Troubleshooting
Problem
I am using real-time alerts to send data to a SIEM server and I noticed that Guardium is unable to send the correct sender IP.
Symptom
In the messages file from support must_gather system logs, we can see that the sender IP is not correctly populated.
Cause
This is because Senderip is not correctly defined in the Global Profile template. The fields in the alert message template are case sensitive:
Senderip=%%SenderIp - with a lower case p as the final character, this is not correct
Senderip=%%SenderIP - with an upper case P as the final character, this is correct
Environment
Guardium appliances v11.X
Diagnosing The Problem
To diagnose the issue, follow these steps:
1. Collect support must_gather system logs.
2. Check the messages file from the logs; you will notice that senderip is not correctly populated in the alert, for example:
Mar 8 12:43:24 Coll01 GuardiumSniffer[885]: subject "SQLGUARD ALERT", "LEEF:1.0|IBM|Guardium|11.0|Log Full Detils|ruleID=20397|ruleDesc=Log Full Detils|severity=INFO|devTime=2021-03-08 12:43:21|serverType=ORACLE|classification=|category=|dbProtocolVersion=3.17| usrName=:PU=SYS|sourceProgram=SQL DEVELOPER|start=1615196601918|dbUser=SYS|dst=XXXXX.11.128| dstPort=1521|src=XXXX.3.23|srcPort=52514|protocol=TCP|type=SQL_LANG|violationID=0 |sql=select * from v$version where banner like '%Oracle%'|error=|Senderip=%%SenderIp"
3. In the GUI, navigate to "Global Profile" and check the template you are using: Senderip is defined as %%SenderIp (lower case p).
Resolving The Problem
To resolve the issue, follow these steps:
1. Navigate to "Global Profiles".
2. Edit the named template you are using and change the field to Senderip=%%SenderIP (the final P is changed to upper case).
Once this is changed, you will see that the SenderIP is correctly populated, for example:
Mar 8 12:46:37 Coll01 GuardiumSniffer[885]: subject "SQLGUARD ALERT", "LEEF:1.0|IBM|Guardium|11.0|Log Full Detils|ruleID=20397|ruleDesc=Log Full Detils|severity=INFO|devTime=2021-03-08 12:46:37|serverType=ORACLE|classification=|category=|dbProtocolVersion=3.17| usrName=:PU=SYS|sourceProgram=SQL DEVELOPER|start=1615196601918|dbUser=SYS|dst=XXXXX.11.128| dstPort=1521|src=XXXX.3.23|srcPort=52514|protocol=TCP|type=SQL_LANG|violationID=0 |sql=select * from v$version where banner like '%Oracle%'|error=|Senderip=%%XXXXX.3.25"
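To tell the two kinds of alert line apart across a whole messages file, here is an added Python check (not Guardium code and not part of this technote): it parses the LEEF payload and flags any attribute whose value is still a bare %%Name template token, with a case-insensitive hint against the variable names it knows. The sample lines, the documentation-range addresses and the KNOWN_VARIABLES set are constructed for the example; only SenderIP is taken from this page.

```python
import re
from typing import Dict, List, Tuple

# A bare "%%Name" value was never substituted; a resolved "%%203.0.113.25" does not match.
UNEXPANDED = re.compile(r"^%%([A-Za-z][A-Za-z0-9_]*)$")
# Variable names the hint lookup knows (assumption); only SenderIP is documented here.
KNOWN_VARIABLES = {"SenderIP"}

# Constructed sample lines modelled on the two examples above (documentation-range addresses).
SAMPLE_MESSAGES = [
    'Mar 8 12:43:24 Coll01 GuardiumSniffer[885]: subject "SQLGUARD ALERT", '
    '"LEEF:1.0|IBM|Guardium|11.0|Log Full Detils|ruleID=20397|severity=INFO|'
    'devTime=2021-03-08 12:43:21|serverType=ORACLE|dst=192.0.2.128| dstPort=1521|'
    "sql=select * from v$version where banner like '%Oracle%'|error=|Senderip=%%SenderIp\"",
    'Mar 8 12:46:37 Coll01 GuardiumSniffer[885]: subject "SQLGUARD ALERT", '
    '"LEEF:1.0|IBM|Guardium|11.0|Log Full Detils|ruleID=20397|severity=INFO|'
    'devTime=2021-03-08 12:46:37|serverType=ORACLE|dst=192.0.2.128| dstPort=1521|'
    "sql=select * from v$version where banner like '%Oracle%'|error=|Senderip=%%203.0.113.25\"",
]

def parse_leef_fields(line: str) -> Dict[str, str]:
    """Key=value attributes of the LEEF payload quoted in a syslog line."""
    start = line.find("LEEF:")
    if start < 0:
        return {}
    # Five header fields (LEEF:1.0|vendor|product|version|event id) precede the
    # attributes; attribute values are assumed not to contain '|' themselves.
    parts = line[start:].rstrip().rstrip('"').split("|")
    pairs = (part.strip().partition("=") for part in parts[5:])
    return {key: value.strip() for key, sep, value in pairs if sep}

def find_unexpanded(line: str) -> List[Tuple[str, str, str]]:
    """(field, token, hint) per attribute still holding a template token; hint is
    the known variable that matches the token case-insensitively, or ''."""
    findings = []
    for key, value in parse_leef_fields(line).items():
        m = UNEXPANDED.match(value)
        if m:
            token = m.group(1)
            hint = next((k for k in KNOWN_VARIABLES if k.lower() == token.lower()), "")
            findings.append((key, token, hint))
    return findings

def scan_messages(lines) -> Dict[int, List[Tuple[str, str, str]]]:
    """1-based line number -> findings for SQLGUARD ALERT lines with unexpanded tokens."""
    return {n: f for n, line in enumerate(lines, 1)
            if "SQLGUARD ALERT" in line and (f := find_unexpanded(line))}
```

Run scan_messages over the lines of the messages file from must_gather; an empty result means every alert had its template variables substituted.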
If the issue is not resolved even after correcting the typo, open a case with the IBM Security Guardium Technical Support team and provide the following logs:
2. support must_gather alert
3. support must_gather snif
4. The named template used, from Global Profile
Document Information
Modified date:
12 March 2021
UID
ibm16428971