Imperva Cyber Community

  • 1.  Oracle on AIX issues

    Posted 9 days ago

    Dear team,

    I am testing Oracle built on an AIX system, but I have some issues with it.

    • Cannot see UserDB: it shows "connected user" only
    • Cannot see OS users, OS host or more information details in alert/violation.
    • How can I get a troubleshooting log?

    Does anyone have solutions for them?


    #DatabaseActivityMonitoring

    ------------------------------
    Duc Dinh Minh
    Security Engineer I
    M.Tech Holdings Pte Ltd
    ho chi minh
    ------------------------------


  • 2.  RE: Oracle on AIX issues

    Posted 8 days ago

    I am also interested in the solution, as I experience the same issues too.



    ------------------------------
    Juliet Ehichioya
    Security Engineer
    Keystone Bank Limited
    Lagos
    ------------------------------



  • 3.  RE: Oracle on AIX issues

    Posted 7 days ago

    Hi,

    "Connected User" in DB audit data means "Untraceable Database User". This violation is invoked if On-Premises (SecureSphere) is unable to identify the database user.

    This can happen, for example:

    1. If a session was opened before a newly-deployed gateway came online, or a session was opened just before a gateway came online in fail-over mode.

    2. "Old" connection: the stream is a long stream that was started x hours ago (more than 2 hours), wasn't active for a period of time, and after a while became active again.

    Within On-Premises (SecureSphere) there is a per-service definition of connection timeout (default: 7200 seconds -> 2 hours). After this period On-Premises (SecureSphere) removes the connection details. If this session (between client and server) is used after 2 hours, On-Premises (SecureSphere) will not see the SYN, SYN/ACK, and will indicate the user is a connected user, but since no information about this session is available it will mark it as an untraceable user.

    Note: Do not increase the default value of "connection timeout" without specific instructions from Support, since this will increase gateway memory consumption.

    3. Gateway missed traffic due to CPU Load / Heavy traffic / Network gaps / Sniffing mode without TAP device

    You need to know that after agent installation on AIX + ORACLE, you must restart Oracle services.

    https://docs.imperva.com/bundle/v14.18-dam-administration-guide/page/7349.htm

    If you have installed the SecureSphere Agent on a machine on which no SecureSphere Agent was previously installed, then:

    • You must restart all database instances and processes after the first time you start the SecureSphere Agent. For example, in Oracle, the "tnslsnr" process should also be restarted.
    • If you ever manually enabled EIK, you must restart the database for every agent reinstallation.
    • If you want to enable the source IP address feature, you must restart the login servers (SSH, Telnet, Rlogin) after the first time you start the SecureSphere Agent.

    There is no need to reboot the machine.



    ------------------------------
    Karol Gruszczynski
    IT Security Expert
    Trafford IT Sp. z o.o.
    Warszawa
    ------------------------------
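
The restart requirement quoted in post 3, turned into a check (an added example, not part of the thread and not Imperva tooling): it reads `ps -eo pid,etime,args` output and lists database processes that have been running longer than the agent. The agent name `example-agent` and the sample listing are constructed placeholders; `ora_pmon_` is Oracle's PMON background process prefix.

```shell
#!/bin/sh
# Added example: list database processes started before the monitoring agent,
# i.e. the ones that still need the restart described in post 3.
# stdin: output of `ps -eo pid,etime,args`
# $1: regex for the agent process (placeholder, set it for your host)
# $2: regex for database processes, e.g. 'tnslsnr|ora_pmon_'
# Exit status 2 means no agent process was found in the listing.
stale_db_processes() {
    awk -v agent="$1" -v db="$2" '
        # ps etime is [[dd-]hh:]mm:ss; convert it to seconds.
        function secs(e,    d, n, t, s, i, p) {
            d = 0
            p = index(e, "-")
            if (p) { d = substr(e, 1, p - 1); e = substr(e, p + 1) }
            n = split(e, t, ":")
            s = 0
            for (i = 1; i <= n; i++) s = s * 60 + t[i]
            return d * 86400 + s
        }
        $1 == "PID" { next }    # header line
        {
            cmd = $0
            sub(/^[ \t]*[^ \t]+[ \t]+[^ \t]+[ \t]+/, "", cmd)
            age = secs($2)
            if (cmd ~ agent) {  # keep the oldest agent process as reference
                if (age > agent_age) agent_age = age
                found = 1
            } else if (cmd ~ db) {
                c++; pid[c] = $1; uptime[c] = age; name[c] = cmd
            }
        }
        END {
            if (!found) exit 2
            for (i = 1; i <= c; i++)
                if (uptime[i] > agent_age) print pid[i], name[i]
        }'
}
# Constructed sample listing (not taken from a real host).
sample_ps() {
    cat <<'EOF'
  PID     ELAPSED COMMAND
 4101  3-02:10:05 ora_pmon_ORCL
 4188  3-02:09:41 /u01/app/oracle/bin/tnslsnr LISTENER -inherit
 9001    01:15:30 /opt/example/example-agent
 9450       42:10 ora_pmon_TEST
EOF
}
sample_ps | stale_db_processes 'example-agent' 'tnslsnr|ora_pmon_'
```

The comparison uses the agent's current uptime, so if the agent itself was restarted after its first start, processes that were already restarted correctly can still be listed.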



  • 4.  RE: Oracle on AIX issues

    Posted 6 days ago
    Edited by Duc Dinh Minh 6 days ago

    I checked violations/alerts.

    It can get information if users are local.

    But with remote users, we can see the query, but don't have databases & schema, user, DB application information ...

    I added the below to the agent advanced configuration, but it still does not work:

    <external-traffic-monitoring-in-kern>1</external-traffic-monitoring-in-kern>
    <enable-oracle-aso>true</enable-oracle-aso>



    ------------------------------
    Duc Dinh Minh
    Security Engineer I
    M.Tech Holdings Pte Ltd
    ho chi minh
    ------------------------------



  • 5.  RE: Oracle on AIX issues

    Posted 6 days ago

    Hi,

    You may refer to the link (https://docs.imperva.com/bundle/z-kb-articles-knowledgebase-support/page/290589741.html) or to the detailed response provided by Imperva Partner.

    Also, please ensure that the latest version of the agent is being used to monitor the activities performed on the Oracle database installed on the AIX server. To monitor ASO connections, one has to add a flag in the advanced configuration as per Imperva's documentation: https://docs.imperva.com/bundle/v14.18-dam-user-guide/page/77566.htm

    Regards,



    ------------------------------
    SBISOC 4430
    Manager
    Mumbai
    ------------------------------