SQL Server exception in Java when running a query through ArcSight

Problem description

My SQL parser seems to have an error and cannot pull from the database. I am rewriting the ArcSight DLP parser for McAfee, but it throws the following Java error when it tries to process the query; the query works when run against SQL Server.

[2021-03-03 09:58:03,663][ERROR][default.com.arcsight.agent.loadable.agent._McAfeeEPODatabaseAgent][setDeviceConnectionState] Device connection to [jdbc:sqlserver;DatabaseName=] down.(The index 1 is out of range.)
[2021-03-03 09:58:03,663][FATAL][default.com.arcsight.agent.sdk.c.d.g][processQuery()]
    com.microsoft.sqlserver.jdbc.SQLServerException: The index 1 is out of range.
    at com.microsoft.sqlserver.jdbc.SQLServerException.makeFromDriverError(SQLServerException.java:191)
    at com.microsoft.sqlserver.jdbc.SQLServerPreparedStatement.setterGetParam(SQLServerPreparedStatement.java:736)
    at com.microsoft.sqlserver.jdbc.SQLServerPreparedStatement.setValue(SQLServerPreparedStatement.java:745)
    at com.microsoft.sqlserver.jdbc.SQLServerPreparedStatement.setInt(SQLServerPreparedStatement.java:906)
    at sun.reflect.GeneratedMethodAccessor21.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.tomcat.jdbc.pool.StatementFacade$StatementProxy.invoke(StatementFacade.java:114)
    at com.sun.proxy.$Proxy6.setInt(Unknown Source)
    at com.arcsight.agent.sdk.c.d.x.a(x.java:447)
    at com.arcsight.agent.sdk.c.d.x.a(x.java:433)
    at com.arcsight.agent.sdk.c.d.f.e(f.java:251)
    at com.arcsight.agent.sdk.c.d.f.run(f.java:806)
    at java.lang.Thread.run(Thread.java:748)
[2021-03-03 09:58:03,664][FATAL][default.com.arcsight.agent.sdk.c.d.g][processQuery()] Failed to process query [[select top 1000 udlpi.IncidentId as DLP_AutoID,udlpi.ViolationUTCTime as DetectedUTC,] for [Thu Jan 01 00:05:26 UTC 1970]/[326677]] for [jdbc:sqlserver;DatabaseName=].

I tried modifying the SQL statement below to work through some of the suggested options I saw on Stack and around the web, but nothing seems to fix the error.

Please ignore the \ in my code; that is how it works with ArcSight.

I tried to match it against the parser ArcSight supplies, and for the most part it looks identical to the working parser (mine pulls more tables, of course, but it should still work).

I just don't know what the error could be; the most I can see is the ">"? But apparently using a question mark is the solution.

select top 1000 udlpi.IncidentId as DLP_AutoID,\
udlpi.ViolationUTCTime as DetectedUTC,\
udlpi.InsertionTime as ReceivedUTC,\
udlpi.ViolationTimezone as time_zone_bias,\
udlpi.McAfeeAgentGuid as AgentGUID,\
udlpi.DlpAgentVersion as AnalyzerVersion,\
udlpi.RulesToDisplay as ThreatName,\
udlpi.IncidentType,\
    case \
        when udlpi.IncidentType = 10000 then 'Device plug' \
        when udlpi.IncidentType = 10001 then 'Device Unplug' \
        when udlpi.IncidentType = 10002 then 'Device New Class Found' \
        when udlpi.IncidentType = 40101 then 'Network Share Protection' \
        when udlpi.IncidentType = 40102 then 'Removable Storage Protection' \
        when udlpi.IncidentType = 40200 then 'Email Protection' \
        when udlpi.IncidentType = 40301 then 'Printer Protection' \
        when udlpi.IncidentType = 40400 then 'Network Communication Protection' \
        when udlpi.IncidentType = 40500 then 'Web Protection' \
        when udlpi.IncidentType = 40601 then 'Application File Access Protection' \
        when udlpi.IncidentType = 40602 then 'Clipboard Protection' \
        when udlpi.IncidentType = 40603 then 'Screen Capture Protection' \
        when udlpi.IncidentType = 40700 then 'Cloud Protection' \
        when udlpi.IncidentType = 50000 then 'File System Discovery' \
        when udlpi.IncidentType = 50100 then 'Email Storage Discovery' \
        when udlpi.IncidentType = 50103 then 'Discovery Summary' \
        when udlpi.IncidentType = 50104 then 'Discovery Summary (user initiated)' \
        when udlpi.IncidentType = 60000 then 'Mobile Protection' \
        else 'Not Found' \
    end as ThreatType,\
udlpi.Severity as severity,\
udlpi.Reviewer as reviewer,\
udlpi.EvidenceCount as score,\
udlpi.TotalMatchCount as aggregate_count,\
udlpi.TotalContentSize as content_size,\
udlpi.SourceApplicationTemplates as sourcetemplate,\
udlpi.ClassificationCount as classificationcount,\
udlpi.ConnectivityState as online,\
udlpi.ActualAction,\
    case \
        when udlpi.ActualAction = 0 then 'Monitor' \
        when udlpi.ActualAction = 1 then 'Block' \
        when udlpi.ActualAction = 2 then 'Encrypt' \
        else 'Not defined' \
    end as epo_action,\
udlpi.ExpectedAction,\
    case \
        when udlpi.ExpectedAction = 0 then 'Monitor' \
        when udlpi.ExpectedAction = 1 then 'Block' \
        when udlpi.ExpectedAction = 2 then 'Encrypt' \
        else 'Not defined' \
    end as epo_expected_action,\
udlpi.InsertionTime as insertion_time,\
udlpi.ReportingProduct as product,\
udlpi.EvidenceLocationPrefix as evidence_location_prefix,\
udlpi.Destination as destination,\
udlpi.CopyDirection as direction,\
udlpi.ActivityEnum as activity,\
udlpi.JustificationText as justification,\
udlpi.ShortMatchString as shortmatch,\
ec.Name as Name,\
ec.IP as IP,\
idev.DeviceClassName as class_display_name,\
idev.DeviceDescription as devicedescription,\
idev.DeviceName as display_name,\
idev.USBSerialNumber as usbserialno,\
idev.USBVendorId as vid,\
idev.USBProductId as pid,\
idev.BusType as BusType,\
    case \
        when idev.BusType = 1 then 'USB' \
        when idev.BusType = 2 then 'PCI' \
        when idev.BusType = 3 then 'FIREWIRE' \
        when idev.BusType = 4 then 'PCMCIA' \
        when idev.BusType = 5 then 'BLUETOOTH' \
        when idev.BusType = 6 then 'IDE' \
        when idev.BusType = 7 then 'SCSI' \
        when idev.BusType = 8 then 'SD' \
        when idev.BusType = 9 then 'THUNDERBOLT' \
        else 'Not defined' \
    end as BusType_name,\
idev.USBClass as usbclass,\
idev.DeviceInstanceID as deviceinstanceid,\
ieml.Sender as sender,\
ieml.Recipients as recipient,\
ieml.RecipientsCc as recipientcc,\
ieml.RecipientsBcc as recipientbcc,\
ieml.Subject as subject,\
irs.SourcePath as sourcepath,\
irs.DestinationPath as destinationsourcepath,\
incapp.ApplicationFileName as file_name,\
incapp.ApplicationHash as app_hash,\
incapp.ApplicationProductName as app_info,\
evtu.PrimaryUserAccountID as accountid,\
evtu.Username_NTLM as username,\
iwp.DestinationURL as destinationurl,\
iwp.DestinationAddressBarURL as destinationbarurl,\
ireqry.FileName as filename,\
ireqry.MatchCount as matchcount,\
ireqry.ItemType as itemtype,\
ireqry.FileType as filetype,\
ireqry.FileSize as filesize,\
ireqry.FileExt as fileext,\
ireqry.FilePath as filepath,\
ireqry.ClassificationsToDisplay as classification \
FROM UDLP_Incidents as udlpi \
LEFT OUTER JOIN UDLP_IncidentEmail ieml ON udlpi.IncidentId = ieml.IncidentId \
LEFT OUTER JOIN UDLP_EventUsers evtu ON udlpi.UserID = evtu.UserId \
LEFT OUTER JOIN UDLP_IncidentWebPost iwp ON udlpi.IncidentId = iwp.IncidentId \
LEFT OUTER JOIN UDLP_IncidentDevice idev ON udlpi.IncidentId = idev.IncidentId \
LEFT OUTER JOIN UDLP_EventComputers ec ON udlpi.ComputerID = ec.ID \
LEFT OUTER JOIN UDLP_IncidentRemovableStorage irs ON udlpi.IncidentId = irs.IncidentId \
LEFT OUTER JOIN UDLP_IncidentApplications incapp ON udlpi.SourceApplicationId = incapp.ApplicationId \
LEFT OUTER JOIN UDLP_IncidentRuleEvidencesQueriesView ireqry ON udlpi.IncidentId = ireqry.IncidentId \
WHERE udlpi.IncidentId > ? \
order by udlpi.IncidentId

Solution

No working solution for this problem has been found yet.
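What the log does show, as an added analysis that is not part of the original page: the failing FATAL line prints the query the connector actually sent, and it stops at exactly "udlpi.ViolationUTCTime as DetectedUTC,". In the query as posted, that is the first line whose trailing backslash is followed by a space (several later lines have the same trailing whitespace, and the "case" line before "udlpi.ActualAction = 0" has no backslash at all). Assuming the connector reads the query as a value in a Java .properties file, which is what the backslash continuation the poster mentions corresponds to, a backslash only continues the line when it is the last character; "\ " is an escaped space, so the value ends right there. The statement handed to the driver then has no "?" placeholder, and the connector's setInt(1, ...) for the IncidentId bound fails with "The index 1 is out of range". The Python below is an added example, not code from the page, from ArcSight or from Microsoft: it re-implements only the continuation rules of java.util.Properties that matter here (for the authoritative result load the real file with java.util.Properties), runs them over a constructed excerpt of the posted query under an assumed key named "query", counts the placeholders left in what the driver would receive, and lists the lines that end in whitespace after a backslash so the file can be linted before the connector is restarted. A second point worth raising: T-SQL string literals take single quotes; with the Microsoft JDBC driver's default QUOTED_IDENTIFIER ON, a double-quoted "Device plug" is parsed as a column name, not a string.

```python
"""Reproduce the property-file truncation that leaves a prepared statement
with no '?' placeholder (added example; assumes a java.util.Properties-style
query file, which is an assumption about the connector, not a verified fact)."""
from typing import List, Optional
import re


def _ends_with_odd_backslashes(line: str) -> bool:
    """A physical line continues onto the next only if it ends in an odd
    number of backslashes (the last one escapes the line terminator)."""
    trailing = len(line) - len(line.rstrip("\\"))
    return trailing % 2 == 1


def _unescape(raw: str) -> str:
    """Resolve backslash escapes: \\t \\n \\r \\f as usual; any other escaped
    character (including '\\ ') stands for itself, so the backslash is dropped."""
    out = []
    i = 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            nxt = raw[i + 1]
            out.append({"t": "\t", "n": "\n", "r": "\r", "f": "\f"}.get(nxt, nxt))
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return "".join(out)


def load_property_value(text: str, key: str) -> Optional[str]:
    """Return the value of `key` the way a Properties loader would see it."""
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        logical = lines[i].lstrip()
        i += 1
        if not logical or logical[0] in "#!":
            continue
        # Join continuation lines; leading whitespace of each continued line is dropped.
        while _ends_with_odd_backslashes(logical) and i < len(lines):
            logical = logical[:-1] + lines[i].lstrip()
            i += 1
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", logical, re.S)
        if m and m.group(1) == key:
            return _unescape(m.group(2))
    return None


def count_parameter_markers(sql: str) -> int:
    """Count JDBC '?' placeholders outside single-quoted literals. setInt(1, ...)
    against a statement with zero markers is exactly 'The index 1 is out of range'."""
    in_literal = False
    count = 0
    for ch in sql:
        if ch == "'":
            in_literal = not in_literal
        elif ch == "?" and not in_literal:
            count += 1
    return count


def find_trailing_space_after_backslash(text: str) -> List[int]:
    """1-based numbers of lines meant as continuations that end in whitespace
    after the backslash, which silently terminates the value."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.rstrip()
        if stripped != line and _ends_with_odd_backslashes(stripped):
            hits.append(n)
    return hits


# Constructed sample, not the poster's real file: the opening lines of the
# posted query, with line 2 ending in backslash-then-space as on the page.
BROKEN = (
    "query=select top 1000 udlpi.IncidentId as DLP_AutoID,\\\n"
    "udlpi.ViolationUTCTime as DetectedUTC,\\ \n"
    "udlpi.InsertionTime as ReceivedUTC \\\n"
    "FROM UDLP_Incidents as udlpi WHERE udlpi.IncidentId > ? order by udlpi.IncidentId\n"
)
# The same sample with the stray space removed.
FIXED = BROKEN.replace(",\\ \n", ",\\\n")


def diagnose(properties_text: str, key: str = "query") -> dict:
    """What the driver would receive, how many '?' it has, and which lines are suspect."""
    sql = load_property_value(properties_text, key) or ""
    return {
        "sql": sql,
        "markers": count_parameter_markers(sql),
        "bad_lines": find_trailing_space_after_backslash(properties_text),
    }


if __name__ == "__main__":
    for label, text in (("broken", BROKEN), ("fixed", FIXED)):
        d = diagnose(text)
        print(f"{label}: markers={d['markers']} bad_lines={d['bad_lines']}")
        print("  sql =", repr(d["sql"]))
```

Running it prints the broken value ending at "DetectedUTC," with zero markers and line 2 flagged, and the fixed value with one marker. Note that the same loader rules mean a "#" comment cannot be placed inside a continued query: it would become part of the SQL text, so annotate the query file only on lines of its own, outside the continued value.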
