IBM Support

How can a 'slon' capture be created on an InfoSphere Guardium Appliance?

Question & Answer


Question

How can I generate a slon capture and send it to IBM Technical Support?

Cause

A 'slon' capture can be useful for IBM Technical Support in order to help diagnose problems with the data packets that come into the Guardium Appliance.

IBM Technical Support can 'replay' and/or analyse this capture in-house.

Answer

Recommended video

Review the video in this course on the Security Learning Academy:



There are two methods available to create a slon capture, as follows.

IMPORTANT
For both methods below, be aware that collecting a slon can fill the disk up quickly, especially on heavy traffic systems, so plan to run the slon capture for as short a time as possible whilst you reproduce the problem.


A) Using a simple CLI command to stop and start a slon capture
  • This method captures everything that comes into the appliance whilst the slon is being captured, and requires at least 15GB of free space (although the final slon file may be smaller)

    1) Log onto the appliance via PuTTY as the CLI user
      • Run the following command to start a slon capture
        • support store slon on
      • Leave the capture running ....

    2) Whilst the capture is running, generate the activity you wish to capture, for example:
      • login as a database end user to the database of concern
      • run the sql statements of concern
      • logout of the database session

    3) From the CLI, stop the slon capture
      • support store slon off

        No SQL sniffer activities were logged during slon operation.
        Results file slon_packets.tar can be downloaded using "fileserver" command.

    4) Using the CLI command fileserver, extract the slon_packets.tar file and send it to the IBM Technical Support engineer dealing with your PMR. From version 10 onwards the file is located in the last listed subdirectory, gim-snif-guard-logs/

B) Using the diag method and specifying parameters

    1) Log onto the appliance via PuTTY as the CLI user
      • Run the diag command by typing diag
        • If requested, enter the admin password
      • You should now be in the diag menu (SQLGuard Diagnostics)
        • Choose 3 - System Interactive Queries
        • Choose 12 - Slon Utility
        • Choose p - to dump packets to apks.txt
        • Choose 300 - seconds (5 minutes), for example
      • Leave the capture running ....

    2) Whilst the capture is running, generate the activity you wish to capture, for example:
      • login as a database end user to the database of concern
      • run the sql statements of concern
      • logout of the database session

    3) Pack and send the slon files to IBM Technical Support
      • From the diag utility session in 1) above
        • Choose <OK>
        • Choose <Cancel> to return to the main diag menu
        • Choose 1 - Output Management
        • Choose 1 - End and Pack Current Session

    4) Extract the files and send them to the IBM Technical Support engineer dealing with your PMR
      • The slon capture is located in the diag/depot directory and will typically have a name that includes the date and time, for example
        • diag_session_17_7_1441.tgz

How can log files be extracted from an InfoSphere Guardium Appliance?

Note: Here are further details on the diag utility, which can also be found in the relevant Appendices section of the Product Help Manual(s).

Product: IBM Security Guardium
Platform: Linux
Version: 10.0; 10.0.1; 10.1; 10.1.2; 8.2; 9.0; 9.1; 9.5
Edition: All Editions

Document Information

Modified date:
03 February 2021

UID

swg21508960