IBM Support

IBM Security Guardium: Sender IP is not populating correctly in the real-time alerts

Troubleshooting


Problem

I am using real-time alerts to send data to a SIEM server and noticed that Guardium is not sending the correct sender IP.

Symptom

In the messages file collected by support must_gather system logs, the sender IP is not populated in the alert: the Senderip field carries the literal placeholder text instead of an address.

Cause

The Senderip field is not defined correctly in the Global Profile alert template. Field placeholders in the alert message template are case sensitive:
Senderip=%%SenderIp - with a lower-case p as the final character, is not correct
Senderip=%%SenderIP - with an upper-case P as the final character, is correct

Environment

Guardium appliances v11.X

Diagnosing The Problem

To diagnose the issue, follow these steps:
1. Collect the logs with support must_gather system logs
2. Check the messages file in the logs. The alert is emitted with the placeholder text %%SenderIp instead of an address in the Senderip field, for example:
Mar 8 12:43:24 Coll01 GuardiumSniffer[885]: subject "SQLGUARD ALERT", "LEEF:1.0|IBM|Guardium|11.0|Log Full Detils|ruleID=20397|ruleDesc=Log Full Detils|severity=INFO|devTime=2021-03-08 12:43:21|serverType=ORACLE|classification=|category=|dbProtocolVersion=3.17| usrName=:PU=SYS|sourceProgram=SQL DEVELOPER|start=1615196601918|dbUser=SYS|dst=XXXXX.11.128| dstPort=1521|src=XXXX.3.23|srcPort=52514|protocol=TCP|type=SQL_LANG|violationID=0 |sql=select * from v$version where banner like '%Oracle%'|error=|Senderip=%%SenderIp"
3. In the GUI, navigate to "Global Profile" and check the template you are using; the sender IP field is defined as
%%SenderIp
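The check from the diagnosing steps, as an added example that is not part of IBM's documentation or of Guardium itself: a small Python script that reads must_gather messages lines offline, extracts the LEEF payload from each alert, splits it into attributes, and flags any attribute whose value still carries an unexpanded %%Name token, distinguishing a case typo of a known placeholder from an unknown name. KNOWN_PLACEHOLDERS holds only SenderIP, the one placeholder this page documents; extend it with the other names used in your template. The sample lines are constructed, modelled on the log excerpts above with made-up addresses. Note that the redacted "after" line on this page has letters where the address was masked, so it would be flagged by this check; on a real appliance the expanded value is a dotted address.

```python
import re

# Placeholder names the Guardium template expands, spelled exactly as the
# template expects them (case-sensitive). Only %%SenderIP is documented on
# this page; adding further names here is an assumption left to the reader.
KNOWN_PLACEHOLDERS = {"SenderIP"}

# Constructed sample lines modelled on the must_gather messages output;
# addresses are made up. Line 1 has the typo, line 2 is the corrected alert.
SAMPLE_MESSAGES = [
    'Mar 8 12:43:24 Coll01 GuardiumSniffer[885]: subject "SQLGUARD ALERT", '
    '"LEEF:1.0|IBM|Guardium|11.0|Log Full Details|ruleID=20397|severity=INFO'
    '|src=10.0.3.23|srcPort=52514|dst=10.0.11.128|dstPort=1521'
    '|Senderip=%%SenderIp"',
    'Mar 8 12:46:37 Coll01 GuardiumSniffer[885]: subject "SQLGUARD ALERT", '
    '"LEEF:1.0|IBM|Guardium|11.0|Log Full Details|ruleID=20397|severity=INFO'
    '|src=10.0.3.23|srcPort=52514|dst=10.0.11.128|dstPort=1521'
    '|Senderip=10.0.3.25"',
]

# The LEEF payload is the quoted string that starts with "LEEF:".
PAYLOAD_RE = re.compile(r'"(LEEF:[^"]*)"')
# An unexpanded template token: %% followed by an identifier.
PLACEHOLDER_RE = re.compile(r"%%([A-Za-z_]\w*)")


def parse_leef(payload):
    """Split a LEEF 1.0 payload into its 5 header fields and an attribute dict.

    The default LEEF delimiter is '|'; attribute values that themselves
    contain '|' (possible in the sql= field) would need the template's
    delimiter escaping and are not handled here.
    """
    parts = payload.split("|")
    header = parts[:5]  # LEEF:version|vendor|product|version|eventID
    attrs = {}
    for kv in parts[5:]:
        if "=" in kv:
            key, value = kv.split("=", 1)
            attrs[key.strip()] = value
    return header, attrs


def find_unexpanded(attrs):
    """Return {attribute: [reasons]} for values still holding a %%Name token."""
    findings = {}
    for key, value in attrs.items():
        for name in PLACEHOLDER_RE.findall(value):
            if name in KNOWN_PLACEHOLDERS:
                why = f"%%{name} is a valid placeholder name but was not expanded"
            else:
                same = [p for p in KNOWN_PLACEHOLDERS if p.lower() == name.lower()]
                if same:
                    why = f"%%{name} is a case typo of %%{same[0]}"
                else:
                    why = f"%%{name} is not a known placeholder"
            findings.setdefault(key, []).append(why)
    return findings


def audit_messages(lines):
    """Audit syslog lines; return a list of (line_no, attribute, reason)."""
    results = []
    for line_no, line in enumerate(lines, 1):
        match = PAYLOAD_RE.search(line)
        if not match:
            continue  # not a LEEF alert line
        _, attrs = parse_leef(match.group(1))
        for attr, reasons in find_unexpanded(attrs).items():
            for reason in reasons:
                results.append((line_no, attr, reason))
    return results


if __name__ == "__main__":
    # Against a real must_gather: open("messages") and pass the lines instead.
    for line_no, attr, reason in audit_messages(SAMPLE_MESSAGES):
        print(f"line {line_no}: {attr}: {reason}")
```

Run against the messages file from the must_gather; any line reported with a "case typo" reason points at a template field to correct in Global Profile, while a "valid placeholder name but was not expanded" reason indicates a different problem worth raising with support.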

Resolving The Problem

To resolve the issue, follow these steps:
1. Navigate to "Global Profiles"
2. Edit the named template you are using and change the field to Senderip=%%SenderIP (the final P changed to upper case):
%%SenderIP
Once this is changed, the Senderip field in the alert is populated with the sender address.
Example:
Mar 8 12:46:37 Coll01 GuardiumSniffer[885]: subject "SQLGUARD ALERT", "LEEF:1.0|IBM|Guardium|11.0|Log Full Detils|ruleID=20397|ruleDesc=Log Full Detils|severity=INFO|devTime=2021-03-08 12:46:37|serverType=ORACLE|classification=|category=|dbProtocolVersion=3.17| usrName=:PU=SYS|sourceProgram=SQL DEVELOPER|start=1615196601918|dbUser=SYS|dst=XXXXX.11.128| dstPort=1521|src=XXXX.3.23|srcPort=52514|protocol=TCP|type=SQL_LANG|violationID=0 |sql=select * from v$version where banner like '%Oracle%'|error=|Senderip=%%XXXXX.3.25"
If the issue persists after correcting the typo, open a case with the IBM Security Guardium Technical Support team and provide the following:
1. support must_gather alert
2. support must_gather snif
3. The named template in use, from Global Profile


Document Information

Modified date:
12 March 2021

UID

ibm16428971