Original Message:
Sent: Fri June 21, 2024 05:27 PM
From: Rizwan Joo
Subject: Misbehaviour of STAP
Hi Santosh,
If you have installed a SELECTIVE AUDIT TRAIL policy, it is going to save on session-level logging and make the Guardium parser light. But obviously it is going to capture all the logs as per the rules. Overall log collection will be decreased.
------------------------------
Regards,
Rizwan Ali
Senior Guardium Consultant
Pakistan
Original Message:
Sent: Fri June 21, 2024 05:13 PM
From: Santhosh M
Subject: Misbehaviour of STAP
Hi Rizwan,
I have reinstalled the policy. But the same amount of log is coming as before.
Thanks for your patience.
------------------------------
Santhosh M
Original Message:
Sent: Fri June 21, 2024 04:54 PM
From: Rizwan Joo
Subject: Misbehaviour of STAP
Hi Santosh,
You need to check the selective audit trail and reinstall the policy; this will help you capture info as per the rules and nothing extra, which is what is happening now. Then you can use alert per match and see how much log is being captured. Of course, alert per match captures more logs than per session.
------------------------------
Regards,
Rizwan Ali
Senior Guardium Consultant
Pakistan
Original Message:
Sent: Fri June 21, 2024 04:45 PM
From: Santhosh M
Subject: Misbehaviour of STAP
Hi Rizwan,
Thanks for your reply.
If alert once per session is there, it will capture, say for example, an insert that is executed; it will capture it the 1st time in the session and we can't see data for the rest of the activity in the session, right? So alert per match is better, but it is logging too much data.
PFB:
![](https://dw1.s81c.com//IMWUC/MessageImages/087f868d3e2943b8969de716fbd202ca.png)
![](https://dw1.s81c.com//IMWUC/MessageImages/0e1ae6bf609b4989a2cd6b13006007f2.png)
------------------------------
Santhosh M
Original Message:
Sent: Fri June 21, 2024 04:23 PM
From: Rizwan Joo
Subject: Misbehaviour of STAP
Hi Santosh,
Log only vs Log full details: log only will capture the syntax alone, and full details surely with values. Google it for more details.
Alert per session will also log all the details in Guardium and send them to SIEM. So if you are using Alert per session, don't use log only or any other rule action; this is going to duplicate the data in the Guardium tables.
What is your policy type? Flat log? Sensitive?
If possible, give a screenshot of your data policy type.
------------------------------
Regards,
Rizwan Ali
Senior Guardium Consultant
Pakistan
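As an added illustration (not from the thread and not IBM's code), here is a small Python model of the rule actions discussed above, with the semantics taken from Rizwan's description: LOG ONLY keeps the statement construct without values, LOG FULL DETAILS keeps the values, ALERT PER MATCH alerts on and records every matching statement, and ALERT ONCE PER SESSION alerts once per session while still recording every match. The sample traffic, the DML-only condition and the value-stripping regex are constructed assumptions; the real behaviour of each action should be checked against the Guardium policy documentation. Running it shows why stacking alert once per session with log only doubles the rows, and why alert per match produces more alerts than once per session.

```python
import re
from dataclasses import dataclass, field

# Constructed sample traffic as (session_id, sql); not real Guardium data.
TRAFFIC = [
    ("s1", "INSERT INTO accounts VALUES (101, 'alice', 5000)"),
    ("s1", "INSERT INTO accounts VALUES (102, 'bob', 7200)"),
    ("s1", "SELECT name FROM accounts WHERE id = 101"),
    ("s2", "UPDATE accounts SET balance = 0 WHERE id = 102"),
    ("s2", "INSERT INTO accounts VALUES (103, 'carol', 10)"),
    ("s3", "SELECT 1"),
]

DML_VERBS = ("INSERT", "UPDATE", "DELETE")


def matches_dml(sql: str) -> bool:
    """The rule's condition: fire on DML statements only (assumption)."""
    return sql.lstrip().upper().startswith(DML_VERBS)


def construct(sql: str) -> str:
    """Reduce a statement to its construct (syntax without values),
    which is what the thread says LOG ONLY records. The regexes are a
    toy approximation of value stripping, not Guardium's parser."""
    sql = re.sub(r"'[^']*'", "?", sql)      # string literals
    return re.sub(r"\b\d+\b", "?", sql)     # numeric literals


@dataclass
class Outcome:
    records: list = field(default_factory=list)  # rows kept in Guardium
    alerts: list = field(default_factory=list)   # messages sent to the SIEM


def apply_rule(actions, traffic=TRAFFIC) -> Outcome:
    """Apply one DML rule carrying the given list of actions to the traffic.
    Action semantics are assumptions taken from the thread's description."""
    out = Outcome()
    alerted_sessions = set()
    for session, sql in traffic:
        if not matches_dml(sql):
            continue
        for action in actions:
            if action == "LOG_ONLY":
                out.records.append((session, construct(sql)))
            elif action == "LOG_FULL_DETAILS":
                out.records.append((session, sql))
            elif action == "ALERT_PER_MATCH":
                out.alerts.append((session, sql))
                out.records.append((session, sql))
            elif action == "ALERT_ONCE_PER_SESSION":
                # one SIEM alert per session, but every match is still recorded
                if session not in alerted_sessions:
                    alerted_sessions.add(session)
                    out.alerts.append((session, sql))
                out.records.append((session, sql))
            else:
                raise ValueError(f"unknown action {action!r}")
    return out


def volume(actions, traffic=TRAFFIC) -> dict:
    """Count what each action combination would write and send."""
    out = apply_rule(actions, traffic)
    return {"records": len(out.records), "alerts": len(out.alerts)}


if __name__ == "__main__":
    for actions in (["LOG_ONLY"], ["LOG_FULL_DETAILS"], ["ALERT_PER_MATCH"],
                    ["ALERT_ONCE_PER_SESSION"],
                    ["ALERT_ONCE_PER_SESSION", "LOG_ONLY"]):
        print(actions, volume(actions))
```

With the four DML statements in the sample, a single action records four rows; alert per match also sends four alerts, alert once per session sends two (one for s1 and one for s2), and combining alert once per session with log only writes eight rows for the same traffic, which is the duplication Rizwan warns about.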
Original Message:
Sent: Fri June 21, 2024 02:38 PM
From: Santhosh M
Subject: Misbehaviour of STAP
Hi Rizwan,
Can you give some tips regarding how to reduce flat logs?
If I give the log only action in the DML rule, it will send to the policy violation table, and alert once per session is sending to the same table. Can you clarify one thing: the alert will be sent to SIEM the first time the rule is triggered, and log only will capture the rest of the triggers as well, right?
Also, please let me know the exact difference between log only and log full details.
------------------------------
Santhosh M
Original Message:
Sent: Fri June 21, 2024 01:32 PM
From: Rizwan Joo
Subject: Misbehaviour of STAP
Hi Santhosh,
If you have enabled Firewall mode to block the traffic in case the STAP agent is not able to contact the Guardium server, then obviously it will impact DB operations; not otherwise.
Also, if a high number of logs being collected is making the DB full, it makes the STAP processes slow, the TCP network also gets impacted, and eventually there will be an impact on the DB.
I suggest you understand how to control log collection by making smart policy rules and keeping less retention of logs.
------------------------------
Regards,
Rizwan Ali
Senior Guardium Consultant
Pakistan
Original Message:
Sent: Fri June 21, 2024 06:40 AM
From: Santhosh M
Subject: Misbehaviour of STAP
If there is a sudden increase in the collector's disk, will STAP cause any kind of misbehaviour in the DB server, like DB slowness or being unable to make connections? I have enabled the firewall rule as well; please share any ideas.
I am using redact masking, so the firewall is enabled.
A sudden hike in space caused the sniffer to not be fully active. We have a high number of flat logs, so will it cause STAP memory on the DB server to be affected?
------------------------------
Santhosh M