Protocol 7 General parameters
These parameters define basic properties of the S-TAP® running on a Windows server and the server on which it is installed, and do not fall into any of the other categories.
GUI | guard_tap.ini | Description |
---|---|---|
| | STAP_CLIENT_BUILD | Read only. The build version of the installed S-TAP. |
Version | PROTOCOL_VERSION | Read only. The version of the Guardium® system. |

GUI | GIM | guard_tap.ini | Default value | Description |
---|---|---|---|---|
| | | ADD_TO_VERTIFICATION_SCHEDULE | | |
All can control | WINSTAP_ALL_CAN_CONTROL | ALL_CAN_CONTROL | 0 | Defines which Guardium systems control this S-TAP. Valid values: |
| | WINSTAP_BUFFER_FILE_MAX_SIZE | BUFFER_FILE_MAX_SIZE | 250 | Advanced. The maximum size, in MB, that the Memory commit expands to. Maximum value is 1000. |
| | | BUFFER_FILE_MEM_FOOTPRINT | 8 | 12.0 Deprecated in 12.1. Advanced. The maximum fraction of the total memory that is allocated for the dynamic buffer increase. The default value of 8 translates to 1/8 of the total memory. The minimum parameter value is 2, meaning that you cannot allocate more than 1/2 of the total memory. |
| | WINSTAP_BUFFER_MMAP_FILE_SIZE | BUFFER_MMAP_FILE | 0 | |
| | WINSTAP_BUFFER_FILE_SIZE | BUFFER_FILE_SIZE | 50 | Advanced. The initial size of the buffer. The range is 5 - 1000 in MB. |
Compres. level | WINSTAP_COMPRESSION_LEVEL | COMPRESSION_LEVEL | 0 | Compression level. Valid values: |
| | WINSTAP_CMD_LINE | | | In rare cases, the S-TAP named pipes driver can interact with other third-party software in ways that slow the server down. To turn off the named pipes driver, set the -nmp parameter to off. The named pipes driver is removed at the next system reboot. Notes: For more information about using the WINSTAP_CMD_LINE parameter with GIM, see GIM user interfaces. |
| | WINSTAP_CORRELATION_LIMIT | CORRELATION_LIMIT | 200 | Limits the amount of traffic buffered by each session. Once the limit is reached, S-TAP stops waiting for the correlation key as if a correlation timeout occurred, and all buffered traffic is released to the appliance. Minimum value=100; no maximum value |
| | WINSTAP_CORRELATION_TIMEOUT | CORRELATION_TIMEOUT | 120 | The number of seconds the WFP and NMP sniffers wait for correlation to occur before they give up and resume the flow of traffic to the appliance. Maximum value: 600. Minimum value: 1. |
| | WINSTAP_CPU_LOAD_LIMIT | CPU_LOAD_LIMIT | 100 | The CPU load threshold (as a percentage) for S-TAP. Valid values 1 - 100. |
| | WINSTAP_CPU_INTERVALS_ALLOWED | CPU_INTERVALS_ALLOWED | 30 | The number of intervals (in minutes) that the CPU can be greater than the threshold before an action is triggered. Valid values 1 - 360. |
| | WINSTAP_DB_IGNORE_RESPONSE | DB_IGNORE_RESPONSE | | Ignore response at inspection level. Use this function to ignore all database responses at the S-TAP level, without sending anything to the Guardium system. In environments where only client transactions are of interest, this function saves bandwidth and processing time for the S-TAP and the Guardium system. It also gives a simpler configuration for ignoring unwanted responses from the database, without loading the network. Database types can be listed as comma separated, or ALL can be specified to ignore responses from all types of databases, for example, DB_IGNORE_RESPONSE=ALL or DB_IGNORE_RESPONSE=MSSQL,DB2. Supported DB types: ALL, MSSQL_NP, MSSQL, MYSQL, TRD, PGRS, MSSYB, ORACLE, DB2, DB2_EXIT, INFORMIX, KERBEROS, FTP, CIFS. |
| | WINSTAP_DB_IGNORE_RESPONSE_BYPASS_BYTES | DB_IGNORE_RESPONSE_BYPASS_BYTES | 65535 | Ignore DB responses after specified number of bytes. |
| | WINSTAP_DB_IGNORE_RESPONSE_FILTER | DB_IGNORE_RESPONSE_FILTER | 0.0.0.0/0.0.0.0 | Comma separated list of IP/MASKs to be response-ignored. Any DB responses of the type specified by DB_IGNORE_RESPONSE to the specified IP/MASKs are ignored. Valid values: |
| | WINSTAP_DB_IGNORE_RESPONSE_LOCAL | DB_IGNORE_RESPONSE_LOCAL | 1 | Filtering of local db responses. Valid values: Note: TCP traffic is not considered Local traffic for the db_ignore_response_local parameter. |
| | WINSTAP_DB_IGNORE_RESPONSE_RESETS_PER_REQUEST | DB_IGNORE_RESPONSE_RESETS_PER_REQUEST | 1 | The DB_IGNORE_RESPONSE_BYPASS_BYTES is reset on each request's response. Valid values: |
| | WINSTAP_DB2_EXIT_DRIVER_INSTALLED | DB2_EXIT_DRIVER_INSTALLED | | Enable Db2 Exit library integration. Valid values: |
| | WINSTAP_DB2_PROTOCOLS | DB2_PROTOCOLS | LOCAL,PIPES,SSL | Specifies the protocols that Db2 exit monitors. |
| | WINSTAP_DB2_SSL_DRIVER_INSTALLED | DB2_SSL_DRIVER_INSTALLED | 0 | Specifies whether the DB2 SSL engine is installed. Valid values: |
| | WINSTAP_DB2_TAP_INSTALLED | DB2_TAP_INSTALLED | 0 | Set to 1 for sniffing Db2 shared memory traffic. Starts the Db2 TAP Service when set to 1. Note: For a fresh S-TAP installation on a server where a Db2 database is installed, the DB2_TAP_INSTALLED parameter is automatically enabled if DB2_EXIT_DRIVER_INSTALLED and DB2_SSL_DRIVER_INSTALLED are disabled. |
| | | DISABLE_SHARED_MEMORY_IF_TURNED_ON | 0 | |
| | WINSTAP_DOMAIN_CONTROLLER | DOMAIN_CONTROLLER | Null | The name of the specific controller from which to read the SID/usernames map. |
| | WINSTAP_DYNAMIC_BUFFER_INCREASE | DYNAMIC_BUFFER_INCREASE | 0 | Advanced. Enables the dynamic buffer feature: when the buffer gets to 75% full in the current S-TAP session, the buffer size increases incrementally by 50 MB. The feature is controlled by buffer_file_size and buffer_file_max_size. Valid values: |
| | WSTAP_FAM_PROTECT_PRIVILEGED | FAM_PROTECT_PRIVILEGED | 0 | Valid values: |
| | | FILE_SNIFFER_FREQUENCY | 45 | Frequency, in seconds, of: |
| | WINSTAP_FIREWALL_VERDICT_DELAY | FIREWALL_VERDICT_DELAY | 5 | The number of milliseconds delay before applying verdicts from the collector. Smaller values decrease end-user latency but increase CPU usage. Larger values decrease overall system CPU usage but increase end-user latency. Minimum value: 0. Maximum value: 30. |
| | WINSTAP_FORCE_LOG_LIMITED | FORCE_LOG_LIMITED | 0 | Forces restricted logging on the collector. Use this parameter to evaluate the number of records affected by an SQL command, while masking the actual query. This parameter can be set only by user root on the DB server. Valid values: |
| | WINSTAP_GLOBAL_SESSION_KEY | GLOBAL_SESSION_KEY | 0 | When set to 1, allows the S-TAP to use the extended session key, which provides more unique IDs for each session. Valid values: Setting GLOBAL_SESSION_KEY to 1 reduces the chances that the S-TAP reuses an ID, which in turn helps to ensure that data packets are correlated correctly. Note: Do not change the value of this parameter when restarting the S-TAP. You might lose session information for open sessions. |
| | WINSTAP_GUARDIUM_CA_PATH | GUARDIUM_CA_PATH | NULL | Location of the Certificate Authority certificate. |
| | WINSTAP_GUARDIUM_CRL_PATH | GUARDIUM_CRL_PATH | NULL | The path to the Certificate Revocation list file or directory. |
| | WINSTAP_HANDLE_COUNT_INTERVALS_ALLOWED | HANDLE_COUNT_INTERVALS_ALLOWED | 30 | The number of intervals (in minutes) that the handle count can be greater than the threshold before an action is triggered. Valid values 1 - 360. |
| | WINSTAP_HANDLE_COUNT_LIMIT | HANDLE_COUNT_LIMIT | 5000 | The handle count threshold for S-TAP before an action is triggered. Valid values 300 - 10,000. |
| | | HIGH_RESOLUTION_TIMER | 0 | Valid values: |
| | | INFORMIX_LOG_SIZE | | |
| | | INFX_SSL_DRIVER_INSTALLED | | |
| | WINSTAP_INITIAL_BALANCER_MU_GROUP | INITIAL_BALANCER_MU_GROUP | | The managed unit group name to associate with this S-TAP (by the central manager load balancer) when installing an S-TAP. S-TAP stops sending group information after the first successful request. |
| | WINSTAP_INITIAL_BALANCER_TAP_GROUP | INITIAL_BALANCER_TAP_GROUP | | The S-TAP group name to associate with this S-TAP (by the central manager load balancer) when installing an S-TAP. S-TAP stops sending group information after the first successful request. |
| | | INTERVAL | | |
| | | LDAP_DRIVER_INSTALLED | | |
| | WINSTAP_LOAD_BALANCER_IP | LOAD_BALANCER_IP | Null | IP address or hostname of the load balancer unit. If not defined, S-TAP does not use enterprise load balancing. |
| | WINSTAP_LOAD_BALANCER_NUM_MUS | LOAD_BALANCER_NUM_MUS | 1 | If you specify a LOAD_BALANCER_IP, the number of managed units that enterprise load balancing will assign. If LOAD_BALANCER_IP is null, S-TAP does not use enterprise load balancing and LOAD_BALANCER_NUM_MUS is ignored. |
| | WINSTAP_LOAD_BALANCER_PORT | LOAD_BALANCER_PORT | 8443 | Port of the load balancer unit. Valid values: 1024-65535 |
| | WINSTAP_LOG_NMP_CONNECTIONS | LOG_NMP_CONNECTIONS | 0 | Named Pipe connection information is logged in S-TAP. Valid values: |
| | | LOG_NMP_MUTE | 0 | Mutes the Premonitory logs. Valid values: |
| | | LOG_STP_MUTE | 0 | Mutes the S-TAP logs. Valid values: |
| | WINSTAP_LOG_WFP_CONNECTIONS | LOG_WFP_CONNECTIONS | 0 | TCP information is logged in S-TAP. Valid values: |
| | | LOG_WFP_MUTE | 0 | Mutes the Premonitory logs. Valid values: |
| | | MAXIMUM_PACKET_NUM | 300,000 | Sets the maximum packet ID. When Guardium reaches the maximum number (300,000), the packet ID is reset and the IDs are incremented from 0. |
| | WINSTAP_MEM_USAGE_INTERVALS_ALLOWED | MEM_USAGE_INTERVALS_ALLOWED | 30 | The number of intervals (in minutes) that memory usage can be greater than the threshold before an action is triggered. Valid values 1 - 360. |
| | WINSTAP_MEM_USAGE_LIMIT | MEM_USAGE_COUNT_LIMIT | 10240 | The memory usage threshold for S-TAP before an action is triggered. Valid values 50-20480. |
| | | MEM_USAGE_LIMIT | | |
| | WINSTAP_MIN_BYTES_TO_COMPRESS | MIN_BYTES_TO_COMPRESS | 500 | Advanced. Minimum size of message to compress. |
| | WINSTAP_NAMED_PIPES_DRIVER_INSTALLED | NAMED_PIPES_DRIVER_INSTALLED | 0 | Set to 1 for local named pipes sniffing. Valid values: |
| | WINSTAP_NMP_SNIFFER_PAUSE | NMP_SNIFFER_PAUSE | 0 | The length of the pause, in milliseconds, after every packet on the Named Pipes thread (to reduce CPU consumption). |
| | | NOT_SEND_TO_SQLGUARD | 0 | Advanced. Send nothing to the Guardium system. |
| | | NPTRC_LOG_SIZE | | |
| | | NUMBER_OF_PROCESSORS | 4 | Read only. Number of processors on the machine. |
| | | ORA_DRIVER_INSTALLED | | |
| | | ORACLE_LOG_SIZE | | |
| | | OS_TYPE | | |
Load balancing | WINSTAP_PARTICIPATE_IN_LOAD_BALANCING | PARTICIPATE_IN_LOAD_BALANCING | 0 | Controls S-TAP load balancing (not enterprise load balancing) to Guardium systems. Valid values: |
| | WINSTAP_PRIORITY_QUEUE_ENABLED | PRIORITY_QUEUE_ENABLED | 1 | Valid values: |
| | WINSTAP_QUERY_REWRITE_VERDICT_DELAY | QUERY_REWRITE_VERDICT_DELAY | 5 | The number of milliseconds to delay before applying verdicts from the collector. Smaller values decrease end-user latency at the expense of increased CPU usage. Larger values decrease overall system CPU usage at the expense of increased end-user latency. Minimum value: 0. Maximum value: 30. |
Messages: remote | | REMOTE_MESSAGES | 1 | |
| | | SEND_LEVEL | 0 | Advanced. Used for thread prioritization. |
| | | SOFTWARE_TAP_HOST | | The database server host on which S-TAP is installed. It can be an IP address or a name that is recognized by the DNS server. There is no default. If the SOFTWARE_TAP_HOST configuration is invalid, the value is automatically replaced with a valid local IP address. SQLGUARD_IP and SOFTWARE_TAP_HOST must be both either IPv4 or IPv6. Do not mix IP modes for these addresses. |
| | WINSTAP_SQLGUARD_CERT_CN | SQLGUARD_CERT_CN | NULL | The common name to expect from the Sqlguard certificate. |
| | 12.1 and later WINSTAP_SSPI_NAME_LIMIT | SSPI_NAME_LIMIT | 10000 | The maximum number of SSPI names that the correlators can store in the STAP at a time. Any names over this limit are dropped and result in a missing DB_USER. Maximum value: 20000. Minimum value: 500. |
| | 12.1 and later WINSTAP_SSPI_NAME_TTL | SSPI_NAME_TTL | 120 | The number of seconds that an SSPI name remains in the STAP. The names that remain beyond the time interval are dropped and result in a missing DB_USER. Minimum value: 5. Maximum value: 300. |
| | 12.1 and later WINSTAP_SSPI_SESSION_MEMORY | SSPI_SESSION_MEMORY | 40 | The amount of memory, in MB, that can be used to buffer traffic while waiting for the delivery of Kerberos names for sessions that are currently active. Traffic is released when this limit is reached, which results in missing DB_USERs. Minimum value: 1. Maximum value: 1024. |
| | 12.1 and later WINSTAP_SSPI_SESSION_TTL | SSPI_SESSION_TTL | 60 | The duration for which the login packets must wait for a Kerberos name to be sent to them. If a login packet remains beyond the designated time duration, it is released to the collector, which results in a missing DB_USER. Minimum value: 1. Maximum value: 300. |
| | | SSL_BANNED_PROTOCOLS | | |
| | WINSTAP_STAP_STATISTIC | STAP_STATISTIC | -5 | The interval at which the S-TAP sends its statistics information to the collector. |
| | | SYBASE_DRIVER_INSTALLED | | |
| | | SYNCH_FLAG | 1 | Read only. Indicates whether parameters are synchronized with the UI. |
| | | TAP_DBSERVER_NAMES | | |
| | WINSTAP_TAP_FAILOVER_SESSION_QUIESCE | TAP_FAILOVER_SESSION_QUIESCE | 60 | The number of minutes after failover, when unused sessions in the failover list from the previous active servers can be removed from the current active server. Valid values: 20-300. |
| | WINSTAP_TAP_FAILOVER_SESSION_SIZE | TAP_FAILOVER_SESSION_SIZE | 8192 | Size, in MB, of the failover session list. Valid values: |
| | | TAP_GUARD_TCP_PORT | 9500 | Read only. Port used for S-TAP to connect to Guardium system. |
| | | TAP_MIN_HEARTBEAT_ALL_CAN_CONTROL | | |
| | WINSTAP_TAP_MIN_HEARTBEAT_INTERVAL | TAP_MIN_HEARTBEAT_INTERVAL | 30 | Maximum time the S-TAP attempts to write to the primary Guardium system buffer before it attempts to write to the secondary Guardium buffer. Default is 30 sec, meaning it tries to write at least 5*60/30 times before failover, by default (along with TAP_MIN_TIME_BEFOREFAILOVER). |
| | WINSTAP_TAP_MIN_TIME_BEFOREFAILOVER | TAP_MIN_TIME_BEFOREFAILOVER | 5 | The time interval, in minutes, after which the S-TAP switches to secondary Guardium system if: |
| | | TAP_TYPE | wstap | Read only. The type of installed S-TAP agent. Values: wtap=WINDOWS |
| | WINSTAP_TCP_BUFFER_SIZE | TCP_BUFFER_SIZE | 60000 | Advanced. Minimum number of bytes to collect before sending a message to the Guardium system. |
| | | TCP_LOG_SIZE | | |
| | | TENANT_ID | | To use an S-TAP with Guardium Insights, the Guardium Insights tenant ID is required, including the TNT_ prefix. For example: |
| | | TIME_NETWORK | 0 | Advanced. Used for debug only. |
S-TAP Host | WINSTAP_TAP_IP | TAP_IP | | Read only. Used by the file system monitoring service, instead of the SOFTWARE_TAP_HOST parameter. Both parameters should have the same value. |
Version | | TAP_VERSION | | Read only. The version of S-TAP installed on the server. |
| | WINSTAP_UPLOAD_FEATURE | UPLOAD_FEATURE | 1 | Controls uploading of all log files from Program Files\IBM\Windows S-TAP\Logs on to the collector and/or central manager. Valid values: |
| | WINSTAP_UPLOAD_PORT | UPLOAD_PORT | 8444 | Valid values: 1024-65535 |
TLS Use | WINSTAP_USE_TLS | USE_TLS | 0 | Controls encryption. Valid values: Guardium recommends encrypting network traffic between the S-TAP and the collector whenever possible. Only disable network encryption when performance is a higher priority than security. |
| | WINSTAP_V8_PROTOCOL | V8_PROTOCOL | 1 | Enable Protocol 8 on the S-TAP. Both S-TAPs reside in the same image. One is dormant while the other is active. Valid values: |
| | | WEB_SERVER_PORT | 9000 | Port for web-server |
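
The following checker is an added example, not IBM code: it reads guard_tap.ini text, flags values outside the ranges stated in the table above, and flags settings that leave collector traffic unencrypted, drop database responses, or mix IPv4 and IPv6 between SQLGUARD_IP and SOFTWARE_TAP_HOST. It assumes plain KEY=VALUE lines under section headers and that USE_TLS=0 means unencrypted; the function names and the sample input are constructed for illustration.

```python
import ipaddress

# (min, max) as stated in the parameter table; None means no limit is stated there.
RANGES = {
    "BUFFER_FILE_SIZE": (5, 1000), "BUFFER_FILE_MAX_SIZE": (None, 1000),
    "CORRELATION_LIMIT": (100, None), "CORRELATION_TIMEOUT": (1, 600),
    "CPU_LOAD_LIMIT": (1, 100), "FIREWALL_VERDICT_DELAY": (0, 30),
    "HANDLE_COUNT_LIMIT": (300, 10000), "LOAD_BALANCER_PORT": (1024, 65535),
    "UPLOAD_PORT": (1024, 65535), "SSPI_NAME_LIMIT": (500, 20000),
}

def parse_ini(text):
    """Collect KEY=VALUE lines; section headers and comments are skipped (assumed layout)."""
    params = {}
    for line in map(str.strip, text.splitlines()):
        if line and line[0] not in "[;#" and "=" in line:
            key, value = line.split("=", 1)
            params[key.strip().upper()] = value.strip()
    return params

def ip_version(value):
    """Return 4 or 6 for an IP literal, None for a hostname or an empty value."""
    try:
        return ipaddress.ip_address(value).version
    except ValueError:
        return None

def audit(text):
    """Return (parameter, finding) pairs for out-of-range or visibility-reducing settings."""
    p, findings = parse_ini(text), []
    for name, (lo, hi) in RANGES.items():
        raw = p.get(name)
        if raw is None:
            continue
        if not raw.isdigit():
            findings.append((name, f"{raw!r} is not a non-negative integer"))
        elif (lo is not None and int(raw) < lo) or (hi is not None and int(raw) > hi):
            findings.append((name, f"{raw} is outside the documented range"))
    if p.get("USE_TLS", "0") == "0":  # assumption: 0 (the default) means unencrypted
        findings.append(("USE_TLS", "S-TAP to collector traffic is not encrypted"))
    if p.get("DB_IGNORE_RESPONSE"):
        findings.append(("DB_IGNORE_RESPONSE", "responses ignored for " + p["DB_IGNORE_RESPONSE"]))
    if {ip_version(p.get(k, "")) for k in ("SQLGUARD_IP", "SOFTWARE_TAP_HOST")} == {4, 6}:
        findings.append(("SOFTWARE_TAP_HOST", "IPv4/IPv6 mix with SQLGUARD_IP"))
    return findings

# Constructed sample; section names and addresses are placeholders, not from a real host.
SAMPLE = ("[TAP]\nSOFTWARE_TAP_HOST=10.0.0.5\nUSE_TLS=0\nCORRELATION_TIMEOUT=900\n"
          "UPLOAD_PORT=8444\nDB_IGNORE_RESPONSE=ALL\n[SQLGUARD_0]\nSQLGUARD_IP=fd00::10\n")
```

Calling `audit(SAMPLE)` reports the out-of-range CORRELATION_TIMEOUT, the unencrypted link, the ignored responses and the address-family mismatch; a hostname in SOFTWARE_TAP_HOST is not compared against SQLGUARD_IP.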