IBM Support

IBM Security Guardium: How can I stop receiving guardium_test_daemon messages

Question & Answer


Question

After upgrading to Guardium v11p300, I am receiving lots of guardium_test_daemon messages via email and over the SIEM server every 5 minutes. How can I stop them?
Example messages:
Mar  8 11:34:59 Hostname root: guardium_test_user.alert
Mar  8 11:35:06 Hostname root: guardium_test_daemon.alert
Mar  8 11:35:13 Hostname root: guardium_test_syslog.alert

Cause

A new feature in v11p300 tests the remotelog configuration to confirm that Guardium can send a message to an external SIEM.

When the test is run, those messages are expected to appear on the SIEM side.

The test can be run in the following ways:

  • From the CLI - show remotelog test
  • From the GUI - Remote Loggers page
  • Automatically, by default every 5 minutes, as part of the internal 'nanny' process

In addition to the SIEM messages, an email indicating the failure may be sent if the test fails.
One known cause of failure is a system that has multiple IP addresses or ecosystem functionality enabled. This issue will be addressed in later v11.3 bundles.
There may be other causes of test failure that are false positives and that you may want to ignore.

Answer

To stop receiving the guardium_test_daemon messages, run the following grdapi command to disable writing test messages to syslog:
grdapi modify_guard_param paramName=NANNY_ALERT_RSYSLOG paramValue=0
If this does not stop the messages, please open a case with the IBM Security Guardium Technical Support team in the usual manner and provide the logs along with the output of the commands below:
support must_gather alert
support must_gather network
Output of:
show remotelog host
show remotelog test

Document Information

Modified date:
09 March 2021

UID

ibm16427749