D Traffic Log Attributes

This appendix describes the meaning of each attribute that is displayed when you expand a record in the traffic log Search Results dialog box.

Transaction Status

Table D-1 Transaction Status

| Attribute | Meaning or Source |
|---|---|
| SQL Request | SQL statement text, or text that indicates the response from logging in or out (e.g. "CONNECTED, FAILED LOGIN"). "CONNECTED" indicates that there is a connection between the database and database client. |
| Response Status | This shows whether or not the statement or login was successfully executed by the database. |
| Response Code | An integer response code as returned from the monitored database. The value and meaning are dependent on the database type. Please refer to your database system documentation for further information. |
| Response Detailed Status | Response status information as returned from the monitored database. Please refer to your database system documentation for further information. |
| Response Text | Detailed verbose response message as returned from the monitored database. For errors, this is typically the same as the error message displayed at the client. This information is available only if the Full error message annotation check box is selected (see "Configuring Database Response Monitoring"). |
| Record Type | The type of record that is being displayed ("session" for a login or logout, or "statement" for SQL requests). |


Performance

Table D-2 Performance

| Attribute | Meaning or Source |
|---|---|
| Request Time | The time that the SQL request was sent to the database. |
| Response Time | The time that the database response was generated. |
| Transaction Time | The time taken to execute the SQL request. |


Context

Table D-3 Context

| Attribute | Meaning or Source |
|---|---|
| Traffic Source | The source of the SQL request. For example, "network", "local monitor" or "remote monitor". |
| DB User Name | Database login name. |
| DB User Name Origin | Method used to obtain the DB User Name. The possible values are: "generated" (the name "unknown_username" was assumed), "dbquery" (the name was obtained from a database query) or "network" (the name was obtained from the SQL traffic). |
| DB User Name (raw) | The DB User Name that was used at the time Oracle Database Firewall applied the statement policy. This may be the same as DB User Name (if the name was available from the statement or derived from a previous statement) or "unknown_username". |
| DB Client Program Name | Name of the software being used to connect to the database. |
| DB Client Program Name Origin | Method used to obtain the DB Client Program Name. See DB User Name Origin for possible values. |
| DB Client IP Address | IP address of the database client that originated the SQL request. |
| DB Client Port | Port of the database client that originated the SQL request. |
| DB Server IP Address | IP address of the database management system (i.e. the IP address used by database clients to send traffic to the database). |
| DB Server Port | Port number of the database management system. |
| Database Type | Name of the database type that the baseline applies to. |
| OS User Name | Operating system login name. |
| OS User Name Origin | Method used to obtain the OS User Name. See DB User Name Origin for possible values. |


Attributes (F5)

Table D-4 Attributes (F5)

| Attribute | Meaning or Source |
|---|---|
| Authentication Method | Obtained from the BIG-IP ASM "authentication method" defined in the iRule (e.g. "webform"). |
| Cardinal IP Address | The client HTTP request may have been forwarded several times through proxies. The IP address shown in this attribute is the one the Oracle Database Firewall software believes is the most important for client identification. |
| Management IP Address | Obtained from the BIG-IP ASM "management_ip_address" attribute. |
| Match Result | This can display the following values. PolicyConfirmed: BIG-IP ASM generated an alert, and the associated SQL statement generated a "block" or "warn" in Oracle Database Firewall. NoMatch: The BIG-IP ASM syslog message containing the information displayed in the traffic log record has not been matched with an SQL statement. NoMatchDataMasked: The BIG-IP ASM syslog message containing the information displayed in the traffic log record has at least one field containing star ("*") characters, which indicates sensitive data that has been obliterated by BIG-IP ASM. The Oracle Database Firewall software is not able to match syslog messages containing obliterated fields, as configured in BIG-IP ASM. PolicyConflict: BIG-IP ASM generated an alert, but the associated SQL statement did not generate a "block" or "warn" in Oracle Database Firewall. WAFBlocked: BIG-IP ASM blocked a request. Although a syslog message was generated, the Web application server generated no SQL statements for this request. |
| Match Tokens | This is for Oracle Database Firewall engineers only. It indicates the tokens that were used to match syslog messages with the SQL statement. |
| Method (http) | Obtained from the BIG-IP ASM "method" attribute. |
| Policy Apply Date | Obtained from the BIG-IP ASM "policy_apply_date" attribute. |
| Policy Name | Obtained from the BIG-IP ASM "policy_name" attribute. |
| Primary Violation | The BIG-IP ASM violation associated with this statement, which the Oracle Database Firewall software believes is the most important. |
| Protocol (http) | Obtained from the BIG-IP ASM "protocol" attribute. |
| Query String (http) | Obtained from the BIG-IP ASM "query_string" attribute. |
| Referer (http) | This is the name of the referrer, extracted from the header of the HTTP request. |
| Request (http) | Obtained from the BIG-IP ASM "request" attribute. |
| Request Blocked | Obtained from the BIG-IP ASM "request_blocked" attribute. |
| Response Code (http) | Obtained from the BIG-IP ASM "response_code" attribute. |
| Session Cookies | This provides the user-identification cookies, extracted from the header of the HTTP request. |
| Support ID | Obtained from the BIG-IP ASM "support_id" attribute. Clicking the link provides details of the violation in BIG-IP ASM. Note: The link does not function if ASM is restarted after monitoring the traffic. |
| URI (http) | Obtained from the BIG-IP ASM "uri" attribute. |
| Unit Hostname (http) | Obtained from the BIG-IP ASM "unit_hostname" attribute. |
| User Agent (http) | Name of user agent, from the header of the HTTP request. |
| Violations | Obtained from the BIG-IP ASM "violations" attribute. |
| Web Application Name | Provides the name of the Web application, as obtained from the BIG-IP ASM "web_application_name" attribute. |
| Web Client IP Address | Displays the IP address of the Web client, as obtained from the BIG-IP ASM "ip" attribute. |
| Web Host | WAF host name, extracted from the header of the HTTP request. |
| Web Username | If known, this provides the login username of the user. If the user is not known, but cookies with the specified prefix are provided, this displays "Anonymous_<cookie value>". If the HTTP request in the syslog message contains no cookies with the specified prefix, "Unknown_<auto incrementing number>" is displayed. |
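
The following added example is not part of Oracle's documentation or product. It shows how a reviewer could use the Context and F5 attributes together to pick out records whose user attribution or WAF correlation is weak. The dict layout, sample values and function names are assumptions; only the attribute names and value strings come from the tables above.

```python
# Constructed sample records. Keys reuse the attribute names from Tables D-3
# and D-4; the dict layout is an assumption, not a documented export format.
SAMPLE_RECORDS = [
    {"DB User Name": "app_rw", "DB User Name Origin": "network",
     "DB User Name (raw)": "app_rw", "Match Result": "PolicyConfirmed",
     "Web Username": "jsmith"},
    {"DB User Name": "app_rw", "DB User Name Origin": "dbquery",
     "DB User Name (raw)": "unknown_username", "Match Result": "PolicyConflict",
     "Web Username": "Anonymous_7f3a"},
    {"DB User Name": "unknown_username", "DB User Name Origin": "generated",
     "DB User Name (raw)": "unknown_username", "Match Result": "NoMatchDataMasked",
     "Web Username": "Unknown_12"},
]

# Match Result values that leave the WAF alert and the SQL statement unreconciled.
MATCH_NOTES = {
    "PolicyConflict": "ASM alerted but the SQL statement drew no block/warn",
    "NoMatch": "ASM syslog message not matched with an SQL statement",
    "NoMatchDataMasked": "ASM masked a field, so no match was possible",
}

def web_user_kind(name):
    """Classify a Web Username value by the prefixes Table D-4 describes."""
    if name.startswith("Unknown_"):
        return "unknown"        # request carried no cookie with the prefix
    if name.startswith("Anonymous_"):
        return "cookie-only"    # identified by cookie value, not by login
    return "login"

def triage(record):
    """Return review notes for one record; an empty list means none."""
    notes = []
    match = record.get("Match Result")
    if match in MATCH_NOTES:
        notes.append(f"{match}: {MATCH_NOTES[match]}")
    if record.get("DB User Name Origin") == "generated":
        notes.append("DB user name was assumed, not observed")
    elif record.get("DB User Name (raw)") == "unknown_username":
        # The name was resolved only after the statement policy had run.
        notes.append("statement policy was applied with unknown_username")
    web_user = record.get("Web Username")
    if web_user and web_user_kind(web_user) != "login":
        notes.append(f"web user is {web_user_kind(web_user)}")
    return notes

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec["Match Result"], triage(rec))
```
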