
By: Leila Johannesen and Daina Pupons-Wickham
IBM Security Guardium for Data Protection provides users with views to see what’s going on with the deployment health of their entire Guardium environment. These graphical and tabular views are designed to work together by consolidating several different sources of information into unique but related views. Accessible from a central manager, these views make it easy to identify any problematic systems and investigate the underlying issue.
Version 11.2 has several enhancements to help you understand your deployment health, including enhanced filtering, near real-time information, better performance, and the use of K-TAP status as a part of S-TAP status. There is also a new dashboard.
This article provides a quick overview of all the views into your Guardium deployment health.
S-TAP and GIM Dashboard
New in Guardium V11.2 is the S-TAP and GIM dashboard. It has four charts that provide a comprehensive view of the S-TAPs on your system. It also shows two charts on GIM status if you’re using your central manager as a GIM server.

The S-TAP health chart shows at a glance what is known about the health of all your S-TAPs. The S-TAPs by version donut chart indicates how many S-TAPs are operating at specific version levels. The Databases by inspection engine bar chart shows the count of different database types that are known in the environment.
The S-TAPs by operating system bar chart shows the different operating systems that are known in the environment. Different versions of the same operating system are shown on one bar. For example, in the screenshot above, three different versions of Red Hat Enterprise Linux (RHEL) are represented in a single RHEL bar divided into three segments.
If you are using your central manager as a GIM server, you will have two GIM-related charts on this dashboard. The first shows the GIM client versions on your system. The second shows the status of those GIM clients.
For each of the charts, you can click on the icon in the upper right of the chart to see a tabular view with more details.
Deployment Health Dashboard
The Deployment Health Dashboard provides an at-a-glance summary of any issues found across a Guardium deployment. The dashboard is especially useful for identifying patterns and trends in the health data before investigating individual systems where problems are identified.
Below is a screenshot of the dashboard showing a problematic situation -- the Guardium database getting filled up and no action taken to remedy the situation.

The Deployment Health Dashboard uses these sources of data:
- System resources (system configuration such as CPU cores, system memory and /var disk capacity)
- Unit utilization (such as sniffer restarts, MySQL disk usage and CPU load)
- System self-monitoring (MySQL disk usage and system disk usage)
- Correlation alerts (if the user chooses to add them)
The screenshot shows the default tiles (you can add or swap in a few others). Each tile gets its data from particular sources of data. For example, the data source for critical issues is system self-monitoring; a critical issue appears when the usage meets or exceeds a 90% threshold.
One interesting tile that can be added to the dashboard is the unit utilization timechart. This tile shows trends over time, so you can compare two collectors, or multiple unit utilization metrics for the same collector, over time. For example, if you are having CPU load issues with a particular collector, you can set up a tile to track CPU load along with other metrics such as /var disk usage or sniffer restarts.
The Deployment Health Dashboard can be filtered by Guardium systems, issue severity, and time period. For example, you can set the dashboard to only show critical information about your collectors for the last week. You can also create managed unit groups and view the health data for a specific group.
Deployment Health Topology
The Deployment Health Topology provides a visualization of the entire Guardium environment that is connected to a central manager. This graphical view shows the relationships between nodes in the environment and provides health information about all the connected aggregators, collectors, and S-TAPs. You can quickly spot any ailing or down systems, using the color-coded legend.

The Deployment Health Topology displays three categories of health information for Guardium systems (collectors, aggregators and central manager): connectivity, unit utilization, and aggregation. S-TAP health metrics include connectivity and inspection engines. Each metric is assigned a health status/severity level. The overall status of a node is determined by the most severe status of any individual metric included under any of the health categories being displayed.
You can hover on any node and drill down to investigate further or take actions to quickly address any health issues. For example, you could hover over a collector and drill down to view the unit utilization report, view the aggregation/archive log or log on to the collector. Hovering on an S-TAP node allows you to see details on the S-TAP and drill down on S-TAP status, S-TAP events or S-TAP controls. New in Guardium V11.2, K-TAP status information is factored into the status of Unix/Linux S-TAPs.
Also new in V11.2 are the available active filters, which now include: DB type, Guardium version, health severity, host name, IP address, issue type, MU group, OS version, S-TAP group and S-TAP version.
The Deployment Health Topology is useful for quickly identifying problematic branches of an environment. In the example above, we see that the branch extending from the green aggregator is mostly healthy. We can focus instead on nodes connected to the central manager, which are in medium and high severity status.
This view is also useful for quickly spotting systems that are not connected correctly. For example, the topology below shows that all nodes are connected to the central manager. However, notice that two of the nodes are aggregators (identified as such with a 4-arrow-shaped icon) and yet no collectors are connected to them.

Hovering over the red node (high severity status) makes it clear that an import has not been scheduled and therefore the aggregator is not getting information from collectors. The hover has a link to schedule the data import and fix the problem.

Deployment Health Table
The Deployment Health Table shows a tabular version of some of the same information as the Deployment Health Topology. In Guardium V11.2, this view has two tabs to organize the information into Guardium Systems and S-TAPs. You can sort the rows by clicking on a column header, or quickly filter by severity.
Guardium V11.2 adds advanced filters, which can be saved and re-used. The screenshot below shows the advanced filter opened for the Guardium systems tab. Guardium systems can be filtered by: version, health status, host name, issue type, and managed unit group (or combinations thereof). For S-TAPs, you can filter by database type, overall health status, host name, IP address, issue type, OS version, S-TAP group and S-TAP version.

From this view, you are able to select a Guardium system and view the unit utilization report or the distributed aggregation/archive log (from the Actions menu). You can also export this view for later analysis.
Ready to try it?
The deployment health views are available from a central manager. In the Guardium user interface, they’re found under the Manage menu > System View submenu. (Alternatively, you can always type a few words in the user interface search box to find any page in Guardium.)
The Guardium Knowledge Center has more information on these deployment health views. Here are the links to read more:
It is likely that your deployment is already configured to support the deployment health views, but you can double-check the configuration information.
We'd love your feedback!