Troubleshooting
Problem
You have a rule to filter certain accesses using Object/Field that is not firing as expected when that column is accessed. You can see the SQL statement.
Cause
Quick Parse Native (QPN) action in use.
Diagnosing The Problem
Observe the policy actions for "Quick Parse".
Resolving The Problem
When you use QPN, parsing is happening on the STAP side and the components are sent in a message to the sniffer. With this rule, the sniffer will not parse the SQL itself but use the parsed components from message. The message just has the verb and object but no fields. A rule based on an Object/Field condition will not be fired.
Even if you tried to move the rule to the top with the action of "Log Full Details", this will still not be logged. The flag is set early on so the sniffer stops parsing the SQL. QPN is similar to "Quick Parse No Fields".
Was this topic helpful?
Document Information
Modified date:
16 June 2018
UID
swg22001640