7 Replies Latest reply on Apr 3, 2013 1:01 PM by grant_babb

    how to add a custom field to watchlist/alarms and how to create an alarm/report from a correlation rule

      Hi,

       

      I have 3 questions.

       

      1) How to add a custom field to watchlist/alarms? For example, I have a DB system and I have logged in via SYSTEM, and the event is like:

       

       

      HOSTIPDBSID=~10.0.0.72~ ALARMID=~LOGON~ AUDIT_TYPE=~Standard Audit~ SESSION_ID=~113382~ OS_USER=~oracle~ STATEMENTID=~1~ ENTRYID=~1~ TIMESTAMP=~2013-03-28 18:12:31.438300~ DB_USER=~SYSTEM~ USERHOST=~oracle.endersys.com.tr~ OS_PROCESS=~32176~ TERMINAL=~pts/0~ INSTANCE_NUMBER=~0~ ACTION=~100~ STATEMENT_TYPE=~LOGON~ TRANSACTIONID=~0000000000000000~ RETURNCODE=~0~ COMMENT_TEXT=~Authenticated by: DATABASE~ OS_PRIVILEGE=~NONE~ PRIV_USED=~CREATE SESSION~

       

      I have created a watchlist using Field Match, and as for the field I have used Username_Nickname, and created an alarm using this watchlist, but I did not get an alarm. So I think I must use DB_USER as a field, but there is no field like that by default. So I need to create a field to match, and how do I do that?

       

      2) I want to create an alarm for a DB user named DAVID and I want to only create alarms if David makes a DDL (change table format) as depicted at http://www.orafaq.com/faq/what_are_the_difference_between_ddl_dml_and_dcl_commands. So for DDL there is more than one STATEMENT_TYPE (those are CREATE, ALTER, DROP, TRUNCATE...) so

              a) I have to create a custom field named STATEMENT_TYPE so I can match against it. How can I create custom fields? (This is my question number 1.)

              b) There is more than one STATEMENT_TYPE that I must match (those are CREATE, ALTER, DROP, TRUNCATE), so how can I add more than one value for that field to match?

       

      3) I want to create an alarm based on correlation rules. How can I do that? Let's say that I have created a custom correlation rule that finds out a user failed to log in 8 times in a day and after that he successfully logged in, so if that happens

       

         a) I want to create an alarm, so how can I do that? (An alarm criterion should be one correlation rule.)

         b) How can I create a report based on that alarm?

       

       

      Regards
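
The matching the post asks about, sketched outside the product as an added example (not part of the original post and not ESM configuration): it parses the `KEY=~value~` event format shown above, flags DDL by a named DB_USER against several STATEMENT_TYPE values, and finds a successful LOGON that follows 8 failed ones within a day. Assumptions: a non-zero RETURNCODE marks a failed logon, STATEMENT_TYPE may carry an object word after the verb, and all sample events are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

PAIR = re.compile(r"(\w+)=~(.*?)~")                  # KEY=~value~, value may contain spaces
DDL_TYPES = {"CREATE", "ALTER", "DROP", "TRUNCATE"}  # the values listed in the post

def parse_event(line):
    """Split one audit line into a dict of field name -> value."""
    return dict(PAIR.findall(line))

def is_ddl_by(event, db_user):
    """True when db_user issued a statement whose leading verb is a DDL verb."""
    words = event.get("STATEMENT_TYPE", "").upper().split()
    verb = words[0] if words else ""   # assumption: "ALTER TABLE" should match ALTER
    return event.get("DB_USER", "").upper() == db_user.upper() and verb in DDL_TYPES

def logon_after_failures(events, threshold=8, window=timedelta(days=1)):
    """DB_USERs whose successful LOGON follows >= threshold failed LOGONs inside window."""
    failures, hits = defaultdict(list), []
    for ev in sorted(events, key=lambda e: e["TIMESTAMP"]):
        if ev.get("STATEMENT_TYPE") != "LOGON":
            continue
        ts = datetime.strptime(ev["TIMESTAMP"], "%Y-%m-%d %H:%M:%S.%f")
        user = ev["DB_USER"]
        if ev.get("RETURNCODE") != "0":   # assumption: non-zero return code = failed logon
            failures[user].append(ts)
            continue
        if len([t for t in failures[user] if ts - t <= window]) >= threshold:
            hits.append(user)
        failures[user].clear()            # a success resets the failure streak
    return hits

def make_line(ts, user, stype, rc="0"):
    return f"TIMESTAMP=~{ts}~ DB_USER=~{user}~ STATEMENT_TYPE=~{stype}~ RETURNCODE=~{rc}~"

# Constructed sample events (not taken from the post): 8 failed logons, then a success.
SAMPLE = [make_line(f"2013-03-28 09:0{i}:00.000000", "DAVID", "LOGON", "1017") for i in range(8)]
SAMPLE += [make_line("2013-03-28 09:30:00.000000", "DAVID", "LOGON"),
           make_line("2013-03-28 09:31:00.000000", "DAVID", "ALTER TABLE"),
           make_line("2013-03-28 09:32:00.000000", "SYSTEM", "DROP TABLE"),
           make_line("2013-03-28 09:33:00.000000", "DAVID", "SELECT")]
EVENTS = [parse_event(line) for line in SAMPLE]

if __name__ == "__main__":
    print([e["STATEMENT_TYPE"] for e in EVENTS if is_ddl_by(e, "DAVID")])
    print(logon_after_failures(EVENTS))
```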