The list of fields available in alerts is defined here:
https://cmp.guardium.notes:8443/guardhelp_kc/SSMPHH_11.1.0/com.ibm.guardium.doc.admin/config/configuring_global_profile.html
There is no ObjectName on the list.
It makes sense because SQL can contain a varying number of objects.
------------------------------
Zbigniew (Zibi) Szmigiero
IBM
Warsaw
------------------------------
Original Message:
Sent: Thu May 07, 2020 02:10 PM
From: Brian Greenwood
Subject: Send Object Name in Sys Log Template
Hello,
I have a Policy built under the Access Type of Policy. I have a Rule where I am matching on traffic that meets certain parameters. I am sending those alerts through Sys Log to our SIEM tool (QRadar). I have created a template with the below fields in the Global Profile. The only field I am having trouble with is the "Object Name" field. I have it set up like this: "Object Name=%%ObjectName". It does not work. I am being told that Object Name can't be sent in a template to Syslog. Has anyone had any luck sending the Object Name field to the Sys Log in a template? Not sure why it would be the only field that does not work?
LEEF:1.0|IBM|Guardium|10.0|%%ruleDescription|ruleID=%%ruleID|ruleDesc=%%ruleDescription|severity=%%severity|devTime=%%receiptTime|serverType=%%serverType|classification=%%classification|category=%%category|dbProtocolVersion=%%DBProtocolVersion|usrName=%%AppUserName|sourceProgram=%%SourceProgram|start=%%sessionStartMills|dbUser=%%DBUser|dst=%%serverIP|dstPort=%%serverPort|src=%%clientIP|srcPort=%%clientPort|protocol=%%netProtocol|type=%%requestType|violationID=%%violationID|sql=%%SQLString|error=%%lastError|Database name=%%DBName|Object Name=%%ObjectName
Brian Greenwood CPC HCISSP-A
Information Security Analyst II
Arkansas Blue Cross and Blue Shield
515 Pershing Blvd
North Little Rock, Arkansas 72214
Office | 501-210-4319
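The reply's point, that one statement can reference a varying number of objects, shown on the receiving side as an added example (not part of the original thread and not IBM's code): it parses a line laid out like the template in the original message and pulls object names out of the sql field. The sample line, the function names and the keyword regex are assumptions; the regex is a heuristic, not a SQL parser.

```python
import re

# Attribute keys copied from the template in the original message.
KEYS = ["ruleID", "ruleDesc", "severity", "devTime", "serverType",
        "classification", "category", "dbProtocolVersion", "usrName",
        "sourceProgram", "start", "dbUser", "dst", "dstPort", "src",
        "srcPort", "protocol", "type", "violationID", "sql", "error",
        "Database name"]

# Split only at "|<known key>=" so a "|" inside the SQL text stays in its field.
KEY_RE = re.compile(r"\|(" + "|".join(re.escape(k) for k in KEYS) + r")=")

# Heuristic: a (possibly schema-qualified) identifier after a keyword that
# introduces a table or view. Comma-separated FROM lists are not handled.
OBJ_RE = re.compile(
    r"\b(?:FROM|JOIN|INTO|UPDATE|TABLE)\s+"
    r"([A-Za-z_][\w$#]*(?:\.[A-Za-z_][\w$#]*)*)", re.IGNORECASE)


def parse_event(line):
    """Return the key=value attributes of one templated alert line."""
    parts = KEY_RE.split(line)  # [header, key1, value1, key2, value2, ...]
    return dict(zip(parts[1::2], parts[2::2]))


def object_names(sql):
    """Return the distinct object names found in a SQL string, in order."""
    names = []
    for name in OBJ_RE.findall(sql):
        if name.lower() not in [n.lower() for n in names]:
            names.append(name)
    return names


# Constructed sample line (not real Guardium output), shortened to a few fields.
SAMPLE = ("LEEF:1.0|IBM|Guardium|10.0|Sensitive table access"
          "|ruleID=20001|ruleDesc=Sensitive table access|dbUser=APPUSER"
          "|sql=SELECT c.name || '|' || o.total FROM hr.customers c "
          "JOIN orders o ON o.cid = c.id"
          "|error=|Database name=SALES")

if __name__ == "__main__":
    event = parse_event(SAMPLE)
    print(event["Database name"], object_names(event["sql"]))
```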