Describe the bug
Hi team,
We have configured the filter plugin filter-plugin/logstash-filter-mysql-azure-guardium/azure_mysql.conf, but it is not auditing any events in Guardium, even though we are not seeing any errors in the Universal Connector log files.
After reviewing the filter used in azure_mysql.conf, we suspect the issue lies in the filter itself, where some fields (such as TIMESTAMP, CLIENT_HOST_NAME, etc.) are added and then removed a few lines later:
```
mutate {
  add_field => {
    "[TIMESTAMP]" => "%{updatedeventtime}"
    "[CLIENT_HOST_NAME]" => "%{host_name}"
    "[STATEMENT]" => "%{statement}"
    "[Client_IP]" => "%{client_ip}"
    "[SERVER_INSTANCE_NAME]" => "%{server_instance_name}"
    "[SUCCEEDED]" => "%{succeeded}"
    "[User_Name]" => "%{server_principal_name}"
    "[APPLICATION_NAME]" => "%{application_name}"
    "[Session_ID]" => "%{session_id}"
    "[Server_Hostname]" => "%{enrollmentId}_%{server_instance_name}"
  }
}
mutate { gsub => [ "STATEMENT", "[\n]", "" ] }
azuresql_guardium_plugin_filter{}
mutate {
  remove_field => [
    "@version", "type", "@timestamp", "additional_information", "session_id",
    "updatedeventtime", "client_ip", "User_Name", "server_principal_name",
    "statement", "host_name", "server_instance_name", "succeeded",
    "database_name", "application_name", "TIMESTAMP", "CLIENT_HOST_NAME",
    "STATEMENT", "Client_IP", "SERVER_INSTANCE_NAME", "SUCCEEDED", "User_Name",
    "APPLICATION_NAME", "Session_ID", "Server_Hostname", "enrollmentId"
  ]
}
```
Could it be incorrect? What is the purpose of the azuresql_guardium_plugin_filter{} function?
To Reproduce
We have configured it to audit an Azure SQL Server, but we couldn't find any audit events in Guardium, even though we are not receiving any errors.
Expected behavior
We have checked that there are audit events in the configured Azure SQL Databases, but they are not shown in a Full SQL Report on Guardium.
Screenshots
N/A
Environment (please complete the following information):
- Product: Guardium Data Protection
- Version: 11.5
Additional context
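
The filter order in the snippet above, modelled in Python as an added example (not code from the report or from the Guardium project): Logstash runs filters top to bottom, so the custom filter sits between `add_field` and `remove_field` and sees the upper-case fields before they are dropped, and a `%{field}` reference whose source field is missing stays in the value as literal text. The plugin here is a hypothetical stand-in that only records what it receives, and the sample event is constructed.

```python
import re

# Constructed sample event. Field names are the ones the reported config reads;
# "enrollmentId" is left out on purpose to show an unresolved reference.
SAMPLE_EVENT = {
    "updatedeventtime": "2024-01-01T10:00:00Z", "host_name": "app01",
    "statement": "SELECT 1\nFROM t", "client_ip": "10.0.0.5",
    "server_instance_name": "sqlsrv1", "succeeded": "true",
    "server_principal_name": "alice", "application_name": "sqlcmd",
    "session_id": "77",
}
# add_field map from the report ("[NAME]" is a reference to top-level field NAME).
ADD_FIELD = {
    "TIMESTAMP": "%{updatedeventtime}", "CLIENT_HOST_NAME": "%{host_name}",
    "STATEMENT": "%{statement}", "Client_IP": "%{client_ip}",
    "SERVER_INSTANCE_NAME": "%{server_instance_name}", "SUCCEEDED": "%{succeeded}",
    "User_Name": "%{server_principal_name}", "APPLICATION_NAME": "%{application_name}",
    "Session_ID": "%{session_id}",
    "Server_Hostname": "%{enrollmentId}_%{server_instance_name}",
}
# remove_field list from the report: metadata, source fields, then every added field.
REMOVE_FIELD = ("@version type @timestamp additional_information session_id "
                "updatedeventtime client_ip server_principal_name statement host_name "
                "server_instance_name succeeded database_name application_name "
                "enrollmentId").split() + list(ADD_FIELD)
PLACEHOLDER = re.compile(r"%\{([^}]+)\}")

def sprintf(template, event):
    # Logstash leaves %{name} as literal text when the event has no such field.
    return PLACEHOLDER.sub(lambda m: str(event.get(m.group(1), m.group(0))), template)

def run_pipeline(event, plugin):
    event = dict(event)
    for target, template in ADD_FIELD.items():          # mutate { add_field }
        event[target] = sprintf(template, event)
    event["STATEMENT"] = re.sub(r"[\n]", "", event["STATEMENT"])  # mutate { gsub }
    plugin(event)                                       # custom filter runs here
    for name in REMOVE_FIELD:                           # mutate { remove_field }
        event.pop(name, None)
    return event

def trace(event):
    """Return (fields the stand-in plugin saw, event left after remove_field)."""
    seen = {}
    final = run_pipeline(event, lambda ev: seen.update({k: ev[k] for k in ADD_FIELD}))
    return seen, final

def unresolved(fields):
    """Names of added fields that still carry a literal %{...} placeholder."""
    return sorted(k for k, v in fields.items() if PLACEHOLDER.search(v))
```

Because the stand-in writes nothing back, the event left after `remove_field` is empty; only a field the real filter adds under a name outside that list would survive the cleanup.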