Question & Answer
Question
How can I alert when there are increasing flat log requests on my collector?
Cause
Flat log requests in the Buffer Usage Monitor report indicate that the sniffer is dropping packets. The most likely cause is an analyzer queue overflow brought on by high traffic. On a healthy collector the flat log requests count should not be increasing.
For troubleshooting steps, see Identifying and resolving common sniffer problems with the Buffer Usage report.
In enterprise environments, the analyzer queue parameter in the Units Utilization or Deployment Health view can be used to track this problem. A high analyzer queue is very likely to cause flat log requests.
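The following is an added example, not part of this technote and not the logic of the pre-made .sql alert definition described below. It shows, as stand-alone Python, the condition the Cause section describes: a flat log requests counter that keeps rising across consecutive Buffer Usage Monitor samples, with the analyzer queue carried along so the alert shows the likely cause. The sample rows are constructed, and the column names, the two-interval threshold and the alert message format are assumptions, not Guardium's own.

```python
"""Flag a rising 'flat log requests' counter across Buffer Usage Monitor samples.

Added illustration; the rows below are constructed and the field names are
assumed, not the report's actual column names.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class BufferUsageSample:
    timestamp: str          # sample time as shown in the Buffer Usage Monitor report
    flat_log_requests: int  # cumulative counter; should stay flat on a healthy collector
    analyzer_queue: int     # analyzer queue length at the same instant


# Constructed sample data (not real collector output): three flat samples,
# then three consecutive increases while the analyzer queue climbs.
SAMPLES: List[BufferUsageSample] = [
    BufferUsageSample("2018-06-16 10:00", 120, 0),
    BufferUsageSample("2018-06-16 10:05", 120, 1),
    BufferUsageSample("2018-06-16 10:10", 120, 0),
    BufferUsageSample("2018-06-16 10:15", 135, 95),
    BufferUsageSample("2018-06-16 10:20", 160, 140),
    BufferUsageSample("2018-06-16 10:25", 210, 180),
]


def _close_run(runs: List[dict], samples: List[BufferUsageSample],
               start: int, end: int, min_consecutive: int) -> None:
    """Record the run samples[start..end] if it spans enough rising intervals.

    'start' is the last sample before the first increase (the baseline), so the
    number of rising intervals is end - start.
    """
    intervals = end - start
    if intervals >= min_consecutive:
        window = samples[start:end + 1]
        runs.append({
            "from": samples[start].timestamp,
            "to": samples[end].timestamp,
            "intervals": intervals,
            "increase": samples[end].flat_log_requests - samples[start].flat_log_requests,
            "max_analyzer_queue": max(s.analyzer_queue for s in window),
        })


def find_increase_runs(samples: List[BufferUsageSample],
                       min_consecutive: int = 2) -> List[dict]:
    """Return one record per run of at least min_consecutive consecutive increases.

    A sample that is equal to or below the previous one (including a counter
    reset after a sniffer restart) ends the current run.
    """
    runs: List[dict] = []
    run_start: Optional[int] = None
    for i in range(1, len(samples)):
        prev, cur = samples[i - 1], samples[i]
        if cur.flat_log_requests > prev.flat_log_requests:
            if run_start is None:
                run_start = i - 1
        elif run_start is not None:
            _close_run(runs, samples, run_start, i - 1, min_consecutive)
            run_start = None
    if run_start is not None:
        _close_run(runs, samples, run_start, len(samples) - 1, min_consecutive)
    return runs


def format_alert(run: dict) -> str:
    """Render a run as a single-line message suitable for a syslog receiver.

    The message layout is an assumption for this example, not Guardium's format.
    """
    return (
        "FLAT_LOG_REQUESTS_RISING "
        f"from={run['from']!r} to={run['to']!r} intervals={run['intervals']} "
        f"increase={run['increase']} max_analyzer_queue={run['max_analyzer_queue']}"
    )


if __name__ == "__main__":
    for run in find_increase_runs(SAMPLES):
        print(format_alert(run))
```

The two-interval minimum ignores a one-off increase between two samples, which can be a brief traffic burst rather than a sustained drop; a counter reset breaks the run, so a sniffer restart does not produce a false alert. The maximum analyzer queue seen during the run is included in the message because, as the Cause section notes, a high analyzer queue is the most likely reason for the increase.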
Answer
The Alerter must be running in order to receive an alert.
v9: Administration Console -> Configuration -> Alerter. v10: Setup -> Tools and Views -> Alerter.
For the alert to work, the buffer usage process on the appliance must be active. Use this link to confirm that it is: Guardium S-TAP is collecting data but request rate and buffer usage reports are empty.
Pre-made alert definition
This alert can be imported into v9 (p300 and above) and v10 appliances. A compatibility warning is shown when importing into v10, but the import succeeds.
1. Import the .sql file from the GUI: v9 Administration Console -> Guardium Definitions -> Import; v10 Manage -> Data Management -> Definitions Import. If a Central Manager exists in the environment, the import must be done on the Central Manager.
2. If the alert is imported on the Central Manager, it can be set to run on all or selected managed units from the alert definition: v9 Tools -> Alert Builder; v10 Protect -> Database Intrusion Detection -> Alert Builder.
3. The alert is currently set to send to syslog only; add any other receivers that are required.
4. Confirm the alert is active: v9 Administration Console -> Anomaly Detection; v10 Setup -> Tools and Views -> Anomaly Detection.
Document Information
Modified date:
16 June 2018
UID
swg21994542