The auditing feature of Database Audit Service identifies source IP addresses but cannot trace requests back to a specific application user. To include this source information in your audit logs, use the application-based identification feature. This topic describes how to use this feature.
Prerequisites
An agent must be installed on the server. For more information, see Install an agent.
How it works
Application-based identification, also known as three-layer association, works by installing a dedicated plug-in on your database server or an associated application server. This plug-in injects contextual information, such as the URL, username, and client IP, into each SQL statement as a comment. The Database Audit system then parses these comments to link user details with specific database operations. The following example shows an SQL statement after this feature injects the information. The content within /**/ is the injected information:
/*SIP:127.16.XX.XX; URL:http://127.16.XX.XX:8080/ssm-login/user/login.do; USERNANME:admin; sql:*/
select * from ssm_user where userName= 'admin' and password= 'e10adc3949ba59abbe56e057f20f****'The application-based identification feature supports two modes, depending on your application architecture:
Name | Mechanism | Application scenario |
B/S-based application identification (browser/server model) | After you add a configuration, the system automatically generates a JAR package. You download this JAR package and deploy it on your application server. When a user performs an operation that accesses the database, the system audits the username, application URL, and the user's IP. | This mode is for applications that use a B/S architecture and require audit logs to contain the end user's identity. In a typical B/S model, a user interacts with your web application, which in turn queries the database. The Database Audit system logs these queries as originating from the web application, making it impossible to trace actions back to the individual user. This feature injects the end user's access details into the audit logs, ensuring full traceability and accountability. |
C/S-based application identification (client/server model) | An administrator configures a username extraction rule based on an audited SQL statement from a login event. This creates an SQL template for identifying similar login patterns. Subsequently, when the Database Audit system detects an SQL statement that matches the template, it automatically extracts the username and includes it in the audit log. | For C/S applications where username information must be captured in audit logs. |
B/S application identification
To use B/S-based application identification, you must configure rules and then deploy the generated JAR package to your application server.
Limitations
The web application must be developed in Java. Applications developed in PHP or .NET are not supported.
Supported data sources: DBCP, C3P0, Druid, Hikari, and Tomcat-Jdbc-pool.
You must modify the
driverClassNameandurlparameters in the database connection configuration as instructed in the documentation.The application must contain aweb.xml file.
Supported database types: Oracle, MySQL, SQLServer, MariaDB, PostgreSQL, DB2, and Informix.
Procedure
Log on to the Database Audit system. For more information, see Log on to the Database Audit system.
In the left-side navigation pane, choose .
On the Auxiliary Tools page, click the Application-based identification tab.
On the B/S-based application identification tab, click Add.
In the Add B/S-based application identification configuration panel, configure the parameters and click Save.
The Database Audit system uses this configuration to match audit logs and inject the specified source information.
Parameter
Description
Application name
The name of the web application. The name must be 1 to 64 characters in length and can contain Chinese characters, letters, digits, periods (.), underscores (_), and hyphens (-).
Middleware type
The type of middleware. Valid values: Weblogic, Tomcat, and Jboss.
Middleware version
The version of the middleware. The console displays the available versions based on the selected middleware type.
JDK version
The version of the Java Development Kit (JDK).
Database type
The type of database. Select the type that matches your database. Valid values:
Oracle
MySQL
SQLServer
PostgreSQL
DB2
Login URL keyword
A keyword from the URL that users use to log in to the application server.
Login user keyword
A keyword from the username that users use to log in to the application server.
Client IP extraction method
This parameter is optional. Select a method based on your web application architecture. Valid values:
x-forwarded-for: Select this option for standard web applications.
proxy: Select this option for web applications that use multi-layer proxies.
After you save the configuration, the Database Audit system automatically generates a JAR package.
In the Actions column of the configuration, click Download to download the generated JAR package.
The JAR package for application-based identification downloads to your browser's default download directory.
Click Download Documentation, select your middleware type, and follow the instructions in the downloaded document to install the JAR package on your application server.
After the installation is complete, you can view detailed user information in the audit logs.
If you modify a B/S-based application identification configuration, you must download the newly generated JAR package and upload it to your application server, overwriting the existing package.
C/S application identification
Configure C/S-based application identification on the Audit Log page.
Configure C/S application identification
Log on to the Database Audit system. For more information, see Log on to the Database Audit system.
In the left-side navigation pane, choose .
Find the audit log for an SQL statement that corresponds to a client login event and click Details in the Actions column.
In the Audit Log dialog box, click C/S Application Username Extraction.
In the Edit C/S Application Identity Recognition Configuration dialog box, select the part of the SQL statement that represents the application username and click OK.
The configuration takes effect immediately, and the system automatically adds it to the list of C/S-based application identification configurations.
View C/S identification configurations
Log on to the Database Audit system. For more information, see Log on to the Database Audit system.
In the left-side navigation pane, choose .
On the Auxiliary Tools page, click the Application-based identification tab.
Click the C/S-based application identification tab.
On the C/S-based application identification tab, view the list of configurations.
You can edit or delete configurations as needed.