Hi Akash,
I would consider creating a custom logging template. There are a lot of fields that are not included in the default template as well as the other example templates that come with Guardium. Check out this doc where you can choose the variables that apply to the type of database you are monitoring with your security policy. There are variables that only apply to certain types of databases, distributed vs mainframe type monitoring.
https://www.ibm.com/docs/en/guardium/11.5?topic=profile-alert-message-template
In addition, I'd get with your Splunk team to get the logs you are sending parsed and indexed consistently. They will appreciate a template that provides key/value pairs. As an example, something like this would be helpful. You can substitute other delimiters as well.
rule_description="%%ruleDescription", client_ip="%%clientIP", server_ip="%%serverIP", db_user="%%DBUser", source_program="%%SourceProgram", database_name="%%DBName", sql_verb="%%Verb", object="%%Object", object_type="%%objectType"
Good luck!
------------------------------
Patrick OBrien
------------------------------
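As an added example (not part of this thread, and not Guardium's or Splunk's own tooling), here is a small Python parser for lines rendered from a key="value" template like the one suggested above, plus a simple failed-login check run over constructed sample events. The exception_type and error_text keys are names assumed for this example, not Guardium template variables, and the sample lines are constructed.

```python
import re
from collections import Counter

# Constructed sample lines in the key="value" layout discussed above.
# exception_type and error_text are assumed key names chosen for this example.
SAMPLE_LOGS = [
    'rule_description="SQL errors", client_ip="10.0.0.21", server_ip="10.0.0.5", '
    'db_user="appuser", source_program="sqlplus", database_name="ORCL", '
    'exception_type="SQL_ERROR", error_text="ORA-00942: table or view does not exist"',
    'rule_description="Failed logins", client_ip="10.0.0.77", server_ip="10.0.0.5", '
    'db_user="sa", source_program="python", database_name="PROD", '
    'exception_type="LOGIN_FAILED", error_text="Login failed for user \\"sa\\", reason: bad password"',
    'rule_description="Failed logins", client_ip="10.0.0.77", server_ip="10.0.0.5", '
    'db_user="sa", source_program="python", database_name="PROD", '
    'exception_type="LOGIN_FAILED", error_text="Login failed for user \\"sa\\""',
]

# One key="value" pair. The value may contain commas and spaces (common in
# error text) and backslash-escaped quotes; whether the template escapes
# quotes inside values is an assumption, so the parser tolerates both forms.
PAIR_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_kv_line(line):
    """Turn one rendered template line into a dict of field -> value."""
    return {k: v.replace('\\"', '"') for k, v in PAIR_RE.findall(line)}


def failed_logins_by_client(lines, threshold=2):
    """Count LOGIN_FAILED events per (client_ip, db_user) and return the pairs
    that reach the threshold, the kind of aggregation a SIEM alert would do."""
    counts = Counter()
    for line in lines:
        event = parse_kv_line(line)
        if event.get("exception_type") == "LOGIN_FAILED":
            counts[(event["client_ip"], event["db_user"])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(parse_kv_line(line))
    print(failed_logins_by_client(SAMPLE_LOGS))
```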
Original Message:
Sent: Wed January 11, 2023 07:42 AM
From: Akash Parmar
Subject: Guardium Splunk SIEM Integration
Dear Seniors,
We have to configure Guardium with Splunk SIEM in order to send real-time logs. Initially, we want to send failed SQL error logs caused by the users; the columns should include DB UserName, Server IP, Client IP, DB User Name, Database Error Text, Exception Type Description, Database Name, Source Program, OS User, Service Name to the Splunk SIEM.
We have the following configured in the Global Profile Template; however, it is not sending the above-mentioned columns from Guardium to Splunk SIEM. Could anyone please guide me on how I can achieve this? Thanks much for your kind support; your guidance will be appreciated much!
This is what we are receiving as of now on Splunk SIEM.
------------------------------
Sincerely,
Sky Christi
------------------------------