IBM Support

Guardium reports are not showing any data

Troubleshooting


Problem

You receive a regularly scheduled report from Guardium without any data in it. This can be a GUI interactive report or the result of a scheduled or ad-hoc Audit process. You expect the report to contain data.

Symptom

In the interactive or audit process results you see one of the messages:

  • No data found
  • No data found. Check the aggregation merge period.
  • No matching results found
All of these messages indicate that the report completed without error but there was no data found.

Cause

Reports with no data in them can have a wide range of underlying causes. Before you request technical support for this problem you need to go through some basic troubleshooting steps. This technote is a guide to the steps that you should take.

Diagnosing The Problem

Go through the steps below in order to try and understand the cause of the empty report. Make sure to note the results of the tests and questions below.

1. Report run time parameters


    For GUI interactive reports click the pencil icon in the report page.

    For audit process reports check in the audit process definition. GUI->Tools->Audit Process Builder->Modify->Audit Tasks-> Task Parameters.

    • Are the time parameters correct?
    • Do you expect to see data in the report at that time?
    • Are all other parameters defined correctly?
    • Are you excluding the data you want to see with those parameters?
    • Are you running this report on a remote source by accident?

    Test: Increase the date range of the report until you can see data. Note down the last time there was data in the report. Also increase the "Query to" date into the future as timestamps in reports can sometimes be ahead of the GUI time.

2. Report query definition


    For GUI interactive reports click the "edit the query for this report" icon at the bottom of the report.

    For audit process reports check in the definition GUI->Tools->Audit Process Builder->Modify->Audit Tasks->Report. Note the name of the query and find that in the query finder for the correct query domain. e.g. Tools->Report Building->Access tracking.
    • Are there any conditions in the query definition that would stop you getting data in the report?

    Test: Make a clone query with no conditions and test to see if it has any data in it. If the clone contains the data you expect, then the query conditions are the problem.

    Test: Increase the date range of the clone report until you can see data. Note down the last time there was data in the clone report. Remember to increase "Query to" date into the future as in point 1.


3. Purge settings

    Check the purge settings on the appliance. GUI->Administration Console->Data Management->Archive (or Export).
    • What is the purge setting on the appliance?
    • Has the data you are looking for in the report been purged already?

    • If so, you may need to look on the aggregator or restore an archive of that day's data.

4. Merge period (aggregators only)

    Check in the CLI:

    show aggregator merge_period
    • Is the report looking for data from before the merge period?


    • If needed, you can change it using the CLI command:

      store aggregator merge_period

5. Incoming data to the appliance

5a) Collectors
    You need to determine whether data was being collected by the appliance over the time parameters of your report. If this is not the case then the root cause of that needs to be investigated as the true problem.
    • Have the STAPs been green in the GUI constantly (as far as you know)?

    • If the STAPs are red, start the inspection-core in the CLI:
      start inspection-core
      restart inspection-core
    • Have you seen any error messages saying the appliance is becoming full?

    • Check the database size in the CLI. If the appliance is over 90% full it will not be collecting any data. CLI:
      support show db-status used %

    Check the GUI->Guardium Monitor-> Buffer Usage Monitor.
    • Over the time of the report, was there any data coming into the appliance?

    • If "Analyzer Rate" or "Logger Rate" columns are 0 then the answer is no.
    • Is ALP column increasing?

    • If so dropped packets may be the cause of missing data in the report.

5b) Aggregators
    Incoming data to the aggregator is controlled by the export/import process. Check in the GUI->Guardium Monitor->Aggregation/Archive log on both aggregator and collectors.
    • Have there been any errors with the export or import for data in the time range of your report?

5c) Central Managers
    A central manager can run a report on a managed unit as a remote source. You can see this in the run time parameters from step 1.
    • Is the remote source on the report set to "none"?

    • If so use 5b)
    • Is the remote source set to one of the managed units?

    • If so use 5a) on the managed unit that the report is set to.

6. Data sent from the STAP
    If you see that no data is coming into the appliance in step 5, then you can check to see if the appropriate STAP is sending data. This is only possible via the GUI in appliances v9.0 and above.

    The Guardium Deployment Guide - Section 7.1.1 S-TAP optimization and tuning describes how to set up the S-TAP statistics report. If you have not already configured this you are recommended to do so.

    Guardium Deployment Guide
    • If you have S-TAP Statistics report configured, was the S-TAP sending data at the time of the report?

Resolving The Problem

If you are unable to resolve the problem from the steps above you should at least have a better idea of the underlying cause of the problem. If you still need to open a PMR please do so with the below information. Details on how to get the must gather information are in the related links.

Information to add when opening a PMR

  • Export of the query or audit process definition. From the central manager (if there is one) GUI->Administration Console-> Guardium Definitions -> Export.
  • Time when reports stopped containing data, to the best of your knowledge.
  • Full details of your investigation from the above points. Results of tests, answers to questions and any other notes.
  • File generated from CLI command: support must_gather system_db_info

  • If the report is running in an audit process:
      support must_gather audit_issues
  • If you saw a problem in step 3 above:
      support must_gather agg_issues
      support must_gather purge_issues
  • If you saw a problem in step 4:
      support must_gather agg_issues
  • If you saw a problem in step 5a:
      support must_gather sniffer_issues
  • If you saw a problem in step 5b:
      support must_gather agg_issues from both Aggregator and Collector.
  • If you saw a problem in step 6:
      support must_gather sniffer_issues
      Output of the guard_diag (Unix) or diag.bat (Windows) script from the DB server.
      Copy of the S-TAP statistics report from the GUI.
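
As an added example (not IBM's code and not part of the original technote), the checks from steps 3, 4 and 5a can be written down as a small triage function that also lists the must_gather commands named above. It assumes the purge age and merge period are given in days counted back from the current time and that Buffer Usage Monitor rows are entered by hand as (Analyzer Rate, Logger Rate, ALP) tuples; the function name, parameters and sample values are hypothetical.

```python
from datetime import datetime, timedelta

def triage_empty_report(now, query_from, query_to, purge_days=None,
                        merge_period_days=None, db_used_pct=None, buffer_rows=()):
    """Apply the step 3, 4 and 5a checks; return (findings, must_gather commands).
    buffer_rows: Buffer Usage Monitor rows inside the report window, in time
    order, as (analyzer_rate, logger_rate, alp) tuples (hypothetical layout).
    """
    findings, gather = [], ["system_db_info"]  # always requested for a PMR

    def need(*names):
        gather.extend(n for n in names if n not in gather)

    if purge_days is not None:  # step 3: has the window been purged?
        cutoff = now - timedelta(days=purge_days)
        if query_from < cutoff:
            scope = "whole" if query_to <= cutoff else "start of the"
            findings.append(f"step 3: {scope} report window is older than the purge age")
            need("agg_issues", "purge_issues")

    if merge_period_days is not None:  # step 4: aggregators only
        if query_from < now - timedelta(days=merge_period_days):
            findings.append("step 4: report window starts before the merge period")
            need("agg_issues")

    if db_used_pct is not None and db_used_pct > 90:  # step 5a: appliance full
        findings.append("step 5a: database over 90% full, appliance is not collecting")
        need("sniffer_issues")

    if buffer_rows:  # step 5a: Buffer Usage Monitor columns
        analyzer, logger, alp = zip(*buffer_rows)
        if not any(analyzer) or not any(logger):
            findings.append("step 5a: Analyzer Rate or Logger Rate is 0, no incoming data")
            need("sniffer_issues")
        if any(later > earlier for earlier, later in zip(alp, alp[1:])):
            findings.append("step 5a: ALP is increasing, dropped packets are possible")
            need("sniffer_issues")

    return findings, ["support must_gather " + name for name in gather]

# Constructed observations for illustration, not taken from a real appliance.
NOW = datetime(2024, 1, 31, 12, 0)
SAMPLE = dict(now=NOW, query_from=NOW - timedelta(days=40), query_to=NOW - timedelta(days=33),
              purge_days=30, merge_period_days=60, db_used_pct=93,
              buffer_rows=[(120, 118, 0), (0, 0, 0), (95, 90, 4)])

if __name__ == "__main__":
    for line in sum(triage_empty_report(**SAMPLE), []):
        print(line)
```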


Document Information

Modified date:
16 June 2018

UID

swg21679901