Keep a Track of Your SQL Server Database with DB Audit Expert

Email notifications are very important when auditing a server. Often, users need to be notified when there are changes to the data. When there is a change to a selected column, an email can be sent to whoever is interested in the change. From this, users can identify which records were changed. For example, if the salary field is changed, an email can be sent to the Human Resources department. See the screen below.

Once all the configuration information is set up, the software creates any necessary triggers to track the changes. In addition, a table will automatically be created to store the changes. A new audit table is created for each table you decide to audit.

Among the other available features, DB Audit Expert lets you assign a table an alias so that you can refer to it by a user-friendly name. In addition, you have the ability to search by table name.

Over time, the table used to store the audit information can grow. Because of this, there is the built-in ability to truncate data that has outlived its usefulness. When you select the truncate option, you are given a list of audited tables from which you can select the tables you want to truncate, as you can see below.

Another important option is the ability to purge the audited data periodically. Normally, we do not want to keep audited data for a long time. Built-in scheduling lets you purge data periodically.
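The trigger-plus-audit-table approach and the periodic purge described above can be sketched in T-SQL as follows. This is an added example, not code generated by DB Audit Expert or taken from its documentation; the table, column and trigger names and the 90-day retention period are assumptions made for illustration.

```sql
-- Hypothetical table to be audited (constructed for this example).
CREATE TABLE dbo.Employee (
    EmployeeID INT           NOT NULL PRIMARY KEY,
    FullName   NVARCHAR(100) NOT NULL,
    Salary     DECIMAL(12,2) NULL
);
GO  -- batch separator for sqlcmd/SSMS; CREATE TRIGGER must start a batch

-- One audit table per audited table, as the review describes.
CREATE TABLE dbo.Employee_Audit (
    AuditID    BIGINT IDENTITY(1,1) NOT NULL PRIMARY KEY,
    EmployeeID INT           NOT NULL,
    OldSalary  DECIMAL(12,2) NULL,
    NewSalary  DECIMAL(12,2) NULL,
    -- ORIGINAL_LOGIN() still names the real login under EXECUTE AS.
    ChangedBy  SYSNAME       NOT NULL DEFAULT ORIGINAL_LOGIN(),
    ChangedAt  DATETIME2(3)  NOT NULL DEFAULT SYSUTCDATETIME()
);
GO

CREATE TRIGGER dbo.trg_Employee_SalaryAudit
ON dbo.Employee
AFTER UPDATE
AS
BEGIN
    SET NOCOUNT ON;
    -- UPDATE(Salary) is true whenever the column appears in the SET list,
    -- even if the value is unchanged, so old and new are compared below.
    IF NOT UPDATE(Salary) RETURN;

    -- Join inserted/deleted so a multi-row UPDATE logs one row per change.
    -- Assumes the primary key itself is not modified by the statement.
    INSERT INTO dbo.Employee_Audit (EmployeeID, OldSalary, NewSalary)
    SELECT d.EmployeeID, d.Salary, i.Salary
    FROM deleted AS d
    JOIN inserted AS i ON i.EmployeeID = d.EmployeeID
    WHERE EXISTS (SELECT d.Salary EXCEPT SELECT i.Salary);  -- NULL-safe compare
END;
GO

-- Periodic purge, run from a scheduled job. Small batches keep the
-- transaction log and lock footprint bounded on a large audit table.
WHILE 1 = 1
BEGIN
    DELETE TOP (5000) FROM dbo.Employee_Audit
    WHERE ChangedAt < DATEADD(DAY, -90, SYSUTCDATETIME());  -- assumed retention
    IF @@ROWCOUNT = 0 BREAK;
END;
```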

Audit Trail Monitoring and Alerting

Automated security event monitoring, pattern analysis, and alerting is one of the most important features of DB Audit Expert. To use these features, users are required to license and install another product called the Alert Center, which is available separately from the vendor. The Alert Center was not available for evaluation at the time of this review. As a result, we could not test this. Below is just a screenshot and a few short excerpts that we were allowed to copy from the documentation.

The Alert Center analyses audit trail data for patterns of activity that are either clear security violations, or just suspicious, intrusive or anomalous (in other words, do not correspond to normal user activity) and alerts the system administrator to such activity. The Alert Center also allows administrators to define automated countermeasures. Such automated countermeasures are called “incident response jobs”, which could be used for suspending or terminating processes, locking or terminating user sessions, shutting down and restarting database servers and so on.

DB Audit Expert includes a graphical Alert Center Remote Console. Using this graphical console, users can remotely manage audit trail monitoring jobs that are scheduled and run using the Alert Center. Because the Alert Center functions as a server application, multiple users can connect to and manage the Alert Center concurrently.

The following sample screenshot demonstrates the Alert Center Remote Console as provided in the product documentation.

By default, the Alert Center generates an email alert for each detected incident. In addition, each audit trail monitoring job can be linked to 1 or more user-defined incident response jobs, which, in turn, can be used for suspending or terminating suspicious processes, locking or terminating user sessions, shutting down and restarting database servers and so on. The incident response jobs could be created as either external batch jobs, SQL queries, or JavaScript programs automatically invoked in case of an incident.
