IBM Security Guardium

  • 1.  Misbehaviour of STAP

    Posted 14 days ago

    If there is a sudden increase in the collector's disk usage,

    will STAP cause any kind of misbehaviour in the DB server, like DB slowness or being unable to make connections? I have the firewall rule enabled as well. Please share any ideas.

    I am using redact masking, so the firewall is enabled.

    The sudden hike in space caused the sniffer to not be fully active. We have a high number of flat logs, so will it cause STAP memory on the DB server to be affected?



    ------------------------------
    Santhosh M
    ------------------------------


  • 2.  RE: Misbehaviour of STAP

    Posted 13 days ago

    Hi Santhosh,

    If you have enabled Firewall mode to block the traffic in case the S-TAP agent is not able to contact the Guardium server, then obviously it will impact DB operations; not otherwise.

    Also, if, due to a high number of logs, collection is making the DB full, it makes the S-TAP processes slow, the TCP network also gets impacted, and eventually there will be an impact on the DB.

    I suggest you learn how to control log collection by making smart policy rules and using shorter log retention.



    ------------------------------
    Regards,
    Rizwan Ali
    Senior Guardium Consultant
    Pakistan
    ------------------------------



  • 3.  RE: Misbehaviour of STAP

    Posted 13 days ago

    Hi Rizwan, 

    Can you give some tips on how to reduce flat logs?

    If I set the "log only" action in a DML rule, it will send to the policy violation table, and "alert once per session" also sends to the same table. Can you clarify one thing: the alert will be sent to the SIEM the first time the rule is triggered, and "log only" will capture the rest of the triggers as well, right?

    Also, please let me know the exact difference between "log only" and "log full details".



    ------------------------------
    Santhosh M
    ------------------------------



  • 4.  RE: Misbehaviour of STAP

    Posted 13 days ago

    Hi Santosh,

    Log only vs. log full details: log only will capture the syntax alone, and full details will surely include the values. Google it for more details.

    Alert per session will also log all the details in Guardium and send to the SIEM. So if you are using alert per session, don't use log only or any other rule action; this is going to duplicate the data in the Guardium tables.

    What is your policy type? Flat log? Sensitive?

    If possible, give a screenshot of your data policy type.



    ------------------------------
    Regards,
    Rizwan Ali
    Senior Guardium Consultant
    Pakistan
    ------------------------------



  • 5.  RE: Misbehaviour of STAP

    Posted 13 days ago

    Hi Rizwan,

    Thanks for your reply.

    If alert once per session is there, say for example an insert is executed: it will capture it the first time in the session, and we can't see data for the rest of the activity in the session, right? So alert per match is better, but it is logging too much data.

    PFB:



    ------------------------------
    Santhosh M
    ------------------------------



  • 6.  RE: Misbehaviour of STAP

    Posted 13 days ago

    Hi Santosh,

    You need to check the selective audit trail and reinstall the policy; this will help you capture info as per the rules and nothing extra, which is what is happening now. Then you can use alert per match and see how many logs are being captured. Of course alert per match captures more logs than per session.



    ------------------------------
    Regards,
    Rizwan Ali
    Senior Guardium Consultant
    Pakistan
    ------------------------------
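The exchange above turns on how much each alert action emits for the same activity. The following is an added example, not code from either poster or from IBM: it replays a constructed stream of SQL events through a DML rule and counts the alerts that "Alert per match", "Alert once per session" and "Alert daily" would raise. Only alert volume is modelled; what each action additionally writes to the Guardium tables is outside this model, and the event stream and rule predicate are my own assumptions.

```python
"""Added illustration of Guardium alert-action volume (not IBM code).

Models three rule alert actions over one constructed event stream:
  per_match        -> one alert for every matching statement
  once_per_session -> one alert per (session, rule), further matches suppressed
  daily            -> one alert per (calendar day, rule)
"""
from datetime import datetime

# Constructed sample events: (timestamp, session_id, db_user, sql). Not real traffic.
EVENTS = [
    (datetime(2024, 5, 1, 9, 0, 0), "S1", "appuser", "SELECT * FROM customers WHERE id = 1"),
    (datetime(2024, 5, 1, 9, 0, 1), "S1", "appuser", "INSERT INTO orders VALUES (1, 'x')"),
    (datetime(2024, 5, 1, 9, 0, 2), "S1", "appuser", "UPDATE orders SET status = 'paid' WHERE id = 1"),
    (datetime(2024, 5, 1, 9, 0, 3), "S1", "appuser", "DELETE FROM orders WHERE id = 1"),
    (datetime(2024, 5, 1, 9, 5, 0), "S2", "batch", "INSERT INTO audit_log VALUES (2, 'y')"),
    (datetime(2024, 5, 1, 9, 5, 1), "S2", "batch", "INSERT INTO audit_log VALUES (3, 'z')"),
    (datetime(2024, 5, 2, 8, 0, 0), "S3", "appuser", "UPDATE customers SET name = 'q' WHERE id = 7"),
]

DML_VERBS = {"INSERT", "UPDATE", "DELETE"}


def matches_dml(sql):
    """Rule predicate (assumed): fire on DML verbs, ignore everything else."""
    verb = sql.lstrip().split(None, 1)[0].upper() if sql.strip() else ""
    return verb in DML_VERBS


def alert_volume(events, mode, rule=matches_dml):
    """Return (alerts_sent, matches_seen, matches_suppressed) for one alert mode."""
    seen_keys = set()
    alerts = matches = 0
    for ts, session, _user, sql in events:
        if not rule(sql):
            continue
        matches += 1
        if mode == "per_match":
            key = (session, ts)          # every match is distinct
        elif mode == "once_per_session":
            key = session                # dedupe on the session only
        elif mode == "daily":
            key = ts.date()              # dedupe on the calendar day
        else:
            raise ValueError(f"unknown alert mode: {mode}")
        if key not in seen_keys:
            seen_keys.add(key)
            alerts += 1
    return alerts, matches, matches - alerts


def compare_modes(events):
    """Side-by-side counts for the three modes over the same events."""
    return {mode: alert_volume(events, mode) for mode in ("per_match", "once_per_session", "daily")}


if __name__ == "__main__":
    for mode, (sent, seen, suppressed) in compare_modes(EVENTS).items():
        print(f"{mode:17s} alerts={sent} matches={seen} suppressed={suppressed}")
```

The third element of each tuple is the number of matching statements that produced no alert of their own under that mode, which is the quantity being debated in the thread.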



  • 7.  RE: Misbehaviour of STAP

    Posted 13 days ago

    Hi Rizwan, 

    I have reinstalled the policy, but the same amount of logs is coming as before.

    Thanks for your patience. 



    ------------------------------
    Santhosh M
    ------------------------------



  • 8.  RE: Misbehaviour of STAP

    Posted 13 days ago

    Hi Santosh,

    If you have installed a SELECTIVE AUDIT TRAIL policy, it is going to save on session-level logging and make the Guardium parser lighter. But obviously it is going to capture all the logs as per the rules. Overall log collection will decrease.



    ------------------------------
    Regards,
    Rizwan Ali
    Senior Guardium Consultant
    Pakistan
    ------------------------------



  • 9.  RE: Misbehaviour of STAP

    Posted 13 days ago

    Hi Rizwan, 

    Thanks for your valuable time & help. 



    ------------------------------
    Santhosh M
    ------------------------------



  • 10.  RE: Misbehaviour of STAP

    Posted 13 days ago

    Dear Santosh,

    If the collector's internal DB is more than 55% full, the sniffer service, including the GUI, will stop working. To address this issue you need to tune the rules to log fewer activities and/or decrease log retention in Guardium in the Data Archive purge data settings.



    ------------------------------
    Regards,
    Rizwan Ali
    Senior Guardium Consultant
    Pakistan
    ------------------------------



  • 11.  RE: Misbehaviour of STAP

    Posted 12 days ago

    Hi Rizwan, 

    If the sniffer service is not fully active, will it cause an impact on the DB server?

    Actually, I faced an issue on a specific collector where the sniffer is not fully active and the firewall is enabled for masking.

    Issue description: the application team was unable to make a connection to the DB.

    By mistake, firewall_fail_close=1 was there; it should not be there for masking, as per my understanding.

    Also, can you tell me one thing:

    Should we set firewall_default_state=1, or can we set it to 0? If we set 0 or 1, do we need to use the attach rule, or do we have to set the firewall force watch or unwatch parameter?

    On the same day, fail close=0 with default state=1 was there, but it also caused the same connectivity issue; not sure why.



    ------------------------------
    Santhosh M
    ------------------------------
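Reply 2 (firewall mode blocking traffic when the agent cannot reach the collector) and the questions in the last post about firewall_fail_close, firewall_default_state and force watch/unwatch all come down to which sessions S-GATE holds for a verdict and what happens to a held session when no verdict arrives. The following is an added example written for this page; it is not IBM's S-TAP code and not from either poster. The key names (firewall_installed, firewall_default_state, firewall_fail_close, firewall_timeout, firewall_force_watch, firewall_force_unwatch) are real guardium_stap.conf parameters, but the decision function is a deliberately simplified model of their documented meaning, the sample configuration is constructed, and the "ip or ip/mask" list format assumed for the watch lists is my assumption.

```python
"""Added, simplified model of Guardium S-TAP firewall (S-GATE) session handling.

Not IBM code. Models:
  - whether a session is "watched" (held for a collector verdict) given
    firewall_default_state, firewall_force_watch/unwatch and policy attach;
  - what happens to a watched session when the collector/sniffer never answers
    within firewall_timeout: firewall_fail_close=1 terminates it, 0 lets it through.
"""
import configparser
import ipaddress

# Constructed guardium_stap.conf fragment (assumption: not a real deployment).
SAMPLE_CONF = """
[TAP]
tap_ip=10.0.0.5
sqlguard_ip=10.0.0.100
firewall_installed=1
firewall_default_state=1
firewall_fail_close=1
firewall_timeout=10
firewall_force_watch=
firewall_force_unwatch=10.0.0.200
"""


def _networks(raw):
    """Parse an assumed 'ip' or 'ip/mask' comma list into ip_network objects."""
    nets = []
    for item in raw.split(","):
        item = item.strip()
        if item:
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def load_firewall_settings(conf_text):
    """Read the firewall_* keys from the [TAP] section of a guardium_stap.conf."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    tap = cp["TAP"]
    flag = lambda key: tap.get(key, "0").strip() == "1"
    return {
        "installed": flag("firewall_installed"),
        "default_state": flag("firewall_default_state"),
        "fail_close": flag("firewall_fail_close"),
        "timeout": int(tap.get("firewall_timeout", "10")),
        "force_watch": _networks(tap.get("firewall_force_watch", "")),
        "force_unwatch": _networks(tap.get("firewall_force_unwatch", "")),
    }


def _in_any(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def session_is_watched(fw, client_ip, attached_by_policy=False):
    """Watched sessions wait for the collector's verdict; unwatched ones pass through."""
    if not fw["installed"]:
        return False
    if _in_any(client_ip, fw["force_unwatch"]):
        return False
    if _in_any(client_ip, fw["force_watch"]) or attached_by_policy:
        return True
    return fw["default_state"]          # 1: watch everything by default, 0: watch nothing


def sgate_outcome(fw, client_ip, collector_responds, attached_by_policy=False):
    """Fate of one new session under this configuration (model, not the agent)."""
    if not session_is_watched(fw, client_ip, attached_by_policy):
        return "PASS_UNWATCHED"           # S-GATE never holds it; nothing can block or redact it
    if collector_responds:
        return "VERDICT_FROM_POLICY"      # allow / terminate / redact decided by the collector
    if fw["fail_close"]:
        return "TERMINATE_ON_TIMEOUT"     # no verdict within firewall_timeout -> connection dropped
    return "PASS_ON_TIMEOUT"             # no verdict -> SQL released after the timeout


def outcome_matrix(conf_text, client_ip="10.0.0.50"):
    """Outcome for a default-state session while the collector is down, for all
    four combinations of firewall_default_state and firewall_fail_close."""
    base = load_firewall_settings(conf_text)
    matrix = {}
    for default_state in (0, 1):
        for fail_close in (0, 1):
            fw = dict(base, default_state=bool(default_state), fail_close=bool(fail_close))
            matrix[(default_state, fail_close)] = sgate_outcome(fw, client_ip, collector_responds=False)
    return matrix


if __name__ == "__main__":
    for (ds, fc), outcome in outcome_matrix(SAMPLE_CONF).items():
        print(f"firewall_default_state={ds} firewall_fail_close={fc} -> {outcome}")
```

The matrix makes the connectivity symptom concrete: with default_state=1 and fail_close=1 every new session is held, and a collector whose sniffer is not answering turns into terminated connections; with fail_close=0 the same sessions are released after firewall_timeout seconds, which shows up as slow logins rather than failures; with default_state=0 only force-watched or policy-attached sessions are ever held. Whether a given site should run fail-open or fail-closed is a risk decision the thread does not settle, and the model does not settle it either.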