C1000-127 STU Stuc1000127

ibm certification

Uploaded by Philip Mukiti

IBM Security

Professional Certification Program

Exam Study Guide

C1000-127: IBM Security Guardium v11.x Administrator
Contents

Role Definition
Key Areas of Competency
Purpose of Exam Objectives
Section 1 – Plan for the Guardium System
1.1 Describe Guardium architecture
1.2 Define the differences between Guardium agents
1.3 Identify the ports for Guardium and agents
1.4 Define the roles of the Guardium appliance
1.5 Explain how the firewall works on DAM and FAM
Section 2 – Deploy and Configure the Guardium System
2.1 Configure Guardium appliances
2.2 Install license keys
2.3 Install and Configure Guardium agents
2.4 Configure and attach identity providers
2.5 Configure SMTP on the appliance
2.6 Configure SIEM on appliance
Section 3 – Discover & Classify
3.1 Discover the databases on the network
3.2 Locate and classify sensitive data
Section 4 – Protect & Monitor
4.1 Build a policy
4.2 Define and implement Policy Rules logic
4.3 Setup outlier detection settings
4.4 Differentiate between policy actions
4.5 Interpret results of analytic engines
4.6 Monitor resources of appliance
Section 5 – Audit & Report
5.1 Create custom report queries
5.2 Configure audit flow
Section 6 – Assess & Harden
6.1 Identify vulnerabilities in different databases and platforms
6.3 Configure and operate Configuration Audit System (CAS)
Section 7 – Maintain & Manage
7.1 Configure high availability functions for appliances and agents
7.2 Configure alerts
7.3 Install patches (collectors, agents, central manager)
7.4 Configure data management processes
7.5 Manage and maintain groups
7.6 Setup and maintain user accounts
Section 8 – Problem Determination
8.1 Troubleshoot installation issues
8.2 Troubleshoot data capture issues (add content about health dashboard)
8.3 Troubleshoot operational issues
8.4 Generate must gathers

Role Definition
An IBM Certified Administrator – Security Guardium v11.x is an individual familiar with the architecture
and use cases of IBM Security Guardium. They can plan, install, configure, support, and maintain the
IBM Security Guardium environment. Additionally, they will be familiar with database activity
monitoring, policy rule definition, and custom report creation. They can complete these tasks with little
to no assistance from product documentation, peers or support. Pre-requisite skills:

The administrator is responsible for the security of the CP4S environment, which may involve
appropriate access to the cloud hosting environment, a working knowledge of the RH OpenShift
Container Platform, and an understanding of the security structure of their organization.

Key Areas of Competency


• Working knowledge of operating systems and databases
• Basic knowledge of hybrid cloud
• Working knowledge of hardware and virtual machines
• Working knowledge of networking and protocols
• Basic knowledge of risk management, auditing, and compliance

Purpose of Exam Objectives

When a certification exam is being developed, a team of Subject Matter Experts works
together to define the job role the certified individual will fill. They define all the tasks and
knowledge that an individual would need to have in order to successfully perform that role.
This creates the foundation for the objectives and measurement criteria, which in turn are the
foundation of the certification exam. The certification item writers used these objectives to write
the questions that appear on the exam.

It is recommended that you review these objectives carefully. Do you know how to complete
the tasks in the objective? Do you know why that task needs to be done? Do you know what will
happen if you do it incorrectly? If you are not familiar with a task, then work through the
objective and perform that task in your own environment. Read more information about the
task. If there is an objective on a task, it is almost certain that you WILL see questions about it
on the actual exam.

After you have reviewed the objectives and completed your own research, don’t forget to
review the free sample questions for this exam on the IBM Certification website. These
sample questions come complete with an answer key and will give you a feel for the type and
style of question on the actual exam.

After that, take the assessment exam. The questions on the assessment exam were
developed at the same time and by the same people who wrote the questions on the actual
exam. The assessment exam is weighted to be equally difficult to the actual test, so your
results should be predictive of your expected results on the actual test. While the assessment
exam will not tell you which questions are answered incorrectly, it will tell you how you did on a
section-by-section basis, so you will know where to focus your further studies.

Section 1 – Plan for the Guardium System
This section focuses on skills related to planning a Guardium deployment. It covers Guardium
architecture, Guardium agents, and networking considerations.

This section accounts for approximately 10% of the exam.

1.1 Describe Guardium architecture


Subtask:

1.1.1 Describe the Guardium architecture principles:

1.1.1.1 Central Management & Uniform policies

1.1.1.2 Central data aggregation

1.1.1.3 A unified architecture for diverse architectures

1.1.1.4 Enforcement through an agent that serves as gatekeeper to all data access requests

1.1.1.5 Heterogeneous data source support

1.1.2 Describe Guardium's use of a tiered hierarchy of collectors, aggregators, and central managers

References:

IBM Course 8G101 Unit 1


https://www.ibm.com/docs/en/guardium/11.3?topic=started-components-topology

1.2 Define the differences between Guardium agents


Subtask:

1.2.1 Describe the characteristics of the Guardium Installation Manager (GIM) agent

1.2.1.1 Allows for configuration, maintenance, and upgrade of Guardium agents without further system
administrator intervention

1.2.1.2 Installed by system administrator (root/admin)

1.2.1.3 Available for Windows, Linux, and UNIX

1.2.2 Describe the characteristics of the S-TAP agent

1.2.2.1 Captures traffic for structured and unstructured data sources (defined in Inspection Engines) for
analysis and forwarding to the Guardium Collector according to the installed policy

1.2.2.2 Installed directly (by system administrator) or via GIM (by Guardium administrator)
1.2.2.3 Sometimes needs additional components and verification (KTAP modules, ATAP
configuration)

1.2.2.4 Available for Windows (structured only), Linux, and Unix

1.2.3 Describe the characteristics of the File Activity Monitor (FAM) agent

1.2.3.1 Captures traffic against unstructured data for analysis and forwarding to Guardium
Collector according to installed policy

1.2.3.2 Installed directly (by system administrator) or via GIM (by Guardium administrator)

1.2.3.3 Available for Windows, Linux, and UNIX

1.2.4 Describe the characteristics of the FAM Monitor agent

1.2.4.1 Enables monitoring and collection of audit information and policy rules, and real time alerts
or blocking of suspicious users or connections

1.2.4.2 Installed directly (by system administrator) or via GIM (by Guardium administrator)

1.2.4.3 Available only for Windows

1.2.5 Describe the characteristics of the File Discovery, Entitlement, and Classification agent

1.2.5.1 Enables scanning for file (unstructured) entitlement and classification of sensitive data

1.2.5.2 Available for NAS and SharePoint

1.2.5.3 Must be installed by system administrator on a SharePoint server or a gateway box to the NAS

1.2.6 Describe the characteristics of the File Activity Monitor agent for FAM or NAS

1.2.6.1 Monitors activity across files and directories residing on NAS devices and SharePoint servers
in the Windows environment

1.2.7 Describe the characteristics of the Guardium Universal Connector (GUC) agent

1.2.7.1 Can be used to manage native log forwarding in MongoDB to support sending data to the
Universal Connector

1.2.7.2 Installed by system administrator (root)

1.2.7.3 Available for Linux only

1.2.8 Describe the characteristics of the S-TAP for Db2 on z/OS agent

1.2.8.1 Captures and forwards traffic from Db2 on z/OS to a Guardium Collector

1.2.8.2 Only available from ShopZ, not FixCentral

1.2.8.3 Must be installed by system programmer, does not support GIM

1.2.8.4 Supports multi-stage filtering (S-TAP and Collector) to reduce network volume
1.2.9 Describe the characteristics of the S-TAP for IMS on z/OS agent

1.2.9.1 Captures and forwards traffic from IMS on z/OS to a Guardium Collector

1.2.9.2 Only available from ShopZ, not FixCentral

1.2.9.3 Must be installed by system programmer, does not support GIM

1.2.9.4 Supports multi-stage filtering (S-TAP and Collector) to reduce network volume

1.2.10 Describe the characteristics of the S-TAP for Data Sets on z/OS agent

1.2.10.1 Captures and forwards traffic from Data Sets (VSAM) on z/OS to a Guardium Collector

1.2.10.2 Only available from ShopZ, not FixCentral

1.2.10.3 Must be installed by system programmer, does not support GIM

1.2.10.4 Supports multi-stage filtering (S-TAP and Collector) to reduce network volume

1.2.11 Describe the characteristics of the S-TAP for Db2 for IBM i agent

1.2.11.1 Captures and forwards traffic from IBM i (iSeries, AS/400) to a Guardium Collector

1.2.11.2 Must be installed by *SECOFR, does not support GIM

1.2.11.3 Requires specific PTF levels and PASE installed

1.2.11.4 Can be managed and controlled from Guardium Collector

1.2.11.5 Supports multi-stage filtering (S-TAP and Collector) to reduce network volume

1.2.12 Describe the characteristics of the External S-TAP agent

1.2.12.1 Intercepts traffic for cloud and on-premises database services without installing an
inspection agent on the database server

1.2.12.2 Can be deployed through Kubernetes or on a standalone Docker host

1.2.12.3 Requires a load balancer and reconfiguration of database clients

References:
https://www.ibm.com/support/pages/understanding-guardium-agent-types-and-agent-names

https://www.ibm.com/docs/en/guardium/11.3?topic=external-s-tap

1.3 Identify the ports for Guardium and agents


Subtask:

1.3.1 Ports used by the Guardium STAP DB Server – Collector


1.3.2 Ports used by the Guardium Collector – Aggregator

1.3.3 Ports used by the Guardium Central Manager – Managed Devices

1.3.4 Ports used by the Guardium File Activity Monitoring (FAM)

1.3.5 Ports used by the Guardium Installation Manager (GIM)

1.3.6 Ports used by the Guardium Quick search

1.3.7 Ports used by the Guardium SMTP, SNMP and NTP

1.3.8 Ports used by the Guardium Mainframe

References:
https://www.ibm.com/docs/en/guardium/11.0/11.0?topic=system-guardium-port-requirements

1.4 Define the roles of the Guardium appliance


Subtask:

1.4.1 Guardium has three types of components; you choose one of them from the installation media.

1.4.1.1 Collectors: Collectors perform real-time capture and analysis of database activity and log it
for further analysis and use in alerting.

1.4.1.2 Aggregators: Guardium aggregators collect and merge information from multiple Guardium
collectors, and optionally from other aggregators. They produce holistic views of an entire environment.
Collection and aggregation processes allow Guardium to easily generate enterprise-level reports. In a
large enterprise environment, for example, several Guardium systems can be used for monitoring
different geographic locations or business units. You can export data from multiple collectors to a single
aggregator, and view database usage across all geographic areas or business units. Reports,
assessments, and audit processes run from this aggregator would then reflect data collected from across
the environment.

1.4.1.3 Central Managers: The central manager (CM) is a specialized functionality that is enabled on an
aggregator. In this configuration, one Guardium system is designated as a central manager that controls
and monitors an entire Guardium environment, from a single console. In this configuration, collectors
and aggregators are referred to as managed units. While some applications (Audit Processes, Queries,
Portlets, etc.) can be run from either a managed unit or from the central manager, application
definitions are stored on the central manager. Central management supports hierarchical aggregation
where multiple aggregators merge their data repositories to a central aggregator. This is useful for
multi-level views. For example, with different Guardium aggregators assigned to different geographic
locations, a central management aggregator can merge the contents of all aggregators into a single
global view spanning all geographies.
References:
https://www.ibm.com/docs/en/guardium/11.3?topic=started-components-topology

1.5 Explain how the firewall works on DAM and FAM


Subtask:

1.5.1 Guardium DAM uses two options for firewalling database connections: S-TAP Terminate and
S-GATE.

1.5.1.1 S-TAP Terminate

1.5.1.1.1 S-TAP Terminate terminates a database session and prevents new requests on that
session. If the session already has additional requests in flight, however, more than one request may
sometimes go through before the session is terminated.

1.5.1.2 S-GATE

1.5.1.2.1 The S-GATE provides database protection via the S-TAP for both network and local
connections.

1.5.1.2.2 The S-GATE has two modes:

1.5.1.2.2.1 Attached (S-GATE is "on"): S-TAP is in firewalling mode for that session, and it holds the
database requests and waits for a verdict on each request before releasing its responses. Latency is
expected in this mode, but it ensures that rogue requests are blocked.

1.5.1.2.2.2 Detached (S-GATE is "off"): S-TAP is in normal monitoring mode for that session, and it passes
requests to the database server without any delay. Latency is not expected in this mode. It is possible to
alter the default S-GATE configuration in real time using S-GATE policy rule actions, which are:

1.5.1.2.2.2.1 S-GATE Attach: sets S-GATE mode to "Attached" for a specific session. Intended for use
when certain criteria are met that raise the need to closely watch (and if needed block) the traffic on
that session.

1.5.1.2.2.2.2 S-GATE Detach: sets S-GATE mode to "Detached" for a specific session. S-GATE Detach is
intended for use on sessions that are considered safe or sessions that cannot tolerate any latency.

1.5.1.2.2.2.3 S-GATE Terminate: applies only when the session is attached; S-GATE Terminate drops the
reply of the firewalled request and terminates the session on some databases. The S-GATE TERMINATE
policy rule action causes a previously watched session to terminate.

1.5.2 Guardium FAM firewall for files

1.5.2.1 FAM monitors, alerts and blocks file access according to the Guardium policy rules. Monitored
operations are Read, Write, Execute, Delete, Change Owner, Permissions, Properties.

1.5.2.2 Access to files can also be blocked, even if the operating system permissions allow access. The
rules are preloaded into the S-TAP, which then preloads them into the file system filter driver. The driver
blocks access to the file so that the data in the file is never delivered to the user.
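The attached/detached behaviour and the S-TAP Terminate race described above, as an added model (this editor's example, not Guardium code): a session is driven through a modelled S-TAP by a constructed policy function, and the `inflight` parameter, which is an assumption of the model rather than a Guardium setting, stands for the requests a client has already sent when a terminate verdict takes effect. The three rule sets and the request list are constructed for the demonstration.

```python
"""Behavioural model of the two DAM firewalling options: S-GATE (attached /
detached) and S-TAP Terminate. Added teaching example, not Guardium code."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple

# Rule actions named in the study guide, plus a plain "allow" when no rule fires.
ALLOW, ATTACH, DETACH, SGATE_TERMINATE, STAP_TERMINATE = (
    "allow", "sgate_attach", "sgate_detach", "sgate_terminate", "stap_terminate")


class Mode(Enum):
    DETACHED = "detached"  # S-GATE off: request passes at once, verdict arrives later
    ATTACHED = "attached"  # S-GATE on: request is held until the verdict arrives


@dataclass
class Session:
    mode: Mode = Mode.DETACHED
    alive: bool = True
    delivered: List[str] = field(default_factory=list)  # reached the database server
    blocked: List[str] = field(default_factory=list)    # never reached the server
    log: List[str] = field(default_factory=list)


def run_session(requests: List[str], policy: Callable[[str], str],
                inflight: int = 1) -> Session:
    """Push each request through the modelled S-TAP. `inflight` (an assumption of
    this model) is how many requests the client has already sent by the time an
    S-TAP Terminate verdict takes effect; those still reach the server."""
    s = Session()
    kill_after: Optional[int] = None  # countdown started by S-TAP Terminate
    for req in requests:
        if kill_after is not None:
            if kill_after > 0:
                kill_after -= 1
                s.delivered.append(req)
                s.log.append(f"{req}: in flight before S-TAP Terminate took effect, reached server")
                continue
            s.alive = False
        if not s.alive:
            s.blocked.append(req)
            s.log.append(f"{req}: rejected, session is terminated")
            continue
        verdict = policy(req)
        if s.mode is Mode.ATTACHED:
            # Firewalling mode: nothing is released until the verdict is known.
            if verdict in (SGATE_TERMINATE, STAP_TERMINATE):
                s.blocked.append(req)
                s.alive = False
                s.log.append(f"{req}: held, {verdict}: reply dropped, session terminated")
            else:
                s.delivered.append(req)
                if verdict == DETACH:
                    s.mode = Mode.DETACHED
                s.log.append(f"{req}: held, {verdict}: released (latency paid)")
        else:
            # Monitoring mode: the request is already on its way when the verdict lands.
            s.delivered.append(req)
            if verdict == ATTACH:
                s.mode = Mode.ATTACHED
                s.log.append(f"{req}: passed; session attached, later requests are held")
            elif verdict == SGATE_TERMINATE:
                s.log.append(f"{req}: passed; S-GATE Terminate ignored, session not attached")
            elif verdict == STAP_TERMINATE:
                kill_after = inflight
                s.log.append(f"{req}: passed; S-TAP Terminate issued, {inflight} more may slip through")
    return s


# Constructed rule sets and traffic for the demonstration.
def sgate_policy(sql: str) -> str:
    """Attach once a session touches CARDS; terminate a DROP on an attached session."""
    q = sql.upper()
    if q.startswith("DROP "):
        return SGATE_TERMINATE
    return ATTACH if "CARDS" in q else ALLOW


def sgate_terminate_only_policy(sql: str) -> str:
    """S-GATE Terminate on DROP with no attach rule, to show the caveat in the text."""
    return SGATE_TERMINATE if sql.upper().startswith("DROP ") else ALLOW


def stap_terminate_policy(sql: str) -> str:
    """S-TAP Terminate on DROP."""
    return STAP_TERMINATE if sql.upper().startswith("DROP ") else ALLOW


REQUESTS = ["SELECT 1", "SELECT * FROM cards", "DROP TABLE cards", "SELECT 2", "SELECT 3"]


def demo() -> Dict[str, Tuple[List[str], List[str]]]:
    """Return (delivered, blocked) for each rule set run over REQUESTS."""
    out = {}
    for name, policy in (("sgate", sgate_policy),
                         ("sgate_terminate_only", sgate_terminate_only_policy),
                         ("stap_terminate", stap_terminate_policy)):
        s = run_session(REQUESTS, policy, inflight=1)
        out[name] = (s.delivered, s.blocked)
    return out


if __name__ == "__main__":
    for name, (delivered, blocked) in demo().items():
        print(f"{name}: delivered={delivered} blocked={blocked}")
```

Running demo() shows the three outcomes worth remembering for this objective: with an attach rule in place the DROP is held and dropped; S-GATE Terminate without a prior attach does nothing because the session is still detached; and S-TAP Terminate ends the session only after the offending request and one in-flight request have already reached the server.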

References:
https://www.ibm.com/docs/en/guardium/11.3?topic=actions-blocking-rule

https://www.ibm.com/docs/en/guardium/11.3?topic=servers-file-activity-monitoring-functionality

Section 2 – Deploy and Configure the Guardium System
This section focuses on installation, deployment, and configuration of Guardium appliances and agents,
including licensing.

This section accounts for approximately 13% of the exam.

2.1 Configure Guardium appliances


Subtask:

2.1.1 Most of the information on the System Configuration panel is set by using the CLI at installation
time from the installation media.

2.1.1.1 You need to mount the installation media on the server to start the installation.

2.1.1.2 You can deploy a Guardium system in any of several operating modes. As you plan your
Guardium environment, you might deploy systems in any or all of the operating modes described
in task 1.4.

2.1.1.3 Set up the physical or virtual appliance.

2.1.1.4 The initial step should be the network configuration, which must be done locally through the
Command Line Interface (CLI) accessible through the serial port or the system console. In the following
steps, you will supply various network parameters to integrate the Guardium system into your
environment, using CLI commands.

2.1.1.4.1 Set the primary and secondary system IP addresses.

2.1.1.4.2 Set the Default Router IP Address.

2.1.1.4.3 Set DNS Server IP Address.

2.1.1.4.4 Set the SMTP Server.

2.1.1.4.5 Set Host and Domains Names.

2.1.1.4.6 Set the Time Zone, Date and Time.

2.1.1.4.7 Set the Initial Unit Type.

2.1.1.4.8 Reset the root password.

2.1.1.4.9 Validate all settings.

2.1.1.4.10 Reboot the system.

2.1.2 About System Shared Secret:

2.1.2.1 The Guardium administrator defines the system shared secret in the System Configuration
window. The system shared secret is used for two general purposes:

2.1.2.1.1 To sign and encrypt files for export or archive (and to verify and decrypt them when importing
or restoring data exports and data archives), and to establish secure communications between Central
Managers and managed units.

2.1.2.1.2 If you are using Central Management and/or aggregation, you must set the System Shared
Secret for all related systems to the same value. The system shared secret value is null at installation
time. Depending on a company’s security practices, it may be necessary to change the system shared
secret on a periodic basis. Each appliance maintains a shared secret keys file, containing an historical
record of all shared secrets defined on that appliance. The same system thus will have no problem at a
later date decrypting information that has been encrypted on that system. When information is
exported or archived from one system, and imported or restored on another, the latter must have
access to the shared secret used by the former. For these cases, there are CLI commands that can be
used to export the system shared secrets from one Guardium system, and import them on another.
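An added illustration of the two roles of the system shared secret (this editor's example, not Guardium's real keys file, file format or cipher; the Appliance, export_archive and import_archive names are the example's own): each system keeps every secret it has ever been given, an export is signed and encrypted under the current one and tagged with a key id, and a second system can restore it only once the matching secret has been imported. The toy stream cipher stands in for a real one only because the Python standard library has no AES.

```python
"""Model of the system shared secret's two jobs: signing/encrypting exports and
keeping a history of secrets so earlier archives still open after a change.
Added teaching example, not Guardium's file format or cipher."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional


def _derive(secret: bytes, purpose: bytes) -> bytes:
    """Separate encryption and MAC keys from one shared secret (HMAC-SHA256 as a KDF)."""
    return hmac.new(secret, purpose, hashlib.sha256).digest()


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy counter-mode stream cipher over SHA-256, used only because the standard
    library ships no AES; the point of the example is the key handling."""
    out = bytearray()
    for block, start in enumerate(range(0, len(data), 32)):
        ks = hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[start:start + 32], ks))
    return bytes(out)


def _key_id(secret: bytes) -> bytes:
    """Short public identifier of a secret, so an importer can pick the right one."""
    return hashlib.sha256(b"key-id:" + secret).digest()[:8]


class Appliance:
    """One Guardium-like system with its shared secret keys file (a list, newest last)."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.secrets: List[bytes] = []  # empty == the null secret set at installation

    def set_shared_secret(self, secret: str) -> None:
        self.secrets.append(secret.encode())

    def export_secrets(self) -> List[bytes]:
        return list(self.secrets)

    def import_secrets(self, secrets: List[bytes]) -> None:
        for s in secrets:
            if s not in self.secrets:
                self.secrets.append(s)

    def export_archive(self, payload: bytes) -> Dict[str, bytes]:
        """Encrypt-then-MAC the payload under the current secret; tag it with the key id."""
        if not self.secrets:
            raise RuntimeError("system shared secret is null; set it before exporting")
        secret = self.secrets[-1]
        nonce = os.urandom(16)
        ct = _keystream_xor(_derive(secret, b"enc"), nonce, payload)
        kid = _key_id(secret)
        mac = hmac.new(_derive(secret, b"mac"), kid + nonce + ct, hashlib.sha256).digest()
        return {"key_id": kid, "nonce": nonce, "ct": ct, "mac": mac}

    def import_archive(self, archive: Dict[str, bytes]) -> Optional[bytes]:
        """Find the key id in this system's history; None if unknown or tampered."""
        for secret in self.secrets:
            if _key_id(secret) != archive["key_id"]:
                continue
            expected = hmac.new(_derive(secret, b"mac"),
                                archive["key_id"] + archive["nonce"] + archive["ct"],
                                hashlib.sha256).digest()
            if not hmac.compare_digest(expected, archive["mac"]):
                return None  # signature check failed
            return _keystream_xor(_derive(secret, b"enc"), archive["nonce"], archive["ct"])
        return None  # no secret in the keys file matches


def demo() -> Dict[str, Optional[bytes]]:
    """Rotate the secret on one system and restore its archives on another."""
    a = Appliance("collector-a")  # constructed names
    a.set_shared_secret("secret-2023")
    old = a.export_archive(b"archive from 2023")
    a.set_shared_secret("secret-2024")  # periodic change; history keeps secret-2023
    new = a.export_archive(b"archive from 2024")

    b = Appliance("aggregator-b")
    b.set_shared_secret("secret-2024")  # same current value, as aggregation requires
    results = {
        "a_restores_old": a.import_archive(old),
        "b_restores_new": b.import_archive(new),
        "b_restores_old_before_import": b.import_archive(old),
    }
    b.import_secrets(a.export_secrets())  # the CLI export/import of shared secrets, modelled
    results["b_restores_old_after_import"] = b.import_archive(old)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The point the model makes is the one the guide states: the exporting system never loses the ability to read its own older archives, while a different system can read them only after the secret history has been carried over, and a null secret cannot export at all.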

2.1.3 Modifying the System Configuration:

2.1.3.1 You can modify some of the parameters that you set up earlier, such as the system IP address or
domain name. Click Setup > Tools and Views > System to open System Configuration.

References:
https://www.ibm.com/docs/en/guardium/11.3?topic=system-configuration

https://www.ibm.com/docs/en/guardium/11.3?topic=system-operating-modes

https://www.ibm.com/docs/en/guardium/11.3?topic=system-step-4-set-up-initial-basic-configuration

2.2 Install license keys


Subtask:

2.2.1 License Keys: Establishing a functional Guardium system requires both a base license and one or
more append licenses.

2.2.1.1 Procedure to install license keys: Installing a Guardium license key is a two-step
process: you install the license key and then read and accept the terms of the license
agreement. After installing a Guardium license key, the user interface reloads to reflect the
functionality enabled by the new license.

Establishing a functional Guardium system requires installing both a base license and at least one
append license. The base license must be installed and accepted before installing and accepting any
append licenses.

2.2.1.1.1 Install license key with the command line interface (CLI)

2.2.1.1.1.1 store license command: applies a new license key to the appliance.

2.2.1.1.1.2 show license command: shows details about the license for this appliance.

2.2.1.1.1.3 license check command: indicates whether the installed license is valid. Use this command
after you install a new product key.

2.2.1.1.2 Install license key with the graphical user interface (GUI)

References:
https://www.ibm.com/support/pages/what-licenses-do-i-need-set-guardium-v101x-and-newer-appliances

https://www.ibm.com/docs/en/guardium/11.3?topic=next-install-license-keys

https://www.ibm.com/docs/en/guardium/11.3?topic=system-license-keys

https://www.ibm.com/docs/en/guardium/11.3?topic=commands-configuration-control-cli

2.3 Install and Configure Guardium agents


Subtask:

2.3.1 Guardium Installation Manager

2.3.1.1 Installing the GIM client on a Windows server

2.3.1.2 Installing the GIM client on a UNIX server

2.3.1.3 Uninstalling GIM and its modules on a UNIX database

2.3.1.4 Deploy monitoring agents

2.3.1.5 Create and manage custom GIM certificates

2.3.2 S-TAP

2.3.2.1 Linux-UNIX: Installing, upgrading and uninstalling S-TAP agents

2.3.2.1.1 Linux-UNIX: Install S-TAP agents installation flow

2.3.2.1.2 Linux-UNIX: S-TAP installation prerequisites

2.3.2.1.3 Linux-UNIX: Before you start installing S-TAP

2.3.2.1.4 Linux-UNIX: Use GIM to install, upgrade, uninstall the S-TAP

2.3.2.1.5 Linux-UNIX: Use RPM to install, upgrade, uninstall the S-TAP

2.3.2.1.6 Linux-UNIX: Use shell installer to install, upgrade, uninstall the S-TAP

2.3.2.1.7 Linux-UNIX: Use native installers to install, upgrade, uninstall the S-TAP

2.3.2.1.8 Linux-UNIX: Special environments configuration

2.3.2.1.9 Linux-UNIX: Work with K-TAP


2.3.2.2 Windows: Install, upgrade, and uninstall the S-TAP agent

2.3.2.2.1 Windows: Use GIM to install, upgrade, uninstall the S-TAP

a. Windows: Prerequisites: installing S-TAP

2.3.2.2.2 Windows: Use interactive installer (wizard) to install, upgrade, uninstall the S-TAP

2.3.2.2.3 Windows: Use CLI to install, upgrade, uninstall the S-TAP

2.3.2.2.4 Windows: Remove the S-TAP using Add/Remove Programs

2.3.2.2.5 Windows: S-TAP installation flow on Oracle RAC

2.3.2.2.6 Windows: Managing S-TAP when upgrading your database

2.3.2.2.7 Windows: Managing S-TAP when upgrading your database operating system

2.3.2.2.8 Windows: When to restart or reboot the database server after S-TAP installation or upgrade

2.3.2.3 Db2 for IBM i S-TAP

2.3.2.3.1 Monitoring strategy

2.3.2.3.2 Installing the S-TAP for IBM i

2.3.2.4 z/OS agents

2.3.2.4.1 Db2 for z/OS

2.3.2.4.2 IMS for z/OS

2.3.2.4.3 Data Sets for z/OS

2.3.3 Configuration auditing system (CAS)

2.3.3.1 Prerequisites, installing, and running CAS on a Windows server

2.3.3.1.1 Installing CAS from the CLI

2.3.3.1.2 Installing CAS with GIM

2.3.3.2 Prerequisites, installing and running CAS on a Linux, UNIX server

2.3.4 File activity monitoring agent

2.3.4.1 Installing and activating the agents on LUW servers

2.3.4.2 Installing agents for SharePoint

2.3.4.3 Installing agents for NAS

References:
https://www.ibm.com/docs/en/guardium/11.0/11.0?topic=manager-installing-gim-client-windows-server

https://www.ibm.com/docs/en/guardium/11.0/11.0?topic=manager-installing-gim-client-unix-server

https://www.ibm.com/docs/en/guardium/11.0/11.0?topic=guide-linux-unix-installing-upgrading-uninstalling-tap-agents

https://www.ibm.com/docs/en/guardium/11.0/11.0?topic=guide-windows-install-upgrade-uninstall-tap-agent

https://www.ibm.com/docs/en/guardium/11.0/11.0?topic=cas-prerequisites-installing-running-windows-server

https://www.ibm.com/docs/en/guardium/11.0/11.0?topic=cas-prerequisites-installing-running-linux-unix-server

https://www.ibm.com/docs/en/guardium/11.0/11.0?topic=db2-tap

IBM Security Guardium S-TAP for Db2 on z/OS - IBM Documentation

IBM Security Guardium S-TAP for IMS on z/OS - IBM Documentation

IBM Security Guardium S-TAP for Data Sets on z/OS - IBM Documentation

2.4 Configure and attach identity providers


Subtask:

2.4.1 Understand the types of identity providers supported by Guardium

2.4.1.1 LDAP vs RADIUS vs smart card

2.4.2 Define which users cannot be authenticated against external repositories

2.4.2.1 cli

2.4.2.2 admin

2.4.2.3 accessmgr

2.4.2.4 guardcliX

2.4.3 Differentiate between user import and user authentication

2.4.3.1 user import = creating user accounts in Guardium by importing from an LDAP query

2.4.3.2 user authentication = leveraging an external identity provider to validate an identity

2.4.4 Configure Guardium to authenticate users against the identity provider

2.4.5 Configure Guardium to use 2FA

2.4.6 Test authentication in the Guardium environment

References:
https://www.ibm.com/docs/en/guardium/11.3?topic=system-configuring-authentication

2.5 Configure SMTP on the appliance


Subtask:

2.5.1 SMTP Server: An SMTP server is required to send system alerts. Enter commands to set your SMTP
server IP address, set a return address for messages, and enable SMTP alerts on startup.

2.5.2 Configure Alerter: You can configure the Alerter subsystem to send messages to both SMTP and
SNMP servers

2.5.2.1 SMTP STARTTLS: sets encryption for the email server.

References:
https://www.ibm.com/docs/en/guardium/11.3?topic=configuration-smtp-server

https://www.ibm.com/docs/en/guardium/11.3?topic=commands-alerter-cli

2.6 Configure SIEM on appliance


Subtask:

2.6.1 Remote loggers

2.6.1.1 show remotelog

2.6.1.2 store remotelog add

2.6.2 Combining real-time alerts and correlation analysis with SIEM products

2.6.2.1 CEF Mapping

2.6.2.2 LEEF Mapping

2.6.3 Bidirectional integration IBM Security QRadar and Guardium

2.6.4 Integrating with 3rd party SIEM products
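The CEF and LEEF mappings listed above describe how a Guardium record is laid out for a SIEM; the following added example (this editor's, not IBM's) parses both layouts from syslog lines and runs a simple severity triage over them, which is what a receiving SIEM or a custom collector has to do first. The sample lines, vendor/product strings, event ids and field names are constructed for the example and are not taken from Guardium's documented mapping.

```python
"""Parser for the CEF and LEEF event formats a remote logger can emit to a SIEM,
plus a small triage pass over the parsed events. Added teaching example; the
sample lines and their field names are constructed, not Guardium's documented
CEF/LEEF mapping."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class SiemEvent:
    fmt: str                  # "CEF" or "LEEF"
    version: str              # "0" for CEF; "1.0" or "2.0" for LEEF
    vendor: str
    product: str
    product_version: str
    event_id: str
    name: str = ""            # CEF header only
    severity: str = ""        # CEF header only; LEEF carries it as an attribute
    fields: Dict[str, str] = field(default_factory=dict)


_UNESCAPED_PIPE = re.compile(r"(?<!\\)\|")
# key=value pairs; values may contain spaces and backslash-escaped '=' or '\'.
_CEF_KV = re.compile(r"([A-Za-z0-9_.]+)=((?:\\.|[^\\=])*?)(?=\s+[A-Za-z0-9_.]+=|\s*$)")


def _unescape(s: str) -> str:
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), s)


def parse_cef(body: str) -> SiemEvent:
    """CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension."""
    parts = _UNESCAPED_PIPE.split(body, maxsplit=7)
    if len(parts) < 7 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    ext = parts[7] if len(parts) == 8 else ""
    h = [_unescape(p) for p in parts[:7]]
    return SiemEvent("CEF", h[0][4:], h[1], h[2], h[3], h[4], h[5], h[6],
                     {k: _unescape(v) for k, v in _CEF_KV.findall(ext)})


def parse_leef(body: str) -> SiemEvent:
    """LEEF:1.0|Vendor|Product|Version|EventID|attrs (tab-separated) or
    LEEF:2.0|Vendor|Product|Version|EventID|delim|attrs, delim literal or xHH hex."""
    parts = _UNESCAPED_PIPE.split(body, maxsplit=6)
    if len(parts) < 6 or not parts[0].startswith("LEEF:"):
        raise ValueError("not a LEEF record")
    version, delim = parts[0][5:], "\t"
    if version.startswith("2.") and len(parts) == 7:
        d, attrs = parts[5], parts[6]
        if len(d) > 1 and d.startswith("x"):
            delim = chr(int(d[1:], 16))
        elif d:
            delim = d
    else:
        attrs = "|".join(parts[5:])  # LEEF 1.0: everything after the fifth pipe
    fields = {}
    for kv in attrs.split(delim):
        if "=" in kv:
            k, v = kv.split("=", 1)
            fields[k.strip()] = _unescape(v)
    h = [_unescape(p) for p in parts[:5]]
    return SiemEvent("LEEF", version, h[1], h[2], h[3], h[4], fields=fields)


def parse_syslog_line(line: str) -> Optional[SiemEvent]:
    """Skip the syslog header the remote logger prepends and dispatch on the format tag."""
    for tag, fn in (("CEF:", parse_cef), ("LEEF:", parse_leef)):
        i = line.find(tag)
        if i >= 0:
            return fn(line[i:].rstrip("\r\n"))
    return None


def severity_of(ev: SiemEvent) -> Optional[int]:
    raw = ev.severity if ev.fmt == "CEF" else ev.fields.get("sev", "")
    return int(raw) if raw.isdigit() else None


def triage(lines: List[str], threshold: int = 7) -> List[Tuple[str, str, str]]:
    """(event_id, user, source IP) for every event at or above `threshold`, whatever its format."""
    hits = []
    for line in lines:
        ev = parse_syslog_line(line)
        if ev is None:
            continue
        sev = severity_of(ev)
        if sev is not None and sev >= threshold:
            user = ev.fields.get("suser") or ev.fields.get("usrName", "")
            hits.append((ev.event_id, user, ev.fields.get("src", "")))
    return hits


# Constructed sample lines, as a syslog receiver might store them.
SAMPLE_LINES = [
    "<13>Mar  4 10:22:31 guard-collector CEF:0|IBM|Guardium|11.3|POLICY_VIOLATION|"
    "Unauthorized table access|7|src=10.1.2.3 suser=appuser dst=10.1.2.40 msg=Select on table\\=CARDS",
    "<13>Mar  4 10:22:32 guard-collector LEEF:2.0|IBM|Guardium|11.3|POLICY_VIOLATION|x09|"
    "src=10.1.2.3\tusrName=appuser\tdst=10.1.2.40\tsev=7",
    "<13>Mar  4 10:22:33 guard-collector LEEF:1.0|IBM|Guardium|11.3|LOGIN_FAILED|"
    "src=10.1.2.9\tusrName=sa\tdst=10.1.2.40",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LINES):
        print(hit)
```

The two details that most often break home-grown receivers are handled explicitly: CEF escapes `|` in the header and `=` in extension values with a backslash, while LEEF 2.0 can declare its own attribute delimiter (here `x09`, a tab) in the sixth header field.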

References:
https://www.ibm.com/docs/en/guardium/11.3?topic=system-remote-loggers

https://www.ibm.com/docs/en/guardium/11.3?topic=commands-configuration-control-cli#concept_dgk_2cj_4lb__store_remotelog

https://www.ibm.com/docs/en/guardium/11.3?topic=commands-configuration-control-cli#concept_dgk_2cj_4lb__show_remotelog_status

https://www.ibm.com/docs/en/guardium/11.3?topic=pi-combining-real-time-alerts-correlation-analysis-siem-products

https://www.ibm.com/docs/en/guardium/11.3?topic=integration-cef-mapping

https://www.ibm.com/docs/en/guardium/11.3?topic=integration-leef-mapping

https://www.ibm.com/docs/en/guardium/11.3?topic=integration-qradar-guardium

https://www.ibm.com/docs/en/guardium/11.3?topic=integration-installing-integrating-splunk

Section 3 – Discover & Classify
To protect sensitive data, you must first locate it and determine the nature of the data. This section
covers discovering databases, probing discovered databases for sensitive information, and classifying
the information.

This section accounts for approximately 7% of the exam.

3.1 Discover the databases on the network


Subtask:

3.1.1 Linux-UNIX: Discover database instances

3.1.2 Windows: Discover database instances

3.1.3 Configure and run discovery at S-TAP installation, upgrade and regular intervals

3.1.4 Create and run inspection engines on newly discovered Databases

3.1.5 Modify the guard_tap.ini as needed

3.1.6 Configure the Guardium autodiscovery application

3.1.7 Define, run and schedule Scan Jobs and Probe Jobs

References:
https://www.ibm.com/docs/en/guardium/11.3?topic=tap-windows-discover-database-instances

https://www.ibm.com/docs/en/guardium/11.3?topic=tap-linux-unix-discover-database-instances

https://www.ibm.com/docs/en/guardium/11.3?topic=discover-database-discovered-instances-rules

IBM Course 8G101 Unit 8

3.2 Locate and classify sensitive data


Subtask:

3.2.1 Use Discover > Classification > Discover Sensitive Data

3.2.2 What to discover: Create policies consisting of rules and rule actions for discovering and classifying
sensitive data

3.2.3 Explain and configure classification policies

3.2.4 Modify the classification process for a minimal performance impact

3.2.5 Run the classification process and review the results

References:
https://www.ibm.com/docs/en/guardium/11.3?topic=data-discovery-scenarios

https://www.ibm.com/docs/en/guardium/11.3?topic=data-run-discovery-review-report

https://www.ibm.com/docs/en/guardium/11.3?topic=discover-classification

https://www.ibm.com/docs/en/guardium/11.3?topic=audit-manage-classification-vulnerability-assessment

Section 4 – Protect & Monitor
Policies protect and monitor known sensitive data. This section addresses design and implementation of
policy.

This section accounts for approximately 18% of the exam.

4.1 Build a policy


Subtask:

4.1.1 Understanding policies

4.1.1.1 Rule types, categories, classifications

4.1.1.2 Minimum counts and reset intervals

4.1.1.3 Record values with policy violation

4.1.1.4 Values and groups of values in rules

4.1.1.5 Matching patterns with regular expressions

4.1.1.6 Special pattern tests

4.1.1.7 Log flat

4.1.1.8 Rules on flat

4.1.1.9 Selective audit trail

4.1.1.10 Analyzer rules

4.1.1.11 Character sets

4.1.2 Session-level policies

4.1.2.1 Session-level policy actions

4.1.2.2 Database support for session-level policies

4.1.2.3 Creating session-level policies

4.1.3 Create and install a policy and policy rules

4.1.4 Use the Policy Installation tool

References:
https://www.ibm.com/docs/en/guardium/11.0/11.0?topic=policies-understanding

https://www.ibm.com/docs/en/guardium/11.0/11.0?topic=policies-session-level

https://www.ibm.com/docs/en/guardium/11.0/11.0?topic=policies-creating-installing-policy-policy-rules

https://www.ibm.com/docs/en/guardium/11.0/11.0?topic=policies-using-policy-installation-tool

4.2 Define and implement Policy Rules logic


Subtask:

4.2.1 Define session-level policy actions vs. SQL level policy actions

4.2.2 Define the different types of policy rules, actions available in each rule type and their use cases.

4.2.2.1 Access rules

4.2.2.2 Exception rules

4.2.2.3 Extrusion rules

4.2.3 Define Ignore actions and Selective Audit Trail -- how data is handled in each and their use
cases.

4.2.3.1 Differentiate between Ignore actions vs. Skip logging actions

4.2.3.2 Differentiate between different available Ignore SQL actions vs. Ignore Session actions

4.2.4 Define blocking rule actions

4.2.4.1 S-GATE Attach, Detach behaviors

4.2.4.2 S-TAP Terminate vs. S-GATE Terminate and their use cases

4.2.4.3 Define the required STAP FIREWALL parameters and how they relate to different blocking
actions/behaviors

4.2.4.4 Limitations to blocking actions

4.2.5 Define alert rule actions

4.2.5.1 Available notification types and use cases of each (Email, SNMP, SYSLOG and its different formats, etc.)

4.2.5.2 Differentiate available alert actions and their behaviors (e.g. Alert once per session, Alert per match, Alert only, etc.)

4.2.6 Define Log actions and their use cases

4.2.6.1 Differentiate between Log Full Details vs. Log Masked Details vs. Log only vs. Allow actions

4.2.6.2 Define the differences between Log Full Details vs. default logging behaviors, performance
impact and data usage/retention of each.

4.2.7 Define the sequence of policy rule logic and know how to apply different policy rules based on different requirements

4.2.8 Define policy tags

4.2.9 Using Policy analyzer to assist with policy tuning

References:
https://www.ibm.com/docs/en/guardium/11.3?topic=protect-policies

4.3 Setup outlier detection settings


Subtask:

4.3.1 Enable and start auditing outlier detection in two easy steps, letting Guardium do the work of identifying abnormal server and user behavior and providing early detection of possible attacks.

4.3.1.1 By default, outliers detection is disabled. To enable it, log in to the Guardium system as a user or administrator with the CLI role.

4.3.1.2 The Guardium API commands enable_outliers_detection and disable_outliers_detection are used for enabling and disabling outliers detection on any Guardium system, in any topology.

4.3.2 Run the API command on a CM with no additional parameters to enable or disable outliers detection on all managed units, and on all units registered to the CM thereafter. Alternatively, you can limit the enable/disable to a list of units. Similarly, disabling outliers detection on a CM disables it on all units registered with the CM.

4.3.2.1 Enable outliers detection on a collector that extracts data to an aggregator. Outliers
detection is enabled on the aggregator (if not already enabled) and the collector starts sending
data to the aggregator. When disabling on a collector, if this is the only collector sending data to the
aggregator, then the collector stops sending data, and outliers detection is disabled on the aggregator.

4.3.2.2 When enabling on a collector that extracts data to an aggregator that is not in the same CM
environment as the collector, the collector starts sending data to the aggregator, and the API responds
with the name of the aggregator that needs to be enabled for outliers detection. When enabling on an
aggregator, outliers detection is enabled and collectors in the same CM environment start sending data.
If the aggregator receives data from collectors in a different CM environment, the API responds with a
list of all collectors that need to be enabled for outliers detection. To enable on individual aggregators or
collectors, use the commands enable_outliers_detection_cross_cm_agg and
enable_outliers_detection_cross_cm_collector.

References:
https://www.ibm.com/docs/en/guardium/11.3?topic=protect-outliers-detection

4.4 Differentiate between policy actions


Subtask:

4.4.1 Explain the actions for session level rules vs. data security policy actions

4.4.2 Configure and use Blocking rule actions (S-TAP Terminate and S-GATE)

4.4.3 Configure and use Alerting rule actions for Guardium email, SMTP email, SNMP traps or syslog messages

4.4.4 Set logging granularity using the Manage > Activity Monitoring > Inspection Engines tool.

References:

IBM Course 8G101 Unit 7


https://www.ibm.com/docs/en/guardium/11.3?topic=policies-policy-rule-actions

https://www.ibm.com/docs/en/guardium/11.3?topic=actions-blocking-rule

https://www.ibm.com/docs/en/guardium/11.3?topic=actions-alerting-rule

4.5 Interpret results of analytic engines


Subtask:

4.5.1 Active Threat Analytics and Outlier detection

4.5.1.1 Define the different types of threats identified by Active Threat Analytics

4.5.1.2 User/DB activities that can be identified as suspected outliers

4.5.1.3 Working with case reports – available actions and integration with ticketing systems

4.5.2.4 Using Investigation Dashboards – quick search, charts available for investigation and drill-down
symptoms with use case scenarios

4.5.2.5 Knowledge of risk-based approach

4.5.3 Risk Spotter

4.5.3.1 Define the different risk indicators used in Risk Spotter algorithms

4.5.3.2 What to do for identified high-risk users (e.g. add to watchlist; add to trusted users group; investigate / drill down using Investigation dashboards; check access to sensitive objects, etc.)

References:
https://www.ibm.com/docs/en/guardium/11.3?topic=protect-active-threat-analytics

https://www.ibm.com/docs/en/guardium/11.3?topic=analytics-threat-descriptions

https://www.ibm.com/docs/en/guardium/11.3?topic=analytics-working-case-reports

https://www.ibm.com/docs/en/guardium/11.3?topic=spotter-risk-risk-indicators

4.6 Monitor resources of appliance


Subtask:

4.6.1 You can monitor the Guardium system using a combination of built-in and custom correlation alerts, and through the Deployment health views.

4.6.1.1 Alerts

4.6.1.1.1 Alert users to issues that may affect system performance, such as: CPU utilization, database disk space, inactive S-TAPs, and no-traffic situations.

4.6.1.1.2 The Sniffer Buffer Usage domain is the basis for most of the following alerts:

4.6.1.1.2.1 Sniffer Restart Alert

4.6.1.1.2.2 High CPU Utilization

4.6.1.1.2.3 Database Disk Space Alerts

4.6.1.1.2.4 Inactive S-TAP Alerts

4.6.1.1.2.5 No Traffic Alerts

4.6.1.2 Deployment health views

4.6.1.2.1 Deployment health dashboard

4.6.1.2.1.1 The deployment health dashboard provides an at-a-glance summary of issues that are found across a Guardium deployment. The dashboard is especially useful for identifying patterns and trends in the health data before investigating individual systems where problems are identified.

References:
https://www.ibm.com/docs/en/guardium/10.1?topic=SSMPHH_10.1.0/com.ibm.guardium.doc.admin/adm/how_to_monitor_the_guardium_system_via_alerts.html

https://www.ibm.com/docs/en/guardium/11.3?topic=functions-deployment-health-views

Section 5 – Audit & Report
Auditing is an important component of data security. This section focuses on creating queries and
reports that are used for auditing data security.

This section accounts for approximately 13% of the exam.

5.1 Create custom report queries


Subtask:

5.1.1 If the predefined reports do not meet your needs, create a query from scratch, or clone and
modify an existing query.

5.1.1.1 Open the Query Builder by navigating to Investigate > Exceptions > Query-Report Builder or
Reports > Report Configuration Tools > Query-Report Builder.

5.1.1.2 Create a query using these guidelines:

5.1.1.2.1 Select a pre-defined query. A dialog box opens and you can choose to:

5.1.1.2.1.1 Open the original query (click Open original) to modify some attributes (for example:
Managing query security roles, Adding a query to a datamart, Modifying the query drilldown control,
Modifying the API assignment, Creating dashboards and adding reports). You cannot modify its query
attributes or conditions.

5.1.1.2.1.2 Make a copy by clicking Make copy and giving it a new name. Continue with Defining the
query name and attributes.

5.1.1.2.2 Select the domain you want to query from the Select Domain drop-down. Select one for
copying or click New. The New Query page opens. Continue with Defining the query name and
attributes.

5.1.1.2.3 Select a user-defined query. Its properties open in the right-hand pane. You can edit the query, or click the Clone icon to copy the query. Continue with any query configuration tasks.

5.1.1.2.4 Create a new query: Click New. The New Query page opens. Continue with Defining the query
name and attributes.

5.1.2 Define the common reporting domains used in Guardium

5.1.3 Explain the importance of the main entity when building a report

5.1.4 Explain entities and attributes in common domains

References:
https://www.ibm.com/docs/en/guardium/11.3?topic=reports-using-query-report-builder

5.2 Configure audit flow


Subtask:

5.2.1 Workflow Builder

5.2.1.2 How to use Customized Workflows

5.2.1.3 Open Workflow Process Results

5.2.2 Building audit processes

5.2.2.1 Explain how to create an Audit Process using a pre-defined report

5.2.2.2 Explain how audit processes can be used to automate Guardium functionalities

5.2.3 Audit process receivers

5.2.4 Differentiate between export options

References:
https://www.ibm.com/docs/en/guardium/11.3?topic=audit-workflow-builder

https://www.ibm.com/docs/en/guardium/11.3?topic=builder-how-use-customized-workflows

https://www.ibm.com/docs/en/guardium/11.3?topic=builder-opening-workflow-process-results

https://www.ibm.com/docs/en/guardium/11.3?topic=audit-building-processes

https://www.ibm.com/support/pages/ibm-security-guardium-how-create-audit-process-using-pre-defined-report

https://www.ibm.com/docs/en/guardium/11.3?topic=processes-audit-process-receivers

Section 6 – Assess & Harden
This section focuses on scanning databases and platforms to discover and remediate vulnerabilities.

This section accounts for approximately 7% of the exam.

6.1 Identify vulnerabilities in different databases and platforms


Subtask:

6.1.1 Describe the vulnerability assessment feature

6.1.2.1 Quarterly updated tests; suggests remediation activities

6.2.1 View results of an assessment

6.2.2 Assessment test categories

6.2.3 Assessment results summary

6.2.4 Assessment test tuning

6.2.5 Assessment custom test

6.2.6 Assessment exceptions

References:

IBM Course 8G101 Unit 7


https://www.ibm.com/docs/en/guardium/11.3?topic=harden-configuration-auditing-system-cas

https://www.ibm.com/docs/en/guardium/11.3?topic=commands-configuration-auditing-system-apis

https://www.ibm.com/docs/en/guardium/10.5?topic=harden-introducing-guardium-vulnerability-assessment

https://www.ibm.com/docs/en/guardium/11.0/11.0?topic=assessments-viewing-assessment-results

https://www.ibm.com/docs/en/guardium/11.1?topic=assessments-tuning-test

6.3 Configure and operate Configuration Audit System (CAS)


Subtask:

6.3.5 Configuration Auditing System (CAS)

6.3.5.1 CAS hosts

6.3.5.2 CAS status

6.3.5.3 CAS reporting

6.3.5.4 CAS Config domain

6.3.5.4.1 CAS Changes domain

6.3.5.4.2 CAS Host History domain

6.3.5.5 CAS start-up and failover

6.3.5.6 CAS server authentication with SSL

6.3.6 Working with CAS templates

6.3.6.1 CAS templates

6.3.6.2 Create CAS template

References:
https://www.ibm.com/docs/en/guardium/11.3?topic=cas-prerequisites-installing-running-windows-server

https://www.ibm.com/docs/en/guardium/11.3?topic=cas-prerequisites-installing-running-linux-unix-server

https://www.ibm.com/docs/en/guardium/11.3?topic=parameters-linux-unix-configuration-auditing-system-cas

https://www.ibm.com/docs/en/guardium/11.3?topic=server-installing-cas-gim

https://www.ibm.com/docs/en/guardium/11.3?topic=server-installing-cas-from-cli

https://www.ibm.com/docs/en/guardium/11.3?topic=harden-configuration-auditing-system-cas

https://www.ibm.com/docs/en/guardium/11.3?topic=cas-hosts

https://www.ibm.com/docs/en/guardium/11.3?topic=cas-status

https://www.ibm.com/docs/en/guardium/11.3?topic=cas-reporting

https://www.ibm.com/docs/en/guardium/11.3?topic=domains-cas-config-domain

https://www.ibm.com/docs/en/guardium/11.3?topic=domains-cas-changes-domain

https://www.ibm.com/docs/en/guardium/11.3?topic=domains-cas-host-history-domain

https://www.ibm.com/docs/en/guardium/11.3?topic=cas-start-up-failover

https://www.ibm.com/docs/en/guardium/11.3?topic=cas-server-authentication-ssl

https://www.ibm.com/docs/en/guardium/11.3?topic=cas-working-templates

https://www.ibm.com/docs/en/guardium/11.3?topic=cas-templates

https://www.ibm.com/docs/en/guardium/11.3?topic=reference-create-cas-template

Section 7 – Maintain & Manage
This section addresses configuring the Guardium environment for high availability, setting up alerts,
applying fixes and managing the information that Guardium collects. It also addresses user and role
management and group management.

This section accounts for approximately 18% of the exam.

7.1 Configure high availability functions for appliances and agents


Subtask:

7.1.1 High availability load balancing for appliances

7.1.2 STAP High availability / failover options

7.1.3 Enterprise Load Balancer

7.1.3.1 Associate an S-TAP with managed units for enterprise load balancing

7.1.3.2 View the enterprise load balancing load map

7.1.3.3 View an enterprise load balancing activity report

7.1.3.4 Enterprise load balancing Guardium configuration parameters

References:
https://www.ibm.com/docs/en/guardium/11.0/11.0?topic=luct-linux-unix-tap-load-balancing-models-configuration-guidelines

https://www.ibm.com/docs/en/guardium/11.0/11.0?topic=functions-enterprise-load-balancing

https://www.ibm.com/docs/en/guardium/11.0/11.0?topic=balancing-associating-tap-managed-units-load

https://www.ibm.com/docs/en/guardium/11.0/11.0?topic=balancing-viewing-enterprise-load-load-map

https://www.ibm.com/docs/en/guardium/11.0/11.0?topic=balancing-viewing-enterprise-load-activity-report

https://www.ibm.com/docs/en/guardium/11.0/11.0?topic=balancing-enterprise-load-configuration-parameters

7.2 Configure alerts


Subtask:

7.2.1 Explain how to create a real-time alert

7.2.2 Custom Alerting Class Administration

7.2.3 Predefined Alerts

7.2.4 Correlation Alerts

References:
https://www.ibm.com/docs/en/guardium/11.0/11.0?topic=system-how-create-real-time-alert

https://www.ibm.com/docs/en/guardium/11.0/11.0?topic=system-custom-alerting-class-administration

https://www.ibm.com/docs/en/guardium/11.0/11.0?topic=system-notifications

https://www.ibm.com/docs/en/guardium/11.0/11.0?topic=system-predefined-alerts

7.3 Install patches (collectors, agents, central manager)


Subtask:

7.3.1 Review patch prerequisites

7.3.2 Install patches by CLI

7.3.3 Install patches by GUI

7.3.4 Distribute patches

7.3.5 Verify patches installation

7.3.6 Install DPS patch

7.3.7 Differentiate the different types of patches, for example GPU, sniffer, DPS, health check, etc.

References:
https://www.ibm.com/docs/en/guardium/11.1?topic=SSMPHH_11.1.0/com.ibm.guardium.doc.install/upgrade/install_distribute_patch.html

7.4 Configure data management processes


Subtask:

7.4.1 Differentiate between the Guardium data management processes

7.4.1.1 Data Archive > Data Archive backs up the audit data that Guardium captured, for a specified
date, to another location. Typically, data is archived for the previous day, which ensures that if there is a
catastrophe, only the data of that day is lost.

7.4.1.2 Backup > Guardium’s Backup functions are always full backups of the configuration of the
appliance, the database of the appliance, or both.

7.4.1.3 Data Export > Data Export is the first part of the Guardium aggregation process. It sends audit
data that Guardium captured, for a specified date, to an Aggregator. In some cases, Export can also
send from an Aggregator to another Aggregator (multi-tier aggregation). Typically, data is exported for
the previous day.

7.4.1.4 Data Import > Data Import is the second part of the Guardium aggregation process. It takes any and all data that has been exported to it and loads that data into the Aggregator’s database.

7.4.1.5 Definitions Import/Export > Guardium definitions can be exported from one appliance and
imported on another appliance.

7.4.1.6 Results Archive > The results archive includes: reports, assessment tests, entity audit trail,
privacy sets, classification processes, and the view and sign-off trails and the accumulated comments
from workflow processes. Use Archived results for compliance purposes.

7.4.1.7 Results Export > CSV, CEF, and PDF files can be created by workflow processes. This function
exports all such files that are on the Guardium system to the target system specified.

7.4.1.8 Data Restore > You can restore archived data files to review historical data, and run reports or
investigations. Restoration uses the Data and Result catalogs on each Guardium system to track archived
files.

7.4.2 Define supported platforms for data management (SCP, SFTP, Amazon S3, IBM COS (Cleversafe),
EMC Centera, Tivoli Storage Manager)

7.4.3 Configure Archive

7.4.4 Configure Backup

7.4.5 Configure Export

7.4.6 Configure Import

7.4.7 Perform Definitions Export

7.4.8 Perform Definitions Import

7.4.9 Configure Results Archive

7.4.10 Enter the destination specifics

7.4.11 Set the schedule

7.4.12 Perform a Data Restore

7.4.12.1 Ensure the System Shared Secret that protects the Archive File is entered on the appliance where the restore is taking place

7.4.12.2 Stop the Sniffer if needed

7.4.12.3 If the target restore system is not the system that generated the archive, create a location entry in the catalog manually or through export/import

References:
https://www.ibm.com/docs/en/guardium/11.3?topic=system-managing-data-archive-restore-aggregation-backup

7.5 Manage and maintain groups


Subtask:

7.5.1 Create groups

7.5.2 Modifying groups

7.5.3 View group memberships

7.5.4 Check where the groups are being used

7.5.5 How to populate groups

7.5.5.1 Use the import menu to add group members by the following methods:

7.5.5.1.1 CSV

7.5.5.1.2 Group

7.5.5.1.3 External datasource

7.5.5.1.4 Query

7.5.5.1.5 LDAP

References:
https://www.ibm.com/docs/en/guardium/11.3?topic=groups-using-group-builder

7.6 Setup and maintain user accounts


Subtask:

7.6.1 Define the Guardium user roles

7.6.2 Manage users

7.6.2.1 Explain user account management in the Central Manager (e.g. Add new user/role in CM, it may
take up to an hour for managed units to sync)

7.6.2.2 Data Security – User hierarchy and database associations

7.6.2.3 Knowledge of integration options (e.g. LDAP, CyberArk, etc.)

7.6.2.3.1 Importing users from LDAP

7.6.2.3.2 Knowledge of the CyberArk integration option

References:
https://www.ibm.com/docs/en/guardium/11.3?topic=overview-understanding-roles

https://www.ibm.com/docs/en/guardium/11.3?topic=overview-access-default-roles-applications

https://www.ibm.com/docs/en/guardium/11.3?topic=management-guardium-component-services

https://www.ibm.com/docs/en/guardium/11.3?topic=overview-data-security-user-hierarchy-database-associations

https://www.ibm.com/docs/en/guardium/11.3?topic=overview-importing-users-from-ldap

Section 8 – Problem Determination
This section covers troubleshooting and monitoring Guardium system health.

This section accounts for approximately 14% of the exam.

8.1 Troubleshoot installation issues


Subtask:

8.1.1 Check the validity of the installation file(s)

8.1.1.1 Confirm that the installation file is correct for the operating system

8.1.1.2 Confirm that the installation file checksum is correct

8.1.2 Verify all installation pre-requisites have been met

8.1.3 Set the debug level and review log files for errors

8.1.4 Modify parameters when S-TAP fails to start and/or crashes

8.1.4.1 Check for Linux/Unix buffer size too large error

8.1.4.2 Check Linux/Unix S-TAP for greater than 16 inspection engines

8.1.4.3 Check for the correct Windows S-TAP software_tap_ip

8.1.5 Create the /etc/event.d directory manually with the command mkdir /etc/event.d if GIM
installation fails

8.1.6 Install GIM in Program Files(x86) on Windows

8.1.7 Correct the Ktap installation parameters when Ktap installation fails

8.1.8 Open a Support case to obtain IBM assistance to resolve the issue

References:
https://www.ibm.com/docs/en/guardium/11.3?topic=troubleshooting-problems

https://www.ibm.com/support/pages/node/6334261#external_s-tap

https://www.ibm.com/docs/en/guardium/11.3?topic=solutions-s-taps-other-agents

https://www.ibm.com/docs/en/guardium/11.3?topic=gim-error-installing-guardium-installation-manager

https://www.ibm.com/docs/en/guardium/11.3?topic=gimg-guardium-installation-manager-gim-service-does-not-start-in-windows

https://www.ibm.com/docs/en/guardium/11.3?topic=solutions-installing-your-guardium-system

https://www.ibm.com/support/pages/node/733923

https://www.ibm.com/docs/en/guardium/11.3?topic=iygs-missing-file-directory-after-new-guardium-s-tap-installation

8.2 Troubleshoot data capture issues


Subtask:

8.2.1 Confirm that Inspection Engines are properly configured

8.2.2 Determine if the database connections are encrypted

8.2.2.1 Activate A-TAP

8.2.2.2 Implement User exit

8.2.3 Configure and capture debug logs

8.2.3.1 Choose S-TAP logging and set debug level

8.2.3.2 Choose K-TAP logging and set debug level

8.2.3.3 Choose Run Diagnostics

8.2.3.4 View S-TAP events

8.2.4 Review debug logs

8.2.5 Open a support case for expert assistance

References:
https://www.ibm.com/docs/en/guardium/11.3?topic=stoa-linux-s-tap-is-not-capturing-db2-exit-traffic

https://www.ibm.com/docs/en/guardium/11.3?topic=stoa-error-opening-shared-memory-area-when-you-configure-guardium-comm-exit-list-db2

https://www.ibm.com/docs/en/guardium/11.3?topic=stoa-guardium-fails-collect-shared-memory-traffic-from-informix

https://www.ibm.com/docs/en/guardium/11.3?topic=agents-s-tap-is-not-capturing-tap-traffic

https://www.ibm.com/docs/en/guardium/11.3?topic=system-cannot-configure-stap-after-upgrade

https://www.ibm.com/docs/en/guardium/11.3?topic=guide-linux-unix-configuring-s-tap

https://www.ibm.com/support/pages/node/733923

8.3 Troubleshoot operational issues


Subtask:

8.3.1 Check the Services Status panel for Issues

8.3.2 Perform self monitoring

8.3.2.1 Establish system health alerts

8.3.2.2 Enable the System Health Monitor

8.3.2.3 Review alerts and nanny process messages

8.3.2.4 Configure SNMP monitoring

8.3.2.5 Review Deployment Health Dashboard

8.3.2.6 Review S-TAP and GIM Dashboard

8.3.3 Create and review Self-monitoring reports

8.3.3.1 Review Buffer Usage Monitor report

8.3.3.2 Review Unit Utilization and Unit Utilization Details reports.

8.3.4 Open a support case for expert assistance

References:
https://www.ibm.com/docs/en/guardium/11.3?topic=monitoring-services-status-panel

https://www.ibm.com/docs/en/guardium/11.3?topic=monitoring-self

https://www.ibm.com/docs/en/guardium/11.3?topic=reference-enable-health-analyzer

https://www.ibm.com/docs/en/guardium/11.3?topic=monitoring-running-query-monitor

https://www.ibm.com/docs/en/guardium/11.3?topic=performance-unit-utilization-unit-utilization-details-reports

https://www.ibm.com/docs/en/guardium/11.3?topic=views-deployment-health-dashboard

https://www.ibm.com/support/pages/node/733923

8.4 Generate must gathers


Subtask:

8.4.1 Collect the must gather information using the UI

8.4.2 Collect the must gather information using the CLI

8.4.2.1 Enter the relevant must_gather commands at the CLI prompt in the format support must_gather <issue>

8.4.2.2 Retrieve the Must Gather data collection from the must_gather directory with a file name similar to: must_gather/system_logs/.tgz

References:
https://www.ibm.com/docs/en/guardium/11.3?topic=support-running-must-gather-in-ui

https://www.ibm.com/docs/en/guardium/11.3?topic=support-running-must-gather-from-cli

https://www.ibm.com/docs/en/guardium/11.3?topic=support-must-gather-unixlinux-s-tap

https://www.ibm.com/docs/en/guardium/11.3?topic=bis-must-gather-windows-s-tap-other-windows-agents
