IBM Security Guardium

  • 1.  Old data showing

    Posted Mon February 03, 2020 01:31 PM

    When I run a report on several of my collectors, I am getting old data that has a Timestamp that is outside my report parameter (past 24 hours), but has a Session Start and Session End time that is within my parameters. This is consistently happening.

     

    For example, in the table below, I just ran a report on the collector for the past 24 hours, on a report with Access Period as the Main Entity. I get data back that has an old timestamp, but a session start/end within the past 24 hours.

     

    Any idea what is the problem here?

       

    | Timestamp       | Session Start  | Session End    |
    |-----------------|----------------|----------------|
    | 8/2/2018 6:09   | 2/3/2020 8:14  | 2/3/2020 8:14  |
    | 8/2/2018 6:09   | 2/3/2020 8:14  | 2/3/2020 8:14  |
    | 8/2/2018 6:09   | 2/3/2020 8:14  | 2/3/2020 8:14  |
    | 12/5/2019 2:29  | 2/3/2020 8:14  | 2/3/2020 8:14  |
    | 12/5/2019 2:29  | 2/3/2020 8:14  | 2/3/2020 8:14  |
    | 12/5/2019 2:29  | 2/3/2020 8:14  | 2/3/2020 9:15  |
    | 1/3/2020 10:27  | 2/3/2020 8:04  | 2/3/2020 9:17  |
    | 1/28/2020 8:02  | 2/3/2020 8:19  | 2/3/2020 8:42  |
    | 1/28/2020 8:02  | 2/3/2020 10:55 |                |
    | 1/28/2020 13:24 | 2/3/2020 9:42  | 2/3/2020 9:44  |
    | 1/29/2020 8:12  | 2/3/2020 8:15  | 2/3/2020 8:15  |
    | 1/29/2020 13:43 | 2/3/2020 10:26 | 2/3/2020 10:26 |
    | 1/29/2020 13:43 | 2/3/2020 10:26 | 2/3/2020 10:26 |
    | 1/30/2020 6:48  | 2/3/2020 9:42  | 2/3/2020 9:45  |
    | 1/30/2020 6:48  | 2/3/2020 9:47  | 2/3/2020 9:49  |
    | 1/30/2020 7:21  | 2/3/2020 8:58  | 2/3/2020 9:59  |
    | 1/30/2020 8:46  | 2/3/2020 9:07  | 2/3/2020 10:08 |
    | 1/31/2020 1:09  | 2/3/2020 8:15  | 2/3/2020 8:15  |

     

     

    Brian Greenwood CPC HCISSP-A

    Information Security Analyst II

     

    Arkansas Blue Cross and Blue Shield

    515 Pershing Blvd

    North Little Rock, Arkansas 72214

    Office | 501-210-4319



  • 2.  RE: Old data showing

    IBM Champion
    Posted Mon February 03, 2020 01:55 PM
    Hi Brian:

    What Domain Entity are you getting your timestamp from?   It's possible that you are using the "Access - Client/Server" Timestamp and should be using the "Access - Session" Timestamp.

    | Domain* - Entity | Attribute(s) | Meaning |
    |------------------|--------------|---------|
    | Access - Client/Server | Timestamp | The time on the collector when the client first connected to the server. For example, if a client is connecting to the server in the same way many days in a row this timestamp will be the time of the first connection. This may even be before the purge days of the appliance. |
    | Access - Session | Timestamp | The time on the collector when the session information was most recently updated. If the session is closed it will be the same time as the Session End. |


    ------------------------------
    Wendy Zemba
    ------------------------------



  • 3.  RE: Old data showing

    Posted Tue February 04, 2020 09:32 AM
    Wow, this is very helpful. I see where we were missing this. Thank you so much!!

    ------------------------------
    Brian Greenwood
    ------------------------------



  • 4.  RE: Old data showing

    Posted Mon February 03, 2020 02:53 PM
    See Wendy's reply.

    For additional reference, there is a support page to help differentiate the different timestamps.

    ------------------------------
    Chase Walkup
    ------------------------------



  • 5.  RE: Old data showing

    Posted Wed February 05, 2020 03:03 AM

    Hi,

    Are you sure that your timestamp comes from the Session entity?

    It looks like you are referring to the Client/Server timestamp in this report.

    The Client/Server timestamp points to the time when the collector first saw this connection type (stap-collector).

    The Session timestamp points to the time of the latest SQL execution in the session.



    ------------------------------
    Zbigniew Szmigiero
    IBM
    Warsaw
    ------------------------------
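
The difference between the two Timestamp attributes described in the replies above, as an added example (not code from the thread or from Guardium). It is a simplified model: the class, its field names, the connection key and the purge step are assumptions for illustration, not the product's schema.

```python
from datetime import datetime, timedelta

class CollectorModel:
    """Toy model of the two entities; not Guardium's schema or code."""
    def __init__(self):
        self.client_server = {}   # connection key -> first-seen Timestamp
        self.sessions = []        # one dict per session

    def open_session(self, key, now):
        # Client/Server Timestamp is set once, on the first connection of this kind.
        self.client_server.setdefault(key, now)
        s = {"key": key, "start": now, "end": None, "timestamp": now}
        self.sessions.append(s)
        return s

    def run_sql(self, s, now):
        s["timestamp"] = now      # Session Timestamp follows the latest update

    def close_session(self, s, now):
        s["end"] = now
        s["timestamp"] = now      # closed session: Timestamp equals Session End

    def report(self, since):
        """Sessions started at or after `since`, with both Timestamp attributes."""
        return [{"client_server_ts": self.client_server[s["key"]],
                 "session_ts": s["timestamp"],
                 "start": s["start"], "end": s["end"]}
                for s in self.sessions if s["start"] >= since]

def demo():
    m = CollectorModel()
    key = ("10.0.0.5", "db01", "appuser")   # constructed connection identity
    old = m.open_session(key, datetime(2018, 8, 2, 6, 9))
    m.close_session(old, datetime(2018, 8, 2, 6, 10))
    m.sessions.clear()   # assumed purge: old sessions go, client/server row stays
    s = m.open_session(key, datetime(2020, 2, 3, 8, 14))
    m.run_sql(s, datetime(2020, 2, 3, 8, 30))
    m.close_session(s, datetime(2020, 2, 3, 9, 15))
    now = datetime(2020, 2, 3, 13, 31)
    return m.report(now - timedelta(hours=24)), now

if __name__ == "__main__":
    rows, now = demo()
    for r in rows:
        print(r["client_server_ts"], r["session_ts"], r["start"], r["end"])
```

The single row returned falls inside the 24-hour window by Session Start, yet its Client/Server Timestamp is from 2018, which is the pattern in the report from the first post.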