Connecting to Guardium collectors

To stream data to IBM Security Guardium® Insights, you must first connect to your data sources. Learn how to connect to a Guardium central manager to stream data from its collectors.

Before you begin

Ensure that Guardium Insights supports the data source environment that you will connect to.

You might need to adjust your Guardium central manager settings to minimize delays in the data streaming to Guardium Insights. For more information, see Adjusting Guardium central manager and OpenShift Container Platform settings for data mart streaming.

Important: If you want the ability to block database users on Guardium Data Protection from within Guardium Insights: Install the ActivityInsightsPolicy policy on the Guardium central manager and all of its collectors. You must install the policy (it cannot be cloned or installed by template). For more information about installing policies on the Guardium central manager, see https://www.ibm.com/docs/en/guardium/latest?topic=policies-using-policy-installation-tool.

Procedure

  1. To open the settings menu, select Settings (main menu). After opening the settings menu, choose Integrations, and then choose the Guardium card.
  2. If you have existing Guardium integrations, the Guardium central managers page opens. To create a new connection, click Add a new central manager. If you don't have existing integrations, the Connection details pane opens automatically.
  3. Type in the connection details.
    • Name: Enter a unique name for the connection (with a minimum of 4 characters). This name distinguishes this connection from all other Guardium Insights connections.
    • Full hostname: Enter the full hostname of the Guardium central manager.
      Note: IP addresses are not supported for Full hostname.
    • Port: Enter the Guardium central manager port.
  4. Click Connect.
  5. Use the Set start date page to set the start date for data mart extraction from all collectors. You can also set this date after you create the connection, when you enable the connection.
  6. Click Next.
    The Select collectors page opens, listing all of the collectors managed by the central manager that are available for connection.
  7. Select one or more collectors. To choose all of the collectors in the page, select the checkbox next to the Name column header.
    Important: If you want to send vulnerability assessment data to Guardium Insights, ensure that your vulnerability assessment jobs are scheduled to run on at least one of the collectors that you select.
  8. To enable streaming from the collectors, select one or more of the collectors in the Select collectors page and click Enable.
    Important:
    • To enable or disable one collector, use the menu in the row of the collector. If you select one or more collectors, a banner opens where you can enable all of the selected collectors at the same time.
    • If a collector has a warning status, or if its status information indicates that streaming is not supported, the Enable action is not available for the collector.
    • If you want to enable multiple collectors simultaneously, you cannot select collectors that have a warning status, or that do not support streaming.
    • After you click Enable, it might take a few seconds for the status of the collector to change to Enabled.
  9. Click Done to add the connection.
  10. After the connection is added, the Guardium central managers page opens showing all of the configured Guardium central managers.
    Note: A Guardium central manager can manage collectors that are running different versions of Guardium. Guardium Insights supports managed collectors from these data sources. If your central manager includes managed collectors that are not supported by Guardium Insights, they appear in the list of managed collectors in Guardium Insights; however, these managed collectors are not included in analysis.

What to do next

After adding the connection, you can see and work with your data in Guardium Insights reports.

After you add a data source, it is scanned almost immediately. You can use these actions to work with connections:

  • To delete a connection, select its checkbox, and click Remove in the banner that opens. You can select multiple connections and remove them with this button.
  • To edit a connection, select its Connection name link in the table. This opens a panel that allows you to Enable or Disable the connection. In addition, you can see the status of the connection and edit its configurations.
  • To export a CSV list of the connections in the table, click Export CSV. This exports only the connections that are currently in the table; it does not include any that have been filtered out.
  • To refresh the list of connections, click Refresh.

When you enable a connection, you can specify the start date for data mart extraction from all collectors.

When you enable or disable the connection, you are enabling or disabling all of its collectors. If you want to enable or disable individual collectors, click the connection to open it. The system displays a list of the collectors. You can enable and disable them in the same manner as they were enabled and disabled when creating the connection.

After completing the connection, you can set up streaming for aggregators by following these instructions.

Note: Guardium Insights only pulls SQL that has been audited using the Log full details rule action. In order to gain traffic visibility, you should change your policy to include this action (see https://www.ibm.com/docs/en/guardium/latest?topic=actions-log-full-details). This also allows you to import historic data using Full SQL from Guardium Data Protection to Guardium Insights.