Education
Abstract
This is an informational note on the product behavior. It explains the behavior of the SQL ERROR code being treated differently and recorded as "SQL ERROR - FLAT LOG" when the Flat Log Processing is performed on the audit data.
Content
For this scenario explanation, a simple MySQL database is being queried for a table which is not present in the database.
In case the alp_throttle is set to 1 and parse-flat-log is found to be true at some point of time, then all the SQL ERROR events will bear the error code (%%lastError parameter in message template as the "SQL ERROR - FLAT LOG" in the syslog.
When the same situation of parsing happens via the flat log by default or somehow using the alp_throttle, the sniffer buffer queue overflows and the traffic happens to be processed from the GDM_FLAT_LOG table, then the parse-flat-log condition is achieved and the SQL ERROR events will record the error code as "SQL ERROR - FLAT LOG" in syslog.
This happening is the product's feature as designed and not a bug.
With the current workflow the flat log parser sets the error code. Flat log processing happens via the internal table GDM_FLAT_LOG and with the current architecture of the product, it does not allow the storage of the error code for flat log processing.
This feature requirement can be proposed with an RFE for future releases of the product.
Related Information
[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSMPHH","label":"IBM Security Guardium"},"Component":"","Platform":[{"code":"PF016","label":"Linux"}],"Version":"All Versions","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]
Was this topic helpful?
Document Information
More support for:
IBM Security Guardium
Software version:
All Versions
Operating system(s):
Linux
Document number:
1079715
Modified date:
14 October 2019
UID
ibm11079715
Manage My Notification Subscriptions