Predefined admin reports

This section provides a short description of all predefined reports on the default administrator layout.

The Report selection of the Guardium GUI has five sections:
  • Report Configuration Tools;
  • Guardium Operational Reports;
  • Real-time Guardium Operational Reports;
  • Guardium Configuration Items; and,
  • Monitoring of Guardium System.
Note: If data level security at the observed data level has been enabled (see Global Profile settings), then audit process output will be filtered so users will see only the information of their databases.

The predefined admin reports are listed in alphabetical order.

Active S-TAPs changed

This alert only runs on Central Manager systems. S-TAP® Host, S-TAP version, S-TAP changed, timestamp and count are shown.

Table 1. Active S-TAPs changed
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| internal - not available | Active S-TAPs changed | not available |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Period From | none | none |

Admin User Logins

Summary of logins to the database using a database user name defined in the Admin Users group. The report displays the client IP address from which the user with administrative privileges logged into the database, database user name, source program, session start date and time, and session total for that record.

Table 2. Admin User Logins
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| Access | Admin Users Login | Session |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Period From | >= | NOW -1 DAY |
| Period To | <= | NOW |

Aggregation/Archive Log

This report lists Guardium® aggregation activity by Activity Type. Each row of the report contains the Activity Type, Start Time, File Name, Status, Comment, Guardium Host Name, Records Purged, Period Start, Period End, and count of log records for the row. You can limit the output by setting the Guardium Host Name run-time parameter, which is set to % by default (to select all servers). The Records Purged column contains a count of records purged only when the activity type is Purge.

Table 3. Aggregation/Archive Log
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| Aggregation/Export/Import | Aggregation/Archive Log | Agg/Archive Log |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Period From | >= | NOW -1 WEEK |
| Period To | <= | NOW |
| Guardium Host Name | LIKE | % |

All Guardium Applications - Roles

This menu pane displays two reports: All Roles - Application Access and All Roles - User.

All Roles - Application Access

For each role, this report lists the number of applications to which it is assigned. To list the applications to which a role is assigned, click on the role and drill down to the Record Details report.

Table 4. All Roles - Application Access
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| internal - not available | All Roles - Application Access | not available |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Period From | >= | NOW -100 MONTH |
| Period To | <= | NOW |

All Roles - User

For each role, this report lists the number of users to which it is assigned. To list the users to which a role is assigned, click on the role and drill down to the Record Details report.

Table 5. All Roles - User
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| internal - not available | Role - User | not available |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Period From | >= | NOW -100 MONTH |
| Period To | <= | NOW |

Appliance Settings

This report displays configuration settings from a Guardium system. Use the appliance settings report to quickly review and validate Guardium settings.

Table 6. Appliance settings
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| internal - not available | Active S-TAPs changed | not available |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Show Aliases | | Radio buttons (On, Off, Default) |
| Remote Data Source | | Drop-down menu |

Application Objects Summary

This report is a summary of every definition in the Guardium application. For instance, type Oracle in the ObjectNameLike space in the Run-Time Parameters page of Application Objects and find all the Object Types and Object Descriptions where Oracle is used.

Note: This report presents metadata and as such is not filtered through the Data Level Security mechanism. This metadata could include database related information such as Oracle SIDs.

Table 7. Application Objects Summary
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| Application Objects | Application Objects Summary | Application Objects |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| ObjectNameLike | % | % |
| ObjectTypeNameLike | % | % |

Approved TAP clients

Only specific S-TAPs are permitted to connect to the Guardium application. This report shows which S-TAPs are approved and the status of each.

Table 8. Approved TAP clients
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| internal - not available | Approved TAP Clients | not available |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Period From | >= | NOW -1 DAY |
| Period To | <= | NOW |

Audit Process Log

Audit Process Log

This report shows a detailed activity log for all tasks, including start and end times. This report is available for admin users via the Guardium Monitor tab. Audit tasks show start and end times; however, for Security Assessments and Classifications (which go to a queue) the start and end times are the same.

The Audit Process has been expanded to allow signoff of specific rows, in addition to a user signing off on the entire audit process. The report displays a list of what has been signed off and the status of specific rows.

Use this Audit Process Log to stop audit processes. Tasks can be stopped only if they have not been run or are running. Any remaining tasks that have not started will not execute, and partial results will not be delivered. If tasks are complete, stopping the audit process will not stop the sending of the results. Stopping the audit process is done through a GrdAPI command, invoke api, from the Audit Process Log report. For any user, the report shows only the lines belonging to that user (without all the details, just the tasks). Admin users see all the details and can stop anyone's runs. Users can only stop their own runs.

Note:

Stopping the audit process will not cancel queries that are running against a remote source, nor online reports that use a remote source.

Stopping is not supported for Privacy sets and External Feed. If a Privacy set task or an External Feed has started, it will finish even if the process is stopped (as opposed to a query, which will be killed).

Report columns:
  • Audit Process Log ID
  • Login Name
  • Run ID
  • Timestamp
  • Audit Process ID
  • Audit Process Description
  • Audit Task ID
  • Audit Task Description
  • Event Type
  • Detail
  • Count of Audit Process Log

Available Patches

Displays a list of available patches. There are no run-time parameters, and this reporting domain is system-only.

Buffer Usage Monitor

Provides an extensive set of buffer usage statistics. See the description of the Sniffer Buffer Usage entity for a description of the fields listed on this report.

Table 9. Buffer Usage Monitor
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| Buffer Usage | Buff Usage Monitor | Sniffer Buffer Usage Monitor |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Period From | >= | NOW -1 DAY |
| Period To | <= | NOW |

CAS Deployment

This CAS report details the database type, OS name, hostname and OS type.

Table 10. CAS Deployment
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| CAS | CAS Deployment | N/A |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| DB Type | Like | % |
| OS_Name | Like | % |
| Hostname | Like | % |
| OS_Type | Like | % |

Changes (CAS)

CAS Change Details

For each monitored item, the changes are listed in order by owner.

Table 11. CAS Change Details
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| CAS Changes | CAS Change Details | Host Configuration |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| DB_Type | Like | % |
| Host_Name | Like | % |
| Instance_Name | Like | % |
| Monitored_Item | Like | % |
| OS_Type | Like | % |
| Type | Like | % |

CAS Saved Data

This report lists the data saved for each change detected. This report is sorted by host name, and then by the most recent modification time.

Table 12. CAS Saved Data
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| CAS Changes | CAS Saved Data | Saved Data |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Host_Name | Like | % |
| Monitored_Item | Like | % |
| Saved_Data_Id | Like | % |

Configuration (CAS)

CAS Instances

This report lists CAS instance definitions (a CAS instance applies a template set to a specific CAS host). The default sort order for this report is non-standard. The sort keys are, from major to minor: Host Name (ascending), Instance (ascending) and Last Status Change (descending).

Table 13. CAS Instances
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| CAS Config | CAS Instances | Monitored Item Details |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Host_Name | Like | % |
| OS_Type | Like | % |
| DB_Type | Like | % |
| Instance | Like | % |

CAS Instance Config

This report lists CAS instance configuration changes. The default sort order for this report is non-standard. The sort keys are, from major to minor: Host Name (ascending), Instance (ascending) and Last Status Change (descending). You can limit the output by using any of the following runtime parameters, which select all values by default.

Table 14. CAS Instance Config
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| CAS Config | CAS Instance Config | Monitored Item Details |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Host_Name | Like | % |
| OS_Type | Like | % |
| Template_Id | Like | % |

Connection Profiling List

The Connection Profiling List is a group of all allowed connections (the Connection Profiling List shows all connection details).

Table 15. Connection Profiling List
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| internal - not available | Connection Profiling List | Client Server |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Query From Date | >= | NOW -1 DAY |
| Query To Date | <= | NOW |

Connections Quarantined

Guardium policies can be used to terminate or quarantine connections in real time. Use threshold alerts, based on queries. See Quarantine under the Policies topic for configuration instructions.

Table 16. Connections Quarantined
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| Connection Quarantine | Connections Quarantined | Connection Quarantine |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Server IP | LIKE | % |
| DB User | LIKE | % |
| Server Name | LIKE | % |
| Period From | >= | NOW -1 DAY |
| Period To | <= | NOW |

CPU Tracker

Lists the Software TAP Host and number of CPUs on machines running S-TAPs.

Table 17. CPU Tracker
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| internal - not available | not available | not available |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| none | n/a | n/a |

CPU Usage

By default, displays the CPU usage for the last two hours. This graphical report is intended to display recent activity only. If you alter the From and To run-time parameters to include a larger timeframe, you may receive a message indicating that there is too much data. Use a tabular report to display a larger time period.

Table 18. CPU Usage
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| Sniffer Buffer | CPU Usage | Sniffer Buffer Usage Monitor |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Period From | >= | NOW -2 HOUR |
| Period To | <= | NOW |

Databases by Type/ Number of DB per type

Server type and client sources for each database type monitored.

Table 19. Databases by Type
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| Access | Number of db per type | Client/Server |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Period From | >= | NOW -1 DAY |
| Period To | <= | NOW |

Databases Discovered

For the reporting period, for each Discovered Port entity where the DB Type attribute value is NOT LIKE Unknown, this report lists the Probe Timestamp, Server IP, Server Host Name, DB Type, Port, Port Type, and count of Discovered Ports for the row.

Table 20. Databases Discovered
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| Auto-discovery | Databases Discovered | Discovered Port |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Period From | >= | NOW -1 DAY |
| Period To | <= | NOW |
| PortNotLike | NOT LIKE | No default value. |

DB Users Mapping List

The mapping between database users (Invokers of SQL that caused a violation) and email addresses for real time alerts.

Table 21. DB Users Mapping List
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| Auto-discovery | DB Users Mapping List | Guardium Users Login |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Period From | >= | NOW -1 DAY |
| Period To | <= | NOW |

Default DB Users Enabled

This report details the default users found enabled after a database scan through the group of default users and list of servers supplied to the Non-credential Scan API. When an enabled user is found within a database, that occurrence of database/user is reported only once. Subsequent scans will update the timestamp and database version of the database. If a subsequent scan does not find a previously found user the timestamp remains unaffected so as to keep a history with the last time the user was found enabled on a database. Scans are run under the Classifier Listener and submitted jobs (with the non_credential_scan API) may be tracked using the Guardium Job Queue report.

Table 22. Default DB Users Enabled
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| Default DB Users Enabled | Default DB Users Enabled | Default DB Users Enabled |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Period From | >= | NOW -1 DAY |
| Period To | <= | NOW |

Data Sources

Lists all datasources defined: Data-Source Type, Data-Source Name, Data-Source Description, Host, Port, Service Name, User Name, Database Name, Last Connect, Shared, and Connection Properties.

You can restrict the output of this report using the Data Source Name run time parameter, which by default is set to “%” to select all datasources.

Table 23. Data Sources
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| internal - not available | Data-Sources | not available |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Data Source Name | LIKE | % |
| Period From | >= | NOW -1 DAY |
| Period To | <= | NOW |

Discovered Instances

This S-TAP report details the following information:

Timestamp, Host, Protocol, Port Min, Port Max, KTAP DB Port, Instance Name, Client, Exclude Client, Proc name, Named Pipe, DB Instance Dir, DB2® Shared Mem Adjust, DB2 Shared Mem Client Position, DB2 Shared Mem Size.

Table 24. Discovered Instances
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| Exception | Discovered Instances | Exception |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Period From | >= | NOW -1 DAY |
| Period To | <= | NOW |

Datamart Extraction Log

A Data Mart is a subset of a Data Warehouse. A Data Warehouse aggregates and organizes the data in a generic fashion that can be used later for analysis and reports. A Data Mart begins with user-defined data analysis and emphasizes meeting the specific demands of the user in terms of content, presentation and ease-of-use.

The Data Mart extraction program runs in a batch according to the specified schedule. It summarizes the data to hours, days, weeks or months according to the granularity requested, and then saves the results in a new table in the Guardium Analytic database.

The data is then accessible to users via the standard Reports and Audit Process utilities, like any other traditional Domain/Entity. The Data Mart extraction data is available under the DM domain, and the Entity name is set according to the new table name specified for the data mart data. Using the standard Query Builder and Report Builder, users can clone the default query, edit the query and report, generate a Portlet and add it to a Pane.

The extraction log consists of the following: Data Mart Name, Collector IP, Server IP, from-time, to-time, ID, run started, run ended, number of records, status, error code.

Definitions Export/Import Log

This report lists Guardium export/import activity by Activity Type. Each row of the report contains the Activity Type, Start Time, File Name, Status, Comment, and count of log records for the row.

Table 25. Definitions Export/Import Log
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| Aggregation/Archive | Export-Import Definitions Log | Agg/Archive Log |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Period From | >= | NOW -1 DAY |
| Period To | <= | NOW |

Dropped Requests

Tracks requests dropped by an inspection engine (Exception Description = Dropped database request). Under extremely rare, high-volume situations some requests may be lost. When this happens, the sessions from which the requests were lost are listed in the Dropped Requests report.

Table 26. Dropped Requests
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| Exceptions | Dropped Requests | Exception |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Period From | >= | NOW -1 DAY |
| Period To | <= | NOW |

Exception Count

For the reporting period, the total number of exceptions logged.

Table 27. Exception Count
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| Exceptions | Exception Count | Exception |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Period From | >= | NOW -1 DAY |
| Period To | <= | NOW |

Enterprise S-TAP (Detailed) View

See S-TAP Info (Central Manager) for information on this report.

Enterprise S-TAP Association History

Enterprise S-TAP Association History reports on how long the S-TAP reported to the specific Guardium system in the Load balancer environment.

Enterprise S-TAP View

See S-TAP Info (Central Manager) for information on this report.

Export Sensitive Data to Discovery

Guardium and InfoSphere® Discovery have mechanisms for the Classification of Sensitive Data.

A bidirectional interface is provided to transfer the identified sensitive data from Guardium to InfoSphere Discovery and from InfoSphere Discovery to Guardium.

This data will be transferred via CSV files. See External Data Correlation (Bidirectional Interface) for further information.

Table 28. Export Sensitive Data to Discovery
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| Internal - not available | Export Sensitive Data to Discovery | Classification Process Results |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Period From | >= | NOW -3 HOURS |
| Period To | <= | NOW |
| Rule Description | LIKE | |
| Schema | LIKE | |

Enterprise Buffer Usage Monitor

This report shows the aggregate of sniffer buffer usage from all managed units. A schedule must be set for the upload. See the description of the Sniffer Buffer Usage entity for a description of the fields listed on this report.

Table 29. Enterprise Buffer Usage Monitor
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| Enterprise Buffer Usage | Enterprise Buffer Usage | Sniffer Buffer Usage |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Period From | >= | NOW -1 DAY |
| Period To | <= | NOW |

Guardium Job Queue

Displays the Guardium Job Queue. Previously known as Classifier/Assessment Job Queue. For each job, it lists the Process Run ID, Process Type, Status, Guardium Job Process Id, Report Result Id, Guardium Job Description, Audit Task Description, Queue Time, Start Time, End Time, and Data Sources.

Table 30. Guardium Job Queue
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| Internal - not available | Guardium Job Queue | not available |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Job Description | LIKE | % |
| Period From | >= | NOW -1 DAY |
| Period To | <= | NOW |

The job queue

Assessments and Classifications run in their own separate process called the job queue. Jobs are queued and have their status maintained while a listener periodically polls the queue looking for waiting jobs to run.

Stopping

When a running job is right-clicked for drill-down, there is an option to stop the running job and cancel it. The job cannot be restarted at this point.

Halting

Running jobs are monitored to reduce the number of hung jobs that might cause the job queue to become overloaded. If a job is inactive for 30 minutes, the listener is terminated and restarted, effectively stopping the operation of a job. Before the listener is restarted, a process called the cleaner runs, the status is set from RUNNING to HALTED, and then the listener is restarted. A status of HALTED means the job was not able to run to completion.

Resubmitting

Sometimes the listener gets restarted for reasons other than a job hanging, for example rebooting the machine. When the cleaner halts the running jobs, it checks whether each job has responded in the past 8 minutes. If it has, the job is copied and that copy is resubmitted onto the job queue. The original halted job will still display on the queue, and the results it was able to process remain available.

Monitoring

The mechanism by which jobs maintain their active status is by touching the timestamp on the job queue record. It is important to note that the job queue record is used for the entire job. Each individual classifier rule or assessment test interacts with the timestamp for its parent process, and they do not have individual timestamps that are monitored.

The classifier will update its timestamp before every rule is tested and after every SQL operation. For example, if the classifier is scanning the data in a database that supports paging, it will touch the timestamp after each batch of data is brought back from the database. This is because, depending on the state of the target database, the classifier has the potential to invoke some long-running queries that will be limited to 30 minutes of execution.

Assessments touch the timestamp after each test in the assessment is evaluated. Most assessment tests run in a few seconds or less.

Observed Tests

The exception to the relatively quick-running assessment tests is the category of observed assessment tests. These tests are based on queries and reports that use the internal sniffing data on the Guardium appliance and can run for longer periods of time and are unable to update the timestamp while they are in process. Therefore, observed assessment tests have their timestamps set two hours into the future when they are started, essentially giving them two hours and thirty minutes to run to conclusion. This can be confusing when looking at the job queue and seeing the timestamp set to a time in the future. Just like any other assessment test, when the observed test ends, the timestamp will be touched. If the next test is an observed test, the timestamp will once again be set two hours into the future. Otherwise, the timestamp will be set to the current time.
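
The timing rules from the job queue description above, modelled in Python as an added example (not Guardium code). The Job record, the function names and the WAITING status label are hypothetical; the 30-minute, 8-minute and two-hour values come from the text, and treating a future timestamp as a recent response is an assumption.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta

# Intervals stated in the job queue description.
INACTIVITY_LIMIT = timedelta(minutes=30)  # inactive this long -> listener restart
RESUBMIT_WINDOW = timedelta(minutes=8)    # responded this recently -> copy resubmitted
OBSERVED_ADVANCE = timedelta(hours=2)     # observed tests stamp this far ahead


@dataclass(frozen=True)
class Job:                 # hypothetical record, not the Guardium schema
    run_id: int
    status: str            # WAITING (assumed label), RUNNING or HALTED
    touched: datetime      # the single timestamp kept for the whole job


def touch(job, now, observed_test_next=False):
    """Update the job's timestamp; observed tests stamp two hours ahead."""
    stamp = now + OBSERVED_ADVANCE if observed_test_next else now
    return replace(job, touched=stamp)


def is_hung(job, now):
    """A running job counts as hung once it has been inactive for 30 minutes."""
    return job.status == "RUNNING" and now - job.touched >= INACTIVITY_LIMIT


def hang_deadline(job):
    """Moment at which the listener would treat this job as hung."""
    return job.touched + INACTIVITY_LIMIT


def run_cleaner(queue, now):
    """Halt every running job and resubmit a copy of those that responded recently."""
    next_id = max((j.run_id for j in queue), default=0) + 1
    halted_queue, copies = [], []
    for job in queue:
        if job.status != "RUNNING":
            halted_queue.append(job)
            continue
        halted_queue.append(replace(job, status="HALTED"))
        # Assumption: a future (observed-test) timestamp counts as a recent response.
        if now - job.touched <= RESUBMIT_WINDOW:
            copies.append(Job(next_id, "WAITING", now))
            next_id += 1
    return halted_queue + copies


def demo():
    """Constructed sample: the listener restarts 31 minutes after t0."""
    t0 = datetime(2024, 1, 1, 12, 0)
    hung = Job(1, "RUNNING", t0)                           # silent since t0
    healthy = Job(2, "RUNNING", t0 + timedelta(minutes=26))  # touched 5 minutes ago
    waiting = Job(3, "WAITING", t0)
    now = t0 + timedelta(minutes=31)
    return [(j.run_id, j.status) for j in run_cleaner([hung, healthy, waiting], now)]


if __name__ == "__main__":
    print(demo())
```

The hung job is halted without a copy, while the job that responded five minutes before the restart is halted and resubmitted as a new queue entry.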

GIM Clients Status

Displays a list of GIM clients.

Table 31. GIM Clients Status
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| GIM Clients Status | GIM Clients Status | GIM Clients |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Client Name | % | N/A |
| Client OS | % | N/A |

GIM Events List

Displays a list of GIM Events.

Table 32. GIM Events List
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| GIM Events | GIM Events | GIM Events |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Period From | >= | NOW -1 DAY |
| Period To | <= | NOW |

GIM Installed Modules

Displays a list of installed GIM Modules.
Note: This report shows the modules that have been associated with the host. If a module has been assigned to a host, the assigned version will appear in this report, even if the module has not yet been scheduled or installed. To check the currently installed module, review the GIM Client Status report.

Table 33. GIM Installed Modules
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| GIM Installed Base | GIM Installed Base | GIM Installed |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| none | not applicable | not applicable |

Group Usage Report

Displays the list of all defined groups and all the entities that rely on each group.

Guardium API Exceptions

Displays a time stamp and description of all GuardAPI exceptions. These are jobs where the Exception Type ID is GUARD_API_EXCEPTION.

Table 34. Guardium API Exceptions
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| Exception | Guardium API Exceptions | Exception |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Period From | >= | NOW -1 DAY |
| Period To | <= | NOW |

Guardium Applications

For each Guardium application, each row lists a security role assigned, or the word all, indicating that all roles are assigned.

Table 35. Guardium Applications
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| internal - not available | All Guardium Applications | not available |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Period From | >= | NOW -100 Month DAY |
| Period To | <= | NOW |

Guardium Group Details

For the reporting period, each row of the report lists a group member. The columns contain the following information: Group Description, Group Type, Group Subtype, Timestamp (from the Group Member entity), Group Member, and count of Group Member entities for the row. The value of the timestamp is set to the current time whenever the record is updated.

You can restrict the output of this report using the run-time parameters, both of which are used with the LIKE operator and a default value of %, which selects all values.

Table 36. Guardium Group Details
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| Group | Guardium Group Details | Group Member |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Group Description | LIKE | % |
| Group Type | LIKE | % |
| Period From | >= | NOW -100 MONTH |
| Period To | <= | NOW |

Guardium Users

Lists each user, date of last activity, and number of roles assigned. For each user, you can drill down to the Record Details report to see the roles assigned to that user.

Table 37. Guardium Users
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| internal - not available | User Role | not available |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Period From | >= | NOW -100 MONTH |
| Period To | <= | NOW |

Host History (CAS)

CAS Host History

This report lists CAS host events. The default sort order for this report is non-standard. The sort keys are, from major to minor: Host Name (ascending), Instance and Event Time (descending).

Table 38. CAS Host History
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| CAS Host History | CAS Host History | Host Event |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Host_Name | Like | % |
| OS_Type | Like | % |
| Event_Type | Like | % |

Inactive Inspection Engines

Lists all inactive inspection engines.

Table 39. Inactive Inspection Engines
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| internal - not available | Inactive Inspection Engines | S-TAP Verification Header |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Query from date | >= | NOW -3 HOUR |
| Query to date | >= | NOW |

Inactive S-TAPs Since

Lists all inactive S-TAPs defined on the system. It has a single run-time parameter: Period From, which is set to now -1 hour by default. Use this parameter to control how you want to define inactive. This report contains the same columns of data for the S-TAP Status report with the addition of a count for each row of the report.

Table 40. Inactive S-TAPs Since
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| internal - not available | Inactive S-TAPs Since | not available |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Period From | >= | NOW -1 HOUR |

Installed Patches

Displays a list of installed patches. There are no run-time parameters, and this reporting domain is system-only.

Table 41. Installed Patches
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| internal - not available | Installed Patches | not available |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| none | not applicable | not applicable |

Logins to Guardium

All values for this report are from the Guardium Logins entity. For the reporting period, each row of the report lists the User Name, Login Succeeded (1= Successful, 0=Failed), Login Date And Time, Logout Date And Time (which will be blank if the user has not yet logged out), Host Name, Remote Address (of the user) and count of logins for the row.

Table 42. Logins to Guardium
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| Guardium Logins | Guardium Logins | Guardium Users Login |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Host Name | LIKE | % |
| Period From | >= | NOW -1 DAY |
| Period To | <= | NOW |

Logged R/T Alerts

For the reporting period, the total number of logged real time alerts, listed by rule description.

Table 43. Logged R/T Alerts
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| Policy Violations | Logged R/T Alerts | Policy Rule Violation |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Period From | >= | NOW -1 DAY |
| Period To | <= | NOW |

Logged Threshold Alerts

For the reporting period, the total number of threshold alerts logged.

Table 44. Logged Threshold Alerts
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| Alert | Logged Alerts | Threshold Alert Details |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Period From | >= | NOW -1 DAY |
| Period To | <= | NOW |

Logging Collectors (valid only from aggregation unit)

The Logging Collectors report appears under the Daily Monitor Tab and it is valid only on an aggregator unit. This report shows the number of sessions per Server IP, per collector and per day. For example: on May 19, aggregator #1 collected 100 sessions for Server 192.168.x.x1, 50 sessions for Server 192.168.x.x2; aggregator #2 collected 30 sessions for Server 192.168.x.x3, 90 sessions for Server 192.168.x.x4; etc.

Table 45. Logging Collectors
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| Exceptions | Logging Collectors | Logging Collectors |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Period From | >= | NOW -1 DAY |
| Period To | <= | NOW |

Managed Units (Central Manager)

Enterprise report on a Central Manager that shows which managed units are up. Use this report in a Statistical Alert to send an email to an ADMIN anytime a managed unit is down.

Table 46. Managed Units (Central Manager)
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| internal - not available | Managed Units | Managed Units |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Host Name | LIKE | % |
| Remote Data Source | | Drop-down menu |
| Show Aliases | | Radio buttons (On, Off, Default) |

Number of Active Audit Processes

Number of active Guardium audit processes. When central management is used, this report contains data only on the Central Manager, and is empty on all managed units (the standard message, No data found for requested query, displays). There are no run-time parameters for this report.

Table 47. Number of Active Audit Processes
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| Audit Process | Number of Active Processes | Audit Process |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| none | not applicable | not applicable |

Outstanding Audit Process Reviews

Number of outstanding Guardium audit processes, listed by Guardium users.

Table 48. Outstanding Audit Process Reviews
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| Audit Process | Outstanding Audit Process Reviews | Task Results To-Do List |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| none | not applicable | not applicable |

Primary Guardium Host Change Log

Log of primary host changes for S-TAPs. The primary host is the Guardium unit to which the S-TAP sends data. Each line of the report lists the S-TAP Host, Guardium Host Name, Period Start and Period End.

Table 49. Primary Guardium Host Change Log
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| internal - not available | Primary SGuard host change log | not available |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Period From | >= | NOW -1 DAY |
| Period To | <= | NOW |

Query Entities and Attributes

This report lists all the entities and attributes in Guardium reports and was created to simplify the linkage between the Guardium attributes to the GuardAPI calls.

Use this report to also invoke create_constant_attribute, create_api_parameter_mapping, delete_api_parameter_mapping, or list_param_mapping_for_function.

Table 50. Query Entities and Attributes
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| Any of Guardium reporting domains | Any of the entities for the reporting domain | Any of the attributes within the entity |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Report Name Like. If <> '%', it will show only the domain/entity and attributes used by reports that match the new parameter. If '%', then all domains, queries and attributes are displayed (including those not used by any report). | not applicable | not applicable |

Replay Statistics

This report shows Replay Statistics for Execution Start/End Date; Configuration Name; Schedule Setup Name; Job Status; Statistic Description; Session ID; Successful Queries; Failed Queries; Total Queries; Type; Active/Waiting/Completed Tasks.

Table 51. Replay Statistics
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| Replay Results Tracking | Replay Statistics | Replay Result Statistics |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Query from date | >= | NOW -1 DAY |
| Query to date | <= | NOW |
| Session | >= | N/A |
| Session | <= | N/A |

Replay Summary

For the reporting period, a measure of which queries failed or succeeded. This requires a checkmark in Replay Configuration for Query Failed or Query Succeeded.

Table 52. Replay Summary

| Domain | Based on Query | Main Entity |
|---|---|---|
| Replay Results | Replay Summary | Replay Results |

| Run-Time Parameter | Operator | Default Value |
|---|---|---|
| Query from date | >= | NOW -1 DAY |
| Query to date | <= | NOW |
| Results status | % | N/A |
| Schedule setup name | % | N/A |

Restored Data

This report has two columns: RESTORED_DAY and EXPIRATION_DATE. When the user restores data from archive, this table is populated according to the data restored and the duration specified for keeping this data. The purge process looks at this table to determine what data can be purged and cleans up records that expired. RESTORED_DAY is the date of the data that was restored and is in the past. EXPIRATION_DATE is the date when this data will be purged and is a date in the future.

Table 53. Restored Data

| Domain | Based on Query | Main Entity |
|---|---|---|
| Restored Data | Restored Data | Restored Data |

| Run-Time Parameter | Operator | Default Value |
|---|---|---|
| Period From | >= | NOW -10 DAY |
| Period To | <= | NOW +10 DAY |

Request Rate

By default, displays the request rate for the last two hours. This graphical report is intended to display recent activity only. If you alter the run-time parameters to include a larger timeframe, you may receive a message indicating that there is too much data. Use a tabular report to display a larger time period.

Table 54. Request Rate

| Domain | Based on Query | Main Entity |
|---|---|---|
| Sniffer Buffer | Request Rate | Sniffer Buffer Usage Monitor |

| Run-Time Parameter | Operator | Default Value |
|---|---|---|
| Period From | >= | NOW -2 HOUR |
| Period To | <= | NOW |

Rogue Connections

This report is available only when the Hunter option is enabled on Unix servers. The Hunter option is only used when the Tee monitoring method is used. This report lists all local processes that have circumvented S-TAP to connect to the database.

Table 55. Rogue Connections

| Domain | Based on Query | Main Entity |
|---|---|---|
| Rogue Connections | Rogue Connections | Rogue Connections |

| Run-Time Parameter | Operator | Default Value |
|---|---|---|
| Period From | >= | NOW -1 DAY |
| Period To | <= | NOW |

Scheduled Job Exceptions

Displays a timestamp and the description for each scheduled job exception (including assessment errors). These are jobs where the Exception Type ID is one of the following: SCHED_JOB_EXCEPTION, ASSESSMENT_EXCEPTION, or ASMT_ERROR.

Table 56. Scheduled Job Exceptions

| Domain | Based on Query | Main Entity |
|---|---|---|
| Sniffer Buffer | CPU Usage | Sniffer Buffer Usage |

| Run-Time Parameter | Operator | Default Value |
|---|---|---|
| Period From | >= | NOW -2 HOUR |
| Period To | <= | NOW |

Scheduled Jobs

Displays the list of currently scheduled jobs.

Table 57. Scheduled Jobs

| Domain | Based on Query | Main Entity |
|---|---|---|
| internal - not available | Scheduled Jobs | not available |

| Run-Time Parameter | Operator | Default Value |
|---|---|---|
| none | not applicable | not applicable |

Session Count

For the reporting period, the total number of different sessions open.

Table 58. Session Count

| Domain | Based on Query | Main Entity |
|---|---|---|
| Access | Session Count | Session |

| Run-Time Parameter | Operator | Default Value |
|---|---|---|
| Period From | >= | NOW -1 DAY |
| Period To | <= | NOW |

SQL Count

For the reporting period, the total number of different SQL commands issued.

Table 59. SQL Count

| Domain | Based on Query | Main Entity |
|---|---|---|
| Access | SQL Count | SQL |

| Run-Time Parameter | Operator | Default Value |
|---|---|---|
| Period From | >= | NOW -1 DAY |
| Period To | <= | NOW |

S-TAP Configuration Change History

This report is displayed only when an inspection engine is added or changed. Lists S-TAP configuration changes - each inspection engine change will be displayed on a separate row. Each row lists the S-TAP Host, DB Server Type, DB Port From, DB Port To, DB Client IP, DB Client Mask, and Timestamp for the change.

Table 60. S-TAP Configuration Change History

| Domain | Based on Query | Main Entity |
|---|---|---|
| internal - not available | Configuration Change History | not available |

| Run-Time Parameter | Operator | Default Value |
|---|---|---|
| Period From | >= | NOW -1 DAY |
| Period To | <= | NOW |

S-TAP Status

Displays status information about each inspection engine defined on each S-TAP Host. This report has no From and To date parameters, since it is reporting current status. Each row of the report lists the S-TAP Host, DB Server Type, Status, Last Response, Primary Host Name, and Yes/No indicators for the following attributes: KTAP Installed, TEE Installed, Shared Memory Driver Installed, DB2 Shared Memory Driver Installed, Named Pipes Driver Installed, and App Server Installed. In addition, it lists the Hunter DBS.

Note: The DB2 shared memory driver has been superseded by the DB2 Tap feature.

Table 61. S-TAP Status

| Domain | Based on Query | Main Entity |
|---|---|---|
| internal - not available | S-TAP Status | not available |

| Run-Time Parameter | Operator | Default Value |
|---|---|---|
| none | n/a | n/a |

S-TAP Verification

Lists all results of S-TAP verifications.

Table 62. S-TAP Verification

| Domain | Based on Query | Main Entity |
|---|---|---|
| internal - not available | S-TAP Verification | S-TAP Verification Header |

| Run-Time Parameter | Operator | Default Value |
|---|---|---|
| Query from date | >= | NOW -3 HOUR |
| Query to date | >= | NOW |

S-TAP Events

Use this report for information on the S-TAP (from the SOFTWARE_TAP_EVENT table in the internal database).

Table 63. S-TAP Events

| Domain | Based on Query | Main Entity |
|---|---|---|
| internal - not available | S-TAP Events | not available |

| Run-Time Parameter | Operator | Default Value |
|---|---|---|
| event type | LIKE | % |
| host type | LIKE | % |
| Period From | >= | NOW -3 DAY |
| Period To | <= | NOW |

S-TAP Info (Central Manager)

Report: See S-TAP Reports. On a Central Manager, an additional report, S-TAP Info, is available. This report monitors S-TAPs of the entire environment. Upload this data using the Custom Table Builder.

S-TAP info is a predefined custom domain which contains the S-TAP Info entity and is not modifiable like the entitlement domain.

When defining a custom query, go to the upload page and click Check/Repair to create the custom table in the CUSTOM database; otherwise, saving the query will not validate it. This table loads automatically from all remote sources. A user cannot select which remote sources are used - it pulls from all of them.

Based on this custom table and custom domain, there are two reports:

Enterprise S-TAP view shows, from the Central Manager, information on an active S-TAP on a collector and/or managed unit. (If there are duplicates for the same S-TAP engine, one active and one inactive, the report uses only the active one.)

Detailed Enterprise S-TAP view shows, from the Central Manager, information on all active and inactive S-TAPs on all collectors and/or managed units.

If the Enterprise S-TAP view and Detailed Enterprise S-TAP view look the same, it is because there is only one S-TAP on one managed unit being displayed. The Detailed Enterprise S-TAP view would look different if there were more S-TAPs and more managed units involved.

These two reports can be chosen from the TAP Monitor tab of a standalone system, but they will display no information.

Alert: See Viewing an Audit Process Definition for the alert Inspection Engines and S-TAP, which alerts on any activity related to inspection engine and S-TAP configuration.

S-TAP Last Response

Pre-defined query and report are available, but not added to any panels.

The query/report displays All S-TAP Hosts and the last response (heartbeat) sent by each host.

The purpose of this query is to be able to define an alert that will trigger when S-TAP on a host did not respond for a given period of time.

The input parameters are: Last response From, and, Last Response To.

For example, when executed with Last response From = NOW -5 DAYS and Last Response To = NOW - 3 HOURS, it will display the host name and the last response time for those hosts that sent the last response in the last 5 days, but had no response in the last 3 hours.
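The window logic described above, as an added example in Python (not Guardium code and not part of the original page): it resolves the page's relative-time notation and selects the hosts whose last heartbeat falls between the two bounds. The host names, timestamps, function names and the inclusive bounds are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Relative-time syntax as it appears on this page: NOW, NOW -5 DAYS, NOW - 3 HOURS.
# Only HOUR and DAY are handled here (assumption: MONTH is left out for brevity).
REL_TIME = re.compile(r"^NOW(?:\s*([+-])\s*(\d+)\s+(HOUR|DAY)S?)?$", re.IGNORECASE)
UNIT_KWARG = {"HOUR": "hours", "DAY": "days"}


def resolve(expr, now):
    """Turn a relative expression into an absolute datetime anchored at `now`."""
    m = REL_TIME.match(expr.strip())
    if m is None:
        raise ValueError(f"unsupported relative time: {expr!r}")
    sign, amount, unit = m.groups()
    if sign is None:                      # plain "NOW"
        return now
    delta = timedelta(**{UNIT_KWARG[unit.upper()]: int(amount)})
    return now + delta if sign == "+" else now - delta


def silent_hosts(last_response, period_from, period_to, now):
    """Return (host, last_seen) pairs whose last heartbeat falls inside
    [period_from, period_to], oldest first. Bounds are inclusive (assumption)."""
    lo, hi = resolve(period_from, now), resolve(period_to, now)
    if lo > hi:
        raise ValueError("Last response From must not be later than Last Response To")
    hits = [(h, ts) for h, ts in last_response.items() if lo <= ts <= hi]
    return sorted(hits, key=lambda pair: pair[1])


# Constructed sample data: host names and timestamps are invented for illustration.
SAMPLE_NOW = datetime(2024, 1, 10, 12, 0, 0)
SAMPLE_LAST_RESPONSE = {
    "db-a.example": SAMPLE_NOW - timedelta(minutes=10),  # healthy, still reporting
    "db-b.example": SAMPLE_NOW - timedelta(hours=4),     # silent for 4 hours
    "db-c.example": SAMPLE_NOW - timedelta(days=2),      # silent for 2 days
    "db-d.example": SAMPLE_NOW - timedelta(days=9),      # silent for 9 days
}

if __name__ == "__main__":
    rows = silent_hosts(SAMPLE_LAST_RESPONSE, "NOW -5 DAYS", "NOW - 3 HOURS", SAMPLE_NOW)
    for host, seen in rows:
        print(f"{host}: last response {seen.isoformat()} ({SAMPLE_NOW - seen} ago)")
```

In the sample, db-d.example has been silent for 9 days and therefore falls outside the 5-day lower bound, so it is not listed; an alert built on this window only covers hosts that went quiet within the From period.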

S-TAP Status Monitor

For each S-TAP reporting to this Guardium appliance, this report identifies the S-TAP Host, S-TAP Version, DB Server Type, Status (active or inactive), Last Response Received (date and time), Primary Host Name, and true/false indicators for: KTAP, TEE, MS SQL Server Shared Memory, DB2 Shared Memory, Local TCP monitoring, Named Pipes Usage, and Encryption.

This report has no run-time parameters, and is based on a system-only query that cannot be modified.

STAP/Z Files

STAP/Z provides files with raw data collected from DB2 (on z/OS®) containing DB2 events, SQL statements, etc. This report lists an Interface ID, UA file name (Un-normalized Audit Event), UT file name (Un-normalized Audit Event text), UH file name (Un-normalized Audit Event host variables), File Status, Total Number of Events Processed, Number of Events Failed, and Timestamp.

This report has two run-time parameters, FileName Like % and FileStatus Like %. It is based on a system-only query that cannot be modified.

TCP Exceptions

For the reporting period, for each exception where the Exception Description of the Exception Type entity is TCP/IP Protocol Exception, a row of this report lists the following attribute values from the Exception entity: Exception Timestamp, Exception Description, Source Address, Destination Address, Source Port, Destination Port, and count of Exceptions for that row.

Table 64. TCP Exceptions

| Domain | Based on Query | Main Entity |
|---|---|---|
| Exceptions | TCP Exceptions | Exception |

| Run-Time Parameter | Operator | Default Value |
|---|---|---|
| Period From | >= | NOW -1 DAY |
| Period To | <= | NOW |

Templates (CAS)

CAS Templates

This report lists CAS templates. By default, all template items are listed.

Table 65. CAS Templates

| Domain | Based on Query | Main Entity |
|---|---|---|
| CAS Templates | CAS Templates | Template |

| Run-Time Parameter | Operator | Default Value |
|---|---|---|
| Access_Name | Like | % |
| Template_Set_Name | Like | % |
| Audit_Type | Like | % |

Tests Exceptions

Indicates pairs of test/datasource that are temporarily exempted. See create_test_exception for more information on the use of Test Exceptions.

Table 66. Tests Exceptions

| Domain | Based on Query | Main Entity |
|---|---|---|
| internal - not available | Tests Exceptions | not available |

| Run-Time Parameter | Operator | Default Value |
|---|---|---|
| Period From | >= | NOW -12 MONTH |
| Period To | <= | NOW |

Throughput

For each Access Period in the reporting period, each row lists the Period Start time, the count of Server IP addresses, and the total number of accesses (Access Period entities).

You can restrict the output of this report using the Server IP run time parameter, which by default is set to % to select all IP addresses.

Table 67. Throughput

| Domain | Based on Query | Main Entity |
|---|---|---|
| internal - not available | DB Server Throughput | not available |

| Run-Time Parameter | Operator | Default Value |
|---|---|---|
| Period From | >= | NOW -1 DAY |
| Period To | <= | NOW |
| Server IP | LIKE | % |

Throughput (graphical)

This report is a Distributed Label Line chart version of the tabular Throughput report. It plots the total number of accesses over the reporting period, one data point per Period Start time.

You can restrict the output of this report using the Server IP run time parameter, which by default is set to % to select all IP addresses.

Table 68. Throughput (graphical)

| Domain | Based on Query | Main Entity |
|---|---|---|
| Access | DB Server Throughput - Chart | Access Period |

| Run-Time Parameter | Operator | Default Value |
|---|---|---|
| Period From | >= | NOW -1 DAY |
| Period To | <= | NOW |
| Server IP | LIKE | % |

User Activity Audit Trail Reports

The User Activity Audit Trail menu selection displays two reports. In addition, from each of those reports, a third report can be produced. See:
  • User Activity Audit Trail
  • System/Security Activities
  • Detailed Guardium User Activity (Drill-Down)

User Activity Audit Trail

For the reporting period, for each User Name seen on a Guardium User Activity Audit entity, each row displays the Guardium User Name, an Activity Type Description (from the Guardium Activity Types entity), a Count of Modified Entity values, the Host Name, and the total number of Guardium Activity Audits entities for that row.

From any row of this report, the Detailed Guardium User Activity report is available as a drill-down report.

Table 69. User Activity Audit Trail

| Domain | Based on Query | Main Entity |
|---|---|---|
| Guardium Activity | User Activity Audit Trail | Guardium User Activity Audit |

| Run-Time Parameter | Operator | Default Value |
|---|---|---|
| Host Name | LIKE | % |
| Period From | >= | NOW -1 DAY |
| Period To | <= | NOW |

System/Security Activities

For the reporting period, for each User Name seen on a Guardium User Activity Audit entity, each row displays the Guardium User Name, an Activity Type Description (from the Guardium Activity Types entity), a Count of Modified Entity values, the Host Name, and the total number of Guardium Activity Audits entities for that row.

From any row of this report, the Detailed Guardium User Activity report is available as a drill-down report.

Table 70. System/Security Activities

| Domain | Based on Query | Main Entity |
|---|---|---|
| Guardium Activity | User Activity Audit Trail | Guardium User Activity Audit |

| Run-Time Parameter | Operator | Default Value |
|---|---|---|
| Host Name | LIKE | % |
| Period From | >= | NOW -1 DAY |
| Period To | <= | NOW |

Detailed Guardium User Activity (Drill-Down)

This report is not available from the menu, but can be opened for any row of the User Activity Audit Trail report, or the System/Security Activities report. For the selected row of the report, based on the User Name and Activity Type Description, this report lists the following attribute values, all of which are from the Guardium User Activity Audit entity, except for the Activity Type Description, which is from the Guardium Activity Types entity: User Name, Timestamp, Modified Entity, Object Description, All Values, and a count of Guardium User Activity Audits entities for the row.

Table 71. Detailed Guardium User Activity (Drill-Down)

| Domain | Based on Query | Main Entity |
|---|---|---|
| Guardium Activity | Detailed Guardium User Activity | Guardium User Activity Audit |

| Run-Time Parameter | Operator | Default Value |
|---|---|---|
| Activity Type Description | | value from calling report |
| Period From | >= | NOW -1 DAY |
| Period To | <= | NOW |
| User Name | | value from calling report |

Warning: Users should be aware that activities of the root user, and other sensitive system accounts, are logged. Drilling down into the activity of these users may show sensitive commands and passwords that have been entered on the command line. Therefore users, whenever possible, should not enter sensitive command line information that they would not like to show on this drill-down report.

User To-Do Lists

Displays for each Guardium audit process: a description, login name, action required (review or approve), status, user who has signed or reviewed, and execution date of the specified task.

Table 72. User To-Do Lists

| Domain | Based on Query | Main Entity |
|---|---|---|
| internal - not available | Users To-do List | not available |

| Run-Time Parameter | Operator | Default Value |
|---|---|---|
| Period From | >= | NOW -1 DAY |
| Period To | <= | NOW |

User Comments - Sharable

Sharable user comments are all comments except for inspection engine, installed policy, and audit process results comments. For each sharable user comment, this report lists the date created, the type of item to which it applies (an alert, for example), the user who created the comment, and the contents of the comment.

Note: Comments defined for inspection engines, installed policies, or audit process results can be viewed from the individual definitions, but they cannot be displayed on a report.

Table 73. User Comments - Sharable

| Domain | Based on Query | Main Entity |
|---|---|---|
| Comments | Comments Defined | Comments |

| Run-Time Parameter | Operator | Default Value |
|---|---|---|
| Period From | >= | NOW -2 MONTH |
| Period To | <= | NOW |

Unit Utilization Levels

The following default reports provide unit utilization data:
  • Unit Utilization: Displays the maximum unit utilization level for each unit in the given timeframe. There is a drill-down that displays details for a unit across all periods within the timeframe of the report.
  • Unit Utilization Distribution: Per-unit, this report displays the percent of periods in the report timeframe with utilization levels of low, medium, and high.
  • Utilization Thresholds: This predefined report displays all low and high threshold values for all unit utilization parameters.
  • Unit Utilization Daily Summary: Provides a daily summary of unit utilization data.

Table 74. Unit Utilization Levels

| Domain | Based on Query | Main Entity |
|---|---|---|
| Internal - not available | Unit Utilization Distribution | Unit Utilization Levels |

| Run-Time Parameter | Operator | Default Value |
|---|---|---|
| Period From | >= | NOW -24 HOUR |
| Period To | <= | NOW |

Values Changed

For the reporting period, this report provides detailed information about monitored value changes. All attribute values displayed are from the Monitor Values entity. The query this report is based upon has a non-standard sorting sequence, as follows:
  • Server IP
  • DB Type
  • Audit Timestamp
  • Audit Table Name
  • Audit Owner

The query this report is based upon has a number of run-time parameters, all of which use the LIKE operator and default to the value %, meaning all values will be selected.

For each monitored value selected, a row of the report lists the Timestamp, Server IP, DB Type, Service Name, Database Name, Audit Login Name, Audit Timestamp, Audit Table Name, Audit Owner, Audit Action, Audit Old Value, Audit New Value, SQL Text, Triggered ID, and a count of Change Columns entities for that row.

Table 75. Values Changed

| Domain | Based on Query | Main Entity |
|---|---|---|
| Value Changed | Values Changed | Changed Columns |

| Run-Time Parameter | Operator | Default Value |
|---|---|---|
| Audit Action | LIKE | % |
| Audit Login Name | LIKE | % |
| Audit Owner | LIKE | % |
| Audit Table Name | LIKE | % |
| DB Type | LIKE | % |
| Period From | >= | NOW -1 DAY |
| Period To | <= | NOW |
| Server IP | LIKE | % |