Configuration and control CLI commands

Use the following CLI commands for configuration and control.

? (question mark)

To find more information about a command, enter a question mark at any point to display the arguments.

Syntax

<partial_command> ?

Example
CLI> show account strike ?
USAGE:  show account strike <arg>, where arg is:
?, count, interval, max
ok
CLI>

commands

Displays an alphabetical listing of all CLI commands.

Syntax

commands

debug

Enables or disables debug mode. Without an argument, the command toggles the debug state. Optionally, include a state argument (on or off).

Syntax

debug <on | off>

clean load_balance_inactive_stap_queue

Use this command to manually clear an inactive S-TAP and its corresponding collector from the inactive S-TAPs queue in the load balancer.

Syntax

clean load_balance_inactive_stap_queue <stapHost> <collectorName>

delete scheduled-patch

To delete a patch installation request, use the delete scheduled-patch CLI command.

For more information about installing patches, see the store system patch install CLI command.

delete ssl_gui_ciphers and restore ssl_gui_ciphers

Use these commands to select and delete out-of-date GUI ciphers, and, if necessary, restore deleted ciphers.

Syntax
delete ssl_gui_ciphers

Guardium returns a list of ciphers. Specify the number of the cipher to delete. Use a comma to separate multiple cipher numbers.

Enter q to quit without deleting any ciphers.

If you accidentally delete the wrong cipher, use restore ssl_gui_ciphers to restore it.

Restore command
restore ssl_gui_ciphers [ last | list ]
Where:
  • last: Restores one or more last deleted ciphers.
  • list: Restores all deleted ciphers.

Before you restore ciphers, Guardium warns that restoring the certificates can affect the connectivity of GUI and GIM-TLS. Make sure that when you restore deleted ciphers, the results that are returned are expected.

Show command
show ssl_gui_ciphers

For more information about supported ciphers, see Cipher suites.

delete unit type

Use this command to clear one or more unit type attributes. Note that this command cannot clear all unit type attributes. For more information, see store unit type.

Syntax

delete unit type [manager | standalone] [aggregated] [netinsp] [network routes static] [stap] [mainframe]

eject

This command dismounts and ejects the CD ROM, which is useful after you upgrade or reinstall the system, or after you install patches that were distributed on a CD ROM.

Syntax

eject

forward support email

When the support-state option is enabled (which it is by default), this command sets the email address to receive system alerts.

Syntax

forward support email to <email address>

Show command

show support-email

import jproxy_files

Use this command, along with store jproxy_config ssh_key_file, to upload the GBDI SSH key file (in .pem format) and configure the SSH target host to communicate with GBDI. For more information, see store jproxy_config ssh_key_file.

iptraf

IPTraf is a network statistics utility that is distributed with the underlying operating system. It gathers information such as TCP connection packet and byte counts, interface statistics and activity indicators, TCP/UDP traffic breakdowns, and LAN station packet and byte counts. For more information, see the IPTraf User Manual at the following location (it might also be available at other locations):

http://iptraf.seul.org/2.7/manual.html

Syntax

iptraf

license check

Indicates whether the installed license is valid. Use this command after you install a new product key.

Syntax

license check

license clear

Removes product licenses. After running this command, you will need to reapply base and append license keys and accept their terms and conditions. For more information about applying licenses, see License keys and Install license keys.

Syntax

license clear

ping

Sends ICMP ping packets to a remote host. This command is useful for checking network connectivity. The value of host can be an IP address or host name.

Syntax

ping <host>

quit

Exits the command-line interface.

Syntax

quit

recover failed

Restores failed CSV, CEF, or PDF transfer files by placing them back into the export folder for another export attempt.

Syntax

recover failed [csv|cef|pdf]

register management

Registers the Guardium system for management by the specified central manager. The pre-registration configuration of this Guardium system is saved, and that configuration is restored later if the unit is unregistered.

Syntax

register management <manager ip> <port>

Parameters

manager ip is the IP address of the central manager.

port is the port number used by the central manager (usually 8443).

reset luks keys

Clears all stored tang keys in the Linux Unified Key Setup (LUKS) and removes all connections to the tang server.

Syntax

reset luks keys

restart datastreams

Use this command to restart stopped AWS database activity-monitoring data streams. For more information, see Cloud database service protection with data streams.

12.0 Syntax
restart datastreams
12.1 and later Syntax
restart datastreams [--yes]
Where --yes causes the command to run automatically.

restart gui

Restarts the IBM® Guardium Web interface. To optionally schedule a restart of the GUI once a day or once a week, use additional parameters. HH is hours 01-24. MM is minutes 01-60. W is the day of the week, 0-6, Sunday is 0. If HHMM is listed twice, only the last entry is used. The parameter clear deletes the scheduled time.

In order to restart the classifier and security assessments processes, run the restart gui command from the CLI (not from the GUI).

Running restart gui from the GUI only restarts the web services. To fully restart all processes, including the Classifier and Security Assessments processes, run the restart gui command from the CLI. Run it from the CLI on each managed unit to restart the Classifier listener.

12.0 Syntax
restart gui [HHMM|HHMMW|clear]
12.1 and later Syntax
restart gui [HHMM|HHMMW|clear] [--yes]
Where --yes causes the command to run automatically.

restart rds_monitoring

Restart the AWS RDS monitor for Oracle. For more information, see Cloud database service protection with native audit.

Syntax
restart rds_monitoring

restart sniffer_buffer_usage

Restarts the sniffer buffer monitor.

Syntax
restart sniffer_buffer_usage

For more information about using restart sniffer_buffer_usage, see Performance issue: buffer usage process not running.

restart stopped_services

Use this CLI command to restart services previously stopped with the store auto_stop_services_when_full CLI command.

12.0 Syntax
restart stopped_services

restart system

Reboots the Guardium system. The system shuts down completely and restarts, which terminates the CLI session.

Syntax

restart system
12.1 and later Syntax
restart system [--yes]
Where --yes causes the command to run automatically.

restart ticket_service

Restarts the external ticketing service. For more information, see Configure an external ticketing system.

You can also stop and start the ticketing service from the CLI.

12.0 Syntax
restart ticket_service
12.1 and later Syntax
restart ticket_service --yes
Where --yes causes the command to run automatically.

restore rsyslog

Compares the current remotelog (rsyslog) on your system with an rsyslog that is restored from a CONFIG backup file, if one is available. You can then choose to override the existing rsyslog with the backed-up rsyslog.

Syntax
restore rsyslog

setup hyper-v-tools

Use this command to install or uninstall the Hyper-V toolkit on your Guardium system.
Note: This command restarts the Guardium system.

Syntax

setup hyper-v-tools [install | uninstall]

show buffer

This command displays a report of buffer use for the inspection engine process. If you are experiencing load problems, IBM Technical Support may ask you to run this command.

Syntax

show buffer <log | snif>

Examples

To display the buffer usage of the inspection engine process:

show buffer log

To display the buffer usage of the sniffer:

show buffer snif

show build

Displays build information for the installed software (build, release, snif version).

Syntax

show build

show load_balance_inactive_stap_queue

This command shows the list of inactive S-TAPs and corresponding collectors that have accumulated in the load balancer's inactive S-TAP queue.

Syntax

show load_balance_inactive_stap_queue

show network routes static

Lets the appliance use a single IP address (through the primary interface) while directing traffic through different routers by using static routing tables. Lists the current static routes, with their IDs.

Syntax

show network routes static

Delete command

delete network routes static

show remotelog

Displays information about the rsyslog program that runs syslog. For information about adding and configuring remote logs, see the store remotelog commands, beginning with store remotelog add.

Syntax
show remotelog <escape_control_characters_on_receive | host | max_message_size | status | test>
Where:
  • escape_control_characters_on_receive - Displays the value of the rsyslog $EscapeControlCharactersOnReceive directive.
  • host - Displays the name of any remote hosts.
  • max_message_size - Displays the value of the rsyslog $MaxMessageSize directive.
  • status - Displays the status of the rsyslog.
  • test - Verifies the configuration of a configured rsyslog, as follows:
    • If the remote log is configured: The configuration displays. The test message sent to syslog targets the configured facility.priority. If the facility is ALL, then the message is sent using the daemon facility. If the priority is ALL, then the message is sent using info. You can verify that the messages are sent.

      To confirm, gather a tcpdump targeting the hosts, ports, and protocols and verify that rsyslog is transmitting the messages to the SIEM system. For more information, see Facility and priority of syslog messages.

    • If a remote log is not configured, then a test message is sent to syslog without a specific facility or priority.

Syntax

show remotelog escape_control_characters_on_receive
show remotelog host
show remotelog max_message_size
show remotelog status
show remotelog test

Examples

show remotelog host
Sample output
Remote syslog is in non-encrypted mode.
Remote syslog format is default.
user.=warning    @@9.30.252.111
user.=alert    @@myhost.mycompany
user.=alert    @@myhost.mycompany
show remotelog status
show remotelog test
Sample output
 show remotelog status test
The following receivers are configured
Messages will be written to syslog targeting these.
Please verify that the messages were received.

The tests could take several minutes

Facility    Priority    Protocol    Host:port
daemon      info        TCP         9.30.252.192:514
user        info        UDP         9.30.252.192:514
user        alert       TCP         9.30.252.192:5514


Sending message:  daemon.info: Guardium test message
Sending message:  user.info: Guardium test message
Sending message:  user.alert: Guardium test message

Test message 'Guardium test message' successfully sent to syslog

Analyzing tcpdump.  If a message is found in the tcpdump
output, but not in the syslog receiver, please consult your
administrator for the syslog receiver.

Message to 9.30.252.192:514 sent
Message to 9.30.252.192:514 sent
Message to 9.30.252.192:5514 sent
ok
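The test described above sends one message per configured receiver using the facility.priority of that receiver, with ALL mapped to daemon and info, and leaves it to you to confirm from a tcpdump that each message reached the SIEM. The following added example (not part of the Guardium documentation) parses the receiver table from the sample test output, computes the syslog PRI value (facility * 8 + severity) each test message must carry, and reports receivers for which no matching datagram was captured. The capture lines are constructed; assumes the datagram payloads start with the standard <PRI> prefix.

```python
import re

# Syslog facility and severity codes from RFC 5424, section 6.2.1.
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
SEVERITIES = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}


def effective_selector(facility, priority):
    """Apply the substitution the test uses: a facility of ALL is sent
    with daemon, a priority of ALL is sent with info."""
    fac = "daemon" if facility.upper() == "ALL" else facility.lower()
    sev = "info" if priority.upper() == "ALL" else priority.lower()
    return fac, sev


def expected_pri(facility, priority):
    """Syslog PRI value (facility * 8 + severity) of the test message."""
    fac, sev = effective_selector(facility, priority)
    return FACILITIES[fac] * 8 + SEVERITIES[sev]


# One row of the receiver table, e.g. "daemon  info  TCP  9.30.252.192:514".
RECEIVER_ROW = re.compile(r"^(\w+)\s+(\w+)\s+(TCP|UDP)\s+(\S+):(\d+)$")


def parse_receivers(test_output):
    """Extract the configured receivers from 'show remotelog test' output."""
    receivers = []
    for line in test_output.splitlines():
        m = RECEIVER_ROW.match(line.strip())
        if m is None:
            continue  # header, blank and progress lines do not match
        fac, pri, proto, host, port = m.groups()
        receivers.append({
            "facility": fac, "priority": pri, "protocol": proto,
            "host": host, "port": int(port), "pri": expected_pri(fac, pri),
        })
    return receivers


PRI_PREFIX = re.compile(r"^<(\d{1,3})>")


def verify_delivery(test_output, captured):
    """Compare receivers against captured datagrams.

    captured is a list of (dst_host, dst_port, payload) tuples as you would
    extract them from a tcpdump of the syslog ports (constructed format).
    Returns the receivers for which no payload with the expected PRI and
    the test text was seen."""
    seen = set()
    for host, port, payload in captured:
        m = PRI_PREFIX.match(payload)
        if m and "Guardium test message" in payload:
            seen.add((host, int(port), int(m.group(1))))
    return [r for r in parse_receivers(test_output)
            if (r["host"], r["port"], r["pri"]) not in seen]


# Receiver table copied from the sample output above.
SAMPLE_TEST_OUTPUT = """\
Facility    Priority    Protocol    Host:port
daemon      info        TCP         9.30.252.192:514
user        info        UDP         9.30.252.192:514
user        alert       TCP         9.30.252.192:5514
"""

# Constructed capture: the user.alert message to port 5514 never arrives.
SAMPLE_CAPTURE = [
    ("9.30.252.192", 514, "<30>Jan  1 12:00:00 guardium Guardium test message"),
    ("9.30.252.192", 514, "<14>Jan  1 12:00:00 guardium Guardium test message"),
]

if __name__ == "__main__":
    for r in verify_delivery(SAMPLE_TEST_OUTPUT, SAMPLE_CAPTURE):
        print("missing: %s.%s to %s:%d (expected PRI <%d>)"
              % (r["facility"], r["priority"], r["host"], r["port"], r["pri"]))
```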

show security policies

Displays the list of security policies.

Syntax

show security policies

show ticket update interval

View the interval for updating the status of records from external ticketing systems like Service Now. For more information, see Configure an external ticketing system.

Set the value using store ticket update interval <n>.

Show command

show ticket update interval

start datastreams

Use this command to start existing AWS database activity-monitoring data streams. For more information, see Cloud database service protection with data streams.

Syntax

start datastreams

start rds_monitoring

Start the AWS RDS monitor for Oracle. For more information, see Cloud database service protection with native audit.

Syntax
start rds_monitoring

start ticket_service

Starts the external ticketing service. The ticketing service synchronizes external tickets (such as Service Now tickets) that are stored in the local system. When the ticketing service is running, the synchronization runs once an hour. For more information, see Configure an external ticketing system.

You can also stop or restart the ticketing service from the CLI.

Syntax
start ticket_service

stop datastreams

Use this command to stop running AWS database activity-monitoring data streams. For more information, see Cloud database service protection with data streams.

Syntax

stop datastreams

stop gui

Stops the Web user interface.

Syntax

stop gui

stop rds_monitoring

Stop the AWS RDS monitor for Oracle. For more information, see Cloud database service protection with native audit.

Syntax
stop rds_monitoring

stop system

Stops and powers down the appliance.

Syntax

stop system

stop ticket_service

Stops the external ticketing service. For more information, see Configure an external ticketing system.

You can also start or restart the ticketing service from the CLI.

Syntax
stop ticket_service

store apply_user_hierarchy

Use this CLI command to apply user hierarchy to audit receiver.

If ON, a non-audit-group receiver (that is, a receiver other than the audit group receiver, whether normal or role) sees only audit results with a group IP beneath the receiver's hierarchy, including the receiver itself.

Syntax

store apply_user_hierarchy [ON | OFF]

Show command

show apply_user_hierarchy

store alert_timestamp_unit

Controls the timestamp unit for syslog alerts. Default is seconds.

Syntax

store alert_timestamp_unit [millisecond | second]

Show command

show alert_timestamp_unit

store alert_object_num_limit

Sets the maximum number of objects to show in the Alert log with the %%Object or %%objectType variables.

Syntax

store alert_object_num_limit <n>

Where n is a positive integer between 1 and 50. The default is 10.

Show command

show alert_object_num_limit

store alert_verb_num_limit

Sets the maximum number of SQL verbs to show in the Alert log. You can also set this parameter from the GuardAPI or REST API. For more information, see modify_guard_param.

Syntax

store alert_verb_num_limit <n>

Where n is a positive integer between 1 and 50. The default is 10.

Show command

show alert_verb_num_limit

store allow_simulation

Enables (on) or disables (off) the ability to run the Policy Simulation on the appliance.

To run the simulation, the original traffic must be replayed through the rules engine with the policy that needs to be tested. This requires some of the original SQL on the appliance to be saved together with its values. Enabling or disabling allow_simulation instructs IBM Guardium to save, or not to save, any such SQL or values.

Syntax

store allow_simulation [on|off]

Show command

show allow_simulation

store alp_throttle

Use this CLI command to set the amount of data that the Analyzer logs into the GDM_FLAT_LOG table.

The analyzer can lose packets in the analyzer circular queue for several different reasons, including the following:
  • The incoming packet rate is too high.
  • The parser is too slow for some complex or long SQL statements.
  • The analyzer is too slow for some database packets.

Use store alp_throttle to choose how much data to log into the GDM_FLAT_LOG table.

Syntax

store alp_throttle <n>
Where n can be 0 or a positive integer.
  • If n = 0 (the default), report without logging any SQL statements.
  • If n is a positive integer, report and log every nth SQL statement in GDM_FLAT_LOG.

Examples

To report and log all SQL statements (100%):

store alp_throttle = 1

To report and log every 2nd SQL statement (50%):

store alp_throttle = 2

To report and log every 1000th SQL statement (0.1%):

store alp_throttle = 1000

store analyzer

This command sets the timeout of the ignore session, that is, how long the ignore session lasts.

Ignore session: The current request and the remainder of the session will be ignored. This action does log a policy violation, but it stops the logging of constructs and will not test for policy violations of any type for the remainder of the session. This action might be useful if, for example, the database includes a test region, and there is no need to apply policy rules against that region of the database.

Syntax

store analyzer [ignore_sess_timeout | max_open_sess]

Show command

show analyzer

store auto_stop_services_when_full

When ON, stops internal services if the database exceeds the 90% full threshold.

Inspection Engine, Classification and other Collection-related services will stop. Also, Aggregation import/restore will not process any new files.

To remediate, use the various Support commands (support clean audit_task, support clean log_files, support clean DAM_data, support show large_files) to analyze and manually purge large tables.

Syntax

store auto_stop_services_when_full [ON | OFF]

Show command

show auto_stop_services_when_full

store connect oracle_parser

Use this command to connect and disconnect the Oracle parser from the DB2 parser. The default is OFF (disconnect).

Syntax

store connect oracle_parser [ON | OFF]

Show command

show connect oracle_parser

store csv_fetch_size

This command is used by the report REST service to control the total number of records fetched. Guardium reports can be downloaded in CSV file format.

store csv_fetch_size and store csv_max_size are GLOBAL_PROFILE parameters that can only be modified via CLI.

Note: csv_max_size requires a restart of the GUI for changes to take effect. csv_fetch_size does not require a restart.

Syntax

store csv_fetch_size <num>

Where <num> is a number greater than 0.

Show command

show csv_fetch_size

store csv_max_size

This command controls the size of the CSV downloads that are retrieved when you click Download all records from the report export menu. The default value is 30,000.

Note: csv_max_size requires a restart of the GUI for changes to take effect.

Syntax

store csv_max_size <num>

Where <num> is a number greater than 0.

Show command

show csv_max_size

store cyberark config_failover

Use this command to configure standby CyberArk vault servers on your Guardium system.

Syntax

store cyberark config_failover

store cyberark install

Use this command to install CyberArk on your Guardium system.

Syntax

store cyberark install

You are prompted to enter the vault host name or IP address, vault user name and vault password.

Show command

Use the show command to verify if CyberArk is installed on your Guardium system.

show cyberark status

store cyberark service [start | stop]

Use this command to start or stop the CyberArk service on your Guardium system.

Syntax

store cyberark service start
store cyberark service stop

store cyberark uninstall

Use this command to uninstall CyberArk from the Guardium system.

Before uninstalling, you must remove the reference to the Guardium system from the CyberArk vault server first. For more information, see Uninstalling CyberArk.

Syntax

store cyberark uninstall

store cyberark upgrade_parameter

Before installing the CyberArk SDK upgrade patch on your Guardium system, run this command to enter the CyberArk upgrade parameters. The upgrade parameters are the CyberArk vault hostname or IP address, the vault username, and the vault password.

Syntax

store cyberark upgrade_parameter

Show command

show cyberark upgrade_parameter

store default_queue_size

Use this command to control the ADMINCONSOLE_PARAMETER.DEFAULT_QUEUE_SIZE configuration parameter. The default is 25. The range is 25-300.

The sniffer must be restarted after a change in value.

Syntax

store default_queue_size <N>, where N is the number in range of 25 to 300

Show command

show default_queue_size 25

store defrag

Use this command to restore defragmentation defaults, or to set the defragmentation size. After entering this command, you must issue the restart inspection-core command for the changes to take effect. Defrag is relevant only for network sniffing through a SPAN port or a TAP device.

Syntax

store defrag [default | size <s> interval <i> trigger <t> release <r>]

Where:

  • default: Restore the default settings.
  • s: The packet size in bytes, up to a maximum of 2^17 (131072).
  • i: The time interval.
  • t: The trigger level.
  • r: The release level, specified as a number of seconds, up to a maximum of 2^31 (2147483648).

Show command

show defrag

Defrag identifies fragmented packets and attempts to reconstruct them before they reach the network sniffing process. Defrag is relevant only for network sniffing through a SPAN port or a TAP device.

store delayed_firewall_correlation

Use this CLI command to hold a user connection until the decryption correlation has taken place.

Syntax

store delayed_firewall_correlation [on | off]

Show command

show delayed_firewall_correlation

store disk_space_reserved

Use this command to change the amount of disk space to reserve on a Guardium aggregator or collector. Reserving disk space allows you to customize the percentage of free space to preserve on the data partition.

12.0 Syntax
store disk_space_reserved [ custom <pct> | reset ]
12.1 and later Syntax
store disk_space_reserved [ custom <pct> | reset [--yes] ]
Where:
  • custom <pct> - The percentage of available disk space to reserve, from 0 to 100.
  • reset - Reset the amount of reserved disk space to the default.
Note: The suggested (and default) reserved disk space is 25% for an aggregator and 50% for a collector. If you set the reserved disk space to less than the default, a warning message displays.
When you run store disk_space_reserved reset the reserved disk space is reset to the default percentage based on the type of the machine (25% for an aggregator, 50% for a collector).
Note: The reset command output may incorrectly state that reserved disk space is reset to 0%. However, the disk space is actually set to the expected default (as shown by the show disk_space_reserved command).

Show command

show disk_space_reserved

store dump_data_for_forensics

This command dumps full SQL details into the local Kafka server for forensic and analysis purposes.

12.0 Syntax
store dump_data_for_forensics <ON | OFF>
12.1 and later Syntax
store dump_data_for_forensics <ON | OFF> [--yes]
Where --yes causes the command to run automatically.

Show command

show dump_data_for_forensics
Note: You can also set the dump SQL details behavior on or off from the GuardAPI modify_guard_param DUMP_DATA_FOR_FORENSICS parameter.

store encrypt_must_gather

Guardium collects certain data (must gather information) that IBM support uses if something goes wrong. This command determines whether must gather data is encrypted (on) or compressed, but not encrypted (off).

Syntax

store encrypt_must_gather <on |off>

Show command

show encrypt_must_gather

store full-bypass

This command is intended for emergency use only, when traffic is being unexpectedly blocked by the Guardium system. When on, all network traffic passes directly through the system, and is not seen by the Guardium system.

When using this command, you will be prompted for the admin user password.

Syntax

store full-bypass <on | off>

store gdm_analyzer_rule

Analyzer rules - Certain rules can be applied at the analyzer level. Examples of analyzer rules are user-defined character sets, source program changes, and firewall watch or firewall unwatch modes. Applying rules at the analyzer level means that decisions can be made at an earlier stage.

Note: When applying analyzer rules on source program changes, if the source program does not match the exact pattern, add .* at the end of the pattern to deal with the possibility that the source program has a trailing space (unseen by user).

Syntax

store gdm_analyzer_rule [active_flag | new]
store gdm_analyzer_rule active_flag <id> <on|off>

Where <id> is the rule ID.

Show command

Use the CLI command, show gdm_analyzer_rule, to see a list of GDM analyzer rules.

show gdm_analyzer_rule

store gdm_analyzer_rule new

Use the Guardium CLI to add an analyzer rule for a direct regular expression to Mask UID Chain pattern.

Syntax

store gdm_analyzer_rule new
Enter rule description (optional):
Enter rule type (required):

Example

store gdm_analyzer_rule new
Please enter rule description: new rule 4
Rule type
 1. Change source program
 2. Set alternate character set
 3. Send verdict
 4. HADOOP exclude
 5. Define protocol and port
 6. Ignore session after packets
 7. Set empty Oracle DB user when login information is missed
 8. Force MS SQL login
 9. Transform string
Please select rule type (required): 9
Please enter pattern (required, regex string): (.*)(-ppassword)(.*)
Please enter format (required, regex string): \\\\1-p****\\\\3
Do you want to activate the rule now? (Yes/No)
Y
ok
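The Transform string rule entered above rewrites a matching value from its captured groups, and the note on source program rules explains that a pattern must match the whole value, so a trailing space defeats it unless .* is appended. The following added example (not Guardium code) reproduces both behaviours in Python for the rule from the session above: it normalizes the CLI's backslash escaping in the format, applies the rule to sample values, and shows the trailing-space case. It assumes whole-value (fullmatch) semantics and that the format's \N references behave as in Python's re.Match.expand.

```python
import re

# Backslashes in a format as typed at the CLI prompt (\\\\1 in the session
# above) arrive doubled; collapse any run of them before a group number so the
# format becomes a plain \1-style group reference (assumption about escaping).
GROUP_REF = re.compile(r"\\+(\d+)")


def normalize_format(fmt):
    """Turn the CLI-escaped format into single-backslash group references."""
    return GROUP_REF.sub(r"\\\1", fmt)


def rule_matches(pattern, value):
    """Exact-match test of a rule pattern against a value: the whole value
    must match, not just a substring (this is what makes a trailing space
    in the source program break a pattern that lacks a final .*)."""
    return re.fullmatch(pattern, value) is not None


def transform_string(pattern, fmt, value):
    """Apply a 'Transform string' rule.  When the whole value matches the
    pattern, rebuild it from the format's group references; otherwise return
    the value untouched."""
    m = re.fullmatch(pattern, value)
    if m is None:
        return value
    return m.expand(normalize_format(fmt))


# Rule from the CLI session above, pattern and format exactly as entered.
MASK_PATTERN = "(.*)(-ppassword)(.*)"
MASK_FORMAT = r"\\\\1-p****\\\\3"

# Constructed sample source program strings.
SAMPLES = [
    "mysql -ppassword -h db01",   # password flag present: gets masked
    "mysql -u root -h db01",      # no match: returned unchanged
]

if __name__ == "__main__":
    for s in SAMPLES:
        print("%-28s -> %s" % (s, transform_string(MASK_PATTERN, MASK_FORMAT, s)))
    # Trailing-space note: "sqlplus " does not match "sqlplus" but does
    # match "sqlplus.*".
    print(rule_matches("sqlplus", "sqlplus "), rule_matches("sqlplus.*", "sqlplus "))
```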

store gdm_http_session_template

Use this CLI command to set the template for the HTTP session.

Usage

store gdm_http_session_template [activate] [add] [deactivate] [remove]

Show command

show gdm_http_session_template 
Attempting to retrieve the template information. It may take time. Please wait.
Table 1. store gdm_http_session_template
ID# Active URL Regex Session Regex Username Regex Login_Session Regex Comment Logout_Session_ID Logout_URL_Regex
1 1 Cookie.*PHPSESSID=([[:a .*user_name=([[:alnum:] Set-Cookie:.*PHPSESSID= example of HTTP session deleted    
2 1 Cookie.*PSJSESSIONID=([ .*SignOnDefault=([[:aln   example of HTTP session cmd=logout  
3 1 Cookie.*JSESSIONID=([0- .*username=([[:alnum:]] Set-Cookie:.*JSESSIONID example of HTTP session   Logout.jsp

store log external

Use this command to set the file size, flush period, gdm error, and state of the log external action. This action appears as a policy action only after the following CLI command is executed:

store log external state on

Then log external shows up as a policy action.

CLI command to check the state:

show log external state

CLI command to enable and disable this action:

store log external state on/off

Usage

store log external [file_size] [flush_period] [gdm_error] [state]

Syntax

store log external gdm_error <state>

Where state is on or off. 'on' is to enable and 'off' is to disable.

store log external file_size <num>

Where <num> is the size of the file. Default is 4096 bytes.

store log external flush_period <num>

Where <num> is the flush period. Default is 60 seconds.

store log external state <state>

Where state is on or off. 'on' is to enable and 'off' is to disable.

Show command

show log external [file_size] [flush_period] [gdm_error] [state]

store monitor gdm_statistics

Use this CLI command to get information about the Unit Utilization. Default is 1 (run the script every hour).

Syntax

store monitor gdm_statistics <hour>

Where hour is a value from 0 to 24. The default value is 1, which means the script runs every hour. A value of 0 means the script does not run.

Show command

show monitor gdm_statistics 

Disable command

store monitor gdm_statistics 0

Setting hour to 0 disables the gdm_statistics monitor.

store gui

Sets the TCP/IP port number on which the IBM Guardium appliance management interface accepts connections. The default is 8443.

n must be a value in the range of 1024 to 65535. Be sure to avoid the use of any port that is required or in use for another purpose.

Set session timeout: Sets the length of time (in seconds) with no activity before timeout. After the no-activity-timeout has been reached, it is necessary to log on again to Guardium. The default length is 900 seconds (15-minutes).

Enables or disables Cross-Site Request Forgery (CSRF) protection. With CSRF protection on, using certain web browser functions (for example, F5/CTRL-R/Refresh/Reload, Back/Forward) results in a 403 Permission Error message.

The new session timeout value will take effect only after the next GUI restart.

Syntax

store gui port <n>
store gui session_timeout <n>
store gui csrf_status [on | off]

Show command

Displays the GUI port number, state, session timeout (in seconds) and/or CSRF status.

show gui [port | state | all | session_timeout | csrf_status ]

store gui cache

Use this CLI command to turn web browser caching ON or OFF (Enable or Disable).

The response is:

The parameter has been changed. 
Restarting gui 
Changing to port 8443 
Stopping....... 
Safekeeping xregs 
ok 

The default setting for browser caching is enabled.

The act of changing the cache setting will automatically restart the Guardium web server.

For Firefox, you must clear the browser cache for the setting to take effect.

Syntax

store gui cache [ON | OFF]

Show command

show gui cache

store gui hsts_status

Use this CLI command to enable or disable the HSTS (HTTP Strict Transport Security Filter). This option is disabled by default on upgraded systems and is recommended to be turned on after valid certificates are installed. See the topic, How to install an appliance certificate to avoid a browser SSL certificate challenge, for further reference.

Syntax

store gui hsts_status [ on | off ] 

Show command

show gui hsts_status 

store gui xss_status

Use this CLI command to enable or disable the Cross-Site Scripting (XSS) status. This option is enabled by default on upgraded systems.

Syntax

store gui xss_status [ on | off ]

Show command

show gui xss_status

store installed security policy

Sets the security policy named policy-name as the installed security policy.

Syntax

store installed security policy <policy-name>

Show command

show installed security policy

store jproxy_config flush_at_size/store jproxy_config flush_timeout_sec

Use these commands to configure the streaming interval for transporting the JSON document data from Guardium to Guardium Big Data Intelligence (GBDI). Whenever Guardium hits either threshold, jProxy sends the data to GBDI. For more information, see Big Data Intelligence with data streaming.

Syntax
store jproxy_config flush_at_size <bytes>
The default is 102400000.
store jproxy_config flush_timeout_sec <seconds>

The default is 60 seconds.

Show commands

show jproxy_config flush_at_size <bytes>
show jproxy_config flush_timeout_sec <seconds>

store jproxy_config ssh_key_file

Use this command, along with import jproxy_files, to upload the GBDI SSH key file (in .pem format) and configure the SSH target host to communicate with GBDI. For more information, see Big Data Intelligence with data streaming.

Syntax
import jproxy_files
store jproxy_config ssh_key_file <key_file_name>
  • Use import jproxy_files to import the signed certificate (the SSH key file).
  • Use store jproxy_config ssh_key_file <key_file_name> to store the SSH key file in the keystore.

store keep_psmls

Use this CLI command to retain the current layouts, profiles, and portlets created by the users of the Guardium application. Set this CLI command to ON before an upgrade, and the psmls from the previous version are retained.

Syntax

store keep_psmls [ON | OFF]

Show command

show keep_psmls

store ldap-mapping

Store LDAP-mapping parameters - allow a custom mapping for the LDAP server schema. This command permits customized mapping to the LDAP server schema for email, firstname and lastname attributes. The paging parameter is used to facilitate transfer between any LDAP server type (Active Directory, Novell Directory, Open LDAP, Sun One Directory, Tivoli® Directory). If the paging parameter is set to on, but paging is not supported by the server, the search is performed without paging.

Example for paging: If the CLI command ldap-mapping paging is set to ON, Microsoft Active Directory downloads up to the maximum number of users defined by the limit value on the LDAP Import configuration screen. If the CLI command ldap-mapping paging is set to OFF, Active Directory downloads only up to 1000 users, no matter what the limit value is set to. All other LDAP server configurations must use the CLI command ldap-mapping paging off in order to download users up to the set limit value.

Note: Each time you change the CLI ldap-mapping attributes you also need to select Override Existing Changes on the LDAP Import configuration screen in IBM Guardium GUI before updating. This action must occur each time you change the CLI ldap-mapping email, firstname or lastname attributes and import LDAP users.

Show commands

show ldap-mapping [email] [firstname][lastname] <name>
show ldap-mapping paging ON|OFF

A restart of the GUI (restart gui CLI command) is required for new parameters to take effect.

Examples

store ldap-mapping firstname name
store ldap-mapping lastname sn
store ldap-mapping email mail
store ldap-mapping paging on

If the attributes are written as follows, the mapping process uses the first attribute it finds. If this is not what you want, use one of the examples to map to specific attributes.
  • Values for firstname attribute: gn,givenName,name
  • Values for lastname attribute: sn,surname,name
  • Values for email attribute: userPrincipalName,mail,email,emailAddress,pkcs9email,rfc822Mailbox
  • Values for paging: on, off

store license

This command applies a new license key to the appliance.

A license key is one of two kinds: override type or append type. An override type replaces the currently installed license, while an append type is appended to the currently installed license. Append-type licenses can only add functionality: they may enable new functions and, where relevant, update expiration dates, the remaining number of scans, or the number of datasources, or replace certain numeric fields in the license, such as the number of managed units.

Syntax

store license

Example

When using the store license command, you are prompted to paste the new product key:
CLI> store license
Please paste the string received from customer services. Then press <ENTER> to continue.

Copy and paste the new product key at the cursor location, and then press Enter. The product key contains no line breaks or white space characters, and it always ends with (and includes) a trailing equal sign. A series of messages will display, ending with:
We recommend that the machine be rebooted at the earliest opportunity in order to complete the license updating process.
ok
CLI>

Run the restart gui command at this time.

Show command

show license
Shows details about the license for this appliance, as follows:
  • License - A single license that includes the base license merged with information from any older licenses and append licenses. For central managers, this license key is sent to any associated managed units when the managed unit is registered or the system is refreshed.
  • Number of Licenses - Specifies the number of managed units that can be associated with a central manager. This value cannot be changed after the license is installed.
  • Metering - If this appliance has a metered license, then you can run only a certain number of vulnerability assessment scans. A value of -1 means there is no limit. For a metered license, Guardium checks this value each time you run a security assessment or classifier process. The process runs only if the number of datasources in the security assessment or classifier is less than or equal to the metering value. When a process runs, the metering value is updated by subtracting the number of datasources from the metering.
  • Number of Datasources - The maximum number of datasources for which the appliance is licensed. A value of -1 means there is no limit. This value cannot be changed after license installation. If your site has a limited license, the value is decremented each time you add or import a datasource.

    A datasource, for this purpose, is a database server that you add either from the Datasource Definition page of the Guardium UI or by using the create_datasource GRDAPI command.

  • Valid until - The expiration date for this license.
  • Licensed Applications - The Guardium applications that this appliance can access under this license.
  • Licensed Product Types - The Guardium add-on products that this appliance can access under this license.

store log classifier level

Sets the debugging level for the classifier, to one of the values shown.

Syntax

store log classifier level TRACE|DEBUG|INFO|WARN|ERROR|FATAL

Show command

show log classifier level

store log exception sql

When on, logs the entire SQL command when logging exceptions.

Syntax

store log exception sql <on | off>

Show command

show log exception sql

store log_general_response_length

Use this CLI command to enable or disable logging of the response length. When enabled, the sniffer logs the response length for every SQL instance.

store log_general_response_length is disabled by default. Enabling response length logging can impact sniffer performance.

Syntax

store log_general_response_length [ enable | disable ]
Where:
  • enable - Always log the response length. The responseLength value is logged for all entities.
  • disable - Do not log the response length (default).

Show command

show log_general_response_length

store log object_join_info

Sets the logging of object_join.

A join table is a way of implementing many-to-many relationships. Use join entity to join tables in a SELECT SQL statement.

Syntax

store log object_join_info [ on | off ]

Show command

show log object_join_info

store log session_info

This command enables or disables storing sniffer log session information.

Syntax

store log session_info [ on | off ]

Show command

show log session_info

store log sql parser_errors

Sets the logging of syntactically wrong SQL commands.

Syntax

store log sql parser_errors [on|off]
Note: A restart of the inspection engine is required after the store command is issued to apply the change.

Show command

show log sql parser_errors

store logger_data_destination_config

Use the following CLI commands to optionally configure information for Guardium Big Data Intelligence (GBDI) data streaming, such as the logger destination and Mongo client authentication (user name, authentication database, and mechanism).

For more information, see Big Data Intelligence with data streaming.
  • store logger_data_destination_config type <database type>
  • store logger_data_destination_config database_name <db name>
  • store logger_data_destination_config destination [hostname | port] <value>
  • store logger_data_destination_config [auth_username | auth_database_name | mechanism] <value>
  • store logger_data_destination_config data <collection type> [on|off]
    Where the collection types are:
    • session
    • instance
    • full_sql
    • policy_violations
    • exception

Show command

show logger_data_destination_config <parameter>

store logging granularity

Sets the logging granularity to the specified number of minutes. You must use one of the minute values shown in the syntax. The default is 60.

Syntax

store logging granularity <1, 2, 5, 10, 15, 30 or 60>

Show command

show logging granularity

store max_audit_reporting

Displays the audit report threshold in days. The default is 32. When defining reports in audit process, the number of days of the report (defined by the FROM-TO fields) should not exceed a certain threshold (one month by default). For more information, see Audit processing notes.

Syntax

store max_audit_reporting <days>

Show command

show max_audit_reporting

store max_result_set_packet_size

Stores max_result_set_packet_size, which aids in tuning the inspection engine when observing returned data. The default value is 32; the size can be between 1 and 65535. This command sets the limit for the packet size in a response. This parameter works for any type of database. If the value is beyond the defined threshold, the analyzer does not retrieve data to calculate the records affected value.

Syntax

store max_result_set_packet_size <size>

Show command

show max_result_set_packet_size

store max_result_set_size

Stores max_result_set_size, which aids in tuning the inspection engine when observing returned data. The default value is 100; the size can be between 1 and 65535. This command sets the limit for the total result set size. This parameter works for any type of database. If the value is beyond the defined threshold, the analyzer does not retrieve data to calculate the records affected value.

Syntax

store max_result_set_size <size>

Show command

show max_result_set_size

store max_tds_response_packets

Stores max_tds_response_packets, which aids in tuning the inspection engine when observing returned data. The default value is 5; the size can be between 1 and 65535. This command sets the limit for the number of packets in a response. This parameter works for MS SQL only. If the value is beyond the defined threshold, the analyzer does not retrieve data to calculate the records affected value.

Syntax

store max_tds_response_packets <size>
Note: max_tds_response_packets (Tabular Data Stream) is only applicable for MS SQL Server and Sybase.

Show command

show max_tds_response_packets

store maximum query duration

Sets the maximum number of seconds for a query to the value specified by n. The default is 180. We recommend that you do not set this value greater than the default, because doing so increases the chances of overloading the system with query processing. This value can also be set from the Running Status Monitor panel on the administrator portal.

Syntax

store maximum query duration <n>

Show command

show maximum query duration

store monitor

Use the store monitor buffer CLI command to

Syntax

store monitor [buffer | custom_db_usage [state <hour>] | gdm_statistics <hour> ]
Where:
  • buffer - Set the interval of how often to run the script that retrieves the information shown in the Buffer Usage Monitor report of the IBM Guardium Monitor tab.
  • custom_db_usage [state][hour] - Set the state and specify a time to run this job.

    When state = on, specify the hour (0 - 23) to run.

  • gdm_statistics <hour> - Get information about the Unit Utilization, where hour is a value from 0 to 24. Default = 1 (run the script every hour).

Show commands

show monitor buffer
show monitor custom_db_usage
show monitor gdm_statistics

store mysql_utf8mb4

Enable support for 4-byte UTF-8 encoding (utf8mb4).

This command modifies Guardium sniffer processes and internal databases to correctly capture and store 4-byte UTF-8 characters. Enabling utf8mb4 may be useful if datasources in your environment contain 4-byte characters, for example as used for Chinese, Japanese, and Korean ideographs.

Observe the following when using this command:
  • The additional processing required to capture and store 4-byte characters will negatively impact the performance of your Guardium system. For this reason, do not enable utf8mb4 unless you require 4-byte character support in your environment.

  • If support for 4-byte UTF-8 encoding is required in an aggregated or centrally managed environment, utf8mb4 should be enabled on all Guardium systems in the environment. Enabling utf8mb4 on only some systems in the environment may create problems, such as failed aggregation or incorrectly displayed reports.

  • Data collected or aggregated before enabling utf8mb4 will still be available and function correctly after enabling utf8mb4.

CAUTION:
Once 4-byte UTF-8 support has been enabled using the store mysql_utf8mb4 command, the change cannot be undone or reversed. After enabling utf8mb4 on a Guardium system, the only way to remove support for 4-byte UTF-8 characters is to completely rebuild the system.

12.0 Syntax

store mysql_utf8mb4

12.1 and later Syntax

store mysql_utf8mb4 [--yes]
Where --yes causes the command to run automatically.

Show command

show mysql_utf8mb4

Examples

> show mysql_utf8mb4
mysql configuration NOT set with UTF8MB4.
ok
> store mysql_utf8mb4
Attempting to change the mysql config file. It may take time. Please wait.
Start to modify mysql config file
Restarting mysql
Mysql has been restarted. Please exit CLI and log back on.
The parameter IS_UTF8MB4 has been changed to 1.
> show mysql_utf8mb4
mysql configuration set with UTF8MB4.
ok

store packet max-size

Limit the maximum size of packets from the sniffer.

Syntax

store packet max-size 1536

Show command

show packet max-size

store pdf-config

Use this command to change the font size and orientation of the PDF image body content (excluding header/footer).

Size unit ranges from 1 (smallest) to 10 (largest) with default value of 6.

Orientation unit is 1 (for landscape orientation) or 2 (for portrait). The default value is 1.

The change takes effect immediately after typing the CLI command and pressing the Enter key.

Syntax

store pdf-config [ orientation | size ]

Show command

show pdf-config [ orientation | size ]

store pdf-config multilanguage_support

There are different static PDF generator configuration files for English (used for the English version) and for language C/J (used for Chinese and Japanese). Use this CLI command to define the fonts in the PDF generator. The default is English; Multi-language is language C/J.

Syntax

CLI> store pdf-config multilanguage_support
Current setting is Default

1  Default
2  Multi-language
Please select the option (1,2, or q to quit)

Show command

show pdf-config multilanguage_support

store populate_from_query_maxrecs

Sets the maximum number of records that can be used to populate groups and aliases from a query.

Use caution when setting a maximum records value via this CLI command. Setting it too high may result in incomplete populate group from query processes. The maximum threshold is dynamic and dependent on the system load and memory utilization. The default value is 20,000 records. The maximum configurable value is 200,000 records.

Syntax

store populate_from_query_maxrecs 100000

Show command

show populate_from_query_maxrecs

store product gid

Sets the stored unique product GID value to <n>.

Syntax

store product gid <n>

Show command

show product gid

store purge object

Sets the age (in days) at which non-essential objects will be purged. Use the show purge objects age command to display a table showing the index, object name, and age for each object type for which a purge age is maintained. Then use the appropriate index from that table in the command to set the purge age.

Note: The value of number of days will be set to the default (90 days) when the unit type changes between managed unit/Manager/standalone unit.

Syntax

store purge object age <index> <days>

Show command

show purge object age

Example

Assume you want to keep an Event Log for 30 days. First issue the show purge objects age command to determine the index (do not rely on the table shown here; your list may be different). Then enter the store purge object command.

For example:
>show purge objects age

Index Name, Age
... purge objects

>store purge object age 2 30

store quartz_thread_num

This CLI command is for use by Technical Support.

The Java™ Virtual Machine allows the application to have multiple threads. A thread is a piece of the program execution.

Use the store quartz_thread_num CLI command to set the number of threads that can run at the same time.

Use this command to ease conflict between too many threads running at the same time.

The show quartz_thread_num CLI command displays the number of Quartz scheduler threads that run at the same time.

Syntax

store quartz_thread_num <number>
store quartz_thread_num [number [--yes]]

Where number is in the range 3 to 15 (default 5), and --yes causes the command to run automatically.

Show command

show quartz_thread_num
org.quartz.threadPoll.threadCount= 5

store remotelog add

Controls the use of remote logging. In addition to system messages, statistical alerts and policy rule violation messages can be written to syslog. For each host and port combination, you can direct messages from the syslog to a remote host. This command works with any syslog implementation that supports TCP or UDP protocol.

If you enable remote logging, be sure that the receiving host can accept the log information.

Syntax

store remotelog add <encrypted | non_encrypted> <facility.priority> <host[:port]> <protocol> [format]
Where:
  • <encrypted | non_encrypted> - Specify whether the connection to the remote host is encrypted. Guardium suggests that you encrypt all communications to a remote syslog server.
    Note: To add an encrypted log, you must provide a signed certificate. For more information, see Encrypting syslog.
  • facility - Required. The service routed to the remote logger. To see the available facilities, enter store remotelog add encrypted ? in the CLI.
  • priority - Required. The log priority, which can be:
    • alert - Guardium severity code HIGH
    • all
    • crit
    • debug
    • emerg
    • err - Guardium severity code MED
    • info - Guardium severity code INFO
    • notice
    • warning - Guardium severity code LOW
    Note: Both facility and priority are required, in the format facility.priority.
  • host (required) and port - The remote host name or IP address and optional port to send syslog messages. The default port is 514.
  • protocol - Required. The protocol to use to connect to the remote host. Protocol can be either:
    • tcp
    • udp
    Note: Only TCP supports encrypted connections to the remote host.
  • format - Some SIEM products process IETF RFC 5424 style syslog messages better than the default messages. This parameter changes the syslog format for this remote logger only to one of the following options:
    • default - rsyslog default format.
    • rfc5424 - rsyslog RFC 5424 format.
    Note: To use RFC 5425 format, the syslog receiver must be configured to accept RFC 5424 format. Otherwise, it receives the log in the default format.
Examples
cli> store remotelog add encrypted user.info 9.30.252.111 tcp
cli> store remotelog add non_encrypted user.warning myhost.mycompany.com tcp
tcp forwarder to myhost.mycompany.com added to rsyslog configuration:
user.=warning    @@myhost.mycompany.com
Restarting remote logger...
Remote logger restarted successfully
ok
cli> store remotelog clear myhost.mycompany.com
Remote logger configuration updated.
Restarting remote logger...
Remote logger restarted successfully
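
As an added example (not Guardium or rsyslog code), the following Python validates a store remotelog add argument line against the rules listed above (facility.priority required, default port 514, encrypted only over TCP, format default or rfc5424) and renders the classic rsyslog forwarding selector the CLI echoes back, such as user.=warning    @@myhost.mycompany.com. The facility names are the standard syslog facilities, an assumption; the appliance lists its own with store remotelog add encrypted ?.

```python
from __future__ import annotations
import ipaddress
import re

# Standard syslog facility names (assumption; the appliance lists its own with
# `store remotelog add encrypted ?`).
FACILITIES = {"auth", "authpriv", "cron", "daemon", "ftp", "kern", "lpr", "mail",
              "news", "syslog", "user", "uucp"} | {f"local{i}" for i in range(8)}
# Priorities exactly as listed for the command; "all" selects every priority.
PRIORITIES = {"alert", "all", "crit", "debug", "emerg", "err", "info", "notice", "warning"}
FORMATS = {"default", "rfc5424"}
DEFAULT_PORT = 514
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")


def _valid_host(host: str) -> bool:
    """Accept an IPv4/IPv6 literal or an RFC 1123 style host name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return bool(HOSTNAME_RE.match(host))


def parse_remotelog_add(args: str) -> dict:
    """Parse '<encrypted|non_encrypted> <facility.priority> <host[:port]> <protocol> [format]'.

    Raises ValueError naming the rule that was violated."""
    parts = args.split()
    if len(parts) not in (4, 5):
        raise ValueError("usage: <encrypted | non_encrypted> <facility.priority> <host[:port]> <protocol> [format]")
    mode, selector, target, protocol = parts[:4]
    fmt = parts[4] if len(parts) == 5 else "default"
    if mode not in ("encrypted", "non_encrypted"):
        raise ValueError(f"unknown mode {mode!r}")
    facility, sep, priority = selector.partition(".")
    if not sep or not facility or not priority:
        raise ValueError("both facility and priority are required, as facility.priority")
    if facility not in FACILITIES:
        raise ValueError(f"unknown facility {facility!r}")
    if priority not in PRIORITIES:
        raise ValueError(f"unknown priority {priority!r}")
    # host[:port]; a value with several colons is taken as a bare IPv6 literal (no port).
    host, _, port_text = target.rpartition(":") if target.count(":") == 1 else (target, "", "")
    port = DEFAULT_PORT
    if port_text:
        if not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
            raise ValueError(f"invalid port {port_text!r}")
        port = int(port_text)
    if not _valid_host(host):
        raise ValueError(f"invalid host {host!r}")
    if protocol not in ("tcp", "udp"):
        raise ValueError(f"protocol must be tcp or udp, got {protocol!r}")
    if mode == "encrypted" and protocol != "tcp":
        raise ValueError("only TCP supports encrypted connections to the remote host")
    if fmt not in FORMATS:
        raise ValueError(f"format must be default or rfc5424, got {fmt!r}")
    return {"encrypted": mode == "encrypted", "facility": facility, "priority": priority,
            "host": host, "port": port, "protocol": protocol, "format": fmt}


def rsyslog_selector(cfg: dict) -> str:
    """Render the classic rsyslog forwarding rule the CLI echoes back, for example
    'user.=warning    @@myhost.mycompany.com': '=' selects exactly that priority and
    '*' every priority; '@@' forwards over TCP, '@' over UDP; a non-default port is appended."""
    prio = "*" if cfg["priority"] == "all" else f"={cfg['priority']}"
    arrow = "@@" if cfg["protocol"] == "tcp" else "@"
    dest = cfg["host"] if cfg["port"] == DEFAULT_PORT else f"{cfg['host']}:{cfg['port']}"
    return f"{cfg['facility']}.{prio}    {arrow}{dest}"


def validation_error(args: str) -> str | None:
    """Return the violated rule for an invalid command line, or None when it is acceptable."""
    try:
        parse_remotelog_add(args)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed command lines, including the two shown on the page and one that must fail.
    for line in ("non_encrypted user.warning myhost.mycompany.com tcp",
                 "encrypted user.info 9.30.252.111 tcp",
                 "encrypted user.info 9.30.252.111 udp"):
        err = validation_error(line)
        print(line, "->", err or rsyslog_selector(parse_remotelog_add(line)))
```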

store remotelog clear

Use this command to clear the specified facility.priority combination from the list of messages to send to the specified host.

Syntax
store remotelog clear <host>

Example
cli> store remotelog clear myhost.mycompany.com
Remote logger configuration updated.
Restarting remote logger...
Remote logger restarted successfully

store remotelog escape_control_characters_on_receive

Use this command to escape the control characters if your system mangles messages that include control characters. The default is on (escape control characters).

Syntax

store remotelog escape_control_characters_on_receive <on|off>

Run restart remotelog to apply the new configuration.

store remotelog format

Sets the default syslog format in the rsyslog configuration (in the global directive $Undoable-in-transactional).

Some SIEM products process IETF RFC 5424 style syslog messages better than the default messages. In that case, change the format to rfc5424.
Note: The store remotelog format command permanently changes the default format.
  • default - rsyslog default format.
  • rfc5424 - rsyslog RFC 5424 format.
Note: To use RFC 5425 format, the syslog receiver must be configured to accept RFC 5424 format. Otherwise, it receives the log in the default format.

Run restart remotelog to apply the new configuration.

store remotelog max_message_size

Use this command to set the maximum message size from 5k to 64k. Specify the maximum message size with a single number, as follows:

  • 1 = 5k
  • 2 = 10k
  • 3 = 15k
  • 4 = 20k
  • 5 = 32k
  • 6 = 64k

Syntax

store remotelog max_message_size <1|2|3|4|5|6>

Run restart remotelog to apply the new configuration.

Show command

Use this command to display the current value of the $MaxMessageSize parameter.

Configuring remotelog receivers
To configure a receiving system to accept remote logging, edit /etc/sysconfig/syslog on the system to include the -r option. For example:
SYSLOGD_OPTIONS=-r -m 0

Then restart the syslog:

/etc/init.d/syslog restart

The standard syslog file in Linux® is named:

/var/log/messages

Notes:
  • To send the encrypted remote log message to the server, the rsyslog configuration in the server needs to accept encrypted messages.
  • TCP protocol is required to use the encrypted setting on client and server.
  • If you change from one mode to another, you need to modify the configuration file to sync with the designated mode and restart the remote service.
Encrypting syslog

Alerts and other messages can be forwarded to a remote syslog receiver, such as a SIEM system. This message traffic can be encrypted from the collector or aggregator to the remote syslog receiver.

Note: Encryption only works in TCP mode. By default, syslog forwarding uses UDP, so if encryption is required, specify TCP.

You need the certificate used by the remote syslog receiver. Store that certificate on the Guardium system.

To add an encrypted remote log:
  1. Have the public certificate available from a CA (Certificate Authority) such as Verisign, Thawte, or in-house.
  2. Log into the CLI on the individual Guardium system from which to send the encrypted syslog. Before you execute the command, obtain the appropriate certificate (in PEM format) from the CA, and copy the certificate, including the Begin and End lines, to your clipboard.
  3. Enter the following CLI command:
    store remotelog add encrypted user.all <remote host IP address>:<remote host port number> tcp
  4. The following instructions display:
    Please paste your CA certificate, in PEM format. Include the BEGIN and END lines, and then press CTRL-D.
    • Paste the PEM-format certificate to the command line, then press CTRL-D. Guardium stores the input as /etc/pki/rsyslog/ca.pem.
    • Guardium returns a message informing you of the success or failure of the store operation.
    • If successful, Guardium can send encrypted traffic to the remote system with the correct key.
  5. Repeat the procedure for each collector and aggregator that is sending syslog traffic to the encrypted host.

store s2c

Sets several configurable parameters for ADMINCONSOLE. These parameters are used for throttling server-to-client (S2C) traffic.

Note: Use this CLI command only when directed by IBM Guardium Technical Services.
Minimum and maximum values:
  • ANALYZER_S2C_IGNORE = {0,1,2,3}
  • MAX_S2C_VELOCITY (K bytes/sec) - number >=0 and <= 2147483647
  • MAX_S2C_INTERVAL (sec) - number >=1 and <= 2147483647

See also the CLI command Store Throttle.

Syntax

store s2c

USAGE: store s2c ignore I maxrate M maxinterval T where 0<=I<=3 (level),  0<=M<=2147483647 (K/sec), and 1<=T<=2147483647 (seconds) OR store throttle default.

For example:
>store s2c ignore 3 maxrate 300 maxinterval 5007

The new configuration takes effect after you run the restart inspection-core CLI command.

Show command

show s2c

Throttle S2C parameters (defaults):
         Ignore:         0
         Max rate:      999999
         Max interval:  30
-------------------

ANALYZER_S2C_IGNORE (0,1,2,3) - Switches the s2c throttling mechanisms on or off based on scenarios. This flag is based on bits: 0 = the s2c throttling mechanism is OFF, 1 = turns on the function described in scenario 1, 2 = turns on the function described in scenario 2, 3 = turns both on.

MAX_S2C_VELOCITY - maximal rate (K bytes/sec). If this rate is exceeded, the analyzer sends an ignore session or ignore session reply request to the S-TAP® or sniffer.

MAX_S2C_INTERVAL - time interval in seconds (default 30 sec.) between successive ignore session or ignore session reply requests.

Scenario 1

The sniffer starts to receive traffic from S-TAP or the network in the middle of a large query. Since all incoming packets are DB server responses, no new session is created by the analyzer and therefore no information is sent to the logger and rules engine. This type of traffic is useless for the sniffer. On the other hand, this type of traffic can create additional S-TAP and sniffer load.

A throttling mechanism helps to decrease S-TAP and network sniffer load by sending an ignore session message from the analyzer if the S2C velocity is greater than MAX_S2C_VELOCITY. If, for some reason, the S-TAP or network sniffer was not affected, the analyzer sends the ignore session request again after MAX_S2C_INTERVAL seconds. To switch this throttling mechanism on, set the ANALYZER_S2C_IGNORE flag to 1.

Scenario 2

If the incoming traffic has a high S2C rate (greater than MAX_S2C_VELOCITY), a throttling mechanism sends an ignore session reply request to the S-TAP for local database connections. If for some reason the S-TAP was not affected, the analyzer sends the ignore session reply request again after MAX_S2C_INTERVAL seconds. To switch this throttling mechanism on, set the ANALYZER_S2C_IGNORE flag to 2.
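
As an added example (not Guardium code), the following Python models the two throttling scenarios above: the ANALYZER_S2C_IGNORE bits select which requests the analyzer may send, a request is only considered when the measured S2C velocity exceeds MAX_S2C_VELOCITY, and a request of a given type is repeated no sooner than MAX_S2C_INTERVAL seconds after the previous one. The per-request-type timer and the sample velocities are assumptions made for the illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field

IGNORE_SESSION = "ignore session"              # scenario 1 request to S-TAP / network sniffer
IGNORE_SESSION_REPLY = "ignore session reply"  # scenario 2 request to S-TAP (local connections)


@dataclass
class S2CThrottle:
    """The three store s2c parameters, range-checked as in the USAGE text above."""
    ignore: int = 0             # ANALYZER_S2C_IGNORE bit flags: 1 = scenario 1, 2 = scenario 2, 3 = both
    max_velocity: int = 999999  # MAX_S2C_VELOCITY in KB/s (page default)
    max_interval: int = 30      # MAX_S2C_INTERVAL in seconds (page default)
    # Assumption: the analyzer remembers the last send time per request type.
    _last_sent: dict = field(default_factory=dict, repr=False)

    def __post_init__(self) -> None:
        if not 0 <= self.ignore <= 3:
            raise ValueError("ignore must be 0..3")
        if not 0 <= self.max_velocity <= 2147483647:
            raise ValueError("maxrate must be 0..2147483647 KB/s")
        if not 1 <= self.max_interval <= 2147483647:
            raise ValueError("maxinterval must be 1..2147483647 s")

    def observe(self, t: float, s2c_kbps: float, local_connection: bool) -> list[str]:
        """Requests the analyzer would issue at time t for one measured S2C velocity.

        Nothing is sent unless the velocity exceeds MAX_S2C_VELOCITY; a request of a
        given type is repeated no sooner than MAX_S2C_INTERVAL seconds after the last one."""
        if s2c_kbps <= self.max_velocity:
            return []
        wanted = []
        if self.ignore & 1:                       # scenario 1: any S2C-only traffic
            wanted.append(IGNORE_SESSION)
        if self.ignore & 2 and local_connection:  # scenario 2: local DB connections only
            wanted.append(IGNORE_SESSION_REPLY)
        sent = []
        for req in wanted:
            last = self._last_sent.get(req)
            if last is None or t - last >= self.max_interval:
                self._last_sent[req] = t
                sent.append(req)
        return sent


def simulate(throttle: S2CThrottle, samples: list[tuple[float, float, bool]]) -> list[tuple[float, str]]:
    """Feed (time, S2C KB/s, is_local_connection) samples and collect (time, request) events."""
    events = []
    for t, kbps, local in samples:
        events.extend((t, req) for req in throttle.observe(t, kbps, local))
    return events


# Constructed sample: a burst of server-to-client responses, measured every few seconds.
SAMPLES = [(0, 500, True), (3, 450, True), (12, 420, False), (15, 100, True), (25, 700, True)]

if __name__ == "__main__":
    # Same flags and rate as the page's `store s2c ignore 3 maxrate 300 ...`, shorter interval for the demo.
    for event in simulate(S2CThrottle(ignore=3, max_velocity=300, max_interval=10), SAMPLES):
        print(event)
```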

store save_result_max_size

This CLI command modifies the GLOBAL_PROFILE field SAVE_RESULT_MAX_SIZE, which sets the maximum number of result records saved in reports that are generated from the GUI.

Syntax

store save_result_max_size <num>

Where <num> is a number greater than 0.

Show command

show save_result_max_size

store sender_encoding

Use this CLI command to encode outgoing messages (email and SNMP traps) in a different encoding scheme; previously, everything was encoded in UTF8.

For example, a Guardium customer wanted to encode all of the outgoing SNMP messages in SJIS - an alternative Japanese encoding.

Note: If the conversion fails, either because (a) the specified encoding scheme is invalid or (b) the characters to be encoded cannot be represented in the requested encoding scheme, the message is sent using UTF8, the default encoding scheme.

Syntax

store sender_encoding <str>

Where str is the encoding, with a maximum length of 16.

Show command

show sender_encoding

store set_informix_driver_property

Use this command to set the connection property IFX_USE_STRENC=true on all Informix® datasources.

12.0 Syntax

store set_informix_driver_property
12.1 and later Syntax
store set_informix_driver_property [--yes]
Where --yes causes the command to run automatically.

store set_partitions_for_queries

Use this CLI command to enable or disable partition selection on queries.

Syntax

store set_partitions_for_queries <on|off>

store sftp_mode

This command, along with show sftp_mode, was deprecated as of Guardium 11.3.

store snif_alert_only_syslog_with_subject

Use this command to determine whether the subject of alerts displays in the syslog. Set to OFF to hide the subject of alert messages. The default is ON, which displays the alert subject in the syslog.

Syntax

store snif_alert_only_syslog_with_subject on|off

Show command

show snif_alert_only_syslog_with_subject

store snif_double_quote_literal

Use this command to control whether the sniffer handles double-quoted strings as literals and replaces them with question marks when generating masked SQL. By default, the sniffer assumes that double-quoted strings are literals and masks accordingly. The setting is available for several database types. Upon running the command, you are asked to select the database type from a list and define whether quoted strings are treated as literals. Use restart inspection-core to restart the inspection engine core after changing snif_double_quote_literal settings.

Example
> store snif_double_quote_literal
This command controls whether or not snif will consider double quoted strings literals, and replace them
with question marks when generating masked sql.
USAGE: store snif_double_quote_literal

DB type:
	1. MySql
	2. MemSql
	3. MsSql
	4. Sybase
	5. Informix
	0. Quit

Please select DB type to modify (required) 1

Consider double quoted strings literals?
 (y/n)? n
The parameter has been changed.
Please restart the inspection core for this change to take effect:
restart inspection-core
ok

Show command

show snif_double_quote_literal

Example of show command
> show snif_double_quote_literal
Database types in which snif considers double quoted strings as literals

Mysql:    No  (default Yes)
MemSql:   Yes (default Yes)
MsSql:    Yes (default Yes)
Sybase:   Yes (default Yes)
Informix: No  (default No)
ok

store snif_logger_destination_type

Use this command to control the sniffer logger destination for Guardium Big Data Intelligence (GBDI) data streaming.

Syntax
store snif_logger_destination_type [LOCAL | REMOTE]
  • LOCAL (default) sets the logger destination to the local database on the Guardium collector.
  • REMOTE sets the logger destination to the intermediate database used by GBDI.

For more information, see Big Data Intelligence with data streaming.

store snif_mask_sql_value

Use this command to mask SQL values that are logged when a SQL exception occurs.
Note: If the SQL string contains a syntax error, only literals (that is, values enclosed in single quotation marks) are masked in the GDM_EXCEPTION table. For example, if the SQL string contains a syntax error, then the following masking rules apply:

'literal123' is a literal, as shown by the single quotation marks, and is masked.

identifier123 is an identifier, and displays in the table in clear text.

Syntax

store snif_mask_sql_value on|off

Show command

show snif_mask_sql_value
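
The masking rule in the note above, and the per-database choice made by store snif_double_quote_literal, are illustrated by the following added Python example (not Guardium code): single-quoted literals are always replaced by a question mark, double-quoted strings only for database types where they count as literals, and identifiers stay in clear text. The per-database defaults are copied from the show snif_double_quote_literal output on this page and the sample statement is constructed; the treatment of escape sequences is an assumption about the sniffer's behaviour.

```python
from __future__ import annotations

MASK = "?"  # the sniffer's mask character, as the page describes

# Assumed per-database defaults, copied from the show snif_double_quote_literal output above.
DOUBLE_QUOTE_IS_LITERAL = {
    "MySql": True, "MemSql": True, "MsSql": True, "Sybase": True, "Informix": False,
}


def mask_sql(sql: str, db_type: str, mask_values: bool = True) -> str:
    """Return sql with quoted literals replaced by MASK and identifiers untouched.

    mask_values plays the role of snif_mask_sql_value; db_type selects whether
    double-quoted strings count as literals (snif_double_quote_literal). Inside a
    string, a doubled quote ('' or "") and a backslash escape are skipped so that
    they do not end the literal early. An unterminated literal (a syntax error)
    is masked to the end of the statement rather than leaked."""
    if not mask_values:
        return sql
    dq_is_literal = DOUBLE_QUOTE_IS_LITERAL.get(db_type, True)
    out: list[str] = []
    i, n = 0, len(sql)
    while i < n:
        ch = sql[i]
        if ch == "'" or (ch == '"' and dq_is_literal):
            j = i + 1
            while j < n:
                if sql[j] == "\\":           # backslash escape: skip the escaped character
                    j += 2
                    continue
                if sql[j] == ch:
                    if j + 1 < n and sql[j + 1] == ch:  # doubled quote inside the literal
                        j += 2
                        continue
                    break                    # genuine closing quote
                j += 1
            out.append(MASK)
            i = j + 1                        # past the closing quote (or past the end)
        else:
            out.append(ch)
            i += 1
    return "".join(out)


# Constructed statement with a double-quoted string, a literal and an identifier.
SAMPLE = "SELECT \"col\" FROM t WHERE name = 'literal123' AND ref = identifier123"

if __name__ == "__main__":
    for db in DOUBLE_QUOTE_IS_LITERAL:
        print(f"{db:9} {mask_sql(SAMPLE, db)}")
```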

store snif_db2z_alert_use_client_ip_for_host_name

For Db2 z/OS systems only, use this command to enable using the client IP address as the host name for Alert messages. When enabled, the %%clientHostName variable displays the host IP address.

Syntax

store snif_db2z_alert_use_client_ip_for_host_name [on|off]
Note: For this command to take effect, you must also restart the inspection engine by calling the restart inspection-engine command.

Show command

show snif_db2z_alert_use_client_ip_for_host_name

store snif_max_db2z_bind_variable_value_size

For Db2 z/OS systems only, use this command to control the length, in KB, of bind variable values. The default length is 2 KB (2047 characters). The maximum length is 4096 KB.

Syntax

store snif_max_db2z_bind_variable_value_size <n>

Where <n> is a number between 2 and 4096, which is the maximum length of the bind variable values in KB.

Show command

show snif_max_db2z_bind_variable_value_size

store snif_use_feed_analyzer_thread

When Guardium processes S-TAPs on multiple ports, you can encounter issues in which multiple S-TAPs use the same queue and buffer. Specifically, if your site uses ports 16016 or 16018 (for UNIX S-TAPs) and ports 16022 (feed protocol) or 16023 (encrypted S-TAP TLS), the S-TAPs default to a shared queue, which can lead to unexpected issues.

The store snif_use_feed_analyzer_thread command allows you to have the sniffer use a separate internal queue for these S-TAPs.

The default for store snif_use_feed_analyzer_thread is OFF. If you expect traffic on both sets of ports (that is, 16016 or 16018 and 16021 or 16022), set store snif_use_feed_analyzer_thread to ON before the S-TAPs start.

In addition, if the sniffer detects traffic from both sets of ports, it sets the parameter to ON, causing the sniffer to use separate queues after the next restart.

Syntax
store snif_use_feed_analyzer_thread [ON | OFF ]
Note: For this command to take effect, you must also restart the inspection engine by calling the restart inspection-engine command.

Show command

show snif_use_feed_analyzer_thread

store ssl_ciphers

Use this command to specify the ciphers used by the Guardium sniffer for your operating system.

Syntax

store ssl_ciphers [custom]

For store ssl_ciphers without the custom option, Guardium returns a list of ciphers. Specify the number of the cipher (or ciphers) to use. Use a comma to separate multiple cipher numbers.

Enter q to quit without making changes.

For store ssl_ciphers [custom], you can enter a comma-separated list of ciphers to add.

Important: It is your responsibility to ensure that the ciphers are of acceptable strength and that a common cipher exists between these ciphers and the ciphers that are used by the S-TAPs.

These changes take effect only after the inspection core is restarted. Use restart inspection-core to restart it.

For example:

store ssl_ciphers custom

>You have chosen to configure custom ciphers for the sniffer.
it is your responsibility to ensure that the ciphers are of 
acceptable strength and that a common cipher exists between 
these ciphers and the ciphers used by the STAPs.

Do you want to continue? [Yes/n] yes

The current list of configured ciphers is:

    AES256-SHA,AES128-SHA

Please enter a comma separated ciphers that you wish to use
Hit enter to exit: AES256-SHA256,AES256-SHA,AES128-SHA,DHE-RSA-AES256-SHA256

SSL Ciphers set to AES256-SHA256,AES256-SHA,AES128-SHA,DHE-RSA-AES256-SHA256

These changes will only take effect after the inspection core is restarted ('restart inspection-core')

ok

Delete command

delete ssl_ciphers

Guardium returns a list of current ciphers. Specify the number of the cipher to delete.

Show command

show ssl_ciphers

For more information about supported ciphers, see Cipher suites.
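The Important note above places the burden of cipher strength, and of having a cipher in common with the S-TAPs, on the administrator. The following added example (not Guardium code) checks a candidate list before you commit it with store ssl_ciphers custom: it parses both comma-separated lists, reports the overlap, and flags entries that use a SHA-1 MAC or a legacy algorithm. The sniffer list is the one from the transcript above; the S-TAP list and the strength heuristics are assumptions for illustration, not a statement of which ciphers Guardium or a given S-TAP version accepts.

```python
"""Sanity-check a sniffer cipher list against the S-TAP cipher list.

Added example, not Guardium code. Cipher names are OpenSSL-style suite
names (as in the store ssl_ciphers transcript). The S-TAP list and the
strength heuristics below are assumptions for illustration.
"""
from __future__ import annotations

# Sniffer list as entered in the page's transcript.
SNIFFER_CIPHERS = "AES256-SHA256,AES256-SHA,AES128-SHA,DHE-RSA-AES256-SHA256"

# Constructed sample of what an S-TAP might offer (assumption, not a real
# S-TAP configuration).
STAP_CIPHERS = "ECDHE-RSA-AES256-GCM-SHA384,DHE-RSA-AES256-SHA256,AES128-SHA"

# Substrings that mark a suite as legacy under common hardening guidance.
LEGACY_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5", "ANON")


def parse_cipher_list(text: str) -> list[str]:
    """Split a comma-separated cipher string; keep order (OpenSSL prefers
    earlier entries) and drop blanks and duplicates."""
    seen, result = set(), []
    for item in text.split(","):
        name = item.strip()
        if name and name not in seen:
            seen.add(name)
            result.append(name)
    return result


def classify(cipher: str) -> dict:
    """Heuristic attributes of one OpenSSL-style suite name."""
    up = cipher.upper()
    return {
        "forward_secrecy": up.startswith(("DHE-", "ECDHE-")),
        "aead": any(m in up for m in ("GCM", "CCM", "CHACHA20")),
        # A bare "-SHA" suffix means HMAC-SHA1; "-SHA256"/"-SHA384" do not.
        "sha1_mac": up.endswith("-SHA"),
        "legacy": any(m in up for m in LEGACY_MARKERS),
    }


def check_cipher_lists(sniffer: str, stap: str) -> dict:
    """Report the suites both sides share and flag weak sniffer-side entries."""
    sniffer_list = parse_cipher_list(sniffer)
    stap_set = set(parse_cipher_list(stap))
    common = [c for c in sniffer_list if c in stap_set]
    attrs = {c: classify(c) for c in sniffer_list}
    weak = [c for c in sniffer_list if attrs[c]["legacy"] or attrs[c]["sha1_mac"]]
    preferred = [c for c in common
                 if attrs[c]["forward_secrecy"] and not attrs[c]["sha1_mac"]]
    return {
        "common": common,                    # at least one is needed for S-TAP TLS to connect
        "weak_in_sniffer_list": weak,        # review these before committing
        "common_with_forward_secrecy": preferred,
        "ok": bool(common),
    }


if __name__ == "__main__":
    for key, value in check_cipher_lists(SNIFFER_CIPHERS, STAP_CIPHERS).items():
        print(f"{key}: {value}")
```

With the transcript's list and the constructed S-TAP list, the two sides share AES128-SHA and DHE-RSA-AES256-SHA256; only the latter offers forward secrecy, and both of the bare "-SHA" suites are flagged for review. An empty "common" list means the S-TAPs would fail to negotiate TLS after restart inspection-core.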

store stap approval

Use this command to block unauthorized S-TAPs from connecting to the Guardium appliance.

If ON, S-TAPs cannot connect until they are specifically approved.

If an unapproved S-TAP connects, it is immediately disconnected, and stays disconnected until the IP address of that S-TAP is specifically authorized.

A pre-defined report for approved clients, Approved TAP clients, is available on the Daily Monitor tab.

Note:

A valid IP address is required, not the host name.

The store stap approval command does not work in an environment with an IP load balancer.

In a central manager environment, after you add the IPs of approved S-TAPs, synchronization can take up to an hour. After synchronization is complete, the approved S-TAP status appears green in the GUI.

Syntax

store stap approval ON | OFF

Show command

show stap approval

GuardAPI command

grdapi store_stap_approval

The new configuration takes effect after running the CLI command, restart inspection-core.

store stap certificate

Stores a certificate from the S-TAP host (usually a database server), on the IBM Guardium appliance. This command functions exactly like the store certificate console command, described later.

Syntax

store stap certificate

You will be prompted as follows:

Please paste your new server certificate, in PEM format.

Include the BEGIN and END lines, then press CTRL-D.

If you have not done so already, copy the server certificate to your clipboard. Paste the PEM-format certificate at the command line, then press CTRL-D. You will be informed of the success or failure of the store operation.

When you are done, use the restart gui command to restart the IBM Guardium GUI.
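Because the prompt reads everything up to CTRL-D, a truncated paste or a file with the wrong framing is only reported after the fact. The following added example (not Guardium code) checks a PEM file before you paste it: it verifies the BEGIN and END lines, that exactly one certificate block is present, that the body is valid base64, and that the decoded bytes form one complete DER SEQUENCE whose declared length matches what was pasted. The sample body is a constructed placeholder, not a real certificate, and the check does not validate the chain, signature or validity dates.

```python
"""Pre-check a PEM certificate before pasting it at the
`store stap certificate` prompt (BEGIN line, body, END line, then CTRL-D).

Added example, not Guardium code. It checks framing and DER structure
only; it does not validate the chain, signature or validity dates.
"""
import base64
import binascii

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

# Constructed placeholder: a 5-byte DER SEQUENCE (30 03 02 01 05), not a
# real certificate. A real certificate body is thousands of characters.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MAMCAQU=\n"
    "-----END CERTIFICATE-----\n"
)


def der_sequence_length_ok(der: bytes) -> bool:
    """True if `der` is one complete DER SEQUENCE: tag 0x30 followed by a
    length (short or long form) equal to the remaining byte count.
    A paste cut off before the END line typically fails here."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                         # short form: one length byte
        declared, header = first, 2
    else:                                    # long form: 0x8N then N length bytes
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        declared = int.from_bytes(der[2:2 + n], "big")
        header = 2 + n
    return declared == len(der) - header


def check_pem_certificate(text: str) -> dict:
    """Return {'ok', 'problems', 'der_length'} for a pasted PEM block."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    problems = []
    if not lines or lines[0] != BEGIN:
        problems.append("missing BEGIN CERTIFICATE line")
    if not lines or lines[-1] != END:
        problems.append("missing END CERTIFICATE line")
    if lines.count(BEGIN) > 1 or lines.count(END) > 1:
        problems.append("more than one certificate block; paste one at a time")
    body = "".join(ln for ln in lines if ln not in (BEGIN, END))
    der = b""
    try:
        der = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        problems.append("body is not valid base64 (truncated or corrupted paste?)")
    if der and not der_sequence_length_ok(der):
        problems.append("decoded body is not one complete DER SEQUENCE")
    if not der and not problems:
        problems.append("empty certificate body")
    return {"ok": not problems, "problems": problems, "der_length": len(der)}


if __name__ == "__main__":
    print(check_pem_certificate(SAMPLE_PEM))
```

Run it on the exported certificate file (for example by reading the file into check_pem_certificate) before opening the CLI prompt; a clean report means the paste at least has the framing the prompt expects and was not cut short.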

store stap network_latency

S-TAP verification is a feature by which customers can verify whether an S-TAP is monitoring database traffic. The verification feature is affected by the customer's network traffic and latency. Because latency differs between customers, this command lets you list and change the default value that the verification feature uses.

Syntax

store stap network_latency

USAGE: store stap network_latency <N>

where N is a number of seconds greater than 0.

The default value is 5 seconds.

Higher values make the S-TAP verification process slower.

Show command

show stap network_latency

store storage-system

Adds or deletes a storage system type for archiving or system backup.

Syntax

store storage-system <NETWORK | Amazon_S3 | Centera  | IBMCloud | IBMCOS  | TSM>   <backup | archive> <on | off>

Show command

show storage-system
Restriction: External storage on IBM COS is not supported for IPv6.

Example

Assume you are currently using Centera for system backups but want to switch to a TSM system. You must turn off the Centera backup option (unless you want to keep it as another option) and turn on the TSM backup option. The commands to do this are highlighted in the example. The show commands are not necessary, but are included for illustration only.

CLI> show storage-system
show storage-system
NETWORK :
CENTERA :
TSM     :
SCP     : archiving and backing-up
SFTP (formerly FTP)     : archiving and backing-up
AMAZON S3       : archiving and backing-up
IBMCloud       : archiving and backing-up
IBM COS (formerly Cleversafe)      : archiving and backing-up

store support state

Enables (on) or disables (off) the sending of email alerts to the support email address, which can be configured using the forward support email command. By default, the support state is enabled (on), and the default support email address is support@guardium.com.

Syntax

store support state <on | off>

Show command

show support state

store tang server

Sets up the initial connection between the clevis client on a machine and a remote tang server.

You can enter the IP addresses of one or more tang servers. The IP address that is entered first is the primary server; the rest are backup servers. To change the order of the tang servers, clear the keys with the CLI command reset luks keys and then re-enter the tang server addresses by running the store tang server command.

Syntax

store tang server

Show command

show tang server

Shows the most recent tang server to which the Guardium system is connected. The command also displays the backup servers, if any.

store throttle

This CLI command stores the throttle parameters. After entering this command, you must issue the CLI command restart inspection-core for the changes to take effect.

This command is used to filter out (ignore) large packets. Throttling has two modes:
  • Thresholds, per session: ignore a session when a long enough burst (duration configurable) of large packets (size configurable) is identified, and stop ignoring the session when traffic goes under a certain threshold (also configurable).
  • Overall: ignore all packets larger than a certain size (configurable) in all sessions. This throttling mode completely ignores long and excessive non-database packets smaller than a predefined size (useful for VNC clients and other types of white-noise traffic).

Use throttling for network traffic that arrives through a SPAN port or hardware TAP. For S-TAP traffic, it applies only to network TCP traffic picked up by PCAP. See also the CLI command, store s2c.

Syntax

store throttle [default | size <s> interval <i> trigger <t> release <r>]

USAGE:   store throttle size S interval I trigger T release R

         where 0<=S<=2^17 (bytes), 1<=I,T,R,<=2^31 (seconds)

         OR store throttle default

Show command

show throttle
Throttle parameters:
Packet size:   228000
Time interval: 604800
Trigger level: 10000000
Release level: 10000000

Parameters

  • default - Enter the keyword default to restore the system defaults (no other parameters are used). The default throttling parameters never throttle.
  • s - The packet size in bytes, up to a maximum of 2^17 (131072).

    The remaining parameters are in seconds, up to a maximum of 2^31 (2147483648):

  • i - The time interval
  • t - The trigger level
  • r - The release level
Note: To restore the throttle defaults, use the CLI command, store throttle default.

store timeout

Sets the timeout value of a CLI session and/or file server session. The default value is 600 seconds. A timeout also closes the CLI session.

If the file server is stopped because of a timeout, the following message appears: Warning : Fileserver stopped because of timeout. The file upload may not be complete. Stopping the process.

Use show timeout db_connection to show the socketTimeout value in the conf file, and store timeout db_connection to set it. The value must be greater than 0; the default value is 25000 seconds. These CLI commands are used to manage the communication between the central manager and the managed unit when DNS is not configured.

Syntax

store timeout cli_session <n>
store timeout fileserver_session <n>
store timeout db_connection <n>

Show command

show timeout cli_session 600
show timeout fileserver_session 600
show timeout db_connection 25000

store timeout classifier

Sets the number of seconds (0 - 9999) to run classifier queries.

Syntax

store timeout classifier <count_query n | sample_query n>

Where:
  • count_query n - The number of seconds (n) to run a query that determines how many rows are in a particular table.
  • sample_query n - The number of seconds (n) to run a query that creates a sample set on which to run the classifier rules. The classifier determines if the table has sensitive data as defined by the rule.

Show syntax

show timeout classifier <count_query | sample_query>

store transfer-method

Sets the file transfer method. Specify FTP to use the SFTP protocol.

Syntax

store transfer-method <FTP | SCP>

Show command

show transfer-method
Note: Files sent from one IBM Guardium appliance to another (from a collector to an aggregator, for example) are always sent using SCP.

store uid_chain_polling_interval

Set the interval for UID Chain polling with this CLI command. UID chain is a mechanism that allows S-TAP (by way of K-TAP) to track the chain of users that preceded a database connection.

Set the interval to 0 to turn off the UID Chain processing, in order to improve database performance. If the UID Chain processing is turned off, then calculating the UID Chain and updating children sessions are skipped.

Note: When using any database, the UID chain is not logged for all sessions if the session is very short.

Syntax

store uid_chain_polling_interval <n>

Where n is the time in minutes (>= 1 minute; default is 2 minutes). Set n = 0 to turn off UID Chain processing.

Show command

show uid_chain_polling_interval

store upd_session_end

This CLI command adds an option to skip the update for the session_end time using Session Inference. For more information, see Session Inference.

Syntax

store upd_session_end <on | off>

Show command

show upd_session_end
Note: Changes only take effect after the GUI is restarted.

store unit type

Use this CLI command to set unit type attributes for the Guardium appliance. See Table 2 for a description of all unit type attributes you can display with this command.

Syntax

store unit type [manager | standalone] [netinsp] [stap] [mainframe] [sink]

Use store unit type sink to switch collected DRDA traffic timestamp granularity from 1 millisecond to 1 microsecond.

Show command

show unit type
The following table describes the Guardium system unit type attributes that you can display with the show unit type command. Except where noted, you can set these attributes using the store unit type command, and clear them using the delete unit type command.
Table 2. Unit type attributes. The unit types that you can see with the show unit type command.

Attribute             Description
mainframe             The unit is a mainframe (z/OS®) network inspection appliance.
manager               Central manager functions are enabled for this unit.
netinsp               Inspection of network traffic is enabled.
network route static  Removes one line off the static routing table.
standalone            Local management (independent of a central manager).
stap                  The unit can receive data from and manage S-TAP and CAS agents.

Note: You can set the aggregator attribute only when you install Guardium software, and you can only modify it by re-installing the Guardium software.

store va max_detail

This CLI command sets the maximum number of detail records kept when running query-based security assessment tests.

Syntax

store va max_detail [on <num> | off]

Where:
  • on <num> enables the limit with the given value.
  • <num> is a number between 10 and 2147483647. The default value is 20000.
  • off disables this functionality.

Show command

show va max_detail

traceroute

This command is a diagnostic tool that traces the route that packets take across an IP network.

Syntax

traceroute <host> <max hops> <wait time>

  • host: A valid IP address or host name.
  • max hops: The maximum number of hops (default is 30).
  • wait time: The time in seconds to wait for a response to a probe (default is 5).

unregister management

The unregister command restores the configuration that was saved when the appliance was registered for central management.

Syntax

unregister management
Note:
  • This command is intended for emergency use only, when the central manager is not available.
  • After unregistering using this command, you should also unregister from the central manager (from the Administration Console), since that is the only way the count of managed units will be reduced. The count of managed units is authorized by the product key.