Skip Headers
Oracle® Database Firewall Administration Guide
Release 5.0

Part Number E18695-08
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Index
Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
PDF · Mobi · ePub

D Traffic Log Attributes

This appendix describes the meaning of each attribute that is displayed when you expand a record in the traffic log Search Results dialog box.

This appendix contains:

Transaction Status

Table D-1 Transaction Status

Attribute Meaning or Source

SQL Request

SQL statement text, or text that indicates the response from logging in or out (e.g. "CONNECTED, FAILED LOGIN"). "CONNECTED" indicates that there is a connection between the database and database client.

Response Status

This shows whether or not the statement or login was successfully executed by the database.

Response Code

An integer response code as returned from the monitored database. The value and meaning are dependent on the database type. Please refer to your database system documentation for further information.

Response Detailed Status

Response status information as returned from the monitored database. Please refer to your database system documentation for further information.

Response Text

Detailed verbose response message as returned from the monitored database. For errors, this is typically the same as the error message displayed at the client. This information is available only if the Full error message annotation check box is selected (see "Configuring Database Response Monitoring").

Record Type

The type of record that is being displayed ("session" for a login or logout, or "statement" for SQL requests).


Performance

Table D-2 Performance

Attribute Meaning or Source

Request Time

The time that the SQL request was sent to the database.

Response Time

The time that the database response was generated.

Transaction Time

The time taken to execute the SQL request.


Context

Table D-3 Context

Attribute Meaning or Source

Traffic Source

The source of the SQL request. For example, "network", "local monitor" or "remote monitor".

DB User Name

Database login name.

DB User Name Origin

Method used to obtain the DB User Name. The possible value is: "generated" (the name "unknown_username" was assumed), "dbquery" (the name was obtained from a database query) or "network" (the name was obtained from the SQL traffic).

DB User Name (raw)

The DB User Name that was used at the time Oracle Database Firewall applied the statement policy. This may be the same as DB User Name (if the name was available from the statement or derived from a previous statement) or "unknown_username".

DB Client Program Name

Name of the software being used to connect to the database.

DB Client Program Name Origin

Method used to obtain the DB Client Program Name. See DB User Name Origin for possible values.

DB Client IP Address

IP address of the database client that originated the SQL request.

DB Client Port

Port of the database client that originated the SQL request.

DB Server IP Address

IP address of the database management system (i.e. the IP address used by database clients to send traffic to the database).

DB Server Port

Port number of the database management system.

Database Type

Name of the database type that the baseline applies to.

OS User Name

Operating system login name.

OS User Name Origin

Method used to obtain the DB Client Program Name. See DB User Name Origin for possible values.


Attributes (F5)

Table D-4 Attributes (F5)

Attribute Meaning or Source

Authentication Method

Obtained from the BIG-IP ASM "authentication method" defined in the iRule (e.g. "webform").

Cardinal IP Address

The client HTTP request may have been forwarded several times through proxies. The IP address shown in this attribute is the one the Oracle Database Firewall software believes is the most important for client identification.

Management IP Address

Obtained from the BIG-IP ASM "management_ip_address" attribute.

Match Result

This can display:

PolicyConfirmed ‒BIG-IP ASM generated an alert, and the associated SQL statement generated a "block" or "warn" in Oracle Database Firewall.

NoMatch: ‒The BIG-IP ASM syslog message containing the information displayed in the traffic log record has not been matched with an SQL statement.

NoMatchDataMasked ‒The BIG-IP ASM syslog message containing the information displayed in the traffic log record has at least one field containing star ("*") characters, which indicates sensitive data that has been obliterated by BIG-IP ASM. The Oracle Database Firewall software is not able to match syslog messages containing obliterated fields, as configured in BIG-IP ASM.

PolicyConflict ‒BIG-IP ASM generated an alert, but the associated SQL statement did not generate a "block" or "warn" in Oracle Database Firewall.

WAFBlocked‒ BIG-IP ASM blocked a request. Although a syslog message was generated, the Web application server generated no SQL statements for this request.

Match Tokens

This is for Oracle Database Firewall engineers only. It indicates the tokens that were used to match syslog messages with the SQL statement.

Method (http)

Obtained from the BIG-IP ASM "method" attribute.

Policy Apply Date

Obtained from the BIG-IP ASM "policy_apply_date" attribute.

Policy Name

Obtained from the BIG-IP ASM "policy_name" attribute.

Primary Violation

The BIG-IP ASM violation associated with this statement, which the Oracle Database Firewall software believes is the most important.

Protocol (http)

Obtained from the BIG-IP ASM "protocol" attribute.

Query String (http)

Obtained from the BIG-IP ASM "query_string" attribute.

Referer (http)

This is the name of the referrer, extracted from the header of the HTTP request.

Request (http)

Obtained from the BIG-IP ASM "request" attribute.

Request Blocked

Obtained from the BIG-IP ASM "request_blocked" attribute.

Response Code (http)

Obtained from the BIG-IP ASM "response_code" attribute.

Session Cookies

This provides the user-identification cookies, extracted from the header of the HTTP request.

Support ID

Obtained from the BIG-IP ASM "support_id" attribute. Clicking the link provides details of the violation in BIG-IP ASM. Note: The link does not function if ASM is restarted after monitoring the traffic.

URI (http)

Obtained from the BIG-IP ASM "uri" attribute.

Unit Hostname (http)

Obtained from the BIG-IP ASM "unit_hostname" attribute.

User Agent (http)

Name of user agent, from the header of the HTTP request.

Violations

Obtained from the BIG-IP ASM "violations" attribute.

Web Application Name

Provides the name of the Web application, as obtained from the BIG-IP ASM "web_application_name" attribute.

Web Client IP Address

Displays the IP address of the Web client, as obtained from the BIG-IP ASM "ip" attribute.

Web Host

WAF host name, extracted from the header of the HTTP request.

Web Username

If known, this provides the login username of the user. If the user is not known, but cookies with the specified prefix are provided, this displays "Anonymous_<cookie value>". If the HTTP request in the syslog message contains no cookies with the specified prefix, "Unknown_<auto incrementing number>" is displayed.