This post is a summary of my experience with the IBM Guardium product. Some of the items are pretty simple; I am recording them for my own reference.
- Find Guardium STAP Installation Folder and Exec Stap Diag
- Shut Down System
- Inspection Engine Status is Fail
- Changing Report Parameters
- Add Reports into Dashboard to Check Logged Data
- Change GIM Client Configuration’s Guardium IP
- Remove inactive GIM client connection
- VA Report View Issue – Disable Data Level Security Filtering
- Unit Utilization Report Failed
- Central Manager shows all S-TAP offline (red)
Find Guardium STAP Installation Folder and Exec Diag
Sometimes, if the S-TAP is already having problems, running the diagnostic from the web GUI won't work. You will have to go to your DB server's command line and run it as shown below:
[root@localhost tmp]# ps -ef | grep -i tap
root      1911   933  0 11:58 ?        00:00:00 /var/gim/modules/STAP/184.108.40.206_r108838_1-1598487907/guard_stap /var/gim/modules/STAP/220.127.116.11_r108838_1-1598487907/guard_tap.ini
root      5685  5104  0 13:07 pts/0    00:00:00 grep --color=auto -i tap
[root@localhost tmp]# cd /var/gim/modules/STAP/18.104.22.168_r108838_1-1598487907/
[root@localhost 22.214.171.124_r108838_1-1598487907]# ls
atap_must_gather.sh  config  guard-config-update  guardium_evaluator.jar  guard-stap-setup  hooks  libsasl2.so  platform_checks.sh
buffers  db2_exit_health_check.sh  guard_diag  guardkerbplugin.conf  guard_tap.ini  libgssapiv2.so  libsasl2.so.3  ranger_dynpolicy_config.py
ca.cert.pem  depends  guard_discovery  guard_log4j_listener_config.py  guard_tap.ini.bak  libgssapiv2.so.3  libsasl2.so.3.0.0  rc
cit_config.xml  files  guard_discovery.stderr.log  guard_sof  guard_tap.ini.default_orig  libgssapiv2.so.3.0.0  LICENSE.TXT  STAP.log
common.sh  find_db2_shmem_parameters.sh  guard-gim-STAP-build.conf  guard_stap  guard_tap.ini.prev  libguardkerbplugin.so  load_balance  trace_files
conf  GIM.pm  guardium_cassandra_audit-3.11.jar  guard_stap_analyze_tool.sh  guard_tap.ini.save_default  librdkafka.so  merge_ini_file.sh  uninstall
conf.bkp  guard-atap-ctl  guardium_cassandra_audit-3.4.jar  guard_stap.pid  guard_validate_ip  librdkafka.so.1  monit-stap-control
[root@localhost 126.96.36.199_r108838_1-1598487907]# mkdir /tmp/guard_diag_out
[root@localhost 188.8.131.52_r108838_1-1598487907]# ./guard_diag /tmp/guard_diag_out/
Args /tmp/guard_diag_out/
LOG LEVEL 4
LOG TIME 60
This diagnostics script runs for approximately two minutes. During the course of its execution, it will gather data about various aspects of your system to aid in analysing performance issues and other problems. To do so, a couple of processes will be started and terminated after a predetermined time-out.
On some systems, this may cause some messages about processes being killed to be printed below - this is normal and should not be cause for concern.
find: ‘/var/gim/modules/STAP/184.108.40.206_r108838_1-1598487907/./../../..//modules/CAS/current’: No such file or directory
./guard_diag: line 372:  6069 Killed                  tail -f /var/log/messages >> $KTAP_TEMP 2>&1
./guard_diag: line 372:  6071 Killed                  tail -f $tap_log_dir/guard_stap.stderr.txt >> $STAP_TEMP 2>&1
/dev/guard_ktap: No such file or directory
/var/gim/modules/STAP/220.127.116.11_r108838_1-1598487907/./../../..//modules/STAP/current/db2_exit_health_check.sh: line 145: /var/gim/modules/STAP/18.104.22.168_r108838_1-1598487907/./../../..//modules/STAP/current/guard-sign: No such file or directory
/var/gim/modules/STAP/22.214.171.124_r108838_1-1598487907/./../../..//modules/STAP/current/db2_exit_health_check.sh: line 146: /var/gim/modules/STAP/126.96.36.199_r108838_1-1598487907/./../../..//modules/STAP/current/guard-sign: No such file or directory
./guard_diag: line 1308: /var/gim/modules/STAP/188.8.131.52_r108838_1-1598487907/./../../..//modules/STAP/current/dump_shmem_stats: No such file or directory
cat: /tmp/guard_diag_out//diag.91vDi5/../stap_drop.log: No such file or directory
Diagnostics completed! The results are in /tmp/guard_diag_out//diag.ustap.localhost.localdomain.20-08-31_130855.tar.gz
[root@localhost 184.108.40.206_r108838_1-1598487907]#
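The same steps as a small script, added here as an example and not part of the original post: it reads the S-TAP directory out of the running guard_stap process (the way the ps output above reveals it) instead of hard-coding the versioned path, and only runs guard_diag once it has confirmed the binary is there. The `VERSION` part of the sample path in the test data is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): locate the S-TAP install
# directory from the running guard_stap process and run guard_diag there.
# Assumes the process listing shows the absolute path to guard_stap, as in
# the ps output on the page.

# Print the directory containing the running guard_stap binary, given
# `ps -ef` style lines on stdin. Prints nothing if no guard_stap is running.
stap_dir_from_ps() {
  awk '
    {
      for (i = 1; i <= NF; i++) {
        # the command column holds the absolute path to guard_stap;
        # the guard_tap.ini argument and the grep line do not match
        if ($i ~ /\/guard_stap$/) {
          sub(/\/guard_stap$/, "", $i)
          print $i
          exit
        }
      }
    }'
}

# Run guard_diag from the live S-TAP directory into a fresh output directory.
# guard_diag writes a tar.gz into that directory and takes about two minutes.
run_stap_diag() {
  out_dir="${1:-/tmp/guard_diag_out}"
  stap_dir=$(ps -ef | stap_dir_from_ps)
  if [ -z "$stap_dir" ]; then
    echo "guard_stap is not running; cannot locate the S-TAP directory" >&2
    return 1
  fi
  if [ ! -x "$stap_dir/guard_diag" ]; then
    echo "guard_diag not found in $stap_dir" >&2
    return 1
  fi
  mkdir -p "$out_dir"
  (cd "$stap_dir" && ./guard_diag "$out_dir/")
}

# Usage on the DB server, as root:
#   run_stap_diag /tmp/guard_diag_out
```

If guard_stap is not running at all, the script stops with a message rather than guessing a path; in that case the S-TAP service itself needs attention before any diagnostic bundle is worth collecting.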
Find and Delete Large File in Guardium
guardium11.yourcompany.com> support show large_file 500 0
517 /var/IBM/Guardium/collector/bin/snif-debug
532 /var/IBM/Guardium/collector/bin/packet-run
722 /var/IBM/Guardium/collector/bin/snif
4097 /var/IBM/Guardium/data/mysql/ib_logfile0
4097 /var/IBM/Guardium/data/mysql/ib_logfile1
4097 /var/IBM/Guardium/data/mysql/ib_logfile2
4097 /var/IBM/Guardium/data/mysql/ib_logfile3
ok
guardium11.yourcompany.com>
To find files over a certain size and age, run the support show large_file CLI command shown above, giving it the size and age thresholds as its two arguments:
Shut Down System
Changing Report Parameters
Add Reports into Dashboard to Check Logged Data
Log in to your collector's web UI and add the following reports to your dashboard:
1. Full SQL Count
2. Full SQL
3. Server Accessed
4. Open Sessions
5. Session count
Change GIM Client Configuration’s Guardium IP
Sometimes you might want to point your GIM client to a different collector or aggregator. The following steps show how to change that.
1. Stop the GIM service on the GIM client server
2. Go to the path C:\Program Files (x86)\Guardium\Guardium Installation Manager\GIM\Current\
3. Edit the file “conf”
4. Search for GIM_URL and change the IP from 172.23.1.29 (collector) to 172.23.1.28 (central manager)
5. Save the changes
6. Start the GIM service
7. Verify from the Guardium Central Manager
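Step 4 above is the only part that touches a file, and it is also the step most likely to be done by hand on a production database server. The following shell functions, added as an example and not taken from the post or from IBM, make that edit repeatable: they take a backup first, refuse to edit a conf file that has no GIM_URL line, and verify the result. They assume the setting is stored as a line of the form `GIM_URL=<ip>` (an assumption about the file layout) and are written for a Linux GIM client; the path is passed in rather than hard-coded.

```shell
#!/bin/sh
# Added example (not from the original post): change GIM_URL in the GIM client
# conf file safely. Assumes a "GIM_URL=<ip>" line; that layout is an assumption.

# Print the current GIM_URL value from a conf file (empty if absent).
gim_url_get() {
  sed -n 's/^GIM_URL=//p' "$1" | head -n 1
}

# Replace the GIM_URL value after taking a timestamped backup of the file.
# Returns 1 if the setting is missing; does nothing if it already matches.
gim_url_set() {
  conf="$1"; new_ip="$2"
  current=$(gim_url_get "$conf")
  if [ -z "$current" ]; then
    echo "no GIM_URL line in $conf" >&2
    return 1
  fi
  if [ "$current" = "$new_ip" ]; then
    echo "GIM_URL already points at $new_ip" >&2
    return 0
  fi
  cp "$conf" "$conf.bak.$(date +%Y%m%d%H%M%S)"
  # write to a temp file and move it into place, so a failed edit never
  # leaves a half-written conf behind
  tmp="$conf.tmp.$$"
  sed "s|^GIM_URL=.*|GIM_URL=$new_ip|" "$conf" > "$tmp" && mv "$tmp" "$conf"
  # confirm the file now carries the new value
  [ "$(gim_url_get "$conf")" = "$new_ip" ]
}

# Usage, with the GIM service stopped first (path is an assumption for Linux):
#   gim_url_set /usr/local/guardium/modules/GIM/current/conf 172.23.1.28
```

Stop the GIM service before calling gim_url_set and start it afterwards, exactly as in steps 1 and 6; the backup file is what you restore if the client does not show up on the new appliance.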
Based on “How to move a GIM client to point to another appliance (GIM Server)?”, there are two other ways to do it:
1. From the Guardium web GUI: Manage – Module Installation – Set up by Client.
Choose the GIM client and GIM bundle, then change the parameter GIM_URL to your new GIM appliance IP and install it now to get it updated.
2. From the Guardium client command line.
Remove inactive GIM client connection
If your GIM client has been pointed to a different Guardium aggregator / collector / central manager, you might receive the notification “The GIM process is not running on following database server”. In this case, you might want to delete this GIM connection by clicking “reset connection” on the Set up by Client page.
VA Report View Issue – Disable Data Level Security Filtering
A VA task has been scheduled to run and the log shows it completed successfully, but the report received is empty, with the information message “Data level security or event filtering is enabled. Therefore all of the results have been filtered”.
There is also a checkbox for “Include indirect records”.
It is quite clear that data level security was enabled for some reason, such as segregation of duties. It can be turned off at Setup > Tools and Views > Global Profile.
Unit Utilization Report Failed
Central Manager shows all S-TAP offline (red)
If the S-TAPs are still shown offline after you have verified the S-TAP service on the DB server and confirmed that the firewall allows ports 9500 and 9501, the cause might be the inspection engine service on the appliance.
guardium-v11.yourcompany.com> restart inspection-core
Are you sure you want to restart inspection-core (y/n)?
Restarting inspection-core
ok
guardium-v11.yourcompany.com>
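Before restarting inspection-core it is worth proving the firewall part of the checklist above from the DB server side. The following check, added as an example and not part of the original post, tries a TCP connection from the DB server to the collector on 9500 and 9501 using bash's built-in /dev/tcp, so nothing needs to be installed; the collector hostname in the usage line is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): confirm the collector is
# reachable on the S-TAP ports before touching inspection-core.

# Return 0 if a TCP connection to host:port succeeds within three seconds.
# Uses bash's /dev/tcp pseudo-device; `timeout` stops a silently dropped
# packet (a firewall DROP rule) from hanging the check.
tcp_port_open() {
  host="$1"; port="$2"
  timeout 3 bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
}

# Check each port given; prints one line per port and returns how many failed,
# so 0 means every port is open.
check_stap_ports() {
  host="$1"; shift
  failed=0
  for port in "$@"; do
    if tcp_port_open "$host" "$port"; then
      echo "$host:$port open"
    else
      echo "$host:$port blocked or not listening"
      failed=$((failed + 1))
    fi
  done
  return "$failed"
}

# Usage from the DB server (hostname is a placeholder):
#   check_stap_ports guardium-v11.yourcompany.com 9500 9501
```

A connection that is refused immediately means the packet reached the appliance and nothing was listening, which points at the appliance side (hence the inspection-core restart); a connection that times out points at a firewall in between.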