Configuring inspection engines
An inspection engine extracts SQL from network packets; compiles parse trees that identify sentences, requests, commands, objects, and fields; and logs detailed information about that traffic to an internal database.
About this task
You can configure, start, and stop multiple inspection engines on the Guardium® Data Protection appliance but you cannot create or run them on a central manager unit. However, it is possible to start and stop inspection engines on managed units from the central manager control panel. After the inspection engine is configured, you can use the update_engine_config API to change the parameters.
You can define up to 50 inspection engines per Guardium appliance.
Procedure
- Click Manage > Activity Monitoring > Inspection Engines to open the Inspection Engine Configuration page.
- Click Add Inspection Engine to expand the panel.
- In the Name field, type a name for the inspection engine. It must be unique on the appliance. Tip: Make sure that the name contains only letters and numbers. Special characters are not supported.
- From the Protocol list, select the protocol that you want to monitor.
- In the DB Client IP/Mask field, enter a list of clients (a client host from which the database connection was initiated) to be monitored. The clients are identified by IP addresses and subnet masks. For information about using these fields, see How IP addresses work.
- In the DB Server IP/Mask field, enter a list of database servers (where a database sits) to be monitored. The servers are identified by IP addresses and subnet masks. For information about identifying the IP addresses and subnet masks, see How IP addresses work.
- In the Port field, enter a single port or a range of ports over which traffic between the specified clients and database servers is monitored. This is usually a single port. Warning: Do not enter a wide range of ports just to be certain that you included the correct one. The inspection engine might experience performance issues while it attempts to analyze traffic on ports that carry no database traffic, or traffic that is of no interest for your environment.
- If this inspection engine needs to be started automatically on start-up, select the Active on startup checkbox.
- If you want the inspection engine to monitor traffic from all clients except for those clients listed in the DB Client IP/Mask list, select the Exclude DB Client IP checkbox.
- Click Add to save the definition. Tip: Filtering mechanisms that are defined in the inspection engines are executed in the order in which they appear in the list. If necessary, reposition the new inspection engine configuration by using the arrows in the border of the definition.
- Optional: Click Start to start the inspection engine that you configured. After the inspection engine starts, Start changes to Stop.
Configuring inspection engine settings
Define settings such as transaction replay, logging, response time calculation, and returned data inspection to optimize data security and performance.
Procedure
- Click Manage > Activity Monitoring > Inspection Engines.
- Configure the following settings for the inspection engines.
Table 1. Configuring settings for inspection engines (Control: Description)
- Default Capture Value: Used by the Replay function to distinguish between transactions and capture values, meaning that if you have a prepared statement, the assigned values are captured and replayed. If you want to replay your captured prepared statements as prepared statements, this checkbox must be selected for the captured data. Default value = false.
- Default Mark Auto Commit: The default value is true. Because different databases use different auto-commit models, this value is used by the Replay function to explicitly mark up the transactions and automatically commit after each command. Tip: If the checkbox is selected, commits and rollbacks are ignored. Supported databases include Db2®, Informix®, and Oracle.
- Log Sequencing: If selected, a record is made of the immediately previous SQL statement and the current SQL statement, if the previous construct occurred within a short enough time period.
- Log Exception Sql String: If selected, the entire SQL statement is logged when exceptions are logged.
- Log Records Affected: Result set of the number of records that are affected by each execution of SQL statements. The records affected feature is not supported in AWS, Couchbase, Hadoop integration, and Db2 when you use streaming to send the results. If selected, the number of records that are affected is recorded for each SQL statement (when applicable). The default value for Log Records Affected is FALSE (0). For more information, see How the Log Records Affected option works.
- Compute Avg Response Time: When selected, the average response time is computed for each SQL construct that is logged. 12.1 and later: If the response time is longer than about 35 minutes (2 million milliseconds), the response time displays as -1.
- Inspect Returned Data: Select to inspect data that is returned by SQL requests and update the ingress and egress counts. If rules are used in the security policy, this checkbox must be selected.
- Record Empty Sessions: When selected, sessions that contain no SQL statements are logged. When cleared, these sessions are ignored. Note: This configuration works for other protocols, but not for Oracle Unified Auditing (OUA).
- Parse XML: The inspection engine does not normally parse XML traffic. Select this checkbox to parse XML traffic.
- Logging Granularity: The number of minutes (1, 2, 5, 10, 15, 30, or 60) in a logging unit. If requested in a report, Guardium summarizes request data at this granularity. For example, if the logging granularity is 60, a certain request occurred n times in a specific hour. If the checkbox is not selected, exactly when the command occurred within the hour is not recorded. But, if a rule in a policy is triggered by a request, a real-time alert can indicate the exact time. When you define exception rules for a policy, those rules can also apply to the logging unit. For example, you might want to ignore 5 login failures per hour, but send an alert on the sixth login failure.
- Max. Hits per Returned Data: When returned data is being inspected, indicate how many hits (policy rule violations) are to be recorded.
- Ignored Ports List: A list of ports to be ignored. If you know that your database servers process nondatabase protocols, and you do not want Guardium to waste cycles analyzing nondatabase traffic, add values to this list. For example, if you know that the host on which your database resides also runs an HTTP server on port 80, you can add 80 to the ignored ports list so that Guardium does not process these streams. Separate multiple values with commas, and use a hyphen to specify an inclusive range of ports. For example: 101,105,110-223
- Buffer Free: n %: Display only. n is the percentage of free buffer space that is available for the inspection engine process. This value is updated each time that the window is refreshed. A single inspection engine process drives all inspection engines, and this process uses the buffer.
How the Log Records Affected option works
The records affected option is a sniffer operation that requires the sniffer to process additional response packets and postpone logging of the impacted data. This operation increases the buffer size and might have an adverse effect on overall sniffer performance. Large responses have the most significant impact. To avoid performance issues associated with this operation, Guardium uses a set of default thresholds; when a threshold is exceeded, the sniffer skips the processing operation.
Important: Usually, Records Affected is set correctly when the user turns on Log Records Affected by using Inspection Engines > Log Records Affected. However, using a stored procedure in MS-SQL sets Records Affected to -1. For more information, see Configuration and Control CLI Commands, store max_results_set_size, store max_result_set_packet_size, and store max_tds_response_packets, to set levels of granularity.
The following example shows the result values:
- Case 1: the records affected value is a positive number that represents the correct size of the result set.
- Case 2: the records affected value is -2, which means that the number of records exceeded the configurable limit. This limit can be tuned by using the CLI commands.
- Case 3: the records affected value is -1, which indicates a packet configuration that Guardium does not support.
- Case 4: the records affected value is -2 if the result set is sent in streaming mode.
- Case 5: the records affected value is less than -2. This is an intermediate result, reported during the record count to update the user about the current value; the count ends with the positive total number of records.
For example, if the server returns 1000 records in 4 packets (Packet #1: 250, Packet #2: 200, Packet #3: 250, and Packet #4: 200), then records affected is reported as: Packet #1 -250, Packet #2 -500, Packet #3 -750, and Packet #4 1000.
- Click Apply to save the updated system configuration when you are done making changes. Tip: Any global changes that you make (and save by using Apply) do not take effect until you restart the inspection engines. However, individual inspection engine attributes, such as exclude and sequence order, take effect immediately.
- Optional: Add comments to the configuration.
- Click Restart Inspection Engines to stop and restart all inspection engines. The applied changes do not take effect until the inspection engines are restarted. After you apply inspection engine configuration changes, click Restart to stop and restart the system with the new configuration settings.
You can also update the inspection engines by using the update_engine_config API.
Restriction: The following inspection engine settings are not supported for HTTP: Default Capture Value; Default Mark Auto Commit; Log Sequencing; Log Exception Sql String; Log Records Affected; Compute Avg. Response Time; Inspect Returned Data; Record Empty Sessions.
What to do next
If you are no longer using an inspection engine, remove the definition so that it is not accidentally restarted.
- Click Manage > Activity Monitoring > Inspection Engines.
- If the inspection engine you want to remove is still running, click Stop.
- To remove an inspection engine, click Delete.
Where is TAP_IDENTIFIER? Don't see it in the GUI. "If you provide a value for TAP_IDENTIFIER and the value contains spaces, Guardium automatically replaces the spaces with hyphens. For example, the value will become ."