How to alert when the flat log requests are increasing on a Guardium Collector
How can I alert when there are increasing flat log requests on my collector?
Flat log requests in the Buffer Usage Monitor report indicate that the sniffer is dropping packets. This is most likely due to an analyzer queue overflow problem caused by high traffic. Flat log requests should not be increasing in a healthy collector.
For troubleshooting steps see - Identifying and resolving common sniffer problems with the Buffer Usage report.
For enterprise environments the analyzer queue parameter in units utilization or deployment health view can be used to track this problem. High analyzer queues are very likely to cause flat log requests.
The Alerter must be running in order to receive an alert.
v9 Administration Console->Configuration->Alerter. v10 Setup -> Tools and Views -> Alerter
For the alert to work, the buffer usage process on the appliance must be active. Use this link to ensure that it is: Guardium S-TAP is collecting data but request rate and buffer usage reports are empty.
Pre made alert definition
This alert can be imported into your v9(p300 and above) and v10 appliances. There will be a compatibility warning when importing into v10 but it will import successfully.
|Alert to Download||Alert name||Query name alert is based on||Function|
|flat_log_requests_alert.sql||-Flat log request alert||-Flat log request alert||Alert when there are 3 or more distinct values of flat log requests in the last 30 minutes. This indicates the number is increasing.|
1. Import the .sql file from GUI v9->Administration Console->Guardium Definitions->Import. v10 Manage -> Data Management ->Definitions Import. This must be done on the Central Manager if one exists in the environment.
2. If the alert is imported in the central manager it can be set to run on all or some managed units from the definition in v9 Tools -> Alert Builder. v10 Protect -> Database Intrusion Detection -> Alert Builder. e.g.
3. Currently the alert is set to send to syslog only, add any receivers that are required.
4. Confirm the alert is active from v9 Administration Console->Anomaly detection. v10 Setup -> Tools and Views -> Anomaly Detection
More support for:
IBM Security Guardium
Software version: 9.1, 9.5, 10.0, 10.0.1, 10.1
Operating system(s): AIX, HP-UX, Linux, Solaris, Windows, z/OS
Software edition: All Editions
Reference #: 1994542
Modified date: 07 March 2018
Translate this page: