IBM Security Guardium

Windows S-TAP Must Gather V2.1

By SATOSHI KAWASE posted Tue April 06, 2021 12:06 PM

  

What's Windows S-TAP Must Gather?

Windows S-TAP Must Gather is a Windows batch script that gathers troubleshooting information as well as Windows environment information. The file name is diag.bat, and it's installed as a part of Windows S-TAP.

In Guardium V11.2, the Must Gather script (diag.bat V2) was significantly improved. See the following articles on the IBM Security Community site for details.

The biggest improvement in Guardium V11.3 (diag.bat V2.1) is the STANDALONE feature: the script can run separately from Windows S-TAP, and it is installed with all Guardium Windows agents, such as GIM, FAM and CAS.

How to run the script?

It's simple. Open a Windows Command Prompt as Administrator and run
%WINSTAP_DIR%\Bin\diag.bat. The output files are zipped into
%WINSTAP_DIR%\Bin\zipTmp\xxx.zip.

C:\Program Files\IBM\Windows S-TAP\Bin>diag.bat
Windows S-TAP Must Gather V2
DIAG VERSION: V2.1.19 (2021/02/17)
...
[I] Wed 02/17/2021 02:24:30.44 : Completed
Return Code               : 0
Must Gather script log    : C:\Program Files\IBM\Windows S-TAP\Bin\diag\diag.log
Must Gather File Location : C:\Program Files\IBM\Windows S-TAP\Bin\zipTmp\WSTAP_L3-WIN2K19-01_2021-02-17T02-24-05-7336859-05-00.zip (20396 KB)


C:\Program Files\IBM\Windows S-TAP\Bin>


The new Must Gather script (diag.bat V2.1) can run from any directory on a Windows server. For example, if you put the script under C:\tmp, it generates the zip file at C:\tmp\zip\xxx.zip. This is STANDALONE mode, and it is supported since Guardium V11.3 (diag.bat V2.1).

C:\tmp>diag.bat
Windows S-TAP Must Gather V2
DIAG VERSION: V2.1.19 (2021/02/17)
...
[I] Wed 02/17/2021 02:33:14.63 : Completed
Return Code               : 0
Must Gather script log    : C:\tmp\diag\diag.log
Must Gather File Location : C:\tmp\zip\GRD_WIN_DIAG_2021-02-17T02-33-00-05.zip (14271 KB)


C:\tmp>
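The two runs above are what an administrator types by hand. As an added example (not part of the original article and not code from diag.bat or Windows S-TAP), the following PowerShell wraps one run so it can be repeated reliably: it checks that the shell is elevated as the article requires, runs diag.bat from the directory it lives in, stops on a non-zero return code, finds the ZIP that this run produced in zipTmp (S-TAP mode) or zip (STANDALONE mode), and records its SHA-256 so the archive can be verified after it has been sent to IBM Support. The default path and the zipTmp/zip layout are taken from the article; everything else (the variable names, the time-based selection of the newest ZIP, the hashing step) is this example's own choice.

```powershell
# Added example, not from the original article or from diag.bat itself.
# Runs Must Gather, checks its return code, locates the ZIP it produced and hashes it.
# Paths follow the article: S-TAP mode writes <dir>\zipTmp\*.zip, STANDALONE mode <dir>\zip\*.zip.
param(
    # Directory that contains diag.bat; the default is the S-TAP Bin directory used in the article.
    [string]$DiagDir = 'C:\Program Files\IBM\Windows S-TAP\Bin'
)

# The article says to run diag.bat as Administrator, so refuse to continue otherwise.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Administrator) PowerShell.'
}

$diag = Join-Path $DiagDir 'diag.bat'
if (-not (Test-Path $diag)) { throw "diag.bat not found at $diag" }

$started = Get-Date
Push-Location $DiagDir          # diag.bat resolves its diag\ and zip directories relative to itself
try {
    & .\diag.bat                # a .bat run from PowerShell sets $LASTEXITCODE from the batch exit code
    $rc = $LASTEXITCODE
} finally {
    Pop-Location
}
if ($rc -ne 0) {
    throw "diag.bat returned $rc; see $(Join-Path $DiagDir 'diag\diag.log')"
}

# The mode is decided by where diag.bat lives (note *1), and the mode decides the ZIP target.
$candidates = @(
    @{ Mode = 'S-TAP';      Dir = Join-Path $DiagDir 'zipTmp' }
    @{ Mode = 'STANDALONE'; Dir = Join-Path $DiagDir 'zip' }
)
$result = $null
foreach ($c in $candidates) {
    if (-not (Test-Path $c.Dir)) { continue }
    $zip = Get-ChildItem -Path $c.Dir -Filter '*.zip' -File |
           Where-Object { $_.LastWriteTime -ge $started } |     # only the archive written by this run
           Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if ($zip) { $result = @{ Mode = $c.Mode; Zip = $zip }; break }
}
if (-not $result) {
    # STANDALONE mode on Server 2012 without WMF 5.1 leaves the files unzipped (note *4).
    throw "No new ZIP under $DiagDir\zipTmp or $DiagDir\zip; check the files under $(Join-Path $DiagDir 'diag')"
}

# Get-FileHash needs PowerShell 4.0 or newer.
$sha256 = (Get-FileHash -Path $result.Zip.FullName -Algorithm SHA256).Hash
[pscustomobject]@{
    Mode   = $result.Mode
    Zip    = $result.Zip.FullName
    SizeKB = [math]::Round($result.Zip.Length / 1KB)
    SHA256 = $sha256
}
```

Run it as `.\Run-MustGather.ps1` for the S-TAP installation, or `.\Run-MustGather.ps1 -DiagDir C:\tmp` for a copy of diag.bat running in STANDALONE mode. Selecting only archives newer than `$started` matters when zipTmp or zip already holds ZIPs from earlier runs; the SHA-256 lets the support engineer confirm that the archive they received is the one this run produced.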

What's S-TAP mode and STANDALONE mode?

Up to Guardium V11.2, Windows S-TAP Must Gather (diag.bat) was a component of Windows S-TAP: it has to be in the Windows S-TAP installation directory, and it works together with other Windows S-TAP components. It can be executed from the Guardium GUI, generates a zip file as output, and sends that file to the collector when UPLOAD_FEATURE is set to 1. This is how Must Gather works in S-TAP mode.

Starting with Guardium V11.3, Must Gather (diag.bat) can work without any other Windows S-TAP component. You can copy diag.bat anywhere on the Windows server and run it on its own. This is called STANDALONE mode.

 

 #  Title                                   S-TAP mode                             STANDALONE mode
 1  diag.bat script version                 V2.0 and V2.1 (*1)                     V2.1
 2  Guardium version                        V11.2 all                              V11.3 all
                                            V11.1.0.178 and newer                  V11.2.0.220 and newer
                                            V11.0.1.96 and newer                   V11.1.0.208 and newer
                                            V10.6.0.260 and newer                  V11.0.1.111 and newer
                                                                                   V10.6.0.300 and newer
 3  Supported component                     Windows S-TAP only                     Windows S-TAP
                                                                                   Windows GIM
                                                                                   Windows GAM
                                                                                   Windows CAS
                                                                                   Windows FAM monitor
                                                                                   Windows FAM crawler (*2)
                                                                                   Windows FAM for SP
                                                                                   Windows FAM for NAS
                                                                                   Windows FDEC for SP
                                                                                   Windows FDEC for NAS
 4  Location of diag.bat                    %WINSTAP%\bin\diag.bat                 (anywhere)\diag.bat
 5  Location of diag.log                    %WINSTAP%\bin\diag\diag.log            ~\diag\diag.log
 6  ZIP source (*3)                         %WINSTAP%\Logs                         ~\diag
 7  ZIP target (*3)                         %WINSTAP%\bin\zipTmp                   ~\zip
 8  ZIP file name                           WSTAP_HOST_YYYY-MM-DDTHH-MM-SSTZD.zip  GRD_WIN_YYYY-MM-DDTHH-MM-SSTZD.zip
 9  -help, -keep, -quick, -version options  Supported                              Supported
10  ZIP tool (*4)                           ExternalZip.exe                        compress-archive (PowerShell)
11  Run from GUI                            Supported                              NOT supported
12  UPLOAD_FEATURE                          Supported                              NOT supported

[NOTES]

(*1) The diag.bat V2.1 script runs in S-TAP mode when it is in the Windows S-TAP directory, and in STANDALONE mode when it is in any other directory.

(*2) Windows FAM Crawler is supported in diag.bat V2.1.16 and newer.

(*3) The script generates some files and copies config/log files from the Guardium agents (S-TAP, GIM, FAM, etc.) to the ZIP source directory, then creates a zip file in the ZIP target directory.

(*4) ExternalZip.exe is a part of Windows S-TAP. compress-archive is a PowerShell command; it is available on Windows Server 2016 and newer, and on Windows Server 2012 with Windows Management Framework (WMF) 5.1. If you run diag.bat in STANDALONE mode on Windows Server 2012 without WMF 5.1, compress-archive does not exist, and the script keeps all files under the ZIP source directory instead of generating a ZIP file. You can create the ZIP file manually from Windows Explorer.
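Note (*4) describes the one case where STANDALONE mode leaves you without an archive. As an added example (not part of the original article or of diag.bat), the following PowerShell builds the ZIP from the STANDALONE ZIP source directory by hand: it uses compress-archive when the host has it and otherwise falls back to the .NET ZipFile class, which ships with .NET Framework 4.5 and is therefore usable from the PowerShell 3.0 that Windows Server 2012 carries without WMF 5.1. The ~\diag source and ~\zip target layout is taken from the table above; the default C:\tmp directory, the archive name and the final entry-count check are this example's own choices, and the name deliberately does not imitate the one diag.bat would have generated.

```powershell
# Added example, not from the original article or from diag.bat itself.
# Creates the STANDALONE-mode ZIP manually when compress-archive is missing (note *4).
# Layout from the article's table: ZIP source = <dir>\diag, ZIP target = <dir>\zip.
param(
    # Directory you copied diag.bat to; C:\tmp is the example used in the article.
    [string]$DiagDir = 'C:\tmp'
)

$source = Join-Path $DiagDir 'diag'
$target = Join-Path $DiagDir 'zip'
if (-not (Test-Path $source)) { throw "ZIP source directory $source not found; did diag.bat run?" }
New-Item -ItemType Directory -Path $target -Force | Out-Null

# The archive name is this script's own choice, not the name diag.bat would have produced.
$stamp = Get-Date -Format 'yyyy-MM-ddTHH-mm-ss'
$zip   = Join-Path $target "GRD_WIN_DIAG_manual_$stamp.zip"

if (Get-Command Compress-Archive -ErrorAction SilentlyContinue) {
    # PowerShell 5.x: Windows Server 2016 and newer, or Server 2012 with WMF 5.1.
    Compress-Archive -Path (Join-Path $source '*') -DestinationPath $zip -CompressionLevel Optimal
} else {
    # PowerShell 3.0/4.0 fallback: the .NET 4.5 ZipFile class that Server 2012 already has.
    Add-Type -AssemblyName System.IO.Compression.FileSystem
    [System.IO.Compression.ZipFile]::CreateFromDirectory(
        $source,
        $zip,
        [System.IO.Compression.CompressionLevel]::Optimal,
        $false)      # $false: store the files at the archive root, not under a 'diag' folder
}

# Sanity check before sending the file to IBM Support: it must exist and must not be empty.
Add-Type -AssemblyName System.IO.Compression.FileSystem
$archive = [System.IO.Compression.ZipFile]::OpenRead($zip)
try {
    $entryCount = $archive.Entries.Count
} finally {
    $archive.Dispose()
}
if ($entryCount -eq 0) { throw "$zip contains no entries" }

[pscustomobject]@{
    Zip     = $zip
    Entries = $entryCount
    SizeKB  = [math]::Round((Get-Item $zip).Length / 1KB)
}
```

Because diag.log also lives under ~\diag, the archive built this way carries the script's own log along with the collected agent files, which is the same set of files diag.bat would have zipped. Run it only after diag.bat has reported "Completed"; if the source directory is still being written to, the archive will be incomplete.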



Which mode should we use?

It depends. Here are some examples.

  • If you are using Windows S-TAP and want to run Must Gather from the Guardium GUI, use S-TAP mode.
  • If you run into a problem installing Windows S-TAP: if it is at least partially installed, you can run Must Gather in S-TAP mode; if it is not installed yet, copy diag.bat V2.1 somewhere (e.g. C:\tmp) and run it in STANDALONE mode.
  • If you have installed GIM, FAM, etc. but not S-TAP and want to run Must Gather, run it from any of the installed agents' directories. It runs in STANDALONE mode.



Questions?

If you have questions, please feel free to comment on this article. You can also ask in the IBM Security Guardium discussion in the IBM Security Community, or open a technical support ticket.


#Guardium