IBM Security Guardium

Hi All,

We had an incident with two S-TAP agents where there was no traffic during 72 hours.  And we have a No Traffic alert configured, but it didn´t work in this case.  No notification alert was sent.  Any help?

Thanks,
Rodrigo

------------------------------
Rodrigo Xavier
------------------------------

Hi Rodrigo,

It could be any thing from closed port in firewall to process not running. Assuming FW is not an issue, I'd check it this way

source (was stap down ?) -------------> target (is sniffer up ?)

STAP side:
Run this command
# netstat -na |grep 16016
the output should return "ESTABLISHED" if stap and collector is physically connected
someone may have change STAP_ENABLE to 0 or KTAP_ENABLE to by accident. Both settings are GIM parameters.
==> for root case, collect stap mustgather and include the output in the support ticket.

Appliance side:
GUI > STAP Control , status is red could mean sniffer is down
In 11.2 you have this CLI command you can run: support show service_status all
look for "guard-snif.service active running"
if its not running, do "restart inspection-core"
==> for root cause, collect mustgather sniffer and include the output in the support ticket.

Even if the stap has recovered now you still can collect those mustgather data as they contain historical data.

------------------------------
DEMI SIEW PING LEE
------------------------------

Original Message:
Sent: Thu September 02, 2021 04:03 PM
From: Rodrigo Xavier
Subject: No Traffic Alert Issue

Hi All,

We had an incident with two S-TAP agents where there was no traffic during 72 hours.  And we have a No Traffic alert configured, but it didn´t work in this case.  No notification alert was sent.  Any help?

Thanks,
Rodrigo

------------------------------
Rodrigo Xavier
------------------------------

Hi Demi,

The s-taps is working now.  The problem was an linux kernel update that the customer did, and this update was not supported by k-tap version of s-tap.  After the update from s-tap 10.6 to 11.2, everything worked fine.

Our No Traffic alert is working.  We´re receiving the notification when there is no traffic against the database in weekends, for example.  

The question is, why we didn´t receive the No Traffic alert when s-taps stopped collect?  Does this alert only trigger in case of non-traffic only with operational s-taps?

Regards,
Rodrigo

------------------------------
Rodrigo Xavier
------------------------------

Original Message:
Sent: Thu September 02, 2021 11:13 PM
From: DEMI SIEW PING LEE
Subject: No Traffic Alert Issue

Hi Rodrigo,

It could be any thing from closed port in firewall to process not running. Assuming FW is not an issue, I'd check it this way

source (was stap down ?) -------------> target (is sniffer up ?)

STAP side:
Run this command
# netstat -na |grep 16016
the output should return "ESTABLISHED" if stap and collector is physically connected
someone may have change STAP_ENABLE to 0 or KTAP_ENABLE to by accident. Both settings are GIM parameters.
==> for root case, collect stap mustgather and include the output in the support ticket.

Appliance side:
GUI > STAP Control , status is red could mean sniffer is down
In 11.2 you have this CLI command you can run: support show service_status all
look for "guard-snif.service active running"
if its not running, do "restart inspection-core"
==> for root cause, collect mustgather sniffer and include the output in the support ticket.

Even if the stap has recovered now you still can collect those mustgather data as they contain historical data.

------------------------------
DEMI SIEW PING LEE

Original Message:
Sent: Thu September 02, 2021 04:03 PM
From: Rodrigo Xavier
Subject: No Traffic Alert Issue

Hi All,

We had an incident with two S-TAP agents where there was no traffic during 72 hours.  And we have a No Traffic alert configured, but it didn´t work in this case.  No notification alert was sent.  Any help?

Thanks,
Rodrigo

------------------------------
Rodrigo Xavier
------------------------------

Its difficult to say what happened. The condition for "No Traffic" is no logging in the last 48h i.e. 2 consecutive days. Unless this condition is met, alert will not be generated. It can be verified from internal tables. Please raise a support case if you have concerned.



------------------------------
DEMI SIEW PING LEE
------------------------------

Original Message:
Sent: Fri September 03, 2021 08:20 AM
From: Rodrigo Xavier
Subject: No Traffic Alert Issue

Hi Demi,

The s-taps is working now.  The problem was an linux kernel update that the customer did, and this update was not supported by k-tap version of s-tap.  After the update from s-tap 10.6 to 11.2, everything worked fine.

Our No Traffic alert is working.  We´re receiving the notification when there is no traffic against the database in weekends, for example.  

The question is, why we didn´t receive the No Traffic alert when s-taps stopped collect?  Does this alert only trigger in case of non-traffic only with operational s-taps?

Regards,
Rodrigo

------------------------------
Rodrigo Xavier

Original Message:
Sent: Thu September 02, 2021 11:13 PM
From: DEMI SIEW PING LEE
Subject: No Traffic Alert Issue

Hi Rodrigo,

It could be any thing from closed port in firewall to process not running. Assuming FW is not an issue, I'd check it this way

source (was stap down ?) -------------> target (is sniffer up ?)

STAP side:
Run this command
# netstat -na |grep 16016
the output should return "ESTABLISHED" if stap and collector is physically connected
someone may have change STAP_ENABLE to 0 or KTAP_ENABLE to by accident. Both settings are GIM parameters.
==> for root case, collect stap mustgather and include the output in the support ticket.

Appliance side:
GUI > STAP Control , status is red could mean sniffer is down
In 11.2 you have this CLI command you can run: support show service_status all
look for "guard-snif.service active running"
if its not running, do "restart inspection-core"
==> for root cause, collect mustgather sniffer and include the output in the support ticket.

Even if the stap has recovered now you still can collect those mustgather data as they contain historical data.

------------------------------
DEMI SIEW PING LEE

Original Message:
Sent: Thu September 02, 2021 04:03 PM
From: Rodrigo Xavier
Subject: No Traffic Alert Issue

Hi All,

We had an incident with two S-TAP agents where there was no traffic during 72 hours.  And we have a No Traffic alert configured, but it didn´t work in this case.  No notification alert was sent.  Any help?

Thanks,
Rodrigo

------------------------------
Rodrigo Xavier
------------------------------