diag CLI command
Use the diag CLI command to access troubleshooting and maintenance utilities through the SQLGuard Diagnostics interface.
Use the diag command only as directed by Technical Support.
There are no functions that you would perform with this command on a regular basis. Each main menu entry is described in a separate topic.
- Aggregator Fix Schema – brings all imported tables that have older schema than that of the aggregator to the schema of the latest patch level of the aggregator (runs in the background and may take several hours to complete). Note: There may be scenarios in which (a) the aggregator will not have the latest patch level or (b) some of the imported tables are of the latest patch level—resulting in not all imported tables having the latest patch level.
- Aggregator Maintenance – full analysis and recovery of the Aggregator. This utility collects AGG-related logs and places them in the diag export folder, calls Aggregator Fix Schema to sync the schema of all databases, cleans the AGG workspace, and restarts the merge process to ensure full analysis of all imported tables (runs in the background and may take several hours to complete).
- Clean Static Orphans on an Aggregator – Use this option only as directed by Technical Support, and only when static tables have grown too large and need to be cleaned. This utility removes old construct records that are no longer in use.
Opening the Diagnostics Main Menu
Use the diag command to open the SQLGuard Diagnostics menu as follows:
- At the command line prompt, log into the Guardium® appliance with CLI. Note: To use the CLI, the Guardium user must have a CLI or admin role; otherwise CLI does not start. Use accessmgr to assign CLI and admin roles. The only user who has the CLI role by default is admin. A user with a CLI or admin role can enter the diag command, use the unlock admin and unlock accessmgr CLI commands, and use the export audit-data CLI command without restrictions. A user with the CLI role does not have to enter the user name and password required for a GUI login and does not go through any further role check.
In addition, as a Guardium user, you must have the diag role on the Guardium system to use the diag command. By default, only admin has this role. Access to diag is granted solely on the basis of this role assignment (access is permitted only if the user has the diag role). The accessmgr assigns diag roles.
- After starting CLI, enter the diag command (with no arguments) at the command line prompt to open the SQLGuard Diagnostics window.
- Do one of the following to move the option selection cursor:
- Type the desired entry number (the selection cursor moves to the selected entry).
- Use the Up or Down arrow key to select an entry.
- Click the Spacebar, the Left arrow key, or the Right arrow key to move the command selection cursor in the display.
- Perform an action by selecting the appropriate option in the display area and then doing one of the following:
- Select the appropriate command with the command selection cursor, then click Enter.
- Click on the appropriate action command.
About the diag Output
The diag command writes its output to two directories:
- .../guard/diag/current
- .../guard/diag/depot
You can access the output through the fileserver CLI command. For more information, see fileserver.
Each directory is described in the following subsections.
.../guard/diag/current Directory
Most output from the diag commands is written in text format to the current directory. For most commands, this directory contains a separate output file. Each time you run the same command, output is appended to the single file for that command. For a smaller number of commands, a separate file is created for each execution, usually incorporating a date and time stamp in the filename.
We recommend that you “clean up” after each session, so that you are not looking at old information in subsequent sessions. When you pack files to a single compressed file for export, all of the files in the current directory are deleted. Alternatively, use the Delete recordings option from the Output Management menu to delete individual files.
The files in the current directory are easy to identify since the names are created from menu and command names. For example, after you use the File Summary command from the System Interactive Queries menu, a file named interactive_filesummary.txt is created in the current directory.
If you look at the current directory while in the process of using a command, you may see a hidden temporary file with the same name as the one that will contain the output for that command. The temporary file will be removed when the output is appended to the command output file.
.../guard/diag/depot Directory
When you pack the diag output files in the current directory to a compressed file (to send to Guardium Technical Support, for example), it is stored in the depot directory. The filename is in the format diag_session_<dd_mm_hhmm>.tgz, where the variable portion of the name indicates when the file was created. For example, a file created at 12:15 PM on May 20th would be named as follows: diag_session_20_5_1215.tgz.
After exporting files (see the Export recorded files topic), you can remove them from the depot directory using the Delete recordings command of the Output Management menu.
1 Output Management
The Output Management commands control what is done with the output produced by the diag command. Each Output Management command is described separately.
1.1 End and pack current session
Use this command to pack all diagnostic files in the current directory into a single compressed file, and remove those files from the current directory. When you enter this command, there is no feedback to indicate that the command has completed. You can verify that the command has finished by displaying the contents of the depot directory. When the command completes, there is a file named in the following format: diag_session_<dd_mm_hhmm>.tgz, where the variable portion of the name is a date and time stamp, as described previously. Use the Export recorded files command of the Output Management menu to send the file to another system.
1.2 Delete recordings
Use this command to delete files in the depot or current directory. (To delete only the current session files, use the Delete current session files command.) When you enter this command, the depot directory structure displays:
You can navigate the directories using the Up and Down arrow keys and clicking Enter. For example, selecting ../ and clicking Enter moves the selection up one level in the directory structure.
You could then select the current directory and click Enter, to navigate down to that folder and delete individual command output files. Note that you can navigate to other directories, but you cannot delete files except from the current and depot directories.
When you have selected the file you want to delete, click Enter.
Caution: You will not be prompted to confirm the delete action.
1.3 Export recorded files
Use this command to send a file from the depot directory to another site. To export a file:
- Select Export recorded files from the Output Management menu. The depot directory displays.
- Select the file to be sent or use the ../ and ./ entries to navigate up or down in the directory structure. (However, keep in mind that you can only export files from the depot directory.)
- With the file to be transmitted selected, click Enter.
- You are prompted to select FTP or exit. Select FTP and click Enter.
- You are prompted to supply a host name. Enter the host name of the receiving system (or its IP address), and click Enter.
- You are prompted for a user name. Enter a user account name for the receiving system, and click Enter.
- You are prompted for a password. Enter the password for the user on the receiving system.
- You are prompted to identify a directory to receive the sent file on the receiving system. Enter the path relative to the ftp root of the directory to contain the file on the receiving system and click Enter.
- You are prompted to confirm the details of the transfer (the file to be sent and its destination). Click Enter to perform the transfer, or select Cancel and click Enter to start over.
- You are informed of the success (or failure) of the operation.
1.4 Delete current session files
Use this command to delete files created during the current session.
1.5 Exit
Use the Exit command to return to the main menu.
2 System Static Reports
Use the System Static Reports command of the Main Menu to produce an extensive set of reports.
- Select System Static Reports from the Main Menu. You are informed that the process is running.
- After the report has been created, it displays in the viewing area. Note that this report is lengthy and may be easier to view in a text editor after exporting it to a desktop computer.
Use the Up and Down arrow keys to scroll up or down in the report. When you are done viewing the report, click Enter to return to the Main Menu.
System Static Reports Overview
The following subtopics provide an outline of the major components of the System Static Reports output. The fragments of output shown are intended to illustrate the type and level of information contained in the report, rather than provide a detailed description of the actual contents (that is beyond the scope of this document).
System Configuration Information
The System Static Reports output describes the build version, the patches applied, the current system up time, and name server information:
Build version: 34e1eb12eb68ba76cb49028251c9a0d6 /opt/IBM/guardium/etc/cvstag
Patches:
2009/02/22 16:16:50: START Installation of 'Update 5.0'
2009/02/22 16:18:04: Installation Done - Successfully Installed
< lines deleted… >
Current uptime:
09:03:43 up 6 days, 17:34, 1 user, load average: 0.44, 0.50, 0.41
System nameservers:
192.168.3.20
DB nameservers:
192.168.3.20
Gateway: 192.168.3.1 (system) 192.168.3.1 (def)
Next, the file system information displays (shown partially):
Filesystem Size Used Avail Use% Mounted on
/dev/hdc3 2.0G 1.1G 813M 58% /
/dev/hdc1 97M 9.2M 83M 10% /boot
none 504M 0 504M 0% /dev/shm
/dev/hdc2 71G 1.2G 66G 2% /var
total: used: free: shared: buffers: cached:
Mem: 1055199232 1041711104 13488128 0 63275008 186220544
Swap: 536698880 295432192 241266688
MemTotal: 1030468 kB
MemFree: 13172 kB
< lines deleted… >
This is followed by information about the mail and SNMP servers configured:
SMTP server: 192.168.1.7 on port 25 : REACHABLE
SMTP user: undef
SMTP password: undef
SMTP auth: NONE
SNMP trapsink: undef UNREACHABLE
SNMP trap community: undef
SNMP read community: undef
The final section of the system configuration section describes the network configuration for the unit: IP address, host and domain names, etc:
ens32: 192.168.3.101 (system) 192.168.3.101 (def)
hostname: (system) g1 (def)
domain: (system) guardium.com (def)
mac address: 00:04:23:A7:77:F2 (MAC1) 00:04:23:A7:77:F2 (MAC2)
unit type: 548 Standalone STAP
Internal Database Information
The next major section of the System Static Reports output contains information about the internal database status and threads (only the first few threads are shown):
uptime 77097 seconds.
27 threads.
78545028 queries.
+------+------------+-----------------------------+---------+---------+------+-------+
| Id   | User       | Host                        | db      | Command | Time | State |
+------+------------+-----------------------------+---------+---------+------+-------+
| 1137 | enchantedg | localhost                   | TURBINE | Sleep   | 26   |       |
| 1257 | enchantedg | localhost.localdomain:33587 | TURBINE | Sleep   | 0    |       |
| 1258 | enchantedg | localhost.localdomain:60409 | TURBINE | Sleep   | 7716 |       |
| 1259 | enchantedg | localhost.localdomain:48233 | TURBINE | Sleep   | 322  |       |
< lines deleted… >
The list of threads is followed by an analysis of table status.
Web Servlet Container Information
The next several sections of the System Static Reports output contain information about the Web servlet container environment (Tomcat):
============================================================================
Currently defined Tomcat port is 8443.
The TOMCAT daemon is running and listening on port(s): 8005 8443.
Currently OPEN ports
java run by tomcat on port *:8443
< lines deleted… >
============================================================================
These are the nanny latest actions:
May 19 14:13:09 guard nanny:[5528]: Also checking tomcat.
May 19 14:13:09 guard nanny:[5528]: Going for my initial nap.
< lines deleted… >
This is the TOMCAT command line:
463 sh -c ps -o pid,cmd -e | grep Dcatalina.base
21917 grep Dcatalina.base.
Inspection Engine Information
The next major section of the System Static Reports output contains information about the inspection engine:
============================================================================
This is the SNIF (pid: 13036) command line: 13036 /opt/IBM/guardium/bin/snif.
This is the SNIF status:
Name: snif
State: R (running)
Tgid: 13036
< lines deleted… >
============================================================================
Current timestamp is 2009-05-20 11:56:41
This is the last timestamp at GDM_CONSTRUCT_INSTANCE: 2009-05-20 11:56:41
This is the last timestamp at GDM_EXCEPTION: 2009-05-20 11:56:41
This is the last timestamp at GDM_POLICY_VIOLATIONS_LOG: 2009-05-20 11:56:41
============================================================================
Snif buf usage at Fri May 20 11:56:44 2009:
100 204800 buffers out of 204800
126 connection used, 32642 unused, 0 dropped (sniffer), 9 ignored (analyzer)
0 bytes lost, 60 connections ended, 601752099 bytes sent, 579063 request sent
Dropped Packets: 0 buffer full, 0 too short , 451 ignored
time now is 1116604603
Analyzer/Parser buffers size: 6 (66533) 0 (62902)
ms-tsql-logger 0 (11331)
syb-tsql-logger 0 (70)
ora-tsql-logger 79 (67803)
db2-sql-logger 0 (20544)
< lines deleted… >
IP Tables Information
The next major section contains information about the IP tables:
===========================================================================
IPTABLES:
-------------
tcp -- 192.168.2.0/24 192.168.1.0/24 tcp spts:1521:60000 set 0x23
tcp -- 192.168.1.0/24 192.168.2.0/24 tcp dpts:1521:60000 set 0x22
< lines deleted… >
S-TAP Information
The next major section contains S-TAP® information:
============================================================================
STAP:
----
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:9500
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:9500
2696 148K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:16016
2835 175K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:16016
< lines deleted… >
IP Traffic Information
The next major section contains IP traffic information:
IP traffic statistics.
OUTPUT OF ens32
Fri May 20 11:57:04 2012; ******** Detailed interface statistics started ********
*** Detailed statistics for interface ens32, generated Fri May 20 11:58:04 2009
< lines deleted… >
OUTPUT OF ens192
Fri May 20 11:57:04 2012; ******** Detailed interface statistics started ********
*** Detailed statistics for interface ens192, generated Fri May 20 11:58:04 2009
Total: 82440 packets, 53892382 bytes
(incoming: 82440 packets, 53892382 bytes; outgoing: 0 packets, 0 bytes)
IP: 82440 packets, 52632747 bytes
(incoming: 82440 packets, 52632747 bytes; outgoing: 0 packets, 0 bytes)
< lines deleted… >
Information Engine STDERR and STDOUT Information
The next section contains the last messages output by the sniffer:
Snif STDERR:
< lines deleted… >
Snif STDOUT:
Fri_20-May-2009_04:04:35 : Guardium Engine Monitor starting
Fri_20-May-2009_04:14:37 : Guardium Engine Monitor starting
Fri_20-May-2009_04:24:38 : Guardium Engine Monitor starting
< lines deleted… >
Import Directory Information
The next section lists the import directory contents:
These are the contents of the importdir directory:
total 0
Aggregator Activity Information
This section lists aggregator activities (there are none in the example):
============================================================================
This is the aggregator last activities:
Audit Report
This section lists the following summary information (see example):
============================================================================
Range of time in logs: 01/14/10 13:12:26.348 - 01/18/10 12:48:01.073
Selected time for report: 01/14/10 13:12:26 - 01/18/10 12:48:01.073
Number of changes in configuration: 4 - changes to the audit configuration
Number of changes to accounts, groups, or roles: 0
Number of logins: 22 - logins into the machine - ssh and console
Number of failed logins: 114
Number of authentications: 22 - "su", etc.
Number of failed authentications: 5
Number of users: 2
Number of terminals: 18
Number of host names: 9
Number of executables: 7
Number of files: 0
Number of AVC's: 0
Number of MAC events: 0
Number of failed syscalls: 0
Number of anomaly events: 3
Number of responses to anomaly events: 0
Number of crypto events: 0
Number of keys: 0
Number of process IDs: 9173
Number of events: 98669
============================================================================
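The sniffer buffer fragment (Inspection Engine Information, above) and the Audit Report counters are the two parts of the static report a practitioner usually triages first: saturated sniffer buffers or dropped connections mean the inspection engine may be losing traffic, and a failed-login count far above the successful-login count on the appliance itself is worth a look. The following Python is an added example, not product code: it parses the fragments exactly as printed in this topic (the sample text is copied from them), and the thresholds and the reading of the leading "100" as a percentage are assumptions, not documented product semantics.

```python
"""Health checks over System Static Reports fragments (added example, not
Guardium code). Parses the 'Snif buf usage' block and the 'Audit Report'
counters shown in this topic and returns findings worth a second look."""
import re

# Constructed sample: lines copied from the report fragments in this topic.
SAMPLE_REPORT = """\
============================================================================
Snif buf usage at Fri May 20 11:56:44 2009:
100 204800 buffers out of 204800
126 connection used, 32642 unused, 0 dropped (sniffer), 9 ignored (analyzer)
0 bytes lost, 60 connections ended, 601752099 bytes sent, 579063 request sent
Dropped Packets: 0 buffer full, 0 too short , 451 ignored
============================================================================
Range of time in logs: 01/14/10 13:12:26.348 - 01/18/10 12:48:01.073
Number of logins: 22 - logins into the machine - ssh and console
Number of failed logins: 114
Number of authentications: 22 - "su", etc.
Number of failed authentications: 5
Number of anomaly events: 3
Number of responses to anomaly events: 0
============================================================================
"""


def parse_snif_buffers(text):
    """Return sniffer buffer/connection/drop counters as a dict of ints.
    Assumption: the first number on the 'buffers out of' line is a percentage."""
    stats = {}
    m = re.search(r"^(\d+) (\d+) buffers out of (\d+)$", text, re.M)
    if m:
        stats["buffer_pct"], stats["buffers_used"], stats["buffers_total"] = map(int, m.groups())
    m = re.search(r"(\d+) connection used, (\d+) unused, (\d+) dropped \(sniffer\), (\d+) ignored", text)
    if m:
        stats["conn_used"], stats["conn_unused"], stats["conn_dropped"], stats["conn_ignored"] = map(int, m.groups())
    m = re.search(r"(\d+) bytes lost", text)
    if m:
        stats["bytes_lost"] = int(m.group(1))
    # Note the stray space before the comma in 'too short ,' as printed in the report.
    m = re.search(r"Dropped Packets: (\d+) buffer full, (\d+) too short ?, (\d+) ignored", text)
    if m:
        stats["drop_buffer_full"], stats["drop_too_short"], stats["drop_ignored"] = map(int, m.groups())
    return stats


def parse_audit_counts(text):
    """Return the 'Number of <thing>: N' counters as {thing: N}.
    Trailing commentary such as '- logins into the machine' is ignored."""
    counts = {}
    for m in re.finditer(r"^Number of (.+?): (\d+)", text, re.M):
        counts[m.group(1).strip()] = int(m.group(2))
    return counts


def health_findings(text, buffer_warn_pct=90, failed_login_ratio=1.0):
    """Apply simple thresholds (assumed values, not product defaults) and
    return a list of human-readable findings."""
    findings = []
    s = parse_snif_buffers(text)
    if s.get("buffer_pct", 0) >= buffer_warn_pct:
        findings.append("sniffer buffers at %d%% (%d/%d)" % (
            s["buffer_pct"], s["buffers_used"], s["buffers_total"]))
    if s.get("drop_buffer_full", 0) or s.get("bytes_lost", 0) or s.get("conn_dropped", 0):
        findings.append("sniffer reports dropped connections, lost bytes or buffer-full drops")
    a = parse_audit_counts(text)
    logins, failed = a.get("logins", 0), a.get("failed logins", 0)
    if logins and failed / logins >= failed_login_ratio:
        findings.append("failed logins (%d) exceed successful logins (%d)" % (failed, logins))
    if a.get("anomaly events", 0) and not a.get("responses to anomaly events", 0):
        findings.append("%d anomaly events with no recorded response" % a["anomaly events"])
    return findings


if __name__ == "__main__":
    for finding in health_findings(SAMPLE_REPORT):
        print("-", finding)
```

Run it against a static report exported from the depot directory (or the current directory file) instead of SAMPLE_REPORT; the regular expressions are anchored to the exact wording shown in this topic, so if a release changes the report text the parsers return an empty dict rather than a wrong number.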
Anomaly Report
This section lists the following (see example):
============================================================================
# Date Time Type Exe Term Host AUID Event
============================================================================
1. 01/14/10 13:16:02 ANOM_PROMISCUOUS /usr/sbin/brctl (none) ? -1 8 - this is expected to appear - it means the bridge is listening to all traffic
Authentication Report
This section lists the following (see example):
============================================================================
# Date Time Type Exe Term Host AUID Event
============================================================================
1. 01/14/10 13:13:22 tomcat ? console /bin/su yes 4
2. 01/14/10 13:16:44 tomcat ? console /bin/su yes 11
3. 01/14/10 13:16:44 tomcat ? console /bin/su yes 17
4. 01/14/10 13:16:45 tomcat ? console /bin/su yes 23
5. 01/14/10 13:16:48 tomcat ? console /bin/su yes 29
6. 01/14/10 13:22:29 tomcat ? ? /bin/su yes 155
7. 01/14/10 13:28:10 ? ? tty1 /bin/login no 252
8. 01/14/10 13:28:20 ? ? tty1 /bin/login no 254
Login Report
This section lists the following (see example):
============================================================================
# Date Time Type Exe Term Host AUID Event
============================================================================
1. 01/14/10 13:22:15 root 192.168.2.9 sshd /usr/sbin/sshd no 142
2. 01/14/10 13:22:15 root 192.168.2.9 sshd /usr/sbin/sshd no 143
3. 01/14/10 13:22:17 root 192.168.2.9 sshd /usr/sbin/sshd no 144
4. 01/14/10 13:22:17 root 192.168.2.9 sshd /usr/sbin/sshd no 145
5. 01/14/10 13:22:20 root 192.168.2.9 sshd /usr/sbin/sshd no 146
3 Interactive Queries
Select System Interactive Queries from the main menu to open the Interactive Queries menu. (Use the Down arrow key to scroll past the tenth item to see all items on this menu.)
In addition to displaying the requested information, each interactive query command creates output in a separate text file in the current directory. See the Overview topic for more information about the files created.
Each command is described in the following sections.
3.1 Files Changed
Use the Files Changed command to display a list of files changed either before or after a specified number of days.
- Select Files Changed from the Interactive Queries menu. You are prompted to enter a number days. Type a number and click Enter.
- You are asked if you are interested in the files changed before or after that number of days. Select 1 or 2 and click Enter.
- The full directory path for each changed file is displayed. If not all data fits in the display area, use the Up and Down arrow keys to scroll through the data. The current position in the file is indicated by the number in the display. White bars in the display area, marked with a plus sign, indicate that more data follows.
3.2 List Folder
Use this command to list the contents of various directories.
- Select List Folder from the Interactive Queries menu.
- You are prompted to select a directory. Select a directory and click Enter. The selected directory is displayed. Remember that if multiple commands of the same type are issued, the data for each execution of the command is appended to the single text file maintained for that command.
- Click Enter or click Exit when you are done.
3.3 Summarize Folder
Use the Summarize Folder command to display the output of the du (Disk Usage) command:
- Select Summarize Folder from the Interactive Queries menu. There are no prompts. You are presented with a display of disk use for various directories.
- Use the Up and Down arrow keys to scroll through the directories.
- Click Enter or click Exit when you are done.
3.4 File Summary and Export
Use this command to list all or some portion of a log file.
- Select File Summary from the Interactive Queries menu.
- You are prompted to select a file. Use the Up and Down arrow keys to scroll the selection cursor to the file you want to view.
- Click Enter or click OK.
- You are prompted to select the number of lines to display. Make your selection and click Enter.
- You are prompted to enter an optional search string. Use this box if you are searching for a particular log message (you can enter a regular expression). Otherwise leave the box empty and click Enter.
- Following the prompt, click Enter to answer yes, meaning that only unique messages will be displayed. Otherwise select No and click Enter (all messages will be displayed).
Be aware that when the Summary Style is used, variables are replaced by the pound sign character (#). For some log data containing variables such as IP addresses or dates, the replacements can be extensive.
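To make the Summary Style behaviour concrete, here is an added Python example (not product code) that does what the steps above describe for a log file: an optional regular expression selects lines, variable fields are replaced with the pound sign, and only unique normalized messages are kept, each with a count. The sample lines are constructed in the style of the sniffer STDOUT and nanny output shown earlier in this topic, and the set of fields treated as variables (IPv4 addresses, two date formats, bare numbers) is an assumption that approximates the documented substitution.

```python
"""Summary-style log condensing (added example, not the product's File Summary code).
Replaces variable fields with '#' and counts unique messages, optionally
restricted to lines matching a regular expression."""
import re
from collections import Counter

# Constructed sample in the style of the sniffer STDOUT and nanny lines shown earlier.
SAMPLE_LOG = """\
Fri_20-May-2009_04:04:35 : Guardium Engine Monitor starting
Fri_20-May-2009_04:14:37 : Guardium Engine Monitor starting
Fri_20-May-2009_04:24:38 : Guardium Engine Monitor starting
May 19 14:13:09 guard nanny:[5528]: Also checking tomcat.
May 19 14:13:09 guard nanny:[5528]: Going for my initial nap.
May 19 14:15:09 guard nanny:[5531]: Going for my initial nap.
SMTP server: 192.168.1.7 on port 25 : REACHABLE
SMTP server: 192.168.1.8 on port 25 : REACHABLE
"""

# Order matters: specific patterns first, so a date or address is replaced
# as one unit instead of being chewed up piecemeal by the bare-number rule.
VARIABLE_PATTERNS = [
    re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"),                                  # IPv4 address
    re.compile(r"\b[A-Z][a-z]{2}_\d{1,2}-[A-Z][a-z]{2}-\d{4}_\d{2}:\d{2}:\d{2}\b"),  # Fri_20-May-2009_04:04:35
    re.compile(r"\b[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}\b"),                  # syslog style: May 19 14:13:09
    re.compile(r"\b\d+\b"),                                                        # any remaining number (pids, ports)
]


def summarize_line(line):
    """Return the line with every variable field replaced by '#'."""
    out = line
    for pat in VARIABLE_PATTERNS:
        out = pat.sub("#", out)
    return out


def summarize_log(text, search=None, unique=True):
    """Return [(count, message), ...] in first-seen order.

    search: optional regular expression; only matching raw lines are kept.
    unique: True applies Summary Style (variables -> '#', duplicates folded);
            False keeps every line as printed, like answering No at the prompt."""
    pattern = re.compile(search) if search else None
    counter = Counter()
    order = []
    for raw in text.splitlines():
        if pattern and not pattern.search(raw):
            continue
        msg = summarize_line(raw) if unique else raw
        if msg not in counter:
            order.append(msg)
        counter[msg] += 1
    return [(counter[m], m) for m in order]


if __name__ == "__main__":
    for count, msg in summarize_log(SAMPLE_LOG):
        print("%4d  %s" % (count, msg))
```

The three "Engine Monitor starting" lines collapse to one entry with a count of 3, and the two SMTP lines, which differ only in the server address, also collapse; that is exactly the extensive replacement the caution above warns about when a log is dense with addresses or dates.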
3.5 Test Email
Use this command to send a test email using the configured SMTP server.
- Select Test Email from the Interactive Queries menu.
- You are prompted to select a recipient. Select Custom and click Enter.
- You are prompted to supply an email address. Type an email address and click Enter. You will be informed of the output of the operation. Note that on the Administration Console, the Test Connection link in the SMTP pane of the Alerter configuration panel only tests that an SMTP port is configured, not that mail can actually be delivered via that server. You can use this command to test email delivery without having to configure and trigger a statistical or real-time alert, or an audit process notification.
3.6 Test SNMP
Use this command to send a test SNMP trap to the configured SNMP server.
- Select Test SNMP from the Interactive Queries menu.
- You are informed of the activity and the results. Note that on the Alerter Configuration panel, the Test Connection link in the SNMP pane only tests that an SNMP port is configured, not that a trap can actually be delivered via that server. You can use this command to test trap delivery without having to configure (and trigger) a statistical or real-time alert, or an audit process notification.
3.7 Report Query Data
Use this command to display the actual select statement used for a report query. This might be useful if a user-written report is producing unexpected output.
- Select Report Query Data from the Interactive Queries menu.
- You are prompted to make a selection from a list of report titles. Use the Up and Down arrow keys to select an entry and click the Enter key. Each entry in this list is a Report entity. All pre-defined reports are listed first. These are numbered in the range 100-225 (for version 3.6.1 – the numbers will most likely grow incrementally with each release, as more pre-defined reports are created).
User written reports are listed following the pre-defined reports, beginning with number 20001 (for version 3.6.1).
The selected report select statement will be displayed.
3.8 GDM Queries
Use this command to display a count of observed SQL calls during a 100 second interval.
- Select GDM Queries from the Interactive Queries menu.
- A message displays requesting your patience. Select yes to continue. The CMD_CT column on the display lists the number of observed SQL calls from the specified clients to the specified servers.
- Click Enter when you are done viewing the report.
3.9 Generate TCP Dump
Use this command to create a TCP dump. For this command, output is written to a command file only and not to the screen. Unlike most other commands, a separate file is created in the current directory for each execution of this command. The file name is in the format: tcpdump_<mmyyyy-hhmmss>, where the variable portion is a date and time stamp: mmyyyy is the month and year, and hhmmss is the hours, minutes, and seconds.
- Select Generate TCP dump from the Interactive Queries menu.
- You are prompted to select an interface. Select a port and click Enter.
- You are prompted for an optional filter IP address. If you are interested in traffic from only a specific address, enter that IP address and click Enter. Otherwise, just click Enter.
- You are prompted for an optional port number. If you are interested in traffic from only a specific port, enter that port number and click Enter. Otherwise, just click Enter.
- You are prompted to select how many seconds of traffic to capture. Select a number of seconds and click Enter.
- You are prompted to click Enter to start collecting data. Click Enter. You are returned to the menu after (approximately) the specified number of seconds.
- To view the TCP dump data, select the Read TCP dumps command or export the file (see Export Reported Files on the Output Management menu, described previously).
3.10 Read TCP Dumps
Use this command to display a TCP dump file created previously.
- Select Read TCP dumps from the Interactive Queries menu.
- You are prompted to select file. The TCP dump files are listed from oldest to newest. The file name is in the format: tcpdump_<mmddyy-hhmmss>, where the variable portion is a date and time stamp: mmddyy is the month, day, and year; and hhmmss is the hours, minutes, and seconds. Select the file you want to view and click Enter.
- The selected file displays. Use the Up and Down arrow keys to scroll through the display and click Enter when you are done.
3.11 Watch Buffer
Use this command to watch activity in the Guardium buffers:
- Select Watch Buffer from the Interactive Queries menu. The display is updated every second.
- Click Ctrl-C to close the display.
3.12 SLON Utility
Use this command to run the slon utility, which tracks packets. Typically, you would only run this command as directed by Technical Support. For this command, output is not written to the screen. Output is written to one of two command files in the current directory, for each execution of the command: apks.txt.<day_dd-mmm-yyyy_hh.mm.ss.ttt> OR requests.txt.<day_dd-mmm-yyyy_hh.mm.ss.ttt>
The variable portions of the file names are date and time stamps. For example, apks.txt.Fri_20-May-2011_08.52.00.789.
- Select Slon Utility from the Interactive Queries menu.
- Select the action to be performed and click OK. The choices are:
(a) to dump Analyzer rules info
(f) to filter Analyzer packets based on IP and/or mask
(p) to dump packets to apks.txt
(l) to dump logger requests to requests.txt
(m) to dump STAP packets (Select how long to run. Wait for completion and then check the msg-dump file under /var/log/guard/diag/current/tap/ )
(r) to record IPQ traffic
(s) to dump State machine info
(t) to configure throttle parameters
- Regardless of your selection, you will be prompted to select the time period for the activity. Select a time period and click Enter.
- You are notified that the program will run for the specified time and prompted to click Enter. Click Enter and wait.
- When processing completes, a message will be displayed. You can use the File Summary command to display the output of this command. Because this command can produce a large amount of data, you will probably want to export the file to another system, where you can view the contents using a text editor. (Pack the current session data, and export the recordings as described earlier in this section.)
3.13 Show Indexes
Use this command to show indexes for various internal tables:
- Select Show Indexes from the Interactive Queries menu.
- You are prompted to select a table. Select a table and click Enter to display the indexes for that table.
- Use the Up and Down arrow keys to scroll through the display. Click Enter when you are done.
3.14 S-TAP Check
Use this command to display S-TAP definitions and traffic information:
- Select S-TAP Check from the Interactive Queries menu.
- The system’s unit type displays in numeric format. Click Enter.
- You are prompted to select the number of seconds to monitor the S-TAP traffic. Use the Up and Down arrow keys to make a selection and click Enter.
- You are informed of approximately how long to wait for output, and prompted to click Enter. Click Enter.
- The S-TAP Definitions and Server Traffic reports display. Click Enter when you are done viewing the report.
3.15 Interface Link Status
Use this command to display interface link status.
- Select Interface link status from the Interactive Queries menu.
- The status of all interfaces displays. Use the Up and Down arrows to scroll through the display.
- Click Enter when you are done. Note that this command displays the link status only. To display interface configuration information, use the show network interface all CLI command.
3.16 Show Throttle Data
Use this command to display throttle data.
- Select Show Throttle data from the Interactive Queries menu.
- Click Enter and wait 3 seconds for throttle statistics.
- Use the Up and Down arrows to scroll through the display, and click Exit when you are done.
3.17 Generate TCP dump and slon
Use this command to create a TCP dump and run the slon utility, which tracks packets. Only run this command as directed by Technical Support. For more information, see Generate TCP dump and Slon utility.
3.18 Generate SSL dump
Use this command to create an SSL dump.
- Select Generate SSL dump from the Interactive Queries menu.
- Select an interface and click OK. Enter filter IP address and click OK. Enter filter port number and click OK.
- Select how long to run and click OK. Click OK and wait the specified time in order to gather TCP dumps.
- If you wish to view SSL dumps, click OK.
- Click Exit when you are done.
3.19 View bash history
Use this command to display bash history.
- Select View Bash History from the Interactive Queries menu.
- Click OK.
- Use the Up and Down arrows to scroll through the display, and click Exit when you are done.
3.20 Generate GDM_Error dump
Use this command to create GDM_ERROR dumps.
- Select Show Generate GDM_ERROR dump from the Interactive Queries menu.
- Click OK and then enter password. Click Enter.
- Use the Up and Down arrows to scroll through the display, and click Exit when you are done.
3.21 Prepare Tomcat Memory dump
When Tomcat first encounters an OutOfMemory error, it writes a memory dump to /var/tmp/tomcat/tomcat.dmp. Use this command to compress and encrypt that file and move it to /var/log/guard/diag/tomcat/, where the fileserver command can retrieve it.
- Select Prepare Tomcat Memory dump from the Interactive Queries menu.
- Click OK.
- Use the Up and Down arrows to scroll through the display, and click Exit when you are done.
3.22 Extended Network Information
Select the Extended Network Information option from the Interactive Queries menu to display the network diagnostics information.
Example
SQLGuard Diagnostics
Network Parameters from ADMINCONSOLE_PARAMETER:
SYSTEM_NETMASK1: 255.255.255.0
SYSTEM_DOMAIN:
SYSTEM_DEFAULT_ROUTE:
SYSTEM_DNS1:
SYSTEM_DNS2:
SYSTEM_DNS3:
TOMCAT_IP:
MANAGER_IP:
HOST_MAC_ADDRESS:
SECOND_DEVICE:
3.23 Generate TCP dump in rotation
This selection differs from the Generate TCP dump and Generate TCP dump and slon selections described earlier in this section.
For Generate TCP dump in rotation, enter the filter IP address (leave blank for all IPs) and the filter port number. At the "How long to run?" prompt, if the TCP dump in rotation is already running, choose either "Rotation OFF" or "Rotation" (ON). If Rotation is selected, also enter the file size.
The TCP dump will be output to /var/log/guard/tcp.bin1 and /var/log/guard.bin2 in rotation.
Select TCP dump in rotation again to stop the process loop_tcpdump.sh.
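The rotation described above can be reproduced with plain tcpdump. The following is an added example, not Guardium's own loop_tcpdump.sh: it validates the port, builds the BPF filter from the optional IP and port prompts (blank meaning "all"), and composes a tcpdump command that rotates between a fixed number of files of a fixed size using tcpdump's real -C (size in MB) and -W (file count) options. Interface, output path and sizes are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example (not the product's script). Nothing here runs tcpdump;
# the functions only validate input and compose the command line so the
# resulting invocation can be reviewed before it is executed as root.

# is_port: accept only an integer in 1..65535 (blank is handled by caller).
is_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# build_filter IP PORT: blank IP or PORT means "no restriction",
# mirroring the diag prompts. Prints the BPF filter (possibly empty).
build_filter() {
    ip="$1"; port="$2"; f=""
    if [ -n "$ip" ]; then
        f="host $ip"
    fi
    if [ -n "$port" ]; then
        is_port "$port" || { echo "invalid port: $port" >&2; return 1; }
        if [ -n "$f" ]; then
            f="$f and port $port"
        else
            f="port $port"
        fi
    fi
    printf '%s' "$f"
}

# build_rotating_tcpdump IFACE IP PORT SIZE_MB NFILES OUT
# Composes: tcpdump -i IFACE -C SIZE_MB -W NFILES -w OUT [filter]
# tcpdump appends a sequence number to OUT for each file in the ring.
build_rotating_tcpdump() {
    iface="$1"; ip="$2"; port="$3"; size_mb="$4"; nfiles="$5"; out="$6"
    filter=$(build_filter "$ip" "$port") || return 1
    cmd="tcpdump -i $iface -C $size_mb -W $nfiles -w $out"
    if [ -n "$filter" ]; then
        cmd="$cmd $filter"
    fi
    printf '%s' "$cmd"
}

# Example (placeholder interface, address and path; not from the page):
# build_rotating_tcpdump eth0 10.0.0.5 1521 100 2 /tmp/diag/tcp.bin
```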
4 Perform Maintenance Actions
Select the Perform Maintenance Actions option from the Main Menu to open the Maintenance menu. Use these commands only under the direction of Technical Support. These do not need to be run on a regular basis.
4.1 TURBINE analyze (update index cardinality)
Use this command to optimize index cardinality on Guardium’s internal database. A progress bar displays while the operation is running. When the operation completes, you are returned to the Maintenance menu.
4.2 TURBINE optimize (rebuild indexes, takes longer)
Use this command to analyze and re-index Guardium’s internal database.
- Select TURBINE optimize (index cardinality) from the Maintenance menu. A progress bar displays while the operation is running. When the operation completes, you are returned to the Maintenance menu.
4.3 Clean disk space
Use this command to clean unused disk space. You are returned to the Maintenance menu when the procedure completes.
- Select Clean disk space from the Maintenance menu. You will be prompted to select a directory.
- Select the directory from which you want to remove files. The contents of the directory will be listed, and you will be prompted to confirm that you want to remove all files.
- When the operation completes, you are returned to the Maintenance menu.
4.4 RAID maintenance
Use this command only under the direction of Technical Support. This command provides access to the Management Menu of the RAID controller utility program, which can be used to display the status of the RAID drives. If your system does not have a RAID controller, an error message displays if you select this command. You must be extremely careful when using the RAID controller utility program, since several of the functions provided will erase all information on the disk.
4.5 Application Debugging Utility
Use this command to turn debugging on or off. You are prompted to enable or disable logging, or to reset the system defaults.
4.6 Modify TURBINE watchdog time threshold
Use this option to change the timeout limit for long queries.
4.7 Force unrecoverable MySQL to start
Use this option only when directed to do so by Technical Support.
4.8 Transfer Backups & System Recovery
Use this command to restore a backed up version of the internal database. You will be prompted to confirm the operation.
4.9 Tomcat logging level
Use this command to select the component debug level. Choose one of the following options:
Classifier, Data Level Security, Workflow, or Other.
Choose Classifier to select debug level options: ERROR, WARN, INFO, DEBUG, ALL.
Choose DLS (data level security), Workflow, or Other (text input) to select debug level options: ERROR, WARN, INFO, DEBUG, ALL.
If Other is chosen (text input separated by ','), enter valid components (dls, workflow, audit, customtable, gui, other, job).
4.10 Aggregator Maintenance
Full analysis and recovery of the Aggregator. This utility collects AGG-related logs and places them in the diag export folder, calls Aggregator Fix Schema to sync the schema of all databases, cleans the AGG workspace, and restarts the merge process to ensure full analysis of all imported tables (runs in the background and may take several hours to complete).
4.11 Aggregator Fix Schema
Brings all imported tables to the schema of the latest patch level (runs in the background and may take several hours to complete).
4.12 Clean Static Orphans
This option should be used only by Technical Support and only in those cases where static tables grow too large and need to be cleaned. This utility removes all old construct records that have no Instances associated with them. A progress message displays while Clean Static Orphans runs (for use on a collector or an aggregator).
5 Exit to CLI
Select Exit to CLI on the Main Menu and press Enter to close the diag command and return to the command line interface.