Configuration and Control CLI Commands

Use the following CLI commands for configuration and control.

? (question mark)

To find more information about a command, enter a question mark at any point to display the arguments.

Syntax

<partial_command> ?

Example
CLI> show account strike ?
USAGE:  show account strike <arg>, where arg is:
?, count, interval, max
ok
CLI>

commands

Displays an alphabetical listing of all CLI commands.

Syntax

commands

debug

Enable/disable debug mode. Without an argument, it toggles the debug state. Optionally, a state argument can be passed.

Syntax

debug <on | off>

clean load_balance_inactive_stap_queue

Use this command to manually clear an inactive S-TAP and its corresponding collector from the inactive S-TAPs queue in the load balancer.

Syntax

clean load_balance_inactive_stap_queue <stapHost> <collectorName>

delete unit type

Use this command to clear one or more unit type attributes. Note that not all unit type attributes can be cleared by using this command. See the table, located after the store unit type command, for more information.

Syntax

delete unit type [manager | standalone] [aggregated] [netinsp] [network routes static] [stap] [mainframe]

delete scheduled-patch

To delete a patch install request, use the delete scheduled-patch CLI command.

For more information about installing patches, see the store system patch install CLI command.

eject

This command dismounts and ejects the CD ROM, which is useful after upgrading or re-installing the system, or installing patches that were distributed via CD ROM.

Syntax

eject

forward support email

When the support-state option is enabled (which it is by default), this command sets the email address to receive system alerts.

Syntax

forward support email to <email address>

Show Command

show support-email

iptraf

IPTraf is a network statistics utility distributed with the underlying operating system. It gathers a variety of information such as TCP connection packet and byte counts, interface statistics and activity indicators, TCP/UDP traffic breakdowns, and LAN station packet and byte counts.  The IPTraf User Manual is available on the internet at the following location (it may be available at other locations if this link does not work):

http://iptraf.seul.org/2.7/manual.html

Syntax

iptraf

license check

Indicates whether the installed license is valid. Use this command after you install a new product key.

Syntax

license check

ping

Sends ICMP ping packets to a remote host. This command is useful for checking network connectivity. The value of host can be an IP address or host name.

Syntax

ping <host>

quit

Exits the command line interface.

Syntax

quit

recover failed

Restores failed CSV/CEF/PDF transfer files, placing the files back into the export folder for another export attempt.

Syntax

recover failed [csv|cef|pdf]

register management

Registers the Guardium system for management by the specified central manager. The pre-registration configuration of this Guardium system is saved, and that configuration is restored later if the unit is unregistered.

Syntax

register management  <manager ip> <port>

Parameters

manager ip is the IP address of the Central Manager.

port is the port number used by the Central Manager (usually 8443).

restart gui

Restarts the IBM® Guardium® Web interface. To optionally schedule a restart of the GUI once a day or once a week, use additional parameters. HH is hours 01-24. MM is minutes 01-60. W is the day of the week, 0-6, Sunday is 0. If HHMM is listed twice, only the last entry is used. The parameter clear deletes the scheduled time.

In order to restart the Classifier and Security Assessments processes, run the restart gui command from the CLI (not from the GUI).

Running restart GUI from the GUI only restarts the web services. It is necessary to run the restart GUI command from the CLI to fully restart all processes, including Classifier and Security Assessments processes. It is necessary to run the restart GUI command from the CLI for each managed unit to restart the Classifier listener.

Syntax

restart gui [HHMM|HHMMW|clear]

restart stopped_services

Use this CLI command to restart services previously stopped with the store auto_stop_services_when_full CLI command.

Syntax

restart stopped_services

restart system

Reboots the Guardium system. The system will completely shut down and restart, which means that the CLI session will be terminated.

Syntax

restart system

show buffer

This command displays a report of buffer use for the inspection engine process. If you are experiencing load problems, IBM Technical Support may ask you to run this command.

Syntax

show buffer <log | snif>

Examples

To display the buffer usage of the inspection engine process:

show buffer log

To display the buffer usage of the sniffer:

show buffer snif

show build

Displays build information for the installed software (build, release, snif version).

Syntax

show build

show defrag

Identifies fragmented packets and attempts to reconstruct the packets before they get to the network sniffing process. The defrag is relevant only for network sniffing through a SPAN port or a TAP device.

Syntax

show defrag <parameters>

Parameters

  • Packet size: the packet size in bytes, up to a maximum of 2^17 (131072)
  • Time interval: the time interval
  • Trigger level: the trigger level
  • Release level: the release level, specified as a number of seconds, up to a maximum of 2^31 (2147483648)

show load_balance_inactive_stap_queue

This command shows the list of inactive S-TAPs and corresponding collectors that have accumulated in the load balancer's inactive S-TAP queue.

Syntax

show load_balance_inactive_stap_queue 

show network routes static

Permit the user to have only one IP address per appliance (through eth0) and direct traffic through different routers using static routing tables. List the current static routes, with IDs.

Syntax

show network routes static

Delete command

delete network routes static

show password

This CLI command displays the following password functions.
  • Password disable [0|1] removes the use of a password by storing the value 1.
  • Password Expiration [CLI|GUI] [Number of days] displays the number of days between required password changes. Default is 90 days.
  • Password Validation [ON|OFF] determines how strong the password is.
 

Syntax

show password disable [0|1] 
show password expiration [CLI|GUI] 90 
show password validation [ON|OFF]

show security policies

Displays the list of security policies.

Syntax

show security policies

show system patch available

Displays the already installed patches and patches scheduled to be installed--showing date/time and the install status.

Syntax

show system patch available

show system patch installed

Displays the already installed patches and patches scheduled to be installed--showing date/time and the install status.

Syntax

show system patch installed

show system public key

Displays the public key for cli or tomcat. If none exists, this command creates one.

Note: See show system key, store system key in Certificate CLI commands.

Syntax

show system public key <cli | tomcat | grdapi>

stop gui

Stops the Web user interface.

Syntax

stop gui

stop system

Stops and powers down the appliance.

Syntax

stop system

store apply_user_hierarchy

Use this CLI command to apply user hierarchy to audit receiver.

If ON, the non-audit-group receiver (a receiver other than the audit group receiver, normal or role) will only see audit results with a group IP beneath the receiver's hierarchy, including the receiver.

Syntax

store apply_user_hierarchy [ON | OFF]

Show command

show apply_user_hierarchy

store alert_timestamp_unit [millisecond | second]

Controls the timestamp unit for syslog alerts. Default is seconds.

Syntax

store alert_timestamp_unit millisecond 
store alert_timestamp_unit second

Show command

show alert_timestamp_unit

store allow_simulation

Enables (on) or disables (off) the ability to run the Policy Simulation on the appliance.

To run the simulation,  the original traffic must be replayed through the rules engine (with the policy needing to be tested). This requires some of the original SQL on the appliance to be saved with their values. The enable or disable of allow_simulation instructs IBM Guardium to save or NOT save any SQL or values whatsoever.

Syntax

store allow_simulation [on|off]

Show command

show allow_simulation

store alp_throttle

Use this CLI command to control the amount of data logged by the Analyzer into the GDM_FLAT_LOG table.

The analyzer can lose packets in the analyzer circular queue for several different reasons, including the following:
  • The incoming packet rate is too high.
  • The parser is too slow for some complex or long SQL statements.
  • The analyzer is too slow for some database packets.

Use store alp_throttle to choose how much data to log into the GDM_FLAT_LOG table.

Syntax

store alp_throttle <n>
Where n can be 0 or a positive integer.
  • If n = 0 (the default), report without logging any SQL statements.
  • If n is a positive integer, report and log every nth SQL statement in GDM_FLAT_LOG.

Examples

To report and log all SQL statements (100%):

store alp_throttle = 1

To report and log every 2nd SQL statement (50%):

store alp_throttle = 2

To report and log every 1000th SQL statement (0.1%):

store alp_throttle = 1000

store analyzer

This command sets the value of the timeout of the ignore session and sets the duration of the ignore session.

Ignore session: The current request and the remainder of the session will be ignored. This action does log a policy violation, but it stops the logging of constructs and will not test for policy violations of any type for the remainder of the session. This action might be useful if, for example, the database includes a test region, and there is no need to apply policy rules against that region of the database.

Syntax

store analyzer [ignore_sess_timeout | max_open_sess]

Show command

show analyzer

store auto_stop_services_when_full

When ON, stops internal services if the database exceeds the 90% full threshold.

Inspection Engine, Classification and other Collection-related services will stop. Also, Aggregation import/restore will not process any new files.

To remediate, use the various Support commands (support clean audit_task, support clean log_files, support clean DAM_data, support show large_files) to analyze and manually purge large tables.

Syntax

store auto_stop_services_when_full [ON | OFF]

Show command

show auto_stop_services_when_full

store connect oracle_parser

Use this command to connect and disconnect the Oracle parser from the DB2 parser. The default is OFF (disconnect).

Syntax

store connect oracle_parser [ON | OFF]

Usage: store connect_oracle_parser [state], where state is ON/OFF. ON is connect and OFF is disconnect.

Show command

show connect oracle_parser

store csv_fetch_size

This command is used by the report REST service to control the total number of records. Guardium reports can be downloaded in CSV file format.

store csv_fetch_size and store csv_max_size are GLOBAL_PROFILE parameters that can only be modified via CLI .

Note: csv_max_size requires a restart of the GUI for changes to take effect. csv_fetch_size does not require a restart.

Syntax

store csv_fetch_size <num>

where <num> is a number greater than 0

Show command

show csv_fetch_size

store csv_max_size

This command controls the size of the CSV downloads that are retrieved when you click Download all records from the report export menu.

Note: csv_max_size requires a restart of the GUI for changes to take effect.

Syntax

store csv_max_size <num>

where <num> is a number greater than 0.

Show command

show csv_max_size

store default_queue_size

Use this command to control the configuration parameter ADMINCONSOLE_PARAMETER.DEFAULT_QUEUE_SIZE. The default is 25. The range is 25-300.

The sniffer must be restarted after a change in value.

Syntax

store default_queue_size <N>, where N is the number in range of 25 to 300

Show command

show default_queue_size 25

store defrag

Use this command to restore defragmentation defaults, or to set the defragmentation size. After entering this command, you must issue the restart inspection-core command for the changes to take effect. The defrag is relevant only for network sniffing through a SPAN port or a TAP device.

Syntax

store defrag [default | size <s> interval <i> trigger <t> release <r>]

Show command

show defrag

Parameters

  • default: Restore the default size.
  • s: The packet size in bytes, up to a maximum of 2^17 (131072)
  • i: The time interval
  • t: The trigger level
  • r: The release level, specified as a number of seconds, up to a maximum of 2^31 (2147483648)

store delayed_firewall_correlation

Use this CLI command to hold a user connection until the decryption correlation has taken place.

Syntax

store delayed_firewall_correlation [on | off]

Show command

show delayed_firewall_correlation

store full-bypass

This command is intended for emergency use only, when traffic is being unexpectedly blocked by the Guardium system. When on, all network traffic passes directly through the system, and is not seen by the Guardium system.

When using this command, you will be prompted for the admin user password.

Syntax

store full-bypass <on | off>

store gdm_analyzer_rule

Analyzer rules - Certain rules can be applied at the analyzer level. Examples of analyzer rules are: user-defined character sets, source program changes, and firewall watch or firewall unwatch modes. In previous releases, policies and rules were applied at the end of request processing on the logging state. In some cases, this meant a delay in decisions based on these rules. Rules applied at the analyzer level means decisions can be made at an earlier stage.

Note: When applying analyzer rules on source program changes, if the source program is not matching the exact pattern, add a .* at the end of the pattern to deal with the possibility that the source program has a trailing space (unseen by user).

Syntax

store gdm_analyzer_rule [active_flag | new ]  
store gdm_analyzer_rule active_flag <id> <on|off>

where <id> is the rule ID.

Show command

Use the CLI command, show gdm_analyzer_rule, to see a list of GDM analyzer rules.

show gdm_analyzer_rule

store gdm_analyzer_rule new

Use the Guardium CLI to add an analyzer rule for a direct regular expression to Mask UID Chain pattern.

Syntax

store gdm_analyzer_rule new
Enter rule description (optional):
Enter rule type (required):

Example

store gdm_analyzer_rule new
Please enter rule description: new rule 4
Rule type
 1. Change source program
 2. Set alternate character set
 3. Send verdict
 4. HADOOP exclude
 5. Define protocol and port
 6. Ignore session after packets
 7. Set empty Oracle DB user when login information is missed
 8. Force MS SQL login
 9. Transform string
Please select rule type (required): 9
Please enter pattern (required, regex string): (.*)(-ppassword)(.*)
Please enter format (required, regex string): \\\\1-p****\\\\3
Do you want to activate the rule now? (Yes/No)
Y
ok
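The following is an added Python example, not Guardium code and not part of the original page: it shows how the transform-string rule entered in the session above rewrites a captured source-program string, using the page's pattern (.*)(-ppassword)(.*) and format \1-p****\3 with Python's re module. It also generalises the pattern to mask whatever follows -p (my own generalisation, not from the page), and illustrates the note above about trailing spaces in source-program patterns. It assumes the analyzer matches a rule pattern against the whole string; that assumption is mine, not stated on the page.

```python
import re

# Pattern and format exactly as entered in the CLI session above. The CLI
# prompt shows the backreferences doubly escaped; Python's re wants \1, \3.
RULE_PATTERN = r"(.*)(-ppassword)(.*)"
RULE_FORMAT = r"\1-p****\3"

# Generalisation (my assumption, not from the page): mask whatever follows -p,
# not only the literal word "password".
GENERAL_PATTERN = r"(.*)(-p\S+)(.*)"


def transform(value: str, pattern: str = RULE_PATTERN, fmt: str = RULE_FORMAT) -> str:
    """Rewrite `value` with the rule's format if the pattern matches the whole
    string; otherwise return it untouched. Whole-string matching is an
    assumption about the analyzer, not something the page states."""
    match = re.fullmatch(pattern, value)
    if match is None:
        return value
    return match.expand(fmt)


def source_program_matches(pattern: str, source_program: str) -> bool:
    """Whole-string match of a source-program pattern, to show why the note
    above recommends a trailing .* when the client sends a trailing space."""
    return re.fullmatch(pattern, source_program) is not None


if __name__ == "__main__":
    # Constructed sample: a client command line captured as the source program.
    captured = "mysql -ppassword -u root"
    print(transform(captured))
    print(transform("mysql -pS3cr3t -u root", GENERAL_PATTERN))
    # Source program captured with a trailing space: the exact pattern fails,
    # the pattern with a trailing .* matches.
    print(source_program_matches("sqlplus.exe", "sqlplus.exe "))
    print(source_program_matches("sqlplus.exe.*", "sqlplus.exe "))
```

The masked value is what ends up in the appliance's logs and reports, so the rule keeps a captured credential out of the audit trail without changing what was captured for everything else on the command line.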

store gdm_http_session_template

Use this CLI command to set the template for the HTTP session.

Usage

store gdm_http_session_template [activate] [add] [deactivate] [remove]

Show command

show gdm_http_session_template 

Attempting to retrieve the template information. It may take time. Please wait.

Table 1. store gdm_http_session_template
ID# Active URL Regex Session Regex Username Regex Login_Session Regex Comment Logout_Session_ID Logout_URL_Regex
1 1 Cookie.*PHPSESSID=([[:a .*user_name=([[:alnum:] Set-Cookie:.*PHPSESSID= example of HTTP session deleted    
2 1 Cookie.*PSJSESSIONID=([ .*SignOnDefault=([[:aln   example of HTTP session cmd=logout  
3 1 Cookie.*JSESSIONID=([0- .*username=([[:alnum:]] Set-Cookie:.*JSESSIONID example of HTTP session   Logout.jsp
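To make the template columns above concrete, here is an added Python example (not Guardium code, not from the page) that runs template-style regexes over raw HTTP messages and keeps a session-to-user table, which is what the Session, Username, Login_Session and Logout_URL regexes exist for. The regexes are constructed for this example in the style of the truncated rows above; POSIX classes such as [[:alnum:]] are written as [A-Za-z0-9] because Python's re does not support them. It assumes, as many PHP applications do, that the session cookie is already issued before the login POST, so the login request carries both the cookie and the user name; the sample messages are constructed.

```python
import re
from typing import Dict, Optional

# Template patterns constructed for this example, modelled on the rows above.
TEMPLATE = {
    "session_regex": r"^Cookie:.*PHPSESSID=([A-Za-z0-9]+)",        # request cookie
    "username_regex": r".*user_name=([A-Za-z0-9]+)",               # login form field
    "login_session_regex": r"^Set-Cookie:.*PHPSESSID=([A-Za-z0-9]+)",  # server issuing a session
    "logout_url_regex": r"cmd=logout",                              # logout request
}


def correlate(message: str, template: Dict[str, str] = TEMPLATE) -> dict:
    """Run each template regex over one raw HTTP message (request or
    response) and return whatever each one extracts."""
    def group(key: str) -> Optional[str]:
        m = re.search(template[key], message, re.MULTILINE)
        return m.group(1) if m else None

    return {
        "session_id": group("session_regex"),
        "username": group("username_regex"),
        "login_session_id": group("login_session_regex"),
        "logout": re.search(template["logout_url_regex"], message) is not None,
    }


class SessionTable:
    """Maps session ids to user names so that later requests carrying only
    the cookie can be attributed to the user who logged in."""

    def __init__(self) -> None:
        self.users: Dict[str, str] = {}

    def observe(self, message: str) -> Optional[str]:
        info = correlate(message)
        sid = info["session_id"]
        if sid and info["username"]:
            self.users[sid] = info["username"]   # login request: learn the user
        user = self.users.get(sid) if sid else None
        if sid and info["logout"]:
            self.users.pop(sid, None)             # logout: forget the binding
        return user


# Constructed sample traffic (CRLF line endings as on the wire).
LOGIN = ("POST /app/login.php HTTP/1.1\r\nHost: app.example\r\n"
         "Cookie: PHPSESSID=a1b2c3\r\n\r\nuser_name=alice&password=REDACTED")
QUERY = ("GET /app/report.php?id=7 HTTP/1.1\r\nHost: app.example\r\n"
         "Cookie: PHPSESSID=a1b2c3\r\n\r\n")
LOGOUT = ("GET /app/index.php?cmd=logout HTTP/1.1\r\nHost: app.example\r\n"
          "Cookie: PHPSESSID=a1b2c3\r\n\r\n")
RESPONSE = "HTTP/1.1 200 OK\r\nSet-Cookie: PHPSESSID=zz99; Path=/\r\n\r\n"

if __name__ == "__main__":
    table = SessionTable()
    for msg in (LOGIN, QUERY, LOGOUT, QUERY):
        print(table.observe(msg))   # alice, alice, alice, None
    print(correlate(RESPONSE))     # login_session_id 'zz99', no request cookie
```

Anchoring the cookie regex with ^Cookie: matters: without it the pattern also matches Set-Cookie: lines in responses, and a response would be mistaken for a request from that session.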

store log external

Use this command to set the file size, flush period, gdm error, and state of the log external action. The log external policy action is available only after the following CLI command is executed:

store log external state on

Then log external shows up as a policy action.

CLI command to check the state:

show log external state

CLI command to enable and disable this action:

store log external state on/off

Usage

store log external [file_size] [flush_period] [gdm_error] [state]

Syntax

store log external gdm_error <state>

Where state is on or off. 'on' is to enable and 'off' is to disable.

store log external file_size <num>

Where <num> is the size of the file. Default is 4096 bytes.

store log external flush_period <num>

Where <num> is the flush period. Default is 60 seconds.

store log external state <state>

Where state is on or off. 'on' is to enable and 'off' is to disable.

Show command

show log external [file_size] [flush_period] [gdm_error] [state]

store monitor gdm_statistics

Use this CLI command to get information about the Unit Utilization. Default is 1 (run the script every hour).

Syntax

store monitor gdm_statistics

USAGE: store monitor gdm_statistics <hour>, where hour is a value from 0 to 24. Default value is 1, means to run the script every hour. Value 0, means not to run the script.

Show command

show monitor gdm_statistics 

Disable command

Disable gdm_statistics monitor

store gui

store gui [port | session_timeout | csrf_status]

Sets the TCP/IP port number on which the IBM Guardium appliance management interface accepts connections. The default is 8443.

n must be a value in the range of 1024 to 65535. Be sure to avoid the use of any port that is required or in use for another purpose.

Set session timeout: Sets the length of time (in seconds) with no activity before timeout. After the no-activity timeout has been reached, it is necessary to log on again to Guardium. The default length is 900 seconds (15 minutes).

Enable or disable the Cross-site Request Forgery (CSRF) status. Trying to use certain web browser functions (for example, F5/CTRL-R/Refresh/Reload, Back/Forward) results in a 403 Permission Error message.

The new session timeout value will take effect only after the next GUI restart.

Syntax

store gui port <n>
store gui session_timeout <n>
store gui csrf_status [on | off]

Show command

Displays the GUI port number, state, session timeout (in seconds) and/or CSRF status.

show gui [port | state | all | session_timeout | csrf_status ]

store gui cache

Use this CLI command to turn web browser caching ON or OFF (Enable or Disable).

The response is:

The parameter has been changed. 
Restarting gui 
Changing to port 8443 
Stopping....... 
Safekeeping xregs 
ok 

The default setting for browser caching is enabled.

The act of changing the cache setting will automatically restart the Guardium web server.

For Firefox, in order for the setting to take effect, you must clear the browser cache.

Syntax

store gui cache [ON | OFF]

Show command

show gui cache

store gui xss_status

Use this CLI command to enable or disable the Cross-Site Scripting (XSS) status. This option is enabled by default on upgraded systems.

Syntax

store gui xss_status [ on | off ]

Show command

show gui xss_status

store gui hsts_status

Use this CLI command to enable or disable the HSTS (HTTP Strict Transport Security Filter). This option is disabled by default on upgraded systems and is recommended to be turned on after valid certificates are installed. See the topic, How to install an appliance certificate to avoid a browser SSL certificate challenge, for further reference.

Syntax

store gui hsts_status [ on | off ] 

Show command

show gui hsts_status 

store installed security policy

Sets the security policy named policy-name as the installed security policy.

Syntax

store installed security policy <policy-name>

Show Command

show installed security policy

store keep_psmls

Use this CLI command to retain the current layouts/profiles/portlets created by the users of the Guardium application. Set this CLI command to ON before an upgrade, and the psmls from the previous version will be retained.

Syntax

store keep_psmls [ON | OFF]

Show command

show keep_psmls

store ldap-mapping

Store LDAP mapping parameters to allow a custom mapping for the LDAP server schema. This command permits customized mapping to the LDAP server schema for the email, firstname and lastname attributes. The paging parameter is used to facilitate transfer from any LDAP server type (Active Directory, Novell Directory, Open LDAP, Sun One Directory, Tivoli® Directory). If the paging parameter is set to on, but paging is not supported by the server, the search is performed without paging.

Example for paging. If the CLI command ldap-mapping paging is set to ON, Microsoft Active Directory will download up to the maximum number of users defined under the limit value on the LDAP Import configuration screen. If ldap-mapping paging is set to OFF, Active Directory will download only up to 1000 users, no matter what the limit value is set to. All other LDAP server configurations must use the CLI command ldap-mapping paging off in order to download users up to the set limit value.

Note: Each time you change the CLI ldap-mapping attributes you also need to select Override Existing Changes on the LDAP Import configuration screen in IBM Guardium GUI before updating. This action must occur each time you change the CLI ldap-mapping email, firstname or lastname attributes and import LDAP users.

Show commands

show ldap-mapping [email] [firstname] [lastname] <name>
show ldap-mapping paging ON|OFF

A restart of the GUI (restart gui, issued from the CLI) is required for new parameters to take effect.

Examples

store ldap-mapping firstname name
store ldap-mapping lastname sn
store ldap-mapping email mail
store ldap-mapping paging on 
If the attributes are written as follows, the mapping process will use the first attribute it finds. If this is not what you want, use one of the examples to map to specific attributes.
  • Values for firstname attribute:  gn,givenName,name
  • Values for lastname attribute:  sn,surname,name
  • Values for email attribute: userPrincipalName,mail,email,emailAddress,pkcs9email,rfc822Mailbox
  • Values for paging: on, off
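As an added Python example (not Guardium code, not from the page), the function below resolves an attribute the way the fallback described above works: the default candidate lists, in the order the page gives them, are searched and the first attribute present in the entry wins, unless an explicit mapping has been stored. A second function applies the paging behaviour described above. The LDAP entries are constructed; the case-insensitive comparison of attribute names is my assumption (LDAP attribute types are case-insensitive, but the page does not say how the import compares them).

```python
from typing import Dict, Optional

# Default candidate attributes, in the order the page lists them; the first
# one present in an entry wins unless an explicit mapping is stored.
DEFAULTS = {
    "firstname": ["gn", "givenName", "name"],
    "lastname": ["sn", "surname", "name"],
    "email": ["userPrincipalName", "mail", "email", "emailAddress",
              "pkcs9email", "rfc822Mailbox"],
}


def resolve(entry: Dict[str, str], field: str, mapping: Optional[str] = None) -> Optional[str]:
    """Value an import would take for `field`. `mapping` is the attribute name
    stored with `store ldap-mapping <field> <attr>`; None means the default
    candidate list applies. Case-insensitive comparison is an assumption."""
    lowered = {k.lower(): v for k, v in entry.items()}
    for attr in ([mapping] if mapping else DEFAULTS[field]):
        if attr.lower() in lowered:
            return lowered[attr.lower()]
    return None


def effective_user_limit(limit: int, paging_on: bool, server: str) -> int:
    """Users that will be downloaded, per the paging behaviour described above:
    Active Directory without paging stops at 1000 regardless of the limit."""
    if server == "Active Directory" and not paging_on:
        return min(limit, 1000)
    return limit


# Constructed sample entries.
AD_ENTRY = {
    "givenName": "Alice", "name": "Alice Example", "sn": "Example",
    "userPrincipalName": "alice@corp.example", "mail": "alice.example@corp.example",
}
SERVICE_ENTRY = {"name": "svc-backup", "mail": "svc-backup@corp.example"}

if __name__ == "__main__":
    # Default search picks userPrincipalName before mail; an explicit
    # `store ldap-mapping email mail` changes that.
    print(resolve(AD_ENTRY, "email"))
    print(resolve(AD_ENTRY, "email", "mail"))
    # An entry with neither gn nor givenName falls through to name, so
    # firstname and lastname both become "svc-backup".
    print(resolve(SERVICE_ENTRY, "firstname"), resolve(SERVICE_ENTRY, "lastname"))
    print(effective_user_limit(5000, False, "Active Directory"))
```

The service-account case is the one the page warns about: with the default fallback, name is used for both first and last name, which is rarely what you want, so map the attributes explicitly when the directory is inconsistent.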

store license

This command applies a new license key to the appliance.

A license key is of one of two kinds: override type or append type. An override-type key replaces the currently installed license, while an append-type key is appended to the currently installed license. Append-type licenses can only add functionality: new functions may be enabled and, when relevant, expiration dates are updated, the remaining number of scans and datasources is increased, and certain numeric fields in the license, such as the number of managed units, are replaced.

Syntax

store license

Show Command

show license

Example

When using the store license command, you will be prompted to paste the new product key:

CLI> store license
Paste the string received from IBM Guardium and then press Enter.

Copy and paste the new product key at the cursor location, and then press Enter. The product key contains no line breaks or white space characters, and it always ends with (and includes) a trailing equal sign. A series of messages will display, ending with:

>We recommend that the machine be rebooted at the earliest opportunity in order to complete the license updating process.
ok
CLI>

Run the restart gui command at this time.

store log classifier level

Sets the debugging level for the classifier, to one of the values shown.

Syntax

store log classifier level DEBUG|INFO|WARN|ERROR|FATAL

Show command

show log classifier level

store log sql parser_errors

Sets the logging of syntactically wrong SQL commands.

Syntax

store log sql parser_errors [on|off]
Note: A restart of the inspection engine is required after the store command is issued to apply change.

Show command

show log sql parser_errors

store log object_join_info

Sets the logging of object_join.

A join table is a way of implementing many-to-many relationships. Use join entity to join tables in a SELECT SQL statement.

Syntax

store log object_join_info [ on | off]

Show command

show log object_join_info

store log session_info

Sniffer-related.

Syntax

store log session_info [ on | off]

Show command

show log session_info

store log exception sql

When on, logs the entire SQL command when logging exceptions.

Syntax

store log exception sql <on | off>

Show command

show log exception sql

store logging granularity

Sets the logging granularity to the specified number of minutes. You must use one of the minute values shown in the syntax. The default is 60.

Syntax

store logging granularity <1, 2, 5, 10, 15, 30 or 60>

Show command

show logging granularity

store max_audit_reporting

Displays the audit report threshold. The default is 32. When defining reports in Audit Process, the number of days of the report (defined by the FROM-TO fields) should not exceed a certain threshold (one month by default). See the Workflow Process, Central Management and Aggregation section of the Compliance Workflow Automation help topic for further information on using this CLI command.

Syntax

store max_audit_reporting

Show command

show max_audit_reporting

store max_result_set_size

Sets max_result_set_size, which aids in tuning the inspection engine when observing returned data. The default value is 100; size is between 1 and 65535. This command sets the limit for the total result set size and applies to any type of database. If the value is beyond the defined threshold, the analyzer will not retrieve data to calculate the records-affected value.

Syntax

store max_result_set_size <size>

Show command

show max_result_set_size

store max_result_set_packet_size

Sets max_result_set_packet_size, which aids in tuning the inspection engine when observing returned data. The default value is 32; size is between 1 and 65535. This command sets the limit for the packet size in a response and applies to any type of database. If the value is beyond the defined threshold, the analyzer will not retrieve data to calculate the records-affected value.

Syntax

store max_result_set_packet_size <size>

Show command

show max_result_set_packet_size

store max_tds_response_packets

Sets max_tds_response_packets, which aids in tuning the inspection engine when observing returned data. The default value is 5; size is between 1 and 65535. This command sets the limit for the number of packets in a response and applies to MS SQL only. If the value is beyond the defined threshold, the analyzer will not retrieve data to calculate the records-affected value.

Syntax

store max_tds_response_packets <size>
Note: max_tds_response_packets (Tabular Data Stream) is only applicable for MS SQL Server and Sybase.

Show command

show max_tds_response_packets

store maximum query duration

Sets the maximum number of seconds for a query to the value specified by n. The default is 180. We recommend that you do not set this value greater than the default, because doing so increases the chances of overloading the system with query processing. This value can also be set from the Running Status Monitor panel on the administrator portal.

Syntax

store maximum query duration <n>

Show Command

show maximum query duration

store monitor [ buffer | custom_db_usage | gdm_statistics ]

Use the store monitor buffer CLI command to set the interval of how often the script must run that retrieves the information shown in the Buffer Usage Monitor report of the IBM Guardium Monitor tab.

Syntax:

store monitor buffer

Use the store monitor custom_db_usage CLI command to set the state to on and to specify a time to run this job.

Syntax

store monitor custom_db_usage

USAGE: store monitor custom_db_usage <state> <hour> where state is on/off.

If state is on, specify the hour to run. Valid value is number from 0 to 23

Use the store monitor gdm_statistics CLI command to get information about the Unit Utilization. Default is 1 (run the script every hour).

Syntax

store monitor gdm_statistics

USAGE: store monitor gdm_statistics <hour>, where hour is a value from 0 to 24.

Default value is 1, which runs the script every hour. Set the value to 0 to not to run the script.

Show Commands

show monitor buffer
show monitor custom_db_usage
show monitor gdm_statistics

store mysql_utf8mb4

Enable support for 4-byte UTF-8 encoding (utf8mb4).

This command modifies Guardium sniffer processes and internal databases to correctly capture and store 4-byte UTF-8 characters. Enabling utf8mb4 may be useful if datasources in your environment contain 4-byte characters, for example as used for Chinese, Japanese, and Korean ideographs.

Observe the following when using this command:
  • The additional processing required to capture and store 4-byte characters will negatively impact the performance of your Guardium system. For this reason, do not enable utf8mb4 unless you require 4-byte character support in your environment.

  • If support for 4-byte UTF-8 encoding is required in an aggregated or centrally managed environment, utf8mb4 should be enabled on all Guardium systems in the environment. Enabling utf8mb4 on only some systems in the environment may create problems, such as failed aggregation or incorrectly displayed reports.

  • Data collected or aggregated before enabling utf8mb4 will still be available and function correctly after enabling utf8mb4.

CAUTION:
Once 4-byte UTF-8 support has been enabled using the store mysql_utf8mb4 command, the change cannot be undone or reversed. After enabling utf8mb4 on a Guardium system, the only way to remove support for 4-byte UTF-8 characters is to completely rebuild the system.

Syntax

store mysql_utf8mb4

Show Command

show mysql_utf8mb4

Examples

> show mysql_utf8mb4
mysql configuration NOT set with UTF8MB4.
ok
> store mysql_utf8mb4
Attempting to change the mysql config file. It may take time. Please wait.
Start to modify mysql config file
Restarting mysql
Mysql has been restarted. Please exit CLI and log back on.
The parameter IS_UTF8MB4 has been changed to 1.
> show mysql_utf8mb4
mysql configuration set with UTF8MB4.
ok

store packet max-size

Limit the maximum size of packets from the sniffer.

Syntax

store packet max-size 1536

Show Command

show packet max-size

store pdf-config

Use this command to change the font size and orientation of the PDF image body content (excluding header/footer).

Size unit ranges from 1 (smallest) to 10 (largest) with default value of 6.

Orientation unit is 1 (for landscape orientation) or 2 (for portrait). The default value is 1.

The change takes effect immediately after typing the CLI command and pressing the Enter key.

Syntax

store pdf-config [ orientation | size ]

Show command

show pdf-config [ orientation | size ]

store pdf-config multilanguage_support

There are different static PDF generator config files for English (Used on English version) and language C/J (Used on Chinese/Japanese). Use this CLI command to define the fonts in the PDF generator. Default is English. Multi-language is language C/J.

Syntax

CLI> store pdf-config multilanguage_support
Current setting is Default

1  Default
2  Multi-language
Please select the option (1,2, or q to quit)

Show command

show pdf-config multilanguage_support

store populate_from_query_maxrecs

Sets the maximum number of records that can be used to populate groups and aliases from a query.

Use caution when setting a maximum records value via this CLI command. Setting it too high may result in incomplete populate group from query processes. The maximum threshold is dynamic and dependent on the system load and memory utilization. This CLI command is limited to a high value of 200000.

Syntax

store populate_from_query_maxrecs 100000

Show command

show populate_from_query_maxrecs

store product gid

Sets the stored unique product GID value to <n>.

Syntax

store product gid <n>

Show command

show product gid

store purge object

Sets the age (in days) at which non-essential objects will be purged. Use the show purge objects age command to display a table showing the index, object name, and age for each object type for which a purge age is maintained. Then use the appropriate index from that table in the command to set the purge age.

Note: The value of number of days will be set to the default (90 days) when the unit type changes between managed unit/Manager/standalone unit.

Syntax

store purge object age <index> <days>

Show command

show purge object age

Example

Assume you want to keep the S-TAP Event Log for 30 days. First issue the show purge objects age command to determine the index (do not rely on the table shown here; your list may be different). Then enter the store purge object command with that index.

CLI> show purge objects age
Index Name, Age
1.     Central Management Persistent Operations, 7
2.     S-TAP Event Log, 14
4.     Assessment Tests, 7
5.     Central Management Temporary Policies, 7
6.     S-TAP Change History, 14
7.     Kerberos Authentication Information, 1
8.     Comment History, 60
9.     Comment Local History, 60
10.    Call Graph History, 90
. . .
ok
CLI> store purge object age 2 30
ok

store quartz_thread_run

This CLI command is for use by Technical Support.

The Java™ Virtual Machine allows the application to run multiple threads. A thread is a unit of program execution.

Use the store quartz_thread_num CLI command to set the number of threads that can run at the same time. Use it to ease contention when too many threads run at the same time.

The show quartz_thread_num CLI command displays the number of Quartz scheduler threads that run at the same time.

Syntax

store quartz_thread_run <number>

USAGE: store quartz_thread_num <number>, where number is in range 3 to 15 with default value = 5.

Show command

show quartz_thread_num
org.quartz.threadPoll.threadCount= 5

store remotelog

Controls the use of remote logging. In addition to system messages, statistical alerts and policy rule violation messages can be written to syslog (optionally). For each facility.priority combination, messages can be directed to a specific host. This command can also control the use of remote logging through an optional port number and can designate a mandatory protocol (UDP or TCP). This command works with any syslog implementation that supports TCP.

If you enable remote logging, be sure that the receiving host has enabled this capability (see the note).

Syntax

store remotelog [help|add|clear] facility.priority host [optional port number:mandatory protocol (UDP or TCP)]

Table 2. Store remotelog parameters

Parameter              Description
help                   Displays supported facilities and priorities.
add                    Adds the specified facility.priority combination to the list of messages to be sent to the specified remote host.
clear                  Clears the specified facility.priority combination from the list of messages being sent to the specified host.
facility               Use daemon. The majority of messages issued by the IBM Guardium appliance will be from the daemon facility.
priority               May be one of the following: alert, all, crit, debug, emerg, err, info, notice, warning.

                       The standard IBM Guardium severity codes for alerts and violations map as follows:

                       Guardium severity   Syslog priority
                       INFO                info
                       LOW                 warning
                       MED                 err
                       HIGH                alert

host                   Identifies the host to receive this facility.priority combination.
optional port number   Port number on the receiving host (optional).
mandatory protocol     UDP or TCP.

format

store remotelog format

Some SIEM products process IETF RFC 5424 style syslog messages better than the default format. This command changes the format. If the format is changed, restart rsyslog must be run for the change to take effect.

USAGE: store remotelog format <default|rfc5424>

default - rsyslog traditional format

rfc5424 - rsyslog RFC 5424 format

Note: The syslog receiver must be configured to accept RFC 5424 format. Otherwise, it receives the messages in the traditional format.
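
The severity mapping in Table 2 and the two message formats above can be checked on the receiving side. The parser below is an added example written for this page; it is not Guardium code or part of rsyslog. The hostnames, timestamps and message texts in SAMPLE_LINES are constructed, the function names parse_syslog and triage are this example's own, and structured-data elements that contain an escaped `]` are not handled.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Syslog severity codes: list index == numeric severity (RFC 5424 / RFC 3164).
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# Numeric facility codes for the facilities the CLI lists.
FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog", 6: "lpr",
    7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}
# Mapping documented in Table 2: syslog priority -> Guardium severity for alerts/violations.
GUARDIUM_SEVERITY = {"info": "INFO", "warning": "LOW", "err": "MED", "alert": "HIGH"}
SEVERITY_ORDER = {"INFO": 0, "LOW": 1, "MED": 2, "HIGH": 3}

# RFC 5424: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
RFC5424_RE = re.compile(
    r"^<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) (-|(?:\[[^\]]*\])+)(?: (.*))?$"
)
# Traditional (RFC 3164 style): <PRI>Mmm dd hh:mm:ss HOSTNAME MSG
TRADITIONAL_RE = re.compile(
    r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$"
)

# Constructed sample lines: a Guardium collector "g32" sending daemon.* messages.
SAMPLE_LINES = [
    "<27>Mar  3 14:05:12 g32 guard_sender[1234]: Policy violation on session 42",   # daemon.err
    "<25>1 2024-03-03T14:05:12Z g32 guard_sender 1234 - - Alert: high severity violation",  # daemon.alert
    '<30>1 2024-03-03T14:05:13Z g32 guard_sender 1234 - [meta seq="7"] Informational',      # daemon.info
    "<29>Mar  3 14:05:14 g32 guard_sender[1234]: notice only",                     # daemon.notice
    "<28>Mar  3 14:05:15 g32 guard_sender[1234]: Policy violation: LOW",           # daemon.warning
]


@dataclass
class SyslogRecord:
    fmt: str                 # "rfc5424" or "traditional"
    facility: str
    severity: str
    host: str
    msg: str
    guardium_severity: Optional[str]   # None when the priority is not an alert/violation level


def parse_syslog(line: str) -> SyslogRecord:
    """Decode the PRI field and detect which of the two rsyslog output formats was used."""
    m = RFC5424_RE.match(line)
    if m:
        pri, _ts, host, _app, _pid, _msgid, _sd, msg = m.groups()
        fmt = "rfc5424"
    else:
        m = TRADITIONAL_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised syslog line: {line!r}")
        pri, _ts, host, msg = m.groups()
        fmt = "traditional"
    pri_num = int(pri)
    if pri_num > 191:                      # 23 facilities * 8 severities - 1
        raise ValueError(f"PRI out of range: {pri_num}")
    facility = FACILITIES.get(pri_num // 8, f"facility{pri_num // 8}")
    severity = SEVERITIES[pri_num % 8]
    return SyslogRecord(fmt, facility, severity, host, msg or "",
                        GUARDIUM_SEVERITY.get(severity))


def triage(lines: List[str], minimum: str = "MED") -> List[SyslogRecord]:
    """Keep only records whose Guardium severity is at or above `minimum`."""
    keep = []
    for line in lines:
        rec = parse_syslog(line)
        if rec.guardium_severity is None:
            continue       # notice/debug/etc. are not alert or violation severities
        if SEVERITY_ORDER[rec.guardium_severity] >= SEVERITY_ORDER[minimum]:
            keep.append(rec)
    return keep


if __name__ == "__main__":
    for rec in triage(SAMPLE_LINES, "LOW"):
        print(f"{rec.fmt:11} {rec.facility}.{rec.severity:8} {rec.guardium_severity:5} {rec.msg}")
```

Running the block prints the MED and HIGH records plus the LOW one, in whichever format they arrived; the notice line is dropped because Guardium does not map it to an alert severity.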
max_message_size

Use this command to set the maximum message size with parameters ranging from 5k to 64k.

To enable ease of input, the values are assigned to an index key. The key-value pairs are as follows:

  • 1 = 5k
  • 2 = 10k
  • 3 = 15k
  • 4 = 20k
  • 5 = 32k
  • 6 = 64k

Syntax

store remotelog max_message_size <1|2|3|4|5|6>

Run restart remotelog to apply the new configuration.

Show Command

Use this command to display the current value of the $MaxMessageSize parameter.

show remotelog max_message_size

escape_control_characters_on_receive

Escaping of control characters in messages received by rsyslog can be set to on or off. By default, it is set to on.

Syntax

store remotelog escape_control_characters_on_receive <on|off>

Run restart remotelog to apply the new configuration.

Show Command

Use this command to display the current value of the $EscapeControlCharactersOnReceive parameter in the rsyslog.

show remotelog escape_control_characters_on_receive

Note: To configure the receiving system to accept remote logging, edit /etc/sysconfig/syslog on that system to include the -r option. For example:
SYSLOGD_OPTIONS=-r -m 0

Then restart the syslog daemon:

/etc/init.d/syslog  restart

The standard syslog file in Linux is named:

/var/log/messages

Common Criteria requires that all communications from the Guardium system to a remote syslog server be encrypted. Communications to the remote syslog server cannot be in clear text.

CLI commands for remotelog

show remotelog host

store remotelog ?

store remotelog add ?

store remotelog add encrypted

USAGE: store remotelog add encrypted <facility.priority> <host[:port]> <tcp|udp>

Possible facilities: all auth authpriv cron daemon ftp kern local0 local1 local2 local3 local4 local5 local6 local7 lpr mail mark news security syslog user uucp

Possible priorities: alert all crit debug emerg err info notice warning

Note:

To send encrypted remote log messages to the server, the rsyslog configuration on the server must accept encrypted messages.

The encrypted setting on client and server only works in TCP mode.

When switching from one mode to the other on the same remote server, the server's configuration file must be modified to match the designated mode, and the remote service must be restarted.

Example

store remotelog add non_encrypted
store remotelog clear
g32.guard.swg.usma.ibm.com> show remotelog host
*.*    @9.70.148.175:10514

Use the following command to store the certificate as ca.pem in /etc/pki/rsyslog/. It opens a new window and asks the user to paste the certificate.

store remotelog add encrypted all.all <IP address>:<port number> tcp
Encrypting syslog

Alerts and other messages can be forwarded to a remote syslog receiver, such as a SIEM system. This message traffic can be encrypted from the collector or aggregator to the remote syslog receiver.

Note: Encryption only works in TCP mode. By default, syslog forwarding uses UDP, so if encryption is required, specify TCP for the CLI command, store remotelog.

Before you begin:

The procedure documented here must be repeated on every collector or aggregator that is sending traffic to the encrypted host.

The certificate used by the remote syslog receiver is needed. Store that certificate on the Guardium system.

  1. Have the public certificate available from a CA (Certificate Authority) such as Verisign, Thawte, or in-house.
  2. Log into the CLI on the individual Guardium system from which to send the encrypted syslog. Before you execute the command, obtain the appropriate certificate (in PEM format) from the CA, and copy the certificate, including the Begin and End lines, to your clipboard.
  3. Enter the following CLI command:
    store remotelog add encrypted daemon.all <IP address of encrypted remote host>:<port number of remote host> tcp
    Note: This example uses daemon because Guardium sends its application events using daemon.
  4. The following instructions display:
    Please paste your CA certificate, in PEM format. Include the BEGIN and END lines, and then press CTRL-D.

    Paste the PEM-format certificate to the command line, then press CTRL-D. Guardium takes this input and stores it as /etc/pki/rsyslog/ca.pem

    Guardium returns a message informing you of the success or failure of the store operation.

    When successful, Guardium can send encrypted traffic to the remote system with the correct key.

  5. Repeat the procedure for each collector and aggregator that is sending syslog traffic to the encrypted host.

store s2c

Sets several configurable parameters for ADMINCONSOLE. These parameters are used for throttling server-to-client (S2C) traffic.

Note: Use this CLI command only when directed by IBM Guardium Technical Services.

Minimum and maximum values:

ANALYZER_S2C_IGNORE = {0,1,2,3}

MAX_S2C_VELOCITY (K bytes/sec) - number >=0 and <= 2147483647

MAX_S2C_INTERVAL (sec) - number >=1 and <= 2147483647

See also the CLI command, store throttle.

Syntax

store s2c

USAGE: store s2c ignore I maxrate M maxinterval T
       where 0<=I<=3 (level), 0<=M<=2147483647 (K/sec), and 1<=T<=2147483647 (seconds)
       OR store throttle default

store s2c ignore 3 maxrate 300 maxinterval 5007

The new configuration takes effect after the CLI command, restart inspection-core, is executed.

Show command

show s2c

Throttle S2C parameters (defaults):
         Ignore:         0
         Max rate:      999999
         Max interval:  30
-------------------

ANALYZER_S2C_IGNORE (0,1,2,3) - Switches the S2C throttling mechanisms on or off for the scenarios described below. The flag is a bit mask: 0 = the S2C throttling mechanism is OFF; 1 = turns on the function described in scenario 1; 2 = turns on the function described in scenario 2; 3 = turns both on.

MAX_S2C_VELOCITY - maximum rate (K bytes/sec). If this rate is exceeded, the analyzer sends an ignore session or ignore session reply request to the S-TAP® or sniffer.

MAX_S2C_INTERVAL - time interval in seconds (default 30 sec.) between successive ignore session or ignore session reply requests.

Scenario 1

The sniffer starts to receive traffic from the S-TAP or network in the middle of a large query. Since all incoming packets are DB server responses, no new session is created by the analyzer and therefore no information is sent to the logger and rules engine. This type of traffic is useless to the sniffer, but it can create additional S-TAP and sniffer load. The throttling mechanism decreases S-TAP and network sniffer load by sending an ignore session message from the analyzer when the S2C velocity is greater than MAX_S2C_VELOCITY. If for some reason the S-TAP or network sniffer is not affected, the analyzer sends the ignore session request again after MAX_S2C_INTERVAL seconds. To switch this throttling mechanism on, set the ANALYZER_S2C_IGNORE flag to 1.

Scenario 2

If the incoming traffic has a high S2C rate (greater than MAX_S2C_VELOCITY), the throttling mechanism sends an ignore session reply request to the S-TAP for local database connections. If for some reason the S-TAP is not affected, the analyzer sends the ignore session reply request again after MAX_S2C_INTERVAL seconds. To switch this throttling mechanism on, set the ANALYZER_S2C_IGNORE flag to 2.
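
The following is an illustrative model of the throttling decision described in the two scenarios, added for this page; it is not the product's code. It assumes 1K = 1024 bytes, a one-second window for measuring S2C velocity, and that the caller reports whether the analyzer already has a session for the traffic (scenario 1) and whether the connection is local to the S-TAP host (scenario 2). The class name S2CThrottleModel and the method observe_reply are this example's own.

```python
from collections import deque
from typing import Deque, Dict, Optional, Tuple


class S2CThrottleModel:
    """Model of the analyzer-side S2C throttling described in the two scenarios (illustrative only).

    ignore       : ANALYZER_S2C_IGNORE bit flags, 1 = scenario 1, 2 = scenario 2, 3 = both
    max_velocity : MAX_S2C_VELOCITY in K bytes/sec (1K = 1024 bytes assumed here)
    max_interval : MAX_S2C_INTERVAL, minimum seconds between repeated requests
    window       : seconds over which velocity is measured (assumption of this model)
    """
    SCENARIO1 = 1   # traffic arrives mid-query, analyzer has no session -> "ignore session"
    SCENARIO2 = 2   # local DB connection via S-TAP -> "ignore session reply"

    def __init__(self, ignore: int = 0, max_velocity: int = 999999,
                 max_interval: int = 30, window: float = 1.0):
        if ignore not in (0, 1, 2, 3):
            raise ValueError("ignore must be 0, 1, 2 or 3")
        if not 0 <= max_velocity <= 2147483647 or not 1 <= max_interval <= 2147483647:
            raise ValueError("rate or interval outside the documented range")
        self.ignore = ignore
        self.max_bytes_per_s = max_velocity * 1024
        self.max_interval = max_interval
        self.window = window
        self._bytes: Dict[str, Deque[Tuple[float, int]]] = {}
        self._last_sent: Dict[Tuple[str, str], float] = {}

    def velocity(self, session: str, now: float) -> float:
        """Server-to-client bytes per second seen for `session` within the window ending at `now`."""
        q = self._bytes.get(session)
        if not q:
            return 0.0
        while q and now - q[0][0] > self.window:
            q.popleft()
        return sum(n for _, n in q) / self.window

    def observe_reply(self, session: str, now: float, nbytes: int,
                      session_known: bool = True, local_connection: bool = False) -> Optional[str]:
        """Record a DB-server response packet; return the request the analyzer would send, if any."""
        self._bytes.setdefault(session, deque()).append((now, nbytes))
        if self.ignore == 0 or self.velocity(session, now) <= self.max_bytes_per_s:
            return None
        if (self.ignore & self.SCENARIO1) and not session_known:
            kind = "ignore session"
        elif (self.ignore & self.SCENARIO2) and local_connection:
            kind = "ignore session reply"
        else:
            return None
        # Do not repeat the same request for the same session sooner than MAX_S2C_INTERVAL.
        last = self._last_sent.get((session, kind))
        if last is not None and now - last < self.max_interval:
            return None
        self._last_sent[(session, kind)] = now
        return kind


if __name__ == "__main__":
    # Constructed trace: 60 KB replies every half second on a session the analyzer never saw start.
    model = S2CThrottleModel(ignore=3, max_velocity=100, max_interval=5)
    for t in (0.0, 0.5, 0.6, 6.0):
        print(t, model.observe_reply("s1", t, 60 * 1024, session_known=False))
```

With the defaults shown by show s2c (ignore 0) the model never emits a request, which matches the documented meaning of flag value 0.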

store sender_encoding

Use this CLI command to encode outgoing messages (email and SNMP traps) in different encoding schemes, where previously everything is encoded in UTF8.

For example, a Guardium customer wanted to encode all of the outgoing SNMP messages in SJIS - an alternative Japanese encoding.

Note: If the conversion fails, for either reason (a) the encoding scheme specified is invalid, or (b) the characters to be encoded cannot be represented in the requested encoding scheme, then the message is sent using UTF8, which is the default encoding scheme.
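
As an added example (not from the Guardium product), the fallback rule in the note above in Python: an unknown encoding name, a name longer than the 16 characters the syntax below allows, or a message that the requested encoding cannot represent all fall back to UTF-8. The function name encode_outgoing is this example's own.

```python
import codecs
from typing import Tuple

DEFAULT_ENCODING = "utf-8"
MAX_ENCODING_NAME_LEN = 16   # limit stated in the store sender_encoding syntax


def encode_outgoing(message: str, encoding: str) -> Tuple[bytes, str]:
    """Encode an outgoing email/SNMP message; return (bytes, encoding actually used).

    Case (a): the encoding name is invalid (unknown to the codec registry, or too long).
    Case (b): the text contains characters the encoding cannot represent.
    Both fall back to UTF-8 rather than dropping or mangling the message.
    """
    if len(encoding) > MAX_ENCODING_NAME_LEN:
        return message.encode(DEFAULT_ENCODING), DEFAULT_ENCODING
    try:
        codecs.lookup(encoding)
    except LookupError:                       # case (a)
        return message.encode(DEFAULT_ENCODING), DEFAULT_ENCODING
    try:
        return message.encode(encoding), encoding
    except UnicodeEncodeError:                # case (b)
        return message.encode(DEFAULT_ENCODING), DEFAULT_ENCODING


if __name__ == "__main__":
    # Constructed messages: the second contains a euro sign, which Shift_JIS cannot represent.
    for text in ("テスト alert", "Alert € threshold"):
        data, used = encode_outgoing(text, "SJIS")
        print(used, data)
```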

Syntax

store sender_encoding <str>,

where str is the encoding with maximum length 16

Show command

show sender_encoding

store set_partitions_for_queries

Use this CLI command to enable/disable partition selection on queries.

Usage:

store set_partitions_for_queries <on|off>

store snif_alert_only_syslog_with_subject

Use this command to determine whether the subject of alerts displays in the syslog. Set to OFF to hide the subject of alert messages. The default is ON, which displays the alert subject in the syslog.

Syntax

store snif_alert_only_syslog_with_subject on|off

Show command

show snif_alert_only_syslog_with_subject

store snif_mask_sql_value

Use this command to mask SQL values that are logged when a SQL exception occurs.
Note: If the SQL string contains a syntax error, only literals (that is, values enclosed in single quotation marks) are masked in the GDM_EXCEPTION table. For example, if the SQL string contains a syntax error, then the following masking rules apply:

'literal123' is a literal, as shown by the single quotation marks, and is masked.

identifier123 is an identifier, and displays in the table in clear text.
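
An added example (not Guardium's implementation) of the masking rule just described: single-quoted literals are replaced, identifiers stay in clear text, and the two awkward inputs a syntax error can produce, a literal that is never closed and a doubled quote inside a literal, are handled. The function name mask_sql_literals and the mask string are this example's own choices.

```python
def mask_sql_literals(sql: str, enabled: bool = True, mask: str = "'***'") -> str:
    """Return sql with every single-quoted string literal replaced by `mask`.

    `enabled` mirrors store snif_mask_sql_value on|off: when False the text is returned unchanged.
    Bare identifiers, double-quoted identifiers, numbers and keywords are left in clear text.
    A doubled quote ('') inside a literal is an escaped quote, not the end of the literal.
    An unterminated literal (typical of a statement with a syntax error) is masked to the end.
    """
    if not enabled:
        return sql
    out = []
    i, n = 0, len(sql)
    while i < n:
        ch = sql[i]
        if ch == "'":
            j = i + 1
            while j < n:
                if sql[j] == "'":
                    if j + 1 < n and sql[j + 1] == "'":   # escaped quote: stay inside the literal
                        j += 2
                        continue
                    break                                  # closing quote found
                j += 1
            out.append(mask)
            i = j + 1          # skip the closing quote (or run off the end if unterminated)
        else:
            out.append(ch)
            i += 1
    return "".join(out)


if __name__ == "__main__":
    # Constructed statements as they might be recorded for a SQL exception.
    samples = [
        "SELECT * FROM identifier123 WHERE name = 'literal123'",
        "UPDATE t SET note = 'it''s fine' WHERE id = 7",
        "SELECT \"Name\" FROM t WHERE x = 'unterminated",    # syntax error: literal never closed
    ]
    for s in samples:
        print(mask_sql_literals(s))
```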

Syntax

store snif_mask_sql_value on|off

Show command

show snif_mask_sql_value

store snif_use_feed_analyzer_thread

When Guardium processes S-TAPs on multiple ports, you can encounter issues in which multiple S-TAPs use the same queue and buffer. Specifically, if your site uses ports 16016 or 16018 (for UNIX S-TAPs) and ports 16022 (feed protocol) or 16023 (encrypted S-TAP TLS) the S-TAPs default to a shared queue, which can lead to unexpected issues.

The store snif_use_feed_analyzer_thread command allows you to have sniffer use a separate internal queue for these S-TAPs.

The default for store snif_use_feed_analyzer_thread is OFF. If you expect traffic on both ports (that is 16016 or 16018 and 16021 or 16022), set store snif_use_feed_analyzer_thread to ON before the S-TAPs start.

In addition, if the sniffer detects traffic from both ports, sniffer sets the parameter to ON, causing sniffer to use separate queues after the next restart.

Syntax
store snif_use_feed_analyzer_thread [ON | OFF ]
Note: For this command to take effect, you must also restart the inspection engine by calling the restart inspection-engine command.

Show command

show snif_use_feed_analyzer_thread

store stap approval

Use this function to block unauthorized S-TAPs from connecting to the Guardium appliance.

If ON, then S-TAPs cannot connect until they are specifically approved.

If an unapproved S-TAP connects, it is immediately disconnected until the IP address of that S-TAP is specifically authorized.

A pre-defined report for approved clients, Approved TAP clients, is available on the Daily Monitor tab.

Note:

A valid IP address is required, not the host name.

The CLI command, store stap approval, does not work within an environment where there is an IP load balancer.

Within a Central Managed environment, after adding the IPs to approved STAPs, there is a wait time associated with synchronization that might take up to an hour. After synchronization is complete the approved STAPs status will appear green in GUI.

Syntax

store stap approval ON | OFF

Show command

show stap approval

GuardAPI command

grdapi store_stap_approval
The new configuration takes effect after running the CLI command, restart inspection-core.

store stap certificate

Stores a certificate from the S-TAP host (usually a database server), on the IBM Guardium appliance. This command functions exactly like the store certificate console command, described later.

Syntax

store stap certificate

You will be prompted as follows:

Please paste your new server certificate, in PEM format.

Include the BEGIN and END lines, then press CTRL-D.

If you have not done so already, copy the server certificate to your clipboard. Paste the PEM-format certificate to the command line, then press CTRL-D. You will be informed of the success or failure of the store operation.

When you are done, use the restart gui command to restart the IBM Guardium GUI.

store stap network_latency

S-TAP verification is a feature by which customers can verify whether an S-TAP is monitoring database traffic. The verification feature is affected by the customer's network traffic and latency. Since latency differs for each customer, there needs to be a way to list and change the default value that the verification feature uses.

Syntax

store stap network_latency

USAGE: store stap network_latency <N>

where N is a number of seconds greater than 0.

The default value is 5 seconds.

The higher the number, the slower the S-TAP verification process becomes.

Show command

show stap network_latency

store storage-system

Adds or deletes a storage system type for archiving or system backup.

Syntax

store storage-system <Centera | TSM>   <backup | archive> <on | off>

Show command

show storage-system

Example

Assume you are currently using Centera for system backups, but want to switch to a TSM system. You must turn off the Centera backup option (unless you want to leave that as another option), and turn on the TSM backup option. The commands to do this are shown in the example. The show commands are not necessary, but are included for illustration only.

CLI> show storage-system
NETWORK :
CENTERA : backing-up
TSM     :
SCP     : archiving and backing-up
FTP     : archiving and backing-up
ok 
CLI>store storage centera backup off 
ok
CLI> store storage tsm backup on
ok
CLI> show storage-system
NETWORK :
CENTERA :
TSM     : backing-up
SCP     : archiving and backing-up
FTP     : archiving and backing-up
ok
CLI>

store support state

Enables (on) or disables (off) the sending of email alerts to the support email address, which can be configured using the forward support email command. By default, the support state is enabled (on), and the default support email address is support@guardium.com.

Syntax

store support state <on | off>

Show command

show support state

store throttle

This CLI command stores the throttle parameters. After entering this command, you must issue the CLI command, restart inspection-core for the changes to take effect.

This command is used to filter out (ignore) large packets. Throttling has two modes:

  • Thresholds, per session - ignore a session when a long enough burst (duration configurable) of large packets (size configurable) is identified, and stop ignoring the session when traffic drops below a certain threshold (also configurable).
  • Overall - ignore all packets larger than a certain size (configurable) in all sessions.

This throttling mode completely ignores long and excessive non-database packets smaller than a predefined size (useful for VNC clients and other types of white-noise traffic). Use it for network traffic arriving through a SPAN port or hardware TAP. For S-TAP traffic, it applies only to network TCP traffic picked up by PCAP. See also the CLI command, store s2c.

Syntax

store throttle [default | size <s> interval <i> trigger <t> release <r>]

USAGE:   store throttle size S interval I trigger T release R
         where 0<=S<=2^17 (bytes), 1<=I,T,R<=2^31 (seconds)
         OR store throttle default

Show command

show throttle
Throttle parameters:
Packet size:   228000
Time interval: 604800
Trigger level: 10000000
Release level: 10000000

Parameters

  • default - Enter the keyword default to restore the system defaults (no other parameters are used). The default throttling parameters are never throttle.
  • s - The packet size in bytes, up to a maximum of 2^17 (131072).

    The remaining parameters are in seconds, up to a maximum of 2^31 (2147483648):

  • i - The time interval
  • t - The trigger level
  • r - The release level

Note: To restore the throttle defaults, use the CLI command, store throttle default.

store timeout

Sets the timeout value of a CLI session and/or fileserver session. The default value is 600 seconds. A timeout will also close the CLI session.

If the fileserver is stopped because of a timeout, a message will appear, Warning : Fileserver stopped because of timeout. The file upload may not be complete. Stopping the process.

Use the CLI commands, show timeout db_connection, to show the socketTimeout value in the conf file, and store timeout db_connection <value>, to set the value of the timeout. The value should be greater than 0. The default value is 25000 seconds. These CLI commands are used in managing the communications between the Central Manager and the managed unit when DNS is not configured.

Syntax

store timeout cli_session <n>
store timeout fileserver_session <n>
store timeout db_connection <n>

Show command

show timeout cli_session 600
show timeout fileserver_session 600
show timeout db_connection 25000

store transfer-method

Sets the file transfer method used for CSV/CEF export and for backup/archive. For export files, use the CLI command, store transfer-method csv, to set the method of transfer. For backup/archive, use the CLI command, store transfer-method backup, to set the method of transfer.

Syntax

store transfer-method <FTP | SCP>

Show command

show transfer-method
Note: Files sent from one IBM Guardium appliance to another (from a collector to an aggregator, for example) are always sent using SCP.

store uid_chain_polling_interval

Set the interval for UID Chain polling with this CLI command. UID chain is a mechanism which allows S-TAP (by way of K-Tap) to track the chain of users that occurred prior to a database connection.

Set the interval to 0 to turn off the UID Chain processing, in order to improve database performance. If the UID Chain processing is turned off, then calculating the UID Chain and updating children sessions are skipped.

Note: When using any database, the UID chain is not logged for all sessions if the session is very short.

Syntax

store uid_chain_polling_interval <n>

Where n is the time in minutes (>= 1 minute; default is 2 minutes). Set n = 0 to turn off UID Chain processing.

Show command

show uid_chain_polling_interval

store upd_session_end

This CLI command adds an option to skip the update for the session_end time using Session Inference. For more information, see Session Inference.

Syntax

store upd_session_end <state>

Where <state> is on|off

Show command

show upd_session_end
Note: Changes will only take effect after the GUI is restarted.

store unit type

Use this CLI command to set unit type attributes for the Guardium appliance. See the Unit Type Attributes table for a description of all unit type attributes that can be displayed by this command.

Syntax

store unit type [manager | standalone] [netinsp] [stap] [mainframe] [sink]

Use store unit type sink to switch collected DRDA traffic timestamp granularity from 1 millisecond to 1 microsecond.

Show command

show unit type
Note: Some attributes listed are set using the store unit type command, and cleared using the delete unit type command. The aggregator attribute can only be set during installation of the IBM Guardium software, and cannot be modified except by re-installing the IBM Guardium software.

support store ora_tns_errors

Controls handling of TNS errors early in the processing, giving the option to not log them at all. (Prior to v10.6, TNS-related errors were logged and categorized as failed logins, and were filtered using either exception policy rules or error code groups.)

Syntax

support store ora_tns_errors [0 | 1]
  • 0: do not store TNS errors
  • 1: store TNS errors (default)

Show command

show ora_tns_errors

Unit Type Attributes

The Guardium system unit type attributes that you can display with the show unit type command are described in the table. Except where noted, these attributes can be set using the store unit type command, and cleared using the delete unit type command.
Table 3. Unit Type Attributes

Attribute              Description
mainframe              The unit is a mainframe (z/OS®) network inspection appliance.
manager                Central manager functions are enabled for this unit.
netinsp                Inspection of network traffic is enabled.
network route static   Removes one line off the static routing table.
standalone             Local management (independent of a central manager).
stap                   The unit can receive data from and manage S-TAP and CAS agents.

unregister management

The unregister command restores the configuration that was saved when the appliance was registered for central management. If that happened under a previous release of the IBM Guardium software, restoring that configuration without first applying a patch to bring the saved configuration to the current software release level will disable the appliance, potentially causing the loss of all data stored there. Accordingly, do not unregister a unit until you have verified that the pre-registration configuration is at the current software release level. If you are unsure about how to verify this, contact Technical Support before unregistering the unit.

Syntax

unregister management
Note:
  • This command is intended for emergency use only, when the Central Manager is not available.
  • After unregistering using this command, you should also unregister from the Central Manager (from the Administration Console), since that is the only way the count of managed units will be reduced. The count of managed units is authorized by the product key.