Troubleshooting
Problem
In the Guardium policy there is a rule configured with the "alert only" action. You have configured this alert with syslog as a receiver, but you do not see the alerts appearing in the remote SIEM.
Cause
One possible cause is the facility.priority of the Guardium remotelog configuration.
Diagnosing The Problem
Check the remotelog configuration in the CLI:
show remotelog
Resolving The Problem
Please review the steps for shipping Guardium syslog to a remote server.
- To get the alerts for ALERT ONLY you must use USER.ALL in the remotelog config.
- If you use only DAEMON.ALL the alerts will not be sent.
If you have set up the configuration as described in the link above and are using facility.priority user.all or all.all, please contact Guardium support to assist further.
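To check which facility a message actually carries, decode the <PRI> prefix of a raw syslog line captured at the SIEM side and compare it with the remotelog selector. The script below is an added example, not IBM or Guardium code. It assumes standard syslog PRI encoding, treats "all" as the wildcard used in the steps above, and assumes classic syslog matching for a named priority; the sample lines are constructed.

```python
import re

# Facility and severity codes from the syslog RFCs (3164 / 5424).
# Codes 12-15 have no common short name and are left as None.
FACILITIES = (["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
               "uucp", "cron", "authpriv", "ftp"] + [None] * 4
              + [f"local{i}" for i in range(8)])
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(line):
    """Return (facility, severity) names from the <PRI> prefix of a raw syslog line."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("no <PRI> prefix")
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError("PRI out of range")
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]


def selector_matches(selector, facility, severity):
    """True if a facility.priority selector would forward the message.

    "all" is the wildcard. For a named priority this assumes classic syslog
    semantics: that severity or anything more severe (assumption).
    """
    sel_fac, sel_pri = selector.lower().split(".")
    if sel_fac != "all" and sel_fac != facility:
        return False
    if sel_pri == "all":
        return True
    return SEVERITIES.index(severity) <= SEVERITIES.index(sel_pri)


# Constructed sample lines (not real Guardium output): PRI 9 = user.alert, 30 = daemon.info
SAMPLES = [
    "<9>Jun 16 10:00:00 collector01 app: constructed policy alert",
    "<30>Jun 16 10:00:01 collector01 sshd[101]: constructed daemon message",
]

if __name__ == "__main__":
    for line in SAMPLES:
        fac, sev = decode_pri(line)
        for sel in ("daemon.all", "user.all", "all.all"):
            print(f"{fac}.{sev:<6} vs {sel:<10} -> {selector_matches(sel, fac, sev)}")
```

A message in the user facility is dropped by a daemon.all selector and forwarded by user.all or all.all, which matches the behaviour described above.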
Document Information
Modified date:
16 June 2018
UID
swg21690285