Support CLI Commands

The following CLI commands are to be used only with the direction of Technical Support.

These commands are to assist Technical Support in analyzing the status of the machine, troubleshooting common issues and correct some common problems. There are no functions that you would perform with these commands on a regular basis.

support clean audit_results

A way to manually purge audit results, this command should be used only when absolutely necessary to deal with audit tasks that produce a high number of records and take up too much disk space.

It is strongly advised to consult with Technical Support before running this command.

A Warning message is presented and a confirmation step is needed when running this command.

This command will list the audit processes and tasks information.

It will present the number of rows, ordered from the largest result set to the smallest. The number of report results is greater or equal to the input value.

Next, after the report is presented, the user can select a line number to purge the results of the audit process corresponding to that line number. Selection of this line number will delete the audit data for the selected process name.

Syntax

support clean audit_results <rows>

Input parameters

rows  - an integer, number of rows to show.  Default 10.

Note: On a system with a great many audit tasks, the completion of this command can take some time.

support clean log_files

This CLI command will delete the specified file after user confirms to delete. If it can not find the file, it will list files larger than 10MB in /var/log and the user delete a large file from the list. A warning message is presented and a confirmation step is included.

Syntax

support clean log_file <filename>    >> add filename

support clean DAM_data

A way to manually purge database activity monitoring data, this command should be used only when absolutely necessary.

It is strongly advised to consult with Technical Support before running this command.

A Warning message and a confirmation step are included in the command.

Syntax

support clean DAM_data <purge_type> <start_date> <end_date>

Input parameters

purge_type options: agg, exceptions, full_details, msgs, constructs, access, policy_violations, parser_errors, flat_log

start_date: YYYY-mm-dd

end_date: YYYY-mm-dd

support clean centera_files

Guardium archives/backups stored within Centera have a deletion date marker attached to them by Guardium, however there is no subsequent facility to invoke the deletion. Centera does not have a GUI to allow maintenance of its own files, it relies on API invocations from client applications.

Use the CLI command, support clean centera_files, to delete marked files within Centera.

support clean InnoDB-dumps

Use this CLI command to purge InnoDB tables

This is a password protected command (for Technical Support only)

support clean hosts

 USAGE: support clean hosts <IP address> <fully qualified domain name>

support clean servlets

Deletes *jsp*.java and *jsp*.class files and restarts GUI.

Use this CLI command to delete generated Java™ servlets and their classes.

support execute

This utility is designed to provide Guardium Advanced Support with the ability to assist with remote diagnostics and support when direct remote access it not available or permitted.

Support Execute is not a replacement for direct remote connections, but will allow Guardium Support at least some level of root access in a secure way without direct access.

The commands provided by Guardium Advanced Support can be SQL statements, O/S Commands, Shell Scripts or SQL scripts. These will then be provided to the customer along with a Secure Key to allow the command to run via CLI. The Secure key is tied to the system that Guardium Support is working with the customer on, and is not valid for any other system. The command can only be run a number of times permitted by Guardium Support and is only valid for seven days from the agreed date.

The feature is disabled by default. Enable via CLI command in both normal and recovery mode:

support execute [enable | disable]

In order to permit the Guardium Advanced Support team to generate a Secure Key, the MAC address of the system in question must be provided for eth0. Here is an example of the interfaces and MAC addresses:

Customer usage / Logged in as CLI

support execute <CMD String> <PMR #> <KEY>

# main execute command provided by Guardium Advanced Support

support execute showlog [<Secure Key>|main|files]

# Show usage logs

#'<Secure Key>' for full details of single entry

# 'main' to display the main execute log

# 'files' to display log directory list

support execute mac

# Eth0 MAC address required by support to generate secure key

support execute info

# Show eth0 MAC address, root passkey & other system information

support execute version

# Display the "Support Execute" internal binary code version

support execute help

# Help details and purpose of utility information

Example of command provided by Guardium Advanced Support:

support execute "select * from GDM_ACCESS%5CG" 11111,111,111 6254130c0f0c3c504b33687c57f41363e4c00

support reset-password accessmgr

This command will reset the accessmgr account password.

Syntax

support reset-password accessmgr 10000000-99999999|random

Parameters

8-digit key number used to generate new password. Keep this key number to provide to Technical Support to receive new accessmgr account password. The selection Random will generate a 8-digit random number.

Note: System will attempt to send notification to the accessmgr account email, if it is setup.

support reset-password root

This command will reset root password on the IBM® Guardium® appliance.

Syntax

support reset-password root 10000000-99999999|random

Parameters

8-digit key number used to generate new password. Keep this key number to provide to Technical Support. The choice Random will generate a 8-digit random number.

This command also requires that the user provide a secret keyword in order to change the root password. Contact Technical Support if there is a need to change the root password.

Note: Do not reset root password unless absolutely required by business rules.

 

support schedule find_crashed_tables

Use this CLI command, support schedule find_crashed_tables [ON/OFF], to enable/disable the daily cron job of find_crashed_tables.sh script.

USAGE: support schedule find_crash_tables on ALL|db

support schedule find_crash_tables off

This command enables or disables daily schedule of find_crashed_tables script.

Note: Pay particular attention to the database entered. Users can enter "ALL" in order to process all five valid databases for crashed tables or just one of the five valid databases "TURBINE", "GDMS", "CUSTOM", "DATAMART or "DIST_INT".

support show db-processlist

This command will list all the db processes sorted by running time.

Syntax

support show db-processlist all

support show db-processlist locked

support show db-processlist running

support show db-process full

Parameters:

support show db-processlist [ ]

Where

running is option to see all running sql statements

all is option to include also sleeping processes

locked is to display all locked and one oldest processes

full [optional] displays sql queries in expended format

 

support show db-struct-check

This command will display all the structure differences found during aggregation process.

Syntax

support show db-struct-check

 

support show db-top-tables

This command will list 20 biggest database tables sorted by size and list of tables sorted by used free table space in percents for those tables which use more than 80% free space. It will allow filtering by table name. All table sizes displayed in Mbytes, free space usage in percents.

Syntax

support show db-top-tables all

support show db-top-tables like

Parameters

support show db-top-tables all

will list biggest size tables out of entire DB sorted

support show db-top-tables like

will list biggest tables matching criteria, where could be any portion of the table name

 

support show db-status

This command will show database usage.

Selections are free, used, megabytes, percentage.

Syntax

support show db-status free %

support show db-status used %

support show db-status free m

support show db-status used m

 

support show hardware-info

This command uses a script to collect hardware information and place this collected information in a directory for retrieval.

After running this CLI command, the following message will appear:

Collected HW Info as /var/log/guard/Gather_hw_info-2012-06-25-17-43.tgz

Then run the CLI command, fileserver, to retrieve this .tar file from the server.

support show iptables

This command will display the output of system iptables command.

Syntax

support show iptables diff

support show iptables list

Parameters

[diff | list] parameter controlling normal iptables output presentation versus displaying only differences/delta

[accept | full] parameter will filter output by accept row versus not filtered list

 

support show large_files

This command will list all the files larger than MB and older than days in the /var /tmp /root folders.

Usage  

support show large_files

This command will list all the files larger than MB and older than days in the /var /tmp /root folders

Input parameters:

   * size   - integer >  10 (in MB)

   * age    - integer >= 0 (in days)

Syntax:

support show large_files <size> <age>

Parameters

support show large_files

where <size> is the minimum size files to display (default 100M)

where <age> is the number of days since the last modification.

 

support show netstat

This command will display the output of system netstat command. It will allow filtering of the output by content using grep parameter.

Syntax

support show netstat all

support show netstat grep

Parameters

support show netstat grep

where is alphanumeric string to search

support show netstat all

 

support show port open

This command is similar to using telnet to detect an open TCP port locally or on a remote host.

If we are able to connect successfully you will see a message like: Connection to 127.0.0.1 8443 port [tcp/*] succeeded!

If you are unable to connect you will see a message like: connect to 127.0.0.1 port 1 (tcp) failed: Connection refused

Syntax: support show port open

IP port - IP must be a valid IPv4 address like 127.0.0.1.

Port must be an integer with a value in 1-65535.

support show top

This command will display the output of system top command sorted by cpu, memory or running time. It has configurable number of iterations (default 1) and number of displayed rows (default 10).

Syntax

support show top [ cpu | memory | time ]

Parameters

support show top cpu

where N is number of iterations in range 1 to 10  and R is number of rows to display - min 10

support show top memory

where N is number of iterations in range 1 to 10 and R is number of rows to display - min 10

support show top time

where N is number of iterations in range 1 to 10  and R is number of rows to display - min 10

 

support check tables [DB name] [table name}

Invokes mysqlcheck –c command on tables (checks tables for errors).

Without any parameter this command checks all tables in TURBINE database with 3 minutes timeout for each check. Checks are running in parallel, overall time will vary. Command will show progress in percents.If any check runs more than 3 minutes it will be terminated. All tables, whose checks were terminated by timeout, will be listed on the screen after command completion. Any errors occurred during command's operation will be reported to the log file /var/log/guard/<dbname>_check_tables/errors.<date>.log, where <date> is current date and <dbname> is the name of database.

Errors found for each table check operation will be reported in /var/log/guard/<dbname>_check_tables/check_table_child.<tablename>.<date>.log files, where <date> is current date, <dbname> is a name of database and <tablename> is the name of table checked. Files for healthy tables are not created. </p><p>With dbname specified as the 1st parameter the command will check all tables in the specified DB with the same timeout (3 minutes). With no parameters specified it will check all TURBINE's tables.

With dbname and tablename specified as the parameters the command will check specified table in specified DB without timeout, until the check operation is complete. This is to allow manual checking the tables whose checks didn't finish in 3 minutes. You can use masks in tablename parameter using percent sign (%).

 

support shrink innodb-size

Use this CLI command to reduce size of ibdata1 file.

It performs the following steps:

• dumps all InnoDB tables

• stops mysql

• deletes ibdata1, ib_logfile0, ib_logfile1 files

• starts mysql

• restores dumped tables

This is a password protected command (for Technical Support only)

 

support show innodb-status

Use this CLI command to troubleshoot MySQL issues. Use this CLI command to check what is happening at runtime with MySQL tables. Use this CLI command to determine if long check times with MySQL tables are due to record lock or table lock.

support show innodb-status

0 queries inside InnoDB, 0 queries in queue

0 read views open inside InnoDB

Main thread process no. 7959, id 139923805550336, state: sleeping Number of rows inserted 6894, updated 6934, deleted 93, read 24787 0.33 inserts/s, 0.00 updates/s, 0.00 deletes/s, 0.67 reads/s

----------------------------

END OF INNODB MONITOR OUTPUT

support analyze static-table

Use this CLI command to analyze content of static tables by sorting them based on the largest group per value length and value occurrence.

support must_gather commands

There are some simple must_gather commands that can be run by user CLI that generate specific information about the state of any Guardium system. This information can be uploaded from the appliance and sent to Guardium Technical Support whenever a PMR (Problem Management Record) is logged.

In order to run these commands, you will need to have the appropriate must_gather patch installed.

Once the correct patch is installed, the must_gather commands can be run at any time by user CLI as follows.

1. Open a Putty session (or similar) to the Guardium system of concern.

2. Log in as user CLI.

3. Depending on the type of issue you are facing, paste the relevant must_gather commands into the CLI prompt. More than one must_gather command may be needed in order to diagnose the problem.

   support must_gather system_db_info

   support must_gather purge_issues

   support must_gather audit_issues

   support must_gather agg_issues

   support must_gather cm_issues

   support must_gather alert_issues

   support must_gather patch_install_issues

    

   The following may take a few minutes to run to completion.

   support must_gather miss_dbuser_prog_issues

   support must_gather sniffer_issues

    

   For the following commands, you will be prompted for a time in minutes for how long you want the debugger running while you reproduce the problem.

   support must_gather backup_issues

   support must_gather scheduler_issues

    

   Output is written to the must_gather directory with filename(s) along the lines of this example, must_gather/system_logs/.tgz

4. Send the resulting output to IBM Support.

By using fileserver, you can upload the tgz files and send to Support.

Send via email or upload to ECUREP using - for example - the standard data upload specifying the PMR number and file to upload.

Guardium for z/OS traffic diagnostics commands

support store zdiag on [N]

Where optional N is number of minutes to run diagnostics, from 10 to 600, 60 by default

Turns on Guardium for z/OS traffic diagnostics. This includes collection of TCPDUMP and SLON, collections will stop once corresponding files reach 2 GB size. Once completed, results files tcpdump.tar.gz and slon_all.tar.gz can be found via fileserver command. The /var partition must have at least 15GB of free space.

support store zdiag off

Turns off Guardium for z/OS traffic diagnostics. Results files tcpdump.tar.gz and slon_all.tar.gz can be downloaded using the CLI command, fileserver.

support show zdiag

Shows Guardium for z/OS traffic diagnostics status.

SLON Collection Commands

support store slon on [parameter]

Turns on SLON utility that captures packets got by sniffer for debug. Results files slon_packets.tar.gz, slon_messages.tar.gz or slon_all.tar.gz can be found via fileserver. The /var partition must have at least 15GB of free space.

Where optional parameter is:

packets, dump analyzer packets (default)

snifsql, log sniffer SQL activities and dump analyzer packets

secparams, log secure parameters info and dump analyzer packets

sgate, log S-GATE debugging info and dump analyzer packets

messages, tap message data dump

support store slon off [parameter]

Turns off SLON utility. Results files slon_packets.tar.gz, slon_messages.tar.gz or slon_all.tar.gz can be found via fileserver.

Where optional parameter is:

packets, stop dumping packets, logging secure parameters, S-GATE debug info and sniffer SQL activities (default)

messages, stop tapping message data dump

all, stop all activities

support show slon

Shows SLON utility status.

TCPDUMP Collection Command

support store snif_memory_max

Usage: support snif_memory_max <num>, where num is a number of | 33 | 50 | 75 |

This command only applies to 64-bit system.

Show command

support show snif_memory_max

support store tcpdump on <type> <period> <loglimit> [interface] [IP] [port] [protocol]

support store tcpdump on <type> <period> <loglimit> [interface] [IP] [port] [protocol]

Turns on TCPDUMP utility. After period ends, results file tcpdump.tar.gz can be found via fileserver. The /var partition must have at least 15GB of free space.

Where:

<type> - dump type, 'headers' (only headers captured) or 'raw' (whole packets captured)

<period> - dump period, NUMBER[SUFFIX], where optional SUFFIX may be 's' for seconds, 'm' for minutes (default)

<loglimit> - dump logfile limit, from 1 to 6 gigabytes

Optional filter arguments:

[interface] - network interface name (default eth0)

[IP] - IP address

[port] - port

[protocol] - protocol, 'tcp', 'udp', 'ip', 'ip6', 'arp', 'rarp', 'icmp' or

'icmp6'

Example

support store tcpdump on headers 10m 1

This command will run TCPDUMP saving packets headers for 10 minutes and 1GB log file size limit.

support show tcpdump

Shows TCPDUMP utility status.

support store tcpdump off

Turns off TCPDUMP utility. After stop, results file tcpdump.tar.gz can be found via fileserver.

support must_gather datamining_issues

Collects necessary diagnostic information for Outliers, Quick search and Datamart functionality. Information includes dumps of corresponding internal tables, necessary logs, state of corresponding processes and standard must_gather diagnostics (general system and internal DB info).

support must_gather network_issues [--host=<HOST>], where optional parameter <HOST> is hostname or IP address.

The command gathers all network information from the appliance and polls hosts that Guardium interacts with by using ping, traceroute, corresponding port probing and other measures. If the optional parameter is specified, then it polls only the host that was specified (if Guardium is configured to do any activity on this host).

store antlr3_max

Use this CLI command to help control data flow between Parser and Logger The CLI command, store antlr3_max is an advanced parameter geared towards expert users and Customer Support to help control the data flow between Parser and Logger component of the Sniffer for Oracle, DB2, MySql, and MSSql.

This value (default 20,000) will change the number of concurrent parsed SQL statements that the Logger is able to hold in queue.

The issues that this could potentially help remedy are Sniffer running out of memory and restarting, or Sniffer not utilizing enough memory.

If you notice the sniffer is running out of memory and restarting, lowering the context cap may help to alleviate this. Alternatively, if the Sniffer isn't using enough of the available system memory, raising the context cap can allow it to use more.

store active_parser_engine

This CLI command is used to control which parser engine should be used by sniffer. This CLI command is only applicable to database types supported by ANTLR3 parsers (Oracle, DB2, MS SQL, MySQL

USAGE: store active_parser_engine <num>

where <num> is

1: ANTLR3 parser errors reparsed by ANTLR2 (default)

2: ANTLR2 only

3: ANTLR3 only

Show command

show active_parser_engine