Fortinet black logo

Handbook (HTML)

Tutorial: Monitoring a database table using the native auditing feature

Copy Link
Copy Doc ID 73ac471a-9afd-11ea-8862-00505692583a:272767

Tutorial: Monitoring a database table using the native auditing feature

You can configure FortiDB to use your database’s auditing features to monitor specific database tables and generate alerts based on policies you specify. For example, you can configure FortiDB to generate alerts when it detects security violations or suspicious database users. You can then use the alert information to generate a report

This example configures FortiDB to monitor an Oracle database. Before you start the tutorial, ensure that the database has the required configuration. For details, see Oracle target database pre-configuration .

FortiDB can use several different methods to collect information from the monitoring process. The value of your database’s audit_trail parameter determines which collection method you use. For this example, because the value of audit_trail is db, extended, the collection method is DB, EXTENDED.

For a description of other collection methods, see Configuring Oracle monitoring.

Create a target

A target specifies a database for FortiDB to monitor.

  1. Log in to FortiDB using the following credentials (the default values):
  2. User Name admin
    Password fortidb1!$

    All DAM tasks require the user to log in as admin.

  3. In the navigation menu, go to Target Database Server > Targets.
  4. On the Targets page, click Add.
  5. On the General tab, enter the following information. For this example, the target is an Oracle database:
  6. Name dam2target
    Type Oracle
    DB Host Name/IP The IP address or name of the machine where the database is located (for example, test_machine or 172.30.12.112)
    Port The number of the port the database uses; the default port is 1521
    DB Name

    The name of the database (for example, orcl)

    User Name The database user name
    Password The password for the database user
    DB Activity Monitoring Select Allow.
  7. To verify that the connection parameters are correct, click Test Connection.
  8. The message "Success" is displayed at the top of the page.

  9. Click Save.
  10. The dam2target item is displayed in the list of targets.

Configure an alert policy for a database table
  1. In the navigation menu, click DB Activity Monitoring > Monitoring Management.
  2. Your target database is listed on the Target Monitoring Management page.

  3. Click damtarget (the name of the target you created).
  4. On the General tab, confirm that the following default Audit Configuration values are selected:
  5. Collection Method DB, EXTENDED
    Polling Frequency 60 (default value)
  6. To test the collection method, click Test.
  7. The message "Success" is displayed the top of the page.

  8. Click the Alert Policies tab.
  9. At the bottom-left of the page, for Data Policies, select Table, and then click Add.
  10. On the Target Monitor:<target name> page, configure a table policy using the following values:
  11. Policy Name Enter a policy name or use the default name
    Description Enter an optional description
    Enable Selected
    Create new policy group for policy check box Selected
    Severity Informational (the default) or other value

    When you create a table policy, selecting Enable or Create new policy group for policy check box is optional.

  12. Beside Audit Settings, click the triangle icon to view the settings, and then select Browse Object by Target (the default value).
  13. For Schema, select a schema to use (for example, SCOTT).
  14. In the Tables list, select a table to monitor (for example, EMP).
  15. To select multiple tables, click a table, and then Shift-click another table in the list. All tables between the two tables are selected.

  16. Under Audit Actions, select Read, Write, or both.
  17. Click > (right arrow) to move the selected tables and their Audit Action settings to the Selected Objects table.
  18. Move any other tables you want to monitor to the Selected Objects table.
  19. Select Issue alert if ANY of the enabled rules are triggered.
  20. Select Security Violation (selected by default).
  21. Select Suspicious Database Users, and then click the triangle icon beside it to view additional settings.
  22. Select one or more user names, and then click > (right arrow) to move them to the Selected users list.
  23. Select Alert any successful access if the database matches a selected entry.
  24. Select Save.
  25. On the Alert Policies tab, the new policy is listed. The green up-arrow in the Status column indicates that the policy is enabled.

Confirm the policy group was created and start monitoring
  1. Click the Alert Policy Groups tab.
  2. In Selected Policy Groups, confirm that FortiDB created a policy group based on the alert policy that you created.
  3. In Selected Policy Groups, select the new policy group, and then confirm that the alert policy that you created is displayed in the Selected Policy Group contents list.
  4. To start monitoring the database, click the General tab, and then click Start Monitoring.
  5. Monitor Status displays Starting and then Running.

View alerts generated by the policy and export them as a report
  1. Using a database client-side application, execute several SQL statements that generate alerts.
  2. To view alerts, click DB Activity Monitoring > Security Alerts.
  3. In the Security Alerts list, click an item to display its details under Alert Details (below the list).
  4. To hide the alert details, beside Alert Details, click the triangle icon.

  5. To create a customized report, click Report > User-Defined DAM Reports, and then select Add.
  6. On the General tab, for Name, enter a name for the report. Optionally, for Description, enter a short description for the report.
  7. Click the Table View tab.
  8. In the Available Columns list, select columns to include in the report, and then click >> (right arrows) to add the selected columns to the Columns in Report list.
  9. Click Save.
  10. On the User-Defined Alert Reports page, in the list of reports, select the report you just created, and then click Run.
  11. After FortiDB has run the report, beside the report name, click [+] (plus sign).
  12. A list of items with names created from the report name and run times is displayed.

  13. Click a run report item to view the report.
  14. To export the report, click one of the following file format icons:
    • PDF

    • TXT (tab-delimited)

    • XLS (Excel)

    • CSV (comma-separated values)

    Your browser prompts you to download a file of the specified format.

    See also

Tutorial: Monitoring a database table using the native auditing feature

You can configure FortiDB to use your database’s auditing features to monitor specific database tables and generate alerts based on policies you specify. For example, you can configure FortiDB to generate alerts when it detects security violations or suspicious database users. You can then use the alert information to generate a report

This example configures FortiDB to monitor an Oracle database. Before you start the tutorial, ensure that the database has the required configuration. For details, see Oracle target database pre-configuration .

FortiDB can use several different methods to collect information from the monitoring process. The value of your database’s audit_trail parameter determines which collection method you use. For this example, because the value of audit_trail is db, extended, the collection method is DB, EXTENDED.

For a description of other collection methods, see Configuring Oracle monitoring.

Create a target

A target specifies a database for FortiDB to monitor.

  1. Log in to FortiDB using the following credentials (the default values):
  2. User Name admin
    Password fortidb1!$

    All DAM tasks require the user to log in as admin.

  3. In the navigation menu, go to Target Database Server > Targets.
  4. On the Targets page, click Add.
  5. On the General tab, enter the following information. For this example, the target is an Oracle database:
  6. Name dam2target
    Type Oracle
    DB Host Name/IP The IP address or name of the machine where the database is located (for example, test_machine or 172.30.12.112)
    Port The number of the port the database uses; the default port is 1521
    DB Name

    The name of the database (for example, orcl)

    User Name The database user name
    Password The password for the database user
    DB Activity Monitoring Select Allow.
  7. To verify that the connection parameters are correct, click Test Connection.
  8. The message "Success" is displayed at the top of the page.

  9. Click Save.
  10. The dam2target item is displayed in the list of targets.

Configure an alert policy for a database table
  1. In the navigation menu, click DB Activity Monitoring > Monitoring Management.
  2. Your target database is listed on the Target Monitoring Management page.

  3. Click damtarget (the name of the target you created).
  4. On the General tab, confirm that the following default Audit Configuration values are selected:
  5. Collection Method DB, EXTENDED
    Polling Frequency 60 (default value)
  6. To test the collection method, click Test.
  7. The message "Success" is displayed the top of the page.

  8. Click the Alert Policies tab.
  9. At the bottom-left of the page, for Data Policies, select Table, and then click Add.
  10. On the Target Monitor:<target name> page, configure a table policy using the following values:
  11. Policy Name Enter a policy name or use the default name
    Description Enter an optional description
    Enable Selected
    Create new policy group for policy check box Selected
    Severity Informational (the default) or other value

    When you create a table policy, selecting Enable or Create new policy group for policy check box is optional.

  12. Beside Audit Settings, click the triangle icon to view the settings, and then select Browse Object by Target (the default value).
  13. For Schema, select a schema to use (for example, SCOTT).
  14. In the Tables list, select a table to monitor (for example, EMP).
  15. To select multiple tables, click a table, and then Shift-click another table in the list. All tables between the two tables are selected.

  16. Under Audit Actions, select Read, Write, or both.
  17. Click > (right arrow) to move the selected tables and their Audit Action settings to the Selected Objects table.
  18. Move any other tables you want to monitor to the Selected Objects table.
  19. Select Issue alert if ANY of the enabled rules are triggered.
  20. Select Security Violation (selected by default).
  21. Select Suspicious Database Users, and then click the triangle icon beside it to view additional settings.
  22. Select one or more user names, and then click > (right arrow) to move them to the Selected users list.
  23. Select Alert any successful access if the database matches a selected entry.
  24. Select Save.
  25. On the Alert Policies tab, the new policy is listed. The green up-arrow in the Status column indicates that the policy is enabled.

Confirm the policy group was created and start monitoring
  1. Click the Alert Policy Groups tab.
  2. In Selected Policy Groups, confirm that FortiDB created a policy group based on the alert policy that you created.
  3. In Selected Policy Groups, select the new policy group, and then confirm that the alert policy that you created is displayed in the Selected Policy Group contents list.
  4. To start monitoring the database, click the General tab, and then click Start Monitoring.
  5. Monitor Status displays Starting and then Running.

View alerts generated by the policy and export them as a report
  1. Using a database client-side application, execute several SQL statements that generate alerts.
  2. To view alerts, click DB Activity Monitoring > Security Alerts.
  3. In the Security Alerts list, click an item to display its details under Alert Details (below the list).
  4. To hide the alert details, beside Alert Details, click the triangle icon.

  5. To create a customized report, click Report > User-Defined DAM Reports, and then select Add.
  6. On the General tab, for Name, enter a name for the report. Optionally, for Description, enter a short description for the report.
  7. Click the Table View tab.
  8. In the Available Columns list, select columns to include in the report, and then click >> (right arrows) to add the selected columns to the Columns in Report list.
  9. Click Save.
  10. On the User-Defined Alert Reports page, in the list of reports, select the report you just created, and then click Run.
  11. After FortiDB has run the report, beside the report name, click [+] (plus sign).
  12. A list of items with names created from the report name and run times is displayed.

  13. Click a run report item to view the report.
  14. To export the report, click one of the following file format icons:
    • PDF

    • TXT (tab-delimited)

    • XLS (Excel)

    • CSV (comma-separated values)

    Your browser prompts you to download a file of the specified format.

    See also