Windows: General parameters

These parameters define basic properties of the S-TAP running on a Windows server and the server on which it is installed, and do not fall into any of the other categories.

These parameters are stored in the [VERSION] section of the S-TAP properties file.
Table 1. S-TAP configuration parameters in the [VERSION] section
GUI guard_tap.ini Description
  STAP_CLIENT_BUILD Read only. The build version of the installed S-TAP.
Version PROTOCOL_VERSION Read only. The version of the Guardium system.
These parameters are stored in the [TAP] section of the S-TAP properties file.
Table 2. S-TAP configuration parameters in the [TAP] section
GUI GIM guard_tap.ini Default value Description
    TAP_TYPE wstap Read only. The type of installed S-TAP agent.
Version   TAP_VERSION   Read only. The version of S-TAP installed on the server.
S-TAP Host TAP_IP   Read only. Used by the file system monitoring service, instead of the SOFTWARE_TAP_HOST parameter. Both parameters should have the same value.
All can control WSTAP_ALL_CAN_CONTROL ALL_CAN_CONTROL 0 0=S-TAP can be controlled only from the primary Guardium system. 1=S-TAP can be controlled from any Guardium system.
Load balancing WINSTAP_PARTICIPATE_IN_LOAD_BALANCING PARTICIPATE_IN_LOAD_BALANCING 0 Controls S-TAP load balancing (not enterprise load balancing) to Guardium systems:
  • 0: No load balancing.
  • 1: Load balancing. Traffic is balanced between the primary and secondary servers, defined in the SQLGuard section.
  • 2: Redundancy. Fully mirrored S-TAP sends all traffic to all primary and secondary servers, defined in the SQLGuard section.
  • 3: Hardware load balancing. Guardium uses a load balancer such as F5 or Cisco. S-TAP sends the traffic to the load balancer, which forwards it to one of the collectors in the pool.
Use the primary parameter in the SQLGUARD section to specify primary, secondary, etc. servers. If this parameter is set to 0, and you have more than one Guardium system monitoring traffic, then the non-primary Guardium systems are available for failover.

1=use SSL (TLS) to encrypt traffic between the agent and the Guardium system.

0=do not encrypt. Warning: the traffic between the agent and the Guardium system is sent in clear text.

Guardium recommends encrypting network traffic between the S-TAP and the collector whenever possible; disable it only where performance is a higher priority than security.

TLS Failover   FAILOVER_TLS 1 1=If a TLS connection is not possible for any reason, fail over to a non-secure connection. 0=Use only secure connections. Note that with the default of 1 a TLS failure silently degrades the agent-to-collector traffic to clear text; set 0 where encryption is a requirement.
  NUMBER_OF_PROCESSORS 4 Read only. Number of processors on the machine
    ALTERNATE_IPS   Comma-separated list of alternate or virtual IP addresses used to connect to this database server. This is used only when your server has multiple network cards with multiple IPs, or virtual IPs. S-TAP only monitors traffic when the destination IP matches either the S-TAP Host IP defined for this S-TAP or one of the alternate IPs listed here, so it is recommended that you list all virtual IPs here.
  DB2_TAP_INSTALLED 0 Set to 1 for sniffing DB2 shared memory traffic. Starts the DB2 TAP Service when set to 1.
  DB2_EXIT_DRIVER_INSTALLED   DB2 integration with S-TAP: set to 1 to enable DB2 Exit library integration.
  • S-TAP captures all DB2 traffic directly from the DB2 engine. This is available only for specific DB2 releases: 10.1 and onwards.
  • When this method is used, Firewall and Scrub/Redact functionality are not supported, and stored procedures are not captured.
  • All DB2 traffic is captured regardless of encryption or network protocol.
  • This simplifies the S-TAP configuration for customers deploying this version of DB2 and gives them native DB2 support.
  DB2_SHMEM_DRIVER_INSTALLED   Deprecated, and replaced by db2_tap_installed.
    DC_COLLECT_FREQ 24 Specifies the frequency of collection in hours. Minimum is 1, maximum is 24. GuardiumDC is a service that collects updates of user accounts (SIDs and usernames) from the primary domain controller and then signals the changes to Guardium_S-TAP to update the S-TAP internal SID/UserName map. If S-TAP cannot find a resolved SID in the map, it tries to get it from the primary domain controller, in which case S-TAP logs a message to the debug log (level 7): The account name *** has been retrieved for SID ***.
    DC_COLLECT_MAXUSERS 200,000 The maximum number of users to collect. Minimum is 10,000.
  DOMAIN_CONTROLLER   The name of the specific controller from which the SID/usernames map should be read.
  HIGH_RESOLUTION_TIMER 0 0: send time stamps in milliseconds. 1: send time stamps in microseconds, but use milliseconds system timer (to reduce system performance hit - multiply milliseconds by 1000). 2: send time stamps in microseconds, use high resolution windows timer (most accurate). For cases 1 and 2, the S-TAP will indicate to the Guardium system that micro seconds are sent, by setting the reserved byte in PacketData to 1.
  BUFFER_FILE_SIZE 50 Advanced. The initial size of the buffer. The range is 5 to 1000 in MB.
    BUFFER_FILE_NAME   The full path of the memory mapped file if BUFFER_MMAP_FILE=1. Default is WSTAP working folder/StapBuffer/STAP_buffer.dtx
  BUFFER_MMAP_FILE 0 1=memory mapped file option. 0=virtual memory allocation
  SOFTWARE_TAP_HOST   The database server host on which S-TAP is installed. It can be an IP address or a name recognized by the DNS server. There is no default. An invalidly configured SOFTWARE_TAP_HOST is automatically replaced with a valid local IP.
  TCP_ALIVE_MESSAGE 1 This parameter is deprecated since Guardium v10.x. Guardium collectors no longer send UDP alive messages.
Compres. level COMPRESSION_LEVEL 0 Compression level, from 1 to 9. 0=no compression.
  FILE_SNIFFER_FREQUENCY 45 Frequency, in seconds, of:
  • registration attempts with a Guardium system if a previous attempt was not successful
  • S-TAP checks for new logs available from Program Files\IBM\Windows S-TAP\Logs for uploading onto collector
  MAXIMUM_PACKET_NUM 300,000 Deprecated
  MIN_BYTES_TO_COMPRESS 500 Advanced. Minimum size of message to compress.
  NOT_SEND_TO_SQLGUARD 0 Advanced. Send nothing to the Guardium system.
  RECV_LEVEL 0 Advanced.
Messages: remote REMOTE_MESSAGES 1 1=Send messages to the active Guardium system. 0=Do not send messages
  SEND_LEVEL 0 Advanced. Used for thread prioritization.
  SNIFFED_UDP_PORTS 88 Deprecated.
  SYNCH_FLAG 1 Read only. Deprecated in v10.0. Indicates whether parameters are synchronized with the UI.
  TAP_MIN_HEARTBEAT_INTERVAL 30 Maximum time, in seconds, that the S-TAP attempts to write to the primary Guardium system buffer before attempting to write to the secondary Guardium buffer. With the default of 30 seconds and the default TAP_MIN_TIME_BEFOREFAILOVER of 5 minutes, the S-TAP attempts at least 5*60/30 = 10 writes before failing over.
    TAP_MIN_TIME_BEFOREFAILOVER 5 The time interval, in minutes, after which the S-TAP switches to secondary Guardium system if: it cannot connect to its primary Guardium system; it can connect to its primary Guardium system but cannot write to its buffer.
  TCP_BUFFER_SIZE 60000 Advanced. Minimum number of bytes to collect before sending a message to the Guardium system
  TIME_NETWORK 0 Advanced. Used for debug only.
  WEB_SERVER_CONNECTIONS 1 Maximum number of DB connections by .net app.
  WEB_SERVER_INSTALLED 0 Deprecated. Formerly used to enable IIS tap.
  WEB_SERVER_PORT 9000 Port for web-server
  GUARDIUM_CA_PATH NULL Location of the Certificate Authority certificate.
  SQLGUARD_CERT_CN NULL The common name to expect from the Sqlguard certificate.
  GUARDIUM_CRL_PATH NULL The path to the Certificate Revocation list file or directory.
  TAP_FAILOVER_SESSION_QUIESCE 240 The number of seconds after failover after which unused sessions in the failover list from the previous active servers can be removed from the current active server.
  TAP_FAILOVER_SESSION_SIZE 8192 Size, in MB, of the failover session list. 0=no failover sessions should be saved
  DB_IGNORE_RESPONSE   Ignore responses at the inspection level. Use this parameter to ignore all database responses at the S-TAP level, without sending anything to the Guardium system. In environments where only client transactions are of interest, this saves bandwidth and processing time for both the S-TAP and the Guardium system, and is an easier way to drop unwanted database responses without loading the network. Database types can be listed comma-separated, or ALL can be specified to ignore responses from all database types, for example, DB_IGNORE_RESPONSE=ALL or DB_IGNORE_RESPONSE=MSSQL,DB2. Supported DB types: ALL, MSSQL_NP, MSSQL, MYSQL, TRD, PGRS, MSSYB, ORACLE, DB2, DB2_EXIT, INFORMIX, KERBEROS, FTP, CIFS.

Comma-separated list of IP/MASKs whose responses are ignored. Any DB responses of the types specified by DB_IGNORE_RESPONSE to the specified IP/MASKs are ignored.

NULL: no IP filter is applied; responses to all IPs are ignored.

  DB_IGNORE_RESPONSE_LOCAL 1 Filter local database responses. 0=no, 1=yes.
Note: TCP traffic is not considered Local traffic for db_ignore_response_local parameter.
  DB_IGNORE_RESPONSE_BYPASS_BYTES 65535 DB_IGNORE_RESPONSE takes effect once this number of bypass bytes has been reached.
  UPLOAD_FEATURE 1 Controls uploading of all log files from Program Files\IBM\Windows S-TAP\Logs onto the collector.
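The following audit script is an added example, not IBM's code or part of this reference. It reads the [TAP] section of a guard_tap.ini with Python's configparser and checks the security-relevant settings described in Table 2: ALL_CAN_CONTROL, FAILOVER_TLS, the certificate parameters, the documented value ranges, the TAP_IP/SOFTWARE_TAP_HOST agreement, and the write attempts implied by TAP_MIN_TIME_BEFOREFAILOVER and TAP_MIN_HEARTBEAT_INTERVAL. Both .ini samples are constructed for illustration (the CA path and certificate CN in the hardened sample are placeholders), and the parameter that enables encryption is not named on this page, so the script keys only on FAILOVER_TLS and the certificate parameters for transport checks.

```python
"""Added example (not IBM's code): audit the [TAP] section of a Windows
S-TAP guard_tap.ini against the parameter semantics documented above.
The .ini samples below are constructed for illustration."""
import configparser
from typing import List, Optional, Tuple

Finding = Tuple[str, str, str]  # (parameter, severity, message)

# Constructed sample with several weak or out-of-range values.
SAMPLE_INI = """\
[TAP]
TAP_TYPE=wstap
SOFTWARE_TAP_HOST=10.0.5.20
TAP_IP=10.0.5.21
ALL_CAN_CONTROL=1
PARTICIPATE_IN_LOAD_BALANCING=7
FAILOVER_TLS=1
GUARDIUM_CA_PATH=NULL
SQLGUARD_CERT_CN=NULL
DC_COLLECT_FREQ=48
BUFFER_FILE_SIZE=3
COMPRESSION_LEVEL=0
TAP_MIN_HEARTBEAT_INTERVAL=30
TAP_MIN_TIME_BEFOREFAILOVER=5
"""

# Constructed hardened counterpart; the CA path and CN are placeholders.
HARDENED_INI = """\
[TAP]
TAP_TYPE=wstap
SOFTWARE_TAP_HOST=10.0.5.20
TAP_IP=10.0.5.20
ALL_CAN_CONTROL=0
PARTICIPATE_IN_LOAD_BALANCING=1
FAILOVER_TLS=0
GUARDIUM_CA_PATH=C:\\ProgramData\\Guardium\\ca.pem
SQLGUARD_CERT_CN=collector01.example.internal
DC_COLLECT_FREQ=24
BUFFER_FILE_SIZE=50
COMPRESSION_LEVEL=0
TAP_MIN_HEARTBEAT_INTERVAL=30
TAP_MIN_TIME_BEFOREFAILOVER=5
"""

# Allowed ranges taken from Table 2: (min, max).
RANGES = {
    "PARTICIPATE_IN_LOAD_BALANCING": (0, 3),
    "DC_COLLECT_FREQ": (1, 24),
    "BUFFER_FILE_SIZE": (5, 1000),
    "COMPRESSION_LEVEL": (0, 9),
}


def writes_before_failover(before_failover_min: int, heartbeat_s: int) -> int:
    """Minimum write attempts to the primary before switching to the secondary:
    TAP_MIN_TIME_BEFOREFAILOVER (minutes) divided by TAP_MIN_HEARTBEAT_INTERVAL (seconds)."""
    return before_failover_min * 60 // heartbeat_s


def _value(section: configparser.SectionProxy, key: str) -> Optional[str]:
    """Raw value, treating a missing key or the literal NULL as unset."""
    v = section.get(key)
    return None if v is None or v.strip().upper() == "NULL" else v.strip()


def audit_tap_section(ini_text: str) -> List[Finding]:
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # guard_tap.ini keys are upper case; keep them that way
    cp.read_string(ini_text)
    tap = cp["TAP"]
    findings: List[Finding] = []

    def as_int(key: str, default: int) -> int:
        v = _value(tap, key)
        if v is None:
            return default
        try:
            return int(v.replace(",", ""))  # the table writes values like 200,000
        except ValueError:
            findings.append((key, "error", f"non-numeric value {v!r}"))
            return default

    # Control plane: any Guardium system may reconfigure this agent.
    if as_int("ALL_CAN_CONTROL", 0) == 1:
        findings.append(("ALL_CAN_CONTROL", "high",
                         "controllable from any Guardium system; set 0 to restrict to the primary"))
    # Transport: a failed TLS connection silently degrades to clear text.
    if as_int("FAILOVER_TLS", 1) == 1:
        findings.append(("FAILOVER_TLS", "high",
                         "falls back to a non-secure connection when TLS fails; set 0 to require TLS"))
    for key in ("GUARDIUM_CA_PATH", "SQLGUARD_CERT_CN"):
        if _value(tap, key) is None:
            findings.append((key, "warning", "not configured (NULL)"))
    # Documented value ranges.
    for key, (lo, hi) in RANGES.items():
        v = as_int(key, lo)
        if not lo <= v <= hi:
            findings.append((key, "error", f"value {v} outside {lo}..{hi}"))
    # The table says TAP_IP and SOFTWARE_TAP_HOST should carry the same value.
    if _value(tap, "TAP_IP") != _value(tap, "SOFTWARE_TAP_HOST"):
        findings.append(("TAP_IP", "warning", "differs from SOFTWARE_TAP_HOST"))
    # Failover timing, using the table defaults when a key is absent.
    n = writes_before_failover(as_int("TAP_MIN_TIME_BEFOREFAILOVER", 5),
                               as_int("TAP_MIN_HEARTBEAT_INTERVAL", 30))
    findings.append(("TAP_MIN_TIME_BEFOREFAILOVER", "info",
                     f"about {n} write attempts to the primary before failover"))
    return findings


if __name__ == "__main__":
    for param, sev, msg in audit_tap_section(SAMPLE_INI):
        print(f"{sev:8} {param:32} {msg}")
```

Run it against a copy of the real guard_tap.ini (read the file and pass its text to audit_tap_section) after any change pushed from the GUI or GIM; the high findings are the two settings that widen who can control the agent and whether its traffic can drop to clear text, the errors are values outside the documented ranges, and the info line makes the failover arithmetic from Table 2 explicit.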