ip address record in sybase ASE auditing database? [closed]

Question

Closed. This question is off-topic. It is not currently accepting answers.

---

Want to improve this question? Update the question so it's on-topic for Database Administrators Stack Exchange.

Closed 3 years ago.

Improve this question

everone.

I installed the sybsecurity database for auditing in sybase ase 15.5. The installation is OK. I configured the audit commands, for example, for auditing the sa user, and other users of the database.

I see that the column extrainfo for the table sysaudits_01 shows additional information. I need to add the IP address of of users who perform certain commands: for example, GRANT, INSERT, 'UPDATE,DELETE,SELECT, andCREATE`.

I see that rows in login attempts include the IP address in the extrainfo column.

I checked the code of the file C:\Sybase\ASE-15_0\scripts\instsecu but I can't find how to add the IP address to extrainfo to my table.

How can I capture the IP address for certain actions, and record it in extrainfo?

Answer 1

The contents of the extrainfo column is populated in two ways:

• automatically by the auditing system; the actual contents are pre-defined based on what exactly is being audited (eg, audited logins could include the ip address)
• when the sp_addauditrecord proc is called (eg, by a user-defined proc, trigger, batch process)

In order to match an ip address with the various commands you'd have to use the audited login record (that contains the ip address) to obtain the associated spid/suid, then use these values to search follow-on auditing records with the same spid/suid; basically a self-join of the sysaudits table.

Keep in mind that you really don't want to be hitting the sysaudits tables very often with this type of activity as that's not what the tables are designed for. Instead, you'd want to periodically pull the auditing data into some other database/table/repository (with appropriate indexes) where you could run your queries.