IBM Support

How to alert when the flat log requests are increasing on a Guardium Collector

Question & Answer


Question

How can I alert when there are increasing flat log requests on my collector?

Cause

Flat log requests in the Buffer Usage Monitor report indicate that the sniffer is dropping packets. This is most likely due to an analyzer queue overflow problem caused by high traffic. Flat log requests should not be increasing in a healthy collector.

For troubleshooting steps, see: Identifying and resolving common sniffer problems with the Buffer Usage report.

For enterprise environments, the analyzer queue parameter in the units utilization or deployment health view can be used to track this problem. High analyzer queues are very likely to cause flat log requests.

Answer

The Alerter must be running in order to receive an alert.
v9: Administration Console -> Configuration -> Alerter
v10: Setup -> Tools and Views -> Alerter

[Screenshots: v9 and v10 Alerter pages]

For the alert to work, the buffer usage process on the appliance must be active. Use this link to ensure that it is: Guardium S-TAP is collecting data but request rate and buffer usage reports are empty.

Pre-made alert definition

This alert can be imported into v9 (p300 and above) and v10 appliances. A compatibility warning is shown when importing into v10, but the import will succeed.

Alert to Download: flat_log_requests_alert.sql
Alert name: Flat log request alert
Query name alert is based on: Flat log request alert
Function: Alert when there are 3 or more distinct values of flat log requests in the last 30 minutes. This indicates the number is increasing.
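As an added illustration, not part of IBM's alert definition (which lives in the .sql file above), the following Python models the Function rule over Buffer Usage Monitor samples; the timestamps and flat log request counts are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed Buffer Usage Monitor samples (timestamp, flat log requests).
# Not real appliance data: a counter that keeps changing is the symptom
# the alert is meant to catch.
SAMPLES = [
    ("2018-06-16 09:00:00", 120),
    ("2018-06-16 09:05:00", 120),
    ("2018-06-16 09:10:00", 120),
    ("2018-06-16 09:15:00", 131),
    ("2018-06-16 09:20:00", 131),
    ("2018-06-16 09:25:00", 147),
]

WINDOW = timedelta(minutes=30)   # look-back used by the alert
THRESHOLD = 3                    # distinct values that trigger it

FMT = "%Y-%m-%d %H:%M:%S"


def _parse(ts):
    return datetime.strptime(ts, FMT)


def distinct_flat_log_values(samples, now, window=WINDOW):
    """Distinct flat-log-request values seen in the `window` ending at `now`
    (a timestamp string); older samples are ignored."""
    end = _parse(now)
    start = end - window
    return {value for ts, value in samples if start <= _parse(ts) <= end}


def should_alert(samples, now, threshold=THRESHOLD, window=WINDOW):
    """Mirror the page's rule: 3 or more distinct values in the last 30
    minutes means the counter changed at least twice, i.e. the sniffer is
    still dropping packets. A healthy collector shows one unchanging value."""
    return len(distinct_flat_log_values(samples, now, window)) >= threshold


if __name__ == "__main__":
    now = "2018-06-16 09:30:00"
    print("distinct values:", sorted(distinct_flat_log_values(SAMPLES, now)))
    print("alert:", should_alert(SAMPLES, now))
```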

1. Import the .sql file from the GUI. v9: Administration Console -> Guardium Definitions -> Import. v10: Manage -> Data Management -> Definitions Import. This must be done on the Central Manager if one exists in the environment.

2. If the alert is imported on the Central Manager, it can be set to run on all or some managed units from the definition. v9: Tools -> Alert Builder. v10: Protect -> Database Intrusion Detection -> Alert Builder.

3. Currently the alert is set to send to syslog only; add any other receivers that are required.

4. Confirm the alert is active. v9: Administration Console -> Anomaly Detection. v10: Setup -> Tools and Views -> Anomaly Detection


Document Information

Modified date: 16 June 2018

UID: swg21994542