IBM Support

Guardium S-TAP status is green in S-TAP control but red in Enterprise S-TAP view

Troubleshooting


Problem

S-TAPs are appearing red in a Central Manager Enterprise S-TAP View report. The timestamp on this report is up to date, indicating that the upload process is working. However, when viewing the S-TAP directly on the collector S-TAP control page the S-TAP is green.

Cause

The S-TAP status is broken down into two parts:

  2. S-TAP status - Is there an established connection between S-TAP and collector?
  3. Instance status - Is the database defined in the inspection engine active?

There may be cases where answer to 1. is yes and 2. is no. For example in a passive node on a cluster where the S-TAP is installed but not collecting any data.

Enterprise S-TAP View uses only 2. to determine if it should be green or red, whereas S-TAP control uses only 1. So it is possible for an S-TAP to be red in Enterprise S-TAP View but green in S-TAP control on the collector.

Resolving The Problem

The Enterprise S-TAP View is a system default report so it can not be edited. However, you can make a new report in the same domain to find the difference between 1. and 2. above.

1. Create a new query in the custom S-TAP Info domain:


    Tools -> Report Building -> Custom Query Builder -> S-TAP Info

2. Create a new query with S-TAP Info as the main entity.

3. Add all the fields (or select as you wish) but be sure to add Stap status and Instance status attributes.

4. Add this report to a pane in the GUI and view it. You can now find cases where S-TAP is active but instance is not.

Note - For new reports in S-TAP Info domain 'Query from' 'Query to' runtime parameters are based on the 'Timestamp' attribute - the last ping time of the S-TAP in question. This is different to the default Enterprise S-TAP view report where 'Query from' 'Query to' is based on the time the data was uploaded to the CM. If you compare a new S-TAP info report and the Enterprise S-TAP View report with the same runtime parameters, the results may be different. Setting 'Query from' to a long time in the past (e.g. a few weeks) in the new report should resolve this.

[{"Product":{"code":"SSMPHH","label":"IBM Security Guardium"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"Guardium Central Manager and Aggregator","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"},{"code":"PF035","label":"z\/OS"}],"Version":"8.2;9.0;9.1;9.5","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
16 June 2018

UID

swg21978098

Page Feedback