C Syslog Message Format

About Syslog Messages

This appendix describes the syslog messages that can be generated by Oracle Database Firewalls and Oracle Database Firewall Management Servers. The syslog messages include alerts, periodically-updated statistics and heartbeat messages. Oracle Database Firewall updates the syslog messages in real time.

The syslog message format is consistent with generally-accepted industry practices outlined in RFC 3164.

Message Format

The syslog message format is as follows.

message = date time hostname source num: DBFW:id message_text

In this specification:

  • message is the syslog message. The data up to the first colon is the message header; the data after the first colon is the message body. The text "DBFW" in the message body indicates that the syslog message is from Oracle Database Firewall. The maximum length of message is 1024 bytes.

  • date is the date the message was generated.

  • time is the time the message was generated.

  • hostname is the host name of the system that generated the message.

  • source is "DBFW", except for DBFW:8 where it is "dbaudit".

  • num is the instance number of the enforcement point that generated the message.

  • id is the message identifier, in the range 1 to 12. This specifies the type of message described by message_text. The meaning of each message identifier is described in the following sections.

  • message_text is the message text, which depends on the type of message.

For example:

Aug 15 11:02:57 DBFW DBFW1: DBFW:1 Configuration file reloaded

The maximum size of a DBFW syslog message is 2kB.

Message ID = 1 (General Messages)

Message identifier 1 is used for general messages, such as Configuration file reloaded.

Message ID = 3 (Heartbeat)

Message identifier 3 is for the heartbeat message, which is sent by the Oracle Database Firewall to indicate that it is operating and to provide current counters of the number of statements that have been passed, blocked, etc. The message text contains a number of fields, separated by spaces:

message_text = timestamp known_blocked known_warned known_passed unseen_blocked unseen_warned unseen_passed reset_time resilience_mode

For example:

Aug 15 11:02:57 DBFW DBFW1: DBFW:3 1147344001.516 0 0 0 6067 0 0 1147367001.097 0

In this specification:

  • timestamp is the number of seconds since 1st January 1970 when the heartbeat was generated, in the format sec.msec. The sec value is the number of whole seconds, and msec is the fractional part in milliseconds.

  • known_blocked is an integer that specifies the number of known statements that have been blocked since monitoring started.

  • known_warned is an integer that specifies the number of known statements that have generated a warning since monitoring started.

  • known_passed is an integer that specifies the number of known statements that have been passed since monitoring started.

  • unseen_blocked is an integer that specifies the number of previously unseen statements that have been blocked since monitoring started.

  • unseen_warned is an integer that specifies the number of previously unseen statements that have generated a warning since monitoring started.

  • unseen_passed is an integer that specifies the number of previously unseen statements that have been passed since monitoring started.

  • reset_time is the number of seconds between 1st January 1970 and the time the counters were last reset, in the format sec.msec. The sec value is the number of whole seconds, and msec is the fractional part in milliseconds.

  • resilience_mode is an integer that specifies whether the device is currently the active device in a resilient set (0), or currently a passive device (1). If the device is not in a resilient set, the value is 0. This setting should always be 0 in the current version of Oracle Database Firewall.

Message ID = 4 (Property Change)

Message identifier 4 is used for messages that indicate a change in the value of a property at the device, such as a change in the baseline used or a change in the IP address. The message text contains a number of fields, separated by spaces:

message_text = timestamp category name value comment

For example:

Aug 15 11:02:57 DBFW DBFW1: DBFW:4 1147344001.516 "category" "name" "value" "My comment is %22Hello World%22"

In this specification:

  • timestamp is the number of seconds since 1st January 1970 when the change occurred, in the format sec.msec. The sec value is the number of whole seconds, and msec is the fractional part in milliseconds.

  • category indicates the general type of change that has been made, enclosed in quotation marks. The string can contain a maximum of 30 characters. Quotation mark ("), percent (%) and any characters with an ASCII value of less than 32 or greater than 126 are hexadecimal encoded (for example, %22 is used for quotation marks).

  • name is the name of the property, enclosed in quotation marks (30 characters max.). Hexadecimal encoding is the same as category.

  • value is the new value of the property, enclosed in quotation marks (30 characters max.). Hexadecimal encoding is the same as category.

  • comment is a comment added by the person who made the change, enclosed in quotation marks (30 characters max.). Hexadecimal encoding is the same as category.

Message ID = 8 (Database Audit Summary)

This message is sent when a Stored Procedure Audit or User Role Audit has completed (see Chapter 5, "Configuring Stored Procedure Auditing," and Chapter 6, "Configuring and Using Role Auditing," respectively).

message_text = object_type type_of_scan audit_completion_flag target_database database_type protected_database audit_start_time object_collected_time audit_end_time database_counter database_object_counter new_counter modified_counter deleted_counter unchanged_counter

For example:

Aug 15 11:02:57 multi000c2937e324 dbaudit1: DBFW:8 1 1 1 "192.168.0.57:5000/" 5 "test_pdb" 2009-03-24T11:59:59.123 2009-03-24T11:59:59.777 2009-03-24T11:59:59.801 15 2234 1000 0 0 1234

In this specification:

  • object_type is 1 for stored procedure and 2 for user roles.

  • type_of_scan is 0 for manual scan and 2 for scheduled scan.

  • audit_completion_flag is 0 for failure and 1 for success.

  • target_database is the connection string for audited database.

  • database_type is 1 for Microsoft SQL Server, 2 for Oracle, 5 for Sybase ASE and 6 for Sybase SQL Anywhere.

  • protected_database is the protected database name (as it appears in the Administration Console).

  • audit_start_time is the time when the audit started.

  • object_collected_time is the time when all information had been collected from the database.

  • audit_end_time is the time when the audit finished.

  • database_counter is the number of databases found and interrogated.

  • database_object_counter is the number of objects found (in the complete set of databases) in this scan.

  • new_counter is the number of objects created since the previous scan.

  • modified_counter is the number of objects modified since the previous scan.

  • deleted_counter is the number of objects deleted since the previous scan.

  • unchanged_counter is the number of objects unchanged since the previous scan.

Message ID = 9 (Statement Alerts)

Message identifier 9 indicates a message resulting from a specific action that Oracle Database Firewall has taken after receiving an SQL statement. The message text contains a number of fields, separated by spaces:

message_text = action timestamp cluster_id threat_severity logging_level db_client_ip db_client_port db_server_ip db_server_port user_name database_name statement_id event_status database_status_code database_status_detail database_response_text statement

For example:

Nov 9 15:02:56 multi000c29198b62 DBFW1: DBFW:9 2 1257778976.429 4 4 3 "192.168.100.99" 1138 "192.168.100.100" 5000 "sa" "" 4af82f20df900003 2 14216 "Severity: 16" "Function 'db_property' not found." "SELECT db_property('name')"

In this specification:

  • action is one of the following: 1 = known blocked; 2 = known alerted; 3 = unknown blocked; 4 = unknown alerted.

  • timestamp is the number of seconds since 1st January 1970 when the alert occurred, in the format sec.msec. The sec value is the number of whole seconds, and msec is the fractional part in milliseconds.

  • cluster_id is an integer that specifies the id of the cluster the statement belongs to.

  • threat_severity is an integer in the range 0 to 5 that specifies the threat severity of the message. The value 5 is the most severe.

  • logging_level is an integer in the range 1 to 5 that specifies the logging of the message: 1 = do not log; 2 = log sample; 3 = always log; 5 = log unique.

  • db_client_ip is the IP address of the client that sent the message, enclosed in quotation marks.

  • db_client_port is an integer that specifies the port number of the database client that originated the statement.

  • db_server_ip is the IP address of the database server, enclosed in quotation marks.

  • db_server_port is an integer that specifies the port number of the database management system.

  • user_name is the database user associated with the session in which the alerting statement occurred. It is enclosed in quotation marks and uses the same hexadecimal encoding as statement.

  • database_name is the name of the database associated with the session in which the alerting statement occurred. It is enclosed in quotation marks and uses the same hexadecimal encoding as statement.

  • statement_id is a unique hexadecimal number for the monitored SQL statement.

  • event_status is an integer that gives the database response (see Chapter 10, "Configuring and Using Database Response Monitoring") to the statement: 1 = success; 2 = failure; 3 = database response monitoring switched off; 4 = response not seen.

  • database_status_code is an integer that gives the status code returned by the database. This applies only if database response monitoring is switched on.

  • database_status_detail is the detailed response string returned from the database (such as database status codes and severity of the error). It is enclosed in quotation marks and uses the same hexadecimal encoding as statement.

  • database_response_text is the response string returned from the database (the text intended for the database client). It is enclosed in quotation marks and uses the same hexadecimal encoding as statement.

  • statement is the statement that caused the alert, enclosed in quotation marks (UTF-8 encoded). The string may be truncated to contain a maximum of 1024 characters (including a final ...", if necessary). Backslash (\) characters are preceded by an additional backslash (\\). Quotation marks (") are preceded by a backslash (\"). Character codes with a hexadecimal value of 00 to 1f are replaced by the string "\x00" to "\x1f". The character with a hexadecimal value of 7f is replaced by "\x7f".

Message ID = 10 (F5 BIG-IP ASM Alerts)

Message identifier 10 indicates a message resulting from alerts from the F5 BIG-IP ASM Web application firewall and database response information. The message text contains a number of fields, separated by spaces:

message_text = action timestamp cluster_id threat_severity logging_level db_client_ip db_client_port db_server_ip db_server_port user_name database_name statement_id event_status database_status_code database_status_detail database_response_text web_user_name request response_code method protocol URL query_string web_application_name unit_host_name management_IP_address policy_name policy_apply_date support_id request_blocked session_cookies referrer http_host http_user_agent primary_violation cardinal_ip_address match_result statement

For example:

Nov 9 16:02:32 multi000c29198b62 DBFW1: DBFW:10 2 1257782551.757 9 4 3 "192.168.100.99" 1138 "192.168.100.100" 5000 "sa" "" 4af83d17f9200006 1 0 "" "" "Unknown_2" "GET /SearcStr.asp?txtSrc=CLASS+%27+or+1%3D1--+ HTTP/1.1\x0d\x0aAccept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\x0d\x0aReferer: http://10.190.0.203/SearcStr.asp?txtSrc=GEEZER+%27+or+1%3D1--+\x0d\x0aAccept-Language: en-gb\x0d\x0aUA-CPU: x86\x0d\x0aAccept-Encoding: gzip, deflate\x0d\x0aUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\x0d\x0aHost: 10.190.0.203\x0d\x0aConnection: Keep-Alive\x0d\x0aCookie: A-P$X123=123abc4561\x0d\x0a\x0d\x0a" "200" "GET" "HTTP" "/SearcStr.asp" "TaskIndex=3&TaskHTML=CACancelNoFields&TaskSectionReference=&TaskStreamType=Rule-Obj-FlowAction&TaskStatus=CAEndInteraction&TaskInstructions=&TaskHelpPresent=false&TaskHelpType=&TaskInstructionsCaption=Instructions&%24PpyWorkPage%24pCancelNotes=%27+or+1%3D1%0D%0A%3Ch1%3E+Hello+%3C%2Fh1%3E&fred=sp_jdbc_getcatalogs" "toolshed_class" "BIGIPASM01.SomeDomain.COM" "192.168.0.178" "toolshed_policy" "2008-10-10 16:02:59" "3776479346538055214" "" "" "http://10.190.0.203/SearcStr.asp?txtSrc=GEEZER+%27+or+1%3D1--+" "10.190.0.203" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)" "Illegal meta character in parameter value" "10.190.0.3" "2" "rpc sp_jdbc_getcatalogs"

In this specification:

  • action is one of the following: 1 = known blocked; 2 = known alerted; 3 = unknown blocked; 4 = unknown alerted; 5 = known passed; 6 = unknown passed.

  • timestamp is the number of seconds since 1st January 1970 when the alert occurred, in the format sec.msec. The sec value is the number of whole seconds, and msec is the fractional part in milliseconds.

  • cluster_id is an integer that specifies the id of the cluster the statement belongs to.

  • threat_severity is an integer in the range 0 to 5 that specifies the threat severity of the message. The value 5 is the most severe.

  • logging_level is an integer in the range 1 to 5 that specifies the logging of the message: 1 = do not log; 2 = log sample; 3 = always log; 5 = log unique.

  • db_client_ip is the IP address of the client that sent the message, enclosed in quotation marks.

  • db_client_port is an integer that specifies the port number of the database client that originated the statement.

  • db_server_ip is the IP address of the database server, enclosed in quotation marks.

  • db_server_port is an integer that specifies the port number of the database management system.

  • user_name is the database user associated with the session in which the alerting statement occurred. It is enclosed in quotation marks and uses the same hexadecimal encoding as statement.

  • database_name is the name of the database associated with the session in which the alerting statement occurred. It is enclosed in quotation marks and uses the same hexadecimal encoding as statement.

  • statement_id is a unique hexadecimal number for the statement.

  • event_status is an integer that gives the database response (see Chapter 10, "Configuring and Using Database Response Monitoring") to the statement: 1 = success; 2 = failure; 3 = database response monitoring switched off; 4 = response not seen.

  • database_status_code is an integer that gives the status code returned by the database. This applies only if database response monitoring is switched on.

  • database_status_detail is the detailed response string returned from the database (such as database status codes and severity of the error). It is enclosed in quotation marks and uses the same hexadecimal encoding as statement.

  • database_response_text is the response string returned from the database (the text intended for the database client). It is enclosed in quotation marks and uses the same hexadecimal encoding as statement.

  • web_user_name is the name of the Web application user who originated the message, enclosed in quotation marks. Hexadecimal encoding is the same as statement. For further information, refer to Understanding the Attributes in Appendix 11.

  • request is the BIG-IP ASM "request" attribute. It is enclosed in quotation marks and uses the same hexadecimal encoding as statement.

  • response_code is the BIG-IP ASM "response_code" attribute. It is enclosed in quotation marks and uses the same hexadecimal encoding as statement.

  • method is the BIG-IP ASM "method" attribute. It is enclosed in quotation marks and uses the same hexadecimal encoding as statement.

  • protocol is the BIG-IP ASM "protocol" attribute. It is enclosed in quotation marks and uses the same hexadecimal encoding as statement.

  • URL is the BIG-IP ASM "uri" attribute. It is enclosed in quotation marks and uses the same hexadecimal encoding as statement.

  • query_string is the BIG-IP ASM "query_string" attribute. It is enclosed in quotation marks and uses the same hexadecimal encoding as statement.

  • web_application_name is the name of the Web application, as obtained from the BIG-IP ASM "web_application_name" attribute. It is enclosed in quotation marks and uses the same hexadecimal encoding as statement.

  • unit_host_name is the BIG-IP ASM "unit_hostname" attribute. It is enclosed in quotation marks and uses the same hexadecimal encoding as statement.

  • management_IP_address is the BIG-IP ASM "management_ip_address" attribute, enclosed in quotation marks.

  • policy_name is the BIG-IP ASM "policy_name" attribute. It is enclosed in quotation marks and uses the same hexadecimal encoding as statement.

  • policy_apply_date is the BIG-IP ASM "policy_apply_date" attribute. It is enclosed in quotation marks and uses the same hexadecimal encoding as statement.

  • support_id is the BIG-IP ASM "support_id" attribute. It is enclosed in quotation marks and uses the same hexadecimal encoding as statement.

  • request_blocked is the BIG-IP ASM "request_blocked" attribute. It is enclosed in quotation marks and uses the same hexadecimal encoding as statement.

  • session_cookies provides the user-identification cookies, extracted from the header of the HTTP request. It is enclosed in quotation marks and uses the same hexadecimal encoding as statement.

  • referrer is the name of the referrer, extracted from the header of the HTTP request. It is enclosed in quotation marks and uses the same hexadecimal encoding as statement.

  • http_host is the host name, extracted from the header of the HTTP request. It is enclosed in quotation marks and uses the same hexadecimal encoding as statement.

  • http_user_agent is the name of the user agent, extracted from the header of the HTTP request. It is enclosed in quotation marks and uses the same hexadecimal encoding as statement.

  • primary_violation is the BIG-IP ASM violation associated with this statement, which the Database Firewall software believes is the most important. It is enclosed in quotation marks and uses the same hexadecimal encoding as statement.

  • cardinal_ip_address is the IP address that the Database Firewall software believes is the most important for client identification. The client HTTP request may have been forwarded several times through proxies.

  • match_result is an integer that indicates whether the BIG-IP ASM syslog message has been successfully matched with the SQL statement. 1 = Policy Conflict; 2 = Policy Confirmed; 3 = WAF Blocked request; 4 = No Match Data Masked by WAF; 5 = No match made. For further information, refer to Understanding the Attributes in Appendix 11.

  • statement is the statement that caused the alert, enclosed in quotation marks and hex encoded in UTF-8. The string may be truncated to contain a maximum of 1024 characters (including a final ...", if necessary). Backslash (\) characters are preceded by an additional backslash (\\). Quotation marks (") are preceded by a backslash (\"). Character codes with a hexadecimal value of 00 to 1f are replaced by "\x00" to "\x1f".

Message ID = 11 (Login Alert)

Message identifier 11 indicates that Oracle Database Firewall has identified a user login request. If database response monitoring is switched on (see Chapter 10, "Configuring and Using Database Response Monitoring"), the alert includes the database response information. The message text contains a number of fields, separated by spaces:

message_text = action timestamp threat_severity logging_level db_client_ip db_client_port db_server_ip db_server_port user_name database_name event_id connect_seen failure_threshold threshold_count event_status database_status_code database_status_detail database_response_text

For example:

Nov 9 16:21:18 multi000c29198b62 DBFW1: DBFW:11 2 1257783678.266 3 1 "192.168.100.99" 1137 "192.168.100.100" 5000 "sa" "" 4af8417e6e300001 1 0 0 2 4002 "Severity: 14" "Login failed.\x0a"

In this specification:

  • action is one of the following: 1 = no alert; 2 = always alert; 3 = alert on request success; 4 = alert on request failure; 5 = block request.

  • timestamp is the number of seconds since 1st January 1970 when the alert occurred, in the format sec.msec. The sec value is the number of whole seconds, and msec is the fractional part in milliseconds.

  • threat_severity is an integer in the range 0 to 5 that specifies the threat severity of the message. The value 5 is the most severe.

  • logging_level is an integer that specifies the logging of the message: 0 = do not log in traffic log; 1 = log in traffic log.

  • db_client_ip is the IP address of the client that sent the message, enclosed in quotation marks.

  • db_client_port is an integer that specifies the port number of the database client that originated the statement.

  • db_server_ip is the IP address of the database management system, enclosed in quotation marks.

  • db_server_port is an integer that specifies the port number of the database management system.

  • user_name is the database user associated with the session in which the alerting statement occurred. It is enclosed in quotation marks and uses the same hexadecimal encoding as statement.

  • database_name is the name of the database associated with the session in which the alerting statement occurred. It is enclosed in quotation marks and uses the same hexadecimal encoding as statement.

  • event_id is a unique hexadecimal number for the event.

  • connect_seen is an integer that specifies whether Oracle Database Firewall encountered a session connection for the session. 0 = connect not seen; 1 = connect seen.

  • failure_threshold is an integer that specifies the number of consecutive login failures that will trigger a change in policy (possibly to block logins).

  • threshold_count is an integer that specifies the current number of consecutive login failures.

  • event_status is an integer that gives the database response to the statement: 1 = success; 2 = failure; 3 = database response monitoring switched off; 4 = response not seen; 5 = request blocked.

  • database_status_code is an integer that gives the status code returned by the database.

  • database_status_detail is the detailed response string returned from the database (such as database status codes and severity of the error). It is enclosed in quotation marks and uses the same hexadecimal encoding as statement.

  • database_response_text is the response string returned from the database (the text intended for the database client). It is enclosed in quotation marks and uses the same hexadecimal encoding as statement.
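As an added example (not Oracle's code, and not part of this appendix), a Python parser for the message format described above: it splits the header, tokenizes quoted fields using the escaping rules given for message IDs 4 and 9 to 12, maps the fields of IDs 3, 4, 9 and 11 to the names in their message_text specifications, and checks a login alert against its failure_threshold. The example lines quoted in this appendix are embedded as sample input; all function names are my own.

```python
import re

# Header "date time hostname source num: DBFW:id message_text"; RFC 3164 may pad a one-digit day with a second space.
HEADER_RE = re.compile(
    r'^(?P<date>[A-Z][a-z]{2} {1,2}\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<hostname>\S+) '
    r'(?P<source>[A-Za-z]+)(?P<num>\d+): DBFW:(?P<id>\d+) (?P<text>.*)$')

# Field names per message id, copied from the message_text lines above; ids not listed keep their raw text.
FIELDS = {
    3: 'timestamp known_blocked known_warned known_passed unseen_blocked unseen_warned unseen_passed reset_time resilience_mode'.split(),
    4: 'timestamp category name value comment'.split(),
    9: ('action timestamp cluster_id threat_severity logging_level db_client_ip db_client_port db_server_ip '
        'db_server_port user_name database_name statement_id event_status database_status_code '
        'database_status_detail database_response_text statement').split(),
    11: ('action timestamp threat_severity logging_level db_client_ip db_client_port db_server_ip db_server_port '
         'user_name database_name event_id connect_seen failure_threshold threshold_count event_status '
         'database_status_code database_status_detail database_response_text').split(),
}
_BACKSLASH_RE = re.compile(r'\\(x[0-9a-fA-F]{2}|["\\])')   # ids 9-12 escape \\, \" and \xNN
_PERCENT_RE = re.compile(r'%([0-9a-fA-F]{2})')             # id 4 hex-encodes as %22 etc.

def unescape_backslash(raw):
    """Decode a quoted field of ids 9-12: \\\\ -> \\, \\" -> ", \\xNN -> chr(0xNN)."""
    return _BACKSLASH_RE.sub(lambda m: chr(int(m.group(1)[1:], 16)) if m.group(1)[0] == 'x' else m.group(1), raw)

def unescape_percent(raw):   # decode a quoted field of id 4, where %22 stands for a quotation mark
    return _PERCENT_RE.sub(lambda m: chr(int(m.group(1), 16)), raw)

def tokenize(text, decode=lambda s: s):
    """Split message_text on spaces; a quoted field may hold spaces and \\" escapes and comes back unquoted and decoded."""
    fields, i, n = [], 0, len(text)
    while i < n:
        if text[i] == ' ':
            i += 1
        elif text[i] == '"':
            j = i + 1
            while j < n and text[j] != '"':
                j += 2 if text[j] == '\\' else 1   # step over an escaped character
            if j >= n:
                raise ValueError('unterminated quoted field')
            fields.append(decode(text[i + 1:j]))
            i = j + 1
        else:
            j = next((k for k in range(i, n) if text[k] == ' '), n)
            fields.append(text[i:j])
            i = j
    return fields

def parse(line):
    """Parse one DBFW syslog line into a dict of header fields plus named message fields (values stay strings)."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError('not an Oracle Database Firewall syslog message')
    rec = m.groupdict()
    rec['num'], rec['id'], text = int(rec['num']), int(rec['id']), rec.pop('text')
    names = FIELDS.get(rec['id'])
    if names is None:                       # e.g. id 1: free-form general message
        rec['message_text'] = text
        return rec
    values = tokenize(text, unescape_percent if rec['id'] == 4 else unescape_backslash)
    if len(values) != len(names):
        raise ValueError(f"DBFW:{rec['id']} expects {len(names)} fields, got {len(values)}")
    rec.update(zip(names, values))
    return rec

def login_failures_at_threshold(rec):
    """For a DBFW:11 record: has the consecutive-failure count reached failure_threshold (0 = none configured)?"""
    threshold = int(rec.get('failure_threshold', 0))
    return rec['id'] == 11 and threshold > 0 and int(rec['threshold_count']) >= threshold

SAMPLES = {  # the example lines quoted in this appendix, used here as sample input
    1: 'Aug 15 11:02:57 DBFW DBFW1: DBFW:1 Configuration file reloaded',
    3: 'Aug 15 11:02:57 DBFW DBFW1: DBFW:3 1147344001.516 0 0 0 6067 0 0 1147367001.097 0',
    4: 'Aug 15 11:02:57 DBFW DBFW1: DBFW:4 1147344001.516 "category" "name" "value" "My comment is %22Hello World%22"',
    9: r'''Nov 9 15:02:56 multi000c29198b62 DBFW1: DBFW:9 2 1257778976.429 4 4 3 "192.168.100.99" 1138 "192.168.100.100" 5000 "sa" "" 4af82f20df900003 2 14216 "Severity: 16" "Function 'db_property' not found." "SELECT db_property('name')"''',
    11: r'Nov 9 16:21:18 multi000c29198b62 DBFW1: DBFW:11 2 1257783678.266 3 1 "192.168.100.99" 1137 "192.168.100.100" 5000 "sa" "" 4af8417e6e300001 1 0 0 2 4002 "Severity: 14" "Login failed.\x0a"',
}
```

A field-count mismatch raises rather than silently shifting columns, which matters because a truncated statement field or an unescaped quote would otherwise misalign every field after it.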

Message ID = 12 (Logout Alert)

Message identifier 12 indicates that Oracle Database Firewall has identified a user logout request. If database response monitoring is switched on (see Chapter 10, "Configuring and Using Database Response Monitoring"), the alert includes the database response information. The message text contains a number of fields, separated by spaces:

message_text = action timestamp threat_severity logging_level db_client_ip db_client_port db_server_ip db_server_port user_name database_name event_id first_event_id logout_seen end_of_session_seen session_dropped_seen

For example:

Nov 10 09:34:46 multi000c29198b62 DBFW1: DBFW:12 2 1257845676.891 2 1 "192.168.100.99" 1138 "192.168.100.100" 5000 "sa" "" 4af933acb7700006 4af933abfce00003 1 1 0

In this specification:

  • action is one of the following: 1 = no alert; 2 = always alert.

  • timestamp is the number of seconds since 1st January 1970 when the alert occurred, in the format sec.msec. The sec value is the number of whole seconds, and msec is the fractional part in milliseconds.

  • threat_severity is an integer in the range 0 to 5 that specifies the threat severity of the message. The value 5 is the most severe.

  • logging_level is an integer that specifies the logging of the message: 0 = do not log in traffic log; 1 = log in traffic log.

  • db_client_ip is the IP address of the client that sent the message, enclosed in quotation marks.

  • db_client_port is an integer that specifies the port number of the database client that originated the statement.

  • db_server_ip is the IP address of the database management system, enclosed in quotation marks.

  • db_server_port is an integer that specifies the port number of the database management system.

  • user_name is the database user associated with the session in which the alerting statement occurred. It is enclosed in quotation marks and uses the same hexadecimal encoding as statement.

  • database_name is the name of the database associated with the session in which the alerting statement occurred. It is enclosed in quotation marks and uses the same hexadecimal encoding as statement.

  • event_id is a unique hexadecimal number for the event.

  • first_event_id is the unique event identifier for the first event recorded for this session (hexadecimal number).

  • logout_seen is an integer that specifies whether Oracle Database Firewall encountered a logout for the session. 0 = logout not seen; 1 = logout seen.

  • end_of_session_seen is an integer that specifies whether Oracle Database Firewall encountered an end-of-session event for the session. 0 = event not seen; 1 = event seen.

  • session_dropped_seen is an integer that specifies whether Oracle Database Firewall encountered a session-dropped event for the session. 0 = event not seen; 1 = event seen.