How to monitor the Guardium system via alerts

Monitor the capacity, performance and availability of the IBM Security Guardium system using a combination of built-in and custom correlation alerts.

Alert users to issues that may affect system performance, such as CPU utilization, database disk space, inactive STAPs, and no-traffic situations.

The Sniffer Buffer Usage domain is the basis for most of the following alerts.

Sniffer Restart Alert

An alert will be sent if the sniffer on a collector has restarted at least three times an hour.

Create a Query using the Sniffer Buffer Usage domain with the columns and fields as shown; there are no conditions.

[Screenshot: Sniffer Restart Alert query definition]

This is an example of the output from the Query:

[Screenshot: Query output]

Define the alert.

[Screenshot: Alert definition]

High CPU Utilization

Using the Enterprise Buffer Usage domain, create an alert to monitor system CPU utilization. Here is an example of a query for CPU utilization that exceeds 75%.

[Screenshot: CPU definition]

The alert is then set up to fire only if the 75% threshold is exceeded 360 times in a 24-hour period, that is, for 25% of the day.

Note: The Sniffer Buffer Usage domain is populated once a minute, so there are 1440 entries in a 24-hour period.

[Screenshot: System CPU load 1]

To define the alert, click Protect > Database Intrusion Detection > Alert Builder.

[Screenshot: System CPU load 2]
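The two rules above (at least three sniffer restarts in an hour; CPU above 75% in at least 360 of the 1440 one-minute entries of a day) are both counting rules over the minute-by-minute Sniffer Buffer Usage data. The following Python is an added example, not part of this document and not Guardium's own alert engine: it models how such a correlation alert is evaluated so that the threshold and the "number of times in period" setting can be checked against sample data before the alert is deployed. The row field names (ts, cpu, restart) and the sample rows are constructed for the example and are not Guardium column names.

```python
from datetime import datetime, timedelta

# Thresholds taken from the page: three restarts per hour, and CPU above 75%
# in 360 of the 1440 one-minute entries of a day (25% of the day).
RESTARTS_PER_HOUR = 3
CPU_THRESHOLD_PCT = 75
CPU_HITS_PER_DAY = 360
ENTRIES_PER_DAY = 1440
HOUR = timedelta(hours=1)
DAY = timedelta(days=1)


def count_hits(samples, predicate, window_start, window):
    """Count rows inside [window_start, window_start + window) for which predicate holds.

    This mirrors the alert's "condition met N times in the period" setting.
    """
    window_end = window_start + window
    return sum(1 for s in samples
               if window_start <= s["ts"] < window_end and predicate(s))


def sniffer_restart_alert(samples, hour_start):
    """Return (fires, hits): fires when the sniffer restarted >= 3 times in the hour."""
    hits = count_hits(samples, lambda s: s["restart"], hour_start, HOUR)
    return hits >= RESTARTS_PER_HOUR, hits


def high_cpu_alert(samples, day_start):
    """Return (fires, hits): fires when CPU > 75% in >= 360 one-minute entries of the day."""
    hits = count_hits(samples, lambda s: s["cpu"] > CPU_THRESHOLD_PCT, day_start, DAY)
    return hits >= CPU_HITS_PER_DAY, hits


def build_samples(day_start, high_cpu_minutes, restart_minutes):
    """Constructed data: one row per minute for a day, as the domain is populated once a minute.

    The first `high_cpu_minutes` rows carry a CPU load above the threshold, and a restart
    is flagged in each minute listed in `restart_minutes`. Not real Guardium output.
    """
    rows = []
    for minute in range(ENTRIES_PER_DAY):
        rows.append({
            "ts": day_start + timedelta(minutes=minute),
            "cpu": 82.0 if minute < high_cpu_minutes else 30.0,
            "restart": minute in restart_minutes,
        })
    return rows


# Constructed day: CPU high for the first 400 minutes (more than 360, so the CPU alert
# fires), three restarts in the first hour and one in the second hour.
DAY_START = datetime(2024, 1, 1)
SAMPLES = build_samples(DAY_START, high_cpu_minutes=400, restart_minutes={5, 20, 40, 90})

if __name__ == "__main__":
    print("restart alert, hour 0:", sniffer_restart_alert(SAMPLES, DAY_START))
    print("restart alert, hour 1:", sniffer_restart_alert(SAMPLES, DAY_START + HOUR))
    print("high CPU alert, day:", high_cpu_alert(SAMPLES, DAY_START))
```

Running the script shows the restart alert firing for the first hour (3 hits) but not the second (1 hit), and the CPU alert firing with 400 qualifying entries; lowering high_cpu_minutes below 360 keeps it quiet, which is the point of expressing the threshold as a count over the 1440 entries rather than as a single spike.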

Database Disk Space Alerts

Use the Query Builder to build two reports (they are similar) and two alerts, one for the collector and the other for the aggregator, because the database size is fixed on the collector but dynamic on the aggregator (up to the size of the var partition).

Aggregator Disk Space Alert

  1. Create a new Query with Sniffer Buffer Usage as the main entity.

  2. Configure the fields and conditions.

     [Screenshot: VAR disk usage]

  3. Set up a new alert in the Alert Builder. Open the Alert Builder by clicking Protect > Database Intrusion Detection > Alert Builder.

Collector Disk Space Alert

Repeat the previous steps to create an alert for monitoring disk space on the collectors.

  1. Create a Query.

     [Screenshot: MYSQL disk usage]

  2. Use the Alert Builder to set up a new alert.

     [Screenshot: New alert]

Data Import, Merge (Aggregation), Archive or Backup Failure Alerts

This is a built-in alert and must be activated and scheduled.

Inactive S-TAP Alerts

This is a built-in alert and needs to be activated and scheduled.

For STAPs configured with a primary and a secondary collector, if the STAP cannot communicate with the primary (for example, because of network issues), it fails over to the secondary. Unless the former primary collector is able to ping the STAP, that collector then generates an inactive STAP alert.

Note: STAPs in a cluster configuration can generate false alerts if misconfigured.

No Traffic Alerts

This is a built-in alert and needs to be activated and scheduled.

This alert checks for traffic from an active inspection engine from which the collector previously received traffic, AND for traffic that is processed by the policy. If these two conditions are not both satisfied within 48 hours, an alert is generated.

Application Monitoring via Ad-hoc Reports

As a general rule, avoid invoking ad-hoc queries or reports on the collector with time spans greater than 1 hour. Large or long-running queries should be invoked on the aggregator and are best scheduled using the Audit Process.

The following two reports should be scheduled, from the Central Manager, to run weekly on each collector.

Note: These reports also need to be scheduled individually on EACH aggregator.

Custom Sniffer Buffer Usage Report

Using the Sniffer Buffer Usage domain, create a report with the following fields:

[Screenshot: Custom Sniffer Buffer Usage Report fields]

STAP Status Report

This report displays the key parameters for ALL STAPs and inspection engines for a given collector. The report cannot be modified but can be run on each collector, or from the Central Manager pointing to each collector in turn, or scheduled via the Audit process on each collector.

[Screenshot: STAP Status Report]