Streaming audit data to multiple systems

Multistream mode enables S-TAP audit events to be sent to multiple connected appliances. You can enable multistreaming to up to 6 Guardium appliances (APPLIANCE_SERVER + APPLIANCE_SERVER_n, where n can be 1 - 5).

Multistream mode provides a mechanism for distributing a high-volume workload over multiple connected appliances. In multistream mode, each audit event is sent to only one appliance. Multistream mode does not mirror the same set of audit events to multiple appliances.

IBM Guardium S-TAP for Db2 sends events to a single appliance until a ping occurs, or the number of records that is specified by MEGABUFFER_COUNT is reached.

To enable multistreaming, you must specify MULTI_STREAM when you configure the APPLIANCE_SERVER_LIST parameter. Parameters APPLIANCE_SERVER and APPLIANCE_SERVER_[1-5] specify the appliances to which you intend to stream events. The appliance that is specified by APPLIANCE_SERVER provides the policy that is used for event matching.

The APPLIANCE_SERVER parameter specifies the first appliance to which audit events are streamed. The collection policy that is pushed down from the first appliance determines which events are collected and streamed to all appliances that are enabled for multistreaming.

The IBM Guardium S-TAP for Db2 agent streams events to the first appliance, then sequentially to each subsequent appliance in the multistreaming set. Each appliance in the multistreaming set then processes (logs and discards) each event in accordance with the locally installed policies.
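The following model is an added example, not IBM code or S-TAP configuration syntax. It illustrates why, in multistream mode, the audit trail held by any one appliance is only a slice of the total. It assumes that the agent returns to the first appliance after the last one, and it represents a ping as the index of the event after which the ping occurs; the event names and values are constructed.

```python
from collections import Counter
from itertools import cycle

def distribute(events, appliances, megabuffer_count, ping_after=()):
    """Assign every event to exactly one appliance (no mirroring).

    The current appliance keeps receiving events until megabuffer_count
    records have been sent to it or a ping occurs; the agent then moves to
    the next appliance in configured order. Wrap-around to the first
    appliance is an assumption of this model.
    """
    if not 1 <= len(appliances) <= 6:
        raise ValueError("set is APPLIANCE_SERVER plus at most 5 APPLIANCE_SERVER_n")
    if megabuffer_count < 1:
        raise ValueError("megabuffer_count must be positive")
    pings = set(ping_after)          # indexes after which a ping occurs (assumed model)
    ring = cycle(appliances)
    current, sent = next(ring), 0
    placement = []
    for index, event in enumerate(events):
        placement.append((event, current))
        sent += 1
        if sent == megabuffer_count or index in pings:
            current, sent = next(ring), 0   # switch appliance, reset record count
    return placement

def coverage(placement):
    """Number of events that each appliance ends up holding."""
    return Counter(appliance for _, appliance in placement)

# Constructed sample: three appliances, ten events, one ping after event 7.
APPLIANCES = ["APPLIANCE_SERVER", "APPLIANCE_SERVER_1", "APPLIANCE_SERVER_2"]
EVENTS = [f"evt-{n:02d}" for n in range(10)]

def demo():
    return distribute(EVENTS, APPLIANCES, megabuffer_count=3, ping_after={7})

if __name__ == "__main__":
    for event, appliance in demo():
        print(event, "->", appliance)
    print(dict(coverage(demo())))
```

In this run no appliance holds more than half of the events, so an investigation or report that must see the complete audit trail has to draw on every appliance in the multistreaming set.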