This appendix describes the syslog messages that can be generated by Oracle Database Firewalls and Oracle Database Firewall Management Servers. The syslog messages include alerts, periodically-updated statistics and heartbeat messages. Oracle Database Firewall updates the syslog messages in real time.
The syslog message format is consistent with generally-accepted industry practices outlined in RFC 3164.
The syslog message format is as follows.
message = date time hostname source num: DBFW:id message_text
In this specification:
message
is the syslog message. The data up to the first colon is the message header; the data after the first colon is the message body. The text "DBFW" in the message body indicates that the syslog message is from Oracle Database Firewall. The maximum length of message is 1024 bytes.
date
is the date the message was generated.
time
is the time the message was generated.
hostname
is the host name of the system that generated the message.
source
is "DBFW", except for DBFW:8 where it is "dbaudit".
num
is the instance number of the enforcement point that generated the message.
id
is the message identifier, in the range 1 to 12. This specifies the type of message described by message_text. The meaning of each message identifier is described in the following sections.
message_text
is the message text, which depends on the type of message.
For example:
Aug 15 11:02:57 DBFW DBFW1: DBFW:1 Configuration file reloaded
The maximum size of a DBFW syslog message is 2kB.
Message identifier 1 is used for general messages, such as Configuration file reloaded.
Message identifier 3 is for the heartbeat message, which is sent by the Oracle Database Firewall to indicate that it is operating and to provide current counters of the number of statements that have been passed, blocked, etc. The message text contains a number of fields, separated by spaces:
message_text = timestamp known_blocked known_warned known_passed unseen_blocked unseen_warned unseen_passed reset_time resilience_mode
For example:
Aug 15 11:02:57 DBFW DBFW1: DBFW:3 1147344001.516 0 0 0 6067 0 0 1147367001.097 0
In this specification:
timestamp
is the number of seconds since 1st January 1970 when the heartbeat was generated, in the format sec.msec. The sec value is the number of whole seconds, and msec is the fractional part in milliseconds.
known_blocked
is an integer that specifies the number of known statements that have been blocked since monitoring started.
known_warned
is an integer that specifies the number of known statements that have generated a warning since monitoring started.
known_passed
is an integer that specifies the number of known statements that have been passed since monitoring started.
unseen_blocked
is an integer that specifies the number of previously unseen statements that have been blocked since monitoring started.
unseen_warned
is an integer that specifies the number of previously unseen statements that have generated a warning since monitoring started.
unseen_passed
is an integer that specifies the number of previously unseen statements that have been passed since monitoring started.
reset_time
is the number of seconds between 1st January 1970 and the time the counters were last reset, in the format sec.msec. The sec value is the number of whole seconds, and msec is the fractional part in milliseconds.
resilience_mode
is an integer that specifies whether the device is currently the active device in a resilient set (0), or currently a passive device (1). If the device is not in a resilient set, the value is 0. This setting should always be 0 in the current version of Oracle Database Firewall.
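The heartbeat counters are cumulative since reset_time, so activity per interval has to be obtained by differencing consecutive DBFW:3 messages, and a changed reset_time means the baseline restarted. The monitor below is an added example, not Oracle's code; it assumes a 60-second heartbeat interval (a deployment-specific value) and runs over constructed sample lines.

```python
"""Monitor for DBFW:3 heartbeat messages. Added example, not Oracle's code.
Turns the cumulative counters into per-interval deltas and flags a missed
heartbeat, a counter reset and a non-zero resilience_mode."""
from dataclasses import dataclass

COUNTERS = ("known_blocked", "known_warned", "known_passed",
            "unseen_blocked", "unseen_warned", "unseen_passed")

@dataclass
class Heartbeat:
    timestamp: float        # sec.msec since 1st January 1970
    counts: dict            # counter name -> cumulative value since reset_time
    reset_time: float
    resilience_mode: int

def parse_heartbeat(line):
    """Extract the nine message_text fields; the syslog header is not interpreted."""
    try:
        _, body = line.split(": DBFW:3 ", 1)
    except ValueError:
        raise ValueError("not a DBFW:3 heartbeat") from None
    f = body.split()
    if len(f) != 9:
        raise ValueError(f"expected 9 heartbeat fields, got {len(f)}")
    counts = {name: int(v) for name, v in zip(COUNTERS, f[1:7])}
    return Heartbeat(float(f[0]), counts, float(f[7]), int(f[8]))

class HeartbeatMonitor:
    """Tracks one enforcement point. expected_interval (seconds) is an assumed,
    deployment-specific value; a gap over max_missed intervals is reported."""

    def __init__(self, expected_interval=60.0, max_missed=2):
        self.expected_interval = expected_interval
        self.max_missed = max_missed
        self.last = None

    def observe(self, line):
        hb = parse_heartbeat(line)
        report = {"timestamp": hb.timestamp, "findings": []}
        prev, self.last = self.last, hb
        if prev is None or hb.reset_time != prev.reset_time:
            # First sample, or counters restarted: they already count from the reset.
            if prev is not None:
                report["findings"].append("counters reset since previous heartbeat")
            report["delta"] = dict(hb.counts)
        else:
            report["delta"] = {k: hb.counts[k] - prev.counts[k] for k in COUNTERS}
            if any(v < 0 for v in report["delta"].values()):
                report["findings"].append("counter went backwards without a reset")
        if prev is not None:
            gap = hb.timestamp - prev.timestamp
            if gap > self.expected_interval * self.max_missed:
                report["findings"].append(f"missed heartbeats: {gap:.1f}s since previous")
        if hb.resilience_mode != 0:
            report["findings"].append("resilience_mode is not 0")
        blocked = report["delta"]["known_blocked"] + report["delta"]["unseen_blocked"]
        if blocked:
            report["findings"].append(f"{blocked} statements blocked in this interval")
        return report

# Constructed sample heartbeats (not captured from a real appliance).
SAMPLE = [
    "Aug 15 11:02:57 DBFW DBFW1: DBFW:3 1147344001.516 0 0 120 3 0 8 1147340000.000 0",
    "Aug 15 11:03:57 DBFW DBFW1: DBFW:3 1147344061.520 0 1 150 5 0 9 1147340000.000 0",
    # counters were reset in between: values drop and reset_time changes
    "Aug 15 11:04:57 DBFW DBFW1: DBFW:3 1147344121.511 0 0 4 1 0 0 1147344100.000 0",
    # nothing for five minutes, then a late heartbeat
    "Aug 15 11:09:57 DBFW DBFW1: DBFW:3 1147344421.530 2 0 40 1 0 3 1147344100.000 0",
]

def run(lines=SAMPLE):
    mon = HeartbeatMonitor()
    return [mon.observe(line) for line in lines]
```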
Message identifier 4 is used for messages that indicate a change in the value of a property at the device, such as a change in the baseline used or a change in the IP address. The message text contains a number of fields, separated by spaces:
message_text = timestamp category name value comment
For example:
Aug 15 11:02:57 DBFW DBFW1: DBFW:4 1147344001.516 "category" "name" "value" "My comment is %22Hello World%22"
In this specification:
timestamp
is the number of seconds since 1st January 1970 when the change occurred, in the format sec.msec. The sec value is the number of whole seconds, and msec is the fractional part in milliseconds.
category
indicates the general type of change that has been made, enclosed in quotation marks. The string can contain a maximum of 30 characters. Quotation mark ("), percent (%) and any characters with an ASCII value of less than 32 or greater than 126 are hexadecimal encoded (for example, %22 is used for quotation marks).
name
is the name of the property, enclosed in quotation marks (30 characters max.). Hexadecimal encoding is the same as category.
value
is the new value of the property, enclosed in quotation marks (30 characters max.). Hexadecimal encoding is the same as category.
comment
is a comment added by the person who made the change, enclosed in quotation marks (30 characters max.). Hexadecimal encoding is the same as category.
Message identifier 8 is sent when a Stored Procedure Audit or User Role Audit has completed (see Chapter 5, "Configuring Stored Procedure Auditing," and Chapter 6, "Configuring and Using Role Auditing," respectively). The message text contains a number of fields, separated by spaces:
message_text = object_type type_of_scan audit_completion_flag target_database database_type protected_database audit_start_time object_collected_time audit_end_time database_counter database_object_counter new_counter modified_counter deleted_counter unchanged_counter
For example:
Aug 15 11:02:57 multi000c2937e324 dbaudit1: DBFW:8 1 1 1 "192.168.0.57:5000/" 5 "test_pdb" 2009-03-24T11:59:59.123 2009-03-24T11:59:59.777 2009-03-24T11:59:59.801 15 2234 1000 0 0 1234
In this specification:
object_type
is 1 for stored procedure and 2 for user roles.
type_of_scan
is 0 for manual scan and 2 for scheduled scan.
audit_completion_flag
is 0 for failure and 1 for success.
target_database
is the connection string for audited database.
database_type
is 1 for Microsoft SQL Server, 2 for Oracle, 5 for Sybase ASE and 6 for Sybase SQL Anywhere.
protected_database
is the protected database name (as it appears in the Administration Console).
audit_start_time
is the time when the audit started.
object_collected_time
is the time when all information had been collected from the database.
audit_end_time
is the time when the audit finished.
database_counter
is the number of databases found and interrogated.
database_object_counter
is the number of objects found (in the complete set of databases) in this scan.
new_counter
is the number of objects created since the previous scan.
modified_counter
is the number of objects modified since the previous scan.
deleted_counter
is the number of objects deleted since the previous scan.
unchanged_counter
is the number of objects unchanged since the previous scan.
Message identifier 9 indicates a message resulting from a specific action that Oracle Database Firewall has taken after receiving an SQL statement. The message text contains a number of fields, separated by spaces:
message_text = action timestamp cluster_id threat_severity logging_level db_client_ip db_client_port db_server_ip db_server_port user_name database_name statement_id event_status database_status_code database_status_detail database_response_text statement
For example:
Nov 9 15:02:56 multi000c29198b62 DBFW1: DBFW:9 2 1257778976.429 4 4 3 "192.168.100.99" 1138 "192.168.100.100" 5000 "sa" "" 4af82f20df900003 2 14216 "Severity: 16" "Function 'db_property' not found." "SELECT db_property('name')"
In this specification:
action
is one of the following: 1 = known blocked; 2 = known alerted; 3 = unknown blocked; 4 = unknown alerted.
timestamp
is the number of seconds since 1st January 1970 when the alert occurred, in the format sec.msec. The sec value is the number of whole seconds, and msec is the fractional part in milliseconds.
cluster_id
is an integer that specifies the id of the cluster the statement belongs to.
threat_severity
is an integer in the range 0 to 5 that specifies the threat severity of the message. The value 5 is the most severe.
logging_level
is an integer in the range 1 to 5 that specifies the logging of the message: 1 = do not log; 2 = log sample; 3 = always log; 5 = log unique.
db_client_ip
is the IP address of the client that sent the message, enclosed in quotation marks.
db_client_port
is an integer that specifies the port number of the database client that originated the statement.
db_server_ip
is the IP address of the database server, enclosed in quotation marks.
db_server_port
is an integer that specifies the port number of the database management system.
user_name
is the database user associated with the session in which the alerting statement occurred. It is enclosed in quotation marks and uses the same hexadecimal encoding as statement.
database_name
is the name of the database associated with the session in which the alerting statement occurred. It is enclosed in quotation marks and uses the same hexadecimal encoding as statement.
statement_id
is a unique hexadecimal number for the monitored SQL statement.
event_status
is an integer that gives the database response (see Chapter 10, "Configuring and Using Database Response Monitoring") to the statement: 1 = success; 2 = failure; 3 = database response monitoring switched off; 4 = response not seen.
database_status_code
is an integer that gives the status code returned by the database. This applies only if database response monitoring is switched on.
database_status_detail
is the detailed response string returned from the database (such as database status codes and severity of the error). It is enclosed in quotation marks and uses the same hexadecimal encoding as statement.
database_response_text
is the response string returned from the database (the text intended for the database client). It is enclosed in quotation marks and uses the same hexadecimal encoding as statement.
statement
is the statement that caused the alert, enclosed in quotation marks (UTF-8 encoded). The string may be truncated to contain a maximum of 1024 characters (including a final ...", if necessary). Backslash (\) characters are preceded by an additional backslash (\\). Quotation marks (") are preceded by a backslash (\"). Character codes with a hexadecimal value of 00 to 1f are replaced by the string "\x00" to "\x1f". The character with a hexadecimal value of 7f is replaced by "\x7f".
Message identifier 10 indicates a message resulting from alerts from the F5 BIG-IP ASM Web application firewall and database response information. The message text contains a number of fields, separated by spaces:
message_text = action timestamp cluster_id threat_severity logging_level db_client_ip db_client_port db_server_ip db_server_port user_name database_name statement_id event_status database_status_code database_status_detail database_response_text web_user_name request response_code method protocol URL query_string web_application_name unit_host_name management_IP_address policy_name policy_apply_date support_id request_blocked session_cookies referrer http_host http_user_agent primary_violation cardinal_ip_address match_result statement
For example:
Nov 9 16:02:32 multi000c29198b62 DBFW1: DBFW:10 2 1257782551.757 9 4 3 "192.168.100.99" 1138 "192.168.100.100" 5000 "sa" "" 4af83d17f9200006 1 0 "" "" "Unknown_2" "GET /SearcStr.asp?txtSrc=CLASS+%27+or+1%3D1--+ HTTP/1.1\x0d\x0aAccept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\x0d\x0aReferer: http://10.190.0.203/SearcStr.asp?txtSrc=GEEZER+%27+or+1%3D1--+\x0d\x0aAccept-Language: en-gb\x0d\x0aUA-CPU: x86\x0d\x0aAccept-Encoding: gzip, deflate\x0d\x0aUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\x0d\x0aHost: 10.190.0.203\x0d\x0aConnection: Keep-Alive\x0d\x0aCookie: A-P$X123=123abc4561\x0d\x0a\x0d\x0a" "200" "GET" "HTTP" "/SearcStr.asp" "TaskIndex=3&TaskHTML=CACancelNoFields&TaskSectionReference=&TaskStreamType=Rule-Obj-FlowAction&TaskStatus=CAEndInteraction&TaskInstructions=&TaskHelpPresent=false&TaskHelpType=&TaskInstructionsCaption=Instructions&%24PpyWorkPage%24pCancelNotes=%27+or+1%3D1%0D%0A%3Ch1%3E+Hello+%3C%2Fh1%3E&fred=sp_jdbc_getcatalogs" "toolshed_class" "BIGIPASM01.SomeDomain.COM" "192.168.0.178" "toolshed_policy" "2008-10-10 16:02:59" "3776479346538055214" "" "" "http://10.190.0.203/SearcStr.asp?txtSrc=GEEZER+%27+or+1%3D1--+" "10.190.0.203" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)" "Illegal meta character in parameter value" "10.190.0.3" "2" "rpc sp_jdbc_getcatalogs"
In this specification:
action
is one of the following: 1 = known blocked; 2 = known alerted; 3 = unknown blocked; 4 = unknown alerted; 5 = known passed; 6 = unknown passed.
timestamp
is the number of seconds since 1st January 1970 when the alert occurred, in the format sec.msec. The sec value is the number of whole seconds, and msec is the fractional part in milliseconds.
cluster_id
is an integer that specifies the id of the cluster the statement belongs to.
threat_severity
is an integer in the range 0 to 5 that specifies the threat severity of the message. The value 5 is the most severe.
logging_level
is an integer in the range 1 to 5 that specifies the logging of the message: 1 = do not log; 2 = log sample; 3 = always log; 5 = log unique.
db_client_ip
is the IP address of the client that sent the message, enclosed in quotation marks.
db_client_port
is an integer that specifies the port number of the database client that originated the statement.
db_server_ip
is the IP address of the database server, enclosed in quotation marks.
db_server_port
is an integer that specifies the port number of the database management system.
user_name
is the database user associated with the session in which the alerting statement occurred. It is enclosed in quotation marks and uses the same hexadecimal encoding as statement.
database_name
is the name of the database associated with the session in which the alerting statement occurred. It is enclosed in quotation marks and uses the same hexadecimal encoding as statement.
statement_id
is a unique hexadecimal number for the statement.
event_status
is an integer that gives the database response (see Chapter 10, "Configuring and Using Database Response Monitoring") to the statement: 1 = success; 2 = failure; 3 = database response monitoring switched off; 4 = response not seen.
database_status_code
is an integer that gives the status code returned by the database. This applies only if database response monitoring is switched on.
database_status_detail
is the detailed response string returned from the database (such as database status codes and severity of the error). It is enclosed in quotation marks and uses the same hexadecimal encoding as statement.
database_response_text
is the response string returned from the database (the text intended for the database client). It is enclosed in quotation marks and uses the same hexadecimal encoding as statement.
web_user_name
is the name of the Web application user who originated the message, enclosed in quotation marks. Hexadecimal encoding is the same as statement. For further information, refer to Understanding the Attributes in Appendix 11.
request
is the BIG-IP ASM "request" attribute. It is enclosed in quotation marks and uses the same hexadecimal encoding as statement.
response_code
is the BIG-IP ASM "response_code" attribute. It is enclosed in quotation marks and uses the same hexadecimal encoding as statement.
method
is the BIG-IP ASM "method" attribute. It is enclosed in quotation marks and uses the same hexadecimal encoding as statement.
protocol
is the BIG-IP ASM "protocol" attribute. It is enclosed in quotation marks and uses the same hexadecimal encoding as statement.
URL
is the BIG-IP ASM "uri" attribute. It is enclosed in quotation marks and uses the same hexadecimal encoding as statement.
query_string
is the BIG-IP ASM "query_string" attribute. It is enclosed in quotation marks and uses the same hexadecimal encoding as statement.
web_application_name
is the name of the Web application, as obtained from the BIG-IP ASM "web_application_name" attribute. It is enclosed in quotation marks and uses the same hexadecimal encoding as statement.
unit_host_name
is the BIG-IP ASM "unit_hostname" attribute. It is enclosed in quotation marks and uses the same hexadecimal encoding as statement.
management_IP_address
is the BIG-IP ASM "management_ip_address" attribute, enclosed in quotation marks.
policy_name
is the BIG-IP ASM "policy_name" attribute. It is enclosed in quotation marks and uses the same hexadecimal encoding as statement.
policy_apply_date
is the BIG-IP ASM "policy_apply_date" attribute. It is enclosed in quotation marks and uses the same hexadecimal encoding as statement.
support_id
is the BIG-IP ASM "support_id" attribute. It is enclosed in quotation marks and uses the same hexadecimal encoding as statement.
request_blocked
is the BIG-IP ASM "request_blocked" attribute. It is enclosed in quotation marks and uses the same hexadecimal encoding as statement.
session_cookies
provides the user-identification cookies, extracted from the header of the HTTP request. It is enclosed in quotation marks and uses the same hexadecimal encoding as statement.
referrer
is the name of the referrer, extracted from the header of the HTTP request. It is enclosed in quotation marks and uses the same hexadecimal encoding as statement.
http_host
is the host name, extracted from the header of the HTTP request. It is enclosed in quotation marks and uses the same hexadecimal encoding as statement.
http_user_agent
is the name of the user agent, extracted from the header of the HTTP request. It is enclosed in quotation marks and uses the same hexadecimal encoding as statement.
primary_violation
is the BIG-IP ASM violation associated with this statement, which the Database Firewall software believes is the most important. It is enclosed in quotation marks and uses the same hexadecimal encoding as statement.
cardinal_ip_address
is the IP address that the Database Firewall software believes is the most important for client identification. The client HTTP request may have been forwarded several times through proxies.
match_result
is an integer that indicates whether the BIG-IP ASM syslog message has been successfully matched with the SQL statement. 1 = Policy Conflict; 2 = Policy Confirmed; 3 = WAF Blocked request; 4 = No Match Data Masked by WAF; 5 = No match made. For further information, refer to Understanding the Attributes in Appendix 11.
statement
is the statement that caused the alert, enclosed in quotation marks and hex encoded in UTF-8. The string may be truncated to contain a maximum of 1024 characters (including a final ...", if necessary). Backslash (\) characters are preceded by an additional backslash (\\). Quotation marks (") are preceded by a backslash (\"). Character codes with a hexadecimal value of 00 to 1f are replaced by "\x00" to "\x1f".
Message identifier 11 indicates that Oracle Database Firewall has identified a user login request. If database response monitoring is switched on (see Chapter 10, "Configuring and Using Database Response Monitoring"), the alert includes the database response information. The message text contains a number of fields, separated by spaces:
message_text = action timestamp threat_severity logging_level db_client_ip db_client_port db_server_ip db_server_port user_name database_name event_id connect_seen failure_threshold threshold_count event_status database_status_code database_status_detail database_response_text
For example:
Nov 9 16:21:18 multi000c29198b62 DBFW1: DBFW:11 2 1257783678.266 3 1 "192.168.100.99" 1137 "192.168.100.100" 5000 "sa" "" 4af8417e6e300001 1 0 0 2 4002 "Severity: 14" "Login failed.\x0a"
In this specification:
action
is one of the following: 1 = no alert; 2 = always alert; 3 = alert on request success; 4 = alert on request failure; 5 = block request.
timestamp
is the number of seconds since 1st January 1970 when the alert occurred, in the format sec.msec. The sec value is the number of whole seconds, and msec is the fractional part in milliseconds.
threat_severity
is an integer in the range 0 to 5 that specifies the threat severity of the message. The value 5 is the most severe.
logging_level
is an integer that specifies the logging of the message: 0 = do not log in traffic log; 1 = log in traffic log.
db_client_ip
is the IP address of the client that sent the message, enclosed in quotation marks.
db_client_port
is an integer that specifies the port number of the database client that originated the statement.
db_server_ip
is the IP address of the database management system, enclosed in quotation marks.
db_server_port
is an integer that specifies the port number of the database management system.
user_name
is the database user associated with the session in which the alerting statement occurred. It is enclosed in quotation marks and uses the same hexadecimal encoding as statement.
database_name
is the name of the database associated with the session in which the alerting statement occurred. It is enclosed in quotation marks and uses the same hexadecimal encoding as statement.
event_id
is a unique hexadecimal number for the event.
connect_seen
is an integer that specifies whether Oracle Database Firewall encountered a session connection for the session. 0 = connect not seen; 1 = connect seen.
failure_threshold
is an integer that specifies the number of consecutive login failures that will trigger a change in policy (possibly to block logins).
threshold_count
is an integer that specifies the current number of consecutive login failures.
event_status
is an integer that gives the database response to the statement: 1 = success; 2 = failure; 3 = database response monitoring switched off; 4 = response not seen; 5 = request blocked.
database_status_code
is an integer that gives the status code returned by the database.
database_status_detail
is the detailed response string returned from the database (such as database status codes and severity of the error). It is enclosed in quotation marks and uses the same hexadecimal encoding as statement.
database_response_text
is the response string returned from the database (the text intended for the database client). It is enclosed in quotation marks and uses the same hexadecimal encoding as statement.
Message identifier 12 indicates that Oracle Database Firewall has identified a user logout request. If database response monitoring is switched on (see Chapter 10, "Configuring and Using Database Response Monitoring"), the alert includes the database response information. The message text contains a number of fields, separated by spaces:
message_text = action timestamp threat_severity logging_level db_client_ip db_client_port db_server_ip db_server_port user_name database_name event_id first_event_id logout_seen end_of_session_seen session_dropped_seen
For example:
Nov 10 09:34:46 multi000c29198b62 DBFW1: DBFW:12 2 1257845676.891 2 1 "192.168.100.99" 1138 "192.168.100.100" 5000 "sa" "" 4af933acb7700006 4af933abfce00003 1 1 0
In this specification:
action
is one of the following: 1 = no alert; 2 = always alert.
timestamp
is the number of seconds since 1st January 1970 when the alert occurred, in the format sec.msec. The sec value is the number of whole seconds, and msec is the fractional part in milliseconds.
threat_severity
is an integer in the range 0 to 5 that specifies the threat severity of the message. The value 5 is the most severe.
logging_level
is an integer that specifies the logging of the message: 0 = do not log in traffic log; 1 = log in traffic log.
db_client_ip
is the IP address of the client that sent the message, enclosed in quotation marks.
db_client_port
is an integer that specifies the port number of the database client that originated the statement.
db_server_ip
is the IP address of the database management system, enclosed in quotation marks.
db_server_port
is an integer that specifies the port number of the database management system.
user_name
is the database user associated with the session in which the alerting statement occurred. It is enclosed in quotation marks and uses the same hexadecimal encoding as statement.
database_name
is the name of the database associated with the session in which the alerting statement occurred. It is enclosed in quotation marks and uses the same hexadecimal encoding as statement.
event_id
is a unique hexadecimal number for the event.
first_event_id
is the unique event identifier for the first event recorded for this session (hexadecimal number).
logout_seen
is an integer that specifies whether Oracle Database Firewall encountered a logout for the session. 0 = logout not seen; 1 = logout seen.
end_of_session_seen
is an integer that specifies whether Oracle Database Firewall encountered an end-of-session event for the session. 0 = event not seen; 1 = event seen.
session_dropped_seen
is an integer that specifies whether Oracle Database Firewall encountered a session-dropped event for the session. 0 = event not seen; 1 = event seen.
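The DBFW:9, DBFW:11 and DBFW:12 messages above share one body layout: space-separated fields, some of them quoted strings in which a backslash escapes the next character and control characters appear as \xNN. The parser below is an added example, not Oracle's code; it uses the field orders listed in this appendix and a header pattern inferred from the example lines (the same tokenizer would serve DBFW:10 given its field list).

```python
"""Parser for DBFW:9, DBFW:11 and DBFW:12 messages. Added example, not Oracle's code.
Field orders are those listed in this appendix; quoted fields are unescaped using
the rules given for `statement` (\\\\ -> \\, \\" -> ", \\xNN -> control character)."""
import re

# Header: <Mon D HH:MM:SS> <hostname> <source><num>: DBFW:<id> <message_text>
HEADER_RE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2} {1,2}\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<hostname>\S+) "
    r"(?P<source>[A-Za-z]+)(?P<num>\d+): DBFW:(?P<id>\d+) ?(?P<body>.*)$")
# message_text field order per message identifier (DBFW:10 would be added the same way).
FIELDS = {
    9: ("action timestamp cluster_id threat_severity logging_level db_client_ip "
        "db_client_port db_server_ip db_server_port user_name database_name statement_id "
        "event_status database_status_code database_status_detail database_response_text "
        "statement").split(),
    11: ("action timestamp threat_severity logging_level db_client_ip db_client_port "
         "db_server_ip db_server_port user_name database_name event_id connect_seen "
         "failure_threshold threshold_count event_status database_status_code "
         "database_status_detail database_response_text").split(),
    12: ("action timestamp threat_severity logging_level db_client_ip db_client_port "
         "db_server_ip db_server_port user_name database_name event_id first_event_id "
         "logout_seen end_of_session_seen session_dropped_seen").split(),
}
ACTION_9 = {"1": "known blocked", "2": "known alerted", "3": "unknown blocked",
            "4": "unknown alerted"}
ESCAPE_RE = re.compile(r"\\(x[0-9a-fA-F]{2}|.)")

def unescape(s):
    """Undo the quoted-field escaping; \\xNN becomes the character with that code."""
    return ESCAPE_RE.sub(
        lambda m: chr(int(m.group(1)[1:], 16)) if len(m.group(1)) == 3 else m.group(1), s)

def tokenize(body):
    """Split message_text on spaces; a quoted field ends only at an unescaped quote."""
    tokens, i, n = [], 0, len(body)
    while i < n:
        if body[i] == " ":
            i += 1
        elif body[i] == '"':
            j = i + 1
            while j < n and body[j] != '"':
                j += 2 if body[j] == "\\" else 1      # step over an escaped character
            if j >= n:
                raise ValueError("unterminated quoted field")
            tokens.append(unescape(body[i + 1:j]))
            i = j + 1
        else:
            j = body.find(" ", i)
            j = n if j < 0 else j
            tokens.append(body[i:j])
            i = j
    return tokens

def parse(line):
    """Return the header fields plus the named message_text fields (as logged strings)."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a DBFW syslog message")
    rec = {k: m.group(k) for k in ("date", "time", "hostname", "source", "num")}
    rec["id"] = int(m.group("id"))
    names = FIELDS.get(rec["id"])
    if names is None:                  # identifiers this example does not break down
        rec["message_text"] = m.group("body")
        return rec
    tokens = tokenize(m.group("body"))
    if len(tokens) != len(names):
        raise ValueError(f"DBFW:{rec['id']}: expected {len(names)} fields, got {len(tokens)}")
    rec.update(zip(names, tokens))
    if rec["id"] == 9:
        rec["action_label"] = ACTION_9.get(rec["action"], "unknown")
    return rec
```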