Support CLI Commands
The following CLI commands are to be used only under the direction of Technical Support.
These commands assist Technical Support in analyzing the status of the machine, troubleshooting common issues and correcting some common problems. There are no functions that you would perform with these commands on a regular basis.
- support clean audit_results
This command manually purges audit results. Use it only when absolutely necessary, to deal with audit tasks that produce a high number of records and take up too much disk space.
It is strongly advised to consult with Technical Support before running this command.
A Warning message is presented and a confirmation step is needed when running this command.
This command will list the audit processes and tasks information.
It will present the number of rows, ordered from the largest result set to the smallest. The number of report results is greater than or equal to the input value.
Next, after the report is presented, the user can select a line number to purge the results of the audit process corresponding to that line number. Selection of this line number will delete the audit data for the selected process name.
Syntax
support clean audit_results <rows>
Input parameters
rows - an integer, number of rows to show. Default 10.
Note: On a system with a great many audit tasks, the completion of this command can take some time.
- support clean log_files
This CLI command deletes the specified file after the user confirms the deletion. If it cannot find the file, it lists files larger than 10MB in /var/log and the user can delete a large file from the list. A warning message is presented and a confirmation step is included.
Syntax
support clean log_file <filename> >> add filename
- support clean DAM_data
This command manually purges database activity monitoring data. Use it only when absolutely necessary.
It is strongly advised to consult with Technical Support before running this command.
A Warning message and a confirmation step are included in the command.
Syntax
support clean DAM_data <purge_type> <start_date> <end_date>
Input parameters
purge_type options: agg, exceptions, full_details, msgs, constructs, access, policy_violations, parser_errors, flat_log
start_date: YYYY-mm-dd
end_date: YYYY-mm-dd
- support clean centera_files
Guardium archives/backups stored within Centera have a deletion date marker attached to them by Guardium; however, there is no subsequent facility to invoke the deletion. Centera does not have a GUI to allow maintenance of its own files; it relies on API invocations from client applications.
Use the CLI command, support clean centera_files, to delete marked files within Centera.
- support clean InnoDB-dumps
Use this CLI command to purge InnoDB tables.
This is a password-protected command (for Technical Support only).
- support clean hosts
USAGE: support clean hosts <IP address> <fully qualified domain name>
- support clean servlets
Deletes *jsp*.java and *jsp*.class files and restarts GUI.
Use this CLI command to delete generated Java™ servlets and their classes.
- support execute
This utility is designed to provide Guardium Advanced Support with the ability to assist with remote diagnostics and support when direct remote access is not available or permitted.
Support Execute is not a replacement for direct remote connections, but will allow Guardium Support at least some level of root access in a secure way without direct access.
The commands provided by Guardium Advanced Support can be SQL statements, O/S Commands, Shell Scripts or SQL scripts. These will then be provided to the customer along with a Secure Key to allow the command to run via CLI. The Secure key is tied to the system that Guardium Support is working with the customer on, and is not valid for any other system. The command can only be run a number of times permitted by Guardium Support and is only valid for seven days from the agreed date.
The feature is disabled by default. Enable via CLI command in both normal and recovery mode:
support execute [enable | disable]
In order to permit the Guardium Advanced Support team to generate a Secure Key, the MAC address of the system in question must be provided for eth0. Here is an example of the interfaces and MAC addresses:
Customer usage / Logged in as CLI
support execute <CMD String> <PMR #> <KEY>
# main execute command provided by Guardium Advanced Support
support execute showlog [<Secure Key>|main|files]
# Show usage logs
#'<Secure Key>' for full details of single entry
# 'main' to display the main execute log
# 'files' to display log directory list
support execute mac
# Eth0 MAC address required by support to generate secure key
support execute info
# Show eth0 MAC address, root passkey & other system information
support execute version
# Display the "Support Execute" internal binary code version
support execute help
# Help details and purpose of utility information
Example of command provided by Guardium Advanced Support:
support execute "select * from GDM_ACCESS\G" 11111,111,111 6254130c0f0c3c504b33687c57f41363e4c00
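As an added illustration (not IBM's implementation, whose key format is not documented on this page), the example below shows one way a key can be bound to a command, a PMR, one system's eth0 MAC address, a seven-day window and a run limit by using an HMAC. The shared secret, the key layout, the MAC addresses and all function and class names are assumptions made for the example.

```python
import hashlib
import hmac
from datetime import date, timedelta

VALIDITY_DAYS = 7  # from the page: valid for seven days from the agreed date


def _tag(secret, mac, command, pmr, agreed, max_runs):
    # Every scoping attribute is covered by the MAC, so changing any one
    # of them (system, command, PMR, date, run limit) invalidates the key.
    fields = [mac.lower(), command, pmr, agreed.isoformat(), str(max_runs)]
    msg = "\x00".join(fields).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def issue_key(secret, mac, command, pmr, agreed, max_runs):
    """Support side: hypothetical key layout '<agreed date>.<max runs>.<tag>'."""
    tag = _tag(secret, mac, command, pmr, agreed, max_runs)
    return f"{agreed.isoformat()}.{max_runs}.{tag}"


class Appliance:
    """Customer side: verifies a key against its own eth0 MAC and run counter."""

    def __init__(self, secret, eth0_mac):
        self.secret = secret
        self.mac = eth0_mac
        self.runs = {}  # key -> number of successful uses

    def authorize(self, command, pmr, key, today):
        try:
            agreed_s, runs_s, tag = key.split(".")
            agreed = date.fromisoformat(agreed_s)
            max_runs = int(runs_s)
        except ValueError:
            return "malformed"
        expected = _tag(self.secret, self.mac, command, pmr, agreed, max_runs)
        # Constant-time comparison avoids leaking how much of the tag matched.
        if not hmac.compare_digest(expected.encode(), tag.encode()):
            return "bad-key"
        if not agreed <= today < agreed + timedelta(days=VALIDITY_DAYS):
            return "outside-window"
        if self.runs.get(key, 0) >= max_runs:
            return "run-limit"
        self.runs[key] = self.runs.get(key, 0) + 1
        return "ok"


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed value
    cmd, pmr = "select * from GDM_ACCESS\\G", "11111,111,111"
    key = issue_key(secret, "00:11:22:AA:BB:CC", cmd, pmr, date(2024, 3, 1), 2)
    box = Appliance(secret, "00:11:22:aa:bb:cc")  # constructed MAC address
    for day in (date(2024, 3, 2), date(2024, 3, 3), date(2024, 3, 4)):
        print(day, box.authorize(cmd, pmr, key, day))
```

The shared symmetric secret is a simplification; a signature scheme would keep the issuing key off the customer system.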
- support reset-password accessmgr
This command will reset the accessmgr account password.
Syntax
support reset-password accessmgr 10000000-99999999|random
Parameters
8-digit key number used to generate the new password. Keep this key number to provide to Technical Support to receive the new accessmgr account password. The selection random will generate an 8-digit random number.
Note: The system will attempt to send a notification to the accessmgr account email, if it is set up.
- support reset-password root
This command will reset root password on the IBM® Guardium® appliance.
Syntax
support reset-password root 10000000-99999999|random
Parameters
8-digit key number used to generate the new password. Keep this key number to provide to Technical Support. The choice random will generate an 8-digit random number.
This command also requires that the user provide a secret keyword in order to change the root password. Contact Technical Support if there is a need to change the root password.
Note: Do not reset root password unless absolutely required by business rules.
- support schedule find_crashed_tables
- Use this CLI command, support schedule find_crashed_tables [ON/OFF], to enable/disable the daily cron job of find_crashed_tables.sh script.
- USAGE: support schedule find_crash_tables on ALL|db
- support schedule find_crash_tables off
- This command enables or disables daily schedule of find_crashed_tables script.
- Note: Pay particular attention to the database entered. Users can enter "ALL" in order to process all five valid databases for crashed tables, or just one of the five valid databases: "TURBINE", "GDMS", "CUSTOM", "DATAMART" or "DIST_INT".
- support show db-processlist
This command will list all the db processes sorted by running time.
Syntax
support show db-processlist all
support show db-processlist locked
support show db-processlist running
support show db-process full
Parameters:
support show db-processlist [ ]
Where
running is the option to see all running SQL statements
all is the option to also include sleeping processes
locked is the option to display all locked processes and the one oldest process
full [optional] displays SQL queries in expanded format
- support show db-struct-check
This command will display all the structure differences found during aggregation process.
Syntax
support show db-struct-check
- support show db-top-tables
This command lists the 20 biggest database tables sorted by size, and a list of tables sorted by used free table space, in percent, for those tables that use more than 80% free space. It allows filtering by table name. All table sizes are displayed in MB; free space usage is displayed in percent.
Syntax
support show db-top-tables all
support show db-top-tables like
Parameters
support show db-top-tables all
will list biggest size tables out of entire DB sorted
support show db-top-tables like
will list biggest tables matching criteria, where could be any portion of the table name
- support show db-status
This command will show database usage.
Selections are free, used, megabytes, percentage.
Syntax
support show db-status free %
support show db-status used %
support show db-status free m
support show db-status used m
- support show hardware-info
This command uses a script to collect hardware information and place this collected information in a directory for retrieval.
After running this CLI command, the following message will appear:
Collected HW Info as /var/log/guard/Gather_hw_info-2012-06-25-17-43.tgz
Then run the CLI command, fileserver, to retrieve this .tar file from the server.
- support show iptables
This command will display the output of system iptables command.
Syntax
support show iptables diff
support show iptables list
Parameters
[diff | list] parameter controlling normal iptables output presentation versus displaying only differences/delta
[accept | full] parameter will filter output by accept row versus not filtered list
- support show large_files
This command will list all the files larger than <size> MB and older than <age> days in the /var, /tmp and /root folders.
Usage
support show large_files
Input parameters:
* size - integer > 10 (in MB)
* age - integer >= 0 (in days)
Syntax:
support show large_files <size> <age>
Parameters
support show large_files
where <size> is the minimum size files to display (default 100M)
where <age> is the number of days since the last modification.
- support show netstat
This command will display the output of system netstat command. It will allow filtering of the output by content using grep parameter.
Syntax
support show netstat all
support show netstat grep
Parameters
support show netstat grep
where is alphanumeric string to search
support show netstat all
- support show port open
This command is similar to using telnet to detect an open TCP port locally or on a remote host.
If the connection succeeds, you will see a message like: Connection to 127.0.0.1 8443 port [tcp/*] succeeded!
If the connection fails, you will see a message like: connect to 127.0.0.1 port 1 (tcp) failed: Connection refused
Syntax: support show port open
IP port - IP must be a valid IPv4 address like 127.0.0.1.
Port must be an integer with a value in 1-65535.
- support show top
This command will display the output of system top command sorted by cpu, memory or running time. It has configurable number of iterations (default 1) and number of displayed rows (default 10).
Syntax
support show top [ cpu | memory | time ]
Parameters
support show top cpu
where N is number of iterations in range 1 to 10 and R is number of rows to display - min 10
support show top memory
where N is number of iterations in range 1 to 10 and R is number of rows to display - min 10
support show top time
where N is number of iterations in range 1 to 10 and R is number of rows to display - min 10
- support check tables [DB name] [table name]
Invokes the mysqlcheck -c command on tables (checks tables for errors).
Without any parameter, this command checks all tables in the TURBINE database with a 3-minute timeout for each check. Checks run in parallel, so the overall time will vary. The command shows progress as a percentage. If any check runs for more than 3 minutes, it is terminated. All tables whose checks were terminated by timeout are listed on the screen after the command completes. Any errors that occur during the command's operation are reported to the log file /var/log/guard/<dbname>_check_tables/errors.<date>.log, where <date> is the current date and <dbname> is the name of the database.
Errors found for each table check operation are reported in /var/log/guard/<dbname>_check_tables/check_table_child.<tablename>.<date>.log files, where <date> is the current date, <dbname> is the name of the database and <tablename> is the name of the table checked. Files for healthy tables are not created.
With dbname specified as the 1st parameter, the command checks all tables in the specified DB with the same timeout (3 minutes). With no parameters specified, it checks all of TURBINE's tables.
With dbname and tablename specified as the parameters, the command checks the specified table in the specified DB without a timeout, until the check operation is complete. This allows manual checking of the tables whose checks didn't finish in 3 minutes. You can use masks in the tablename parameter by using the percent sign (%).
- support shrink innodb-size
Use this CLI command to reduce size of ibdata1 file.
It performs the following steps:
dumps all InnoDB tables
stops mysql
deletes ibdata1, ib_logfile0, ib_logfile1 files
starts mysql
restores dumped tables
This is a password protected command (for Technical Support only)
- support show innodb-status
Use this CLI command to troubleshoot MySQL issues. Use this CLI command to check what is happening at runtime with MySQL tables. Use this CLI command to determine if long check times with MySQL tables are due to record lock or table lock.
support show innodb-status
0 queries inside InnoDB, 0 queries in queue
0 read views open inside InnoDB
Main thread process no. 7959, id 139923805550336, state: sleeping
Number of rows inserted 6894, updated 6934, deleted 93, read 24787
0.33 inserts/s, 0.00 updates/s, 0.00 deletes/s, 0.67 reads/s
----------------------------
END OF INNODB MONITOR OUTPUT
- support analyze static-table
Use this CLI command to analyze content of static tables by sorting them based on the largest group per value length and value occurrence.
- support must_gather commands
There are some simple must_gather commands that can be run by user CLI that generate specific information about the state of any Guardium system. This information can be uploaded from the appliance and sent to Guardium Technical Support whenever a PMR (Problem Management Record) is logged.
In order to run these commands, you will need to have the appropriate must_gather patch installed.
Once the correct patch is installed, the must_gather commands can be run at any time by user CLI as follows.
Open a Putty session (or similar) to the Guardium system of concern.
Log in as user CLI.
Depending on the type of issue you are facing, paste the relevant must_gather commands into the CLI prompt. More than one must_gather command may be needed in order to diagnose the problem.
support must_gather system_db_info
support must_gather purge_issues
support must_gather audit_issues
support must_gather agg_issues
support must_gather cm_issues
support must_gather alert_issues
support must_gather patch_install_issues
The following may take a few minutes to run to completion.
support must_gather miss_dbuser_prog_issues
support must_gather sniffer_issues
For the following commands, you will be prompted for a time in minutes for how long you want the debugger running while you reproduce the problem.
support must_gather backup_issues
support must_gather scheduler_issues
Output is written to the must_gather directory with filename(s) along the lines of this example, must_gather/system_logs/.tgz
- Send the resulting output to IBM Support.
By using fileserver, you can upload the tgz files and send to Support.
Send via email or upload to ECUREP using - for example - the standard data upload specifying the PMR number and file to upload.
Guardium for z/OS traffic diagnostics commands
- support store zdiag on [N]
Where optional N is number of minutes to run diagnostics, from 10 to 600, 60 by default
Turns on Guardium for z/OS traffic diagnostics. This includes collection of TCPDUMP and SLON; collections stop once the corresponding files reach 2 GB in size. Once completed, the results files tcpdump.tar.gz and slon_all.tar.gz can be found via the fileserver command. The /var partition must have at least 15GB of free space.
- support store zdiag off
Turns off Guardium for z/OS traffic diagnostics. Results files tcpdump.tar.gz and slon_all.tar.gz can be downloaded using the CLI command, fileserver.
- support show zdiag
Shows Guardium for z/OS traffic diagnostics status.
SLON Collection Commands
- support store slon on [parameter]
Turns on the SLON utility, which captures packets received by the sniffer for debugging. Results files slon_packets.tar.gz, slon_messages.tar.gz or slon_all.tar.gz can be found via fileserver. The /var partition must have at least 15GB of free space.
Where optional parameter is:
packets, dump analyzer packets (default)
snifsql, log sniffer SQL activities and dump analyzer packets
secparams, log secure parameters info and dump analyzer packets
sgate, log S-GATE debugging info and dump analyzer packets
messages, tap message data dump
- support store slon off [parameter]
Turns off SLON utility. Results files slon_packets.tar.gz, slon_messages.tar.gz or slon_all.tar.gz can be found via fileserver.
Where optional parameter is:
packets, stop dumping packets, logging secure parameters, S-GATE debug info and sniffer SQL activities (default)
messages, stop tapping message data dump
all, stop all activities
- support show slon
Shows SLON utility status.
TCPDUMP Collection Command
- support store snif_memory_max
- Usage: support snif_memory_max <num>, where <num> is one of: 33 | 50 | 75
- This command only applies to 64-bit system.
- Show command
- support show snif_memory_max
- support store tcpdump on <type> <period> <loglimit> [interface] [IP] [port] [protocol]
Turns on TCPDUMP utility. After period ends, results file tcpdump.tar.gz can be found via fileserver. The /var partition must have at least 15GB of free space.
Where:
<type> - dump type, 'headers' (only headers captured) or 'raw' (whole packets captured)
<period> - dump period, NUMBER[SUFFIX], where optional SUFFIX may be 's' for seconds, 'm' for minutes (default)
<loglimit> - dump logfile limit, from 1 to 6 gigabytes
Optional filter arguments:
[interface] - network interface name (default eth0)
[IP] - IP address
[port] - port
[protocol] - protocol, 'tcp', 'udp', 'ip', 'ip6', 'arp', 'rarp', 'icmp' or 'icmp6'
Example
support store tcpdump on headers 10m 1
This command will run TCPDUMP, saving packet headers for 10 minutes with a 1GB log file size limit.
- support show tcpdump
Shows TCPDUMP utility status.
- support store tcpdump off
Turns off TCPDUMP utility. After stop, results file tcpdump.tar.gz can be found via fileserver.
- support must_gather datamining_issues
Collects necessary diagnostic information for Outliers, Quick search and Datamart functionality. Information includes dumps of corresponding internal tables, necessary logs, state of corresponding processes and standard must_gather diagnostics (general system and internal DB info).
- support must_gather network_issues [--host=<HOST>], where optional parameter <HOST> is hostname or IP address.
The command gathers all network information from the appliance and polls hosts that Guardium interacts with by using ping, traceroute, corresponding port probing and other measures. If the optional parameter is specified, then it polls only the host that was specified (if Guardium is configured to do any activity on this host).
- store antlr3_max
Use this CLI command to help control data flow between Parser and Logger. The CLI command, store antlr3_max, is an advanced parameter geared towards expert users and Customer Support to help control the data flow between the Parser and Logger components of the Sniffer for Oracle, DB2, MySql, and MSSql.
This value (default 20,000) will change the number of concurrent parsed SQL statements that the Logger is able to hold in queue.
The issues that this could potentially help remedy are Sniffer running out of memory and restarting, or Sniffer not utilizing enough memory.
If you notice the sniffer is running out of memory and restarting, lowering the context cap may help to alleviate this. Alternatively, if the Sniffer isn't using enough of the available system memory, raising the context cap can allow it to use more.
- store active_parser_engine
- This CLI command is used to control which parser engine should be used by the sniffer. This CLI command is only applicable to database types supported by ANTLR3 parsers (Oracle, DB2, MS SQL, MySQL).
- USAGE: store active_parser_engine <num>
- where <num> is
- 1: ANTLR3 parser errors reparsed by ANTLR2 (default)
- 2: ANTLR2 only
- 3: ANTLR3 only
- Show command
- show active_parser_engine