IBM Security Guardium

Issue FAM Agent

  • 1.  Issue FAM Agent

    Posted Wed July 10, 2019 12:19 PM

    Hi Community,
    We are having problems with resource consumption on the file server where we installed the FAM agent. Basically, when we installed the FAM agents we configured the source directory; then, from the investigation dashboard, you can generate rules based on the files found. We do not have any rules implemented other than some for testing, so the FAM agent is consuming resources just for running the crawler, which we understood should work correctly, since the rules are applied on top of it.

    We configured the source directory, for example, as 'E:/'. We see all the files on the investigation dashboard and we can apply rules from this dashboard, but the resource usage (RAM & CPU) of the file server is very high.

    Can you help us with this issue? Or maybe we need a scope to define the installation of Guardium FAM agents.

    Thanks in advance,
    Best regards,
    Rodrigo



    ------------------------------
    Rodrigo Diaz
    ------------------------------


  • 2.  RE: Issue FAM Agent

    Posted Thu July 11, 2019 06:55 AM
    A policy that audits all I/O operations leads to the consumption of a lot of CPU and network I/O.
    A good policy should focus only on directories which contain sensitive information. Also, auditing any operation is not the best idea - try to configure a more specific policy and remove the noise operations (not important for auditing) from auditing.

    ------------------------------
    Zbigniew Szmigiero
    IBM
    Warsaw
    ------------------------------



  • 3.  RE: Issue FAM Agent

    Posted Thu July 11, 2019 08:30 AM
    Hi Zbigniew,
    How are you? But we don't have any policy defined; we only configured the "source directory" when we installed it. You said that we need to make specific policies, but what if we do not have policies? We only have the source directory configured, and we think that if we only configure the source directory, we can use the investigation dashboard for files to create policies.

    For example, when we install the FAM agent with the source directory=E:/, once the installation finishes it starts a file crawler on the source directory location. Is this OK?
    Do you think that we need to be more specific on the source directory?

    Best regards,
    Rodrigo


    ------------------------------
    Rodrigo Diaz
    ------------------------------



  • 4.  RE: Issue FAM Agent

    Posted Mon July 15, 2019 03:53 AM
    Hi Rodrigo,
    I suggest creating separate rules for each directory which needs auditing:
    e:\dir1\*
    e:\dir2\*
    etc.

    A file policy allows you to put in many rules and different actions for them.
    It should decrease the number of audited I/O operations and CPU utilization.

    ------------------------------
    Zbigniew Szmigiero
    IBM
    Warsaw
    ------------------------------



  • 5.  RE: Issue FAM Agent

    Posted Mon July 15, 2019 08:35 AM
    Hi Zbigniew,
    But we don't have any rule or policy configured yet. We only defined the "Source directory"; that is why we think that the crawler is the issue. I'm trying to get information about the crawler and how we can deactivate it.


    ------------------------------
    Rodrigo Diaz
    ------------------------------



  • 6.  RE: Issue FAM Agent

    Posted Mon July 15, 2019 09:34 AM
    Sorry, I missed this information.

    The FAM module provides 2 functionalities - crawler and classifier. Which one is responsible for the huge CPU utilization?
    Also, the crawler and classifier allow you to provide a list of paths.

    ------------------------------
    Zbigniew Szmigiero
    IBM
    Warsaw
    ------------------------------



  • 7.  RE: Issue FAM Agent

    Posted Thu July 11, 2019 12:27 PM
    There are two parts to FAM that work independently:
     - the FAM monitoring, which generates alerts or blocks file access;
     - the FAM crawler, which discovers files that may contain sensitive information.
    The two work completely separately - you can run one, or the other, or both. In your case, it sounds like your performance hit is because of the crawler process; that may be because, after installation, it needs to investigate the entire file system once. After the initial pass, it will consume fewer resources, since it only needs to run periodically and look for any changes.
    If you do not need the crawler capabilities - in other words, if you already know what files you want to protect - then of course you can just stop the crawler. FAM monitoring/alerting will continue to be active.

    ------------------------------
    Paul Spencer
    ------------------------------



  • 8.  RE: Issue FAM Agent

    Posted Mon July 15, 2019 08:32 AM
    Hi Paul, 
    How are you? You said that we could deactivate the crawler; how can we do it? I think that the crawler is the issue, but I don't know what parameter in the FAM installation we can deactivate.

    Thanks in advance,
    Best regards,
    Rodrigo

    ------------------------------
    Rodrigo Diaz
    ------------------------------



  • 9.  RE: Issue FAM Agent

    Posted Mon July 15, 2019 10:15 AM
    The crawler cannot be deactivated - but it would be very strange for this functionality to utilize a lot of CPU - it gets only file metadata.
    So, what is the goal for the FAM module - data classification?

    I suggest:
    - Switch classification off - FAM_IS_DEEP_ANALYSIS=FALSE - and check the CPU state
    - Use FAM_SOURCE_DIRECTORIES to define the directories which should be audited
    - Maybe you set the interval to a very small value and the process is repeated every few minutes
    - Use EXCLUDE parameters to define the real audit scope

    ------------------------------
    Zbigniew Szmigiero
    IBM
    Warsaw
    ------------------------------



  • 10.  RE: Issue FAM Agent

    Posted Fri July 19, 2019 11:47 AM
    Hi,
    We tried deactivating Deep Analysis but it doesn't work. We configured the source directory with a 500 GB location and deactivated Deep Analysis, but the RAM continues at high values.

    Any other suggestion?

    Thanks in advance,
    Best regards,
    Rodrigo

    ------------------------------
    Rodrigo Diaz
    ------------------------------



  • 11.  RE: Issue FAM Agent

    Posted Sun July 21, 2019 05:27 AM
    Looks like a bug. Please open a support case - there is no reason to consume a lot of memory to gather metadata.

    ------------------------------
    Zbigniew Szmigiero
    IBM
    Warsaw
    ------------------------------