How to control Guardium nanny's monitoring of rsyslog receivers

Troubleshooting

Problem

Guardium uses a nanny process to monitor various Guardium components. One of its checks verifies that a remote syslog receiver is listening on the port configured in Guardium for remote syslog shipping; the nanny process uses nmap to confirm that the port is open on the receiver. Some enterprises block port scanning, which prevents nmap from functioning correctly, and nanny then writes a message to syslog stating that the remote receiver is not receiving messages. For example:
Aug 31 05:10:45 g106cm1 nanny:[4335]: One of more remote syslog servers are not accepting logs: 192.168.1.100
If the syslog receiver is in fact functioning correctly, this message is a false negative: Guardium cannot confirm that the port is open because its nmap check is blocked, not because the receiver is down.

Resolving The Problem

Guardium version 10 patch 630 introduces two configurable parameters to control how it monitors remote syslog receivers.

NANNY_ALERT_RSYSLOG

Purpose:  Whether Guardium monitors syslog receivers

Valid values:

0:         Do not monitor syslog receivers

1:         Monitor syslog receivers

If port scanning is blocked, set this parameter to 0 to avoid false negatives.

NANNY_ALERT_RSYSLOG_FREQ

Purpose:  How frequently, in hours, Guardium checks syslog receivers.

Valid values:

0:         Default: check every 300 seconds

>0:       Check once every N hours, where N is the configured value

If the default value results in too many messages being sent, adjust this parameter as necessary.

These parameters are viewed and modified with the grdapi commands get_guard_param and modify_guard_param.

Viewing the configured values:

grdapi get_guard_param paramName=NANNY_ALERT_RSYSLOG

grdapi get_guard_param paramName=NANNY_ALERT_RSYSLOG_FREQ

Example:

g106cm1.example.com> grdapi get_guard_param paramName=NANNY_ALERT_RSYSLOG

ID=0

NANNY_ALERT_RSYSLOG value: 1

ok

Modifying the parameters:

g106cm1.example.com> grdapi modify_guard_param paramName=NANNY_ALERT_RSYSLOG paramValue=0

ID=0

ok

g106cm1.example.com> grdapi get_guard_param paramName=NANNY_ALERT_RSYSLOG

ID=0

NANNY_ALERT_RSYSLOG value: 0

ok

Changes to NANNY_ALERT_RSYSLOG and NANNY_ALERT_RSYSLOG_FREQ are logged to syslog.  For example:

Aug 30 15:48:24 g11cm1 nanny:[14960]: NANNY_ALERT_RSYSLOG set to 0.  Nanny will not monitor rsyslog servers
Aug 30 17:28:33 g11cm1 nanny:[16757]: NANNY_ALERT_RSYSLOG set to 1
Aug 30 17:32:07 g11cm1 nanny:[18457]: NANNY_ALERT_RSYSLOG_FREQ set to 1 hour(s)
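The following script is an added example, not code from IBM or the Guardium product. It parses nanny lines of the two forms quoted above (the "not accepting logs" alert and the parameter-change notice) from a syslog file, then reports per-receiver alert counts and the shortest interval between alerts, so an administrator can see whether the 300-second default of NANNY_ALERT_RSYSLOG_FREQ is generating repeated alerts for the same receiver and confirm that a parameter change took effect. The sample log is constructed; it assumes that several receivers in one alert are space-separated and that the log year is 2019, since syslog timestamps carry no year.

```python
import re
from datetime import datetime

# Constructed sample log, modelled on the nanny messages quoted in this document.
SAMPLE_LOG = """\
Aug 31 05:10:45 g106cm1 nanny:[4335]: One of more remote syslog servers are not accepting logs: 192.168.1.100
Aug 31 05:15:45 g106cm1 nanny:[4410]: One of more remote syslog servers are not accepting logs: 192.168.1.100
Aug 31 05:20:45 g106cm1 nanny:[4498]: One of more remote syslog servers are not accepting logs: 192.168.1.100 192.168.1.101
Aug 31 05:25:45 g106cm1 nanny:[4571]: One of more remote syslog servers are not accepting logs: 192.168.1.100
Aug 31 06:02:10 g106cm1 nanny:[4700]: NANNY_ALERT_RSYSLOG_FREQ set to 1 hour(s)
Aug 31 07:02:11 g106cm1 nanny:[5102]: One of more remote syslog servers are not accepting logs: 192.168.1.100
Aug 31 08:30:00 g106cm1 nanny:[5300]: NANNY_ALERT_RSYSLOG set to 0.  Nanny will not monitor rsyslog servers
"""

ASSUMED_YEAR = 2019  # assumption: syslog timestamps have no year; needed for interval math

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"nanny:\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
ALERT_RE = re.compile(r"remote syslog servers are not accepting logs: (?P<receivers>.+)$")
CONFIG_RE = re.compile(r"^(?P<param>NANNY_ALERT_RSYSLOG(?:_FREQ)?) set to (?P<value>\d+)")


def parse_nanny_log(text):
    """Return a list of event dicts for every nanny line in the log text."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a nanny line; skip it
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)
        event = {"ts": ts, "host": m["host"], "pid": int(m["pid"]), "kind": "other"}
        msg = m["msg"]
        alert = ALERT_RE.search(msg)
        change = CONFIG_RE.match(msg)
        if alert:
            event["kind"] = "alert"
            # Assumption: several receivers are listed space-separated (the page shows one).
            event["receivers"] = alert["receivers"].replace(",", " ").split()
        elif change:
            event["kind"] = "config"
            event["param"] = change["param"]
            event["value"] = int(change["value"])
        events.append(event)
    return events


def summarize_alerts(events):
    """Per receiver: alert count, first/last alert time, shortest gap between alerts."""
    stamps_by_receiver = {}
    for e in events:
        if e["kind"] != "alert":
            continue
        for receiver in e["receivers"]:
            stamps_by_receiver.setdefault(receiver, []).append(e["ts"])
    summary = {}
    for receiver, stamps in stamps_by_receiver.items():
        stamps.sort()
        gaps = [int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])]
        summary[receiver] = {
            "count": len(stamps),
            "first": stamps[0],
            "last": stamps[-1],
            "min_interval_s": min(gaps) if gaps else None,
        }
    return summary


def config_changes(events):
    """Parameter changes in log order, as (parameter, value) pairs."""
    return [(e["param"], e["value"]) for e in events if e["kind"] == "config"]


if __name__ == "__main__":
    evts = parse_nanny_log(SAMPLE_LOG)
    for receiver, info in summarize_alerts(evts).items():
        print(f"{receiver}: {info['count']} alert(s), shortest gap {info['min_interval_s']} s")
    for param, value in config_changes(evts):
        print(f"{param} set to {value}")
```

A shortest gap of 300 seconds for a receiver matches the default check interval, which is the pattern the text describes when it says the default may produce too many messages; the config lines show the FREQ change to 1 hour and the later disabling of the check, matching the audit trail nanny writes to syslog.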

Document Information

Modified date:
02 October 2019

UID

ibm11072462