IBM Support

How to identify the value of unix_domain_socket_marker in Guardium S-TAP?

Technote (FAQ)


I'd like to capture DB traffic over UNIX domain socket connections, but I don't know how to configure guard_tap.ini in S-TAP.


Run the following on the DB server and check the Active UNIX domain sockets section in the output.

    netstat -an


    netstat -an | grep mysql
    unix 2 [ ACC ] STREAM LISTENING 247162 /var/lib/mysql/mysql.sock

    netstat -an | grep oracle
    unix 2 [ ACC ] STREAM LISTENING 11933 /var/tmp/.oracle/s#2070.1
    unix 2 [ ACC ] STREAM LISTENING 11937 /var/tmp/.oracle/s#2070.2

    netstat -an | grep PGSQL
    unix 2 [ ACC ] STREAM LISTENING 1385475 /tmp/.s.PGSQL.5432

The marker portions of the socket paths above (mysql.sock, /.oracle/ and .s.PGSQL.5432) are the default values that S-TAP assumes. If you see other values in the output, set them in the unix_domain_socket_marker parameter in guard_tap.ini. Refer to the product manual page for more about this parameter:

    unix_domain_socket_marker - is used to set the marker for Oracle, MySQL and Postgres UNIX domain sockets. Most of the time the default value is correct, but when named pipe or UNIX domain socket traffic does not work, we need to make sure this value is set correctly. For example, for Oracle, unix_domain_socket_marker should be set to the KEY of IPC defined in tnsnames.ora. By default unix_domain_socket_marker is set to NULL in the guard_tap.ini file; if it is NULL or not set, S-TAP will use the defined default markers, identified as:
      • MySQL - "mysql.sock"
      • Oracle - "/.oracle/"
      • Postgres - ".s.PGSQL.5432"

[NOTE] The S-TAP must gather (guard_diag command output) contains the output of netstat, so you can check the Active UNIX domain socket names from the must gather.
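The check described above can be scripted. The following is an added example, not IBM code: it reads `netstat -an` output and reports, for each default marker listed in this technote, whether a listening UNIX domain socket path contains it. The function names and the sample input are constructed for illustration, and Linux-style netstat lines with space-free socket paths are assumed.

```shell
#!/bin/sh
# Added example (not IBM code): compare listening UNIX domain sockets with
# the S-TAP default markers listed in this technote.
# Assumes Linux-style `netstat -an` lines and socket paths without spaces.

DEFAULT_MARKERS='mysql.sock
/.oracle/
.s.PGSQL.5432'

# Constructed sample input; MySQL uses a non-default socket name here.
sample_netstat() {
    cat <<'EOF'
tcp   0      0 0.0.0.0:22   0.0.0.0:*   LISTEN
unix  2      [ ACC ]     STREAM     LISTENING     247162   /data/mysql/mysqld.sock
unix  2      [ ACC ]     STREAM     LISTENING     11933    /var/tmp/.oracle/s#2070.1
unix  2      [ ACC ]     STREAM     LISTENING     11937    /var/tmp/.oracle/s#2070.2
unix  2      [ ACC ]     STREAM     LISTENING     1385475  /tmp/.s.PGSQL.5432
unix  3      [ ]         STREAM     CONNECTED     20011    /var/tmp/.oracle/s#2070.1
EOF
}

# Print the path of every listening UNIX domain socket read from stdin.
listening_unix_sockets() {
    awk '$1 == "unix" && /LISTENING/ && $NF ~ /^\// { print $NF }'
}

# For each default marker, report whether a listening socket path contains it.
# "no-match" means the default will not work for that database, so the real
# socket name has to be set in unix_domain_socket_marker.
check_markers() {
    sockets=$(listening_unix_sockets)
    printf '%s\n' "$DEFAULT_MARKERS" | while IFS= read -r marker; do
        hit=$(printf '%s\n' "$sockets" |
            awk -v m="$marker" 'index($0, m) && !seen { print; seen = 1 }')
        if [ -n "$hit" ]; then
            printf 'marker=%s status=default-ok socket=%s\n' "$marker" "$hit"
        else
            printf 'marker=%s status=no-match socket=-\n' "$marker"
        fi
    done
}

# On a DB server: netstat -an | check_markers
sample_netstat | check_markers
echo "Listening UNIX domain sockets:"
sample_netstat | listening_unix_sockets
```

A `no-match` line only shows that no socket carries the default marker; pick the actual socket for that database from the listed paths (for Oracle, the IPC KEY in tnsnames.ora) before editing guard_tap.ini.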

Related information

IBM MustGather: Collecting data for Guardium S-TAP

Document information

More support for: IBM Security Guardium

Software version: 8.2, 9.0, 9.1

Operating system(s): AIX, HP-UX, Linux, Solaris

Reference #: 1653221

Modified date: 2013-10-21