IBM Support

Troubleshooting WTO messages on IBM Security Guardium S-TAP for Db2 on z/OS

Troubleshooting


Problem

This article provides general guidance on troubleshooting IBM® Security Guardium® S-TAP® for Db2® on z/OS® after you receive a write-to-operator (WTO) message.

Diagnosing The Problem

Following are tasks you can perform to troubleshoot IBM Guardium S-TAP for Db2 after you receive a WTO message:

  • Ensure that the S-TAP started task started without errors 
  • Ensure that the S-TAP started task and Guardium Appliance can communicate  
  • Ensure that data collection started when a policy is activated
  • Check for loss of communication between the S-TAP started task and Guardium Appliance that might lead to loss of audit data
  • Detect whether the Db2 being audited shut down or started
  • Monitor the S-TAP started task for termination

Resolving The Problem

Ensure that the S-TAP started task started without errors
Action: Issue the start command for the S-TAP task to view standard messages for a started task in the z/OS console log.
Result: The S-TAP started task started without errors if the standard message states STARTED.
IEF403I ADHBA91A - STARTED - TIME=21.15.10
ADHQ1001I Db2 AUDIT SQL COLLECTOR INITIALIZATION IN PROGRESS FOR SUBSYSTEM AC1A
ADHQ1002I Db2 AUDIT SQL COLLECTOR INITIALIZATION COMPLETE FOR SUBSYSTEM AC1A

Ensure that the S-TAP started task and Guardium Appliance can communicate
Action: Look for messages indicating that the S-TAP started task and Guardium appliance can communicate.
Result: The following messages indicate that the S-TAP started task successfully connected to and can communicate with the Guardium appliance.
ADHG000I Attempting connection to server 192.168.53.26 port=16022
ADHG001I Establishing ASC connection to server 192.168.53.26
ADHG002I Connection established to server 192.168.53.26

Ensure that data collection started when a policy is activated
Action: When you successfully start or stop a collection policy, you enable the collection of events. Starting a collection policy results in several messages you can use to verify that data collection successfully started.
You can start a collection policy manually by selecting a collection to activate or a policy to install. Or, if you do not start a collection policy, the S-TAP Started Agent starts the collection policy in effect the last time the Started Agent was stopped.
Result: The following messages indicate that data collection successfully started.
ADHQ3006I AUDITING AGENT ACTIVATED FOR AC1A
ADHQ3002I AUDITING AGENT STARTED FOR SUBSYSTEM AC1A
The following messages indicate that the collection events started for specific event types:
ADHQ1082I POLICY PUSH DETECTED FOR COLLECTION
ADHQ1069I STAGE 1 FILTERING IS ACTIVE- OBJECTS
ADHQ2013I CURRENTLY ACTIVE POLICY RESULTS IN GRANT REVOKE COLLECTION.
ADHQ2019I CURRENTLY ACTIVE POLICY RESULTS IN DB2 UTILITY COLLECTION.
ADHQ2020I CURRENTLY ACTIVE POLICY RESULTS IN FAILED LOGIN COLLECTION.
ADHQ2016I CURRENTLY ACTIVE POLICY RESULTS DB2 COMMANDS COLLECTION.
ADHQ2015I CURRENTLY ACTIVE POLICY RESULTS NEGATIVE SQL CODES COLLECTION.
The following message indicates that policy activation disabled the collection of events. Specifically, the message indicates that either a policy is not currently active or that the active policy disabled the collection of events.
ADHQ2010I CURRENTLY ACTIVE POLICY RESULTS IN DISABLED COLLECTION.

Check for loss of communication between the S-TAP started task and the Guardium Appliance that might lead to loss of audit data
Action: Look for messages indicating poor communication or loss of communication. These messages are generated as part of ongoing S-TAP task operations.
Result: The following messages indicate that poor communication between the S-TAP started task and Guardium Appliance led to a loss of audit data.
ADHG004W Connection was lost from server [appliance-server-address]
ADHG006E Data loss has occurred as the result of a network send failure
ADHG005S Unable to establish a connection to a server [appliance-server-address]
ADHG015W Primary server is unavailable
ADHP004W Connection was lost from server [appliance-server-address]
ADHP006E Data loss has occurred as the result of a network send failure
ADHP005S Unable to establish a connection to a server [appliance-server-address]
ADHP015W Primary server is unavailable
ADHQ12* messages occur as a result of either communications failures, exhaustion of internal memory objects, or both. These messages also indicate loss of audit data. Examples of ADHQ12* messages are:
ADHQ1213W SPACE IS FULL AND NO MORE EXTENTS CAN BE OBTAINED FOR SPACE - THREAD
ADHQ1203I ASID=00AB,TCB=1FB6ADDB,CPID=00001A98_C297C000,MODULE=ADHMALOX,ADDR=1FB6AE02,RC=0008,RSN=0038
ADHQ1204I FUNC=G,SP=00,FLG2=30,FLG3=00
ADHQ1217W REQUEST WOULD HAVE EXCEEDED MAXIMUM ALLOCATIONS VALUE. SPACE - N/A

Detect whether the Db2 being audited shut down or started
Action: Look for messages indicating that the Db2 subsystem shut down or started.
Result: The following message indicates that the Db2 being audited was shut down.
ADHQ3003I DB2 SHUTDOWN DETECTED FOR SUBSYSTEM AC1A
The following message indicates that the Db2 being audited was started.
ADHQ3001I DB2 STARTUP DETECTED FOR SUBSYSTEM AC1A    

Check the S-TAP started task for termination
Action: Verify that the S-TAP task started or stopped.
Result: The following messages indicate that the S-TAP started task stopped.
ADHQ1081I POLICY MANAGER STOPPED.
ADHP030I IBM Security Guardium S-TAP for Db2 on z/OS Policy connection is terminating
ADHQ1004I Db2 AUDIT SQL COLLECTOR TERMINATION IN PROGRESS FOR SUBSYSTEM AC1A
ADHG030I IBM Security Guardium S-TAP for Db2 on z/OS Audit SQL Collector is terminating
ADHQ1005I Db2 AUDIT SQL COLLECTOR TERMINATION COMPLETE FOR SUBSYSTEM AC1A
The following messages indicate that the S-TAP started task is uninstalled and terminated. These messages indicate that you can restart the S-TAP started task.
ADHQ5010I MONITORING AGENT DEINSTALLATION IN PROGRESS FOR SUBSYSTEM ssid
ADHQ5011I MONITORING AGENT DEINSTALLATION COMPLETE FOR SUBSYSTEM ssid
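
The checks above can be run over a saved console log in one pass. The following is an added example, not IBM code: it tracks the last known state of the collector, the appliance connection, collection and Db2 from the message IDs quoted in this article, and flags the messages the article associates with loss of audit data. The flag names, alert wording and the sample log are assumptions constructed for illustration.

```python
import re

# Message IDs come from the article; flag names and alert wording are assumptions.
MSG_ID = re.compile(r"\b(ADH[GPQ]\d{3,4}[IWES])\b")
LOSS = re.compile(r"ADH[GP](004W|005S|006E|015W)|ADHQ12\d\d[IWES]")
# Message ID -> (state flag, new value)
TRANSITIONS = {
    "ADHQ1002I": ("collector_up", True),    # collector initialization complete
    "ADHQ1005I": ("collector_up", False),   # collector termination complete
    "ADHG002I": ("appliance_link", True),   # connection established
    "ADHG004W": ("appliance_link", False),  # connection lost
    "ADHG005S": ("appliance_link", False),  # unable to establish connection
    "ADHQ3002I": ("collecting", True),      # auditing agent started
    "ADHQ2010I": ("collecting", False),     # policy results in disabled collection
    "ADHQ3001I": ("db2_up", True),          # Db2 startup detected
    "ADHQ3003I": ("db2_up", False),         # Db2 shutdown detected
}
OTHER_ALERTS = {"ADHQ2010I": "collection disabled",
                "ADHQ3003I": "audited Db2 shut down",
                "ADHQ1005I": "S-TAP collector terminated"}

def triage(log_lines):
    """Return (final state, alerts) for console log lines given in time order."""
    state = dict.fromkeys(("collector_up", "appliance_link", "collecting", "db2_up"))
    alerts = []
    for lineno, line in enumerate(log_lines, 1):
        match = MSG_ID.search(line)
        if not match:
            continue  # not an S-TAP message, for example IEF403I
        msg = match.group(1)
        if msg in TRANSITIONS:
            flag, value = TRANSITIONS[msg]
            state[flag] = value
        if LOSS.fullmatch(msg):
            alerts.append((lineno, msg, "possible audit data loss"))
        elif msg in OTHER_ALERTS:
            alerts.append((lineno, msg, OTHER_ALERTS[msg]))
    return state, alerts

# Constructed sample built from message texts quoted in the article.
SAMPLE = """\
ADHQ1002I Db2 AUDIT SQL COLLECTOR INITIALIZATION COMPLETE FOR SUBSYSTEM AC1A
ADHG002I Connection established to server 192.168.53.26
ADHQ3002I AUDITING AGENT STARTED FOR SUBSYSTEM AC1A
ADHG004W Connection was lost from server 192.168.53.26
ADHG006E Data loss has occurred as the result of a network send failure
ADHQ1213W SPACE IS FULL AND NO MORE EXTENTS CAN BE OBTAINED FOR SPACE - THREAD
ADHQ3003I DB2 SHUTDOWN DETECTED FOR SUBSYSTEM AC1A
""".splitlines()
```

Calling triage(SAMPLE) returns the final state plus one alert tuple (line number, message ID, reason) per flagged message; a flag left at None means no message about it appeared in the log.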

Document Location

Worldwide


Document Information

Modified date:
16 December 2020

UID

ibm16381890