Troubleshooting
Problem
The IBM Guardium Database Monitor service fails to start, which causes "Correlation is not enabled in SQL Server" error messages.
Symptom
You notice certain errors in the Stap.ctl log and the Windows Event Viewer log (evtlog2008.txt).
In the Stap.ctl log:
Services: Unable to start the Guardium Database Monitor service: [<unknown error>]
Wfp: Correlation is not enabled in SQL Server
In the Windows Event Viewer log (evtlog2008.txt):
Description:
The IBM Security Guardium Database Monitor service failed to start due to the following error:
A privilege that the service requires to function properly does not exist in the service account configuration. You may use the Services Microsoft Management Console (MMC) snap-in (services.msc) and the Local Security Settings MMC snap-in (secpol.msc) to view the service configuration and the account configuration.
Cause
The Guardium Database Monitor service account is missing a privilege that the service requires.
Newer versions of Windows S-TAP no longer run as Local System (which means full privilege); they run as Local Service with only the Debug Program privilege.
The change was made to minimize authentication requirements for Windows STAPs, and it was introduced in v10.6.0.191, v11.0.1.24 and v11.1.
Environment
All supported Windows servers for Guardium STAP v10.6.0.191, v11.0.1.24, v11.1 and higher.
Diagnosing The Problem
The Guardium Services group is supposed to have the "Debug Program privilege", but in some environments the customer's own hardening procedures remove the Debug Program privilege from the Guardium Services group.
You can check it by doing this:
- Run secpol.msc to launch Local Security Policy
- Navigate to Security Settings > Local Policies > User Rights Assignment > Debug programs
- In an affected environment, Guardium Service is not defined under Debug programs.
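The same check can be made from an elevated PowerShell prompt. This is an added example, not part of the IBM technote or IBM code; it only reads the policy and changes nothing. The principal name in `$ExpectedPrincipal` is an assumption taken from the wording above and may need adjusting to how the account or group appears on your server.

```powershell
# Added example (not IBM code): read-only check of the "Debug programs" right.
# Run from an elevated PowerShell prompt; secedit needs administrator rights.

# Assumption: the name to look for, taken from the wording of this technote.
$ExpectedPrincipal = 'Guardium Services'

# Export only the user rights assignments of the local security policy.
$cfg = Join-Path $env:TEMP 'user_rights_export.inf'
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Select-String -Path $cfg -Pattern '^SeDebugPrivilege\s*=' | Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue

# SeDebugPrivilege is the constant behind "Debug programs". Entries that start
# with * are SIDs; translate them to account names where possible.
$holders = @()
if ($line) {
    $holders = @(($line.Line -split '=', 2)[1].Split(',') | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.TrimStart('*'))
            try { $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $sid.Value }
        } else { $entry }
    })
}

'Debug programs (SeDebugPrivilege) is assigned to:'
if ($holders.Count -eq 0) { '  (no one)' } else { $holders | ForEach-Object { "  $_" } }

if ($holders -match [regex]::Escape($ExpectedPrincipal)) {
    "OK: '$ExpectedPrincipal' holds Debug programs."
} else {
    "MISSING: '$ExpectedPrincipal' is not listed under Debug programs."
}

# Show the logon account of the service named in the Event Viewer message.
Get-CimInstance Win32_Service -Filter "DisplayName LIKE '%Guardium Database Monitor%'" |
    Select-Object Name, DisplayName, StartName, State | Format-List
```

The `StartName` value in the last output shows whether the service is configured to run as Local Service or Local System.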
Resolving The Problem
To permanently resolve the issue:
1) Modify the hardening procedures to allow the Debug privilege for Local Service.
Or
2) Install Windows S-TAP under Local System, as was done before the new feature was introduced.
Refer to the IBM Knowledge Center article on Windows: S-TAP authentication guidelines.
NOTE
The following can be used when installing or upgrading from the GUI GIM.
Set the following parameters:
WINSTAP_ENABLED = 2
WINSTAP_CMDLINE = -SERVICEUSER "LocalSystem"
INTERNAL INFORMATION
Guardium Technical Support engineers can also refer to the following internal technote for further information:
Guardium Database Monitor service failed to start due to missing privilege
(see also the internal notes for this technote)
Document Location
Worldwide
Product Synonym
IBM Guardium
Document Information
Modified date:
23 September 2020
UID
ibm16097996