This website uses cookies. By continuing to browse or login to this website, you consent to the use of cookies. Learn more.
OK
scolicchio
Absent Member.
Absent Member.
‎2012-11-06 16:17
297 views

SQL table monitoring

Hello,

  I am trying to monitor specific fields in a table for changes. Most documentation I find around this task focuses on the actual ArcSight database itself and not other Oracle Databases. I have monitoring setup for when the database user logs on, but not when a table change is made. Any help in the matter or pointing in the direction of documentation of this issue is greatly appreciated. Thanks in advance!

Labels (2)
Labels
0 Likes
Report Inappropriate Content
2 Replies
scolicchio
Absent Member.
Absent Member.
‎2012-11-06 17:59

for example, i need to monitor selects, updates and deletes to a specific table by a specific user. is there a simple way to do this seemingly straight forward task?

an example of a filter not working

event1 :
( Target Host Name = some_dev_db AND ( Device Host Name = some_dev_db AND Type != Correlation AND ( ( Name = delete [ignore case] AND Target User ID = user1 ) OR ( Name = alter [ignore case] AND Target User ID = user1 ) OR ( Name = select [ignore case] AND Target User ID = user1 ) OR ( Name = update [ignore case] AND Target User ID = user1 ) OR ( Name = insert [ignore case] AND Target User ID = user1 ) OR ( Name = delete [ignore case] AND Target User ID = user2 ) OR ( Name = alter [ignore case] AND Target User ID = user 2) OR ( Name = select [ignore case] AND Target User ID = user2 ) OR ( Name = update [ignore case] AND Target User ID = user2 ) OR ( Name = insert [ignore case] AND Target User ID = user2 ) OR ( Name = delete [ignore case] AND Target User ID = user3 ) OR ( Name = select [ignore case] AND Target User ID = user3 ) OR ( Name = alter [ignore case] AND Target User ID = user3 ) OR ( Name = update [ignore case] AND Target User ID = user3 ) OR ( Name = insert [ignore case] AND Target User ID = user3 ) OR ( Name = delete [ignore case] AND Target User ID = SYSTEM ) OR ( Name = select [ignore case] AND Target User ID = SYSTEM ) OR ( Name = alter [ignore case] AND Target User ID = SYSTEM ) OR ( Name = update [ignore case] AND Target User ID = SYSTEM ) OR ( Name = insert [ignore case] AND Target User ID = SYSTEM ) ) AND ( Device Vendor = Unix OR Device Vendor = ORACLE ) ) )

0 Likes
Report Inappropriate Content
balahasan.v1
Fleet Admiral
Fleet Admiral
‎2012-11-06 21:21

Hi Sean C,

The problem might be with field mapping. Please replace Name,Target User ID "=" --> "Contains".

Or Problem might be with the AND Operator.Recheck it with the Sample Active Channel.

Please find the Flex guide and Refer page No: 40 for ArcSight Event Field Parameters and Type.

Regards,

Balahasan.V

0 Likes
Report Inappropriate Content
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.