Troubleshooting
Problem
On a new IBM Security Guardium v10 aggregator unit you find that some data from a certain collector is visible on the aggregator when you run reports, but much of it is missing. The data exists on the the collector and export file sizes suggest the data was sent to the aggregator.
Symptom
For example, a report on the aggregator shows 80 sessions for hostABC on MAY 03. The same report run for MAY 03 on the collector which receives traffic from hostABC shows there were over 5000 sessions that day.
The aggregator does show some data from the collector, so it's clear import worked, but much of the data seems to be missing.
Cause
The aggregator is new and no backup was restored. The collector was exporting to a different aggregator and was cut over to the new aggregator mid-month. As a result, GDM_ACCESS and the static tables are exported incrementally from the collector. The Aggregator is missing most of the records from those static tables.
Environment
IBM security Guardium v10 aggregator.
Diagnosing The Problem
The Aggregation/Archive log shows export files were received from the collectors and import succeeded.
For a particular day from a particular host, you have SOME data but not ALL the data expected, compared to the collector for that host.
Resolving The Problem
For each collector reporting to that aggreegator:
- Log into CLI
- store next_export_static on
- Log into the GUI and [Run Once Now] for the export job.
- Confirm export completed OK.
- store next_export_static off
After the next import the aggregator should have all the data.
Was this topic helpful?
Document Information
Modified date:
16 June 2018
UID
swg22003543