Universal Connectors FAQs
Find answers to commonly asked questions about Universal Connectors for IBM Guardium® Insights SaaS.
How many universal connections can be configured at once?
You can configure as many connections as your Red Hat OpenShift cluster resources support.
How many Universal Connectors can be configured on one collector?
Guardium recommends configuring no more than 10 Universal Connectors on a single Guardium collector.
How much time does the connection take to establish?
It may take up to 15 minutes to establish a connection. Wait and refresh the connection status.
What to do if the Universal Connector connection fails?
- Log in to the Red Hat OpenShift cluster by using the command-line interface.
cloudctl login -a <CLUSTER_URL> --skip-ssl-validation -u <USER> -p <PASSWORD> -n staging
- Find the universal connector manager pod and check the pod status. The status must display 1/1 Running, as follows:
oc get pods | grep universal
<pod_name> 1/1 Running 0 2d15h
- Check the UC-manager logs for errors.
oc logs <pod_name>
What to do if the connection is in red or yellow and has an unhealthy connectivity status on the Connections page?
- Log in to the Red Hat OpenShift cluster by using the command-line interface.
cloudctl login -a <cluster_name> --skip-ssl-validation -u admin -p <password> -n staging
- Find the Universal Connector pods and check the pod status. If the status is not Running or not 1/1, then check the uc-manager logs.
To get the pod status, run the following command.
oc get pods | grep universal
To get the logs, run the following command.
oc logs <pod_name>
- Enter the Universal Connector container pod and check the UC logstash_stdout_stderr.log file for errors and exceptions:
oc exec -it stagingksultnyrrzbspmyqfppnd61-universal-connector-0 -- bash
cd /var/log/uc
ls -ltr
cat logstash_stdout_stderr.log
- Enable the Guardium Insights operator, delete the old connection, and create a new connection. To enable the Guardium Insights operator, connect to your cluster by using the command-line interface and run the following command.
oc scale $( oc get deploy -oname | grep guardiuminsights-controller-manager | awk '{print $1}') --replicas=1
Does the Guardium universal connector support MustGather?
Yes, every MustGather option includes logs for the Guardium universal connector.
What to do if data is missing from reports?
- Open the Connections page from the main menu and verify that the connection status is green.
- If the status is red, download the plug-in package from the Available plug-ins and data sources topic and retry.
- Check whether traffic is running on the data source.
- Check whether auditing is set correctly on the data source.
- Check that the auditing logs are created in the expected location on the data source.
- Check that the connection settings are set correctly on the data source side.
- Check the Filebeat log files. Enable the logging section in the filebeat.yml file, restart Filebeat, go to the Filebeat logs at the path that is configured in the filebeat.yml logging section, and check the logs for errors and exceptions.
- Check that communication between the database server and the managed unit is not blocked (Guardium Insights is accessible from the database server).
mongod.conf file. The mongo service is running and the mongo audit log file is created. Then complete the following checks in the filebeat.yml file.
- In the filebeat.inputs section, check the path to the audit logs. It must be the same path as the one configured in the auditing section of the MongoDB configuration file.
- Check that the tags are identical to the ones in the Connection configuration details on the Connections page. To check the data source tag, go to the Connections page, select the connection, click the connection name, and check the data source tag in Universal Connector Configuration.
- Check that the server certificate is downloaded from the connection page and uploaded to the data source. Check that the path to the certificate is set in the filebeat.yml file and is not commented. For example (fragment from filebeat.yml):
ssl.certificate_authorities: ["/etc/pki/client/<machine_name>/GuardiumInsightsCA.pem"]
- Check that the output.logstash section is uncommented and that the output.elasticsearch section is commented.
- In the output.logstash section, check the connection hosts and port. They should be identical to the ones in the connection details on the Connections page. By default, the port number is 443. For example:
hosts: ["usuj7iib4hsg2yutp9i3ca3-universal-connector.perf-ded-wdc06-0a94651246c65639d6ebe7da606c2479-0000.us-east.containers.appdomain.cloud:443"]
- Restart the Filebeat service after editing the filebeat.yml file.
service filebeat restart
- Check the Filebeat status after restart.
service filebeat status
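The filebeat.yml checks in the list above can be run as one static check before Filebeat is restarted. The following script is an added example, not IBM code; the host, tag, audit log path and sample file contents are constructed, and the line-based matching assumes the double-quoted list style shown in the fragments above.

```sh
#!/bin/sh
# Added example (not IBM code): static checks on a filebeat.yml file.
# Prints one line per problem; the return status is the number of problems.

# Print the lines of FILE ($2) that start with KEY ($1) and are not commented out.
active_lines() { grep -E "^[[:space:]]*$1" "$2"; }

check_filebeat_yml() {  # usage: check_filebeat_yml FILE HOST:PORT TAG AUDIT_LOG_PATH
  f=$1; host=$2; tag=$3; audit=$4; problems=0
  problem() { echo "PROBLEM: $1"; problems=$((problems + 1)); }

  active_lines 'output\.logstash:' "$f" >/dev/null ||
    problem "output.logstash is missing or commented"
  if active_lines 'output\.elasticsearch:' "$f" >/dev/null; then
    problem "output.elasticsearch must be commented"
  fi
  active_lines 'ssl\.certificate_authorities:[[:space:]]*\[.+\]' "$f" >/dev/null ||
    problem "ssl.certificate_authorities is missing, empty or commented"
  # hosts and tags must match the values shown on the Connections page.
  active_lines 'hosts:' "$f" | grep -Fq "\"$host\"" ||
    problem "no active hosts entry for $host"
  active_lines 'tags:' "$f" | grep -Fq "\"$tag\"" ||
    problem "no active tags entry for $tag"
  # The input path must be the audit log path set on the data source.
  active_lines '-[[:space:]]' "$f" | grep -Fq -- "$audit" ||
    problem "filebeat.inputs paths do not include $audit"
  return "$problems"
}

# Constructed sample with two common mistakes: the default Elasticsearch
# output is still active and the CA line is still commented.
sample=$(mktemp)
cat > "$sample" <<'EOF'
filebeat.inputs:
- type: log
  paths:
    - /var/log/mongodb/auditLog.json
  tags: ["mongo-tag"]
output.elasticsearch:
  hosts: ["localhost:9200"]
output.logstash:
  hosts: ["uc.example.com:443"]
  #ssl.certificate_authorities: ["/etc/pki/client/dbhost/GuardiumInsightsCA.pem"]
EOF
check_filebeat_yml "$sample" uc.example.com:443 mongo-tag \
  /var/log/mongodb/auditLog.json || true
```

Pass the host, port and tag exactly as they appear in the connection details on the Connections page.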
Why is Guardium not displaying any events?
- Verify that the required policies are installed. To test, start with a log full details rule, and verify no other policy blocks it.
- Follow the steps from the What to do if data is missing from reports FAQ.
- Set the debug level in the uc_logstash log and check Guardium Events in the log.
- If you found events in uc_logstash.log, the problem may be in the mini-snif microservice.
- To set up the universal connector debug log level, connect to your cluster by using the CLI.
- Enter the universal connector pod and run the following command:
{UC_SCRIPTS}/set_uc_log_level.sh "debug"
- Create a MustGather and look for the universal connector log.