Alert log

This topic describes how to query the alert log in Database Audit. Use the alert log to find alert information for your databases.

View alert logs

Step 1: Log on to Database Audit

  1. Log on to Database Audit. For more information, see Log on to Database Audit.

  2. In the left-side navigation pane, choose Query and Analysis > Alert log.

Step 2: Set search criteria

Use the search feature to pinpoint specific operations or statements. On the Alert log page, set your search criteria on the Alert log tab.

  1. Select a Time Range.

  2. Set the packet filter.

    Enter keywords for the packets to query. Separate multiple keywords with a half-width comma (,) or a space. A comma functions as an OR operator, and a space functions as an AND operator.

  3. Set more search criteria.

    By default, the Alert log page displays common filter criteria. To set more filter criteria, click More Conditions, select your desired criteria, and configure them. The following table describes the supported filter criteria.

    Filter criteria and descriptions (criterion: description)

    alert ID: The ID of the alert that you want to query.
    audit ID: The unique ID of the audit record.
    session ID: The ID of the session that you want to query.
    SQL template ID: The ID of the SQL template that you want to query.
    Time: The time when the SQL statement was executed.
    Rule type: The type of the rule that was matched.
    Rule name: The name of the rule that was matched.
    Alert level: The level of the alert that was triggered.
    client IP: The IP address of the client. Both IPv4 and IPv6 addresses are supported.
    client port: The port number of the client.
    client MAC: The MAC address of the client.
    client tool: The client tool used to log on to the database.
    hostname: The hostname of the database server.
    operating system user: The username of the operating system on the client.
    asset name: The name of the asset on which the SQL statement was executed.
    server IP: The IP address of the server. Both IPv4 and IPv6 addresses are supported.
    server port: The port number of the server.
    server MAC: The MAC address of the server.
    Database account: The account used to log on to the database.
    Database type: The type of the database.
    Database name/instance name: The database name or instance name.
    Object: Database objects, such as databases, tables, fields, views, stored procedures, functions, triggers, indexes, users, roles, and permissions.
    packet: The audited SQL statement. You can enter multiple keywords. Keywords separated by a space are combined with an AND operator.
    Original SQL length (bytes): The length of the executed SQL statement.
    Operation type: The operation type of the SQL statement.
    affected rows: The number of rows affected by the SQL statement.
    execution duration: The execution duration of the SQL statement.
    Execution status: The execution result of the SQL statement. Valid values:
      • All (default)
      • Unknown
      • Success
      • Failure
    Execution result description: A description of the SQL execution result, such as ORA-00942: table or view does not exist.
    Associated IP: The client IP address associated with the user.
    Associated account: The client account associated with the user.
    Associated URL: The client URL associated with the user.
    executor: The user who executed the SQL statement.
    Statement description: The description of the SQL statement.

    Note

    Different search criteria are combined with an AND operator.

  4. Save search criteria.

    After you set the search criteria, click Save to save them for later use.

    You can select saved search criteria from the drop-down list.

  5. Click Search to run the query.

    Note

    A single query returns a maximum of 10,000 records.

  6. View the returned records at the bottom of the Alert log page.

    Click the settings icon to the right of the search criteria. In the Set Displayed Columns dialog box, select the columns to display in the results.
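The packet-filter syntax from step 2 (comma as OR, space as AND) and the AND-combination of the other criteria, modelled as an added example that is not Database Audit code: parse_packet_filter splits an expression into OR groups of AND terms, and query_alert_log applies it to constructed sample records together with the 10,000-record cap. Case-insensitive substring matching and the record fields are assumptions about the product.

```python
from dataclasses import dataclass

MAX_RESULTS = 10_000  # a single query returns at most 10,000 records


@dataclass(frozen=True)
class AlertRecord:
    alert_id: str
    rule_name: str
    client_ip: str
    packet: str  # the audited SQL statement


def parse_packet_filter(expr: str) -> list[list[str]]:
    """'a b,c' -> [['a', 'b'], ['c']]: comma separates OR groups, space separates AND terms."""
    groups = []
    for group in expr.split(","):
        terms = [t.lower() for t in group.split() if t]
        if terms:
            groups.append(terms)
    return groups


def packet_matches(packet: str, groups: list[list[str]]) -> bool:
    """No filter matches everything; otherwise any OR group whose AND terms all occur.

    Case-insensitive substring matching is an assumption, not documented behaviour.
    """
    if not groups:
        return True
    text = packet.lower()
    return any(all(term in text for term in group) for group in groups)


def query_alert_log(records, packet_filter="", **criteria):
    """Packet filter and exact-match criteria are ANDed; results are capped at MAX_RESULTS."""
    groups = parse_packet_filter(packet_filter)
    hits = [r for r in records
            if packet_matches(r.packet, groups)
            and all(getattr(r, field) == value for field, value in criteria.items())]
    return hits[:MAX_RESULTS]


# Constructed sample alert records, not real audit data.
SAMPLE_RECORDS = [
    AlertRecord("a1", "Delete data without WHERE condition", "10.0.0.5", "DELETE FROM orders"),
    AlertRecord("a2", "Delete data without WHERE condition", "10.0.0.6", "delete from sessions"),
    AlertRecord("a3", "Sensitive table access", "10.0.0.5", "SELECT card_no FROM payments"),
    AlertRecord("a4", "Bulk update", "10.0.0.7", "UPDATE users SET status = 0"),
]
```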

Step 3: Alert log details

  • View details

    In the Log List, click Details in the Actions column to view the Basic information, Client, Server, Request, and Response information for an alert log entry.

  • Set an alias

    Client IP alias

    1. Click Set Alias next to client IP.

    2. On the Add IP Alias page, enter a Name, an IP/Network, and Remarks, and then click Save.

    3. On the Auxiliary Functions page, view the list of IP aliases on the IP Alias tab.

    Database account alias

    1. Click Set Alias next to Database account.

    2. On the Add Account Alias page, enter a Name, select an asset, enter a Database account, and add Remarks. Then, click Save.

    3. On the Auxiliary Functions page, view the list of database account aliases on the Account Alias tab.

  • Forensics

    At the bottom of the Alert log details page, click Forensics. In the Download dialog box, click Download to save a complete copy of the audit log details.

  • Rule configuration

    At the bottom of the Alert log details page, click Suppress Alerts for This Log, and then select Add to trusted rule or Add to rule whitelist to configure rules.

    Trusted rule

    In the Add to trusted rule dialog box, enter a Trusted rule name, select one or more conditions under Optional properties for trusted rule, and then click OK.

    The Rule Configuration > Trusted rule page shows the list of trusted rules.

    Rule whitelist

    In the Add to rule whitelist dialog box, enter a Whitelist name, select properties from Optional properties for whitelist, and then click OK.

    The Whitelist management tab of the Rule Configuration > Security rule page shows the list of whitelists.

  • Click Previous or Next to view the adjacent log entry.

Alert analysis

Step 1: Set search criteria

Use the search feature to narrow your query. On the Alert log page, set your search criteria on the Alert analysis tab.

  1. Click Time Range to expand the search criteria drop-down menu. The search criteria include Time Range, Rule Name, asset, Database account, and client IP. To display all criteria at once, click Expand All Conditions.

    Note

    Different search criteria are combined with an AND operator.

  2. Click the settings icon. In the Set Displayed Columns dialog box, select the columns that you want to display in the result list, and then click OK.

  3. Click Search to run the query. View the query results in the Alert log analysis list.

Step 2: Alert statistics details

  • View details

    In the result list, click Details in the Actions column. The Alert statistics details page shows information such as Rule details, Alerting asset, Alert source, and SQL templates that triggered alerts.

  • Rule details

    • Set assets for a trusted rule

      Click the icon next to Number of assets. On the Set assets for rule (Delete data without WHERE condition) or Select asset group tab, select the asset or asset group to apply the rule to, and then click OK.

    • Set a rule whitelist

      Click the number next to Number of whitelists. In the Set whitelist for rule (Delete data without WHERE condition) dialog box, view the list of rule whitelists. Click the icon in the Status column for a whitelist to change its status for the rule.

  • Alert source

    • In the Alert source section, view the list of alert sources. Click the number in the Alert Count column to go to the alert log page. On the Alert log tab, view the list of alert logs that matched the alert rule.

    • Click Suppress Alert in the Actions column. In the Suppress Alert dialog box, select the Conditions and Method, and then click OK.

      Note

      • After you add an item to a whitelist, operations matching its conditions no longer trigger alerts for the rule.

      • After you add an item to a trusted rule, sources matching its conditions no longer trigger alerts for any rule. For more information, see Rule Configuration.

  • SQL templates that triggered alerts

    • In the SQL templates that triggered alerts section, view the list of SQL templates that triggered alerts. Click the number in the Alert Count column to go to the alert log page. On the Alert log tab, view the list of alert logs that matched the SQL template.

    • Click Suppress Alert in the Actions column. In the Suppress Alert dialog box, select Add to whitelist or Add to trusted rule in the Method section, and then click OK.

      Note

      • After you add an item to a whitelist, operations matching its conditions no longer trigger alerts for the rule.

      • After you add an item to a trusted rule, sources matching its conditions no longer trigger alerts for any rule. For more information, see Rule Configuration.