IBM Security Guardium


Guardium Windows Agent Must Gather V3.0 - Part 2 - S-TAP mode and STANDALONE mode

By SATOSHI KAWASE posted Sun September 25, 2022 07:00 AM


About Windows Agent Must Gather V3.0

Guardium Windows Agent Must Gather V3.0 (a.k.a. Windows S-TAP Must Gather) is the latest must gather script, released with Guardium V11.5.

It's included in all Guardium Windows agents (GIM, S-TAP, GAM, CAS, FAM monitor, FAM crawler, FDEC for NAS/SP, FAM for NAS/SP) in V11.5, and will be back-ported to all supported versions.

Index

2. What is "S-TAP mode" and "STANDALONE mode"?

When you run diag.bat (or diag.ps1) under %WINSTAP_DIR%\Bin, the script runs in S-TAP mode. In this mode it uses S-TAP features: for example, ExternalZip.exe to create the zip file, and the Upload feature to send the zip file to the collector.

You can also run Must Gather from Guardium GUI, or from Windows Start menu. These are available only when Windows S-TAP is installed.

On the other hand, diag.bat and diag.ps1 are also included in other Guardium Windows agents such as GIM, GAM, CAS, FAM Monitor, FAM Crawler, FAM for NAS, and so on. You can also put diag.bat and diag.ps1 in any location (e.g. C:\tmp) on Windows and run them from there. In these cases, diag.bat (diag.ps1) does not use any Windows S-TAP feature and runs in STANDALONE mode. This is a new feature in Must Gather V2.1.

There are some differences between S-TAP mode and STANDALONE mode; see the table below for details. The Must Gather script temporarily gathers all files into the ZIP Source directory, creates a zip file under the ZIP Target directory, and then cleans up the temporarily gathered files in the ZIP Source directory.

                          S-TAP mode                                               STANDALONE mode
location of diag.bat      %WINSTAP_DIR%\Bin\diag.bat                               %DIAG_DIR%\diag.bat
                          (e.g. C:\Program Files\IBM\Windows S-TAP\Bin\diag.bat)   (e.g. C:\tmp\diag.bat)
                                                                                   NOTE: anywhere except %WINSTAP_DIR%\Bin
location of diag.log      %WINSTAP_DIR%\Bin\diag\diag.log                          %DIAG_DIR%\diag\diag.log
ZIP Source directory      %WINSTAP_DIR%\Logs                                       %DIAG_DIR%\diag
ZIP Target directory      %WINSTAP_DIR%\bin\zipTmp                                 %DIAG_DIR%\zip
ZIP filename              WSTAP_%HOST%_%YYYY-MM-DDTHH-MM-SSTZD%.zip                 GRD_WIN_DIAG_%YYYY-MM-DDTHH-MM-SSTZD%.zip
ZIP tool                  ExternalZip.exe                                          PowerShell Compress-Archive cmdlet
command options           supported                                                supported
S-TAP features            supported                                                NOT supported
(Run from GUI / Upload)

Tips

Q1) I archived the files under %WINSTAP_DIR%\Logs. Is it good enough as must gather output?
A1) No. In S-TAP mode all files are temporarily gathered into %WINSTAP_DIR%\Logs, but the temporarily gathered files are removed after they are archived. Use the zip file that Must Gather generates under the ZIP Target directory; you do not need to archive the files yourself.

Q2) What if we run Must Gather in STANDALONE mode on Windows Server 2012 / 2012 R2?
A2) Must Gather V3.0 uses the PowerShell Compress-Archive cmdlet if it is available. However, the PowerShell version on Windows Server 2012 and 2012 R2 is very old and does not support the cmdlet by default. In this case, Must Gather keeps all the gathered files under the ZIP Source directory and notifies you to archive the files in the ZIP Source directory yourself. See below for a typical console message.

C:\tmp>diag.bat
Guardium Windows Agent Must Gather V3 - PowerShell version  DIAG VERSION V3.0.8 (2022/08/16)
Running with Administrator role.

Diag Log : C:\tmp\diag\diag.log
Start Time : 2022-08-16T23:09:03
End Time : 2022-08-16T23:11:42 
ZIP file was not created because it's STANDALONE mode and the powershell version (4) doesn't support Compress-Archive command.
All files are gathered to "C:\tmp\diag\" folder. See "C:\tmp\diag\diag.log" for  details.
C:\tmp> 

You should also find a GRD_WIN_DIAG_compress-archive_failed.txt file under the ZIP target directory, which says:

`E 2022-08-16T23:11:42.5701 STEP7.1: PowerShell version is 4. Compress-Archive command is not supported.
`E 2022-08-16T23:11:42.5701 STEP7.1: Zip file was not created. Please zip the files under "C:\tmp\diag" by yourself, or install Windows Management Framework [WMF] 5.1 to enable Compress-Archive command. (NOTE: The default PowerShell version of Windows Server 2012 R2 is V4.) 

If you get into this situation, you can choose one of the following actions:

  1. Zip the files under the ZIP source directory by yourself.
  2. Upgrade the PowerShell version by installing Microsoft WMF 5.1. Then, compress-archive command will be available on your Windows Server 2012 / 2012 R2 and Must Gather will generate a ZIP file.
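As an added example (not IBM's diag.ps1 and not code from this post), the following PowerShell script shows how the mode decision and the directory layout in the table above, together with the Compress-Archive fallback described in Q2, can be implemented. Assumptions not taken from the post: the -WinStapDir parameter and its default, the Write-DiagLog line layout, the STEP0/STEP1 numbering (only STEP7.1 appears in the post), the host_summary.txt file, the numeric time-zone suffix in the zip name, and the use of Compress-Archive in S-TAP mode (the real script uses ExternalZip.exe there, whose command line the post does not show).

```powershell
# Added illustration, not IBM's diag.ps1: choose S-TAP or STANDALONE mode from the
# script's own location, derive the directories and zip name listed in the table,
# and handle the missing Compress-Archive case from Q2. Names marked "assumed"
# do not come from the blog post.
param(
    # Assumed parameter: Windows S-TAP install root, normally %WINSTAP_DIR%.
    [string]$WinStapDir = $(if ($env:WINSTAP_DIR) { $env:WINSTAP_DIR } else { 'C:\Program Files\IBM\Windows S-TAP' })
)

$scriptDir = Split-Path -Parent $PSCommandPath          # %DIAG_DIR% when standalone
$stapBin   = Join-Path $WinStapDir 'Bin'
# S-TAP mode only when the script really lives in %WINSTAP_DIR%\Bin; any other
# location (C:\tmp, another Guardium agent's folder, ...) is STANDALONE mode.
$isStapMode = (Test-Path -LiteralPath $stapBin) -and
    ([IO.Path]::GetFullPath($scriptDir).TrimEnd('\') -ieq
     [IO.Path]::GetFullPath($stapBin).TrimEnd('\'))

# Time stamp for the zip name. The post's exact TZD notation is not shown, so a
# numeric offset (zz) is assumed here; no colons, so it is a valid file name.
$stamp = Get-Date -Format 'yyyy-MM-ddTHH-mm-sszz'

if ($isStapMode) {
    $mode      = 'S-TAP'
    $zipSource = Join-Path $WinStapDir 'Logs'
    $zipTarget = Join-Path $WinStapDir 'bin\zipTmp'
    $zipName   = "WSTAP_$($env:COMPUTERNAME)_$stamp.zip"
    $diagLog   = Join-Path $WinStapDir 'Bin\diag\diag.log'
} else {
    $mode      = 'STANDALONE'
    $zipSource = Join-Path $scriptDir 'diag'
    $zipTarget = Join-Path $scriptDir 'zip'
    $zipName   = "GRD_WIN_DIAG_$stamp.zip"
    $diagLog   = Join-Path $scriptDir 'diag\diag.log'
}

foreach ($d in @($zipSource, $zipTarget, (Split-Path -Parent $diagLog))) {
    New-Item -ItemType Directory -Path $d -Force | Out-Null
}

function Write-DiagLog([string]$Level, [string]$Message) {
    # Assumed log line layout, loosely modelled on the two "E ... STEP7.1" lines
    # quoted in the post.
    $line = "$Level $(Get-Date -Format 'yyyy-MM-ddTHH:mm:ss.ffff') $Message"
    Add-Content -LiteralPath $script:diagLog -Value $line
    Write-Host $line
}

Write-DiagLog 'I' "STEP0: running in $mode mode; ZIP source=$zipSource target=$zipTarget"

# STEP1 (assumed numbering): gather. Only a small host summary is collected here;
# what the real script gathers is outside this example. Every file this run
# creates is tracked so that cleanup never touches pre-existing logs (in S-TAP
# mode the ZIP Source directory is the live %WINSTAP_DIR%\Logs).
$gathered = New-Object System.Collections.Generic.List[string]
$summary  = Join-Path $zipSource 'host_summary.txt'
@(
    "Host       : $env:COMPUTERNAME",
    "OS         : $([Environment]::OSVersion.VersionString)",
    "PowerShell : $($PSVersionTable.PSVersion)",
    "Mode       : $mode"
) | Set-Content -LiteralPath $summary
$gathered.Add($summary)

# STEP7.1: archive. Checking for the cmdlet itself is more robust than comparing
# version numbers; the version is still reported, as in the messages in Q2.
$zipPath = Join-Path $zipTarget $zipName
if (Get-Command Compress-Archive -ErrorAction SilentlyContinue) {
    Compress-Archive -Path $gathered.ToArray() -DestinationPath $zipPath -Force
    Write-DiagLog 'I' "STEP7.1: ZIP file created: $zipPath"
    # Clean up only what this run gathered.
    $gathered | ForEach-Object { Remove-Item -LiteralPath $_ -Force }
} else {
    $major  = $PSVersionTable.PSVersion.Major
    $notice = Join-Path $zipTarget 'GRD_WIN_DIAG_compress-archive_failed.txt'
    $msgs = @(
        "STEP7.1: PowerShell version is $major. Compress-Archive command is not supported.",
        "STEP7.1: Zip file was not created. Please zip the files under `"$zipSource`" by yourself, or install Windows Management Framework [WMF] 5.1 to enable Compress-Archive command."
    )
    foreach ($m in $msgs) { Write-DiagLog 'E' $m }
    $msgs | ForEach-Object { "E $(Get-Date -Format 'yyyy-MM-ddTHH:mm:ss.ffff') $_" } |
        Set-Content -LiteralPath $notice
    Write-Host "ZIP file was not created: $mode mode and PowerShell $major does not provide Compress-Archive."
    Write-Host "All files are gathered to `"$zipSource\`" folder. See `"$diagLog`" for details."
}
```

Run it as a script file (it relies on $PSCommandPath to find its own directory). Copied under %WINSTAP_DIR%\Bin it takes the S-TAP branch; copied to C:\tmp it takes the STANDALONE branch, and on a PowerShell 4 host it leaves the gathered files in place and writes the failure notice instead of a zip, which mirrors the two recovery options above.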

Ref) Install and Configure WMF 5.1 (Microsoft)

What's next?

The next blog post will explain "3. How to run Must Gather V3.0?".

Questions?

If you have any questions, please feel free to comment on this article. You can also ask questions in the IBM Security Guardium discussion in the IBM Security Community, or open a technical support ticket.
