IBM Support

'DB User Name', 'OS User' and 'Source Program' fields are empty in my IBM Security Guardium reports when using SPAN port on MS SQL SERVERS

Question & Answer


Question

I am using a SPAN port and no STAP to record and pass data to my IBM Security Guardium appliances, but all my traffic is missing data in the 'DB User Name', 'OS User' and 'Source Program' fields. Why is that, and how do I solve this so that I can see that data?

Cause


MS SQL Servers by default use encrypted login authentication, meaning that the login packets for all traffic, which contain the DB User, OS User and Source Program information, are SSL-encrypted. As a result, Guardium cannot read that data from the network traffic.

To solve this issue, Guardium uses the STAP to inject a DLL into the SQL Server, which then sends the collector the login packets after they have been decrypted by the database engine itself.

However, if a SPAN port is used to mirror the network database traffic, the login packets sent by SPAN are still encrypted and unreadable by Guardium.

Answer

Therefore, the solution to this issue is to install an STAP on the MS SQL Server, which will then send Guardium the decrypted login packets. This allows Guardium to correlate the decrypted login packet with the traffic it belongs to, so that your Guardium reports show the 'DB User', 'OS User' and 'Source Program' data.
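To confirm from a SPAN capture that login encryption is the reason the fields are empty, you can read the ENCRYPTION option that client and server exchange in the clear-text TDS PRELOGIN messages before the login packet. The following is an added example, not IBM or Guardium code; the function names are hypothetical, it assumes you pass in the first client packet or first server reply of a connection, and the sample packet is constructed.

```python
import struct

# ENCRYPTION option values in a TDS PRELOGIN message (option token 0x01),
# mapped to what the TDS specification says is encrypted for each result.
ENCRYPTION = {
    0x00: ("ENCRYPT_OFF", "login packet only"),
    0x01: ("ENCRYPT_ON", "entire session"),
    0x02: ("ENCRYPT_NOT_SUP", "nothing"),
    0x03: ("ENCRYPT_REQ", "entire session"),
}
TDS_PRELOGIN, TDS_RESPONSE = 0x12, 0x04  # client PRELOGIN / server reply


def prelogin_encryption(packet: bytes):
    """Return (name, what_is_encrypted) for one PRELOGIN packet or its reply."""
    if len(packet) < 8:
        raise ValueError("shorter than the 8-byte TDS header")
    ptype, _status, length = struct.unpack(">BBH", packet[:4])
    if ptype not in (TDS_PRELOGIN, TDS_RESPONSE):
        raise ValueError(f"not a PRELOGIN exchange (type 0x{ptype:02x})")
    payload = packet[8:length]
    pos = 0
    while pos < len(payload) and payload[pos] != 0xFF:  # 0xFF ends the list
        if pos + 5 > len(payload):
            raise ValueError("truncated option list")
        token, offset, size = struct.unpack(">BHH", payload[pos:pos + 5])
        if token == 0x01:
            if size < 1 or offset + size > len(payload):
                raise ValueError("ENCRYPTION option points outside the packet")
            value = payload[offset]
            return ENCRYPTION.get(value, (f"UNKNOWN(0x{value:02x})", "unknown"))
        pos += 5
    raise ValueError("no ENCRYPTION option found")


def login_readable_on_span(server_reply: bytes) -> bool:
    """The server's reply carries the negotiated result; the login packet is
    sent in clear text only when that result is ENCRYPT_NOT_SUP."""
    return prelogin_encryption(server_reply)[0] == "ENCRYPT_NOT_SUP"


def sample_reply(enc_value: int) -> bytes:
    """Constructed sample reply (not captured traffic): VERSION + ENCRYPTION."""
    payload = (struct.pack(">BHH", 0x00, 11, 6) + struct.pack(">BHH", 0x01, 17, 1)
               + b"\xff" + bytes(6) + bytes([enc_value]))
    header = struct.pack(">BBHHBB", TDS_RESPONSE, 0x01, 8 + len(payload), 0, 1, 0)
    return header + payload
```

A reply of ENCRYPT_OFF is the default case described under Cause: the rest of the session is visible to the SPAN port, but the login packet that carries the user and program names is not.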

Product: IBM Security Guardium
Component: Guardium Database Activity Monitor
Platform: Windows
Version: 10.0; 10.0.1; 9.0; 9.1; 9.5

Document Information

Modified date:
12 December 2019

UID

swg21974097