IBM Guardium Tips and Tricks

This post is a summary for my experience with IBM Guardium product. Some of them are pretty simple. I am recording those for my own reference.

• Find Guardium STAP Installation Folder and Exec Stap Diag
• Shut Down System
• Inspection Engine Status is Fail
• Changing Report Parameters
• Add Reports into Dashboard to Check Logged Data
• Change GIM Client Configuration's Guardium IP
• Remove inactive GIM client connection
• VA Report View Issue - Disable Data Level Security Filtering
• Unit Utilization Report Failed
• Central Manager shows all S-TAP offline (red)

Topology

Find Guardium STAP Installation Folder and Exec Diag

1  From Guardium Web GUI

2  From Linux DB Server

Sometimes, if stap already is having problem, run command from web gui wont work. You will have to go to your DB server's command line to run it as show below:

[root@localhost tmp]# ps -ef | grep -i tap
root      1911   933  0 11:58 ?        00:00:00 /var/gim/modules/STAP/11.2.0.0_r108838_1-1598487907/guard_stap /var/gim/modules/STAP/11.2.0.0_r108838_1-1598487907/guard_tap.ini
root      5685  5104  0 13:07 pts/0    00:00:00 grep --color=auto -i tap
[root@localhost tmp]# cd /var/gim/modules/STAP/11.2.0.0_r108838_1-1598487907/
[root@localhost 11.2.0.0_r108838_1-1598487907]# ls
atap_must_gather.sh  config                        guard-config-update                guardium_evaluator.jar          guard-stap-setup            hooks                  libsasl2.so         platform_checks.sh
buffers              db2_exit_health_check.sh      guard_diag                         guardkerbplugin.conf            guard_tap.ini               libgssapiv2.so         libsasl2.so.3       ranger_dynpolicy_config.py
ca.cert.pem          depends                       guard_discovery                    guard_log4j_listener_config.py  guard_tap.ini.bak           libgssapiv2.so.3       libsasl2.so.3.0.0   rc
cit_config.xml       files                         guard_discovery.stderr.log         guard_sof                       guard_tap.ini.default_orig  libgssapiv2.so.3.0.0   LICENSE.TXT         STAP.log
common.sh            find_db2_shmem_parameters.sh  guard-gim-STAP-build.conf          guard_stap                      guard_tap.ini.prev          libguardkerbplugin.so  load_balance        trace_files
conf                 GIM.pm                        guardium_cassandra_audit-3.11.jar  guard_stap_analyze_tool.sh      guard_tap.ini.save_default  librdkafka.so          merge_ini_file.sh   uninstall
conf.bkp             guard-atap-ctl                guardium_cassandra_audit-3.4.jar   guard_stap.pid                  guard_validate_ip           librdkafka.so.1        monit-stap-control
[root@localhost 11.2.0.0_r108838_1-1598487907]# mkdir /tmp/guard_diag_out
[root@localhost 11.2.0.0_r108838_1-1598487907]# ./guard_diag /tmp/guard_diag_out/
Args /tmp/guard_diag_out/
LOG LEVEL 4
LOG TIME 60
This diagnostics script runs for approximately two minutes.  During the course
of its execution, it will gather data about various aspects of your system to
aid in analysing performance issues and other problems.  To do so, a couple of
processes will be started and terminated after a predetermined time-out.  On
some systems, this may cause some messages about processes being killed to be
printed below - this is normal and should not be cause for concern.

find: ‘/var/gim/modules/STAP/11.2.0.0_r108838_1-1598487907/./../../..//modules/CAS/current’: No such file or directory
./guard_diag: line 372:  6069 Killed                  tail -f /var/log/messages >> $KTAP_TEMP 2>&1
./guard_diag: line 372:  6071 Killed                  tail -f $tap_log_dir/guard_stap.stderr.txt >> $STAP_TEMP 2>&1
/dev/guard_ktap: No such file or directory
/var/gim/modules/STAP/11.2.0.0_r108838_1-1598487907/./../../..//modules/STAP/current/db2_exit_health_check.sh: line 145: /var/gim/modules/STAP/11.2.0.0_r108838_1-1598487907/./../../..//modules/STAP/current/guard-sign: No such file or directory
/var/gim/modules/STAP/11.2.0.0_r108838_1-1598487907/./../../..//modules/STAP/current/db2_exit_health_check.sh: line 146: /var/gim/modules/STAP/11.2.0.0_r108838_1-1598487907/./../../..//modules/STAP/current/guard-sign: No such file or directory
./guard_diag: line 1308: /var/gim/modules/STAP/11.2.0.0_r108838_1-1598487907/./../../..//modules/STAP/current/dump_shmem_stats: No such file or directory
cat: /tmp/guard_diag_out//diag.91vDi5/../stap_drop.log: No such file or directory
Diagnostics completed!  The results are in /tmp/guard_diag_out//diag.ustap.localhost.localdomain.20-08-31_130855.tar.gz
[root@localhost 11.2.0.0_r108838_1-1598487907]#

STAP diagnostics. --> https://www-01.ibm.com/support/docview.wss?uid=swg21579891

3  From Windows DB Server

To run the diagnostics directly at the DB Server, open a Winddows Explorer window and go to the STAP Install folder, by default it is C:\Program Files (x86)\Guardium\Guardium Installation Manager\WINSTAP\current\Files\Static,  but it will depend on your installation settings. In that path there is a diag.bat file, rigth click->Run as Administrator, this will open a cmd window where it will show the progress, once finished, it will create two new folders on the same path:

• diag
• tmpZip

Find and Delete Large File in Guardium

Search any large files which size is larger than 500MB and no matter when it was created. 

guardium11.yourcompany.com> support show large_file 500 0

517     /var/IBM/Guardium/collector/bin/snif-debug
532     /var/IBM/Guardium/collector/bin/packet-run
722     /var/IBM/Guardium/collector/bin/snif
4097    /var/IBM/Guardium/data/mysql/ib_logfile0
4097    /var/IBM/Guardium/data/mysql/ib_logfile1
4097    /var/IBM/Guardium/data/mysql/ib_logfile2
4097    /var/IBM/Guardium/data/mysql/ib_logfile3
ok
guardium11.yourcompany.com>

To find files that are over a certain size and age, run the following CLI command:
support show large_files <size> <age>

You can then delete a specific file by running the following command:
support clean log_file <full path of file to delete>

Shut Down System

Stop command to shutdown Guardium from Command line. stop system

Web GUI - Setup - Tools and View - System - Stop

Inspection Engine Status is Fail

Inspection engine verification is feature in Guardium v9.1 and above. Its purpose is to determine if inspection engines configured on the S-TAP are collecting data.

 There are two methods to verify Inspection Engine:

1. "Standard Verification" - Sends a login request to the database defined in inspection engine with user "RESULTFD". This login request should fail. If the inspection engine is configured and working correctly the S-TAP will send an exception to the collector with failed login. The verification process looks for this failed login, if it finds it then we know that the S-TAP can capture data from this inspection engine.

2. "Advanced Verification" - A user configured datasource is used to login to the database. The advanced verification runs a select on a table that does not exist. If the inspection engine is configured and working correctly the S-TAP will send an exception to the collector with database error.Verification process looks for this error, if it finds it then we know that the S-TAP can capture data from this inspection engine.

YouTube Video:

Troubleshooting the Guardium S-TAP Verification Process:

Reference: https://www.ibm.com/support/pages/what-do-if-guardium-inspection-engine-status-fail

Changing Report Parameters

Run Time Parameters

For these queries the QUERY_FROM_DATE and QUERY_TO_DATE can be changed to limit to show just the recent 3 minutes data for example

click the pencil top right in v9 or wrench in v10.
 

Amend parameters
Report Parameters

Any of the Fields can be used to set a condition as normal and the report can the be re-saved and re-run - for example to restrict for a specific ServerIP ...

click the edit report icon at the top left in v10.

 

Add a condition - for example

Add Reports into Dashboard to Check Logged Data

Reference: https://www.ibm.com/support/pages/how-can-i-check-if-correct-data-being-logged-my-guardium-appliance

Steps: 

Log in to your Collector WebUI, add following reports into your Dashboard:
1. Full SQL Count
2. Full SQL
3. Server Accessed
4. Open Sessions
5. Session count

Change GIM Client Configuration's Guardium IP

Sometimes, you might want to point your GIM Client to different collector or aggregator. The following steps will show you how to change that.
1. Stop GIM service from GIM client server
2. Go to the path C:\Program Files (x86)\Guardium\Guardium Installation Manager\GIM\Current\
3. Edit the file "conf"
4. search GIM_URL and change ip from 172.23.1.29 (collector) to 172.23.1.28 (central manager)
5. Save the changes
6. Start GIM service
7. Verify from Guardium Central Manager

Based on How to move a GIM client to point to another appliance (GIM Server)?, there are two other ways to do it:
1. From Guardium Web GUI, Manage - module Installation - Set up Client
choose the GIM client and GIM bundle then change parameter GIM_URL to your new GIM appliance ip, install it now to get it updated.
2. From Guardium Client command line.

Remove inactive GIM client connection

If your GIM client has pointed to different Guardium Aggregator / collector / central manager, you might received following notification about "The GIM process is not running on following database server". In this case, you might want to delete this GIM connection by click "reset connection" in the Set up by Client page.

VA Report View Issue - Disable Data Level Security Filtering

VA task has been scheduled to run and log shows it was completed successfully, but the report received shows empty with a information "Data level security or event filtering is enabled. Therefore all of the results have been filtered"

There is also a checkbox for "Include indirect records".

It is quite clear, Data level security was enabled for some reasons, such as segregate duties. It can be turned off at Setup > Tools and Views > Global Profile.

Unit Utilization Report Failed

Follow following KB's two step configuration, the Unit Utilization Report will generate properly. 

Note: https://www.ibm.com/support/knowledgecenter/en/SSMPHH_11.0.0/com.ibm.guardium.doc.admin/adm/unit_utilization_configure.html

Central Manager shows all S-TAP offline (red)

It might relate to inspection engine service if it is still offline after you verified the stap service on DB server and verified the firewall allowing port 9500 and 9501. 

You can try to telnet collector's port 9500 / 9501 from DB server. 

guardium-v11.yourcompany.com> restart inspection-core
Are you sure you want to restart inspection-core (y/n)?
Restarting inspection-core
ok
guardium-v11.yourcompany.com>

References

• How to change / modify IP address or host name of the Guardium appliance in the GIM Client configuration by editing conf file at Windows Server ?
• How to move a GIM client to point to another appliance (GIM Server)?
• Unable to view reports on the Guardium GUI