Windows: Debug parameters

These parameters affect the behavior of S-TAP debugging.

Attention: These are advanced parameters; change them only when directed by IBM Technical Support.
Attention: If a parameter is available through both GIM and the command line interface (CLI), the GIM parameter, including its default, always overrides any value supplied through WINSTAP_CMD_LINE.
Note: Debug logs and crash dumps can contain the database traffic that S-TAP was inspecting (for example, when packet contents are logged or a full process dump is written). Restrict access to the log and dump folders, return DEBUGLEVEL to 0 when the investigation is finished, and delete the files once IBM Technical Support no longer needs them.
These parameters are stored in the [DEBUG_OPTIONS] section of the S-TAP properties file.
Each entry gives the GIM parameter name, the guard_tap.ini name in parentheses, the default value, a description, and the S-TAP protocol version to which the parameter applies.

WINSTAP_DEBUG_BUFFER (guard_tap.ini: DEBUG_BUFFER)
  Default value: 1
  Description: 1 (on) = Log the contents of local packets.
  Protocol version: 7

WINSTAP_DEBUG_FIREWALL (guard_tap.ini: DEBUG_FIREWALL)
  Default value: 1
  Description: 1 (on) = Log firewall events.
  Protocol version: 7

WINSTAP_DEBUG_FORMAT (guard_tap.ini: DEBUG_FORMAT)
  Default value: 1
  Description: 1 (on) = Print packet contents in column mode so that they are easier to read.
  Protocol version: 7
These parameters are stored in the [TAP] section of the S-TAP properties file:
Table 1. More S-TAP configuration parameters for debugging
Each entry gives the GIM parameter name, the guard_tap.ini name in parentheses, the default value, a description, and the S-TAP protocol version(s) to which the parameter applies.

WINSTAP_DEBUG_MAX_FILE_SIZE (guard_tap.ini: DEBUG_MAX_FILE_SIZE)
  Default value: 200 (MB)
  Description: Maximum size of the debug log, in MB.
  Debugging starts when you turn on DEBUGLEVEL (that is, set DEBUGLEVEL to a value between 1 and 7). S-TAP holds the debug data in memory while debugging runs and writes it to the debug log file only when debugging completes or the data exceeds the specified size. As a result, the debug log file shows a size of zero while debugging is in progress.
  Note:
    • The actual size of the log file can exceed DEBUG_MAX_FILE_SIZE because extra characters, such as spaces and carriage returns for new lines, are added when the data is written to disk.
    • You do not need to restart the S-TAP after you modify the value of DEBUG_MAX_FILE_SIZE in guard_tap.ini.
  Valid values: 1 or higher.
  Protocol version: 7 and 8
WINSTAP_DEBUGLEVEL (guard_tap.ini: DEBUGLEVEL)
  Default value: 0
  Description: Level of debug messages to store. Leave at 0 unless directed by IBM® Technical Support.
    • 0: Only critical error information. Two start-up debug logs, containing only messages related to S-TAP® startup, are always generated and saved in bin\..\logs. Filename syntax: startup_hostname_timestamp.new and startup_hostname_timestamp.old. Files in bin\..\logs are uploaded automatically if upload_feature is on.
    • 1: All previous messages plus repeatable critical error information. Two "normal" debug logs are saved in bin\StapBuffer. Filename syntax: stap_hostname_timestamp.new and stap_hostname_timestamp.old (from the previous S-TAP session, if one exists). Files in bin\StapBuffer are not uploaded.
    • 2: Not used.
    • 3: All messages from level 1, plus brief information about packets sent to the Guardium® system.
    • 4: All messages from level 3, plus the local sniffing log.
    • 5: All messages from level 4, plus the network sniffing log.
    • 6: All messages from level 5, plus the heartbeat receiving log.
    • 7: All messages from level 6, plus miscellaneous debugging information.
  Protocol version: 7 and 8
WINSTAP_DUMP_FILE_MODE (guard_tap.ini: DUMP_FILE_MODE)
  Default value: 0
  Description: Enables capture of dump files if S-TAP crashes. When the parameter is not zero, a new dump file is opened every time the S-TAP starts; it stays empty if there is no crash.
    • 0: No crash dumps are generated.
    • 1: Crash dumps are written to the file stap.diag in the S-TAP working directory. S-TAP copies any existing stap.diag file to a backup file before overwriting it.
    • 2: Time-stamped crash dumps are written to stap-TIMESTAMP.diag in the S-TAP working directory, where TIMESTAMP identifies when the dump was generated. If you have recurring crashes, use this option to capture every dump rather than only the most recent one; the timestamp also helps correlate a dump with other logs. This option uses more disk space.
  Protocol version: 7 and 8
WINSTAP_DEBUG_FILE_NAME (guard_tap.ini: DEBUG_FILE_NAME), protocol 7
  Default value:
    • DB server: %WINSTAP%\Bin\StapBuffer\stap_myhost.timestamp.new
    • UI: %WINSTAP%\Logs\snap.wstap.myhost.timestamp.log
  Description: Location of the S-TAP debug file.
    • Example for the database server default: %WINSTAP%\Bin\StapBuffer\stap_myhost.timestamp.new
      When you run debug on the database server, the previous debug log is saved as xxx.old. It is deleted the next time the debug log runs.
    • Example for the GUI default: %WINSTAP%\Logs\stap_myhost.timestamp.log.new
  Note: After the debug log runs from the GUI, if UPLOAD_FEATURE=1, all of the files under %WINSTAP%\Logs are zipped and uploaded to the collector, and the .txt files are removed from %WINSTAP%\Logs.
  Protocol version: 7
WINSTAP_DEBUG_FILE_NAME (guard_tap.ini: DEBUG_FILE_NAME), protocol 8
  Default value: %WINSTAP%\Logs\snap.wstap.traffic.myhost.timestamp.txt
  Description: Location of the S-TAP debug file.
    • When you run debug from the GUI, the debug log is generated under %WINSTAP%\Logs by default, for example %WINSTAP%\Logs\snap.wstap.traffic.myhost.timestamp.txt.
  Note: After the debug log runs from the GUI, if UPLOAD_FEATURE=1, all of the files under %WINSTAP%\Logs are zipped and uploaded to the collector, and the .txt files are removed from %WINSTAP%\Logs.
  Protocol version: 8
WINSTAP_KERNEL_DEBUG_LEVEL (guard_tap.ini: KERNEL_DEBUG_LEVEL)
  Default value: 3
  Description: The verbosity of the overall logging for the driver-based .CTL files. Valid values: 0-5.
  Remember: For protocol 8 only, this is a dynamic parameter: when you modify the value in guard_tap.ini, the S-TAP does not need to be restarted for the updated value to take effect.
  Protocol version: 7 and 8
WINSTAP_LOG_NMP_MUTE (guard_tap.ini: LOG_NMP_MUTE)
  Default value: 0 (OFF)
  Description: Mutes the NmpMonitor logs.
  Valid values:
    • 0 (off, default)
    • 1 (on)
  Protocol version: 7 and 8

WINSTAP_LOG_STAP_MUTE (guard_tap.ini: LOG_STAP_MUTE)
  Default value: 0 (OFF)
  Description: Mutes the S-TAP logs.
  Valid values:
    • 0 (off, default)
    • 1 (on)
  Protocol version: 7 and 8

WINSTAP_LOG_WFP_MUTE (guard_tap.ini: LOG_WFP_MUTE)
  Default value: 0 (OFF)
  Description: Mutes the WfpMonitor logs.
  Valid values:
    • 0 (off, default)
    • 1 (on)
  Protocol version: 7 and 8
WINSTAP_SYSLOG_MESSAGES (guard_tap.ini: SYSLOG_MESSAGES)
  Default value: 1
  Description: 1 = send messages to the Windows Event Log (visible in Event Viewer). 0 = do not send messages.
  Protocol version: 7
WINSTAP_WER_DUMP (guard_tap.ini: WER_DUMP)
  Default value: 1
  Description: Enables the Windows Error Reporting (WER) facility for S-TAP crash dumps. Valid values:
    • 0: disabled
    • 1: enabled
  If WER_DUMP is set to 0 (disabled), Guardium removes the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\guardium_stapr.exe and does not create a crash dump if the S-TAP crashes.
  If WER_DUMP is set to 1 (enabled), Guardium creates that registry key and S-TAP generates a crash dump when it crashes. The location of the dump file depends on the value of the WER_DUMP_FOLDER parameter.
  Protocol version: 7 and 8
WINSTAP_WER_DUMP_FOLDER (guard_tap.ini: WER_DUMP_FOLDER)
  Default value: None (empty)
  Description: Sets the WER dump folder. You can either:
    • Specify the full path of the WER dump folder. For example:
      WER_DUMP_FOLDER=F:\Guardium\MyDumpFiles
    • Leave this parameter empty ("") to use the default location.
      If WER_DUMP_FOLDER is left blank (""), the S-TAP creates the dump in the S-TAP logs folder. However, if the S-TAP logs folder path contains the phrase (X86), Guardium sets WER_DUMP_FOLDER to C:\Guardium\Dumps and creates any crash dump files there.
  For example, if the S-TAP is installed to C:\PROGRAM FILES\IBM\WINDOWS S-TAP and uses the default values for WER_DUMP_FOLDER and WER_DUMP_COUNT, the S-TAP writes the following registry settings, and a crash dump is generated through Windows Error Reporting (WER) if it crashes:
    • Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\guardium_stapr.exe
    • DumpCount REG_DWORD 0x1
    • DumpFolder REG_EXPAND_SZ C:\PROGRAM FILES\IBM\WINDOWS S-TAP\Bin\..\LOGS\
    • DumpType REG_DWORD 0x2
  Note: DumpType 0x2 requests a full user-mode dump, which contains the process's memory at the time of the crash, including any traffic S-TAP was inspecting. Restrict read access to the dump folder and delete dumps once IBM Technical Support has finished with them.
  Protocol version: 7 and 8
WINSTAP_WER_DUMP_COUNT (guard_tap.ini: WER_DUMP_COUNT)
  Default value: 1
  Description: Maximum number of dump files that WER keeps in the dump folder (written to the DumpCount registry value). Maximum value is 5. Dynamic parameter: when you modify the value in guard_tap.ini, the S-TAP does not need to be restarted for the updated value to take effect.
  Protocol version: 7 and 8
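The following PowerShell script is an added example, not IBM's code and not part of the S-TAP product. It reads guard_tap.ini, applies the documented ranges for DEBUGLEVEL, DEBUG_MAX_FILE_SIZE, KERNEL_DEBUG_LEVEL and WER_DUMP_COUNT, and compares WER_DUMP, WER_DUMP_FOLDER and WER_DUMP_COUNT with the LocalDumps registry key for guardium_stapr.exe described above. The ini path, the assumption that the S-TAP logs folder is Bin\..\LOGS, the constructed sample ini, and the ACL heuristic for the dump folder are assumptions of the example, not statements from this page.

```powershell
# Added example (not IBM's code): audit the debug parameters in guard_tap.ini and compare the
# WER crash-dump settings with the LocalDumps registry key described on this page. Assumptions
# (not from the page): the ini path below, Bin\..\LOGS as the S-TAP logs folder, and an account
# that can read HKLM and the dump folder's ACL.
param(
    [string]$IniPath = "$env:WINSTAP\Bin\guard_tap.ini"   # assumed install layout; adjust to yours
)
# Minimal INI parser: section name -> (key -> value). Keys before any [section] land in ''.
function Read-IniFile {
    param([string[]]$Lines)
    $ini = @{ '' = @{} }
    $section = ''
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';') -or $line.StartsWith('#')) { continue }
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; $ini[$section] = @{}; continue }
        if ($line -match '^([^=]+)=(.*)$') { $ini[$section][$Matches[1].Trim()] = $Matches[2].Trim() }
    }
    return $ini
}
# Value from a section, or the documented default when the section or key is absent or empty.
function Get-IniValue {
    param($Section, [string]$Key, $Default)
    if ($Section -and $Section.ContainsKey($Key) -and $Section[$Key] -ne '') { return $Section[$Key] }
    return $Default
}
# Range checks taken from the parameter descriptions on this page.
function Get-DebugSettingReport {
    param([hashtable]$Ini)
    $tap = $Ini['TAP']; $dbg = $Ini['DEBUG_OPTIONS']
    $r = [ordered]@{
        DEBUGLEVEL          = [int](Get-IniValue $tap 'DEBUGLEVEL' 0)
        DEBUG_MAX_FILE_SIZE = [int](Get-IniValue $tap 'DEBUG_MAX_FILE_SIZE' 200)
        KERNEL_DEBUG_LEVEL  = [int](Get-IniValue $tap 'KERNEL_DEBUG_LEVEL' 3)
        DEBUG_BUFFER        = [int](Get-IniValue $dbg 'DEBUG_BUFFER' 1)
        WER_DUMP            = [int](Get-IniValue $tap 'WER_DUMP' 1)
        WER_DUMP_FOLDER     = [string](Get-IniValue $tap 'WER_DUMP_FOLDER' '')
        WER_DUMP_COUNT      = [int](Get-IniValue $tap 'WER_DUMP_COUNT' 1)
        Findings            = @()
    }
    if ($r.DEBUGLEVEL -lt 0 -or $r.DEBUGLEVEL -gt 7 -or $r.DEBUGLEVEL -eq 2) {
        $r.Findings += "DEBUGLEVEL=$($r.DEBUGLEVEL) is not a documented value (0-7, 2 unused)"
    } elseif ($r.DEBUGLEVEL -gt 0) {
        # Packet detail appears from level 3, and DEBUG_BUFFER=1 logs local packet contents.
        $r.Findings += "DEBUGLEVEL=$($r.DEBUGLEVEL), DEBUG_BUFFER=$($r.DEBUG_BUFFER): debug log may hold packet contents; reset DEBUGLEVEL to 0 when done"
    }
    if ($r.DEBUG_MAX_FILE_SIZE -lt 1) { $r.Findings += "DEBUG_MAX_FILE_SIZE=$($r.DEBUG_MAX_FILE_SIZE) is invalid (1 or higher)" }
    if ($r.KERNEL_DEBUG_LEVEL -lt 0 -or $r.KERNEL_DEBUG_LEVEL -gt 5) { $r.Findings += "KERNEL_DEBUG_LEVEL=$($r.KERNEL_DEBUG_LEVEL) is outside 0-5" }
    if ($r.WER_DUMP_COUNT -gt 5) { $r.Findings += "WER_DUMP_COUNT=$($r.WER_DUMP_COUNT) exceeds the maximum of 5" }
    return [pscustomobject]$r
}
# Expected dump folder per WER_DUMP_FOLDER: the value if set, else the S-TAP logs folder,
# or C:\Guardium\Dumps when that path contains "(X86)".
function Get-ExpectedWerDumpFolder {
    param([string]$WerFolder, [string]$StapBinDir)
    if ($WerFolder -ne '') { return $WerFolder }
    $logs = [System.IO.Path]::Combine($StapBinDir, '..\LOGS')
    if ($logs -like '*(X86)*') { return 'C:\Guardium\Dumps' }
    return $logs
}
function Test-WerLocalDumps {
    param([pscustomobject]$Report, [string]$StapBinDir)
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\guardium_stapr.exe'
    $reg = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $findings = @()
    if ($Report.WER_DUMP -eq 0) {
        if ($reg) { $findings += 'WER_DUMP=0 but the LocalDumps key still exists; S-TAP should have removed it' }
        return $findings
    }
    if (-not $reg) { return @('WER_DUMP=1 but the LocalDumps key is missing; no crash dump will be produced') }
    $norm = { param($p) if ($p -eq '') { '' } else { [System.IO.Path]::GetFullPath([Environment]::ExpandEnvironmentVariables($p)).TrimEnd('\') } }
    $expected = & $norm (Get-ExpectedWerDumpFolder $Report.WER_DUMP_FOLDER $StapBinDir)
    $actual   = & $norm ([string]$reg.DumpFolder)
    if ($actual -ne $expected) { $findings += "DumpFolder='$actual' differs from the expected '$expected'" }
    if ([int]$reg.DumpCount -ne $Report.WER_DUMP_COUNT) { $findings += "DumpCount=$($reg.DumpCount) differs from WER_DUMP_COUNT=$($Report.WER_DUMP_COUNT)" }
    if ([int]$reg.DumpType -eq 2 -and $actual -ne '') {
        # DumpType 2 is a full user-mode dump: the whole process image, including inspected traffic.
        $findings += "DumpType=2 (full dump): restrict who can read $actual"
        if (Test-Path -LiteralPath $actual) {
            # Coarse ACL heuristic (an assumption of this example): broad groups holding read rights.
            $broad = (Get-Acl -LiteralPath $actual).Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $_.IdentityReference -match 'Everyone|Authenticated Users|BUILTIN\\Users' -and
                $_.FileSystemRights -match 'Read|Modify|FullControl'
            }
            if ($broad) { $findings += "dump folder is readable by: $(($broad | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique) -join ', ')" }
        }
    }
    return $findings
}
# Constructed sample (not a real S-TAP file) so the script also runs where no S-TAP is installed.
$sampleIni = @('[TAP]', 'DEBUGLEVEL=4', 'DEBUG_MAX_FILE_SIZE=200', 'WER_DUMP=1', 'WER_DUMP_FOLDER=',
               'WER_DUMP_COUNT=6', '[DEBUG_OPTIONS]', 'DEBUG_BUFFER=1')
if (Test-Path -LiteralPath $IniPath) { $lines = Get-Content -LiteralPath $IniPath } else {
    Write-Warning "$IniPath not found; auditing the constructed sample instead"; $lines = $sampleIni }
$report = Get-DebugSettingReport -Ini (Read-IniFile -Lines $lines)
$report | Select-Object -Property * -ExcludeProperty Findings | Format-List | Out-String
$report.Findings | ForEach-Object { "[ini] $_" }
Test-WerLocalDumps -Report $report -StapBinDir (Split-Path -Parent $IniPath) | ForEach-Object { "[wer] $_" }
```

Run it in an elevated PowerShell session on the database server; it only reads guard_tap.ini, the registry and the dump folder's ACL and changes nothing. Against the constructed sample it reports the out-of-range WER_DUMP_COUNT and the sensitive-log warning for DEBUGLEVEL=4; on a real host it additionally reports any mismatch between the ini values and the LocalDumps key, which is the quickest way to confirm that an S-TAP restart actually applied a WER_DUMP or WER_DUMP_FOLDER change.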