Database discovered instances rules

Use the Database Discovered Instances Rules UI from a central manager to determine how to manage inspection engines for discovered databases.

Before you begin

Before you configure the Database Discovered Instances Rules in the GUI, you need to enable inspection engine creation by using the modify_guard_param API command from the CLI. To enable creating inspection engines, call the following API:
grdapi modify_guard_param paramName=IE_CREATION paramValue=1

For more information, see the modify_guard_param API command.

Configuring the database discovered instance rules

Guardium® can be configured to discover databases that are created on both Windows and UNIX systems. In many cases, you might want Guardium to create and run inspection engines on all newly discovered databases. However, there are scenarios in which you want to control when and how Guardium creates new inspection engines. In these cases, Database Discovered Instances Rules provides a way to manage inspection engine creation. You can configure discovered instances rules from a central manager in a managed environment or on a stand-alone system.

From a central manager, select Database Discovered Instances Rules from Discover > Database Discovery.

From the GUI, you can take the following actions:
  • Click Enable to start automatically creating inspection engines.
  • To generate a report of the discovered instances rules without creating inspection engines, select the Report results of discovered instances rules (don't create inspection engines) checkbox. You can use this report to:
    • Determine the impact of your changes before you create new inspection engines.
    • Report on changes to your existing database configurations (such as unexpected changes to port ranges or [for UNIX] DB installation directory).
  • Select whether you want to manage inspection engines for a Windows or UNIX environment.
  • Choose whether to create inspection engines for all discovered databases, or to specify rules that determine when an inspection engine is created.
If you select Specify rules to create inspection engines, then you can specify rules for your site.
Note: By default, if parameters for an existing inspection engine are a 100% match with an inspection engine that matches a newly discovered database, Guardium does not create a new inspection engine.

Creating inspection engines use cases

Table 1. Inspection engine use cases
| Rule | Existing inspection engine | Newly discovered instance | Use case |
|---|---|---|---|
| Filter | Ignore | Add or ignore, depending on filter criteria. | You want to detect only inspection engines that meet certain criteria, such as specified ports, protocols, or servers. Create a filter to prevent creating inspection engines that do not meet the criteria. |
| Exclude | Remove | Don't add inspection engine. | You have database instances that no longer need monitoring. Delete existing inspection engines that meet the rules, and do not add an inspection engine if it meets the specified rules. |
| Ignore | Keep | Don't add inspection engine. | You have inspection engines that you want to keep, regardless of whether they are discoverable (such as late mount configurations or a passive cluster). Preserve existing configurations that meet all of the specified rules. |
| Replace | Remove | Add | Update existing inspection engines to meet new criteria, such as upgrading to a new database version or changing the installation directory path. |
| Add | Keep | Add | Create an inspection engine whenever a new database is found in your environment and the newly discovered instance does not match any of the Filter, Exclude, Ignore, or Replace rules. |

Specifying inspection engine rules

The rules to create inspection engines fall into the following categories: Filter, Exclude, Ignore, Replace, and Add. The rules are hierarchical. That is, Guardium checks the Filter rule first; if it does not apply, then it checks the Exclude rule, and so on. If none of the rules applies, Guardium creates (adds) a new inspection engine.
Note: For all rules, click the Add rule icon to add an OR statement. Click the Add rule icon after the parameter to add an AND statement.
To define rules:
  1. Click Filter to open the Filter pane. Use Filter to specify ports, protocols, or servers to ignore (that is, to filter out those inspection engines from discovery).
    1. Click Add rule to add a filtering rule.
    2. Select a parameter from the parameter list and specify a value for that parameter.
    Note: For the Port range start and Port range end parameters, if you select the in or not in operators, separate multiple values with commas, and use a hyphen to specify an inclusive range of ports. For example: 1520-1530, 1621, 1622.
  2. Click Exclude to open the Exclude pane. Use Exclude to delete outdated inspection engines.
    1. Click Add rule to add an exclude rule.
    2. Select a parameter from the parameter list and specify a value for that parameter.
      Important: If any of the specified parameters match inspection engine parameters, Guardium deletes that inspection engine. Therefore, you need to be precise about which parameters you select.

      For example, if you specify only the Exclude rule DB version = 12, Guardium deletes the inspection engines on any database type with version 12 (such as Oracle 12c, Informix® v12.10, or Db2® v12).

  3. Click Ignore to open the Ignore pane. Use Ignore to determine whether an inspection engine exists that meets all of the match criteria. If an exact match is found, Guardium does not create a new inspection engine (that is, Guardium ignores the new database instance).
    Note: A built-in implicit Ignore rule checks new discovered database instances against all of the available criteria. When all criteria match, the Ignore rule is triggered. Therefore, in general, you do not need to configure this rule.
  4. Click Replace to open the Replace pane. Use Replace to update individual parameters in one or more inspection engines. Guardium provides suggested match criteria for Replace, but these are not required.

    For example, say that your site updates the database version and installation directory for a database. In this case, you want to update only the DB version and DB install dir parameters for the existing inspection engines. To do so, specify all of the parameters for the inspection engines to match against; that is, everything except DB version and DB install dir. Guardium compares all of the newly discovered databases (with the new database version and installation directory) against all of the inspection engines and updates the inspection engines that match the selected criteria. Since you did not specify the DB version and DB install dir, the corresponding inspection engines are updated with the new version and install directory parameters.

  5. Click Add to open the Add pane. If a newly discovered instance does not meet any of the previous criteria (for Exclude, Replace, or Ignore), Guardium creates a new inspection engine based on the discovered instance.
    Note: The Create inspection engines checkbox is selected by default. If you clear Create inspection engines, Guardium does not create inspection engines. In general, make sure that Create inspection engines is selected.
  6. When you are done, click Save to save your changes or Cancel to clear all of your changes and start over.

    At the Save configuration and overwrite previous settings message, click Save again to save your changes or Cancel to return to your current settings without saving.

    The next time Guardium looks for new database instances, the selected rules apply.
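
Before saving an Exclude rule, it helps to see which existing inspection engines it would match. The following Python sketch is an added example, not Guardium code: it models the port-list syntax and the DB version = 12 case from the steps above against a constructed inventory. The field names and the rule shape (OR-ed groups of AND-ed conditions) are assumptions.

```python
# Simplified model for previewing Exclude rules; not Guardium code.
# Field names and the engine inventory are constructed for illustration.

def parse_port_spec(spec):
    """Expand '1520-1530, 1621, 1622' to a set; a hyphen is an inclusive range."""
    ports = set()
    for part in (p.strip() for p in spec.split(",")):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 0 < lo <= hi <= 65535:
            raise ValueError(f"bad port or range: {part!r}")
        ports.update(range(lo, hi + 1))
    return ports

def condition_matches(engine, field, op, value):
    actual = engine[field]
    if op == "=":
        return actual == value
    if op in ("in", "not in"):
        return (actual in parse_port_spec(value)) == (op == "in")
    raise ValueError(f"unsupported operator: {op}")

def rule_matches(engine, rule):
    """Assumed shape: a rule is OR-ed groups, each group is AND-ed conditions."""
    return any(all(condition_matches(engine, *c) for c in group) for group in rule)

def exclude_preview(engines, rule):
    """Names of existing inspection engines an Exclude rule would delete."""
    return [e["name"] for e in engines if rule_matches(e, rule)]

ENGINES = [  # constructed inventory
    {"name": "ora12_prod", "db_type": "Oracle", "db_version": "12", "port_start": 1521},
    {"name": "ifx12_hr", "db_type": "Informix", "db_version": "12", "port_start": 9088},
    {"name": "db2_12_fin", "db_type": "Db2", "db_version": "12", "port_start": 50000},
    {"name": "ora19_dev", "db_type": "Oracle", "db_version": "19", "port_start": 1522},
]
BROAD = [[("db_version", "=", "12")]]
NARROW = [[("db_type", "=", "Oracle"), ("db_version", "=", "12"),
           ("port_start", "in", "1520-1530, 1621, 1622")]]

if __name__ == "__main__":
    print("broad :", exclude_preview(ENGINES, BROAD))
    print("narrow:", exclude_preview(ENGINES, NARROW))
```

The broad rule matches every version 12 engine regardless of database type, while adding the database type and port conditions narrows the match to the single intended engine.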

What to do next

After you configure the Database Discovered Instances Rules, you can discover database instances from Manage > Activity Monitoring > S-TAP Control > Send command to open the S-TAP Commands window.

To run database instance discovery, select Run Database Instance Discovery from the list and then make sure that Replace Inspection Engines is not selected. When you click Apply, database instance discovery runs. For more information, see Linux-UNIX: Discover database instances or Windows: Discover database instances.

Details of the filter rule application results are available in the Discovered Instances Rules Results report.

You can also add or configure reports and alerts that trigger when an inspection engine changes. For more information, see Adding reports and alerts for inspection engine changes.

Tip: If you encounter an exception when you run the grdapi apply_rules_on_discoveredinstances API, make sure that the managed unit is the primary host for the S-TAP. Exceptions can occur when the S-TAP points to multiple appliances and the current managed unit is not set as the primary host.

Creating inspection engines from the API

Use the following APIs to manage inspection engine creation: