B Application-Specific Internal Monitoring Capabilities

The following sections describe the application-specific monitoring capabilities for supported applications:

Oracle 8i (Snapshot)
Oracle 9i/10g (Snapshot)
Microsoft SQL Server (Snapshot)
Microsoft Active Directory - See Active Directory Internal Monitoring Information.
Microsoft Windows Registry
SNMP Traps
Active Directory/LDAP (User, Group, Computer configuration monitoring)

Database Internal Monitoring: Tracked Changes

By default, database monitoring detects changes to the structure of the database tables or views, such as the addition or deletion of a column. You can also configure it to track changes to table values.

To monitor changes to specific objects for a database, you must first create a component for the database, and then fully specify the database instance, database, schema, table, procedure/function, column or attribute.

Data Collected by Database Snapshots

The following table lists the change events that are reported for database objects.

Table B-1 Change Events Reported For Database Objects

Entity Type	Event Type	Definition
instance	NA	The database instance
database	NA	The database name
schema	NA	The schema name
table	added, deleted	A table is added or deleted
table.attribute	modified	A change occurs to an attribute of a table
table.column	added, deleted	Add or delete a column of a table or a view
table.column.attribute	modified	Change an attribute of a column
table.constraint	added, deleted	Add or delete a constraint of a table
table.constraint.attribute	modified	Change an attribute of a constraint
view	added, deleted	Add or delete a view
view.attribute	modified	Change an attribute of a view
view.column	added, deleted	Add or delete a view column
view.column.attribute	modified	Change an attribute of a view
procedure	added, deleted	Add or delete a stored procedure or function
procedure.attribute	modified	Change an attribute of a stored procedure or function

Database User Permissions

The Configuration Change Console agent queries system tables to determine changes that occur to objects specified in application monitoring policies.

The database user account configured in the Internal Configuration screen must have the proper privileges assigned in order to monitor selected tables. The easiest way to do this is to have an Administrator assign read or select permissions, such as SELECT_CATALOG_ROLE in Oracle, to the specified user account. If this is not acceptable, then providing the user with SELECT access to the tables listed below is sufficient.

The following tables are queried for data:

Table B-2 Oracle 8

Oracle 8
sys.dba_tables
sys.dba_tab_columns
sys.dba_constraints
sys.dba_views
sys.dba_objects
(no sys.dba_procedures)

Table B-3 Oracle 9

Oracle 9
sys.dba_tables
sys.dba_tab_columns
sys.dba_constraints
sys.dba_views
sys.dba_objects
sys.dba_procedures

Table B-4 SQL Server (7 and 2000) (for each database)

SQL Server (7 and 2000) (for each database)
<database_name>.dbo.sysuserssystables
<database_name>.dbo.sysobjectssysprocedures
<database_name>.dbo.syscolumnssyscolumns
<database_name>.dbo.systypessysconstraints
<database_name>.dbo.sysconstraintssyschecks

Exceptions and Limitations

For Oracle 8 agent modules, packages and objects within packages are not monitored in the current version. For Oracle 9 agent modules, procedure objects within packages can be tracked for change activity, assuming they are defined as public rather than private. Procedures with packages are monitored as if they were any other procedure. Packages themselves are not monitored, nor are any of their attributes.

Component Rules

The agent matches the full name of an object or attribute with an inclusion/exclusion rules of a component. An asterisk can be used as a wildcard to match any string that begins or ends an object name. Use care when fully qualifying names of database objects as monitoring will not occur if a table name is misspelled or a period or asterisk is used improperly.

An example of a full name of a column is:

instance_name.database_name.schema_name.table_name_column_name

An example of a full name of an attribute is:

instance_name.database_name.schema_name.table_name_column_name.datatype

All patterns are case insensitive. Therefore, "AbC" and "aBc" have the same effect.

SQL Audit and SQL Trace Internal Monitoring Information

For supported databases, the Configuration Change Console agent can monitor the actions of users by tracking the SQL statements they execute. The agent uses connection events to identify users that created the connections to the database.

The Configuration Change Console agent will track the SQL statements that are executed by specific users based on policies and rules. Note that tracing these events can impose a significant impact on database performance. If there is high event volume, the named pipe through which events are captured may become a bottleneck, causing some events to be lost. As a result, we recommend that you configure monitoring of partial SQL statements through include/exclude monitoring policies.

Supported SQL Pattern Types

The following table provides a quick reference for the pattern types supported for specific Trace and Audit Modules:

Table B-5 Supported SQL Pattern Types

SQL Trace Modules	SQL Audit Modules
SQL 2000 sqltext user appname host	N/A
Oracle 8i/9i/10g user host terminal osuser objname event	SQL Server 2000 user host appname objname dbname

SQL Trace Modules

SQL Audit Modules

SQL 2000

sqltext
user
appname
host

N/A

Oracle 8i/9i/10g

user
host
terminal
osuser
objname
event

SQL Server 2000

user
host
appname
objname
dbname

SQL Trace: Data Collected

The agent generates an event for each SQL statement executed that matches the monitoring rules created for that application. Each event contains the following information, if available:

Username of the database, or system (NT) user that executed the SQL query
Domain name to which the user belongs (SQL Server 2000 only)
Timestamp of the event (both start time and end time)
Database name
Database ID
Operation
ID number of the application that created the SQL connection for this event (Connection ID)
Name of the application that created the SQL connection for this event
An output text of the SQL statement that was executed
Statement of success or failure of the SQL statement that was executed
Number of rows written
Number of rows read

Includes/Excludes

You can include/exclude the following pattern types:

Table B-6 Include/Exclude Pattern Types

Include/Exclude Entity	Description	Details
user	Database or system user that executed the SQL query.	The pattern is case insensitive. Default is to exclude *
appname	Name of the application that connected to the database.	Pattern is case sensitive. Default is to exclude *
sqltext	Specific text string to monitor in a SQL query.	This entity does not support wildcards, and is case insensitive. The default behavior is to include *. If there is no exclude rule in this pattern type, all events will be included
host	Name of the device.	The pattern is case insensitive. Default is to exclude *

Database User Permissions

The database user specified in the Internal Configuration screen must have specific privileges assigned in order for SQL Trace Monitoring to function properly. The permission requirements for each database can be found below:

SQL Server 2000 -- The specified system or database user must have sysadmin privileges assigned

Active Directory Internal Monitoring Information

Active Directory monitoring tracks and reports user additions, user permission changes and account deletions. The Configuration Change Console agent can be installed on the same device on which the Domain Controller is running, or it can monitor the Domain Controller remotely.

To monitor changes to specific objects, you must first create an application template for the application, and then fully specify the objects to be monitored.

Active Directory Data Collected

The table below lists the change events that are reported.

Table B-7 Change Events Reported

Entity Type	Event Type	Definition
user	added, deleted	Add or delete a user
user.attribute	modified	User password changes
user.memberOf	added, deleted	Add a user to a group, or remove a user from a group
user.managedObject	added, deleted	Assign a user to manage a computer
group added	deleted	Add or delete a group
computer	added, deleted	Add or remove a computer into or from the domain
computer.attribute	modified	Change a computer attribute

Active Directory Include/Exclude Patterns

Both Active Directory (Trace) and Active Directory (Snapshot) support the following pattern types:

User
Computer
Group

Registry Internal Monitoring Information

The Windows Registry Monitor module tracks changes in the Registry values and keys. The agent tracks whether Registry objects have been added, modified, or deleted.

Windows Registry Data Collected

The Windows Registry monitoring policies are based on additions, modifications and deletions of Registry keys and values.

The Patterns must start with HKEY_LOCAL_MACHINE, HKEY_CURRENT_USER, HKEY_CLASSES_ROOT, HKEY_USERS or HKEY_CURRENT_CONFIG.

You may specify exclusion of sub-directories under the inclusion directories. For example, to monitor HKEY_LOCAL_MACHINE\Software, but not HKEY_LOCAL_MACHINE\Software\Oracle:

Include HKEY_LOCAL_MACHINE\Software

Exclude HKEY_LOCAL_MACHINE\Software\Oracle

Any changes under HKEY_LOCAL_MACHINE\Software will be reported. No changes will be reported under HKEY_LOCAL_MACHINE\Software\Oracle.