IBM Support

How can a 'slon' capture be created on an InfoSphere Guardium Appliance

Question & Answer


Question

How can I generate a slon capture and send it to IBM Technical Support?

Cause

A 'slon' capture can be useful to IBM Technical Support in diagnosing problems with the data packets that come into the Guardium Appliance.

Support can 'replay' and/or analyse the capture in-house.

Answer

Recommended video

Review the video in this course on the Security Learning Academy:



To create a slon capture, there are two methods available, as follows:

IMPORTANT
For both methods described, be aware that collecting a slon can fill up the disk quickly, especially on heavy-traffic systems, so plan to run the slon capture for as little time as possible while you reproduce the problem.


A) Using a simple CLI command to stop and start a slon capture
This method captures everything that comes into the appliance while the slon is running and requires at least 15GB of free space (although the final slon file might be smaller).

1) Log onto the appliance using an SSH tool (e.g. PuTTY) as the CLI user
  • Run the following command to start a slon capture:
  • support store slon on
  • Note: For versions 11.5 (GPU p500 and onwards), you need to specify packets in the command to enable slon. So the command to run becomes:
  • support store slon on packets
    Leave the capture running ....
2) Whilst the capture is running, generate the required activity you wish to capture, for example:
  • login as a database end user to the database of concern
  • run the sql statements of concern
  • logout of the database session
3) From the CLI, stop the slon capture:
  • support store slon off
  • The command responds with output such as:
    No SQL sniffer activities were logged during slon operation.
    Results file slon_packets.tar can be downloaded by using "fileserver" command.
4) Using the CLI command fileserver, extract the slon_packets.tar file and send it to the IBM Technical Support engineer dealing with your PMR. From version 10 onwards the file is located in the last listed subdirectory, gim-snif-guard-logs/

B) Using the diag method and specifying parameters
1) Log onto the appliance via PuTTY as the CLI user
  • Run the diag command by typing diag
  • If requested, enter the admin password
  • You should now be in the diag menu (SQLGuard Diagnostics)
  • Choose 3 - System Interactive Queries
  • Choose 12 - Slon Utility
  • Choose p - to dump packets to apks.txt
  • Choose 300 - seconds (5 minutes), for example
  • Leave the capture running ....
2) While the capture is running, generate the required activity you wish to capture, for example:
  • login as a database end user to the database of concern
  • run the sql statements of concern
  • logout of the database session
  • The slon capture is located in the diag/depot directory and will typically have a name that includes the date and time, for example:
    • diag_session_17_7_1441.tgz
3) Pack and send the slon files to IBM Technical Support
  • From the diag utility session in 1) above
  • Choose <OK>
  • Choose <Cancel> to return to Main diag menu
  • Choose 1 - Output Management
  • Choose 1 - End and Pack Current Session
4) Extract and send the files up to the IBM Technical Support Case.
See also: How can log files be extracted from an InfoSphere Guardium Appliance?

Note: Further details on the diag utility can also be found in the relevant Appendices section of the Product Help Manual(s).


Document Information

Modified date:
10 August 2023

UID

swg21508960