Support CLI Commands

Use the following CLI commands only under the direction of Technical Support.

These commands assist Guardium Technical Support in analyzing the status of the machine, troubleshooting common issues, and correcting some common problems. You do not need to run these commands regularly.

store active_parser_engine

This CLI command controls which parser engine the sniffer uses. It applies only to database types that are supported by ANTLR3 parsers (such as Oracle, Db2, MS SQL, and MySQL).

Syntax
store active_parser_engine <num>
Where num is
  • 1 - ANTLR3 parser errors reparsed by ANTLR2 (default)
  • 2 - ANTLR2 only
  • 3 - ANTLR3 only
Show command
show active_parser_engine

store antlr3_cached_raw_context_count

Use this command to define how many cached results the sniffer antlr3 parser stores for each raw (prepared) statement map per sniffer thread. The typical workflow for raw statements is that the sniffer first receives a raw SQL statement, which is parsed, stored in memory along with its ID, and logged. When the sniffer later receives the bind data, the full SQL is reconstructed and reparsed.

With this feature, the cache creates a short-cut where the raw antlr3 parsed result is also stored in memory. It is much faster to retrieve and run the cached statements than having to reparse them on every retrieval. However, the caching also requires much more memory.

The command allows you to specify how many antlr3 raw statement parsed results are cached per sniffer thread, rather than reparsing the reconstructed statements.

Note: The store antlr3_cached_raw_context_count function allows the sniffer to process traffic more efficiently when raw statements are heavily used. However, caching the raw statements causes the sniffer to consume more memory. It is recommended to enable the store antlr3_cached_raw_context_count function only on collectors that have at least 32 GB of memory.

Recommended values are 1000 - 2000 statements per GB of memory. For example, for a 32 GB collector, you can set store antlr3_cached_raw_context_count to 32 - 64 (that is, 32,000 - 64,000).

Syntax
store antlr3_cached_raw_context_count <num>

Where num is a number between 0 (disabled) and 1000 (in thousands) or -1 (default) to have sniffer allocate the number of cached results based on the amount of available memory.

Examples

store antlr3_cached_raw_context_count 24 - Sets the limit to 24,000.

store antlr3_cached_raw_context_count 1000 - Sets the limit to 1,000,000.

Show command

show antlr3_cached_raw_context_count 

If store antlr3_cached_raw_context_count is set to -1, the response is “Available.”

store antlr3_max

Use this command to help control data flow between the sniffer parser and logger for the antlr3 parser.

If the sniffer is running out of memory and restarting, try lowering the antlr3_max logger size. Alternatively, if the sniffer isn't using enough of the available system memory, increase the logger size to allow sniffer to use more system memory.

Note: The store antlr3_max command is an advanced parameter for expert users and Customer Support. This command helps control the data flow between parser and logger component of the sniffer for Oracle, Db2, MySQL, or MSSQL.
Syntax
store antlr3_max <num>
Where num is the number of parsed SQL statements that can be processed by the logger queue and can be either:
  • A number in the range 1000 - 10000000.
  • 0 (the default) - Allows the sniffer to dynamically allocate space based on available memory. For every 500 MB of physical memory, this command allocates space for 1000 parsed SQL statements.

Show command

show antlr3_max

store antlr3_remove_comments

Use this CLI command to determine whether to log SQL comments in reports and alert messages.

Syntax
store antlr3_remove_comments [on | off ]
Where:
  • on - Do not log comments in alerts and reports.
  • off - Log comments in alerts and reports.
Note: You must restart the inspection engine after you change this command.

Show command

show antlr3_remove_comments

This command shows whether store antlr3_remove_comments is enabled or disabled.

support analyze

Use this CLI command to analyze content.

Parameters
support analyze mssql_decryption_config
support analyze sniffer
support analyze tables
support analyze tap_property
support analyze static-tables
Analyze the content of static tables by sorting them based on the largest group per value length and value occurrence.
Note: The analyzed reports can be retrieved from the access logs on the file server using the following path: Access logs > opt-ibm-guardium-log > analyze
The following example is a list of analyzed reports in the Guardium access log:
analyze_mssql_decryption_config.log
analyze_sniffer_errors.log
analyze_tap_property.log

support app_debug

Turns on app_debug for the specified number of minutes.

Syntax
support app_debug start

At the prompt, enter the number of minutes to run the app_debug function.

support check tables

Invokes the mysqlcheck -c command on tables (to check tables for errors). The default table is TURBINE.

Syntax
support check tables [dbname [tablename]] 

Checks run in parallel, so the overall run time can vary. The command shows progress in percentages. All checks time out after 3 minutes. If a check times out, the table name displays after the command completes.

Any errors that are found are stored in the following file.
/opt/IBM/Guardium/log/<dbname>_check_tables
Where <dbname> is the name of the database that you checked.
Within the <dbname>_check_tables file, for each table that contains an error, the CLI command generates a log file called:
check_table_child.<tablename>.<date>.log
Where:
  • <tablename> - The name of a table with errors
  • <date> - Current date
Log files are not generated for healthy tables.
  • Specify this command with no parameters to check all tables in TURBINE database.
  • Specify dbname to check all tables in a specified database. If you do not specify a database, Guardium checks the tables in TURBINE.
  • Specify dbname and tablename to check a single table in the database. Use this command to recheck individual tables where the check timed out. You can use a percent sign (%) as a wildcard in tablename parameter.
    For example, to search for all tables in TURBINE that begin with the word RULE:
    support check tables TURBINE RULE%

support clean audit_results

A way to manually purge audit results. Use this command only when absolutely necessary to deal with audit tasks that produce a high number of records and take up too much disk space.

Note: Consult with Technical Support before you run this command.
When you run the command, the following steps occur:
  1. A Warning message displays and you must confirm that you really want to take this step.
  2. This command lists the audit processes and tasks information. It presents the number of rows, ordered from the largest result set to the smallest. The number of report results is greater than or equal to the input value.
  3. Select the line number to delete the audit data for the selected process name.
Syntax
support clean audit_results <rows>
Where rows is the number of rows to show. Default = 10.
Note: On a system with many audit tasks, this command can take some time to complete.

support clean log_files

This CLI command deletes the specified file after you confirm the deletion. If it cannot find the file, it lists the files larger than 10 MB in /var/log so that you can select one of them for deletion. A warning message is presented and a confirmation step is included.

Syntax
support clean log_file <filename>
 >> add filename.

support clean centera_files

Guardium archives and backups that are stored within Centera have a deletion date marker that is attached to them by Guardium. However, no facility is available to invoke the deletion. Centera does not have a GUI to allow maintenance of its own files, so it relies on API invocations from client applications.

Use this command to delete marked files within Centera.

Syntax
support clean centera_files

support clean DAM_data

A way to manually purge database activity monitoring data. Use this command only when absolutely necessary.

Consult with Technical Support before you run this command.

A Warning message and a confirmation step are included in the command.

Syntax
support clean DAM_data <purge_type> <start_date> <end_date>

Input parameters

purge_type options - agg, exceptions, full_details, msgs, constructs, access, policy_violations, parser_errors, flat_log

start_date - YYYY-mm-dd

end_date - YYYY-mm-dd

support clean hosts

Syntax
support clean hosts <IP address> <fully qualified domain name>

support clean InnoDB-dumps

Use this CLI command to purge InnoDB tables.

This command is password-protected (for Technical Support only)

Syntax
support clean InnoDB-dumps

support clean servlets

Deletes *jsp*.java and *jsp*.class files and restarts GUI.

Use this CLI command to delete generated Java™ servlets and their classes.

Syntax
support clean servlets

support execute

This utility is designed to provide Guardium Advanced Support with the ability to assist with remote diagnostics and support when direct remote access is not available or permitted.

The support execute command is not a replacement for direct remote connections, but allows Guardium Support at least some level of root access in a secure way without direct access.

The commands that are provided by Guardium Advanced Support can be SQL statements, O/S Commands, Shell Scripts, or SQL scripts. The scripts are provided to the customer along with a Secure Key to allow the command to run using the CLI. The Secure key is tied to the system that Guardium Support is working on with the customer, and is not valid for any other system. The command can only be run the number of times that are permitted by Guardium Support and is only valid for seven days from the agreed date.

The feature is disabled by default. Enable it using the CLI command in either normal or recovery mode.

Syntax
support execute [enable | disable] 

To permit the Guardium Advanced Support team to generate a Secure Key, the MAC address of the system in question must be provided for ens32.

Examples:
support execute <CMD String> <PMR #> <KEY>
# main execute command provided by Guardium Advanced Support.
support execute showlog [<Secure Key>|main|files]
# Show usage logs
# '<Secure Key>' for full details of a single entry
# 'main' to display the main execute log
# 'files' to display the log directory list
support execute mac
# ens32 MAC address required by support to generate the secure key
support execute info
# Show ens32 MAC address, root passkey and other system information
support execute version
# Display the "Support Execute" internal binary code version
support execute help
# Help details and purpose of utility information
Example of a command provided by Guardium Advanced Support:
support execute "select * from GDM_ACCESS%5CG" 11111,111,111 6254130c0f0c3c504b33687c57f41363e4c00

support gather_io_metrics

This command manages the gather_io_metrics service to collect information about I/O statistics on the Guardium appliance when you run the command. With the start parameter, this command creates a gather_io_metrics.txt file. In addition, Guardium includes the gather_io_metrics.txt file with the output of any must_gather command. For more information, see support must_gather commands.

Syntax
support gather_io_metrics  [remove_log | start | status |stop]
Where:
  • remove_log - Delete the current gather_io_metrics.txt file.
  • start - Start to gather I/O metrics. By default, the service runs for 24 hours, unless you stop it sooner.
  • status - Provide the current status of the gather_io_metrics service. Reports on iostat command output, whether the service is running, and other information.
  • stop - Stops the gather_io_metrics service.

support logrotate message

By default, log files rotate weekly and store the four most recent log files. Use this command to change the log rotation strategy for the log files.

Syntax
support logrotate message [frequency] [# of rotations] [# of steps]
Where:
  • frequency - The frequency with which to rotate the files. Frequency can be one of hourly | daily | weekly | monthly.
  • # of rotations (integer) - The number of logs to keep. The default is 4. After Guardium reaches the specified number of logs, the oldest log is deleted. The following example rotates the logs every week and stores the three most recent logs:
    support logrotate message weekly 3 
  • # of steps (integer) - The number of steps (an hour, day, week, or month) to skip in the specified frequency. The following example stores the five most recent logs and rotates the logs every second day:
    support logrotate message daily 5 2 

Show command

support show logrotate message

support must_gather commands

As the CLI user (that is, the user named CLI), you can run must_gather commands to generate specific information about the state of most Guardium® systems. After you run the command, upload this information from the appliance and send it to Guardium Technical Support whenever a PMR (Problem Management Record) is logged.

The CLI user can run the must_gather commands at any time, as follows.

  1. Open a PuTTY session (or similar) to the Guardium system of concern.
  2. Log in as user cli.
  3. Depending on the type of issue you are facing, enter the relevant must_gather commands into the CLI prompt in the following format.
    Syntax
    support must_gather <arg>

    Where arg is a single must_gather command. You might need more than one must_gather command to diagnose the problem.

    • agg_issues - Aggregation process issues.
    • alert_issues - Alerting issues.
    • app_issues - Application issues.
    • audit_issues - Audit process issues.
    • auth_issues - Authentication issues (including LDAP and multifactor authentication).
    • auto_create_ie - Auto create inspection engines issues.
    • backup_issues - Backup process issues.
    • big_data_issues - Big data issues.
    • cm_issues - Central manager issues.
    • compliance_mon_issues - Compliance monitoring issues.
    • datamining_issues - Data mining issues.
    • datastreams_issues - Data streaming issues.
    • deploy_agents_issues - Deployment agents issues.
    • deployment_issues - Deployment issues.
    • eagle_eye_issues - Advanced threat scanning issues.
    • ecosystem_issues - Ecosystem issues.
    • enterprise_load_balancer_issues - Enterprise load balancer issues.
    • entitlement_issues - Entitlement optimization issues.
    • go_stream - Go stream issues.
    • jproxy_issues - Jproxy issues.
    • miss_dbuser_prog_issues - System database user issues.
    • native_auditing_issues - Native auditing issues.
    • network_issues - Network architecture issues.
    • patch_install_issues - Patch installation and upgrade issues.
    • purge_issues - Purge process issues.
    • risk_spotter - Risk spotter issues.
    • scanner_agent_issue
    • scheduler_issues - Scheduler issues.
    • slon_looper - Slon looper output.
    • sniffer_issues - Sniffer issues.
    • system_db_info - Guardium system database or operating space performance issues.
    • universal_connector_issues - Universal connector issues.

    The following commands might take a few minutes to complete.

    • support must_gather miss_dbuser_prog_issues
    • support must_gather sniffer_issues
    For the following commands, you are prompted for a time (in minutes) for how long you want to run the debugger to reproduce the problem.
    • support must_gather backup_issues
    • support must_gather scheduler_issues
    Guardium writes the output to the must_gather directory with filenames, for example:
     must_gather/system_logs/.tgz
  4. Send the resulting output to IBM® Support.

Use the fileserver CLI command to upload the tgz files and send them to support.

Send the output in an email or upload to ECUREP in, for example, the standard data upload specifying the PMR number and file to upload.

To purge must_gather files from the Guardium system, see show must_gather_file_max_age.

support must_gather datamining_issues

Collects necessary diagnostic information for Outliers, Quick search and data mart functionality. Information includes dumps of corresponding internal tables, necessary logs, state of corresponding processes, and standard must_gather diagnostics (general system and internal DB information).

Syntax
support must_gather datamining_issues

support must_gather network_issues

The command gathers all network information from the appliance and polls hosts that Guardium interacts with by using ping, traceroute, corresponding port probing, and other measures. If the optional parameter is specified, then it polls only the host that was specified (if Guardium is configured to do any activity on this host).

Syntax
support must_gather network_issues [--host=<HOST>]

Where optional parameter --host is the hostname or IP address.

support reset-managed-cli

Use this command from a central manager to log in to each associated managed unit and set the CLI passwords and expirations to match the passwords and expiration dates of the central manager.

For this procedure to work, the root passkey must be set on each managed unit. For more information, see Resetting the root password.

Syntax
support reset-managed-cli

support reset-password

This command resets a password on the IBM Guardium appliance. For root and cloudsupport accounts, only use this command when requested to do so by IBM Technical Support.

Syntax
support reset-password [ accessmgr | cloudsupport | root ]
Where:
  • accessmgr - Resets the accessmgr password.

    If the accessmgr email is set up, the system notifies the accessmgr account email.

  • cloudsupport - For cloud images only, resets the password for the cloudsupport account.

    The cloudsupport password uses a joint password mechanism for security. Your site holds the keys to the appliance in the form of an encoded numeric passkey. IBM holds the passkey decoder.

    When you call Guardium support, the support analyst will start a remote desktop sharing session and request the cloudsupport passkey for the Guardium appliance in question. Guardium support uses the cloudsupport password to gain access to the appliance as cloudsupport user.

    Use this command to reset the password key and support show passkey cloudsupport to view the passkey.

  • root - Resets the root password on the IBM Guardium appliance.

    This command requires that you provide a secret keyword in order to change the root password. Contact Technical Support if you need to change the root password.

    Note: Do not reset the root password unless required by business rules.

support schedule find_crashed_tables

Use this CLI command to enable or disable the daily cron job of find_crashed_tables.sh script.

Syntax
support schedule find_crash_tables on ALL|db 
support schedule find_crash_tables off 

This command enables or disables the daily schedule of find_crashed_tables script.

Note: Pay particular attention to the database entered. Enter "ALL" in order to process all five valid databases for crashed tables, or enter just one of the five valid databases: "TURBINE", "GDMS", "CUSTOM", "DATAMART", or "DIST_INT".

support server

The support server is an advanced diagnostic utility that generates a summarized report of your Guardium system.

Use the support server command to list all of the support server CLI commands.

Run this command to enable the support server on your Guardium system.

support server enable

Run this command to disable the support server on your Guardium system.

support server disable

Use this command to get a summarized report of your Guardium system.

support server info

support show boot check

Use this command to perform a health check on the boot order of kernels in the boot loader. If the boot order has not been customized and the latest kernel version is not the first entry in the boot order, the command returns Failed. Otherwise, the command returns Passed. If the boot order has been customized, the command always returns Passed.

support show boot order

Use this command to display the boot order of kernels in the boot loader.

support show db-processlist

This command lists all of the database processes sorted by running time.

Syntax
support show db-processlist all
support show db-processlist locked
support show db-processlist running
support show db-process full

Parameters:

support show db-processlist [ ]

Where:

  • all - Includes sleeping processes
  • full [optional] - Displays SQL queries in expanded format
  • locked - Displays all locked processes
  • running - View all running SQL statements

support show db-struct-check

This command displays all the structure differences that are found during aggregation process.

Syntax
support show db-struct-check

support show db-top-tables

This command lists the 20 largest database tables sorted by size, and separately lists the tables that have more than 80% free space, sorted by the amount of free space in use. It allows filtering by table name. All table sizes are displayed in MB, and free space usage as a percentage.

Syntax
support show db-top-tables all
support show db-top-tables like

Parameters

support show db-top-tables all

Lists the largest tables out of the entire database sorted by size.

support show db-top-tables like

Lists the largest tables by matching criteria, which can be any portion of the table name.

support show db-status

This command shows database usage.

Parameters are free, used, megabytes, percentage.

Syntax
support show db-status free %
support show db-status used %
support show db-status free m
support show db-status used m

support show hardware-info

This command uses a script to collect hardware information and places this collected information in a directory for retrieval.

After running this CLI command, the following message displays:

Collected HW Info as /var/log/guard/Gather_hw_info-2012-06-25-17-43.tgz

Then run the fileserver CLI command to retrieve this .tar file from the server.

support show innodb-status

Use this CLI command to troubleshoot MySQL issues: it shows what is happening at runtime with MySQL tables, and lets you determine whether long check times with MySQL tables are due to a record lock or a table lock.

Syntax
support show innodb-status
0 queries inside InnoDB, 0 queries in queue 
0 read views open inside InnoDB 
Main thread process no. 7959, id 139923805550336, state: sleeping Number of rows inserted 6894, updated 6934, deleted 93, read 24787 0.33 inserts/s, 0.00 updates/s, 0.00 deletes/s, 0.67 reads/s
 ----------------------------
 END OF INNODB MONITOR OUTPUT

support show iptables

This command displays the output of system iptables command.

Syntax
support show iptables diff
support show iptables list

Parameters

  • [diff | list] - Controls the presentation: list shows the normal iptables output, diff shows only the differences (delta).
  • [accept | full] - Filters the output: accept shows only the accept rows, full shows the unfiltered list.

support show large_files

This command lists all the files larger than <size> MB and older than <age> days in the /var, /tmp, and /root folders.

Syntax
support show large_files <size> <age>
Where:
  • size - The minimum size, in MB, of the files to display. An integer greater than 10 (default 100M).
  • age - The number of days since the last modification. An integer greater than or equal to 0.

show must_gather_file_max_age

Use this command to change the number of days that a must_gather file is stored in the Guardium system before purging.

Syntax
store must_gather_file_max_age <num days>

Where the value for num days is any integer greater than 1 and the default value is 30.

The file cleanup_must_gather_files.log logs all the files that are purged by the store must_gather_file_max_age command.

support show netstat

This command displays the output of system netstat command. It allows filtering of the output by content using a grep parameter.

Syntax
support show netstat [ all | grep ]
Where:
  • all - Shows the output of the system netstat command.
  • grep - An alphanumeric string to search. The command returns the output that matches the search parameters.

support show passkey

This command displays a passkey that you created using the support reset-password command.

Syntax

show passkey [ accessmgr | cloudsupport | root ]

Where,

  • accessmgr shows the passkey for the accessmgr.
  • cloudsupport shows the passkey for cloud images, such as Azure, IBM Cloud, or Oracle OCI. Use show passkey cloudsupport to show the passkey (access key) that Guardium technical support requires to access a cloud image during a support call.
  • root shows the passkey for the current (non-cloud) appliance. Use this command to show the passkey that Guardium technical support requires to access the appliance if you are locked out of root.

For more information, see support reset-password. For more information about the root password, see Resetting the root password.

support show port open

This command is similar to using telnet to detect an open TCP port locally or on a remote host.

If you are able to connect successfully, a message similar to the following displays:
Connection to 127.0.0.1 8443 port [tcp/*] succeeded! 
If you are unable to connect, a message similar to the following displays:
Connect to 127.0.0.1 port 1 (tcp) failed: 
Connection refused
Syntax
support show port open <IP> <port>
Where:
  • IP - Must be a valid IPv4 address (such as 127.0.0.1).
  • port - Must be an integer with a value in 1-65535.
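The following is an added example, not Guardium's own code: a local equivalent of the support show port open check written in Python. It applies the same input rules (a valid IPv4 address and a port from 1 to 65535), attempts a plain TCP connect, and reports the result in the same wording the CLI output shows above. The helper function names and the 3-second connect timeout are this example's own choices.

```python
"""Local model of the support show port open check (added example)."""
from __future__ import annotations

import ipaddress
import socket
from typing import Optional, Tuple


def target_error(ip: str, port: int) -> Optional[str]:
    """Return a message describing why the target is unacceptable, or None if it is fine.

    Mirrors the documented constraints: IPv4 only, port 1-65535.
    """
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return f"{ip!r} is not a valid IP address"
    if addr.version != 4:
        return f"{ip!r} is not an IPv4 address"
    if not 1 <= port <= 65535:
        return f"port must be between 1 and 65535, got {port}"
    return None


def port_open(ip: str, port: int, timeout: float = 3.0) -> Tuple[bool, str]:
    """Try a TCP connect and return (open, message) in the CLI's phrasing."""
    err = target_error(ip, port)
    if err:
        raise ValueError(err)
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True, f"Connection to {ip} {port} port [tcp/*] succeeded!"
    except OSError as exc:
        # exc.strerror is e.g. "Connection refused"; timeouts carry no strerror
        reason = exc.strerror or str(exc)
        return False, f"Connect to {ip} port {port} (tcp) failed: {reason}"


def demo_against_local_listener() -> Tuple[bool, bool]:
    """Open a throwaway listener on 127.0.0.1, probe it, close it, probe again.

    Returns (open while listening, open after closing); expected (True, False).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    was_open, _ = port_open("127.0.0.1", port)
    srv.close()
    still_open, _ = port_open("127.0.0.1", port)
    return was_open, still_open


if __name__ == "__main__":
    print(port_open("127.0.0.1", 8443)[1])
    print(demo_against_local_listener())
```

The probe only tells you whether something accepts a TCP connection on that port; like the CLI command, it does not say which service is listening or whether it is healthy.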

support show session_rules

Syntax
support show session_rules <status|grammar>
Where:
  • status - Displays the current status of the session rules.
  • grammar - Displays the session rules syntax.

support show top

This command displays the output of system top command sorted by cpu, memory or running time. You can specify the number of iterations (default =1) and number of displayed rows (default =10).

Syntax
support show top [ cpu | memory | time ]

Parameters

  • cpu <N> <R>
  • memory <N> <R>
  • time <N> <R>

Where N is number of iterations (between 1 and 10) and R is number of rows to display (minimum = 10).

support store boot custom

Use this command to manually define (customize) the first kernel entry in the boot loader. Use support store boot custom to show all installed kernels and the corresponding index value, then use the index value to define the first kernel entry in the boot loader. Use support store boot custom off to turn off boot loader customizations.

Syntax
support store boot custom [ <index> | off ]

support store boot sanitize

Use this command to reorder the kernels in boot menu. If the boot order has not been customized, the command sorts all currently installed kernels in descending order by version. If the boot order has been customized, the command does nothing.

Syntax
support store boot sanitize

support store datastreams_diag

Turn data stream debug level logging off or on. When logging is on, datastream logs are stored in ../opt/IBM/Guardium/log/datastreams.

Syntax
support store datastreams_diag [ off | on ]

support store hosts

The support store hosts command appends an IP-address/domain-name pair to the operating system hosts file (/etc/hosts). The hosts file translates hostnames to IP addresses.

Syntax
support store hosts <IP_address> <fully_qualified_domain name>
Example
support store hosts 1.2.3.4 mydomain.company.com
This example adds the following line to the end of the hosts file:
1.2.3.4 mydomain.company.com # CREATED BY CLI, DO NOT CHANGE

Show command

support show hosts

This command shows entries added to the /etc/hosts file using the support store hosts command.
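The following is an added example, not Guardium's own code: a Python model of how the support store hosts, support show hosts, and support clean hosts commands work together on the hosts file. It operates on the file contents passed in as text so that it runs offline, appends entries with the exact marker comment the page shows, lists only CLI-created lines, and never removes an entry that lacks the marker. Accepting IPv6 as well as IPv4 addresses, and the FQDN rule (at least two labels, letters, digits and hyphens), are this example's assumptions.

```python
"""Model of the support store/show/clean hosts commands (added example)."""
from __future__ import annotations

import ipaddress
import re
from typing import List, Optional, Tuple

MARKER = "# CREATED BY CLI, DO NOT CHANGE"  # marker the CLI appends, as shown on the page

# Assumed FQDN rule: two or more labels of letters, digits and hyphens, up to 253 chars
_FQDN = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$",
    re.IGNORECASE,
)

# Constructed sample hosts file standing in for /etc/hosts
SAMPLE_HOSTS = "127.0.0.1 localhost\n::1 localhost\n"


def pair_error(ip: str, fqdn: str) -> Optional[str]:
    """Return why the pair is unacceptable, or None if it may be stored."""
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        return f"{ip!r} is not a valid IP address"
    if not _FQDN.match(fqdn):
        return f"{fqdn!r} is not a fully qualified domain name"
    return None


def store_host(hosts_text: str, ip: str, fqdn: str) -> str:
    """support store hosts: append 'IP FQDN <marker>' as the last line of the file."""
    err = pair_error(ip, fqdn)
    if err:
        raise ValueError(err)
    if hosts_text and not hosts_text.endswith("\n"):
        hosts_text += "\n"
    return f"{hosts_text}{ip} {fqdn} {MARKER}\n"


def show_hosts(hosts_text: str) -> List[Tuple[str, str]]:
    """support show hosts: return (ip, fqdn) for lines that carry the CLI marker."""
    entries = []
    for line in hosts_text.splitlines():
        if line.rstrip().endswith(MARKER):
            ip, fqdn = line.split()[:2]
            entries.append((ip, fqdn))
    return entries


def clean_host(hosts_text: str, ip: str, fqdn: str) -> str:
    """support clean hosts: drop the CLI-created line for exactly this pair.

    Lines without the marker (the operating system's own entries) are kept untouched.
    """
    kept = []
    for line in hosts_text.splitlines():
        if line.rstrip().endswith(MARKER) and line.split()[:2] == [ip, fqdn]:
            continue
        kept.append(line)
    return "".join(line + "\n" for line in kept)


if __name__ == "__main__":
    after = store_host(SAMPLE_HOSTS, "1.2.3.4", "mydomain.company.com")
    print(after, end="")
    print(show_hosts(after))
    print(clean_host(after, "1.2.3.4", "mydomain.company.com"), end="")
```

Keeping the marker on every CLI-written line is what lets the show and clean operations stay confined to entries the CLI created, so a clean never disturbs system entries such as localhost.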

support store ora_tns_errors

Controls handling of TNS errors early in processing, giving the option to not log them at all.

Syntax

support store ora_tns_errors [0 | 1]
  • 0 - Do not store TNS errors
  • 1 - Store TNS errors (default)

Show command

show ora_tns_errors

support store rdsdiag

Manage Amazon Web Services (AWS) relational database service (RDS) monitoring.

Syntax
support store rdsdiag < clean | off | on >
where:
  • clean - Attempts to delete all core dumps older than 3 minutes from /var/tmp/rds.
  • off - When RDS monitoring is on, turn on RDS diagnostics.
  • on - When RDS monitoring is on, turn off RDS diagnostics.

For more information about turning on RDS monitoring, see start rds_monitoring.

support store session_rules

Use this command to install and manage session rules for session-level policies.

Syntax
support store session_rules  <i|u|r|g|e|p> [in_file]
Where:
  • i - Install rules
  • u - Uninstall rules
  • r - Reinstall last rules
  • g - Get installed session rules into file ./srules.a to enable editing
  • e - Export installed encrypted session rules into file ./srules.exp
  • p - Set password for CLI user
  • in_file - Session rules file to input for i, u, g

support store snif_auto_hostname_cache

Use this command to toggle sniffer hostname caching.

Syntax
support store snif_auto_hostname_cache [ on | off ]
Where:
  • on - Sniffer automatically detects and caches hostnames.
  • off - Use CLI commands to control hostname caching.

Show command

support show snif_auto_hostname_cache

support store snif_auto_os_name_cache

Use this command to toggle sniffer operating system name caching.

Syntax
support store snif_auto_os_name_cache [ on | off ]
Where:
  • on - Sniffer automatically detects and caches operating system names.
  • off - Use CLI commands to control operating system caching.

Show command

support show snif_auto_os_name_cache

support store snif_auto_service_name_cache

Use this command to toggle sniffer service name caching.

Syntax
support store snif_auto_service_name_cache [ on | off ]
Where:
  • on - Sniffer automatically detects and caches service names.
  • off - Use CLI commands to control service caching.

Show command

support show snif_auto_service_name_cache

support store snif-debug

Use this command to turn the snif debug on or off.

Syntax
support store snif-debug [on | off ]

Show command

support show snif-debug

support store snif_dump_invalid_msgs

Use this command to control the maximum number of invalid TAP messages that snif writes to a log file in a 5-minute period.

Syntax
support store snif_dump_invalid_msgs [ off | on | rate_limit | size_limit ]
Where:
  • off - Do not write invalid messages to the log file.
  • on - Write all messages to the log file, regardless of whether they are valid.
  • rate_limit <num-msgs> - Sets the maximum number of invalid TAP messages that are written to the log file in a 5-minute period, where num-msgs is 0 or greater.
  • size_limit <file-size-mb> - Sets the maximum file size for the snif log file containing invalid TAP messages, where file-size-mb is a size between 1 and 4000, in MB.

Show command

support show snif_dump_invalid_msgs
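The following is an added example, not Guardium's own code: a Python model of the four snif_dump_invalid_msgs modes, applied to a constructed stream of TAP messages, to make the documented limits concrete. The 5-minute period, the 0-or-greater message count and the 1-4000 MB cap are the ones stated above; counting in fixed 5-minute windows, and charging each message's byte length against the size cap, are assumptions of this model rather than documented sniffer behaviour.

```python
"""Model of the support store snif_dump_invalid_msgs limits (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import List, Optional, Tuple

WINDOW_SECONDS = 5 * 60          # the documented 5-minute period
MB = 1024 * 1024
MODES = ("off", "on", "rate_limit", "size_limit")


@dataclass
class InvalidMsgDumper:
    mode: str
    rate_limit: int = 0          # rate_limit <num-msgs>: invalid messages per period (0 or more)
    size_limit_mb: int = 0       # size_limit <file-size-mb>: 1-4000 MB
    bytes_written: int = 0
    window_start: Optional[float] = None
    window_count: int = 0

    def __post_init__(self) -> None:
        # Reject settings outside the documented ranges before any traffic is seen
        if self.mode not in MODES:
            raise ValueError(f"mode must be one of {MODES}, got {self.mode!r}")
        if self.mode == "rate_limit" and self.rate_limit < 0:
            raise ValueError("num-msgs must be 0 or greater")
        if self.mode == "size_limit" and not 1 <= self.size_limit_mb <= 4000:
            raise ValueError("file-size-mb must be between 1 and 4000")

    def should_write(self, now: float, size: int, valid: bool) -> bool:
        """Decide whether one message (seen at `now`, `size` bytes) goes to the dump file."""
        if self.mode == "off":
            return False
        if self.mode == "on":
            # 'on' writes every message, valid or not
            self.bytes_written += size
            return True
        if valid:
            # the limited modes dump invalid messages only
            return False
        if self.mode == "rate_limit":
            if self.window_start is None or now - self.window_start >= WINDOW_SECONDS:
                self.window_start, self.window_count = now, 0   # a new 5-minute period
            if self.window_count >= self.rate_limit:
                return False
            self.window_count += 1
            return True
        # size_limit: refuse once the next message would push the file past the cap
        if self.bytes_written + size > self.size_limit_mb * MB:
            return False
        self.bytes_written += size
        return True


def replay(dumper: InvalidMsgDumper, messages: List[Tuple[float, int, bool]]) -> int:
    """Feed (time, size, valid) tuples through the dumper; return how many were written."""
    return sum(dumper.should_write(t, size, valid) for t, size, valid in messages)


# Constructed traffic: a burst of invalid messages, one valid message, then one more
# invalid message after the 5-minute window has rolled over
BURST = [(0.0, 200, False), (1.0, 200, False), (2.0, 200, False),
         (3.0, 200, True), (301.0, 200, False)]

if __name__ == "__main__":
    for d in (InvalidMsgDumper("off"), InvalidMsgDumper("on"),
              InvalidMsgDumper("rate_limit", rate_limit=2),
              InvalidMsgDumper("size_limit", size_limit_mb=1)):
        print(d.mode, replay(d, list(BURST)))
```

The point of both limited modes is the same: a flood of malformed TAP messages must not be able to fill the collector's disk with dump output, so either the count per period or the file size is bounded before a single message is written.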

support store snif_hostname_cache

Use this command to manage either IPv4 or IPv6 IP addresses cached for the sniffer hostname.

Syntax
support store snif_hostname_cache [ remove | set ]
Where:
  • remove <IP> - Removes an IP address from the hostname entry.
  • set <IP> - Sets the IP address for a hostname entry. This command overwrites any existing entries.

Show command

support show snif_hostname_cache [ all | search ]
Where:
  1. all - Show all cached hostname entries.
  2. search - Enter a set of characters to search on (such as all or part of an IP address or hostname).

support store snif_memory_max

Syntax
support store snif_memory_max <num>, where num is one of 33, 50, or 75.

This command applies to 64-bit systems only.

Show command

support show snif_memory_max

support store snif_os_name_cache

Use this command to manage either IPv4 or IPv6 IP addresses cached for sniffer operating system name.

Syntax
support store snif_os_name_cache [ remove | set | upload ]
Where:
  • remove <IP> - Removes an IP address from the operating system name entry.
  • set <IP> - Sets the IP address for an operating system name entry. This command overwrites any existing entries.
  • upload <file> - Uploads one or more operating system name entries. The file name must be os.arc.upload. The first line is the number of operating system name entries in the file; each subsequent line contains an IP address and an OS name, separated by a space. For example:
    2
    192.168.1.100 test1.domain.com
    192.168.1.101 test2.domain.com

Show command

support show snif_os_name_cache  [ all | search ]
Where:
  1. all - Show all cached operating system name entries.
  2. search - Enter a set of characters to search on (such as all or part of an IP address or operating system name).

support store snif_service_name_cache

Use this command to manage either IPv4 or IPv6 IP addresses cached for sniffer service names.

Syntax
support store snif_service_name_cache  [ remove | set | upload ]
Where:
  • remove <IP> - Removes an IP address from the service name entry.
  • set <IP> - Sets the IP address for a service name entry. This command overwrites any existing entries.
  • upload <file> - Uploads one or more service name entries. The file name must be sn.arc.upload. The first line is the number of service name entries in the file; each subsequent line contains an IP address and a service name, separated by a space. For example:
    2
    192.168.1.100 mssqlInstance
    192.168.1.101 mssqlInstance

Show command

support show snif_service_name_cache  [ all | search ]
Where:
  1. all - Show all cached service name entries.
  2. search - Enter a set of characters to search on (such as all or part of an IP address or service name).
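The upload files for snif_os_name_cache and snif_service_name_cache share one layout: a count line followed by one "<IP> <name>" pair per line. The following script, an added example that is not part of the Guardium documentation or product, builds such a file from a list of entries and validates an existing one before it is transferred to the appliance. It checks that the count line matches the number of entries and that every address is a well-formed IPv4 or IPv6 literal (both are accepted by the cache commands); the sample entries, including the IPv6 one, are constructed for illustration.

```python
"""Build and validate sniffer cache upload files (os.arc.upload, sn.arc.upload).

Added example, not Guardium code. Implements only the format the CLI
reference states: first line is the entry count, every following line
is "<IP> <name>" separated by a single space.
"""
import ipaddress
from typing import List, Tuple

Entry = Tuple[str, str]


def build_upload_file(entries: List[Entry]) -> str:
    """Return the file body for a list of (ip, name) pairs.

    ipaddress.ip_address accepts IPv4 and IPv6 literals and raises
    ValueError on anything else, so bad addresses are caught locally.
    """
    lines = [str(len(entries))]
    for ip, name in entries:
        ipaddress.ip_address(ip)
        if not name or any(ch.isspace() for ch in name):
            raise ValueError(f"invalid name {name!r}: must be non-empty and contain no whitespace")
        lines.append(f"{ip} {name}")
    return "\n".join(lines) + "\n"


def parse_upload_file(text: str) -> List[Entry]:
    """Parse a file body and return its (ip, name) pairs.

    Raises ValueError when the count line disagrees with the number of
    entry lines, when a line does not have exactly two space-separated
    fields, or when the first field is not an IPv4/IPv6 address.
    """
    raw_lines = [ln for ln in text.splitlines() if ln.strip()]
    if not raw_lines:
        raise ValueError("empty file")
    try:
        declared = int(raw_lines[0].strip())
    except ValueError:
        raise ValueError(f"first line must be the entry count, got {raw_lines[0]!r}")
    body = raw_lines[1:]
    if declared != len(body):
        raise ValueError(f"count line says {declared} entries, file has {len(body)}")
    entries: List[Entry] = []
    for lineno, line in enumerate(body, start=2):
        fields = line.split(" ")
        if len(fields) != 2:
            raise ValueError(f"line {lineno}: expected '<IP> <name>', got {line!r}")
        ip, name = fields
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            raise ValueError(f"line {lineno}: {ip!r} is not an IPv4/IPv6 address")
        entries.append((ip, name))
    return entries


def is_valid_upload_file(text: str) -> bool:
    """Convenience wrapper: True when parse_upload_file accepts the body."""
    try:
        parse_upload_file(text)
        return True
    except ValueError:
        return False


# Constructed sample: the page's sn.arc.upload example plus one IPv6 entry.
SAMPLE_ENTRIES: List[Entry] = [
    ("192.168.1.100", "mssqlInstance"),
    ("192.168.1.101", "mssqlInstance"),
    ("2001:db8::10", "oracleInstance"),
]

if __name__ == "__main__":
    body = build_upload_file(SAMPLE_ENTRIES)
    print(body, end="")
    print("round-trip ok:", parse_upload_file(body) == SAMPLE_ENTRIES)
```

Write the output of build_upload_file to a file named exactly os.arc.upload or sn.arc.upload, as the command requires, and run is_valid_upload_file over any hand-edited file before uploading it; a count line that does not match the entry lines is the most common authoring mistake this catches.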

support store slon

Turns on the SLON utility, which captures packets received by the sniffer for debugging. The result files slon_packets.tar.gz, slon_messages.tar.gz, or slon_all.tar.gz can be retrieved using the fileserver CLI command. The /var partition must have at least 15 GB of free space.

Syntax
support store slon [ on [parameter] | off [parameter] ]
Where:
  • on - Turns the SLON utility on. You can specify the following optional parameters:
    • packets - Dump analyzer packets (default)
    • snifsql - Log sniffer SQL activities and dump analyzer packets
    • secparams - Log secure parameters information and dump analyzer packets
    • sgate - Log S-GATE debugging info and dump analyzer packets
    • messages - TAP message data dump
  • off - Turn the SLON utility off. You can specify one of the following parameters:
    • packets - Stop dumping packets, logging secure parameters, S-GATE debug info and sniffer SQL activities (default)
    • messages - Stop TAP message data dump
    • all - Stop all activities
Show command

support show slon

support store tcpdump

Turns on the TCPDUMP utility. After the period ends, the result file tcpdump.tar.gz can be retrieved with the fileserver CLI command. The /var partition must have at least 15 GB of free space.

Syntax
support store tcpdump [ on <type> <period> <loglimit> [interface] [IP] [port] [protocol] | off]

Where:

  • on - Turns TCPDUMP utility on. Specify the following parameters:
    • type - Dump type:
      • 'headers' - Capture headers only
      • 'raw' - Capture whole packets
    • period - Dump period, NUMBER[SUFFIX], where optional SUFFIX can be 's' for seconds, 'm' for minutes (default)
    • loglimit - Dump logfile limit, from 1 to 6 gigabytes
    • Optional filter arguments:
      • interface - Network interface name (default the primary interface)
      • IP - IP address
      • port - Port
      • protocol - Protocol, which can be one of: 'tcp', 'udp', 'ip', 'ip6', 'arp', 'rarp', 'icmp' or 'icmp6'
  • off - Turns the TCPDUMP utility off. After stopping, the results file tcpdump.tar.gz can be found using the fileserver CLI command.

Example

support store tcpdump on headers 10m 1

This command runs TCPDUMP for 10 minutes, saving packet headers only, with a 1 GB log file size limit.
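When the capture is started from a script rather than typed by hand, it helps to check the arguments locally before the command reaches the appliance. The following helper is an added example, not Guardium code; it encodes only the constraints stated in the syntax above (type is headers or raw, period is NUMBER[SUFFIX] with s or m, loglimit is 1 to 6 GB, protocol is one of the listed names) and assembles the command string. Because the filter arguments are positional, the helper assumes (its own assumption, not stated on the page) that a later filter can only be supplied when every earlier one is present.

```python
"""Validate and assemble a `support store tcpdump on ...` command line.

Added example, not Guardium code. The checks mirror the documented
syntax: on <type> <period> <loglimit> [interface] [IP] [port] [protocol].
"""
import ipaddress
import re
from typing import Optional

PROTOCOLS = {"tcp", "udp", "ip", "ip6", "arp", "rarp", "icmp", "icmp6"}
PERIOD_RE = re.compile(r"^(\d+)([sm]?)$")


def period_seconds(period: str) -> int:
    """Convert NUMBER[SUFFIX] to seconds; no suffix means minutes (the default)."""
    m = PERIOD_RE.match(period)
    if not m or int(m.group(1)) == 0:
        raise ValueError(f"bad period {period!r}: expected NUMBER[s|m]")
    value, suffix = int(m.group(1)), m.group(2) or "m"
    return value if suffix == "s" else value * 60


def tcpdump_on_command(dump_type: str, period: str, loglimit_gb: int,
                       interface: Optional[str] = None, ip: Optional[str] = None,
                       port: Optional[int] = None, protocol: Optional[str] = None) -> str:
    """Return the validated command string, or raise ValueError."""
    if dump_type not in ("headers", "raw"):
        raise ValueError("type must be 'headers' or 'raw'")
    period_seconds(period)  # validates the NUMBER[SUFFIX] form
    if not 1 <= int(loglimit_gb) <= 6:
        raise ValueError("loglimit must be between 1 and 6 (GB)")
    if ip is not None:
        ipaddress.ip_address(ip)  # IPv4 or IPv6 literal
    if port is not None and not 1 <= int(port) <= 65535:
        raise ValueError("port must be between 1 and 65535")
    if protocol is not None and protocol not in PROTOCOLS:
        raise ValueError(f"protocol must be one of {sorted(PROTOCOLS)}")

    # Assumption of this helper: filters are positional, so every filter
    # before the last one given must also be present.
    filters = [interface, ip, port, protocol]
    given = [f is not None for f in filters]
    if True in given:
        last = max(i for i, g in enumerate(given) if g)
        if not all(given[:last + 1]):
            raise ValueError("positional filters must be given in order without gaps")

    parts = ["support", "store", "tcpdump", "on", dump_type, period, str(int(loglimit_gb))]
    parts.extend(str(f) for f in filters if f is not None)
    return " ".join(parts)


def tcpdump_args_ok(*args, **kwargs) -> bool:
    """True when tcpdump_on_command accepts the arguments."""
    try:
        tcpdump_on_command(*args, **kwargs)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Reproduces the page's own example: headers for 10 minutes, 1 GB limit.
    print(tcpdump_on_command("headers", "10m", 1))
    # Constructed filtered capture on a hypothetical interface and address.
    print(tcpdump_on_command("raw", "90s", 2, "eth0", "192.0.2.10", 1521, "tcp"))
```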

Show command
support show tcpdump

support store zdiag

Toggles the Guardium for z/OS traffic diagnostics on or off. This includes collection of TCPDUMP and SLON output; collection stops when the corresponding files reach 2 GB in size. After completion, the result files tcpdump.tar.gz and slon_all.tar.gz can be retrieved using the fileserver CLI command. The /var partition must have at least 15 GB of free space.

Syntax
support store zdiag [ on [N] | off ]
Where:
  • on - Turns zdiag on. N (optional) is the number of minutes to run diagnostics, from 10 to 600; the default is 60.
  • off - Turns zdiag off.
Show command
support show zdiag