IBM Support

IBM Security Guardium: Logging for Policy Actions Alert Only and Alert Per Match

Question & Answer

Question

What is the difference between the action "Alert per Match" vs. "Alert Only"?

Answer

The policy rule action "Alert Only" does not log anything to the appliance database. As the name implies, it only sends an alert. No constructs are saved to the collector, so matches on such a rule will not appear in any report. It is intended for cases where the alerts are forwarded to a SIEM product (such as QRadar) for reporting, as a "send and forget" scenario. For performance reasons, this type of alert is processed directly by the appliance inspection core, a.k.a. the sniffer (GuardiumSniffer); the Alerter process is not involved.

All other alerting policy rule actions, such as "Alert per Match" or "Alert per Session", use the Alerter process to send their alerts. For these actions the constructs are logged to the appliance and are available for reporting. The alerts themselves are sent by the Alerter process (guard_sender), not by the sniffer.


Document Information

Modified date:
16 June 2018

UID

swg22000892