High CPU and I/O Use in Guardium STAP host

If you observe a high CPU or I/O usage, review the configuration for all of the inspection engines.

Symptom

You observe high CPU or I/O usage by the Guardium S-TAP process.

Cause

The following items are common causes.

  1. An error in the configuration of one of the inspection engines. If an inspection engine is misconfigured, the S-TAP process restarts frequently or repeatedly tries to reconnect to that inspection engine.
  2. The K-TAP component of the S-TAP sends connection information to S-TAP together with a confirmation request for each new session. Waiting for that confirmation causes delays.
  3. Oracle RAC is used, but the unix_domain_socket_marker parameter is not set in the S-TAP configuration file, so S-TAP monitors potentially large amounts of Oracle RAC traffic.
  4. The User ID Chain (UID chain) feature is enabled, for example by the parameter hunter_trace=1 in the S-TAP configuration file. Hunter trace is used for UID chain and can be quite CPU intensive for S-TAP.
  5. The firewall is enabled (firewall_installed=1). This setting forces S-TAP to request a verdict for each new session that is observed, which can hurt S-TAP performance.

Environment

S-TAP installed on AIX

Resolving the problem

Based on the cause, take the corresponding actions.

  1. Review the configuration for all of the inspection engines and make sure that there are no errors in any of the parameters. For example, make sure the database installation directory, executable, ports, and any other parameters applicable to your inspection engine are correctly set with no misspellings or wrong values.
  2. Set S-TAP configuration parameter ktap_fast_tcp_verdict to 1 (ktap_fast_tcp_verdict = 1 in the guard_tap.ini configuration file) and restart the S-TAP. Here are the possible settings.

    ktap_fast_tcp_verdict=0: K-TAP asks S-TAP to confirm that each session is a database connection that an inspection engine is configured for, by checking the ports and IPs.

    ktap_fast_tcp_verdict=1: K-TAP does not send the confirmation request to S-TAP when the session's ports are within the configured range.

  3. Disable the UID Chain feature if not needed by setting hunter_trace=0 and restarting the S-TAP.
  4. Set firewall_installed=0 if SGATE is not needed and restart the S-TAP.
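The four resolution steps above all come down to checking a handful of values in guard_tap.ini. The following POSIX shell script is an added example, not IBM's code: it reads a guard_tap.ini, reports the three settings this technote names as CPU-heavy (ktap_fast_tcp_verdict, hunter_trace, firewall_installed), and counts the findings, so an administrator can run it on each AIX host before and after applying the fixes. The [TAP] section name, the sample values, and the choice to treat a missing ktap_fast_tcp_verdict as a finding are assumptions made for the example.

```shell
#!/bin/sh
# Audit a guard_tap.ini for the settings this technote associates with high
# S-TAP CPU use. Constructed example; not part of the Guardium product.

# get_param FILE KEY: print the value of KEY (first uncommented match),
# tolerating spaces around '='; prints nothing if the key is absent.
get_param() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*\)$/\1/p" "$1" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

# audit_stap_ini FILE: print one line per finding; always returns 0 so it
# can be used under 'set -e' and in pipelines.
audit_stap_ini() {
    v=$(get_param "$1" ktap_fast_tcp_verdict)
    # Assumption: an unset value is reported so the admin sets it explicitly.
    if [ "$v" != "1" ]; then
        echo "ktap_fast_tcp_verdict=${v:-unset}: K-TAP confirms every session with S-TAP; set ktap_fast_tcp_verdict=1"
    fi
    v=$(get_param "$1" hunter_trace)
    if [ "$v" = "1" ]; then
        echo "hunter_trace=1: UID chain tracing is CPU intensive; set hunter_trace=0 if not needed"
    fi
    v=$(get_param "$1" firewall_installed)
    if [ "$v" = "1" ]; then
        echo "firewall_installed=1: S-GATE verdict requested per session; set firewall_installed=0 if not needed"
    fi
    return 0
}

# count_findings FILE: number of findings reported for FILE.
count_findings() {
    audit_stap_ini "$1" | awk 'END { print NR }'
}

# write_weak_ini FILE: constructed sample with all three costly settings.
# Section and key layout is assumed for the example.
write_weak_ini() {
    cat > "$1" <<'EOF'
[TAP]
tap_ip=127.0.0.1
ktap_fast_tcp_verdict = 0
hunter_trace=1
firewall_installed=1
;ktap_fast_tcp_verdict=1   (commented out, must be ignored)
EOF
}

# write_fixed_ini FILE: the same constructed sample after the fixes.
write_fixed_ini() {
    cat > "$1" <<'EOF'
[TAP]
tap_ip=127.0.0.1
ktap_fast_tcp_verdict=1
hunter_trace=0
firewall_installed=0
EOF
}

# Usage: sh audit_stap_ini.sh /path/to/guard_tap.ini
if [ $# -eq 1 ]; then
    audit_stap_ini "$1"
    echo "findings: $(count_findings "$1")"
fi
```

After changing any of these values, restart the S-TAP as the steps above describe; the script only reads the file and never modifies it, so it is safe to run on a production host.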