Protocol 7 General parameters

These parameters define basic properties of the S-TAP® running on a Windows server and the server on which it is installed, and do not fall into any of the other categories.

These parameters are stored in the [VERSION] section of the S-TAP properties file: guard_tap.ini.
Attention: If a parameter is available through both the Guardium installation manager (GIM) and the command line interface (CLI), then the GIM parameter, including any defaults, always overwrites any value that is available from WINSTAP_CMD_LINE.
Table 1. S-TAP configuration parameters in the [VERSION] section
GUI guard_tap.ini Description
  STAP_CLIENT_BUILD Read only. The build version of the installed S-TAP.
Version PROTOCOL_VERSION Read only. The version of the Guardium® system.
These parameters are stored in the [TAP] section of the S-TAP properties file: guard_tap.ini.
Table 2. S-TAP configuration parameters in the [TAP] section
GUI GIM guard_tap.ini Default value Description
    ADD_TO_VERTIFICATION_SCHEDULE    
All can control WINSTAP_ALL_CAN_CONTROL ALL_CAN_CONTROL 0 Defines which Guardium systems control this S-TAP. Valid values:
  • 0: S-TAP is controlled by the primary Guardium system
  • 1: S-TAP can be controlled by any Guardium system
  WINSTAP_BUFFER_FILE_MAX_SIZE BUFFER_FILE_MAX_SIZE 250 Advanced. The maximum size, in MB, that the Memory commit expands to. Maximum value is 1000.
  BUFFER_FILE_MEM_FOOTPRINT 8 12.0 Deprecated in 12.1. Advanced. The maximum fraction of the total memory that is allocated for the dynamic buffer increase. The default value of 8 translates to 1/8 of the total memory. The minimum parameter value is 2, meaning that you cannot allocate more than 1/2 of the total memory.
  WINSTAP_BUFFER_MMAP_FILE_SIZE BUFFER_MMAP_FILE 0 How the buffer memory is allocated. Valid values:
  • 0: Virtual memory allocation
  • 1: Memory-mapped file
  WINSTAP_BUFFER_FILE_SIZE BUFFER_FILE_SIZE 50 Advanced. The initial size of the buffer. The range is 5 - 1000 in MB.
Compres. level WINSTAP_COMPRESSION_LEVEL COMPRESSION_LEVEL 0 Compression level. Valid values:
  • 0: No compression
  • 1-9: Compression level. Nine is the maximum.
  WINSTAP_CMD_LINE     In rare cases, the S-TAP named pipes driver can interact with other third-party software in ways that slow the server down. To turn off the named pipes driver, set the -nmp parameter to off. The named pipes driver is removed at the next system reboot.
Notes:
  • The named pipes driver is not removed during an upgrade. A reboot is always required.
  • If you turn off the named pipes driver, then the S-TAP does not capture named pipes traffic.

For more information about using the WINSTAP_CMD_LINE parameter with GIM, see GIM user interfaces.

  WINSTAP_CORRELATION_LIMIT CORRELATION_LIMIT 200 Limits the amount of traffic buffered by each session. Once the limit is reached S-TAP stops waiting for the correlation key as if a correlation timeout occurred, and all buffered traffic is released to the appliance.

Minimum value=100; no maximum value

  WINSTAP_CORRELATION_TIMEOUT CORRELATION_TIMEOUT 120 The number of seconds the WFP and NMP sniffers wait for correlation to occur before it gives up and resumes the flow of traffic to the appliance. Maximum value: 600

Minimum value: 1

  WINSTAP_CPU_LOAD_LIMIT CPU_LOAD_LIMIT 100 The CPU load threshold (as a percentage) for S-TAP. Valid values 1 - 100.
  WINSTAP_CPU_INTERVALS_ALLOWED CPU_INTERVALS_ALLOWED 30 The number of intervals (in minutes) that the CPU can be greater than the threshold before an action is triggered. Valid values 1 - 360.
  WINSTAP_DB_IGNORE_RESPONSE DB_IGNORE_RESPONSE   Ignore responses at the inspection level. Use this function to ignore all database responses at the S-TAP level, without sending anything to the Guardium system. In environments where only client transactions are of interest, this saves bandwidth and processing time for both the S-TAP and the Guardium system, and is a simpler way to drop unwanted database responses without loading the network. Database types can be listed comma separated, or ALL can be specified to ignore responses from all database types, for example, DB_IGNORE_RESPONSE=ALL or DB_IGNORE_RESPONSE=MSSQL,DB2. Supported DB types: ALL, MSSQL_NP, MSSQL, MYSQL, TRD, PGRS, MSSYB, ORACLE, DB2, DB2_EXIT, INFORMIX, KERBEROS, FTP, CIFS.
  WINSTAP_DB_IGNORE_RESPONSE_BYPASS_BYTES DB_IGNORE_RESPONSE_BYPASS_BYTES 65535 Ignore DB responses after specified number of bytes.
  WINSTAP_DB_IGNORE_RESPONSE_FILTER DB_IGNORE_RESPONSE_FILTER 0.0.0.0/0.0.0.0 Comma separated list of IP/MASKs to be response-ignored. Any DB responses of the type specified by DB_IGNORE_RESPONSE to the specified IP/MASKs are ignored. Valid values:
  • NULL: No filtering of responses
  • 0.0.0.0/0.0.0.0: All IPs are filtered
  WINSTAP_DB_IGNORE_RESPONSE_LOCAL DB_IGNORE_RESPONSE_LOCAL 1 Filtering of local db responses. Valid values:
  • 0: No
  • 1: Yes
Note: TCP traffic is not considered Local traffic for db_ignore_response_local parameter.
  WINSTAP_DB_IGNORE_RESPONSE_RESETS_PER_REQUEST DB_IGNORE_RESPONSE_RESETS_PER_REQUEST 1 The DB_IGNORE_RESPONSE_BYPASS_BYTES is reset on each request's response. Valid values:
  • 0: No
  • 1: Yes
WINSTAP_DB2_EXIT_DRIVER_INSTALLED DB2_EXIT_DRIVER_INSTALLED   Enable Db2 Exit library integration. Valid values:
  • 0: Disabled
  • 1: Enabled
  WINSTAP_DB2_PROTOCOLS DB2_PROTOCOLS LOCAL,PIPES,SSL Specifies the protocols that Db2 exit Monitors.
  WINSTAP_DB2_SSL_DRIVER_INSTALLED DB2_SSL_DRIVER_INSTALLED 0 Specifies whether the DB2 SSL engine is installed. Valid values:
  • 0: Disabled
  • 1: Enabled
  WINSTAP_DB2_TAP_INSTALLED DB2_TAP_INSTALLED 0 Set to 1 for sniffing Db2 shared memory traffic. Starts the Db2 TAP Service when set to 1.
Note: For a fresh S-TAP installation on a server where a Db2 database is installed, the DB2_TAP_INSTALLED parameter is automatically enabled if DB2_EXIT_DRIVER_INSTALLED and DB2_SSL_DRIVER_INSTALLED are disabled.
  DISABLE_SHARED_MEMORY_IF_TURNED_ON 0  
  WINSTAP_DOMAIN_CONTROLLER DOMAIN_CONTROLLER Null The name of the specific controller from which to read the SID/usernames map.
  WINSTAP_DYNAMIC_BUFFER_INCREASE DYNAMIC_BUFFER_INCREASE 0 Advanced. Enables the dynamic buffer feature: when the buffer gets to 75% full in the current S-TAP session, the buffer size increases incrementally by 50 MB. The feature is controlled by buffer_file_size and buffer_file_max_size. Valid values:
  • 0: Disabled
  • 1: Enabled
  WSTAP_FAM_PROTECT_PRIVILEGED FAM_PROTECT_PRIVILEGED 0 Valid values:
  • 0: The FAM for Windows software does not provide any blocking functionality for either the domain or local Administrator accounts. An Administrator user can still access a file or folder that is marked to be blocked by policy.
  • 1: The FAM for Windows software treats the Administrator accounts like any other account on the machine. Files that are marked to be blocked are blocked for regular users, as well as the Administrator users.
  FILE_SNIFFER_FREQUENCY 45 Frequency, in seconds, of:
  • Registration attempts with a Guardium system if a previous attempt was not successful.
  • S-TAP checks for new logs available from Program Files\IBM\Windows S-TAP\Logs for uploading on to collector.
  WINSTAP_FIREWALL_VERDICT_DELAY FIREWALL_VERDICT_DELAY 5 The number of milliseconds to delay before applying verdicts from the collector. Smaller values decrease end-user latency but increase CPU usage. Larger values decrease overall system CPU usage but increase end-user latency.

Minimum value: 0

Maximum value: 30

  WINSTAP_FORCE_LOG_LIMITED FORCE_LOG_LIMITED 0 Forces restricted logging on the collector. Use this parameter to evaluate the number of records affected by an SQL command, while masking the actual query. This parameter can be set only by user root on the DB server. Valid values:
  • 0: No logging allowed
  • 1: Log with masking, only logins are allowed (sent packets are flagged with LOGALWAYSMASK). Forces encryption to be on in the S-TAP regardless of any other settings; traffic is sent to the collector only after the collector indicates that it is aware of the parameter value. Otherwise, the S-TAP logs a message that traffic can't be sent, and its status is red in the S-TAP Control page.
  • 2: All packets are allowed (sent packets are flagged with LOGACCESSONLY)
  WINSTAP_GLOBAL_SESSION_KEY GLOBAL_SESSION_KEY 0 When set to 1, allows the S-TAP to use the extended session key, which provides more unique IDs for each session.
Valid values:
  • 0 (off, default)
  • 1 (on)

Setting GLOBAL_SESSION_KEY to 1 reduces the chances that the S-TAP reuses an ID, which in turn helps to ensure that data packets are correlated correctly.

Note: Do not change the value of this parameter when restarting the S-TAP. You might lose session information for open sessions.
  WINSTAP_GUARDIUM_CA_PATH GUARDIUM_CA_PATH NULL Location of the Certificate Authority certificate.
  WINSTAP_GUARDIUM_CRL_PATH GUARDIUM_CRL_PATH NULL The path to the Certificate Revocation list file or directory.
  WINSTAP_HANDLE_COUNT_INTERVALS_ALLOWED HANDLE_COUNT_INTERVALS_ALLOWED 30 The number of intervals (in minutes) that the handle count can be greater than the threshold before an action is triggered. Valid values 1 - 360.
  WINSTAP_HANDLE_COUNT_LIMIT HANDLE_COUNT_LIMIT 5000 The handle count threshold for S-TAP before an action is triggered. Valid values 300 - 10,000.
  HIGH_RESOLUTION_TIMER 0 Valid values:
  • 0: Send time stamps in milliseconds.
  • 1: Send time stamps in microseconds, but use the millisecond system timer (the millisecond value is multiplied by 1000, which reduces the performance hit).
  • 2: Send time stamps in microseconds, using the high-resolution Windows timer (most accurate).
For values 1 and 2, the S-TAP indicates to the Guardium system that microseconds are sent by setting the reserved byte in PacketData to 1.
    INFORMIX_LOG_SIZE    
    INFX_SSL_DRIVER_INSTALLED    
WINSTAP_INITIAL_BALANCER_MU_GROUP INITIAL_BALANCER_MU_GROUP   The managed unit group name to associate with this S-TAP (by the central manager load balancer) when installing an S-TAP. S-TAP stops sending group information after the first successful request.
WINSTAP_INITIAL_BALANCER_TAP_GROUP INITIAL_BALANCER_TAP_GROUP   The S-TAP group name to associate with this S-TAP (by the central manager load balancer) when installing an S-TAP. S-TAP stops sending group information after the first successful request.
    INTERVAL    
    LDAP_DRIVER_INSTALLED    
  WINSTAP_LOAD_BALANCER_IP LOAD_BALANCER_IP Null IP address or hostname of the load balancer unit. If not defined, S-TAP does not use enterprise load balancing.
  WINSTAP_LOAD_BALANCER_NUM_MUS LOAD_BALANCER_NUM_MUS 1 If you specify a LOAD_BALANCER_IP, the number of managed units that enterprise load balancing will assign. If LOAD_BALANCER_IP is null, S-TAP does not use enterprise load balancing and LOAD_BALANCER_NUM_MUS is ignored.
  WINSTAP_LOAD_BALANCER_PORT LOAD_BALANCER_PORT 8443 Port of the load balancer unit.
Valid values: 1024-65535
  WINSTAP_LOG_NMP_CONNECTIONS LOG_NMP_CONNECTIONS 0 Named Pipe connection information is logged in S-TAP. Valid values:
  • 0: Disabled
  • 1: Enabled
    LOG_NMP_MUTE 0 Mutes the Premonitory logs. Valid values:
  • 0 (off, default)
  • 1 (on)
    LOG_STP_MUTE 0 Mutes the S-TAP logs. Valid values:
  • 0 (off, default)
  • 1 (on)
  WINSTAP_LOG_WFP_CONNECTIONS LOG_WFP_CONNECTIONS 0 TCP information is logged in S-TAP. Valid values:
  • 0: Disabled
  • 1: Enabled
    LOG_WFP_MUTE 0 Mutes the Premonitory logs. Valid values:
  • 0 (off, default)
  • 1 (on)
  MAXIMUM_PACKET_NUM 300,000 Sets the maximum packet ID. When Guardium reaches the maximum number (300,000), the packet ID is reset and the IDs are incremented from 0.
  WINSTAP_MEM_USAGE_INTERVALS_ALLOWED MEM_USAGE_INTERVALS_ALLOWED 30 The number of intervals (in minutes) that memory usage can be greater than the threshold before an action is triggered. Valid values 1 - 360.
  WINSTAP_MEM_USAGE_LIMIT MEM_USAGE_COUNT_LIMIT 10240 The memory usage threshold for S-TAP before an action is triggered. Valid values 50-20480.
    MEM_USAGE_LIMIT    
  WINSTAP_MIN_BYTES_TO_COMPRESS MIN_BYTES_TO_COMPRESS 500 Advanced. Minimum size of message to compress.
  WINSTAP_NAMED_PIPES_DRIVER_INSTALLED NAMED_PIPES_DRIVER_INSTALLED 0 Set to 1 for local named pipes sniffing. Valid values:
  • 0: no
  • 1: yes
  WINSTAP_NMP_SNIFFER_PAUSE NMP_SNIFFER_PAUSE 0 The length of the pause, in milliseconds, after every packet on the Named Pipes thread (to reduce CPU consumption).
  NOT_SEND_TO_SQLGUARD 0 Advanced. Send nothing to the Guardium system.
    NPTRC_LOG_SIZE    
  NUMBER_OF_PROCESSORS 4 Read only. Number of processors on the machine
    ORA_DRIVER_INSTALLED    
    ORACLE_LOG_SIZE    
    OS_TYPE    
Load balancing WINSTAP_PARTICIPATE_IN_LOAD_BALANCING PARTICIPATE_IN_LOAD_BALANCING 0 Controls S-TAP load balancing (not enterprise load balancing) to Guardium systems. Valid values:
  • 0: No load balancing.
  • 1: Load balancing. Traffic is balanced between the primary and secondary servers, which are defined in the SQLGuard section.
  • 2: Redundancy. Fully mirrored S-TAP sends all traffic to all primary and secondary servers, which are defined in the SQLGuard section.
  • 3: Hardware load balancing. Guardium uses a load balancer such as F5 or Cisco. S-TAP sends the traffic to the load balancer, which forwards it to one of the collectors in the pool.
Use the primary parameter in the SQLGUARD section to specify the primary, secondary (and so on) servers. If this parameter is set to 0, and more than one Guardium system is monitoring traffic, then the non-primary Guardium systems are available for failover.
  WINSTAP_PRIORITY_QUEUE_ENABLED PRIORITY_QUEUE_ENABLED 1 Valid values:
  • 0: Disabled
  • 1: S-TAP sends the PRIORITY_COUNT number of packets per session. See priority_count.
  WINSTAP_QUERY_REWRITE_VERDICT_DELAY QUERY_REWRITE_VERDICT_DELAY 5 The number of milliseconds to delay before applying verdicts from the collector. Smaller values decrease end-user latency at the expense of increased CPU usage. Larger values decrease overall system CPU usage at the expense of increased end-user latency.

Minimum value: 0

Maximum value: 30

Messages: remote REMOTE_MESSAGES 1 Valid values:
  • 1: Send messages to the active Guardium system
  • 0: Do not send messages
  SEND_LEVEL 0 Advanced. Used for thread prioritization.
  SOFTWARE_TAP_HOST   The database server host on which S-TAP is installed. It can be an IP address or a name that is recognized by the DNS server. There is no default.

If the SOFTWARE_TAP_HOST configuration is invalid, the value is automatically replaced with a valid local IP address.

SQLGUARD_IP and SOFTWARE_TAP_HOST must be both either IPv4 or IPv6. Do not mix IP modes for these addresses.

  WINSTAP_SQLGUARD_CERT_CN SQLGUARD_CERT_CN NULL The common name to expect from the Sqlguard certificate.
  12.1 and later WINSTAP_SSPI_NAME_LIMIT SSPI_NAME_LIMIT 10000 The maximum number of SSPI names that the correlators can store in the STAP at a time. Any names over this limit are dropped and result in a missing DB_USER.

Maximum value: 20000

Minimum value: 500

  12.1 and later WINSTAP_SSPI_NAME_TTL SSPI_NAME_TTL 120 The number of seconds that an SSPI name remains in the STAP. Names that remain beyond this interval are dropped and result in a missing DB_USER.

Minimum value: 5

Maximum value: 300

  12.1 and later WINSTAP_SSPI_SESSION_MEMORY SSPI_SESSION_MEMORY 40 The amount of memory, in MB, that can be used to buffer traffic while waiting for the delivery of Kerberos names for currently active sessions. Traffic is released when this limit is reached, which results in missing DB_USERs.

Minimum value: 1

Maximum value: 1024

  12.1 and later WINSTAP_SSPI_SESSION_TTL SSPI_SESSION_TTL 60 The number of seconds that login packets wait for a Kerberos name to be delivered. A login packet that remains beyond this time is released to the collector and results in a missing DB_USER.

Minimum value: 1

Maximum value: 300

    SSL_BANNED_PROTOCOLS    
  WINSTAP_STAP_STATISTIC STAP_STATISTIC -5 The interval at which the S-TAP sends its statistics information to the collector.
  • Positive integer: for hours
  • Negative integer: minutes
  • 0: do not send
    SYBASE_DRIVER_INSTALLED    
    SYNCH_FLAG 1 Read only. Indicates whether parameters are synchronized with the UI.
  TAP_DBSERVER_NAMES    
  WINSTAP_TAP_FAILOVER_SESSION_QUIESCE TAP_FAILOVER_SESSION_QUIESCE 60 The number of minutes after failover, when unused sessions in the failover list from the previous active servers can be removed from the current active server. Valid values: 20-300.
  WINSTAP_TAP_FAILOVER_SESSION_SIZE TAP_FAILOVER_SESSION_SIZE 8192 Size, in MB, of the failover session list. Valid values:
  • 0: failover sessions are not saved
  • 256 - 12228 (12 K): size, in MB
    TAP_GUARD_TCP_PORT 9500 Read only. Port used for S-TAP to connect to Guardium system.
    TAP_MIN_HEARTBEAT_ALL_CAN_CONTROL    
  WINSTAP_TAP_MIN_HEARTBEAT_INTERVAL TAP_MIN_HEARTBEAT_INTERVAL 30 Maximum time the S-TAP attempts to write to the primary Guardium system buffer before it attempts to write to the secondary Guardium buffer. Default is 30 sec, meaning it tries to write at least 5*60/30 times before failover, by default (along with TAP_MIN_TIME_BEFOREFAILOVER).
  WINSTAP_TAP_MIN_TIME_BEFOREFAILOVER TAP_MIN_TIME_BEFOREFAILOVER 5 The time interval, in minutes, after which the S-TAP switches to the secondary Guardium system if:
  • It cannot connect to its primary Guardium system.
  • It can connect to its primary Guardium system but cannot write to its buffer.
    TAP_TYPE wstap Read only. The type of installed S-TAP agent. Values: wtap=WINDOWS
  WINSTAP_TCP_BUFFER_SIZE TCP_BUFFER_SIZE 60000 Advanced. Minimum number of bytes to collect before sending a message to the Guardium system.
    TCP_LOG_SIZE    
    TENANT_ID   To use an S-TAP with Guardium Insights, the Guardium Insights tenant ID is required, including the TNT_ prefix. For example:
tenant_id=TNT_N5YBRAPBWRYAPFLQWABCDE
  TIME_NETWORK 0 Advanced. Used for debug only.
S-TAP Host WINSTAP_TAP_IP TAP_IP   Read only. Used by the file system monitoring service, instead of the SOFTWARE_TAP_HOST parameter. Both parameters should have the same value.
Version   TAP_VERSION   Read only. The version of S-TAP installed on the server.
  WINSTAP_UPLOAD_FEATURE UPLOAD_FEATURE 1 Controls uploading of all log files from Program Files\IBM\Windows S-TAP\Logs on to the collector and/or central manager. Valid values:
  • 0: No automatic upload.
  • 1: Upload files to the collector and the central manager.
  • 2: Upload files to the collector even if a central manager is available.
For more information, see Windows: Upload dump files from the S-TAP to the collector and central manager.
  WINSTAP_UPLOAD_PORT UPLOAD_PORT 8444 Valid values: 1024-65535
TLS Use WINSTAP_USE_TLS USE_TLS 0 Controls encryption. Valid values:
  • 0: Do not encrypt. Warning: the traffic between the agent and Guardium system is in clear text.
  • 1: Use SSL to encrypt traffic between the agent and the Guardium system.

Guardium recommends encrypting network traffic between the S-TAP and the collector whenever possible. Only disable network encryption when performance is a higher priority than security.

  WINSTAP_V8_PROTOCOL V8_PROTOCOL 1 Enable Protocol 8 on the S-TAP. Both S-TAPs reside in the same image. One is dormant while the other is active. Valid values:
  • 0: Disabled
  • 1: Enabled
  WEB_SERVER_PORT 9000 Port for the web server.
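As an added example (not IBM's code), the following Python reads a constructed guard_tap.ini [TAP] section, checks several values against the ranges documented in Table 2, flags USE_TLS=0 because that setting leaves agent-to-collector traffic in clear text, and evaluates DB_IGNORE_RESPONSE together with DB_IGNORE_RESPONSE_FILTER for a given client address. The section and key names come from the table; the sample values and the helper function names are constructed for the example.

```python
"""Audit a guard_tap.ini [TAP] section against the documented ranges.
Added example; not part of the S-TAP product. Sample values are constructed."""
import configparser
import ipaddress

# Constructed sample of a [TAP] section (deliberately contains out-of-range values).
SAMPLE_INI = """
[TAP]
USE_TLS=0
COMPRESSION_LEVEL=4
CORRELATION_LIMIT=50
LOAD_BALANCER_PORT=443
FORCE_LOG_LIMITED=1
DB_IGNORE_RESPONSE=MSSQL,DB2
DB_IGNORE_RESPONSE_FILTER=10.0.0.0/255.0.0.0,192.168.1.0/255.255.255.0
PARTICIPATE_IN_LOAD_BALANCING=3
"""

# (minimum, maximum) per parameter, copied from Table 2; None = no documented maximum.
RANGES = {
    "compression_level": (0, 9),
    "correlation_limit": (100, None),
    "correlation_timeout": (1, 600),
    "cpu_load_limit": (1, 100),
    "load_balancer_port": (1024, 65535),
    "upload_port": (1024, 65535),
    "force_log_limited": (0, 2),
    "participate_in_load_balancing": (0, 3),
    "use_tls": (0, 1),
    "sspi_name_limit": (500, 20000),
    "sspi_name_ttl": (5, 300),
}

def load_tap_section(ini_text):
    """Return the [TAP] keys as a dict; configparser lowercases key names."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    return dict(cp["TAP"])

def audit(tap):
    """List findings: values outside their documented range, plus cleartext transport."""
    findings = []
    for key, (lo, hi) in RANGES.items():
        if key in tap:
            val = int(tap[key])
            if val < lo or (hi is not None and val > hi):
                findings.append(f"{key.upper()}={val} outside documented range {lo}-{hi or 'unbounded'}")
    # USE_TLS defaults to 0, which sends S-TAP to collector traffic unencrypted.
    if tap.get("use_tls", "0") == "0":
        findings.append("USE_TLS=0: agent-to-collector traffic is not encrypted")
    return findings

def response_ignored(client_ip, db_ignore_response, db_type, response_filter):
    """True if a response of db_type to client_ip would be dropped by the S-TAP."""
    types = [t.strip().upper() for t in db_ignore_response.split(",")]
    if "ALL" not in types and db_type.upper() not in types:
        return False
    if response_filter.strip().upper() == "NULL":   # NULL: no filtering of responses
        return False
    # Entries are IP/MASK; 0.0.0.0/0.0.0.0 matches every address.
    nets = [ipaddress.IPv4Network(e.strip(), strict=False) for e in response_filter.split(",")]
    return any(ipaddress.IPv4Address(client_ip) in n for n in nets)
```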