Hi kamlesh_vaghela, thanks for your help. Following the entire _raw log. { "name": "SecureSphere_Audit_PCI_-_Login_and_logout_audit_15.01.2021_1043_19.02.2021_1639_ith-aru-sec-imp-gw02_0_mxName.0000000001", "messageAgg": [{ "timeSlot": "2021-02-19T16:37:58Z", "hits": "40", "responseTimeSum": "11", "base": { "keysCrc": "-8551114388220623619", "serverGroup": "LAB", "service": "Oracle", "application": "Default Oracle Application", "eventSourceType": "Network", "userType": "Valid", "dbUser": "sapserviceid6", "isUserAuthenticed": true, "sourceIp": "10.1.5.190", "sourceApp": "disp+work.exe", "osUser": "sapserviceid6", "host": "sapysap1", "serviceType": "Oracle", "destinationIp": "10.1.5.191", "eventType": "LOGIN", "operation": "Login", "database": "id6", "schema": "sapserviceid6", "gatewayName": "ith-aru-sec-imp-gw02", "sourceOfActivity": "REMOTE", "dbInstance": "id6" }, "responseSizeBucket": "Size0", "affectedRowsBucket": "Size0", "responseTimeBucket": "Time0to1", "destinationPort": "1527", "policy": "PCI - Login and logout audit", "policyId": "993812025799991000" }, { "timeSlot": "2021-02-19T16:37:58Z", "hits": "80", "base": { "keysCrc": "6526603515572082956", "serverGroup": "LAB", "service": "Oracle", "application": "Default Oracle Application", "eventSourceType": "Network", "userType": "Valid", "dbUser": "sapid6", "sourceIp": "10.1.5.190", "sourceApp": "disp+work.exe", "osUser": "sapserviceid6", "host": "sapysap1", "serviceType": "Oracle", "destinationIp": "10.1.5.191", "eventType": "LOGOUT", "operation": "Logout", "database": "id6", "schema": "sapid6", "gatewayName": "ith-aru-sec-imp-gw02", "sourceOfActivity": "REMOTE", "dbInstance": "id6" }, "responseSizeBucket": "Size0", "affectedRowsBucket": "Size0", "responseTimeBucket": "Time0to1", "destinationPort": "1527", "policy": "PCI - Login and logout audit", "policyId": "993812025799991000" }, { "timeSlot": "2021-02-19T16:37:58Z", "hits": "1", "responseTimeSum": "1742", "base": { "keysCrc": "-8163044881711936885", "serverGroup": "LAB", "service": "Oracle", "application": "Default Oracle Application", "eventSourceType": "Network", "userType": "Valid", "dbUser": "sapid6", "isUserAuthenticed": true, "sourceIp": "10.1.5.190", "sourceApp": "disp+work.exe", "osUser": "sapserviceid6", "host": "sapysap1", "serviceType": "Oracle", "destinationIp": "10.1.5.191", "eventType": "LOGIN", "operation": "Login", "database": "id6", "schema": "sapid6", "gatewayName": "ith-aru-sec-imp-gw02", "sourceOfActivity": "REMOTE", "dbInstance": "id6" }, "responseSizeBucket": "Size0", "affectedRowsBucket": "Size0", "responseTimeBucket": "Time1to10", "destinationPort": "1527", "policy": "PCI - Login and logout audit", "policyId": "993812025799991000" }, { "timeSlot": "2021-02-19T16:37:58Z", "hits": "39", "responseTimeSum": "8", "base": { "keysCrc": "-204053942017404474", "serverGroup": "LAB", "service": "Oracle", "application": "Default Oracle Application", "eventSourceType": "Network", "userType": "Valid", "dbUser": "sapid6", "isUserAuthenticed": true, "sourceIp": "10.1.5.190", "sourceApp": "disp+work.exe", "osUser": "sapserviceid6", "host": "sapysap1", "serviceType": "Oracle", "destinationIp": "10.1.5.191", "eventType": "LOGIN", "operation": "Login", "database": "id6", "schema": "sapid6", "gatewayName": "ith-aru-sec-imp-gw02", "sourceOfActivity": "REMOTE", "dbInstance": "id6" }, "responseSizeBucket": "Size0", "affectedRowsBucket": "Size0", "responseTimeBucket": "Time0to1", "destinationPort": "1527", "policy": "PCI - Login and logout audit", "policyId": "993812025799991000" }, { "timeSlot": "2021-02-19T16:37:58Z", "hits": "3", "base": { "keysCrc": "5464671818046985164", "serverGroup": "LAB", "service": "Oracle", "application": "Default Oracle Application", "eventSourceType": "Network", "userType": "Valid", "dbUser": "sapsr3db", "sourceIp": "10.1.5.190", "osUser": "sapserviceep7", "host": "sap1", "serviceType": "Oracle", "destinationIp": "10.1.5.191", "eventType": "LOGIN", "operation": "Login", "database": "ep7", "schema": "sapsr3db", "isExceptionOccurred": true, "gatewayName": "ith-aru-sec-imp-gw02", "sourceOfActivity": "REMOTE" }, "responseSizeBucket": "Size0", "affectedRowsBucket": "Size0", "responseTimeBucket": "Time0to1", "destinationPort": "1527", "policy": "PCI - Login and logout audit", "policyId": "993812025799991000" }, { "timeSlot": "2021-02-19T16:37:58Z", "hits": "2", "base": { "keysCrc": "296121360254800243", "serverGroup": "LAB", "service": "Oracle", "application": "Default Oracle Application", "eventSourceType": "Network", "userType": "Valid", "dbUser": "sapid6", "sqlSourceGroup": "Default oracle group", "isUserAuthenticed": true, "sourceIp": "10.1.5.190", "sourceApp": "disp+work.exe", "osUser": "sapserviceid6", "host": "sapysap1", "serviceType": "Oracle", "destinationIp": "10.1.5.191", "eventType": "LOGOUT", "operation": "Logout", "database": "id6", "schema": "sapid6", "gatewayName": "ith-aru-sec-imp-gw02", "sourceOfActivity": "REMOTE", "dbInstance": "id6" }, "responseSizeBucket": "Size0", "affectedRowsBucket": "Size0", "responseTimeBucket": "Time0to1", "destinationPort": "1527", "policy": "PCI - Login and logout audit", "policyId": "993812025799991000" }, { "timeSlot": "2021-02-19T16:37:58Z", "hits": "22", "responseTimeSum": "10", "base": { "keysCrc": "-7569040835949211912", "serverGroup": "LAB", "service": "Oracle", "application": "Default Oracle Application", "eventSourceType": "Network", "userType": "Valid", "dbUser": "sapserviceid6", "sqlSourceGroup": "Default oracle group", "isUserAuthenticed": true, "sourceIp": "10.1.5.190", "sourceApp": "disp+work.exe", "osUser": "sapserviceid6", "host": "sapysap1", "serviceType": "Oracle", "destinationIp": "10.1.5.191", "eventType": "LOGIN", "operation": "Login", "database": "id6", "schema": "sapserviceid6", "gatewayName": "ith-aru-sec-imp-gw02", "sourceOfActivity": "REMOTE", "dbInstance": "id6" }, "responseSizeBucket": "Size0", "affectedRowsBucket": "Size0", "responseTimeBucket": "Time0to1", "destinationPort": "1527", "policy": "PCI - Login and logout audit", "policyId": "993812025799991000" }, { "timeSlot": "2021-02-19T16:37:58Z", "hits": "44", "base": { "keysCrc": "-2959819095772425042", "serverGroup": "LAB", "service": "Oracle", "application": "Default Oracle Application", "eventSourceType": "Network", "userType": "Valid", "dbUser": "sapid6", "sqlSourceGroup": "Default oracle group", "sourceIp": "10.1.5.190", "sourceApp": "disp+work.exe", "osUser": "sapserviceid6", "host": "sapysap1", "serviceType": "Oracle", "destinationIp": "10.1.5.191", "eventType": "LOGOUT", "operation": "Logout", "database": "id6", "schema": "sapid6", "gatewayName": "ith-aru-sec-imp-gw02", "sourceOfActivity": "REMOTE", "dbInstance": "id6" }, "responseSizeBucket": "Size0", "affectedRowsBucket": "Size0", "responseTimeBucket": "Time0to1", "destinationPort": "1527", "policy": "PCI - Login and logout audit", "policyId": "993812025799991000" }, { "timeSlot": "2021-02-19T16:37:58Z", "hits": "22", "responseTimeSum": "14", "base": { "keysCrc": "517624223826118305", "serverGroup": "LAB", "service": "Oracle", "application": "Default Oracle Application", "eventSourceType": "Network", "userType": "Valid", "dbUser": "sapid6", "sqlSourceGroup": "Default oracle group", "isUserAuthenticed": true, "sourceIp": "10.1.5.190", "sourceApp": "disp+work.exe", "osUser": "sapserviceid6", "host": "sapysap1", "serviceType": "Oracle", "destinationIp": "10.1.5.191", "eventType": "LOGIN", "operation": "Login", "database": "id6", "schema": "sapid6", "gatewayName": "ith-aru-sec-imp-gw02", "sourceOfActivity": "REMOTE", "dbInstance": "id6" }, "responseSizeBucket": "Size0", "affectedRowsBucket": "Size0", "responseTimeBucket": "Time0to1", "destinationPort": "1527", "policy": "PCI - Login and logout audit", "policyId": "993812025799991000" }] } The file contains SecureSphere sample audit logs Thanks again Regards Mario
... View more