Rule Chaining

Chaining with Parameterized User-Defined Rules

Chained-Rule Alerts: (UBM Session Policy and PUDR)

5. Get an alert when the Source rule (the Session Policy) is violated.

6. Get another alert when the chained PUDR executes and, in this case, kills the session of BAD_GUY.

7. And, in the Alert Details dialog, display the DB user name, OS user name, machine name, and source-program name, as shown above.

Resulting Killed Session

8. Notice that our SQLPlus session has been killed.

Alert Behavior

This topic describes various alert behaviors that users should be aware of.

Table Columns That Could Appear in Alerts

Be careful when specifying the SQL for your UDRs. Statements like "SELECT * FROM <table_name>", where <table_name> has a lot of columns, may produce alerts that are difficult to read because of the large number of columns. It is better to be more specific, as in "SELECT <column_name1>, ... , <column_nameN> FROM <table_name>".

For example, in Oracle, v$session has over 40 columns, so instead of this statement:

SELECT * FROM v$session WHERE osuser = '$osusername'

you might want to use one with specific columns, like:

FortiDB Version 3.2 Utilities

User Guide

15-32000-81369-20081219
