Sybase

 
July 2nd, 2015, 08:57 AM
pottapitot
Auditing Sybase ASE 15.7

Hi,

I am currently trying to collect the audit logs from the Sybase ASE 15.7 sysaudits table. A SIEM will be using a query to read the audit logs.
Since the sysaudits table can be read by users with the SSO role, we had to find an alternative since we cannot give the privilege to the SIEM. Our DBA tried to create a view for this purpose, but since the account used by the SIEM does not have the SSO role, it failed.
So the DBA proposed we create another table with the same structure (event, eventmod, spid, eventtime, sequence, suid, dbid, objid, xactid, loginname, dbname, objname, objowner, extrainfo, nodeid) and he would write a script that would read from the sysaudits table and write to this new table every 5 minutes.
So we went ahead with the solution; however, I ran across a problem, which is why I need help.

The SIEM solution will read using a query provided by the DBA; however, the SIEM solution needs a unique column to keep track of which record it last read. I noticed there is no such unique column in sysaudits. Moreover, I noticed certain commands are broken into multiple entries, and the sequence ID is used to keep track of them.

1) I was thinking about whether I should add another auto-incrementing ID column. That will help in keeping track of the audit logs.
2) For the sequence ID and commands broken into multiple entries, I was thinking perhaps to use a script which reads from sysaudits and, when it encounters a command broken into multiple entries, merges it into one entry and writes it into our table rather than the original multiple entries with sequence numbers.

How should I frame the query for this? Or is there a better way of going about this?

Also, I noticed we only get 92 in the event column, even though Sybase specified we can get different values for the event field. Am I supposed to get the other values also?



Thanks in advance
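
One way to structure the copy job described in the post, as an added example that is not part of the original post or the DBA's script: it merges multi-row commands into one record, assigns an incrementing ID, and lets the SIEM read by bookmark. Assumptions: fragments of one command share `(eventtime, spid, suid, event)`, their `extrainfo` values concatenate in `sequence` order, the `audit_id` column name and the `since`/`cutoff` window are hypothetical, and the sample rows are constructed.

```python
from itertools import groupby

# Constructed rows with a subset of the sysaudits columns listed in the post.
# Assumption: fragments of one command share KEY and differ in sequence/extrainfo.
KEY = ("eventtime", "spid", "suid", "event")
SAMPLE_ROWS = [
    {"event": 92, "spid": 31, "eventtime": "2015-07-02 08:50:01.113", "sequence": 2,
     "suid": 5, "loginname": "app_user", "extrainfo": "FROM orders WHERE id = 7"},
    {"event": 92, "spid": 31, "eventtime": "2015-07-02 08:50:01.113", "sequence": 1,
     "suid": 5, "loginname": "app_user", "extrainfo": "SELECT total "},
    {"event": 92, "spid": 40, "eventtime": "2015-07-02 08:52:30.500", "sequence": 1,
     "suid": 9, "loginname": "batch", "extrainfo": "DELETE FROM tmp_load"},
    {"event": 92, "spid": 40, "eventtime": "2015-07-02 08:55:00.250", "sequence": 1,
     "suid": 9, "loginname": "batch", "extrainfo": "UPDATE stock "},
]

def _key(row):
    return tuple(row[k] for k in KEY)

def merge_fragments(rows, since, cutoff):
    """Merge fragments with since <= eventtime < cutoff into one record each.
    Rows at or after cutoff wait for the next run, so a command whose later
    fragments are not written yet is never staged half-finished."""
    window = [r for r in rows if since <= r["eventtime"] < cutoff]
    window.sort(key=lambda r: _key(r) + (r["sequence"],))
    merged = []
    for _, group in groupby(window, key=_key):
        parts = list(group)
        record = {k: v for k, v in parts[0].items() if k != "sequence"}
        record["extrainfo"] = "".join(p["extrainfo"] or "" for p in parts)
        merged.append(record)
    return merged

def stage(staging, merged):
    """Append merged records, giving each a strictly increasing audit_id."""
    next_id = staging[-1]["audit_id"] + 1 if staging else 1
    for offset, record in enumerate(merged):
        staging.append({"audit_id": next_id + offset, **record})
    return staging

def read_since(staging, last_id):
    """The SIEM's bookmark query: only records it has not collected yet."""
    return [r for r in staging if r["audit_id"] > last_id]

if __name__ == "__main__":
    table = stage([], merge_fragments(SAMPLE_ROWS, "2015-07-02 08:50:00.000",
                                      "2015-07-02 08:55:00.000"))
    for rec in read_since(table, 0):
        print(rec["audit_id"], rec["loginname"], rec["extrainfo"])
```

Using consecutive, non-overlapping windows (the previous run's `cutoff` becomes the next run's `since`) keeps the job from staging the same audit row twice.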
