Database discovered instances rules
Use the Database Discovered Instances Rules UI from a central manager to determine how to manage inspection engines for discovered databases.
Before you begin
grdapi modify_guard_param paramName=IE_CREATION paramValue=1
For more information, see the modify_guard_param API command.
Configuring the database discovered instance rules
Guardium® can be configured to discover databases that are created on both Windows and UNIX systems. In many cases, you might want Guardium to create and run inspection engines on all newly discovered databases. However, there are scenarios in which you want to control when and how Guardium creates new inspection engines. In these cases, Database Discovered Instances Rules provides a way to manage inspection engine creation. You can configure discovered instances rules from a central manager in a managed environment or on a stand-alone system.
From a central manager, select Database Discovered Instances Rules from .
- Click Enable to start automatically creating inspection engines.
- To generate a report of the discovered instances rules without creating inspection engines, select the Report results of discovered instances rules (don't create inspection engines) checkbox. You can use this report to:
- Determine the impact of your changes before you create new inspection engines.
- Report on changes to your existing database configurations (such as unexpected changes to port ranges or [for UNIX] DB installation directory).
- Select whether you want to manage inspection engines for a Windows or UNIX environment.
- Choose whether to create inspection engines for all discovered databases, or to specify rules that determine when an inspection engine is created.
Creating inspection engines use cases
Rule | Existing inspection engine | Newly discovered instance | Use case |
---|---|---|---|
Filter | Ignore | Add or ignore, depending on filter criteria. | You want to detect only inspection engines that meet certain criteria, such as specified ports, protocols, or servers. Create a filter to prevent creating inspection engines that do not meet the criteria. |
Exclude | Remove | Don't add inspection engine. | You have database instances that no longer need monitoring. Delete existing inspection engines that meet the rules, and do not add an inspection engine if it meets the specified rules. |
Ignore | Keep | Don't add inspection engine. | You have inspection engines that you want to keep, regardless of whether they are discoverable (such as late mount configurations or a passive cluster). Preserve existing configurations that meet all of the specified rules. |
Replace | Remove | Add | Update existing inspection engines to meet new criteria, such as upgrading to a new database version or changing the installation directory path. |
Add | Keep | Add | Create an inspection engine whenever a new database is found in your environment and the newly discovered instance does not match any of the Filter, Exclude, Ignore, or Replace rules. |
Specifying inspection engine rules
- Click Filter to open the Filter pane. Use Filter to specify ports, protocols, or servers to ignore (that is, to filter out those inspection engines from discovery).
- Click Add rule to add a filtering rule.
- Select a parameter from the parameter list and specify a value for that parameter.
Note: For the Port range start and Port range end parameters, if you select the in or not in operators, separate multiple values with commas, and use a hyphen to specify an inclusive range of ports. For example: 1520-1530, 1621, 1622.
- Click Exclude to open the Exclude pane. Use Exclude to delete outdated inspection engines.
- Click Add rule to add an exclude rule.
- Select a parameter from the parameter list and specify a value for that parameter.
Important: If any of the specified parameters match inspection engine parameters, Guardium deletes that inspection engine. Therefore, you need to be precise about which parameters you select.
For example, if you specify only the Exclude rule DB version = 12, Guardium deletes the inspection engines on any database type with version 12 (such as Oracle 12c, Informix® v12.10, or Db2® v12).
- Click Ignore to open the Ignore pane. Use Ignore to determine whether an inspection engine exists that meets all of the match criteria. If an exact match is found, Guardium does not create a new inspection engine (that is, Guardium ignores the new database instance).
Note: A built-in implicit Ignore rule checks new discovered database instances against all of the available criteria. When all criteria match, the Ignore rule is triggered. Therefore, in general, you do not need to configure this rule.
- Click Replace to open the Replace pane. Use Replace to update individual parameters in one or more inspection engines. Guardium provides suggested match criteria for Replace, but these are not required.
For example, say that your site updates the database version and installation directory for a database. In this case, you want to update only the DB version and DB install dir parameters for the existing inspection engines. To do so, specify all of the parameters for the inspection engines to match against; that is, everything except DB version and DB install dir. Guardium compares all of the newly discovered databases (with the new database version and installation directory) against all of the inspection engines and updates the inspection engines that match the selected criteria. Since you did not specify the DB version and DB install dir, the corresponding inspection engines are updated with the new version and install directory parameters.
- Click Add to open the Add pane. If a newly discovered instance does not meet any of the previous criteria (for Exclude, Replace, or Ignore), Guardium creates a new inspection engine based on the discovered instance.
Note: The Create inspection engines checkbox is selected by default. If you clear Create inspection engines, Guardium does not create inspection engines. In general, make sure that Create inspection engines is selected.
- When you are done, click Save to save your changes or Cancel to clear all of your changes and start over.
At the Save configuration and overwrite previous settings message, click Save again to save your changes or Cancel to return to your current settings without saving.
The next time Guardium looks for new database instances, the selected rules apply.
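The Exclude warning above (a rule such as DB version = 12 removing engines across database types) can be estimated offline before a rule is saved. The following is an added example, not IBM code or part of the original page; the CSV columns, host names and helper names are constructed for illustration. `combine=any` follows the page's wording "if any of the specified parameters match", and `combine=all` shows the stricter reading for comparison.

```python
import csv
import io

# Constructed inventory; column names and hosts are assumptions for this example.
INVENTORY_CSV = """host,db_type,db_version,port_start,port_end
dbprod01,Oracle,12,1521,1521
dbprod02,Informix,12,9088,9088
dbprod03,Db2,12,50000,50000
dbprod04,Oracle,19,1521,1521
dbtest01,Oracle,12,1530,1530
"""


def load_inventory(text):
    """Parse the inventory CSV into a list of dict rows (all values are strings)."""
    return list(csv.DictReader(io.StringIO(text)))


def excluded_by(rule, engines, combine=any):
    """Return the engines a proposed Exclude rule would flag for deletion.

    rule maps a parameter name to the value it must equal. combine=any flags an
    engine when at least one parameter matches; combine=all requires every one.
    An empty rule flags nothing (guards against all([]) being True).
    """
    if not rule:
        return []
    return [e for e in engines
            if combine(e.get(param) == value for param, value in rule.items())]


def blast_radius(rule, engines, combine=any):
    """Group flagged hosts by database type so unintended types stand out."""
    summary = {}
    for engine in excluded_by(rule, engines, combine):
        summary.setdefault(engine["db_type"], []).append(engine["host"])
    return summary


if __name__ == "__main__":
    engines = load_inventory(INVENTORY_CSV)
    for rule in ({"db_version": "12"}, {"db_type": "Oracle", "db_version": "12"}):
        for combine in (any, all):
            print(rule, combine.__name__, blast_radius(rule, engines, combine))
```

Compare the output against the Report results of discovered instances rules (don't create inspection engines) report, which reflects Guardium's actual matching.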
What to do next
After you configure the Database Discovered Instances Rules, you can discover database instances from to open the S-TAP Commands window.
To run database instance discovery, select Run Database Instance Discovery from the list and then make sure that Replace Inspection Engines is not selected. When you click Apply, database instance discovery runs. For more information, see Linux-UNIX: Discover database instances or Windows: Discover database instances.
Details of the filter rule application results are available in the Discovered Instances Rules Results report.
You can also add or configure reports and alerts that trigger when an inspection engine changes. For more information, see Adding reports and alerts for inspection engine changes.
Creating inspection engines from the API
- apply_rules_on_discoveredinstances
- IE_CREATION, as described under Inspection engine parameter in modify_guard_param.