rule action entity or the access policy rule action entity. There is one for each rule of the installed policy/policies or access policy/policies.
- Sequence - Sequence of the action within the rule.
- Action
- Block the request - See Blocking Actions in Policies.
- Log or ignore the violation or the traffic - See Log or Ignore Actions in Policies.
- Alert - See Alerting Actions in Policies.
Saved Data Entity
A Saved Data entity is created each time a change is detected for an item being monitored, if the Keep data box is marked for that item in the item template definition.
Attribute | Description |
---|---|
Saved Data ID |
Uniquely identifies the saved data item |
Saved Data |
The actual data saved |
Timestamp |
Timestamp for when the saved data entity was recorded in the server database |
Change Identifier |
Identifies the monitored changes entity for this saved data entity |
Saved Data ID is only available to users with the admin role.
Server IP-Server Port Entity
Describes a server IP-server port entity.
Attribute | Description |
---|---|
Server IP/Server Port |
A server IP value combined with a server port value. |
Session Entity
This entity is created for each Client/Server database session.
Attribute | Description |
---|---|
Global ID |
Uniquely identifies the session - access. |
Session ID |
Uniquely identifies the session. |
Access ID |
Uniquely identifies the access period. |
Timestamp |
Initially, a timestamp created for the first request on a client-server connection where there is not an active session in progress. Later, it is updated when the session is closed, or when it is marked inactive following an extended period of time with no observed activity. When tracking Session information, you will probably be more interested in the Session Start and Session End attributes than the Timestamp attribute. |
Timestamp Date |
Date only from the timestamp. |
Timestamp Time |
Time only from the timestamp. |
Timestamp Weekday |
Weekday only from the timestamp. |
Timestamp Year |
Year only from the timestamp. |
Session Start |
Date and time session started. Session Start is also a Main Entity. Access this secondary entity by clicking on the Session primary entity. |
Session Start Date |
Date only from the Session Start. |
Session Start Time |
Time only from the Session Start. |
Session Start Weekday |
Weekday only from the Session Start. |
Session Start Year |
Year only from the Session Start. |
Client Port |
Client port number. |
Server Port |
Server port number. |
Inactive Flag |
Default 0 = open (sessions generated by SQL packets); 1 = closed (disconnect/logout received); 2 = probably closed (unclosed, with no packets for a long time); 3 = session generated from non-SQL packets. |
TTL |
Reserved for admin role use only. |
Session End |
Date and time the session ended. Session End is also a Main Entity. Access this secondary entity by clicking on the Session primary entity. |
Session End Date |
Date only from the Session End. |
Session End Time |
Time only from the Session End. |
Session End Weekday |
Weekday only from the Session End. |
Session End Year |
Year only from the Session End. |
Database Name |
Name of database for the session (MSSQL or Sybase only). Note: For Oracle, Database Name may contain additional and application specific information such as the currently executing module for a session that has been set in the MODULE column of the V$SESSION view |
Session Ignored |
Indicates whether or not some part of the session was ignored (beginning at some point in time). |
Ignored Since |
Timestamp created when starting to ignore this session. |
Uid Chain |
For a session reported by Unix S-TAP (K-Tap mode only), this shows the chain of OS users, when users su with a different user name. The values that appear here vary by OS platform - for example, under AIX the string IBM IBM IBM may appear as a prefix. Note: For Solaris Zones, user ids may be reported instead of user names in the Uid Chain. |
Old Session ID |
Points to the session from which this session was created. Zero if this is the first session of the connection. |
Terminal Id |
Terminal ID of the connection, used internally to resolve session information. |
Process ID |
The process ID of the client that initiated the connection (not always available). |
Uid Chain Compressed |
Values compressed. See Uid Chain. |
Duration (secs) |
Indicates the length of time between the Session Start and the Session End (in seconds). |
Original Timezone |
The UTC offset of the collector that recorded the activity. It is kept so that, on an aggregator receiving data from collectors in different time zones, activities that happened hours apart do not appear to have happened at the same time. For instance, an aggregator may hold one record with a session start of 21:00 and original timezone UTC-02:00 and another with a session start of 21:00 and original timezone UTC-05:00. These events occurred 3 hours apart, at the same local time (9 PM) in each zone. |
Global ID, Session ID, and Access ID are only available to users with the admin role.
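The arithmetic behind the Original Timezone attribute (this entity, and the Monitor Values, Policy Rule Violation and Rogue Connections entities above) is easy to get wrong when records from several collectors are read side by side. The following is an added Python example, not Guardium code: it attaches each record's UTC offset to its local session start, converts to UTC, and orders and compares records on the UTC value. The timestamp format, the record field names and the sample records are assumptions constructed for the example.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import List

# Original Timezone values look like "UTC-05:00" or "UTC+05:30" (assumed format).
_OFFSET_RE = re.compile(r"^UTC([+-])(\d{2}):(\d{2})$")


def parse_offset(text: str) -> timezone:
    """Turn an Original Timezone string into a fixed-offset tzinfo."""
    m = _OFFSET_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised Original Timezone value: {text!r}")
    sign = 1 if m.group(1) == "+" else -1
    offset = timedelta(hours=int(m.group(2)), minutes=int(m.group(3)))
    return timezone(sign * offset)


def to_utc(local_ts: str, original_tz: str) -> datetime:
    """Attach the collector's offset to a local timestamp and convert to UTC."""
    naive = datetime.strptime(local_ts, "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=parse_offset(original_tz)).astimezone(timezone.utc)


def hours_apart(a_local: str, a_tz: str, b_local: str, b_tz: str) -> float:
    """Signed number of hours from event a to event b, measured in UTC."""
    return (to_utc(b_local, b_tz) - to_utc(a_local, a_tz)).total_seconds() / 3600


def order_by_utc(records: List[dict]) -> List[dict]:
    """Sort aggregated records by their true (UTC) session start, not the local text."""
    return sorted(records, key=lambda r: to_utc(r["session_start"], r["original_timezone"]))


# Constructed records mirroring the 21:00 / UTC-02:00 vs 21:00 / UTC-05:00 case.
RECORDS = [
    {"session_id": "B", "session_start": "2024-03-10 21:00:00", "original_timezone": "UTC-05:00"},
    {"session_id": "A", "session_start": "2024-03-10 21:00:00", "original_timezone": "UTC-02:00"},
]

if __name__ == "__main__":
    for rec in order_by_utc(RECORDS):
        print(rec["session_id"], to_utc(rec["session_start"], rec["original_timezone"]).isoformat())
    a, b = RECORDS[1], RECORDS[0]
    print(hours_apart(a["session_start"], a["original_timezone"],
                      b["session_start"], b["original_timezone"]))
```

Sorting on the local Session Start text would place the two records at the same instant; sorting on the converted value puts record A (UTC-02:00, 23:00Z) three hours before record B (UTC-05:00, 02:00Z the next day). Half-hour offsets are handled by the same parser.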
Severity Entity
The incident severity for an incident or policy violation
Attribute | Description |
---|---|
Severity Description |
The severity code will be one of the following: INFO, LOW, MED, HIGH |
Sniffer Buffer Usage Entity
The system creates this entity at the interval set by the store system netfilter-buffer-size CLI command (every 60 seconds by default).
Attribute | Description |
---|---|
Timestamp |
Time the record was created. |
% CPU Sniffer |
Percentage of CPU used by sniffer. |
% Mem Sniffer |
Percentage of memory used by sniffer. |
% CPU Mysql |
Percentage of CPU used by MySQL. |
% Mem Mysql |
Percentage of memory used by MySQL. |
Sniffer Process ID |
Sniffer process identifier. |
Mem Sniffer |
Amount of memory used by sniffer. |
Time Sniffer |
Elapsed time used by sniffer. |
Free Buffer Space |
Amount of free buffer space. |
Analyzer Rate |
Rate at which messages are being analyzed. |
Logger Rate |
Rate at which messages are being logged. |
Analyzer Queue Length |
Size of the analyze queue. |
Analyzer Total |
Total number of messages analyzed. |
Logger Queue Length |
Size of logger queue. |
Logger Total |
Total number of messages logged. |
Session Queue Length |
Size of session queue. |
Session Total |
Total number of sessions. |
Handler Data |
Internal sniffing engine data. |
Extra Info |
Internal sniffing engine data. |
Analyzer Lost Packets |
Packets lost by analyzer. |
Eth0 Received |
Messages received on ETH 0. |
Eth0 Sent |
Messages sent on ETH 0. |
Logger Dbs Monitored |
List of database types currently being monitored. |
Logger Packets Ignored by Rule |
Packets ignored by policy rule action. |
Logger Session Count |
Count of sessions logged. |
Mysql Disk Usage |
MySQL disk usage. |
Mysql Is Up |
Boolean indicator for internal database restart (1=was restarted, 0=not restarted). |
Promiscuous Received |
Rate of received packets through the sniffing network cards (non-interface ports). |
Sniffer Connections Ended |
Total number of connections that were monitored and have ended since inspection engine was restarted. |
Sniffer Connections Used |
Total number of connections currently being monitored since inspection engine was restarted. |
Sniffer Packets Dropped |
Packets dropped by sniffer. |
Sniffer Packets Ignored |
Packets ignored by sniffer. |
Sniffer Packets Throttled |
Total number of connections that have been ignored due to throttling since inspection engine was restarted. |
System Cpu Load |
System CPU utilization. |
System Memory Usage |
System memory utilization. |
System Root Disk Usage |
System Root disk utilization. |
System Uptime |
Time since last start-up. |
System Var Disk Usage |
System var disk utilization. |
Sessions normal |
Count of normal sessions. |
Sessions not opened |
Count of sessions not opened by sniffer. |
Sessions timeout |
Count of sessions timed-out. |
Sessions ignored |
Count of sessions ignored by sniffer. |
Session Direct closed |
Count of sessions directly closed. |
Session guessed |
Count of sessions guessed. |
Open FDs |
Open File Descriptors. |
DB Open FDs |
Database open File Descriptors |
Di Rate |
|
Di Queue Length |
|
Di Total |
|
Di Lost Packets |
|
Flat Log Requests |
Flat log requests. |
SQL Based Assessment Definition
This entity describes a SQL based assessment definition
Attribute | Description |
---|---|
Bind Out Var |
Optional. Indicates whether the text entered as the SQL statement is a procedural block of code that returns a value; that value is bound to an internal Guardium variable and compared with the Compare To Value. |
Compare To Value |
Compare value that will be used to compare against the return value from the SQL statement using the compare operator. |
External Reference |
Reference to the Center for Internet Security (CIS) or Common Vulnerabilities and Exposures (CVE). |
Operator |
Operator that will be used for the condition. |
Recommendation Text Fail |
The Recommended text for fail that will be displayed when the test fails. |
Recommendation Text Pass |
The Recommended text for pass that will be displayed when the test passes. |
Result Text Fail |
The Result text for fail that will be displayed when the test fails. |
Result Text Pass |
The Result text for pass that will be displayed when the test passes. |
Return Type |
The Return type that will be returned from the SQL statement. |
Short Description |
The short description for the assessment test. |
SQL For Details |
A SQL statement that retrieves a list of strings; the detail string is generated as the Detail prefix followed by that list. |
SQL |
The SQL statement that will be executed for the test. |
SQL Entity
This entity is created for each unique string of SQL. Values are replaced by question marks - only the format of the string is stored.
Attribute | Description |
---|---|
Sql |
SQL string. |
Construct ID |
Uniquely identifies the construct in which the SQL appeared |
Bind Info |
Bind information for this SQL string. |
Truncated SQL |
Indicates whether the SQL has been truncated: 0 = false (not truncated); 1 = true (truncated). |
Task Receiver Entity
Indicates the action required by the results receiver.
Attribute | Description |
---|---|
Action Required |
Indicates if signing action is required. |
Task Results To-Do List Entity
Indicates the current status of the results.
Attribute | Description |
---|---|
Status |
Indicates the current status of the results. |
(Esca) Action Required |
Indicates if to-do list action is required. |
Action Required |
Indicates if signing action is required. |
Template Entity
A CAS template entity is created for each item template within a template set. An item is a specific file or file pattern, an environment or registry variable, the output of an OS or SQL script, or the list of logged-in users.
Attribute | Description |
---|---|
Template ID |
A unique identifier for the item template within the set of all item templates |
Template Set ID |
Unique identifier for the template set |
Access Name |
Depending on the Audit Type, this is the OS or SQL script, environment or registry value, or a file name or a file name pattern |
Audit Type |
The type of monitored item |
Audit Frequency (Min) |
The maximum interval (in minutes) between tests |
Use MD5 |
Indicates whether or not the comparison is done by calculating a checksum using the MD5 algorithm and comparing that value with the value calculated the last time the item was checked. The default is to not use MD5. If MD5 is used but the size of the raw data is greater than the MD5 Size Limit configured for the CAS host, the MD5 calculation and comparison will be skipped. Regardless of whether or not MD5 is used, both the current value of the last modified timestamp for the item and the size of the item are compared with the values saved the last time the item was checked. |
Save Data |
Indicates if the Keep data checkbox has been marked. If so, previous versions of the item can be compared with the current version |
Editable |
Indicates whether or not this template can be modified. The default Guardium templates cannot be modified. In addition once a template set has been used in a CAS instance, it cannot be modified. In any case, a template set can always be cloned and the cloned set can be modified |
Description |
Optional description of the template |
Timestamp |
Date and time this template was last updated |
Template ID and Template Set ID are only available to users with the admin role.
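The comparison rules described for Use MD5 (here and in the Monitored Changes and Monitored Item Details entities above) decide what CAS treats as a change: size and last-modified time are always compared, and the MD5 checksum only when MD5 is enabled and the data is not larger than the host's MD5 Size Limit. The following is an added Python example, not Guardium or CAS code, that applies those rules to constructed samples; the sample and saved-record types, the size limit and the reason labels are assumptions made for the example.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Sample:
    """Constructed: what the agent reads from the host at sample time."""
    size: int           # bytes; the entity tables use -1 for "exists but empty", 0 for "missing"
    last_modified: int  # file-system modification time, epoch seconds
    data: bytes         # raw content, hashed only when MD5 is in use


@dataclass
class Saved:
    """Constructed: what was stored the last time the item was checked."""
    size: int
    last_modified: int
    md5: Optional[str]  # None when MD5 was not used or was skipped


def fingerprint(sample: Sample, use_md5: bool, md5_size_limit: int) -> Saved:
    """Record size, last-modified time and, when allowed, the MD5 of an item."""
    digest = None
    if use_md5 and sample.size <= md5_size_limit:
        digest = hashlib.md5(sample.data).hexdigest()
    return Saved(sample.size, sample.last_modified, digest)


def compare(saved: Saved, sample: Sample, use_md5: bool, md5_size_limit: int) -> dict:
    """Apply the Use MD5 rules and report why (if at all) the item counts as changed."""
    reasons: List[str] = []
    # Size and last-modified time are compared regardless of the MD5 setting.
    if sample.last_modified != saved.last_modified:
        reasons.append("last_modified")
    if sample.size != saved.size:
        reasons.append("size")
    md5_skipped = False
    if use_md5:
        if sample.size > md5_size_limit:
            # Over the host's MD5 Size Limit: checksum step is skipped entirely.
            md5_skipped = True
        elif saved.md5 is not None:
            # Only compare when a checksum was actually stored last time.
            if hashlib.md5(sample.data).hexdigest() != saved.md5:
                reasons.append("md5")
    return {"changed": bool(reasons), "reasons": reasons, "md5_skipped": md5_skipped}


if __name__ == "__main__":
    limit = 1024  # assumed MD5 Size Limit for the CAS host
    baseline = Sample(12, 1_700_000_000, b"hello world\n")
    saved = fingerprint(baseline, use_md5=True, md5_size_limit=limit)
    # Same size and mtime, different bytes: only the checksum catches this edit.
    edited = Sample(12, 1_700_000_000, b"hello_world\n")
    print(compare(saved, edited, True, limit))
    print(compare(saved, edited, False, limit))
```

The second comparison in the usage block reports no change: with MD5 off, an edit that preserves both size and modification time is invisible, which is the case the checksum exists for. Conversely, an item larger than the size limit is tracked by size and timestamp only, and the result flags that the checksum was skipped so the gap is visible in the record.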
Template Set Entity
A CAS Template Set entity is created for each template set, which is a set of template items for a particular operating system or database.
Attribute | Description |
---|---|
Template Set Id |
A unique identifier for the template set, numbered sequentially |
OS Type |
Operating system: Unix or Windows |
DB Type |
Database Type: Oracle, MS-SQL, DB2, Sybase, Informix, or N/A for an operating system template |
Template Set Name |
The template name |
IsDefault |
Indicates whether or not this template is the default for the specified OS Type and DB Type combination |
Editable |
Indicates whether or not this template can be modified. The default Guardium templates cannot be modified. In addition once a template set has been used in a CAS instance, it cannot be modified. In any case, a template set can always be cloned and the cloned set can be modified |
Timestamp |
Date and time the template was last updated |
Template Set ID is only available to users with the admin role.
Test Result Entity
This entity is created for each set of test results.
Attribute | Description |
---|---|
Test Result Id |
Identifies the test result. |
Assessment Result Id |
Identifies the assessment results set. |
Test Id1 |
Identifies the test. |
Assessment Test Id |
Identifies the assessment test (task). |
Test Score |
Returned test score. |
Report Result Id |
Identifies the report result. |
Parameter Modified Flag |
Indicates if parameters were modified since the last test. |
Result Text |
Text returned by the test. |
Test Description |
Description from the test definition. |
Recommendation |
Recommendation returned by the test. |
Score Description |
Description of the score. |
Threshold String |
The threshold prompt for the test (e.g. Maximum Number of Different IP's Allowed per user) |
Severity |
Severity assigned for the test result. |
Category |
Category for the test result. |
Assessment Result data source Id1 |
Identifies the test result data source. |
Result Details |
Details of the test. |
Exceptions Group Desc |
Exceptions Group Description. Populated when test is executed. |
Test Result ID, Assessment Result ID, and Assessment Test ID are only available to users with the admin role.
Threshold Alert Details Entity
This entity is created each time that a correlation alert is triggered.
Attribute | Description |
---|---|
Alert Log ID |
Uniquely identifies the alert details entity. |
Query Value |
Value returned by query. |
Base Value |
Value assigned for the statistical alert. |
Checked From Date |
The starting date and time checked for by the alert condition. |
Checked To Date |
The ending date and time checked for by the alert condition. |
Alert Threshold |
Alert threshold defined for the alert. |
Notification Sent |
Text of notification sent. |
Timestamp |
Created only once, when the statistical alert is logged. |
Alert Description |
The description contained in the alert definition. |
Alert Log ID is only available to users with the admin role.
Unit Utilization Level
- Unit Utilization: Displays the maximum unit utilization level for each unit in the given timeframe. There is a drill-down that displays details for a unit across all periods within the timeframe of the report.
- Unit Utilization Distribution: Per-unit, this report displays the percent of periods in the report timeframe with utilization levels of low, medium, and high.
- Utilization Thresholds: This predefined report displays all low and high threshold values for all unit utilization parameters.
Unit Utilization Daily Summary - Provides a daily summary of unit utilization data.
- Host name
- Period start
- Number of restarts
- Number of restarts level
- Sniffer memory
- Sniffer memory Level
- Percent MySQL memory
- Percent MySQL memory level
- Free buffer space
- Free buffer space level
- Analyzer queue
- Analyzer queue level
- Logger queue
- Logger queue level
- MySQL disk usage
- MySQL disk usage level
- System CPU load
- System CPU load level
- System var disk usage
- System var disk usage level
- Overall unit utilization level
- Number of requests
- Number of requests level
- Number of full SQLs
- Number of full SQLs level
- Number of exceptions
- Number of exceptions level
- Number of policy violations
- Number of policy violations level
- Number of flat log requests
- Number of flat log requests level
User Entity
Identifies the Guardium user defined as an audit process results receiver.
Attribute | Description |
---|---|
Login Name |
Guardium user name. |
First Name |
First name for the Guardium user. |
Last Name |
Last name for the Guardium user. |
EMAIL Address |
Email address defined for the Guardium user. |
Last Active |
Timestamp for last activity for this user. |