
Streaming data to IBM Security Guardium S-TAP on z/OS

How To


Summary

IBM Security Guardium S-TAP on z/OS collects audit event data and streams it to Guardium appliances. You can choose from five modes to stream data: Single Appliance, Failover, Hot Failover, Multistream, or Mirroring. This article explains the five data streaming modes, how they work, and how to configure each.

Environment

The mode you choose depends on:
  • The number of connected Guardium appliances you want to stream data to. You can stream data to one primary and up to five secondary Guardium appliances, six in total. Set the primary appliance with APPLIANCE_SERVER(). Set each secondary Guardium appliance with APPLIANCE_SERVER_n, where n=1-5.
  • How you want Security Guardium S-TAP to handle data if a connection outage occurs.
The following table lists parameters referred to in this article that configure data streaming.
Data Streaming Parameters

Parameter               Values                    Description
APPLIANCE_SERVER_LIST   FAILOVER                  Specify the data streaming mode.
                        HOT_FAILOVER              If you use Single Appliance mode, you do not
                        MULTI_STREAM              need to use this parameter.
                        MIRROR
APPLIANCE_SERVER        IP address or hostname    Specify the IP address or hostname of the
                                                  primary appliance to stream to.
APPLIANCE_SERVER_n      IP address or hostname    Specify the IP address or hostname of the
                                                  secondary (failover) appliances, where n=1-5.
                                                  During a connection outage, Guardium S-TAP
                                                  attempts to connect to failover appliances in
                                                  the order you number them.
                                                  Not required for Single Appliance mode.

Steps

Single Appliance mode

Single Appliance mode streams data to one connected appliance. It does not provide failover during a connection outage, and you cannot specify backup failover appliances. When a connection outage occurs in Single Appliance mode, Security Guardium S-TAP continues to collect data. During short-term outages, spill areas prevent data loss until connectivity is restored, at which point data streaming to the appliance resumes.

  1. Specify the IP address or hostname of the primary appliance with parameter APPLIANCE_SERVER.

Example APPLIANCE_SERVER configuration:

APPLIANCE_SERVER(192.168.2.1)

APPLIANCE_SERVER(myCompany.com)

Failover mode

Failover mode streams data to one or more backup failover appliances when a connection outage occurs.

Events are first streamed to the appliance specified by APPLIANCE_SERVER. During a connection outage, Guardium S-TAP attempts to connect to appliances in the order you number them with parameter APPLIANCE_SERVER_n.

In Failover mode, policies are pushed to the S-TAP from the active appliance. For example, if a connection outage occurs with the appliance you specified with APPLIANCE_SERVER and a connection is established with the failover appliance specified with APPLIANCE_SERVER_1, a new policy is activated and pushed by the failover appliance. For this reason, install the same policy for all appliances you define with parameters APPLIANCE_SERVER and APPLIANCE_SERVER_n.

  1. Specify the IP address or hostname of the primary appliance with parameter APPLIANCE_SERVER.
  2. Specify FAILOVER as the data streaming type for parameter APPLIANCE_SERVER_LIST.
  3. Specify the IP address or hostname of each failover appliance with parameter APPLIANCE_SERVER_n, where n=1-5.

Example FAILOVER configuration:

APPLIANCE_SERVER_LIST(FAILOVER)

APPLIANCE_SERVER(192.168.2.100)

APPLIANCE_SERVER_1(192.168.2.101)

Note: In Failover mode, install the same policy for all appliances you specify in APPLIANCE_SERVER through APPLIANCE_SERVER_n. Failover connections to subsequent appliances use newly activated policies.

Hot Failover mode

Like Failover mode, Hot Failover mode streams data to backup failover appliances when a connection outage occurs. However, in Hot Failover mode, connections to all appliances you specify with APPLIANCE_SERVER_n are initiated at S-TAP startup, and the connections are always kept active.

In Hot Failover mode, you need to configure and activate the policy only for the primary appliance you specify with parameter APPLIANCE_SERVER. If a connection outage occurs and connectivity is successfully established with a failover appliance specified by APPLIANCE_SERVER_n, the policy pushed by the primary appliance continues to be the active policy.

  1. Specify the IP address or hostname of the primary appliance with parameter APPLIANCE_SERVER.
  2. Specify HOT_FAILOVER as the data streaming type for parameter APPLIANCE_SERVER_LIST.
  3. Specify the IP address or hostname of each failover appliance with parameter APPLIANCE_SERVER_n, where n=1-5.

Example HOT_FAILOVER configuration:

APPLIANCE_SERVER_LIST(HOT_FAILOVER)

APPLIANCE_SERVER(192.168.2.100)

APPLIANCE_SERVER_1(192.168.2.101)

Note: In Hot Failover, Multistream, and Mirroring mode, you need to configure and activate the policy only for the primary appliance.

Multistream mode

Multistream mode streams data to multiple connected Guardium appliances, up to a maximum of six.

In Multistream mode, you need to configure and activate the policy only for the primary appliance you specify with parameter APPLIANCE_SERVER. If a connection outage occurs and connectivity is successfully established with a failover appliance specified by APPLIANCE_SERVER_n, the policy pushed by the primary appliance continues to be the active policy.

  1. Specify the IP address or hostname of the primary appliance with parameter APPLIANCE_SERVER.
  2. Specify MULTI_STREAM as the data streaming type for parameter APPLIANCE_SERVER_LIST.
  3. Specify the IP address or hostname of each failover appliance with parameter APPLIANCE_SERVER_n, where n=1-5.

Example MULTISTREAM configuration:

APPLIANCE_SERVER_LIST(MULTI_STREAM)

APPLIANCE_SERVER(192.168.2.100)

APPLIANCE_SERVER_1(192.168.2.101)

APPLIANCE_SERVER_2(192.168.2.102)

Note: In Hot Failover, Multistream, and Mirroring mode, you need to configure and activate the policy only for the primary appliance.

Mirroring mode

Mirroring mode streams the same event data to all connected appliances, which is known as mirroring. Mirroring mode supports ports 16022 and 16023.

Note: Do not enable Mirror mode if aggregation of appliances is occurring. Aggregation of appliances included in one or more S-TAPs operating in Mirror mode may result in duplicate events and alerts.

In Mirroring mode, you need to configure and activate the policy only for the primary appliance you specify with parameter APPLIANCE_SERVER. If a connection outage occurs and connectivity is successfully established with a failover appliance specified by APPLIANCE_SERVER_n, the policy pushed by the primary appliance continues to be the active policy.

  1. Specify the IP address or hostname of the primary appliance with keyword APPLIANCE_SERVER.
  2. Set the value of parameter APPLIANCE_SERVER_LIST to MIRROR.
  3. Specify the IP address or hostname of each failover appliance with keyword APPLIANCE_SERVER_n, where n=1-5.

Example MIRROR configuration:

APPLIANCE_SERVER(192.168.2.100)

APPLIANCE_SERVER_LIST(MIRROR)

APPLIANCE_SERVER_1(192.168.2.101)

APPLIANCE_SERVER_2(192.168.2.102)

Note: In Hot Failover, Multistream, and Mirroring mode, you need to configure and activate the policy only for the primary appliance.
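The following is an added example, not part of this article or the Guardium product: a small Python checker that parses the APPLIANCE_SERVER, APPLIANCE_SERVER_LIST and APPLIANCE_SERVER_n parameters from all five modes described above and reports configurations that would leave the S-TAP without the resilience you intended (an unknown mode value, a backup appliance that repeats the primary, gaps in the failover order, or secondary appliances in Single Appliance mode). The NAME(value) line format and the sample configuration are assumptions made for the example.

```python
import re

# Valid APPLIANCE_SERVER_LIST values per the article; no value means Single Appliance mode.
STREAM_MODES = {"FAILOVER", "HOT_FAILOVER", "MULTI_STREAM", "MIRROR"}
MAX_SECONDARY = 5  # APPLIANCE_SERVER_n with n = 1-5, six appliances in total

# Constructed sample (not from a real system): the Hot Failover example with a
# backup that repeats the primary address, so no real backup path exists.
SAMPLE_CONFIG = """
APPLIANCE_SERVER_LIST(HOT_FAILOVER)
APPLIANCE_SERVER(192.168.2.100)
APPLIANCE_SERVER_1(192.168.2.100)
"""


def parse_stap_params(text):
    """Parse NAME(value) lines into a dict; blank lines and '*' comments are skipped."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("*"):
            continue
        m = re.fullmatch(r"([A-Z][A-Z0-9_]*)\((.*)\)", line)
        if m:
            params[m.group(1)] = m.group(2).strip()
    return params


def check_streaming_config(text):
    """Return a list of findings; an empty list means the streaming setup is consistent."""
    p = parse_stap_params(text)
    findings = []
    primary = p.get("APPLIANCE_SERVER")
    if not primary:
        findings.append("APPLIANCE_SERVER is required in every mode")
    mode = p.get("APPLIANCE_SERVER_LIST")  # absent means Single Appliance mode
    if mode is not None and mode not in STREAM_MODES:
        findings.append(f"APPLIANCE_SERVER_LIST({mode}) is not one of {sorted(STREAM_MODES)}")
    secondaries = {int(m.group(1)): v for k, v in p.items()
                   if (m := re.fullmatch(r"APPLIANCE_SERVER_(\d+)", k))}
    if any(not 1 <= n <= MAX_SECONDARY for n in secondaries):
        findings.append(f"APPLIANCE_SERVER_n: n must be in the range 1-{MAX_SECONDARY}")
    if secondaries and set(secondaries) != set(range(1, len(secondaries) + 1)):
        findings.append("APPLIANCE_SERVER_n must be numbered contiguously from 1 (failover order)")
    if mode is None and secondaries:
        findings.append("Single Appliance mode has no backup appliances; set APPLIANCE_SERVER_LIST")
    if mode is not None and not secondaries:
        findings.append(f"{mode} mode has no APPLIANCE_SERVER_n, so no backup path exists")
    seen = {primary}
    for n in sorted(secondaries):  # a repeated address adds no resilience
        if secondaries[n] in seen:
            findings.append(f"APPLIANCE_SERVER_{n} repeats an appliance already listed")
        seen.add(secondaries[n])
    if mode == "FAILOVER" and secondaries:
        findings.append("FAILOVER: install the same policy on the primary and every APPLIANCE_SERVER_n appliance")
    return findings
```

Running `check_streaming_config(SAMPLE_CONFIG)` flags the repeated address; the FAILOVER line is a reminder of the policy requirement rather than an error.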

Additional Information

The following references provide further information about Guardium S-TAP data collection and parameters:

S-TAP for Db2 

S-TAP for IMS

S-TAP for Data Sets

Document Location

Worldwide


Document Information

Modified date:
28 November 2022

UID

ibm16348632