IBM Support

What to do if Guardium inspection engine status is fail

Technote (FAQ)


Question

"Inspection Engine Status" in GUI-> System View-> S-TAP Status Monitor is fail and red. "S-TAP Status" is active and green.

What does it mean if inspection engine status is fail?
What should I do if inspection engine status is fail?

Answer


YouTube Video
Troubleshooting the Guardium S-TAP Verification Process (20.49)
This video comprehensively examines the design of both standard and advanced S-TAP verification processes, including common reasons for failure and how to troubleshoot when the process fails.

Background

Inspection engine verification is feature in Guardium v9.1 and above. Its purpose is to determine if inspection engines configured on the S-TAP are collecting data. There are two methods:


    1. " Standard Verification" - Sends a login request to the database defined in inspection engine with user "RESULTFD". This login request should fail. If the inspection engine is configured and working correctly the S-TAP will send an exception to the collector with failed login. The verification process looks for this failed login, if it finds it then we know that the S-TAP can capture data from this inspection engine.

    2. "Advanced Verification" - A user configured datasource is used to login to the database. The advanced verification runs a select on a table that does not exist. If the inspection engine is configured and working correctly the S-TAP will send an exception to the collector with database error.Verification process looks for this error, if it finds it then we know that the S-TAP can capture data from this inspection engine.


The results of these processes are shown in "inspection engine status" column. For more detail on the verification mechanisms see How to resolve S-TAP verification failure with 0 failed checks.

What does it mean if inspection engine status is fail?

If inspection engine status is fail, it means the chosen verification method has not succeeded. It does not necessarily mean data is missing. It is possible for verification to fail for other reasons, for example:


What should I do if inspection engine status is fail?

  1. Check if the inspection engine is collecting data.

In your usual report for tracking access is new data coming in? If you are unsure what report to check you can use the guidelines here - How can I check if the correct data is being logged on my Guardium appliance?
    • If there is new data in reports from the inspection engine, the problem is only with the verification process. Data is being captured and this does not meet the requirements for a severity 1 PMR - What type of Guardium problem can I consider to be a severity 1 PMR. Proceed with the steps below.
    • If there is no data coming from the inspection engine the configuration may be incorrect. Use the diagnostics in step 2 and check the full inspection engine configuration from S-TAP control, see step 3. This technote may help - No traffic is being captured in Guardium reports. If you are in a production environment and can not resolve the problem you can open a severity 1 PMR as per the requirements above.

2. Use "Run Diagnostics"

This will give actions to resolve the issue. If you click the "fail" icon you will get this option. Note - How to resolve S-TAP verification failure with 0 failed checks


3. Check KTAP DB real port (UNIX) or Port range start (Windows)

Check the inspection engine configuration in Administration Console-> Local Taps-> S-TAP Control. Standard verification will use this port to attempt connection to the database. Ensure connection can be made over this port. Inspection engine may be collecting data from connections over other ports in the range, but standard verification will fail if this port can not accept connection. If you can not ensure this, advanced verification must be used.

4. Must Gather for verification failed issues.

If you are unable to resolve the problem and wish to open a PMR, please attach the following:
    • Support must_gather app_issues. Run the debugger for a number of minutes and "Run Diagnostics" on the failed inspection engine while debugger is on.
    • Slon capture for 30s. While slon is running "Run Diagnostics" on the failed inspection engine.
    • If advanced verification is used, datasource definitions and output of "test connection" for the datasource.

Related information

MustGather: Collecting data for Guardium Appliance
How can a 'slon' capture be created in Guardium

Document information

More support for: IBM Security Guardium

Software version: 9.1, 9.5, 10.0, 10.0.1, 10.1, 10.1.2

Operating system(s): AIX, HP-UX, Linux, Solaris, Windows, z/OS

Software edition: All Editions

Reference #: 1959830

Modified date: 23 June 2017