Predefined admin reports
This section provides a short description of all predefined reports on the default administrator layout.
- Report Configuration Tools;
- Guardium Operational Reports;
- Real-time Guardium Operational Reports;
- Guardium Configuration Items; and,
- Monitoring of Guardium System.
The predefined admin reports are listed in alphabetical order.
Active S-TAPs changed
This alert only runs on Central Manager systems. S-TAP® Host, S-TAP version, S-TAP changed, timestamp and count are shown.
Domain | Based on Query | Main Entity |
---|---|---|
internal - not available | Active S-TAPs changed | not available |

Run-Time Parameter | Operator | Default Value |
---|---|---|
Period From | none | none |

Admin User Logins
Summary of logins to the database using a database user name defined in the Admin Users group. The report displays the client IP address from which the user with administrative privileges logged into the database, database user name, source program, session start date and time, and session total for that record.
Domain | Based on Query | Main Entity |
---|---|---|
Access | Admin Users Login | Session |

Run-Time Parameter | Operator | Default Value |
---|---|---|
Period From | >= | NOW -1 DAY |
Period To | <= | NOW |

Aggregation/Archive Log
This report lists Guardium® aggregation activity by Activity Type. Each row of the report contains the Activity Type, Start Time, File Name, Status, Comment, Guardium Host Name, Records Purged, Period Start, Period End, and count of log records for the row. You can limit the output by setting the Guardium Host Name run-time parameter, which is set to % by default (to select all servers). The Records Purged column contains a count of records purged only when the activity type is Purge.
Domain | Based on Query | Main Entity |
---|---|---|
Aggregation/Export/Import | Aggregation/Archive Log | Agg/Archive Log |

Run-Time Parameter | Operator | Default Value |
---|---|---|
Period From | >= | NOW -1 WEEK |
Period To | <= | NOW |
Guardium Host Name | LIKE | % |

All Guardium Applications - Roles
This menu pane displays two reports: All Roles - Application Access and All Roles - User.
All Roles - Application Access
For each role, this report lists the number of applications to which it is assigned. To list the applications to which a role is assigned, click on the role and drill down to the Record Details report.
Domain | Based on Query | Main Entity |
---|---|---|
internal - not available | All Roles - Application Access | not available |

Run-Time Parameter | Operator | Default Value |
---|---|---|
Period From | >= | NOW -100 MONTH |
Period To | <= | NOW |

All Roles - User
For each role, this report lists the number of users to which it is assigned. To list the users to which a role is assigned, click on the role and drill down to the Record Details report.
Domain | Based on Query | Main Entity |
---|---|---|
internal - not available | Role - User | not available |

Run-Time Parameter | Operator | Default Value |
---|---|---|
Period From | >= | NOW -100 MONTH |
Period To | <= | NOW |

Appliance Settings
This report displays configuration settings from a Guardium system. Use the appliance settings report to quickly review and validate Guardium settings.
Domain | Based on Query | Main Entity |
---|---|---|
internal - not available | Active S-TAPs changed | not available |

Run-Time Parameter | Operator | Default Value |
---|---|---|
Show Aliases | Radio buttons (On, Off, Default) | |
Remote Data Source | Drop-down menu | |

Application Objects Summary
This report is a summary of every definition in the Guardium application. For instance, type Oracle in the ObjectNameLike space in the Run-Time Parameters page of Application Objects and find all the Object Types and Object Descriptions where Oracle is used.
Domain | Based on Query | Main Entity |
---|---|---|
Application Objects | Application Objects Summary | Application Objects |

Run-Time Parameter | Operator | Default Value |
---|---|---|
ObjectNameLike | % | % |
ObjectTypeNameLike | % | % |

Approved TAP clients
Only specific S-TAPs are permitted to connect to the Guardium application. This report shows which S-TAPs are approved and the status of each.
Domain | Based on Query | Main Entity |
---|---|---|
internal - not available | Approved TAP Clients | not available |

Run-Time Parameter | Operator | Default Value |
---|---|---|
Period From | >= | NOW -1 DAY |
Period To | <= | NOW |

Audit Process Log
Audit Process Log
This report shows a detailed activity log for all tasks, including start and end times. This report is available for admin users via the Guardium Monitor tab. Audit tasks show start and end times; however, for Security Assessments and Classifications (which go to a queue) the start and end times are the same.
The Audit Process has been expanded to allow signoff of specific rows, in addition to a user signing off on the entire audit process. The report displays a list of what has been signed off and the status of specific rows.
Use this Audit Process Log to stop audit processes. Tasks can be stopped only if they have not yet run or are still running. Tasks that have not started will not execute, and partial results will not be delivered. If tasks are complete, stopping the audit process will not stop the sending of the results. Stopping the audit process is done through a GrdAPI command, invoke api, from the Audit Process Log report. A regular user sees only the lines belonging to that user (without all the details, just the tasks). Admin users see all the details and can stop anyone's runs. Users can only stop their own runs.
Stopping the audit process does not cancel queries that are running against a remote source, nor online reports that use a remote source.
Stopping is not supported for Privacy sets and External Feed. If a Privacy set task or an External Feed has started, it will finish even if the process is stopped (as opposed to a query, which will be killed).
Audit Process Log ID
Login Name
Run ID
Timestamp
Audit Process ID
Audit Process Description
Audit Task ID
Audit Task Description
Event Type
Detail
Count of Audit Process Log
Available Patches
Displays a list of available patches. There are no run-time parameters, and this reporting domain is system-only.
Buffer Usage Monitor
Provides an extensive set of buffer usage statistics. See the description of the Sniffer Buffer Usage entity for a description of the fields listed on this report.
Domain | Based on Query | Main Entity |
---|---|---|
Buffer Usage | Buff Usage Monitor | Sniffer Buffer Usage Monitor |

Run-Time Parameter | Operator | Default Value |
---|---|---|
Period From | >= | NOW -1 DAY |
Period To | <= | NOW |

CAS Deployment
This CAS report details the Database type, OS name, Hostname and OS type.
Domain | Based on Query | Main Entity |
---|---|---|
CAS | CAS Deployment | N/A |

Run-Time Parameter | Operator | Default Value |
---|---|---|
DB Type | Like | % |
OS_Name | Like | % |
Hostname | Like | % |
OS_Type | Like | % |

Changes (CAS)
CAS Change Details
For each monitored item, the changes are listed in order by owner.
Domain | Based on Query | Main Entity |
---|---|---|
CAS Changes | CAS Change Details | Host Configuration |

Run-Time Parameter | Operator | Default Value |
---|---|---|
DB_Type | Like | % |
Host_Name | Like | % |
Instance_Name | Like | % |
Monitored_Item | Like | % |
OS_Type | Like | % |
Type | Like | % |

CAS Saved Data
This report lists the data saved for each change detected. This report is sorted by host name, and then by the most recent modification time.
Domain | Based on Query | Main Entity |
---|---|---|
CAS Changes | CAS Saved Data | Saved Data |

Run-Time Parameter | Operator | Default Value |
---|---|---|
Host_Name | Like | % |
Monitored_Item | Like | % |
Saved_Data_Id | Like | % |

Configuration (CAS)
CAS Instances
This report lists CAS instance definitions (a CAS instance applies a template set to a specific CAS host). The default sort order for this report is non-standard. The sort keys are, from major to minor: Host Name (ascending), Instance (ascending) and Last Status Change (descending).
Domain | Based on Query | Main Entity |
---|---|---|
CAS Config | CAS Instances | Monitored Item Details |

Run-Time Parameter | Operator | Default Value |
---|---|---|
Host_Name | Like | % |
OS_Type | Like | % |
DB_Type | Like | % |
Instance | Like | % |

CAS Instance Config
This report lists CAS instance configuration changes. The default sort order for this report is non-standard. The sort keys are, from major to minor: Host Name (ascending), Instance (ascending) and Last Status Change (descending). You can limit the output by using any of the following runtime parameters, which select all values by default.
Domain | Based on Query | Main Entity |
---|---|---|
CAS Config | CAS Instance Config | Monitored Item Details |

Run-Time Parameter | Operator | Default Value |
---|---|---|
Host_Name | Like | % |
OS_Type | Like | % |
Template_Id | Like | % |

Connection Profiling List
Connection Profiling List is a group of all allowed connections (the Connection Profiling List shows all connection details).
Domain | Based on Query | Main Entity |
---|---|---|
internal - not available | Connection Profiling List | Client Server |

Run-time parameter | Operator | Default Value |
---|---|---|
Query From Date | >= | NOW -1 DAY |
Query To Date | <= | NOW |

Connections Quarantined
Guardium policies can be used to terminate or quarantine connections in real time. Use threshold alerts, based on queries. See Quarantine under the Policies topic for configuration instructions.
Domain | Based on Query | Main Entity |
---|---|---|
Connection Quarantine | Connections Quarantined | Connection Quarantine |

Run-Time Parameter | Operator | Default Value |
---|---|---|
Server IP | LIKE | % |
DB User | LIKE | % |
Server Name | LIKE | % |
Period From | >= | NOW -1 DAY |
Period To | <= | NOW |

CPU Tracker
Lists the Software TAP Host and number of CPUs on machines running S-TAPs.
Domain | Based on Query | Main Entity |
---|---|---|
internal - not available | not available | not available |

Run-Time Parameter | Operator | Default Value |
---|---|---|
none | n/a | n/a |

CPU Usage
By default, displays the CPU usage for the last two hours. This graphical report is intended to display recent activity only. If you alter the From and To run-time parameters to include a larger timeframe, you may receive a message indicating that there is too much data. Use a tabular report to display a larger time period.
Domain | Based on Query | Main Entity |
---|---|---|
Sniffer Buffer | CPU Usage | Sniffer Buffer Usage Monitor |

Run-Time Parameter | Operator | Default Value |
---|---|---|
Period From | >= | NOW -2 HOUR |
Period To | <= | NOW |

Databases by Type/ Number of DB per type
Server type and client sources for each database type monitored.
Domain | Based on Query | Main Entity |
---|---|---|
Access | Number of db per type | Client/Server |

Run-Time Parameter | Operator | Default Value |
---|---|---|
Period From | >= | NOW -1 DAY |
Period To | <= | NOW |

Databases Discovered
For the reporting period, for each Discovered Port entity where the DB Type attribute value is NOT LIKE Unknown, this report lists the Probe Timestamp, Server IP, Server Host Name, DB Type, Port, Port Type, and count of Discovered Ports for the row.
Domain | Based on Query | Main Entity |
---|---|---|
Auto-discovery | Databases Discovered | Discovered Port |

Run-Time Parameter | Operator | Default Value |
---|---|---|
Period From | >= | NOW -1 DAY |
Period To | <= | NOW |
PortNotLike | NOT LIKE | No default value. |

DB Users Mapping List
The mapping between database users (Invokers of SQL that caused a violation) and email addresses for real time alerts.
Domain | Based on Query | Main Entity |
---|---|---|
Auto-discovery | DB Users Mapping List | Guardium Users Login |

Run-Time Parameter | Operator | Default Value |
---|---|---|
Period From | >= | NOW -1 DAY |
Period To | <= | NOW |

Default DB Users Enabled
This report details the default users found enabled after a database scan through the group of default users and list of servers supplied to the Non-credential Scan API. When an enabled user is found within a database, that occurrence of database/user is reported only once. Subsequent scans will update the timestamp and database version of the database. If a subsequent scan does not find a previously found user the timestamp remains unaffected so as to keep a history with the last time the user was found enabled on a database. Scans are run under the Classifier Listener and submitted jobs (with the non_credential_scan API) may be tracked using the Guardium Job Queue report.
Domain | Based on Query | Main Entity |
---|---|---|
Default DB Users Enabled | Default DB Users Enabled | Default DB Users Enabled |

Run-Time Parameter | Operator | Default Value |
---|---|---|
Period From | >= | NOW -1 DAY |
Period To | <= | NOW |

Data Sources
Lists all datasources defined: Data-Source Type, Data-Source Name, Data-Source Description, Host, Port, Service Name, User Name, Database Name, Last Connect, Shared, and Connection Properties.
You can restrict the output of this report using the Data Source Name run time parameter, which by default is set to “%” to select all datasources.
Domain | Based on Query | Main Entity |
---|---|---|
internal - not available | Data-Sources | not available |

Run-Time Parameter | Operator | Default Value |
---|---|---|
Data Source Name | LIKE | % |
Period From | >= | NOW -1 DAY |
Period To | <= | NOW |

Discovered Instances
This S-TAP report details the following information:
Timestamp, Host, Protocol, Port Min, Port Max, KTAP DB Port, Instance Name, Client, Exclude Client, Proc name, Named Pipe, DB Instance Dir, DB2® Shared Mem Adjust, DB2 Shared Mem Client Position, DB2 Shared Mem Size.
Domain | Based on Query | Main Entity |
---|---|---|
Exception | Discovered Instances | Exception |

Run-Time Parameter | Operator | Default Value |
---|---|---|
Period From | >= | NOW -1 DAY |
Period To | <= | NOW |

Datamart Extraction Log
A Data Mart is a subset of a Data Warehouse. A Data Warehouse aggregates and organizes the data in a generic fashion that can be used later for analysis and reports. A Data Mart begins with user-defined data analysis and emphasizes meeting the specific demands of the user in terms of content, presentation and ease-of-use.
The Data Mart extraction program runs in a batch according to the specified schedule. It summarizes the data to hours, days, weeks or months according to the granularity requested and then it saves the results in a new table in Guardium Analytic database.
The data is then accessible to users via the standard Reports and Audit Process utilities, like any other traditional Domain/Entity. The Data Mart extraction data is available under the DM domain, and the Entity name is set according to the new table name specified for the data mart data. Using the standard Query Builder and Report Builder, users can clone the default query, edit the query and report, generate a Portlet, and add it to a Pane.
The extraction log consists of the following - Data Mart Name, Collector IP, Server IP, from-time, to-time, ID, run started, run ended, number of records, status, error code.
Definitions Export/Import Log
This report lists Guardium export/import activity by Activity Type. Each row of the report contains the Activity Type, Start Time, File Name, Status, Comment, and count of log records for the row.
Domain | Based on Query | Main Entity |
---|---|---|
Aggregation/Archive | Export-Import Definitions Log | Agg/Archive Log |

Run-Time Parameter | Operator | Default Value |
---|---|---|
Period From | >= | NOW -1 DAY |
Period To | <= | NOW |

Dropped Requests
Tracks requests dropped by an inspection engine (Exception Description = Dropped database request). Under extremely rare, high-volume situations some requests may be lost. When this happens, the sessions from which the requests were lost are listed in the Dropped Requests report.
Domain | Based on Query | Main Entity |
---|---|---|
Exceptions | Dropped Requests | Exception |

Run-Time Parameter | Operator | Default Value |
---|---|---|
Period From | >= | NOW -1 DAY |
Period To | <= | NOW |

Exception Count
For the reporting period, the total number of exceptions logged.
Domain | Based on Query | Main Entity |
---|---|---|
Exceptions | Exception Count | Exception |

Run-Time Parameter | Operator | Default Value |
---|---|---|
Period From | >= | NOW -1 DAY |
Period To | <= | NOW |

Enterprise S-TAP (Detailed) View
See S-TAP Info (Central Manager) for information on this report.
Enterprise S-TAP Association History
Enterprise S-TAP Association History reports on how long the S-TAP reported to the specific Guardium system in the Load balancer environment.
Enterprise S-TAP View
See S-TAP Info (Central Manager) for information on this report.
Export Sensitive Data to Discovery
Guardium and InfoSphere® Discovery have mechanisms for the Classification of Sensitive Data.
A bidirectional interface is provided to transfer the identified sensitive data from Guardium to InfoSphere Discovery and from InfoSphere Discovery to Guardium.
This data will be transferred via CSV files. See External Data Correlation (Bidirectional Interface) for further information.
Domain | Based on Query | Main Entity |
---|---|---|
Internal - not available | Export Sensitive Data to Discovery | Classification Process Results |

Run-Time Parameter | Operator | Default Value |
---|---|---|
Period From | >= | NOW -3 HOURS |
Period To | <= | NOW |
Rule Description | LIKE | |
Schema | LIKE | |

Enterprise Buffer Usage Monitor
This report shows the aggregate of sniffer buffer usage from all managed units. The schedule for the upload must be set. See the description of the Sniffer Buffer Usage entity for a description of the fields listed on this report.
Domain | Based on Query | Main Entity |
---|---|---|
Enterprise Buffer Usage | Enterprise Buffer Usage | Sniffer Buffer Usage |

Run-Time Parameter | Operator | Default Value |
---|---|---|
Period From | >= | NOW -1 DAY |
Period To | <= | NOW |

Guardium Job Queue
Displays the Guardium Job Queue. Previously known as Classifier/Assessment Job Queue. For each job, it lists the Process Run ID, Process Type, Status, Guardium Job Process Id, Report Result Id, Guardium Job Description, Audit Task Description, Queue Time, Start Time, End Time, and Data Sources.
Domain | Based on Query | Main Entity |
---|---|---|
Internal - not available | Guardium Job Queue | not available |

Run-Time Parameter | Operator | Default Value |
---|---|---|
Job Description | LIKE | % |
Period From | >= | NOW -1 DAY |
Period To | <= | NOW |

The job queue
Assessments and Classifications run in their own separate process called the job queue. Jobs are queued and have their status maintained while a listener periodically polls the queue looking for waiting jobs to run.
Stopping
When a running job is right-clicked for drill-down, there is an option to stop the running job and cancel it. The job cannot be restarted at this point.
Halting
Running jobs are monitored to reduce the number of hung jobs that might cause the job queue to become overloaded. If a job is inactive for 30 minutes, the listener is terminated and restarted, effectively stopping the operation of a job. Before the listener is restarted, a process called the cleaner runs, the status is set from RUNNING to HALTED, and then the listener is restarted. A status of HALTED means the job was not able to run to completion.
Resubmitting
Sometimes the listener gets restarted for reasons other than a job hanging, for example rebooting the machine. When the cleaner halts the running jobs, it will see if the job has responded in the past 8 minutes. If it has, the job will be copied and that copy will be resubmitted onto the job queue. The original halted job will still display on the queue, and will still have the results it was able to process available.
Monitoring
The mechanism by which jobs maintain their active status is by touching the timestamp on the job queue record. It is important to note that the job queue record is used for the entire job. Each individual classifier rule or assessment test interacts with the timestamp for its parent process, and they do not have individual timestamps that are monitored.
The classifier will update its timestamp before every rule is tested and after every SQL operation. For example, if the classifier is scanning the data in a database that supports paging, it will touch the timestamp after each batch of data is brought back from the database. This is because, depending on the state of the target database, the classifier has the potential to invoke some long-running queries that will be limited to 30 minutes of execution.
Assessments touch the timestamp after each test in the assessment is evaluated. Most assessment tests run in a few seconds or less.
Observed Tests
The exception to the relatively quick-running assessment tests is the category of observed assessment tests. These tests are based on queries and reports that use the internal sniffing data on the Guardium appliance and can run for longer periods of time and are unable to update the timestamp while they are in process. Therefore, observed assessment tests have their timestamps set two hours into the future when they are started, essentially giving them two hours and thirty minutes to run to conclusion. This can be confusing when looking at the job queue and seeing the timestamp set to a time in the future. Just like any other assessment test, when the observed test ends, the timestamp will be touched. If the next test is an observed test, the timestamp will once again be set two hours into the future. Otherwise, the timestamp will be set to the current time.
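The halting, resubmitting and observed-test timing rules described above, modeled as an added Python example (not Guardium code). The `Job` record, the function names, the `WAITING` status label, the sample rows, and the treatment of a future-dated timestamp as a recent response are assumptions made for illustration.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta

# Timing rules taken from the text above.
INACTIVITY_LIMIT = timedelta(minutes=30)  # inactive this long -> listener restarted
RESUBMIT_WINDOW = timedelta(minutes=8)    # touched this recently -> copy resubmitted
OBSERVED_LEAD = timedelta(hours=2)        # observed tests stamp this far ahead


@dataclass(frozen=True)
class Job:
    """One job queue record (hypothetical shape, not the product schema)."""
    run_id: int
    description: str
    status: str          # RUNNING and HALTED are from the page; WAITING is assumed
    timestamp: datetime  # last touch on the job queue record


def halt_deadline(job):
    """Moment at which the job counts as inactive for 30 minutes."""
    return job.timestamp + INACTIVITY_LIMIT


def is_hung(job, now):
    """True when a running job has not touched its record for 30 minutes."""
    return job.status == "RUNNING" and now >= halt_deadline(job)


def is_future_dated(job, now):
    """A timestamp ahead of the clock marks an observed test in progress."""
    return job.status == "RUNNING" and job.timestamp > now


def run_cleaner(queue, now):
    """Cleaner pass before a listener restart: halt every running job and
    resubmit a copy of each one that responded within the last 8 minutes."""
    next_id = max((j.run_id for j in queue), default=0) + 1
    result, copies = [], []
    for job in queue:
        if job.status != "RUNNING":
            result.append(job)
            continue
        result.append(replace(job, status="HALTED"))  # original stays on the queue
        # Assumption: a future-dated stamp (observed test) counts as recent;
        # the page does not say how the cleaner treats it.
        if now - job.timestamp <= RESUBMIT_WINDOW:
            copies.append(replace(job, run_id=next_id, status="WAITING",
                                  timestamp=now))
            next_id += 1
    return result + copies


def listener_tick(queue, now):
    """One monitoring pass: a single hung job restarts the listener,
    which halts all running jobs, not only the hung one."""
    if any(is_hung(j, now) for j in queue):
        return run_cleaner(queue, now)
    return list(queue)


def triage(queue, now):
    """(run_id, kind, minutes until the halt deadline) per running job."""
    rows = []
    for job in queue:
        if job.status != "RUNNING":
            continue
        kind = "observed-test window" if is_future_dated(job, now) else "normal"
        minutes = int((halt_deadline(job) - now).total_seconds() // 60)
        rows.append((job.run_id, kind, minutes))
    return rows


# Constructed sample queue, not real report output.
NOW = datetime(2024, 5, 19, 12, 0)
SAMPLE_QUEUE = [
    Job(101, "Classifier: PII scan", "RUNNING", NOW - timedelta(minutes=35)),
    Job(102, "Assessment: weekly baseline", "RUNNING", NOW - timedelta(minutes=5)),
    # Observed test started 20 minutes ago, so its stamp is start + 2 hours.
    Job(103, "Assessment: observed tests", "RUNNING",
        NOW - timedelta(minutes=20) + OBSERVED_LEAD),
    Job(104, "Classifier: nightly", "WAITING", NOW - timedelta(minutes=60)),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_QUEUE, NOW):
        print(row)
    for job in listener_tick(SAMPLE_QUEUE, NOW):
        print(job.run_id, job.status, job.description)
```

The model shows why a timestamp in the future is expected for observed tests, and why one hung job can leave healthy jobs HALTED with a resubmitted copy next to them on the queue.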
GIM Clients Status
Displays a list of GIM clients.
Domain | Based on Query | Main Entity |
---|---|---|
GIM Clients Status | GIM Clients Status | GIM Clients |

Run-Time Parameter | Operator | Default Value |
---|---|---|
Client Name | % | N/A |
Client OS | % | N/A |

GIM Events List
Displays a list of GIM Events.
Domain | Based on Query | Main Entity |
---|---|---|
GIM Events | GIM Events | GIM Events |

Run-Time Parameter | Operator | Default Value |
---|---|---|
Period From | >= | NOW -1 DAY |
Period To | <= | NOW |

GIM Installed Modules
Domain | Based on Query | Main Entity |
---|---|---|
GIM Installed Base | GIM Installed Base | GIM Installed |

Run-Time Parameter | Operator | Default Value |
---|---|---|
none | not applicable | not applicable |

Group Usage Report
Displays the list of all defined groups and all the entities that rely on each group.
Guardium API Exceptions
Displays a time stamp and description of all GuardAPI exceptions. These are jobs where the Exception Type ID is GUARD_API_EXCEPTION.
Domain | Based on Query | Main Entity |
---|---|---|
Exception | Guardium API Exceptions | Exception |

Run-Time Parameter | Operator | Default Value |
---|---|---|
Period From | >= | NOW -1 DAY |
Period To | <= | NOW |

Guardium Applications
For each Guardium application, each row lists a security role assigned, or the word all, indicating that all roles are assigned.
Domain | Based on Query | Main Entity |
---|---|---|
internal - not available | All Guardium Applications | not available |

Run-Time Parameter | Operator | Default Value |
---|---|---|
Period From | >= | NOW -100 Month DAY |
Period To | <= | NOW |

Guardium Group Details
For the reporting period, each row of the report lists a group member. The columns contain the following information: Group Description, Group Type, Group Subtype, Timestamp (from the Group Member entity), Group Member, and count of Group Member entities for the row. The value of the timestamp is set to the current time whenever the record is updated.
You can restrict the output of this report using the run-time parameters, both of which are used with the LIKE operator and a default value of %, which selects all values.
Domain | Based on Query | Main Entity |
---|---|---|
Group | Guardium Group Details | Group Member |

Run-Time Parameter | Operator | Default Value |
---|---|---|
Group Description | LIKE | % |
Group Type | LIKE | % |
Period From | >= | NOW -100 MONTH |
Period To | <= | NOW |

Guardium Users
Lists each user, date of last activity, and number of roles assigned. For each user, you can drill down to the Record Details report to see the roles assigned to that user.
Domain | Based on Query | Main Entity |
---|---|---|
internal - not available | User Role | not available |

Run-Time Parameter | Operator | Default Value |
---|---|---|
Period From | >= | NOW -100 MONTH |
Period To | <= | NOW |

Host History (CAS)
CAS Host History
This report lists CAS host events. The default sort order for this report is non-standard. The sort keys are, from major to minor: Host Name (ascending), Instance and Event Time (descending).
Domain | Based on Query | Main Entity |
---|---|---|
CAS Host History | CAS Host History | Host Event |

Run-Time Parameter | Operator | Default Value |
---|---|---|
Host_Name | Like | % |
OS_Type | Like | % |
Event_Type | Like | % |

Inactive Inspection Engines
Lists all inactive inspection engines.
Domain | Based on Query | Main Entity |
---|---|---|
internal - not available | Inactive Inspection Engines | S-TAP Verification Header |

Run-Time Parameter | Operator | Default Value |
---|---|---|
Query from date | >= | NOW -3 HOUR |
Query to date | >= | NOW |

Inactive S-TAPs Since
Lists all inactive S-TAPs defined on the system. It has a single run-time parameter: Period From, which is set to now -1 hour by default. Use this parameter to control how you want to define inactive. This report contains the same columns of data for the S-TAP Status report with the addition of a count for each row of the report.
Domain | Based on Query | Main Entity |
---|---|---|
internal - not available | Inactive S-TAPs Since | not available |

Run-Time Parameter | Operator | Default Value |
---|---|---|
Period From | >= | NOW -1 HOUR |

Installed Patches
Displays a list of installed patches. There are no run-time parameters, and this reporting domain is system-only.
Domain | Based on Query | Main Entity |
---|---|---|
internal - not available | Installed Patches | not available |

Run-Time Parameter | Operator | Default Value |
---|---|---|
none | not applicable | not applicable |

Logins to Guardium
All values for this report are from the Guardium Logins entity. For the reporting period, each row of the report lists the User Name, Login Succeeded (1= Successful, 0=Failed), Login Date And Time, Logout Date And Time (which will be blank if the user has not yet logged out), Host Name, Remote Address (of the user) and count of logins for the row.
Domain | Based on Query | Main Entity |
---|---|---|
Guardium Logins | Guardium Logins | Guardium Users Login |

Run-Time Parameter | Operator | Default Value |
---|---|---|
Host Name | LIKE | % |
Period From | >= | NOW -1 DAY |
Period To | <= | NOW |

Logged R/T Alerts
For the reporting period, the total number of logged real time alerts, listed by rule description.
Domain | Based on Query | Main Entity |
---|---|---|
Policy Violations | Logged R/T Alerts | Policy Rule Violation |

Run-Time Parameter | Operator | Default Value |
---|---|---|
Period From | >= | NOW -1 DAY |
Period To | <= | NOW |

Logged Threshold Alerts
For the reporting period, the total number of threshold alerts logged.
Domain | Based on Query | Main Entity |
---|---|---|
Alert | Logged Alerts | Threshold Alert Details |

Run-Time Parameter | Operator | Default Value |
---|---|---|
Period From | >= | NOW -1 DAY |
Period To | <= | NOW |

Logging Collectors (valid only from aggregation unit)
The Logging Collectors report appears under the Daily Monitor Tab and it is valid only on an aggregator unit. This report shows the number of sessions per Server IP, per collector and per day. For example: on May 19, aggregator #1 collected 100 sessions for Server 192.168.x.x1, 50 sessions for Server 192.168.x.x2; aggregator #2 collected 30 sessions for Server 192.168.x.x3, 90 sessions for Server 192.168.x.x4; etc.
Domain | Based on Query | Main Entity |
---|---|---|
Exceptions | Logging Collectors | Logging Collectors |

Run-Time Parameter | Operator | Default Value |
---|---|---|
Period From | >= | NOW -1 DAY |
Period To | <= | NOW |

Managed Units (Central Manager)
Enterprise report on a Central Manager that shows which managed units are up. Use this report in a Statistical Alert to send an email to an ADMIN anytime a managed unit is down.
Domain | Based on Query | Main Entity |
---|---|---|
internal - not available | Managed Units | Managed Units |

Run-Time Parameter | Operator | Default Value |
---|---|---|
Host Name | LIKE | % |
Remote Data Source | Drop-down menu | |
Show Aliases | Radio buttons (On, Off, Default) | |

Number of Active Audit Processes
Number of active Guardium audit processes. When central management is used, this report contains data only on the Central Manager, and is empty on all managed units (the standard message, No data found for requested query, displays). There are no run-time parameters for this report.
Domain | Based on Query | Main Entity |
---|---|---|
Audit Process | Number of Active Processes | Audit Process |

Run-Time Parameter | Operator | Default Value |
---|---|---|
none | not applicable | not applicable |

Outstanding Audit Process Reviews
Number of outstanding Guardium audit processes, listed by Guardium users.
Domain | Based on Query | Main Entity |
---|---|---|
Audit Process | Outstanding Audit Process Reviews | Task Results To-Do List |

Run-Time Parameter | Operator | Default Value |
---|---|---|
none | not applicable | not applicable |

Primary Guardium Host Change Log
Log of primary host changes for S-TAPs. The primary host is the Guardium unit to which the S-TAP sends data. Each line of the report lists the S-TAP Host, Guardium Host Name, Period Start and Period End.
Domain | Based on Query | Main Entity |
---|---|---|
internal - not available | Primary SGuard host change log | not available |

Run-Time Parameter | Operator | Default Value |
---|---|---|
Period From | >= | NOW -1 DAY |
Period To | <= | NOW |

Query Entities and Attributes
This report lists all the entities and attributes in Guardium reports and was created to simplify the linkage between the Guardium attributes and the GuardAPI calls.
Use this report to also invoke create_constant_attribute, create_api_parameter_mapping, delete_api_parameter_mapping, or list_param_mapping_for_function.
Domain | Based on Query | Main Entity |
---|---|---|
Any of Guardium reporting domains | Any of the entities for the reporting domain | Any of the attributes within the entity |

Run-Time Parameter | Operator | Default Value |
---|---|---|
Report Name Like if <> '%' it will show only the domain/entity and attributes used by reports that match the new parameter. IF '%' then all domains, queries and attributes are displayed (including those not used by any report). | not applicable | not applicable |

Replay Statistics
This report shows Replay Statistics for Execution Start/End Date; Configuration Name; Schedule Setup Name; Job Status; Statistic Description; Session ID; Successful Queries; Failed Queries; Total Queries; Type; Active/Waiting/Completed Tasks.
Domain | Based on Query | Main Entity |
---|---|---|
Replay Results Tracking | Replay Statistics | Replay Result Statistics |

Run-Time Parameter | Operator | Default Value |
---|---|---|
Query from date | >= | NOW -1 DAY |
Query to date | <= | NOW |
Session | >= | N/A |
Session | <= | N/A |

Replay Summary
For the reporting period, a measure of what query failed or succeeded. Checkmark required in Replay Configuration for Query Failed or Query Succeeded.
Domain | Based on Query | Main Entity |
---|---|---|
Replay Results | Replay Summary | Replay Results |

Run-Time Parameter | Operator | Default Value |
---|---|---|
Query from date | >= | NOW -1 DAY |
Query to date | <= | NOW |
Results status | % | N/A |
Schedule setup name | % | N/A |

Restored Data
This report has two columns: RESTORED_DAY and EXPIRATION_DATE. When the user restores data from archive, this table is populated according to the data restored and the duration specified for keeping this data. The purge process looks at this table to determine what data can be purged and cleans up records that expired. RESTORED_DAY is the date of the data that was restored and is in the past. EXPIRATION_DATE is the date when this data will be purged and is a date in the future.
Domain | Based on Query | Main Entity |
---|---|---|
Restored Data | Restored Data | Restored Data |

Run-Time Parameter | Operator | Default Value |
---|---|---|
Period From | >= | NOW -10 DAY |
Period To | <= | NOW +10 DAY |
Request Rate
By default, displays the request rate for the last two hours. This graphical report is intended to display recent activity only. If you alter the run-time parameters to include a larger timeframe, you may receive a message indicating that there is too much data. Use a tabular report to display a larger time period.
Domain | Based on Query | Main Entity |
---|---|---|
Sniffer Buffer | Request Rate | Sniffer Buffer Usage Monitor |

Run-Time Parameter | Operator | Default Value |
---|---|---|
Period From | >= | NOW -2 HOUR |
Period To | <= | NOW |
Rogue Connections
This report is available only when the Hunter option is enabled on Unix servers. The Hunter option is only used when the Tee monitoring method is used. This report lists all local processes that have circumvented S-TAP to connect to the database.
Domain | Based on Query | Main Entity |
---|---|---|
Rogue Connections | Rogue Connections | Rogue Connections |

Run-Time Parameter | Operator | Default Value |
---|---|---|
Period From | >= | NOW -1 DAY |
Period To | <= | NOW |
Scheduled Job Exceptions
Displays a timestamp and the description for each scheduled job exception (including assessment errors). These are jobs where the Exception Type ID is one of the following: SCHED_JOB_EXCEPTION, ASSESSMENT_EXCEPTION, or ASMT_ERROR.
Domain | Based on Query | Main Entity |
---|---|---|
Sniffer Buffer | CPU Usage | Sniffer Buffer Usage |

Run-Time Parameter | Operator | Default Value |
---|---|---|
Period From | >= | NOW -2 HOUR |
Period To | <= | NOW |
Scheduled Jobs
Displays the list of currently scheduled jobs.
Domain | Based on Query | Main Entity |
---|---|---|
internal - not available | Scheduled Jobs | not available |

Run-Time Parameter | Operator | Default Value |
---|---|---|
none | not applicable | not applicable |
Session Count
For the reporting period, the total number of different sessions open.
Domain | Based on Query | Main Entity |
---|---|---|
Access | Session Count | Session |

Run-Time Parameter | Operator | Default Value |
---|---|---|
Period From | >= | NOW -1 DAY |
Period To | <= | NOW |
SQL Count
For the reporting period, the total number of different SQL commands issued.
Domain | Based on Query | Main Entity |
---|---|---|
Access | SQL Count | SQL |

Run-Time Parameter | Operator | Default Value |
---|---|---|
Period From | >= | NOW -1 DAY |
Period To | <= | NOW |
S-TAP Configuration Change History
This report is displayed only when an inspection engine is added or changed. Lists S-TAP configuration changes - each inspection engine change will be displayed on a separate row. Each row lists the S-TAP Host, DB Server Type, DB Port From, DB Port To, DB Client IP, DB Client Mask, and Timestamp for the change.
Domain | Based on Query | Main Entity |
---|---|---|
internal - not available | Configuration Change History | not available |

Run-Time Parameter | Operator | Default Value |
---|---|---|
Period From | >= | NOW -1 DAY |
Period To | <= | NOW |
S-TAP Status
Displays status information about each inspection engine defined on each S-TAP Host. This report has no From and To date parameters, since it is reporting current status. Each row of the report lists the S-TAP Host, DB Server Type, Status, Last Response, Primary Host Name, Yes/No indicators for the following attributes: KTAP Installed, TEE Installed, Shared Memory Driver Installed, DB2 Shared Memory Driver Installed, Named Pipes Driver Installed, and App Server Installed. In addition, it lists the Hunter DBS.
Domain | Based on Query | Main Entity |
---|---|---|
internal - not available | S-TAP Status | not available |

Run-Time Parameter | Operator | Default Value |
---|---|---|
none | n/a | n/a |
S-TAP Verification
Lists all results of S-TAP verifications.
Domain | Based on Query | Main Entity |
---|---|---|
internal - not available | S-TAP Verification | S-TAP Verification Header |

Run-Time Parameter | Operator | Default Value |
---|---|---|
Query from date | >= | NOW -3 HOUR |
Query to date | >= | NOW |
S-TAP Events
Use this report for information on the S-TAP (from SOFTWARE_TAP_EVENT table in internal database).
Domain | Based on Query | Main Entity |
---|---|---|
internal - not available | S-TAP Events | not available |

Run-Time Parameter | Operator | Default Value |
---|---|---|
event type | LIKE | % |
host type | LIKE | % |
Period From | >= | NOW -3 DAY |
Period To | <= | NOW |
S-TAP Info (Central Manager)
Report: See S-TAP Reports. On a Central Manager, an additional report, S-TAP Info, is available. This report monitors S-TAPs of the entire environment. Upload this data using the Custom Table Builder.
S-TAP info is a predefined custom domain which contains the S-TAP Info entity and is not modifiable like the entitlement domain.
When defining a custom query, go to the upload page and click Check/Repair to create the custom table in the CUSTOM database; otherwise, saving the query will not validate it. This table loads automatically from all remote sources. A user cannot select which remote sources are used; it pulls from all of them.
Based on this custom table and custom domain, there are two reports:
- Enterprise S-TAP view shows, from the Central Manager, information on an active S-TAP on a collector and/or managed unit. (If there are duplicates for the same S-TAP engine, one active and one inactive, the report uses only the active one.)
- Detailed Enterprise S-TAP view shows, from the Central Manager, information on all active and inactive S-TAPs on all collectors and/or managed units.
If the Enterprise S-TAP view and Detailed Enterprise S-TAP view look the same, it is because there is only one S-TAP on one managed unit being displayed. The Detailed Enterprise S-TAP view would look different if there were more S-TAPs and more managed units involved.
These two reports can be chosen from the TAP Monitor tab of a standalone system, but they will display no information.
Alert: See Viewing an Audit Process Definition for alert: Inspection Engines and S-TAP - alert on any activity related to inspection engine and S-TAP configuration
S-TAP Last Response
Pre-defined query and report are available, but not added to any panels.
The query/report displays All S-TAP Hosts and the last response (heartbeat) sent by each host.
The purpose of this query is to be able to define an alert that will trigger when S-TAP on a host did not respond for a given period of time.
The input parameters are Last response From and Last Response To.
For example, when executed with Last response From = NOW -5 DAYS and Last Response To = NOW - 3 HOURS, it will display the host name and the last response time for those hosts that sent the last response in the last 5 days, but had no response in the last 3 hours.
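The window described above, applied to heartbeat records, as an added Python illustration (not Guardium code or its query). The host names, timestamps and the function names `resolve` and `silent_hosts` are constructed for the example; inclusive bounds are assumed, and only HOUR, DAY and WEEK units are handled.

```python
import re
from datetime import datetime, timedelta

# Relative-time units handled here (MONTH is not: timedelta has no month unit).
_UNITS = {"HOUR": "hours", "DAY": "days", "WEEK": "weeks"}
_REL = re.compile(r"^\s*NOW\s*(?:([+-])\s*(\d+)\s*([A-Z]+?)S?)?\s*$", re.I)


def resolve(expr, now):
    """Turn 'NOW', 'NOW -5 DAYS' or 'NOW - 3 HOURS' into an absolute datetime."""
    m = _REL.match(expr)
    if not m:
        raise ValueError(f"unsupported relative time: {expr!r}")
    sign, amount, unit = m.groups()
    if sign is None:
        return now
    if unit.upper() not in _UNITS:
        raise ValueError(f"unsupported unit in {expr!r}")
    delta = timedelta(**{_UNITS[unit.upper()]: int(amount)})
    return now + delta if sign == "+" else now - delta


def silent_hosts(heartbeats, last_from, last_to, now):
    """Return (host, last_response) pairs whose latest heartbeat lies in
    [last_from, last_to]. Inclusive bounds are an assumption of this sketch."""
    lo, hi = resolve(last_from, now), resolve(last_to, now)
    if lo > hi:
        raise ValueError("Last response From must not be later than To")
    latest = {}
    for host, ts in heartbeats:
        # Only the most recent heartbeat per host decides whether it is silent.
        if host not in latest or ts > latest[host]:
            latest[host] = ts
    return sorted((h, ts) for h, ts in latest.items() if lo <= ts <= hi)


# Constructed sample data: (S-TAP host, heartbeat time). Not real output.
NOW = datetime(2024, 5, 10, 12, 0)
SAMPLE = [
    ("db-a.example", datetime(2024, 5, 10, 11, 58)),  # healthy
    ("db-b.example", datetime(2024, 5, 9, 8, 0)),
    ("db-b.example", datetime(2024, 5, 10, 2, 0)),    # silent for 10 hours
    ("db-c.example", datetime(2024, 5, 1, 6, 0)),     # silent for 9 days
    ("db-d.example", datetime(2024, 5, 10, 8, 0)),
    ("db-d.example", datetime(2024, 5, 10, 11, 0)),   # recovered, healthy
]

if __name__ == "__main__":
    for host, ts in silent_hosts(SAMPLE, "NOW -5 DAYS", "NOW - 3 HOURS", NOW):
        print(f"{host}: last response {ts:%Y-%m-%d %H:%M}")
```

With these parameters only db-b.example is returned: db-c.example has been silent for longer than the From bound, so it falls outside the window. An alert built on this window therefore stops listing a host once its silence exceeds the From value.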
S-TAP Status Monitor
For each S-TAP reporting to this Guardium appliance, this report identifies the S-TAP Host, S-TAP Version, DB Server Type, Status (active or inactive), Last Response Received (date and time), Primary Host Name, and true/false indicators for: KTAP, TEE, MS SQL Server Shared Memory, DB2 Shared Memory, Local TCP monitoring, Named Pipes Usage, and Encryption.
This report has no run-time parameters, and is based on a system-only query that cannot be modified.
STAP/Z Files
STAP/Z provides files with raw data collected from DB2 (on z/OS®) containing DB2 events, SQL statements, etc. This report lists an Interface ID, UA file name (Un-normalized Audit Event), UT file name (Un-normalized Audit Event text), UH file name (Un-normalized Audit Event host variables), File Status, Total Number of Events Processed, Number of Events Failed, and Timestamp.
This report has two run-time parameters, FileName Like % and FileStatus Like %. It is based on a system-only query that cannot be modified.
TCP Exceptions
For the reporting period, for each exception where the Exception Description of the Exception Type entity is TCP/IP Protocol Exception, a row of this report lists the following attribute values from the Exception entity: Exception Timestamp, Exception Description, Source Address, Destination Address, Source Port, Destination Port, and count of Exceptions for that row.
Domain | Based on Query | Main Entity |
---|---|---|
Exceptions | TCP Exceptions | Exception |

Run-Time Parameter | Operator | Default Value |
---|---|---|
Period From | >= | NOW -1 DAY |
Period To | <= | NOW |
Templates (CAS)
CAS Templates
This report lists CAS templates. By default, all template items are listed.
Domain | Based on Query | Main Entity |
---|---|---|
CAS Templates | CAS Templates | Template |

Run-Time Parameter | Operator | Default Value |
---|---|---|
Access_Name | Like | % |
Template_Set_Name | Like | % |
Audit_Type | Like | % |
Tests Exceptions
Indicates pairs of test/datasource that are temporarily exempted. See create_test_exception for more information on the use of Test Exceptions.
Domain | Based on Query | Main Entity |
---|---|---|
internal - not available | Tests Exceptions | not available |

Run-Time Parameter | Operator | Default Value |
---|---|---|
Period From | >= | NOW -12 MONTH |
Period To | <= | NOW |
Throughput
For each Access Period in the reporting period, each row lists the Period Start time, the count of Server IP addresses, and the total number of accesses (Access Period entities).
You can restrict the output of this report using the Server IP run-time parameter, which by default is set to % to select all IP addresses.
Domain | Based on Query | Main Entity |
---|---|---|
internal - not available | DB Server Throughput | not available |

Run-Time Parameter | Operator | Default Value |
---|---|---|
Period From | >= | NOW -1 DAY |
Period To | <= | NOW |
Server IP | LIKE | % |
Throughput (graphical)
This report is a Distributed Label Line chart version of the tabular Throughput report. It plots the total number of accesses over the reporting period, one data point per Period Start time.
You can restrict the output of this report using the Server IP run-time parameter, which by default is set to % to select all IP addresses.
Domain | Based on Query | Main Entity |
---|---|---|
Access | DB Server Throughput - Chart | Access Period |

Run-Time Parameter | Operator | Default Value |
---|---|---|
Period From | >= | NOW -1 DAY |
Period To | <= | NOW |
Server IP | LIKE | % |
User Activity Audit Trail Reports
- User Activity Audit Trail
- System/Security Activities
- Detailed Guardium User Activity (Drill-Down)
User Activity Audit Trail
For the reporting period, for each User Name seen on a Guardium User Activity Audit entity, each row displays the Guardium User Name, an Activity Type Description (from the Guardium Activity Types entity), a Count of Modified Entity values, the Host Name, and the total number of Guardium Activity Audits entities for that row.
From any row of this report, the Detailed Guardium User Activity report is available as a drill-down report.
Domain | Based on Query | Main Entity |
---|---|---|
Guardium Activity | User Activity Audit Trail | Guardium User Activity Audit |

Run-Time Parameter | Operator | Default Value |
---|---|---|
Host Name | LIKE | % |
Period From | >= | NOW -1 DAY |
Period To | <= | NOW |
System/Security Activities
For the reporting period, for each User Name seen on a Guardium User Activity Audit entity, each row displays the Guardium User Name, an Activity Type Description (from the Guardium Activity Types entity), a Count of Modified Entity values, the Host Name, and the total number of Guardium Activity Audits entities for that row.
From any row of this report, the Detailed Guardium User Activity report is available as a drill-down report.
Domain | Based on Query | Main Entity |
---|---|---|
Guardium Activity | User Activity Audit Trail | Guardium User Activity Audit |

Run-Time Parameter | Operator | Default Value |
---|---|---|
Host Name | LIKE | % |
Period From | >= | NOW -1 DAY |
Period To | <= | NOW |
Detailed Guardium User Activity (Drill-Down)
This report is not available from the menu, but can be opened for any row of the User Activity Audit Trail report, or the System/Security Activities report. For the selected row of the report, based on the User Name and Activity Type Description, this report lists the following attribute values, all of which are from the Guardium User Activity Audit entity, except for the Activity Type Description, which is from the Guardium Activity Types entity: User Name, Timestamp, Modified Entity, Object Description, All Values, and a count of Guardium User Activity Audits entities for the row.
Domain | Based on Query | Main Entity |
---|---|---|
Guardium Activity | Detailed Guardium User Activity | Guardium User Activity Audit |

Run-Time Parameter | Operator | Default Value |
---|---|---|
Activity Type Description | value from calling report | |
Period From | >= | NOW -1 DAY |
Period To | <= | NOW |
User Name | value from calling report | |
Warning: Users should be aware that activities of the root user, and other sensitive system accounts, are logged. Drilling down into the activity of these users may show sensitive commands and passwords that have been entered on the command line. Therefore users, whenever possible, should not enter sensitive command line information that they would not like to show on this drill-down report.
User To-Do Lists
Displays for each Guardium audit process: a description, login name, action required (review or approve), status, user who has signed or reviewed, and execution date of the specified task.
Domain | Based on Query | Main Entity |
---|---|---|
internal - not available | Users To-do List | not available |

Run-Time Parameter | Operator | Default Value |
---|---|---|
Period From | >= | NOW -1 DAY |
Period To | <= | NOW |
User Comments - Sharable
Sharable user comments are all comments except for inspection engine, installed policy, and audit process results comments. For each sharable user comment, this report lists the date created, the type of item to which it applies (an alert, for example), the user who created the comment, and the contents of the comment.
Note: Comments defined for inspection engines, installed policies, or audit process results can be viewed from the individual definitions, but they cannot be displayed on a report.
Domain | Based on Query | Main Entity |
---|---|---|
Comments | Comments Defined | Comments |

Run-Time Parameter | Operator | Default Value |
---|---|---|
Period From | >= | NOW -2 MONTH |
Period To | <= | NOW |
Unit Utilization Levels
- Unit Utilization: Displays the maximum unit utilization level for each unit in the given timeframe. There is a drill-down that displays details for a unit across all periods within the timeframe of the report.
- Unit Utilization Distribution: Per-unit, this report displays the percent of periods in the report timeframe with utilization levels of low, medium, and high.
- Utilization Thresholds: This predefined report displays all low and high threshold values for all unit utilization parameters.
- Unit Utilization Daily Summary: Provides a daily summary of unit utilization data.
Domain | Based on Query | Main Entity |
---|---|---|
Internal - not available | Unit Utilization Distribution | Unit Utilization Levels |

Run-Time Parameter | Operator | Default Value |
---|---|---|
Period From | >= | NOW -24 HOUR |
Period To | <= | NOW |
Values Changed
- Server IP
- DB Type
- Audit Timestamp
- Audit Table Name
- Audit Owner
The query this report is based upon has a number of run-time parameters, all of which use the LIKE operator and default to the value %, meaning all values will be selected.
For each monitored value selected, a row of the report lists the Timestamp, Server IP, DB Type, Service Name, Database Name, Audit Login Name, Audit Timestamp, Audit Table Name, Audit Owner, Audit Action, Audit Old Value, Audit New Value, SQL Text, Triggered ID, and a count of Change Columns entities for that row.
Domain | Based on Query | Main Entity |
---|---|---|
Value Changed | Values Changed | Changed Columns |

Run-Time Parameter | Operator | Default Value |
---|---|---|
Audit Action | LIKE | % |
Audit Login Name | LIKE | % |
Audit Owner | LIKE | % |
Audit Table Name | LIKE | % |
DB Type | LIKE | % |
Period From | >= | NOW -1 DAY |
Period To | <= | NOW |
Server IP | LIKE | % |