Question & Answer
Question
How can I generate a slon capture and send it to IBM Technical Support?
Cause
A 'slon' capture can be useful for IBM Technical Support in order to help diagnose problems with the data packets that come into the Guardium Appliance.
They have the ability to 'replay' and/or analyse this capture in-house.
Answer
Recommended video
Review the video in this course on the Security Learning Academy:
To create a slon capture, there are two methods available, as follows:
IMPORTANT
For both methods below, please be aware that collecting a slon can fill the disk up quickly, especially on heavy-traffic systems, so please plan to run the slon capture for as short a time as possible whilst you reproduce the problem.
A) Using a simple CLI command to stop and start a slon capture
- This method will capture everything that comes into the appliance whilst the slon is being captured and requires at least 15GB of free space (although the final slon file may be smaller)
1) Log onto the appliance via PuTTY as the CLI user
- Run the following command to start a slon capture
- support store slon on
- Leave the capture running ....
2) Whilst the capture is running, generate the activity you wish to capture, for example:
- login as a database end user to the database of concern
- run the sql statements of concern
- logout of the database session
3) From the CLI, stop the slon capture
- support store slon off
No SQL sniffer activities were logged during slon operation.
Results file slon_packets.tar can be downloaded using "fileserver" command.
4) Using the CLI command fileserver, extract and send the slon_packets.tar file to the IBM Technical Support engineer dealing with your PMR
- From version 10 onwards, the file is located in the last listed subdirectory, gim-snif-guard-logs/
B) Using the diag utility
1) Log onto the appliance via PuTTY as the CLI user
- Run the diag command by typing diag
- If requested, enter the admin password
You should now be in the diag menu (SQLGuard Diagnostics)
- Choose 3 - System Interactive Queries
- Choose 12 - Slon Utility
- Choose p - to dump packets to apks.txt
- Choose 300 - seconds (5 minutes) (for example)
- Leave the capture running ....
2) Whilst the capture is running, generate the activity you wish to capture, for example:
- login as a database end user to the database of concern
- run the sql statements of concern
- logout of the database session
3) Pack and send the slon files to IBM Technical Support
- From the diag utility session in 1) above
- Choose <OK>
- Choose <Cancel> to return to Main diag menu
- Choose 1 - Output Management
- Choose 1 - End and Pack Current Session
4) Extract and send the files to the IBM Technical Support engineer dealing with your PMR
- The slon capture is located in the diag/depot directory and will typically have a name including the date and time in the filename, for example
- diag_session_17_7_1441.tgz
Note: Further details on the diag utility can also be found in the relevant Appendices section of the Product Help Manual(s).
Document Information
Modified date:
03 February 2021
UID
swg21508960