IBM Support

How to Collect Guardium ATAP logs For Teradata

Troubleshooting


Problem

When using Teradata ATAP to send packets to the Guardium Appliance sniffer, a Guardium report may show unexpected or inconsistent results. The problem could originate from KTAP or ATAP. To diagnose the issue, collect specific ATAP logs.

Symptom

The following scenarios may be observed:

  • Unable to capture failed logins from Teradata SQL Assistant client tool using TCP. (No issue with successful login.)
  • Inconsistent DB username for successful and unsuccessful logins.

Cause

ATAP is not sending the decrypted packets to the Guardium sniffer. You need to determine whether there are internal ATAP errors or whether ATAP is capturing these packets but not sending them through KTAP.

Diagnosing The Problem


At this point, ATAP should already be activated. (See Setup Teradata ATAP within this page to verify that the steps have already been performed.)

Note: Run the problem scenarios while the diagnostic collections are running. It is important to capture logs during the problem scenario, not outside of it.


Steps to gather all ATAP logs:


    1) Stop Teradata database.

    2) Edit the ATAP executor:
      /usr/local/guardium/modules/UTILS/current/files/bin/guard-tag edit executor/env [TERADATA DB INSTALL DIRECTORY]/bin/pdemain

    3) Uncomment the following lines:
      #ATAP_LOG_LEVEL=10
      #ATAP_LOG_PATH=/var/log/guard/atap/pid%05d-thr%08d.log

    4) Write and quit the file (:wq!).

    5) Start the database.
      NOTE: If your Teradata DB cannot start up, you need to manually remove ATAP.
          Perform the steps below only if you are unable to start Teradata:

            5.1 cd [TERADATA INSTALL DIR]/bin/
            5.2 mv pdemain-guard-original pdemain
            5.3 rm -f /usr/local/guardium/etc/guard/executor/teradata
            5.4 Attempt to start the DB again. No ATAP is in place now.

    6) Log in to the collector and start a slon capture.

    7) In another root session for the DB Server, enable STAP debug with:
      echo -n 'd4' > /usr/local/guardium/modules/STAP/current/.stap.console

    8) Attempt to log in and reproduce the scenarios as you did before. Run the following command to get the Client IP/Port for each of the client sessions.
      netstat -natp | grep gtwgateway
      For example:
        tcp        0      0 :::1025                 :::*                    LISTEN 31292/gtwgateway
        tcp        0      0 9.70.157.181:1025       9.32.113.185:65265      ESTABLISHED 31292/gtwgateway

        If no connections are established then it is not a concern. This step only makes it easier to reference the connection in the ATAP log.

    9) Check ATAP log files in /var/log/guard/atap. Send any files to IBM Support for analysis.

    10) Stop stap debug with:
      echo -n 'd0' > /usr/local/guardium/modules/STAP/current/.stap.console

    11) Stop the slon capture on the collector.

    12) Stop the database.

    13) Edit the executor once again:
      /usr/local/guardium/modules/UTILS/current/files/bin/guard-tag edit executor/env [TERADATA DB INSTALL DIRECTORY]/bin/pdemain
      Comment out the two lines for ATAP logging.

    14) Start the database back up.

    15) Send IBM Support these files:
      • all of /var/log/guard/atap/ and /tmp/guard_stap.stderr.txt from the DB Server.
      • the slon capture file from the collector.
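
For step 8, the client IP and port of each established gtwgateway session can be pulled out of the netstat output with a small filter, so the endpoints can be saved alongside the logs. This is an added example, not IBM or Guardium code; the function names gtw_clients, snapshot_clients and sample_netstat are hypothetical, and the IPv6-mapped and sshd sample lines are constructed.

```shell
#!/bin/sh
# Added example (not IBM code): extract client endpoints of established
# gtwgateway sessions from `netstat -natp` output (step 8).

# Reads netstat -natp output on stdin and prints "client_ip client_port"
# for each ESTABLISHED gtwgateway connection. The foreign address is split
# at the LAST colon so IPv6-style addresses are handled as well.
gtw_clients() {
    awk '
        $1 ~ /^tcp/ && $6 == "ESTABLISHED" && $7 ~ "/gtwgateway$" {
            addr = $5
            n = match(addr, /:[0-9]+$/)   # start of ":port" at end of field
            if (n == 0) next              # no numeric port (e.g. ":::*")
            print substr(addr, 1, n - 1), substr(addr, n + 1)
        }'
}

# Prefixes each endpoint with a UTC timestamp so the session can be lined up
# with the capture window when the files are reviewed.
snapshot_clients() {
    ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    gtw_clients | while read -r ip port; do
        printf '%s client=%s port=%s\n' "$ts" "$ip" "$port"
    done
}

# Sample input: the two lines shown in step 8, plus two constructed lines
# (an IPv6-mapped session and an sshd session that must be ignored).
sample_netstat() {
    cat <<'EOF'
tcp        0      0 :::1025                 :::*                    LISTEN 31292/gtwgateway
tcp        0      0 9.70.157.181:1025       9.32.113.185:65265      ESTABLISHED 31292/gtwgateway
tcp        0      0 ::ffff:9.70.157.181:1025 ::ffff:9.32.113.185:65301 ESTABLISHED 31292/gtwgateway
tcp        0      0 9.70.157.181:22         9.32.113.185:50000      ESTABLISHED 1200/sshd
EOF
}

# Live use on the DB server (as root, while reproducing the problem):
#   netstat -natp | snapshot_clients
if [ "${1:-}" = "--demo" ]; then
    sample_netstat | snapshot_clients
fi
```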


Document Information

Modified date:
16 June 2018

UID

swg21971324