Universal Connectors FAQs

Find answers to commonly asked questions about Universal Connectors for IBM Guardium® Insights SaaS.

How many universal connections can be configured at once?

You can configure as many connections as your Red Hat OpenShift cluster resources support.

How many Universal Connectors can be configured on one collector?

Guardium recommends configuring no more than 10 Universal Connectors on a single Guardium collector.

How much time does the connection take to establish?

It may take up to 15 minutes to establish a connection. Wait and refresh the connection status.

What to do if the Universal Connector connection fails?

  1. Log in to the Red Hat OpenShift cluster by using the Command Line Interface.
    cloudctl login -a <CLUSTER_URL> --skip-ssl-validation -u <USER> -p <PASSWORD> -n staging
  2. Find the universal connector manager pod and check the pod status. The status must display 1/1 running as follows:
    oc get pods | grep universal
    
    <pod_name>      1/1     Running     0        2d15h
  3. Check the UC-manager logs for errors.
    oc logs <pod_name>

What to do if the connection is in red or yellow and has an unhealthy connectivity status on the Connections page?

  1. Log in to the Red Hat OpenShift cluster by using the Command Line Interface.
    cloudctl login -a <cluster_name> --skip-ssl-validation -u admin -p <password> -n staging
    
  2. Find the Universal Connector pods and check the pod status. If the status is not running or not 1/1, then check the uc-manager logs. To get the pod status, run the following command.
    oc get pods | grep universal
    To get the logs, run the following command.
    oc logs <pod_name>
  3. Enter the Universal Connector container pod and check UC logstash_stdout_stderr.log for errors and exceptions:
    oc exec -it stagingksultnyrrzbspmyqfppnd61-universal-connector-0 bash
    cd /var/log/uc
    ls  -ltr
    cat logstash_stdout_stderr.log
  4. Enable the Guardium Insights operator, delete the old connection, and create a new connection. To enable the Guardium Insights operator: connect by using the Command Line Interface to your cluster and run the following command.
    oc scale $(oc get deploy -oname | grep guardiuminsights-controller-manager | awk '{print $1}') --replicas=1

Does the Guardium universal connector support MustGather?

Yes, every MustGather option includes logs for the Guardium universal connector.

What to do if data is missing from reports?

  1. Click the Connections page from the main menu and verify whether the connection status is green.
  2. Check whether traffic is running on the data source.
  3. Check whether auditing is set correctly on the data source.
  4. Check that the auditing logs are created in the expected location on the data source.
  5. Check that the connection settings are set correctly on the data source side.
  6. Check the Filebeat log files. Enable the logging section in filebeat.yml, restart Filebeat, go to the Filebeat logs at the path that is configured in the filebeat.yml logging section, and check the logs for errors and exceptions.
  7. Check that communication between the database server and the managed unit is not blocked (Guardium Insights is accessible from the database server).
For example, consider a MongoDB over Filebeat configuration. The MongoDB database auditing is configured by using the mongod.conf file. The mongo service is running and the mongo audit log file is created. Then complete the following checks in the filebeat.yml file.
  1. In the filebeat.inputs section, check the path to the audit logs. It must be the same path as the one configured in the auditing section of the MongoDB configuration file.
  2. Check that the tags are identical to the ones in the Connection configuration details on the Connections page.

    To check the data source tag, go to the Connection page, select the connection, click connection name, and check the data source tag in Universal Connector Configuration.

  3. Check that the server certificate is downloaded from the connection page and uploaded to the data source. Check that the path to the certificate is set in the filebeat.yml and is not commented. For example (fragment from filebeat.yml):
    ssl.certificate_authorities: ["/etc/pki/client/<machine_name>/GuardiumInsightsCA.pem"]
  4. Check that the output.logstash section is uncommented and that the output.elasticsearch is commented.
  5. In the output.logstash section, check the connection hosts and port. They should be identical to the ones in the connection details on the Connections page. By default, the port number is 443. For example:
    hosts: ["usuj7iib4hsg2yutp9i3ca3-universal-connector.perf-ded-wdc06-0a94651246c65639d6ebe7da606c2479-0000.us-east.containers.appdomain.cloud:443"]
    
  6. Restart Filebeat service after editing the filebeat.yml file.
    service filebeat restart
    
  7. Check the Filebeat status after restart.
    service filebeat status
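
The filebeat.yml checks in items 1 to 5 above can be scripted and run before Filebeat is restarted. The following is an added example, not part of the IBM documentation: the function names, tag, host name and paths in the sample are constructed placeholders, and it assumes that tags and hosts are written as inline lists on one line.

```shell
#!/bin/sh
# Added example; function names and sample values are constructed, not IBM's.

# Print only the lines that are neither blank nor commented out.
active() { grep -Ev '^[[:space:]]*(#|$)' "$1"; }

# check_filebeat FILE AUDIT_LOG_PATH TAG HOST:PORT
# Prints one FAIL line per failed check; returns 0 only if all checks pass.
# Assumes tags and hosts are written as inline lists on a single line.
check_filebeat() {
  cfg=$1; audit_path=$2; tag=$3; host=$4; rc=0
  fail() { echo "FAIL: $1"; rc=1; }
  act=$(active "$cfg") || true
  # 1. Input path matches the audit log path set in mongod.conf.
  echo "$act" | grep -Fq -e "- $audit_path" || fail "input path is not $audit_path"
  # 2. Tag matches the data source tag shown on the Connections page.
  echo "$act" | grep -E '^[[:space:]]*tags:' | grep -Fq -e "\"$tag\"" ||
    fail "tag $tag is not set"
  # 3. The CA certificate setting is present and not commented out.
  echo "$act" | grep -Eq '^[[:space:]]*ssl\.certificate_authorities:' ||
    fail "ssl.certificate_authorities is missing or commented"
  # 4. output.logstash is active and output.elasticsearch is not.
  echo "$act" | grep -Eq '^output\.logstash:' || fail "output.logstash is commented"
  if echo "$act" | grep -Eq '^output\.elasticsearch:'; then
    fail "output.elasticsearch is not commented"
  fi
  # 5. Host and port match the connection details.
  echo "$act" | grep -E '^[[:space:]]*hosts:' | grep -Fq -e "\"$host\"" ||
    fail "hosts does not contain $host"
  return $rc
}

# Constructed sample configuration (placeholder host, tag and paths).
sample=$(mktemp)
cat > "$sample" <<'EOF'
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/mongodb/auditLog.json
  tags: ["mongodb-demo"]
#output.elasticsearch:
#  hosts: ["localhost:9200"]
output.logstash:
  hosts: ["uc.example.invalid:443"]
  ssl.certificate_authorities: ["/etc/pki/client/<machine_name>/GuardiumInsightsCA.pem"]
EOF
check_filebeat "$sample" /var/log/mongodb/auditLog.json mongodb-demo \
  uc.example.invalid:443 && echo "filebeat.yml checks passed"
```

Run it against the real file by passing the audit log path from mongod.conf and the tag, host and port shown in the connection details on the Connections page.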

Why is Guardium not displaying any events?

  1. Verify that the required policies are installed. To test, start with a log full details rule, and verify no other policy blocks it.
  2. Follow the steps from the What to do if data is missing from reports FAQ.
  3. Set the debug level in the uc_logstash log and check Guardium Events in the log.
  4. If you find events in uc_logstash.log, the problem may be in the mini-snif microservice.
  5. To set the universal connector debug log level, connect to your cluster by using the CLI.
  6. Enter the universal connector pod and run the following command:
    {UC_SCRIPTS}/set_uc_log_level.sh "debug"
  7. Create a MustGather and look for the universal connector log.