IBM Security Guardium

Files Collected by Windows S-TAP Must Gather V2

By SATOSHI KAWASE posted Mon June 22, 2020 09:32 AM

Windows S-TAP Must Gather V2 collects much more than the previous version did. This blog article explains what it is supposed to gather.

Typical output of Windows S-TAP Must Gather V2

In my last blog post, we learned how to gather diagnostic files using Windows S-TAP Must Gather. Today's goal is to go through the list of files that Windows S-TAP Must Gather collects.

Here is a typical example of the output of the new Windows S-TAP Must Gather. The actual output may differ, depending on which Guardium products are installed and which files exist on the target database server.

[Screenshot: typical output of Windows S-TAP Must Gather V2]

1. Windows S-TAP Must Gather script log

Windows S-TAP Must Gather V2 now generates its own log files. These help when there is a problem running the script itself.

  • diag.log ... log file of the diag.bat script
  • diag.log.prev ... the previous log file of the diag.bat script
  • diag.err ... this file exists only when there was a problem generating diag.log

These files are stored in the diag directory of the zip file.

2. Basic Environmental Information Files


Windows S-TAP Must Gather runs a number of Windows commands to collect environment information from the database server where Windows S-TAP is installed. It generates the following files:

  • tasks.txt ... Output of "tasklist /svc" and "driverquery"
  • system.txt ... Output of some other Windows commands such as "systeminfo"
  • evtlog2008.txt ... Information gathered from Windows Event Log
  • reg.txt ... Information gathered from Windows registry
  • stap.txt ... copy of the content of guard_tap.ini. This file is obsolete, because Windows S-TAP Must Gather V2 stores a real copy of guard_tap.ini in the ini directory (see 3), but it is kept for compatibility.
  • wtap.dir.txt ... output of "dir /S %WINSTAP%", where %WINSTAP% is the Windows S-TAP installation directory.

These files are stored in the diag directory of the zip file.

3. Guard_Tap.ini

Windows S-TAP Must Gather V2 now stores a real copy of the Guard_Tap.ini file.

  • Guard_Tap.ini ... Copy from %WINSTAP%\bin\Guard_Tap.ini


The file is stored in the ini directory of the zip file.

4. Windows S-TAP driver files


Windows S-TAP writes its driver log files to the %WINSTAP%\Logs directory, where %WINSTAP% is the Windows S-TAP installation directory; by default the log directory is "C:\Program Files\IBM\Windows S-TAP\Logs".

These are typical driver log files generated by Windows S-TAP.

  • Stap.ctl ... Windows S-TAP service log
  • WfpMonitor.ctl ... WFP driver log
  • NmpMonitor.ctl ... NMP driver log
  • Correlator.ctl ... Data Correlation driver log
  • CorrelatorDll%INSTANCE_NAME%.ctl ... Data Correlation driver log specific to the %INSTANCE_NAME% instance, where %INSTANCE_NAME% is the instance name of the MS SQL Server
  • Db2TAPService.ctl ... DB2 TAP driver log.
    [NOTE] This file exists only when the DB2 TAP service is installed.

These files are stored in the root directory of the zip file.

5. Windows S-TAP startup log files

Windows S-TAP writes a startup log to the same directory as the driver logs. It is a brief log that is collected only while Windows S-TAP is starting up. When the Windows S-TAP debug log is enabled, this file is not created, because its content is a subset of the debug log.

  • startup_%HOSTNAME%_%TIMESTAMP%.new ... the latest startup log
  • startup_%HOSTNAME%_%TIMESTAMP%.old ... the previous startup log


, where %HOSTNAME% is the host name of the database server and %TIMESTAMP% is the time the file was created, in YY-MM-DD_hhmmss format.

Windows S-TAP Must Gather also copies these files to the root directory of the output zip file.

6. Windows S-TAP debug log, memory dump and basic environment information generated by GUI

When you run Windows S-TAP Must Gather from the GUI, you will find some additional files in the must gather zip file.

  • snap.wstap.%HOSTNAME%_%TIMESTAMP%.log ... Windows S-TAP debug log.
  • dump.wstap.%HOSTNAME%_%TIMESTAMP%.dmp ... Windows S-TAP memory dump. It is generated when you run Windows S-TAP Must Gather from the GUI with the "Create STAP Memory Dump" checkbox checked.
  • diag.wstap.%HOSTNAME%_%TIMESTAMP%.diag ... concatenation of the basic environmental information files. This file is obsolete, because Windows S-TAP Must Gather V2 stores the original files in the diag directory, but it is kept for compatibility.


Windows S-TAP Must Gather also copies these files to the root directory of the output zip file.

[NOTE] When you enable the Windows S-TAP debug log by editing guard_tap.ini and restarting Windows S-TAP, the debug log is written to the %WINSTAP%\Bin\StapBuffer directory. This file is not included in Windows S-TAP Must Gather because it can be huge. If Technical Support requests it, you must send the file separately from the Windows S-TAP Must Gather output.

7. Windows S-TAP and all Guardium Windows agent install log files


Windows S-TAP and all Guardium Windows agents write an installer log to the root directory of the system drive (e.g. C:\) when they are installed. These are example installer log files.

  • IBM Windows S-TAP.ctl ... Windows S-TAP install log file
  • IBM Windows GIM.ctl ... Windows GIM install log file
  • IBM Guardium Agent Monitor.ctl ... Windows GAM install log file
  • IBM Windows FAM montior.ctl ... Windows FAM install log file
  • IBM Windows CAS.ctl ... Windows CAS install log file


An installer log is created every time the product is installed. If an installer log already exists, it is renamed to the original name plus a timestamp (e.g. IBM Windows S-TAP0517202232.ctl).

Windows S-TAP Must Gather copies all of these files to the install directory of the output zip file.

8. Guardium Agent Monitor (GAM) config and log files

If Windows GAM is installed on the database server, Windows S-TAP Must Gather checks whether the following files exist under the GAM installation directory.

  • bin\resmon.ini ... Windows GAM configuration file
  • bin\resmon_log.txt ... Windows GAM log file


Note that GAM was called Guardium Resource Monitor when this feature was first released, so the file names still use "resmon". The resmon.ini file exists by default, and resmon_log.txt is created the first time the GAM service starts.

Windows S-TAP Must Gather copies these files to the Guardium Agent Monitor directory of the output zip file.

9. Guardium Installation Manager (GIM) config and log files

If Windows GIM is installed on the database server, Windows S-TAP Must Gather copies the following files to the Guardium Installation Manager directory of the output zip file.

  • central_logger.log ... central logger log file
  • GIM\current\GIM.log ... GIM client log file
  • GIM\current\cong ... GIM client configuration file
  • GIM\current\PerlService.log ... Perl service log file
  • GIM\current\tmp1c.txt ... temporary output file used by GIM client
  • GIM\current\tmpc.txt ... temporary input file used by GIM client
  • WINSTAP\current\conf ... Windows S-TAP configuration file used by GIM client

10. Windows FAM Monitor config and log files



If Windows FAM is installed on the database server, Windows S-TAP Must Gather copies the following files to the Windows Fam Monitor directory of the output zip file.

  • Bin\Guard_Tap.ini ... Windows FAM configuration file
  • Logs\FAMsvc.ctl ... Windows FAM service log file
  • Log\FsMonitor.ctl ... File System (FS) driver log file

11. Windows CAS config and log files



If Windows CAS is installed on the database server, Windows S-TAP Must Gather copies the following files to the CAS directory of the output zip file.

  • conf\cas.ini ... Windows CAS configuration file
  • conf\casclient.cfg ... Windows CAS client configuration file (Java settings, etc)
  • conf\casclient_logger.config ... Windows CAS log configuration file
  • conf\*.properties ... Windows CAS properties file
  • logs\casclient.log ... Windows CAS client log file
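Because the archive layout above spans eleven sections, it helps to have a quick way to confirm that a bundle you are about to send (or have just received) actually contains what the script is supposed to collect. The following Python script is an added example and is not part of the original post or of the Must Gather script: it opens a V2 zip, checks the always-present files from sections 1 through 5 against the directory names the post uses, classifies the hostname/timestamp-stamped files from sections 5 and 6 and the per-instance correlator logs from section 4, and reports anything it does not recognize. The directory names, the assumption that zip entries use forward slashes, and the sample archive built in memory are all my own.

```python
"""Inventory a Windows S-TAP Must Gather V2 zip and report what is missing.

Added example, not IBM's script: the expected layout is taken from the file
lists in this post, and the sample archive is constructed in memory so the
check runs offline.
"""
import io
import re
import zipfile
from datetime import datetime

# Files the post says are always produced (sections 1 to 5), keyed by the zip
# directory the post names; "" is the zip root.  Directory names are assumed.
REQUIRED = {
    "diag": ["diag.log", "tasks.txt", "system.txt", "evtlog2008.txt",
             "reg.txt", "stap.txt", "wtap.dir.txt"],
    "ini": ["Guard_Tap.ini"],
    "": ["Stap.ctl", "WfpMonitor.ctl", "NmpMonitor.ctl", "Correlator.ctl"],
}

# Files that exist only under some condition (script error, DB2 TAP present,
# agent installed).  Listed so they are recognised rather than reported as unknown.
CONDITIONAL = {
    "diag": ["diag.log.prev", "diag.err"],
    "": ["Db2TAPService.ctl"],
    "install": ["IBM Windows S-TAP.ctl", "IBM Windows GIM.ctl",
                "IBM Guardium Agent Monitor.ctl", "IBM Windows CAS.ctl"],
    "Guardium Agent Monitor": ["bin/resmon.ini", "bin/resmon_log.txt"],
    "Guardium Installation Manager": ["central_logger.log", "GIM/current/GIM.log"],
    "Windows Fam Monitor": ["Bin/Guard_Tap.ini", "Logs/FAMsvc.ctl"],
    "CAS": ["conf/cas.ini", "logs/casclient.log"],
}

# %HOSTNAME%_%TIMESTAMP% with the post's YY-MM-DD_hhmmss timestamp format.
TS = r"(?P<host>.+?)_(?P<ts>\d{2}-\d{2}-\d{2}_\d{6})"
STAMPED = {
    "startup log": re.compile(rf"^startup_{TS}\.(?P<ext>new|old)$"),
    "debug log": re.compile(rf"^snap\.wstap\.{TS}\.log$"),
    "memory dump": re.compile(rf"^dump\.wstap\.{TS}\.dmp$"),
    "concatenated diag": re.compile(rf"^diag\.wstap\.{TS}\.diag$"),
    "per-instance correlator log": re.compile(r"^CorrelatorDll(?P<instance>.+)\.ctl$"),
}


def parse_stamped(name):
    """Classify a root-level file whose name embeds a host/timestamp or instance."""
    for kind, rx in STAMPED.items():
        m = rx.match(name)
        if m:
            info = {"kind": kind, "name": name, **m.groupdict()}
            if "ts" in info:
                info["ts"] = datetime.strptime(info["ts"], "%y-%m-%d_%H%M%S")
            return info
    return None


def inventory(zip_bytes):
    """Return missing required files, recognised stamped files and unknown entries."""
    zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    names = {n.replace("\\", "/") for n in zf.namelist() if not n.endswith("/")}
    report = {"missing": [], "stamped": [], "unknown": []}
    known = set()
    for table in (REQUIRED, CONDITIONAL):
        for d, files in table.items():
            for f in files:
                path = f"{d}/{f}" if d else f
                known.add(path)
                if table is REQUIRED and path not in names:
                    report["missing"].append(path)
    for n in sorted(names - known):
        d, _, base = n.rpartition("/")
        info = parse_stamped(base) if d == "" else None   # stamped files live in the root
        (report["stamped"] if info else report["unknown"]).append(info or n)
    return report


def has_memory_dump(report):
    """True when a dump.wstap.*.dmp is present, i.e. the zip holds process memory."""
    return any(i["kind"] == "memory dump" for i in report["stamped"])


def build_sample_zip():
    """Constructed sample archive in the post's layout; ini/Guard_Tap.ini is left out on purpose."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for d, files in REQUIRED.items():
            for f in files:
                if d != "ini":
                    zf.writestr(f"{d}/{f}" if d else f, "sample\n")
        zf.writestr("diag/diag.log.prev", "sample\n")
        zf.writestr("startup_DBHOST01_20-06-22_093200.new", "sample\n")
        zf.writestr("startup_DBHOST01_20-06-15_081500.old", "sample\n")
        zf.writestr("CorrelatorDllMSSQLSERVER.ctl", "sample\n")
        zf.writestr("dump.wstap.DBHOST01_20-06-22_093200.dmp", "sample\n")
        zf.writestr("stray/notes.txt", "sample\n")
    return buf.getvalue()


if __name__ == "__main__":
    r = inventory(build_sample_zip())
    print("missing:", r["missing"])
    print("unknown:", r["unknown"])
    for i in r["stamped"]:
        print(i["kind"], i["name"], i.get("host"), i.get("ts"), i.get("instance"))
    print("contains memory dump:", has_memory_dump(r))
```

Run it against a real bundle with `inventory(open("wstap_mustgather.zip", "rb").read())`. A non-empty `missing` list usually means the script failed part way, so look at diag/diag.log and diag/diag.err first. The `has_memory_dump` check is there for a practical reason: the dump is the full memory of the S-TAP process, and the archive also carries registry output and the agent configuration files, so treat the zip as sensitive and send it only through the support channel rather than by ordinary e-mail.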

My next blog post will pick up some major diagnostic files and share troubleshooting examples.
