Troubleshooting
Problem
This scenario is based on the usage of the Windows S-TAP monitoring DB2 Database.
The concern arises after Guardium® Administrator receives Windows S-TAP inactive alert frequently and needs to go and manually restart the Windows S-TAP to resume the DAM activities.
Symptom
- Windows S-TAP stops suddenly and post restart works fine until the next stoppage
- Post executing the Windows S-TAP diagnostics, it was evident from the diag_out.txt file that the Windows S-TAP was not keeping up with the DB2 database traffic
Log Name: Application
Source: DB2 Tap
Date: 2020-10-27T07:36:24.000
Event ID: 12
Task: Transmitter
Level: Warning
Opcode: N/A
Keyword: Classic
User: N/A
User Name: N/A
Computer: <SERVER_HOST_NAME>
Description:
One or more log events have been dropped. STAP is not reading from the server fast enough.
Source: DB2 Tap
Date: 2020-10-27T07:36:24.000
Event ID: 12
Task: Transmitter
Level: Warning
Opcode: N/A
Keyword: Classic
User: N/A
User Name: N/A
Computer: <SERVER_HOST_NAME>
Description:
One or more log events have been dropped. STAP is not reading from the server fast enough.
Cause
"One or more log events have been dropped. STAP is not reading from the server fast enough."
This descriptive error message during the S-TAP stoppage indicates that the incoming DB2 database traffic in this scenario is overwhelming for the current S-TAP configuration to cope up with and hence needs configuration changes.
Environment
This scenario explanation is for Windows S-TAP V10.6 but in general this can happen for all versions of V10+ Windows S-TAPs.
Diagnosing The Problem
Windows S-TAP diagnostics need to be collected in order to refer and conclude-
> current Windows S-TAP (WINSTAP) configuration i.e. guard_tap.ini file
> event logs
> stap log
> diag_out.txt
This helps to find out the relevant traces during the time when the incident happened
Resolving The Problem
"One or more log events have been dropped. STAP is not reading from the server fast enough."
This trace message from the WINSTAP diagnostics helps to find out that the WINSTAP's current buffer size is unable to accommodate the incoming traffic packets from the database.
In such cases, the "BUFFER_FILE_SIZE" if is kept to a standard default value of 50 is recommended to be increased to a higher value of 200.
With this configuration change if the issue occurrence still happens at a lower frequency than earlier this value can be increased further and WINSTAP needs to be monitored for stability.
Windows S-TAPs V10.5 and onwards have an additional intelligent scalability feature to handle such scenarios.
DYNAMIC_BUFFER_INCREASE parameter was introduced in V10.5. The default value is 0.
When this feature is enabled with below parameter configuration in guard_tap.ini,
DYNAMIC_BUFFER_INCREASE=1
BUFFER_FILE_MAX_SIZE = 250
BUFFER_FILE_SIZE = 50
the Windows S-TAP can use up to 250 Mb of buffer file size
In high-performance environment recommended value is:
BUFFER_FILE_MAX_SIZE = 800
BUFFER_FILE_MAX_SIZE = 800
Document Location
Worldwide
[{"Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSMPHH","label":"IBM Security Guardium"},"ARM Category":[{"code":"a8m0z000000Gp0IAAS","label":"STAP"}],"ARM Case Number":"TS004382744","Platform":[{"code":"PF033","label":"Windows"}],"Version":"All Version(s)"}]
Product Synonym
IBM Security Guardium®;
Was this topic helpful?
Document Information
Modified date:
11 November 2020
UID
ibm16365117