Unit utilization and inspection core performance

This section presents details about the Unit utilization and Buffer usage monitor reports so you can learn to identify problems. It includes troubleshooting tips for queue overflow scenarios and for managing utilization thresholds.

The Inspection Core (sniffer) is the heart of the Guardium collector. It receives all data that is sent from S-TAPs, Network TAPs, and SPAN ports. It is composed of the following components that perform various tasks of transforming network packets into data that can be stored in the internal MySQL database of the collector:
  • Sniffer Engine: The sniffer engine reassembles packets that are coming from a SPAN port or Network TAP, or from S-TAPs that are using the packet capture (pcap) driver to capture data. It is not used to process data that is captured by the native S-TAP drivers, such as KTAP (in the case of UNIX S-TAP).
  • Analyzer/Parser: The analyzer determines the database type, protocol, and packet structure that is used for each monitored session. It then passes this information to the Parser, which, as the name implies, parses the SQL statements into their constituent parts (VERB, OBJECT, FIELD, and so on).
  • Logger: The parsed data is then passed to the logger, which stores this data into the collector’s database.
Each of these inspection core components features dedicated buffers to cope with temporary spikes in traffic. When these buffers overflow, data loss occurs. When the appliance loses packets, you might notice data missing from Guardium reports or reports with missing fields (such as Database Username). Therefore, managing the performance of the Inspection Core comes down to doing what is necessary to keep the various buffers from overflowing. The most efficient way to do this varies with the size of your Guardium environment.

The sniffer can restart because of logger queue overflow. Any data that is stored in any of the sniffer buffers during a restart is lost.

Open the unit utilization reports by going to Manage > Reports > Unit Utilization, and then selecting one of the reports.

Using aliases is recommended when you use unit utilization data in custom and predefined reports. Otherwise, utilization levels are displayed as the numeric values 1, 2, 3 instead of Low, Medium, High.