IBM Security Guardium


Guardium Windows Must Gather V3.0 - Part 6 - What files are collected?

By SATOSHI KAWASE posted Sun October 23, 2022 07:00 AM

  

About Windows Agent Must Gather V3.0

Guardium Windows Agent Must Gather V3.0 (a.k.a. Windows S-TAP Must Gather) is the latest must gather script, released with Guardium V11.5.

It is included in all Guardium Windows agents (GIM, S-TAP, GAM, CAS, FAM Monitor, FAM Crawler, FDEC for NAS/SP, FAM for NAS/SP) in V11.5, and will be back-ported to all supported versions.

Index

  1. What's new in V3.0?
  2. S-TAP mode and STANDALONE mode
  3. How to run Must Gather V3.0?
  4. Must Gather V3.0 command options
  5. Where is the output of Must Gather?
  6. What files are collected?
  7. What if Must Gather doesn't generate output?

NOTE: This blog article covers section 6. Click the links in the index above to read the other sections.

6. What files are collected by Must Gather V3.0?

As explained in section 2 "S-TAP mode and STANDALONE mode", the ZIP Source directory is %WINSTAP_DIR%\Logs in S-TAP mode and %DIAG_DIR%\diag in STANDALONE mode. This means that the directory structure of the ZIP file differs slightly between the two modes, even though both contain the same files.

S-TAP mode

• The files under %WINSTAP_DIR%\Logs are at the root folder of the ZIP.
• Guard_Tap.ini is in the ini folder.
• The %WINSTAP_DIR%\bin\diag files are in the diag folder.
• Installer logs are in the install folder.
• Files for the other agents (e.g. GIM, GAM, FAM Crawler, etc.) are in each agent's own folder (e.g. Guardium Installation Manager, Guardium Agent Monitor, FAMCrawler, etc.).

STANDALONE mode

• The files under %DIAG_DIR%\diag are at the root folder of the ZIP.
• Windows S-TAP files (including Guard_Tap.ini) are in the Windows S-TAP folder.
• Installer logs are in the install folder.
• Files for the other agents (e.g. GIM, GAM, FAM Crawler, etc.) are in each agent's own folder (e.g. Guardium Installation Manager, Guardium Agent Monitor, FAMCrawler, etc.).

           

6.1 ZipSource.dir.txt

ZipSource.dir.txt is the only file that always stays at the root folder, in both S-TAP mode and STANDALONE mode.

This file lists every file under the ZIP Source directory. Technically speaking, it is the output of "Get-ChildItem %ZipSourceDir% -Recurse -Force".

This is a new feature in V3.0.

           

6.2 Files under the diag folder (or the root folder in STANDALONE mode)

The following files are included in the diag folder in S-TAP mode, and in the root folder in STANDALONE mode.

           

For each file: file name, the version since which it is collected, and a description.

summary.txt (since V3.0)
Must Gather V3.0 picks up important information from a variety of files (e.g. system.txt, Guard_Tap.ini, ...) and creates summary.txt. This is the most useful file for getting an overview of the system.

system.txt (since V1.0)
Windows system information. Must Gather V3.0 gathers the following command outputs:

• systeminfo
• whoami /ALL
• ipconfig /all
• netstat -nao
• ping -n 10 %COLLECTOR_HOST%
• tracert -w 2 -h 10 %COLLECTOR_HOST%
• typeperf '\Process(guardium_stapr)\% Processor Time' -sc 10
• typeperf '\Process(%DbMonitor%)\Handle Count' -sc 10
• typeperf '\Process(guardium_stapr)\Private Bytes' -sc 10
• typeperf '\Process(%DbMonitor%)\Private Bytes' -sc 10
• typeperf '\processor(_total)\% processor time' -sc 10
• Get-PSDrive
• Get-LocalGroupMember -Name "Guardium Services"
• secedit /export /cfg system.txt

It also gets the list of installed software with:

Get-ChildItem -Path ('HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall') | % { Get-ItemProperty $_.PsPath | Select-Object DisplayName, DisplayVersion, Publisher }

tasks.txt (since V1.0)
Windows process (task) and driver information. Must Gather V3.0 gathers the following command outputs:

• tasklist /svc
• driverquery
• tasklist /m Guardium*
• tasklist /m Correlator*
• tasklist /m Tag*

reg.txt (since V1.0)
Windows registry information. Must Gather V3.0 gathers the following command outputs:

• reg query "HKLM\SOFTWARE\IBM" /s
• reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s
• reg query "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall" /s
• reg query "HKLM\SYSTEM\CurrentControlSet\Services" /s
• reg query "HKLM\SYSTEM\CurrentControlSet\Control\GroupOrderList" /s
• reg query "HKLM\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder" /s
• reg query "HKLM\SOFTWARE\Microsoft\MSSQLServer" /s
• reg query "HKLM\SOFTWARE\Microsoft\Microsoft SQL Server" /s
• reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\MSSQLServer" /s
• reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Microsoft SQL Server" /s
• reg query "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders" /s

evtlog2008.txt (since V1.0)
Windows event log information. Must Gather V3.0 gathers the following command outputs:

• Get-WinEvent -LogName Application -FilterXPath "Event/System[Provider[(@Name='Guardium_STAP') or (@Name='NtTdidr') or (@Name='LhmonProxy') or (@Name='Nptrc') or (@Name='NpProxy') or (@Name='DB2 Tap') or (@Name='DB2TapProxy') or (@Name='DB2TapPRoxySvc') or (@Name='DB2TapSvc') or (@Name='Db2ProxySvc') or (@Name='DbMonitor') or (@Name='FAMsvc') or (@Name='Guardium_STAP_Must_Gather') or (@Name='Guardium Windows Agent Must Gather') or (@Name='GuardiumFamHostPolling') or (@Name='IIS Tap') or (@Name='SP Tap') or (@Name='MsiInstaller') or (@Name='MSSQLSERVER')]]" | Select-Object TimeCreated, @{N='EventID';E={$_.Id}}, LevelDisplayName, LogName, ProviderName, KeywordsDisplayNames, UserId, @{N='UserName';E={GetUserNameFromSid $_.UserId}}, MachineName, Message -First 2000
• Get-WinEvent -LogName System -FilterXPath "Event/System[(EventID=12 or EventID=13 or EventID=41 or EventID=1001 or EventID=6008)]" | Select-Object TimeCreated, @{Name='EventID';Expression={$_.Id}}, LevelDisplayName, LogName, ProviderName, KeywordsDisplayNames, @{Name='UserName (Sid)';Expression={GetUserNameFromSid2 $_.UserId}}, MachineName, Message -First 1000
• Get-WinEvent -LogName System -FilterXPath "Event/System[EventID=7036]" | Select-Object TimeCreated, @{Name='EventID';Expression={$_.Id}}, LevelDisplayName, LogName, ProviderName, KeywordsDisplayNames, @{Name='UserName (Sid)';Expression={GetUserNameFromSid2 $_.UserId}}, MachineName, Message -First 1000
• Get-WinEvent -LogName System -FilterXPath "Event/System[EventID=7031]" | Select-Object TimeCreated, @{Name='EventID';Expression={$_.Id}}, LevelDisplayName, LogName, ProviderName, KeywordsDisplayNames, @{Name='UserName (Sid)';Expression={GetUserNameFromSid2 $_.UserId}}, MachineName, Message -First 1000
• Get-WinEvent -LogName System -FilterXPath "Event/System[Provider[@Name='Schannel' or @Name='Microsoft-Windows-Schannel-Events']]" | Select-Object TimeCreated, @{Name='EventID';Expression={$_.Id}}, LevelDisplayName, LogName, ProviderName, KeywordsDisplayNames, @{Name='UserName (Sid)';Expression={GetUserNameFromSid2 $_.UserId}}, MachineName, Message -First 1000

diag.log (since V2.0)
This log is generated by diag.ps1 in Must Gather V3.0 (and by diag.bat in Must Gather V2.x). It is useful if there is a problem in Must Gather itself.

diag.log.prev (since V2.0)
The previous diag.log.

STAP_Guard_Tap.xml (since V3.0)
An XML-formatted copy of the Windows S-TAP Guard_Tap.ini. (*1)

GIM_conf.xml (since V3.0)
An XML-formatted copy of the Windows GIM conf file. (*1)

FAM_Guard_Tap.xml (since V3.0)
An XML-formatted copy of the Windows FAM Monitor Guard_Tap.ini. (*1)

FAMCrawler_conf.xml (since V3.0)
An XML-formatted copy of the Windows FAM Crawler conf. (*1)

(*1) Must Gather V3.0 parses several text files (e.g. Guard_Tap.ini, conf, etc.) and retrieves some parameter values when generating summary.txt. Everything is done in memory, but the parsed objects are also saved to XML files just in case. These XML files can be useful if there is a problem in the parse logic and summary.txt shows an unexpected value.
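As an added example (my own PowerShell, not code from the Must Gather script), the block below shows two of the mechanisms behind the table above: the parse-to-XML step that produces the (*1) files and feeds summary.txt, and the event-log query with SID-to-user-name resolution used for evtlog2008.txt. The INI text, the key names pulled into the summary and all function names are assumptions made for the demo; the script's own GetUserNameFromSid helper is not published, so Convert-SidToUserName is a stand-in, and masking secret-looking keys in the summary is my choice rather than documented behaviour.

```powershell
# Added example, not the Must Gather script's own code.
# Part 1: parse an INI-style agent config (constructed sample standing in for
# Guard_Tap.ini), pull the summary values, and save the parsed object as XML.

function ConvertFrom-IniText {
    param([string[]]$Lines)
    $cfg = [ordered]@{}
    $section = 'GLOBAL'                 # keys that appear before any [section] header
    $cfg[$section] = [ordered]@{}
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';') -or $line.StartsWith('#')) { continue }
        if ($line -match '^\[(.+)\]$') {
            $section = $Matches[1]
            if (-not $cfg.Contains($section)) { $cfg[$section] = [ordered]@{} }
            continue
        }
        $idx = $line.IndexOf('=')
        if ($idx -lt 1) { continue }    # malformed line: skip it rather than abort the whole parse
        $cfg[$section][$line.Substring(0, $idx).Trim()] = $line.Substring($idx + 1).Trim()
    }
    return $cfg
}

function Get-ConfigSummary {
    param($Config, [string]$Section, [string[]]$Keys)
    $summary = [ordered]@{}
    foreach ($k in $Keys) {
        $present = $Config.Contains($Section) -and $Config[$Section].Contains($k)
        if (-not $present)                   { $summary[$k] = '<not set>' }  # report gaps explicitly
        elseif ($k -match 'SECRET|PASSWORD') { $summary[$k] = '<redacted>' } # keep secrets out of the summary
        else                                 { $summary[$k] = $Config[$Section][$k] }
    }
    return $summary
}

function ConvertTo-ConfigObject {
    param($Config)
    # Nested PSCustomObjects round-trip through Export-Clixml / Import-Clixml cleanly
    $outer = [ordered]@{}
    foreach ($s in $Config.Keys) { $outer[$s] = [pscustomobject]$Config[$s] }
    return [pscustomobject]$outer
}

# Part 2: event-log query with SID resolution (stand-in for the script's GetUserNameFromSid).
function Convert-SidToUserName {
    param([string]$Sid)
    if (-not $Sid) { return '' }
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        return $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return "<unresolved:$Sid>"      # deleted or foreign account: keep the raw SID visible
    }
}

function Get-AgentEvents {
    param([string]$LogName, [string]$XPath, [int]$Max = 1000)
    try {
        $events = Get-WinEvent -LogName $LogName -FilterXPath $XPath -MaxEvents $Max -ErrorAction Stop
    } catch {
        # Get-WinEvent throws when the filter matches nothing; an empty result is not an error here
        if ($_.Exception.Message -match 'No events were found') { return @() }
        throw
    }
    return $events | Select-Object TimeCreated, @{N='EventID';E={$_.Id}}, LevelDisplayName, ProviderName,
        @{N='UserName';E={ Convert-SidToUserName $_.UserId }}, Message
}

# --- demo ---
$sampleText = @'
; constructed sample, not a real Guard_Tap.ini
[TAP]
TAP_IP=10.0.0.5
SQLGUARD_IP=10.0.0.10
SHARED_SECRET=not-a-real-secret
'@
$config  = ConvertFrom-IniText ($sampleText -split "`r?`n")
$summary = Get-ConfigSummary -Config $config -Section 'TAP' -Keys 'TAP_IP', 'SQLGUARD_IP', 'SHARED_SECRET', 'NOT_IN_SAMPLE'
$summary.GetEnumerator() | ForEach-Object { "{0}={1}" -f $_.Key, $_.Value }

$xml = Join-Path $env:TEMP 'STAP_Guard_Tap.demo.xml'
ConvertTo-ConfigObject $config | Export-Clixml -Path $xml
$back = Import-Clixml -Path $xml
"XML round-trip matches: " + ($back.TAP.TAP_IP -eq $config['TAP']['TAP_IP'])

"S-1-5-18 resolves to: " + (Convert-SidToUserName 'S-1-5-18')     # well-known LocalSystem SID
$xpath = "Event/System[Provider[(@Name='MsiInstaller') or (@Name='Guardium_STAP')]]"
Get-AgentEvents -LogName Application -XPath $xpath -Max 20 | Format-List | Out-File (Join-Path $env:TEMP 'evtlog.demo.txt')
```

Run it in a PowerShell session on the monitored host; Get-AgentEvents needs read access to the Application log. The reference commands in the table take the first N events with Select-Object -First after the query, whereas this example uses -MaxEvents so the log is not read further than needed; both give the newest events first. Comparing the XML written by ConvertTo-ConfigObject with the values in the summary is exactly the check the (*1) note suggests when summary.txt looks wrong.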

6.3 Files under the component folders

Must Gather V3.0 reads the Windows registry to get the list of installed Guardium components, and gathers diagnostic files from each component's installation directory. Some files may not exist in a given component folder; Must Gather V3.0 copies a file only when it exists. Newer Must Gather versions may collect more files.

For each component: the folder name in the ZIP, and the files in that folder.

Windows S-TAP - folder "Windows S-TAP" (root in S-TAP mode)
• %WINSTAP_DIR%\Logs\*
• %WINSTAP_DIR%\Bin\Guard_Tap.ini
• wtap.dir.txt ... list of files under %WINSTAP_DIR%

Windows GIM - folder "Guardium Installation Manager"
• The conf, config, config.current and XXX_hooks.ps files in %WINGIM_DIR%\%COMPONENT%\current, where %COMPONENT% can be FAM, FAMMONITOR, GIM, GUC, WINSTAP, etc.
• central_logger.log
• wgim.dir.txt ... list of files under %WINGIM_DIR%

Windows GAM - folder "Guardium Agent Monitor"
• %WINGAM_DIR%\Bin\resmon.ini
• %WINGAM_DIR%\Bin\resmon_log.txt
• wgam.dir.txt ... list of files under %WINGAM_DIR%

Windows CAS - folder "IBM Windows CAS"
• %WINCAS_DIR%\conf\*.*
• %WINCAS_DIR%\logs\*.*
• wcas.dir.txt ... list of files under %WINCAS_DIR%

Windows FAM Monitor - folder "Windows Fam Monitor"
• %WINFAM_DIR%\Bin\Guard_Tap.ini
• %WINFAM_DIR%\Logs\*.*
• wfam.dir.txt ... list of files under %WINFAM_DIR%

Windows FAM Crawler - folder "FAMCrawler"
• %FAMCRAWLER_DIR%\FAM_security.properties
• %FAMCRAWLER_DIR%\files\conf\*.*
• %FAMCRAWLER_DIR%\files\logs\*.*
• %FAMCRAWLER_DIR%\files\bin\core.*.dmp
• %FAMCRAWLER_DIR%\files\bin\heapdump.*.phd
• %FAMCRAWLER_DIR%\files\bin\javacore.*.txt
• %FAMCRAWLER_DIR%\files\bin\Snap.*.trc
• %FAMCRAWLER_DIR%\files\bin\*.bat
• %FAMCRAWLER_DIR%\files\modules\ContentClassification\Bin\logs\*.*
• %FAMCRAWLER_DIR%\files\modules\ContentClassification\Filters\EmailFilter\*.log
• %FAMCRAWLER_DIR%\files\work\ldb\data\fam.db.log
• famcrawler.dir.txt ... list of files under %FAMCRAWLER_DIR%

FDEC for SP - folder "FDECforSP"
• %FDECSP_DIR%\Logs\*.*
• fdecforsp.dir.txt ... list of files under %FDECSP_DIR%

FDEC for NAS - folder "FDECforNAS"
• %FDECNAS_DIR%\Logs\*.*
• fdecfornas.dir.txt ... list of files under %FDECNAS_DIR%

FAM for SP - folder "FAMforSP"
• %FAMSP_DIR%\Logs\*.*
• famforsp.dir.txt ... list of files under %FAMSP_DIR%

FAM for NAS - folder "FAMforNAS"
• %FAMNAS_DIR%\Logs\*.*
• famfornas.dir.txt ... list of files under %FAMNAS_DIR%

6.4 Files under the install folder

The install folder contains the following files (file name, version since which it is collected, description):

IBM*.ctl (since V2.0)
Installer log files of all Guardium Windows agents, copied from %SystemDrive%\IBM*.ctl.

root.dir.txt (since V2.0)
List of files under %SystemDrive%.

custom\IBM*.ctl (since V2.0)
If you used a custom install log folder when you installed the product, the log is created at %CustomInstallLogDir%\IBM*.ctl and is copied here.

%COMP_SHORT%.dir.txt (since V2.0)
List of files under the %CustomInstallLogDir% folder. It is created only when a custom installer log directory was specified. (*1)

(*1) For example, if you install Windows FAM Monitor with FAMMONITOR_INSTALLER_LOG_DIR=D:\InstallerLog, then wfam.dir.txt is created under the \install\custom folder in the ZIP file, and it contains the list of files in the D:\InstallerLog directory.
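Sections 6.1, 6.3 and 6.4 describe one collection pattern: copy each listed file only if it exists, write a <short>.dir.txt listing per component, write one ZipSource.dir.txt for the whole ZIP Source directory, then zip it. The block below is an added PowerShell example of that pattern and is not the Must Gather script's own code. The component root directories are passed in as parameters (the real script looks them up in the registry, whose key and value names are not given in this article), the directory layout it collects from is a constructed stand-in under %TEMP%, and the function names are my own.

```powershell
# Added example, not the Must Gather script's own code: collect per-component
# diagnostic files into a ZIP Source directory the way sections 6.1/6.3/6.4 describe.

function Write-DirListing {
    # <short>.dir.txt style listing; same idea as "Get-ChildItem <dir> -Recurse -Force"
    param([string]$Root, [string]$OutFile)
    if (-not (Test-Path -LiteralPath $Root)) { return $false }
    Get-ChildItem -LiteralPath $Root -Recurse -Force |
        Select-Object FullName, Length, LastWriteTime |
        Format-Table -AutoSize | Out-File -FilePath $OutFile -Width 300
    return $true
}

function Copy-IfExists {
    # $Pattern may contain wildcards (Logs\*.*, core.*.dmp); a missing path is skipped, not an error
    param([string]$Pattern, [string]$Destination)
    $items = @(Get-ChildItem -Path $Pattern -File -Force -ErrorAction SilentlyContinue)
    if ($items.Count -eq 0) { return 0 }
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    foreach ($i in $items) { Copy-Item -LiteralPath $i.FullName -Destination $Destination -Force }
    return $items.Count
}

function Copy-ComponentFiles {
    param([string]$FolderName, [string]$Root, [string[]]$Patterns, [string]$Short, [string]$ZipSource)
    if (-not (Test-Path -LiteralPath $Root)) { return 0 }    # component not installed: no folder is created
    $dest = Join-Path $ZipSource $FolderName
    New-Item -ItemType Directory -Path $dest -Force | Out-Null
    $copied = 0
    foreach ($p in $Patterns) { $copied += Copy-IfExists -Pattern (Join-Path $Root $p) -Destination $dest }
    Write-DirListing -Root $Root -OutFile (Join-Path $dest "$Short.dir.txt") | Out-Null
    return $copied
}

# --- demo on a constructed layout under %TEMP% ---
$work    = Join-Path $env:TEMP ('mg_demo_' + [guid]::NewGuid().ToString('N'))
$famRoot = Join-Path $work 'FAMMonitor'                      # constructed stand-in for %WINFAM_DIR%
New-Item -ItemType Directory -Path (Join-Path $famRoot 'Bin'), (Join-Path $famRoot 'Logs') -Force | Out-Null
Set-Content -Path (Join-Path $famRoot 'Bin\Guard_Tap.ini') -Value '[TAP]', 'TAP_IP=10.0.0.5'   # constructed
Set-Content -Path (Join-Path $famRoot 'Logs\fam.log')      -Value 'constructed log line'
$zipSource = Join-Path $work 'diag'                           # plays the role of %DIAG_DIR%\diag
New-Item -ItemType Directory -Path $zipSource -Force | Out-Null

$components = @(
    @{ FolderName = 'Windows Fam Monitor'; Root = $famRoot;                    Short = 'wfam';       Patterns = @('Bin\Guard_Tap.ini', 'Logs\*.*') },
    @{ FolderName = 'FDECforNAS';          Root = (Join-Path $work 'absent'); Short = 'fdecfornas'; Patterns = @('Logs\*.*') }   # not installed
)
foreach ($c in $components) {
    $n = Copy-ComponentFiles -FolderName $c.FolderName -Root $c.Root -Patterns $c.Patterns -Short $c.Short -ZipSource $zipSource
    "{0}: {1} file(s) copied" -f $c.FolderName, $n
}

# install folder: %SystemDrive%\IBM*.ctl, copied only if any exist on this machine
$ctl = Copy-IfExists -Pattern (Join-Path $env:SystemDrive 'IBM*.ctl') -Destination (Join-Path $zipSource 'install')
"install: $ctl installer log(s) copied"

# ZipSource.dir.txt is written last so it lists everything collected above, then the tree is zipped
Write-DirListing -Root $zipSource -OutFile (Join-Path $zipSource 'ZipSource.dir.txt') | Out-Null
Compress-Archive -Path (Join-Path $zipSource '*') -DestinationPath (Join-Path $work 'must_gather_demo.zip') -Force
"Output: " + (Join-Path $work 'must_gather_demo.zip')
```

Running it prints "Windows Fam Monitor: 2 file(s) copied" and "FDECforNAS: 0 file(s) copied", and the ZIP contains a "Windows Fam Monitor" folder with Guard_Tap.ini, fam.log and wfam.dir.txt but no FDECforNAS folder, which is the "copies the files only when they exist" behaviour from 6.3. root.dir.txt from 6.4 is deliberately left out, since a recursive listing of the system drive is not something to run casually; a non-recursive Get-ChildItem of %SystemDrive% would be the safe equivalent.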

What's next?

The next blog will explain 7. What if Must Gather doesn't generate output?

Questions?

If you have any questions, please feel free to comment on this article. You can also ask questions in the IBM Security Guardium discussion in the IBM Security Community, or open a technical support ticket.
