IBM Support

How can I check if the correct data is being logged on my Guardium Appliance ?

Question & Answer


Question

How can I check if the correct data is being logged on my Guardium Collector? Can I check if my Guardium Policy is excluding that data from being logged ?

Cause

You have some DB Servers with STAPs sending data to a Guardium Collector and you wish to check if certain data is being logged into the Guardium Appliance .

In your reports you can't see the data you expect and you want to make some basic checks to isolate the problem.

Answer


YouTube Video
How can I check if the correct data is being logged on my Guardium Appliance? (11.53)
Use specific Guardium GUI reports to check the data being logged on a Guardium Appliance .

Some detail from the video

There are some pre-defined reports that can be used to view certain data - for example in v9

View -> DB Activities -> Database Servers -> Servers Accessed



figure 1 - a pre-defined report (Servers Accessed)

The same report can be found in v10 Investigate -> Report Builder or added to a new dashboard in My Dashboards

Some drill down is also available on reports when double clicking any row in v9 or right clicking in v10.

As well as the above pre-defined reports - here are 4 basic reports that can be imported into your system and then tailored to make the necessary checks.


These reports can be imported into your v9.1, v9.5 or v10 appliance. You will receive a compatibility warning when importing into v10 which is expected. Once imported, the reports are configurable as normal.

Report to Download and Import


Report Name Purpose
IBM_Sessions_report.sqlIBM_Sessions_report.sql-IBM SessionsProvides a report of all recent sessions logged in reverse session date order (most recent first) - shows specific Client Server Information
IBM_Sessions_Count_report.sqlIBM_Sessions_Count_report.sql-IBM Sessions CountProvides a report of all recent session counts - shows specific Client Server Information
IBM_Full_SQL_report.sqlIBM_Full_SQL_report.sql-IBM Full SQLProvides a report of all recent sessions which have the Full SQL logged in reverse session date order (most recent first) - shows specific Client Server Information
IBM_Full_SQL_Count_report.sqlIBM_Full_SQL_Count_report.sql-IBM Full SQL CountProvides a report of all recent session counts and Full SQL counts where the Full SQL has been logged - shows specific Client Server Information

1. Import the .sql files above from
v9 GUI -> Administration Console -> Guardium Definitions -> Import.
v10 GUI -> Manage -> Data Management -> Definitions Import.
This must be done on the Central Manager if one exists in the environment.

2. Add the report to a v9 pane from Tools -> Report Building -> Access Tracking.
Pick a report - and then once the report definition comes up - click "Add to Pane" - and add to eg "Daily Monitor"


    figure 2 - picking one of the reports just imported in v9

You can then access and run these reports at any time from that Daily Monitor pane.

In v10 use My Dashboards, create a new dashboard and add the reports.

-IBM Sessions report


    It uses the Main Entity of Session which can list the individual sessions

    Note - For any Policy all session information (log in / log outs) are always logged ( even if a rule is in place which will IGNORE S-TAP SESSION) - This report can be used to check basic session data is being captured from whichever DB Server / Database you are interested in. - reports in reverse session date order



    figure 3 - report showing a list of sessions logged on the appliance


-IBM Sessions Count report

    This report is as above - however will show a simple count of the sessions per Client Server detail



    figure 4 - report showing a count of sessions logged on the appliance per Client/Server detail


- IBM Full SQL report

    It uses the Main Entity of FULL SQL which can list the individual sessions - reports in reverse session date order

    A pre-requisite is that full details are being logged ( ie -a rule in the Policy is set to "LOG FULL DETAILS" ) then the following report can be used to check the sql statements being logged.



    figure 5 - report showing a list of Full SQL logged on the appliance ( * it is logged so long as a LOG FULL DETAILS rule is within the Policy )

-IBM Full SQL Count report


    This report is as above - however will show a simple count of the sessions and Full SQL statements per Client Server detail



    figure 6 - report showing a count of Full SQL logged on the appliance per Client/Server detail ( * it is logged so long as a LOG FULL DETAILS rule is within the Policy )

These reports can be edited, cloned and re-saved as per normal - Parameters can be changed at any time

Changing Report Parameters - Tips


    Run Time Parameters

      For these queries the QUERY_FROM_DATE and QUERY_TO_DATE can be changed to limit to show just the recent 3 minutes data for example

        click the pencil top right in v9 or wrench in v10.

        Amend parameters

    Report Parameters


      Any of the Fields can be used to set a condition as normal and the report can the be re-saved and re-run - for example to restrict for a specific ServerIP ...

        click the edit report icon at the bottom in v9 or top left in v10.


        Add a condition - for example

Is there a Policy Problem ?


    If you have made checks using the above reports to see if specific data has been logged - and still can't find it then consider the following :-

    • is the STAP for the specific DB Server connecting and sending data ( does the STAP show as green / active in the System View or System Monitor ? )

    • if the STAP is active and sending data - then a Policy Rule could be excluding specific data from being logged .

        As a sanity check - you can set an "Allow-All" policy ( and with a rule to LOG FULL DETAILS if needed ) for a short period - eg 5 minutes - to check and prove that the data you are looking for can be logged

        Warning! the LOG FULL DETAILS Policy action should be used as little as possible (potentially the the disk space could fill quickly) . If you use it for troubleshooting please review the policy before resuming normal operations.

        If doing that proves that the data can be logged - then you will know that the Policy is to blame and somewhere there will be a rule that is filtering the data and excluding it from being logged.



    *Note IBM Guardium Technical Support cannot advise on the Policy rules you should use in your environment. - that task should be undertaken by engaging IBM Services who can work with you to better understand your business needs for your whole Enterprise and build the Policy with you based on those needs.

[{"Product":{"code":"SSMPHH","label":"IBM Security Guardium"},"Business Unit":{"code":"BU008","label":"Security"},"Component":"--","Platform":[{"code":"PF016","label":"Linux"}],"Version":"9.1;9.0;8.2;10.0;9.5","Edition":"All Editions"}]

Document Information

Modified date:
16 June 2018

UID

swg21699711