IBM Support

On my Guardium Aggregator, why is there a slight difference in data between my Audit Process Results and the equivalent GUI Report?

Troubleshooting


Problem

Running a Guardium report as part of an Audit Process and running it interactively on the GUI show different results. The timespan of the results in the Audit Process report does not cover the parameters specified in the Audit Process definition.

Symptom

You set a report to run on the Aggregator as part of an Audit Process with time parameters, for example "start of last day" and "end of last day". When you look at the results of that report, each day you run it, either:

a) The first timestamps are always at a uniform time after 00.00, e.g. 02.00

or

b) The last timestamps are always at a uniform time before 23.59, e.g. 21.59

When you run the report interactively on the GUI, the timestamps are shown as you expect.

Cause


The Collector(s) and Aggregator time zones may not be set the same.

When data is imported into an Aggregator from a Collector, it is separated into one set of tables per Collector per day. In this example we use days 1, 2 and 3.

If the time zones on the appliances are different, there will be data from day 1 or day 3 inside the tables for day 2 on the Aggregator.

When the Aggregator runs an Audit Report with time parameters for day 2 it will look only at the tables from day 2, which may contain data from days 1 or 3. However, when the report is run interactively on the GUI, it looks at all tables from days 1, 2 and 3 so all the correct data appears.
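
The following is an added illustration of the behaviour described above, not IBM code and not Guardium's actual schema. It assumes imported rows are grouped into per-day tables by the Collector's local date while report time parameters are applied in Aggregator-local time; the function name, offsets, dates and events are constructed.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

def report_spans(collector_offset_h, aggregator_offset_h, day="2024-01-02"):
    """Return (audit, interactive): first/last HH:MM seen for `day`, Aggregator time."""
    coll_tz = timezone(timedelta(hours=collector_offset_h))
    aggr_tz = timezone(timedelta(hours=aggregator_offset_h))

    # Constructed sample data: one event per minute across five days.
    start = datetime(2023, 12, 31, tzinfo=UTC)
    events = [start + timedelta(minutes=m) for m in range(5 * 24 * 60)]

    # Assumption: imported rows land in per-day tables keyed by the
    # Collector's local calendar date.
    tables = {}
    for ev in events:
        tables.setdefault(ev.astimezone(coll_tz).date().isoformat(), []).append(ev)

    def span(rows):
        # Apply the report's time parameters in Aggregator-local time.
        hits = sorted(r.astimezone(aggr_tz) for r in rows
                      if r.astimezone(aggr_tz).date().isoformat() == day)
        return hits[0].strftime("%H:%M"), hits[-1].strftime("%H:%M")

    audit = span(tables[day])  # Audit Process: only the tables for that day
    interactive = span(r for t in tables.values() for r in t)  # GUI: all tables
    return audit, interactive

if __name__ == "__main__":
    for coll, aggr in [(0, 0), (-2, 0), (2, 0)]:
        audit, gui = report_spans(coll, aggr)
        print(f"collector UTC{coll:+d}, aggregator UTC{aggr:+d}: audit={audit} gui={gui}")
```

With matching time zones both reports cover 00:00 to 23:59. A Collector two hours behind the Aggregator reproduces symptom (a), and one two hours ahead reproduces symptom (b), while the interactive report stays complete in both cases.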

Diagnosing The Problem

On an Aggregator, run the same report in both of the following ways:

    • as an Audit Process
    • interactively on the GUI

If the first and last timestamps on the data are not the same in both reports, you may have this problem.

Resolving The Problem

Ensure all appliances are set to the same timezone.

To check the timezone of an appliance as user cli:

    show system clock timezone

To change the timezone of an appliance as user cli:

    store system clock timezone list  (lists all the timezones available)
    store system clock timezone <timezone> (sets the timezone to your choice)

Note 1: To ensure the time is correct on the appliance, the following commands can be used as user cli:

    show system clock datetime
    store system clock datetime

Note 2: The datetime can be synchronised using an NTP server. The following commands can be used as user cli:

    show system ntp all
    store system ntp state
    store system ntp server

Product: IBM Security Guardium
Component: Guardium Central Manager and Aggregator
Platform: AIX, HP-UX, Linux, Solaris, Windows, z/OS
Version: 9.0; 8.2; 8.0.1; 8.0; 7.0
Edition: All Editions

Document Information

Modified date:
16 June 2018

UID

swg21625268