Info Security Memo
IBM Guardium Tips and Tricks

9/3/2020

This post summarizes my experience with the IBM Guardium product. Some of the items are quite simple; I am recording them for my own reference.
  • Find Guardium STAP Installation Folder and Exec Stap Diag
  • Shut Down System
  • Inspection Engine Status is Fail
  • Changing Report Parameters
  • Add Reports into Dashboard to Check Logged Data
  • Change GIM Client Configuration's Guardium IP
  • Remove inactive GIM client connection
  • VA Report View Issue - Disable Data Level Security Filtering
  • Unit Utilization Report Failed
  • Central Manager shows all S-TAP offline (red)

Topology








Find Guardium STAP Installation Folder and Exec Diag

Sometimes, if the S-TAP is already having problems, running the command from the web GUI won't work. You will have to go to your DB server's command line and run it there, as shown below:

[root@localhost tmp]# ps -ef | grep -i tap
root      1911   933  0 11:58 ?        00:00:00 /var/gim/modules/STAP/11.2.0.0_r108838_1-1598487907/guard_stap /var/gim/modules/STAP/11.2.0.0_r108838_1-1598487907/guard_tap.ini
root      5685  5104  0 13:07 pts/0    00:00:00 grep --color=auto -i tap
[root@localhost tmp]# cd /var/gim/modules/STAP/11.2.0.0_r108838_1-1598487907/
[root@localhost 11.2.0.0_r108838_1-1598487907]# ls
atap_must_gather.sh  config                        guard-config-update                guardium_evaluator.jar          guard-stap-setup            hooks                  libsasl2.so         platform_checks.sh
buffers              db2_exit_health_check.sh      guard_diag                         guardkerbplugin.conf            guard_tap.ini               libgssapiv2.so         libsasl2.so.3       ranger_dynpolicy_config.py
ca.cert.pem          depends                       guard_discovery                    guard_log4j_listener_config.py  guard_tap.ini.bak           libgssapiv2.so.3       libsasl2.so.3.0.0   rc
cit_config.xml       files                         guard_discovery.stderr.log         guard_sof                       guard_tap.ini.default_orig  libgssapiv2.so.3.0.0   LICENSE.TXT         STAP.log
common.sh            find_db2_shmem_parameters.sh  guard-gim-STAP-build.conf          guard_stap                      guard_tap.ini.prev          libguardkerbplugin.so  load_balance        trace_files
conf                 GIM.pm                        guardium_cassandra_audit-3.11.jar  guard_stap_analyze_tool.sh      guard_tap.ini.save_default  librdkafka.so          merge_ini_file.sh   uninstall
conf.bkp             guard-atap-ctl                guardium_cassandra_audit-3.4.jar   guard_stap.pid                  guard_validate_ip           librdkafka.so.1        monit-stap-control
[root@localhost 11.2.0.0_r108838_1-1598487907]# mkdir /tmp/guard_diag_out
[root@localhost 11.2.0.0_r108838_1-1598487907]# ./guard_diag /tmp/guard_diag_out/
Args /tmp/guard_diag_out/
LOG LEVEL 4
LOG TIME 60
This diagnostics script runs for approximately two minutes.  During the course
of its execution, it will gather data about various aspects of your system to
aid in analysing performance issues and other problems.  To do so, a couple of
processes will be started and terminated after a predetermined time-out.  On
some systems, this may cause some messages about processes being killed to be
printed below - this is normal and should not be cause for concern.

find: ‘/var/gim/modules/STAP/11.2.0.0_r108838_1-1598487907/./../../..//modules/CAS/current’: No such file or directory
./guard_diag: line 372:  6069 Killed                  tail -f /var/log/messages >> $KTAP_TEMP 2>&1
./guard_diag: line 372:  6071 Killed                  tail -f $tap_log_dir/guard_stap.stderr.txt >> $STAP_TEMP 2>&1
/dev/guard_ktap: No such file or directory
/var/gim/modules/STAP/11.2.0.0_r108838_1-1598487907/./../../..//modules/STAP/current/db2_exit_health_check.sh: line 145: /var/gim/modules/STAP/11.2.0.0_r108838_1-1598487907/./../../..//modules/STAP/current/guard-sign: No such file or directory
/var/gim/modules/STAP/11.2.0.0_r108838_1-1598487907/./../../..//modules/STAP/current/db2_exit_health_check.sh: line 146: /var/gim/modules/STAP/11.2.0.0_r108838_1-1598487907/./../../..//modules/STAP/current/guard-sign: No such file or directory
./guard_diag: line 1308: /var/gim/modules/STAP/11.2.0.0_r108838_1-1598487907/./../../..//modules/STAP/current/dump_shmem_stats: No such file or directory
cat: /tmp/guard_diag_out//diag.91vDi5/../stap_drop.log: No such file or directory
Diagnostics completed!  The results are in /tmp/guard_diag_out//diag.ustap.localhost.localdomain.20-08-31_130855.tar.gz
[root@localhost 11.2.0.0_r108838_1-1598487907]#


Reference on S-TAP diagnostics: https://www-01.ibm.com/support/docview.wss?uid=swg21579891
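The ps / cd / guard_diag steps above, as an added shell script (not from the post or from IBM): it finds the live S-TAP folder from the guard_stap process line, runs guard_diag into a fresh directory and prints the tarball name. It assumes guard_stap is started with the guard_tap.ini path as its first argument, as in the ps output above.

```shell
#!/usr/bin/env bash
# Added example (not from the post or IBM): find the live S-TAP install folder
# from the guard_stap process, as the ps/cd steps above do by hand, then run
# guard_diag into a fresh output directory and report the resulting tarball.
# Assumed: guard_stap runs with its guard_tap.ini path as the first argument.
set -u

# Extract the S-TAP install directory from one line of 'ps -ef' output.
# Prints the directory; returns 1 if the line is not a guard_stap process
# (the 'grep -i tap' line from the session above is rejected this way).
stap_dir_from_ps_line() {
  local line="$1" bin
  case "$line" in
    *"/guard_stap "*) ;;
    *) return 1 ;;
  esac
  # take the token ending in /guard_stap and strip the binary name
  bin=$(printf '%s\n' "$line" | tr ' ' '\n' | grep '/guard_stap$' | head -n 1)
  [ -n "$bin" ] || return 1
  printf '%s\n' "${bin%/guard_stap}"
}

# Directory of the running S-TAP; falls back to the GIM 'current' link.
find_stap_dir() {
  local line dir
  line=$(ps -ef | grep -F '/guard_stap ' | grep -v grep | head -n 1)
  if [ -n "$line" ] && dir=$(stap_dir_from_ps_line "$line"); then
    printf '%s\n' "$dir"; return 0
  fi
  if [ -d /var/gim/modules/STAP/current ]; then
    printf '%s\n' /var/gim/modules/STAP/current; return 0
  fi
  return 1
}

# Run guard_diag into a timestamped directory and print the tarball path.
run_stap_diag() {
  local dir out
  dir=$(find_stap_dir) || { echo "no running S-TAP found" >&2; return 1; }
  out="/tmp/guard_diag_out.$(date +%Y%m%d_%H%M%S)"
  mkdir -p "$out"
  (cd "$dir" && ./guard_diag "$out/") || return 1
  ls -1 "$out"/diag.*.tar.gz
}

# Only run diagnostics when invoked as: ./stap_diag.sh run
if [ "${1:-}" = run ]; then run_stap_diag; fi
```

Save it on the DB server and invoke it with the argument `run`; the parsing functions can also be sourced on their own.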

Find and Delete Large File in Guardium

Search for any files larger than 500 MB, regardless of when they were created:
guardium11.yourcompany.com> support show large_file 500 0

517     /var/IBM/Guardium/collector/bin/snif-debug
532     /var/IBM/Guardium/collector/bin/packet-run
722     /var/IBM/Guardium/collector/bin/snif
4097    /var/IBM/Guardium/data/mysql/ib_logfile0
4097    /var/IBM/Guardium/data/mysql/ib_logfile1
4097    /var/IBM/Guardium/data/mysql/ib_logfile2
4097    /var/IBM/Guardium/data/mysql/ib_logfile3
ok
guardium11.yourcompany.com>


To find files that are over a certain size and age, run the following CLI command:
support show large_files <size> <age>

You can then delete a specific file by running the following command:
support clean log_file <full path of file to delete>



Shut Down System

To shut down Guardium from the command line, run: stop system

From the Web GUI: Setup > Tools and Views > System > Stop

Inspection Engine Status is Fail

Inspection engine verification is a feature in Guardium v9.1 and above. Its purpose is to determine whether the inspection engines configured on the S-TAP are collecting data.

There are two methods to verify an inspection engine:
1. "Standard Verification" - Sends a login request to the database defined in the inspection engine with the user "RESULTFD". This login request should fail. If the inspection engine is configured and working correctly, the S-TAP will send an exception to the collector with the failed login. The verification process looks for this failed login; if it finds it, we know that the S-TAP can capture data from this inspection engine.

2. "Advanced Verification" - A user-configured datasource is used to log in to the database. The advanced verification runs a select on a table that does not exist. If the inspection engine is configured and working correctly, the S-TAP will send an exception to the collector with the database error. The verification process looks for this error; if it finds it, we know that the S-TAP can capture data from this inspection engine.


YouTube video (not reproduced here): Troubleshooting the Guardium S-TAP Verification Process


Reference: https://www.ibm.com/support/pages/what-do-if-guardium-inspection-engine-status-fail




Changing Report Parameters

Run Time Parameters

For these queries, QUERY_FROM_DATE and QUERY_TO_DATE can be changed to limit the output, for example to show just the most recent 3 minutes of data. Click the pencil icon at the top right in v9, or the wrench icon in v10, to amend the parameters.

Report Parameters

Any of the fields can be used to set a condition as normal, and the report can then be re-saved and re-run, for example to restrict it to a specific ServerIP. Click the edit report icon at the top left in v10 and add a condition.

Add Reports into Dashboard to Check Logged Data


Reference: https://www.ibm.com/support/pages/how-can-i-check-if-correct-data-being-logged-my-guardium-appliance


Steps: log in to your Collector WebUI and add the following reports to your Dashboard:
1. Full SQL Count
2. Full SQL
3. Server Accessed
4. Open Sessions
5. Session count


Change GIM Client Configuration's Guardium IP

Sometimes you might want to point your GIM client to a different collector or aggregator. The following steps show how to change that:
1. Stop the GIM service on the GIM client server.
2. Go to the path C:\Program Files (x86)\Guardium\Guardium Installation Manager\GIM\Current\
3. Edit the file "conf".
4. Search for GIM_URL and change the IP from 172.23.1.29 (collector) to 172.23.1.28 (central manager).
5. Save the changes.
6. Start the GIM service.
7. Verify from the Guardium Central Manager.

Based on "How to move a GIM client to point to another appliance (GIM Server)?", there are two other ways to do it:
1. From the Guardium Web GUI: Manage - Module Installation - Set up Client. Choose the GIM client and the GIM bundle, then change the parameter GIM_URL to your new GIM appliance IP and install it now to get it updated.
2. From the Guardium client command line.
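The conf edit in steps 1 to 7 above is done by hand on a Windows GIM client. As an added example (not from the post or from IBM), the shell script below does the same rewrite for a GIM client on a Unix host: it changes the IP only on the GIM_URL line, keeps a backup and refuses to run if the old IP is not there. It assumes the conf file holds one KEY=VALUE per line with the appliance IP inside the GIM_URL value; the post does not show the exact line format, so that is an assumption.

```shell
#!/usr/bin/env bash
# Added example (not from the post or IBM): re-point a GIM client at another
# appliance by rewriting the IP on the GIM_URL line(s) only, with a backup.
# Assumed conf format: one KEY=VALUE per line, appliance IP inside GIM_URL.
set -u

# retarget_gim_url <conf file> <old ip> <new ip>
# Returns 0 on success, 1 if GIM_URL does not hold the old IP, 2 on bad args.
retarget_gim_url() {
  local conf="$1" old="$2" new="$3" esc backup
  [ -f "$conf" ] || { echo "conf not found: $conf" >&2; return 2; }
  # escape the dots so the old IP is matched literally by grep and sed
  esc=$(printf '%s' "$old" | sed 's/\./\\./g')
  if ! grep -q "^GIM_URL=.*${esc}" "$conf"; then
    echo "GIM_URL does not reference $old; nothing changed" >&2
    return 1
  fi
  # keep a timestamped copy before touching anything (step 5 is then reversible)
  backup="$conf.bak.$(date +%Y%m%d_%H%M%S)"
  cp -p "$conf" "$backup"
  # rewrite only GIM_URL lines; other settings that mention the old IP stay
  sed "/^GIM_URL=/s/${esc}/${new}/g" "$backup" > "$conf"
  if grep -q "^GIM_URL=.*${esc}" "$conf"; then
    echo "rewrite failed, restore from $backup" >&2
    return 1
  fi
  echo "GIM_URL now: $(gim_url_value "$conf") (backup: $backup)"
}

# gim_url_value <conf file>: print the current GIM_URL value (step 7 check)
gim_url_value() {
  sed -n 's/^GIM_URL=//p' "$1" | head -n 1
}

# Usage: stop the GIM service, run this, then start the service again.
if [ "$#" -eq 3 ]; then retarget_gim_url "$1" "$2" "$3"; fi
```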


Remove inactive GIM client connection

If your GIM client has been pointed to a different Guardium aggregator / collector / central manager, you might receive the following notification: "The GIM process is not running on following database server". In this case, you may want to delete this GIM connection by clicking "reset connection" on the Set up by Client page.




VA Report View Issue - Disable Data Level Security Filtering

A VA task was scheduled to run and the log shows it completed successfully, but the report received is empty, with the message "Data level security or event filtering is enabled. Therefore all of the results have been filtered".

There is also a checkbox for "Include indirect records".

It is quite clear that data level security was enabled for some reason, such as segregation of duties. It can be turned off at Setup > Tools and Views > Global Profile.


Unit Utilization Report Failed

Follow the two-step configuration in the following KB and the Unit Utilization Report will generate properly.

Reference: https://www.ibm.com/support/knowledgecenter/en/SSMPHH_11.0.0/com.ibm.guardium.doc.admin/adm/unit_utilization_configure.html



Central Manager shows all S-TAP offline (red)

If the S-TAPs are still shown offline after you have verified the S-TAP service on the DB server and verified that the firewall allows ports 9500 and 9501, it might relate to the inspection engine service.

You can try to telnet to the collector's ports 9500 / 9501 from the DB server. Restarting the inspection core on the collector:
guardium-v11.yourcompany.com> restart inspection-core
Are you sure you want to restart inspection-core (y/n)?
Restarting inspection-core
ok
guardium-v11.yourcompany.com>






    References

    • How to change / modify IP address or host name of the Guardium appliance in the GIM Client configuration by editing conf file at Windows Server?
    • How to move a GIM client to point to another appliance (GIM Server)?
    • Unable to view reports on the Guardium GUI


