IBM Security Guardium

  • 1.  No Traffic Alert Issue

    Posted Thu September 02, 2021 04:04 PM
    Hi All,

    We had an incident with two S-TAP agents where there was no traffic for 72 hours.  And we have a No Traffic alert configured, but it didn't work in this case.  No notification alert was sent.  Any help?

    Thanks,
    Rodrigo

    ------------------------------
    Rodrigo Xavier
    ------------------------------


  • 2.  RE: No Traffic Alert Issue

    Posted Thu September 02, 2021 11:13 PM
    Hi Rodrigo,

    It could be anything from a closed port in the firewall to a process not running. Assuming the FW is not an issue, I'd check it this way:

    source (was stap down ?) -------------> target (is sniffer up ?)

    STAP side:
    Run this command:
    # netstat -na |grep 16016
    The output should return "ESTABLISHED" if the stap and the collector are physically connected.
    Someone may have changed STAP_ENABLE to 0 or KTAP_ENABLE to by accident. Both settings are GIM parameters.
    ==> for root cause, collect the stap mustgather and include the output in the support ticket.

    Appliance side:
    GUI > STAP Control; a red status could mean the sniffer is down.
    In 11.2 you have this CLI command you can run: support show service_status all
    Look for "guard-snif.service active running".
    If it's not running, do "restart inspection-core".
    ==> for root cause, collect the sniffer mustgather and include the output in the support ticket.

    Even if the stap has recovered now, you can still collect those mustgather data, as they contain historical data.

    ------------------------------
    DEMI SIEW PING LEE
    ------------------------------
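    As an added example (not code posted in this thread), a small POSIX sh health check that applies the two checks from the reply above to captured output: the port 16016 socket state from `netstat -na` on the S-TAP host, and the `guard-snif.service active running` line from the appliance. The netstat and service-status samples below are constructed, and the service-status line format beyond the quoted string is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: parse netstat and service-status output
# for the checks the reply describes (port 16016 link, sniffer service).

# Constructed sample `netstat -na` output, not captured from a real S-TAP host.
NETSTAT_UP='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:41234          10.0.0.9:16016          ESTABLISHED'

NETSTAT_DOWN='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:41234          10.0.0.9:16016          TIME_WAIT'

# Count ESTABLISHED TCP sockets whose local or foreign port is 16016.
# $1 = netstat -na output (on a live host, pass "$(netstat -na)").
stap_established_count() {
  printf '%s\n' "$1" | awk '
    $1 ~ /^tcp/ && ($4 ~ /:16016$/ || $5 ~ /:16016$/) && $6 == "ESTABLISHED" { n++ }
    END { print n + 0 }'
}

# Exit 0 when at least one established collector link exists, 1 otherwise.
stap_link_up() {
  [ "$(stap_established_count "$1")" -gt 0 ]
}

# Appliance side: constructed samples of the service-status line (assumed
# format; only the "active running" string is quoted in the thread).
SNIF_STATUS_OK='guard-snif.service active running'
SNIF_STATUS_BAD='guard-snif.service inactive dead'

# Exit 0 when the sniffer line reports active running.
# $1 = output of `support show service_status all`.
sniffer_running() {
  printf '%s\n' "$1" | grep -q 'guard-snif.service active running'
}

# Stand-alone run over the constructed samples.
if stap_link_up "$NETSTAT_UP"; then echo "stap link: up"; else echo "stap link: DOWN"; fi
if sniffer_running "$SNIF_STATUS_BAD"; then echo "sniffer: running"; else echo "sniffer: NOT running"; fi
```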



  • 3.  RE: No Traffic Alert Issue

    Posted Fri September 03, 2021 08:20 AM
    Hi Demi,

    The S-TAPs are working now.  The problem was a Linux kernel update that the customer did, and this update was not supported by the K-TAP version of the S-TAP.  After the update from S-TAP 10.6 to 11.2, everything worked fine.

    Our No Traffic alert is working.  We're receiving the notification when there is no traffic against the database on weekends, for example.

    The question is, why didn't we receive the No Traffic alert when the S-TAPs stopped collecting?  Does this alert only trigger in case of no traffic with operational S-TAPs?

    Regards,
    Rodrigo

    ------------------------------
    Rodrigo Xavier
    ------------------------------



  • 4.  RE: No Traffic Alert Issue

    Posted Mon September 06, 2021 04:06 AM
    It's difficult to say what happened. The condition for "No Traffic" is no logging in the last 48h, i.e. 2 consecutive days. Unless this condition is met, the alert will not be generated. It can be verified from internal tables. Please raise a support case if you have concerns.

    ------------------------------
    DEMI SIEW PING LEE
    ------------------------------