About Windows Agent Must Gather V3.0
Guardium Windows Agent Must Gather V3.0 (a.k.a. Windows S-TAP Must Gather) is the latest must gather script, released with Guardium V11.5.
It's included in all Guardium Windows agents (GIM, S-TAP, GAM, CAS, FAM monitor, FAM crawler, FDEC for NAS/SP, FAM for NAS/SP) in V11.5, and will be back-ported to all supported versions.
Index
1. What's new in V3.0?
2. S-TAP mode and STANDALONE mode
3. How to run Must Gather V3.0?
4. Must Gather V3.0 command options
5. Where is the output of Must Gather?
6. What files are collected?
7. What if Must Gather doesn't generate output?
NOTE: This blog article covers section 6. Click the links to read the other sections.
6. What files are collected by Must Gather V3.0?
As explained in section 2 "S-TAP mode and STANDALONE mode", the ZIP Source directory is %WINSTAP_DIR%\Logs in S-TAP mode and %DIAG_DIR%\diag in STANDALONE mode. This means the directory structure of the ZIP file differs slightly between the two modes, even though both contain the same files.
S-TAP mode
- The files under %WINSTAP_DIR%\Logs are at the root folder of the ZIP.
- Guard_Tap.ini is in the ini folder.
- The %WINSTAP_DIR%\bin\diag files are in the diag folder.
- Installer logs are in the install folder.
- Files for other agents (e.g. GIM, GAM, FAM Crawler, etc.) are in each agent's own folder (e.g. Guardium Installation Manager, Guardium Agent Monitor, FAMCrawler, etc.).
STANDALONE mode
- The files under %DIAG_DIR%\diag are at the root folder of the ZIP.
- Windows S-TAP files (including Guard_Tap.ini) are in the Windows S-TAP folder.
- Installer logs are in the install folder.
- Files for other agents (e.g. GIM, GAM, FAM Crawler, etc.) are in each agent's own folder (e.g. Guardium Installation Manager, Guardium Agent Monitor, FAMCrawler, etc.).
6.1 ZipSource.dir.txt
ZipSource.dir.txt is the only file that always stays at the root folder, in both S-TAP mode and STANDALONE mode.
This file lists every file under the ZIP Source directory. Technically speaking, it is the output of "Get-ChildItem %ZipSourceDir% -Recurse -Force".
This is a new feature in V3.0.
6.2 Files under diag folder (or root folder in STANDALONE mode)
The following files are included in the diag folder in S-TAP mode, and in the root folder in STANDALONE mode. Each entry gives the file name, the Must Gather version that first collected it, and a description.

summary.txt (supported since V3.0)
Must Gather V3.0 picks up important information from a variety of files (e.g. system.txt, Guard_Tap.ini, ...) and creates summary.txt. This is the most useful file for getting an overview of the system.

system.txt (supported since V1.0)
Windows system information. Must Gather V3.0 gathers the following command outputs:
- systeminfo
- whoami /ALL
- ipconfig /all
- netstat -nao
- ping -n 10 %COLLECTOR_HOST%
- tracert -w 2 -h 10 %COLLECTOR_HOST%
- typeperf '\Process(guardium_stapr)\% Processor Time' -sc 10
- typeperf '\Process(%DbMonitor%)\Handle Count' -sc 10
- typeperf '\Process(guardium_stapr)\Private Bytes' -sc 10
- typeperf '\Process(%DbMonitor%)\Private Bytes' -sc 10
- typeperf '\processor(_total)\% processor time' -sc 10
- Get-PSDrive
- Get-LocalGroupMember -Name "Guardium Services"
- secedit /export /cfg system.txt
It also gets the list of installed software with:
- Get-ChildItem -Path('HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall') | % { Get-ItemProperty $_.PsPath | Select-Object DisplayName, DisplayVersion, Publisher }

tasks.txt (supported since V1.0)
Windows process (task) and driver information. Must Gather V3.0 gathers the following command outputs:
- tasklist /svc
- driverquery
- tasklist /m Guardium*
- tasklist /m Correlator*
- tasklist /m Tag*

reg.txt (supported since V1.0)
Windows registry information. Must Gather V3.0 gathers the following command outputs:
- reg query "HKLM\SOFTWARE\IBM" /s
- reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s
- reg query "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall" /s
- reg query "HKLM\SYSTEM\CurrentControlSet\Services" /s
- reg query "HKLM\SYSTEM\CurrentControlSet\Control\GroupOrderList" /s
- reg query "HKLM\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder" /s
- reg query "HKLM\SOFTWARE\Microsoft\MSSQLServer" /s
- reg query "HKLM\SOFTWARE\Microsoft\Microsoft SQL Server" /s
- reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\MSSQLServer" /s
- reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Microsoft SQL Server" /s
- reg query "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders" /s

evtlog2008.txt (supported since V1.0)
Windows event log information. Must Gather V3.0 gathers the following command outputs (GetUserNameFromSid and GetUserNameFromSid2 are the script's own helper functions that resolve a SID to a user name):
- Get-WinEvent -LogName Application -FilterXPath "Event/System[Provider[(@Name='Guardium_STAP') or (@Name='NtTdidr') or (@Name='LhmonProxy') or (@Name='Nptrc') or (@Name='NpProxy') or (@Name='DB2 Tap') or (@Name='DB2TapProxy') or (@Name='DB2TapPRoxySvc') or (@Name='DB2TapSvc') or (@Name='Db2ProxySvc') or (@Name='DbMonitor') or (@Name='FAMsvc') or (@Name='Guardium_STAP_Must_Gather') or (@Name='Guardium Windows Agent Must Gather') or (@Name='GuardiumFamHostPolling') or (@Name='IIS Tap') or (@Name='SP Tap') or (@Name='MsiInstaller') or (@Name='MSSQLSERVER')]]" | Select-Object TimeCreated, @{N='EventID';E={$_.Id}}, LevelDisplayName, LogName, ProviderName, KeywordsDisplayNames, UserId, @{N='UserName';E={GetUserNameFromSid $_.UserId}}, MachineName, Message -First 2000
- Get-WinEvent -LogName System -FilterXPath "Event/System[(EventID=12 or EventID=13 or EventID=41 or EventID=1001 or EventID=6008)]" | Select-Object TimeCreated, @{Name='EventID';Expression={$_.Id}}, LevelDisplayName, LogName, ProviderName, KeywordsDisplayNames, @{Name='UserName (Sid)';Expression={GetUserNameFromSid2 $_.UserId}}, MachineName, Message -First 1000
- Get-WinEvent -LogName System -FilterXPath "Event/System[EventID=7036]" | Select-Object TimeCreated, @{Name='EventID';Expression={$_.Id}}, LevelDisplayName, LogName, ProviderName, KeywordsDisplayNames, @{Name='UserName (Sid)';Expression={GetUserNameFromSid2 $_.UserId}}, MachineName, Message -First 1000
- Get-WinEvent -LogName System -FilterXPath "Event/System[EventID=7031]" | Select-Object TimeCreated, @{Name='EventID';Expression={$_.Id}}, LevelDisplayName, LogName, ProviderName, KeywordsDisplayNames, @{Name='UserName (Sid)';Expression={GetUserNameFromSid2 $_.UserId}}, MachineName, Message -First 1000
- Get-WinEvent -LogName System -FilterXPath "Event/System[Provider[@Name='Schannel' or @Name='Microsoft-Windows-Schannel-Events']]" | Select-Object TimeCreated, @{Name='EventID';Expression={$_.Id}}, LevelDisplayName, LogName, ProviderName, KeywordsDisplayNames, @{Name='UserName (Sid)';Expression={GetUserNameFromSid2 $_.UserId}}, MachineName, Message -First 1000

diag.log (supported since V2.0)
This log is generated by diag.ps1 in Must Gather V3.0 (and by diag.bat in Must Gather V2.x). It is useful if there is a problem in Must Gather itself.

diag.log.prev (supported since V2.0)
The previous diag.log.

STAP_Guard_Tap.xml (supported since V3.0)
An XML-formatted copy of the Windows S-TAP Guard_Tap.ini. (*1)

GIM_conf.xml (supported since V3.0)
An XML-formatted copy of the Windows GIM conf file. (*1)

FAM_Guard_Tap.xml (supported since V3.0)
An XML-formatted copy of the Windows FAM Monitor Guard_Tap.ini. (*1)

FAMCrawler_conf.xml (supported since V3.0)
An XML-formatted copy of the Windows FAM Crawler conf file. (*1)
6.3 Files under each agent folder
Each Guardium Windows agent has its own folder in the ZIP. For each component, the folder name and the files collected into it are listed below.

Windows S-TAP, folder "Windows S-TAP" (root in S-TAP mode):
- %WINSTAP_DIR%\Logs\*
- %WINSTAP_DIR%\Bin\Guard_Tap.ini
- wtap.dir.txt ... list of files under %WINSTAP_DIR%

Windows GIM, folder "Guardium Installation Manager":
- The conf, config, config.current and XXX_hooks.ps files in %WINGIM_DIR%\%COMPONENT%\current, where %COMPONENT% can be FAM, FAMMONITOR, GIM, GUC, WINSTAP, etc.
- central_logger.log
- wgim.dir.txt ... list of files under %WINGIM_DIR%

Windows GAM, folder "Guardium Agent Monitor":
- %WINGAM_DIR%\Bin\resmon.ini
- %WINGAM_DIR%\Bin\resmon_log.txt
- wgam.dir.txt ... list of files under %WINGAM_DIR%

Windows CAS, folder "IBM Windows CAS":
- %WINCAS_DIR%\conf\*.*
- %WINCAS_DIR%\logs\*.*
- wcas.dir.txt ... list of files under %WINCAS_DIR%

Windows FAM Monitor, folder "Windows Fam Monitor":
- %WINFAM_DIR%\Bin\Guard_Tap.ini
- %WINFAM_DIR%\Logs\*.*
- wfam.dir.txt ... list of files under %WINFAM_DIR%

Windows FAM Crawler, folder "FAMCrawler":
- %FAMCRAWLER_DIR%\FAM_security.properties
- %FAMCRAWLER_DIR%\files\conf\*.*
- %FAMCRAWLER_DIR%\files\logs\*.*
- %FAMCRAWLER_DIR%\files\bin\core.*.dmp
- %FAMCRAWLER_DIR%\files\bin\heapdump.*.phd
- %FAMCRAWLER_DIR%\files\bin\javacore.*.txt
- %FAMCRAWLER_DIR%\files\bin\Snap.*.trc
- %FAMCRAWLER_DIR%\files\bin\*.bat
- %FAMCRAWLER_DIR%\files\modules\ContentClassification\Bin\logs\*.*
- %FAMCRAWLER_DIR%\files\modules\ContentClassification\Filters\EmailFilter\*.log
- %FAMCRAWLER_DIR%\files\work\ldb\data\fam.db.log
- famcrawler.dir.txt ... list of files under %FAMCRAWLER_DIR%

FDEC for SP, folder "FDECforSP":
- %FDECSP_DIR%\Logs\*.*
- fdecforsp.dir.txt ... list of files under %FDECSP_DIR%

FDEC for NAS, folder "FDECforNAS":
- %FDECNAS_DIR%\Logs\*.*
- fdecfornas.dir.txt ... list of files under %FDECNAS_DIR%

FAM for SP, folder "FAMforSP":
- %FAMSP_DIR%\Logs\*.*
- famforsp.dir.txt ... list of files under %FAMSP_DIR%

FAM for NAS, folder "FAMforNAS":
- %FAMNAS_DIR%\Logs\*.*
- famfornas.dir.txt ... list of files under %FAMNAS_DIR%
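As an added example (not part of the Must Gather script or any IBM code), the following PowerShell function inspects a Must Gather V3.0 ZIP offline, without extracting it, and uses only the layout described in sections 6.1 to 6.3 to report which mode produced it, which core diag files are missing, which agent folders it contains, and which installer logs were captured. The function name and the ZIP path are assumptions; folder and file names are taken from the tables above.

```powershell
# Added example, not part of the Must Gather script. Inspects a Must Gather
# V3.0 ZIP without extracting it and reports its layout.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-MustGatherLayout {
    param([Parameter(Mandatory)][string]$ZipPath)   # path is an assumption

    $zip = [System.IO.Compression.ZipFile]::OpenRead($ZipPath)
    try {
        # ZIP entries may use either separator; normalise to '/'.
        $entries = @($zip.Entries | ForEach-Object { $_.FullName -replace '\\', '/' })
    } finally {
        $zip.Dispose()
    }

    # ZipSource.dir.txt sits at the root in both modes (section 6.1).
    $hasIndex = $entries -contains 'ZipSource.dir.txt'

    # S-TAP mode: Guard_Tap.ini under ini/, diag files under diag/.
    # STANDALONE mode: diag files at the root, S-TAP files under "Windows S-TAP/".
    $mode = 'UNKNOWN'
    if ($entries -contains 'ini/Guard_Tap.ini')           { $mode = 'S-TAP' }
    if ($entries -contains 'Windows S-TAP/Guard_Tap.ini') { $mode = 'STANDALONE' }
    $diagPrefix = if ($mode -eq 'S-TAP') { 'diag/' } else { '' }

    # Core diag files from section 6.2; report any that are absent.
    $expected = 'summary.txt','system.txt','tasks.txt','reg.txt','evtlog2008.txt','diag.log'
    $missing  = @($expected | Where-Object { $entries -notcontains ($diagPrefix + $_) })

    # Agent folder names from section 6.3, matched on the first path segment.
    $agentFolders = 'Windows S-TAP','Guardium Installation Manager','Guardium Agent Monitor',
                    'IBM Windows CAS','Windows Fam Monitor','FAMCrawler',
                    'FDECforSP','FDECforNAS','FAMforSP','FAMforNAS'
    $topLevel = @($entries | ForEach-Object { ($_ -split '/')[0] } | Sort-Object -Unique)
    $present  = @($agentFolders | Where-Object { $topLevel -contains $_ })

    [pscustomobject]@{
        Mode             = $mode
        HasZipSourceList = $hasIndex
        MissingDiagFiles = $missing
        AgentFolders     = $present
        # install/IBM*.ctl and install/custom/IBM*.ctl (section 6.4)
        InstallLogs      = @($entries | Where-Object { $_ -like 'install/*IBM*.ctl' })
    }
}

# Usage: Get-MustGatherLayout -ZipPath 'C:\temp\MustGather.zip' | Format-List
```

A result of Mode UNKNOWN or a non-empty MissingDiagFiles list usually means the script did not finish; check diag.log (section 6.2) before opening a support case with the ZIP.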
6.4 Files under install folder
The install folder contains the following files (each with the Must Gather version that first collected it):

IBM*.ctl (supported since V2.0)
Installer log files of all Guardium Windows agents, copied from %SystemDrive%\IBM*.ctl.

root.dir.txt (supported since V2.0)
List of files under %SystemDrive%.

custom\IBM*.ctl (supported since V2.0)
If you used a custom install log folder when you installed the product, the log is created at %CustomInstallLogDir%\IBM*.ctl and copied into the custom subfolder.

%COMP_SHORT%.dir.txt (supported since V2.0)
List of files under the %CustomInstallLogDir% folder. It is created only when a custom installer log folder was specified. (*1)

(*1) For example, if you install Windows FAM Monitor with FAMMONITOR_INSTALLER_LOG_DIR=D:\InstallerLog, then wfam.dir.txt is created under the \install\custom folder in the ZIP file, and it contains the list of files in the D:\InstallerLog directory.
What's next?