Question & Answer
How can I check if the correct data is being logged on my Guardium Collector? Can I check if my Guardium Policy is excluding that data from being logged?
You have some DB Servers with STAPs sending data to a Guardium Collector and you wish to check if certain data is being logged into the Guardium Appliance.
In your reports you can't see the data you expect and you want to make some basic checks to isolate the problem.
Some detail from the video
There are some pre-defined reports that can be used to view certain data - for example in v9
View -> DB Activities -> Database Servers -> Servers Accessed
figure 1 - a pre-defined report (Servers Accessed)
In v10 the same report can be found under Investigate -> Report Builder, or added to a new dashboard in My Dashboards.
Some drill down is also available on reports when double clicking any row in v9 or right clicking in v10.
As well as the above pre-defined reports - here are 4 basic reports that can be imported into your system and then tailored to make the necessary checks.
These reports can be imported into your v9.1, v9.5 or v10 appliance. You will receive a compatibility warning when importing into v10 which is expected. Once imported, the reports are configurable as normal.
1. Import the .sql files above from
v9 GUI -> Administration Console -> Guardium Definitions -> Import.
v10 GUI -> Manage -> Data Management -> Definitions Import.
This must be done on the Central Manager if one exists in the environment.
2. Add the report to a v9 pane from Tools -> Report Building -> Access Tracking.
Pick a report and, once the report definition comes up, click "Add to Pane" and add it to e.g. "Daily Monitor".
figure 2 - picking one of the reports just imported in v9
You can then access and run these reports at any time from that Daily Monitor pane.
In v10 use My Dashboards, create a new dashboard and add the reports.
- IBM Sessions report
It uses the Main Entity of Session, which can list the individual sessions.
Note - For any Policy, all session information (log ins / log outs) is always logged (even if a rule is in place which will IGNORE S-TAP SESSION). This report can be used to check that basic session data is being captured from whichever DB Server / Database you are interested in. It reports in reverse session date order.
figure 3 - report showing a list of sessions logged on the appliance
- IBM Sessions Count report
This report is as above, however it will show a simple count of the sessions per Client/Server detail.
figure 4 - report showing a count of sessions logged on the appliance per Client/Server detail
- IBM Full SQL report
It uses the Main Entity of FULL SQL, which can list the individual sessions. It reports in reverse session date order.
A pre-requisite is that full details are being logged (i.e. a rule in the Policy is set to "LOG FULL DETAILS"). The following report can then be used to check the SQL statements being logged.
figure 5 - report showing a list of Full SQL logged on the appliance (* it is logged so long as a LOG FULL DETAILS rule is within the Policy)
- IBM Full SQL Count report
This report is as above, however it will show a simple count of the sessions and Full SQL statements per Client/Server detail.
figure 6 - report showing a count of Full SQL logged on the appliance per Client/Server detail (* it is logged so long as a LOG FULL DETAILS rule is within the Policy)
These reports can be edited, cloned and re-saved as per normal. Parameters can be changed at any time.
Changing Report Parameters - Tips
Run Time Parameters
For these queries the QUERY_FROM_DATE and QUERY_TO_DATE can be changed, for example to limit the report to just the most recent 3 minutes of data.
Click the pencil at the top right in v9, or the wrench in v10.
Any of the Fields can be used to set a condition as normal, and the report can then be re-saved and re-run - for example to restrict it to a specific ServerIP ...
Click the edit report icon at the bottom in v9, or at the top left in v10.
Add a condition - for example
Is there a Policy Problem?
- Is the STAP for the specific DB Server connecting and sending data (does the STAP show as green / active in the System View or System Monitor)?
- If the STAP is active and sending data, then a Policy Rule could be excluding specific data from being logged.
If you have made checks using the above reports to see if specific data has been logged, and still can't find it, then consider the following:
- If the STAP is inactive, see - What to do if you get Guardium "Inactive S-TAPs Since" alerts
- As a sanity check, you can set an "Allow-All" policy (with a rule to LOG FULL DETAILS if needed) for a short period - e.g. 5 minutes - to check and prove that the data you are looking for can be logged.
Warning! The LOG FULL DETAILS Policy action should be used as little as possible (potentially the disk space could fill quickly). If you use it for troubleshooting, please review the policy before resuming normal operations.
If doing that proves that the data can be logged, then you will know that the Policy is to blame and somewhere there will be a rule that is filtering the data and excluding it from being logged.
*Note - IBM Guardium Technical Support cannot advise on the Policy rules you should use in your environment. That task should be undertaken by engaging IBM Services, who can work with you to better understand your business needs for your whole Enterprise and build the Policy with you based on those needs.
16 June 2018