Troubleshooting
Problem
I setup an alert on Inactive S-TAPs in Guardium with an accumlation interval of 3 minutes. However, when STAP was shutdown for 5 minutes, the alert was not generated.
Cause
Correlation alerts in Guardium are generated by an Anomaly Detection Engine. This engine polls the alerts at set intervals. If this polling interval is larger than the accumulation period in the alert, those events will be missed.
Resolving The Problem
The polling interval of the Anomaly Detection Engine is configured in the GUI under Administration Console/Configuration/Anomaly Detection, as illustrated below. Ensure that:
- The Anomaly Detection Engine is active and that it is green.
- The alert in question is active. If active, the alert will be listed under 'Active Alerts'. If the alert is not listed, activate the alert, as illustrated
- The polling interval is set to a value smaller than the accumulation interval in the alert
Activating the alert:
[{"Product":{"code":"SSMPHH","label":"IBM Security Guardium"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"Not Applicable","Platform":[{"code":"PF016","label":"Linux"}],"Version":"9.0;8.2;8.1;8.0.1;8.0;9.1","Edition":"All Editions","Line of Business":{"code":"LOB24","label":"Security Software"}}]
Was this topic helpful?
Document Information
Modified date:
16 June 2018
UID
swg21577542