GBDI 4.1

Examples Adding Custom DM Extracts

This subsection provides a few examples of DMs built on existing Guardium reports or on reports built on existing domains. All examples follow the same pattern, and additional extracts are easy to define the same way.

Entitlement Data

Entitlement data in Guardium is maintained as a set of custom tables. Make sure you have data sources defined and that data has been loaded into the custom tables. Then open the predefined report that you wish to extract as a DM, for example, ORA Object Privileges, and click the Data Mart button (shown here for V10):

[Screenshot: the Data Mart button on the report]

Enter the data mart configuration definition as shown below. The Data Mart Name is used within the grdapi call. Select File and enter the file name (make sure the file name starts with EXP_, and note that the rest of the file name determines the default collection name that will be created in GBDI). Set the time granularity to 1 hour and set the initial start to the current time or close to it. Apply your changes.

[Screenshot: the data mart configuration definition]

Run the following grdapi commands to set up the DM and the schedule:

grdapi datamart_update_copy_file_info destinationHost="<host>" destinationPassword="<pwd>" destinationPath="<path>" destinationUser="sonargd" Name="Export: Ora object priv" transferMethod="SCP"

grdapi schedule_job jobType=dataMartExtraction cronString="0 40 0/1 ? * 1,2,3,4,5,6,7" objectName="Export: Ora object priv"

Files will typically start coming in 1 hour from now.
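Every DM on this page is set up with the same pair of grdapi commands, differing only in the DM name and the cron minute. The following helper, an added example and not part of the GBDI product or its documentation, builds that pair for one DM and cross-checks an existing pair for the mistakes that make an extract silently fail to copy (the Name in datamart_update_copy_file_info not matching the objectName in schedule_job, a malformed destinationPath, or a wrong jobType); the host, path and password values are placeholders.

```python
import re

# Added example: generate and sanity-check the grdapi command pair for one DM.
# Not GBDI code; Guardium's cron format "0 <min> 0/1 ? * 1,2,3,4,5,6,7" is
# copied from the commands above (hourly, every day of the week).
CRON_DAYS = "1,2,3,4,5,6,7"


def build_dm_commands(name, minute, host, path, user="sonargd", password="<pwd>"):
    """Return (copy_file_info_cmd, schedule_job_cmd) for data mart `name`.
    `minute` staggers the hourly runs so several DMs do not all fire at once."""
    if not 0 <= minute <= 59:
        raise ValueError("minute must be 0..59")
    cron = f"0 {minute} 0/1 ? * {CRON_DAYS}"
    copy = ('grdapi datamart_update_copy_file_info '
            f'destinationHost="{host}" destinationPassword="{password}" '
            f'destinationPath="{path}" destinationUser="{user}" '
            f'Name="{name}" transferMethod="SCP"')
    sched = ('grdapi schedule_job jobType=dataMartExtraction '
             f'cronString="{cron}" objectName="{name}"')
    return copy, sched


# key=value or key="value with spaces"
_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_grdapi(line):
    """Parse the key/value arguments of one grdapi line into a dict."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
            for m in _KV.finditer(line)}


def check_dm_pair(copy_line, sched_line):
    """Return the list of problems found in a copy_file_info / schedule_job pair."""
    c, s = parse_grdapi(copy_line), parse_grdapi(sched_line)
    problems = []
    if c.get("Name") != s.get("objectName"):
        problems.append(f'Name {c.get("Name")!r} != objectName {s.get("objectName")!r}')
    if s.get("jobType") != "dataMartExtraction":
        problems.append("jobType is not dataMartExtraction")
    if c.get("transferMethod") != "SCP":
        problems.append("transferMethod is not SCP")
    path = c.get("destinationPath", "")
    # Accept the literal <path> placeholder or an absolute path; anything
    # else (e.g. stray characters after the placeholder) is a typo.
    if not (path == "<path>" or path.startswith("/")):
        problems.append(f"suspicious destinationPath {path!r}")
    if not re.fullmatch(r"0 \d{1,2} 0/1 \? \* [\d,]+", s.get("cronString", "")):
        problems.append("cronString is not an hourly Guardium schedule")
    return problems
```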

By default all fields are imported as strings. If you want the ETL to convert fields to dates or numbers, you need to edit the sonargd.conf file on GBDI. For example, the entitlements report has a field named SqlGuard Timestamp. To ensure that it is brought in as a timestamp, perform the following steps:

  1. Edit the conf file via sudo vi /etc/sonar/sonargd.conf.

  2. You can define the field type in the general section (under int or under date), or you can define a section specific to this CSV file name. In this case, since many DM extracts include this field, it makes sense to add it under the general date section.

  3. Save the file and restart the sonargd service.

User Definitions

Use the built-in report named Guardium Users - credentials to set up the DM and then use the following grdapi:

grdapi datamart_update_copy_file_info destinationHost="<host>" destinationPassword="<pwd>" destinationPath="<path>" destinationUser="sonargd" Name="Export: User Credentials" transferMethod="SCP"

grdapi schedule_job jobType=dataMartExtraction cronString="0 45 0/1 ? * 1,2,3,4,5,6,7" objectName="Export: User Credentials"

User Activity

There is a predefined report called Detailed Guardium User Activity, but you cannot use it directly because it has two additional filters besides the from-to times. Instead, clone the report, remove the two additional filters, and define the DM on the new report. Use the following grdapi commands:

grdapi datamart_update_copy_file_info destinationHost="<host>" destinationPassword="<pwd>" destinationPath="<path>" destinationUser="sonargd" Name="Export: Guard User Activity" transferMethod="SCP"

grdapi schedule_job jobType=dataMartExtraction cronString="0 10 0/1 ? * 1,2,3,4,5,6,7" objectName="Export: Guard User Activity"

Alerts Sent

The three prebuilt alert reports in Guardium (Alert Notification, Logged R/T Alerts and Logged Threshold Alerts) do not allow a DM to be defined on them by default, so you need to build a report based on the domain instead. Open the Query Builder for the Alert domain and build the desired report (for example, with Messages Sent as the main entity). Save it and define the DM on it. Then run the grdapi commands using the DM name you gave when defining the DM (in this case Export: Alert):

grdapi datamart_update_copy_file_info destinationHost="<host>" destinationPassword="<pwd>" destinationPath="<path>" destinationUser="sonargd" Name="Export: Alert" transferMethod="SCP"

grdapi schedule_job jobType=dataMartExtraction cronString="0 10 0/1 ? * 1,2,3,4,5,6,7" objectName="Export: Alert"

Policy Changes

Use the prebuilt report "Policy Changes" and define a DM on it. Note that this report is actually based on user activity and is therefore a subset of the User Activity DM defined above. Use the following grdapi commands:

grdapi datamart_update_copy_file_info destinationHost="<host>" destinationPassword="<pwd>" destinationPath="<path>" destinationUser="sonargd" Name="Export: Policy Changes" transferMethod="SCP"

grdapi schedule_job jobType=dataMartExtraction cronString="0 10 0/1 ? * 1,2,3,4,5,6,7" objectName="Export: Policy Changes"

Audit Process Sign Offs

Use the Audit Process Result Comments as your main entity and define the DM from your new report.

Archive Aggregation Logs

Data archive logs are part of the Archive and Aggregation Log report and can be used to track the archiving of data even when you are using GBDI and no longer using aggregation. Use the built-in Aggregation/Archive Log report and build a DM from it.