Use the diag command as directed by Guardium Support. There are no functions that you would perform with this command on a regular basis. Each main menu entry is described in a separate topic (see Main Menu Commands, above).
To use the diag command, follow the procedure outlined below:
Log into the Guardium appliance as the cli user.
Enter the diag command (with no arguments) at the command line prompt.
When prompted for a password, you must enter the password for a Guardium user having the admin or accessmgr role.
You are presented with the main command menu.
Do one of the following to move the option selection cursor (which is selecting the first item in the example above):
Type the desired entry number (the selection cursor moves to the selected entry).
Use the Up or Down arrow key to select the desired entry.
Press the Spacebar, the Left arrow key, or the Right arrow key to move the command selection cursor at the bottom of the display (which is selecting the OK command in the example above).
Perform an action by selecting the appropriate option in the display area and then doing one of the following:
Select the appropriate command with the command selection cursor, then press the Enter key.
Click on the appropriate action command.
The diag command creates output in two directories:
/var/log/guard/diag/current
/var/log/guard/diag/depot
Each directory is described in the following subsections.
Most output from the diag commands is written in text format to the current directory. For most commands, this directory contains a single output file per command. Each time you run the same command, output is appended to the single file for that command. For a smaller number of commands, a separate file is created for each execution, usually incorporating a date and time stamp in the filename.
We recommend that you “clean up” after each session, so in subsequent sessions you are not looking at old information. When you pack files to a single compressed file for exporting (see the following topic), all files in the current directory are deleted. Alternatively, you can use the Delete recordings command of the Output Management menu to delete individual files.
The files in the current directory are easy to identify since the names are created from menu and command names. For example, after you use the File Summary command from the System Interactive Queries menu, a file named interactive_filesummary.txt is created in the current directory.
If you look at the current directory while in the process of using a command, you may see a hidden temporary file with the same name as the one that will contain the output for that command. The temporary file will be removed when the output is appended to the command output file.
When you pack the diag output files in the current directory to a compressed file (to send to Guardium Technical Support, for example), it is stored in the depot directory. The filename is in the format diag_session_<dd_mm_hhmm>.tgz, where the variable portion of the name indicates when the file was created. For example, a file created at 12:15 PM on May 20th would be named as follows: diag_session_20_5_1215.tgz.
After exporting files (see the Export recorded files topic, below), you can remove them from the depot directory using the Delete recordings command of the Output Management menu.
The Output Management commands control what is done with the output produced by the diag command. Each Output Management command is described separately below.
Use this command to pack all diagnostic files in the current directory into a single compressed file, and remove those files from the current directory. When you enter this command, there is no feedback to indicate that the command has completed. You can verify that the command has finished by displaying the directory of the depot directory. When the command completes, there is a file named in the following format: diag_session_<mm_dd_hhmm>.tgz, where the variable portion of the name is a date and time stamp, as described previously. Use the Export recorded files command of the Output Management menu to send the file to another system.
Use this command to delete files in the depot or current directory. (To delete only the current session files, use the Delete current session files command.) When you enter this command, the depot directory structure displays:
You can navigate the directories using the Up and Down arrow keys and pressing Enter. For example, selecting ../ and pressing Enter moves the selection up one level in the directory structure.
You could then select the current directory and press enter, to navigate down to that folder and delete individual command output files. Note that you can navigate to other directories, but you cannot delete files except from the current and depot directories.
When you have selected the file you want to delete, press Enter.
Caution: You will not be prompted to confirm the delete action.
Use this command to send a file from the depot directory to another site. To export a file:
Select Export recorded files from the Output Management menu. The depot directory displays.
Select the file to be sent or use the ../ and ./ entries to navigate up or down in the directory structure. (However, keep in mind that you can only export files from the depot directory.)
With the file to be transmitted selected, press Enter.
You are prompted to select FTP or exit. Select FTP and press Enter.
You are prompted to supply a host name. Enter the host name of the receiving system (or its IP address), and press Enter.
You are prompted for a user name. Enter a user account name for the receiving system, and press Enter.
You are prompted for a password. Enter the password for the user on the receiving system.
You are prompted to identify a directory to receive the sent file on the receiving system. Enter the path relative to the ftp root of the directory to contain the file on the receiving system and press Enter.
You are prompted to confirm the details of the transfer (the file to be sent and its destination). Press Enter to perform the transfer, or select Cancel and press Enter to start over.
You are informed of the success (or failure) of the operation.
Use this command to delete files created during the current session.
Use the Exit command to return to the main menu.
Use the System Static Reports command of the Main Menu to produce an extensive set of reports (described below).
Select System Static Reports from the Main Menu. You are informed that the process is running.
After the report has been created, it displays in the viewing area. Note that this report is lengthy and may be easier to view using a text editor, after exporting it to a desktop computer.
Use the Up and Down arrow keys to scroll up or down in the report. When you are done viewing the report, press Enter to return to the Main Menu.
For an outline of the information contained in this report, see below.
The following subtopics provide an outline of the major components of the System Static Reports output. The fragments of output shown are intended to illustrate the type and level of information contained in the report, rather than provide a detailed description of the actual contents (that is beyond the scope of this document).
The top portion of the System Static Reports output describes the build version, the patches applied, the current system up time, and name server information:
Build version: 34e1eb12eb68ba76cb49028251c9a0d6 /usr/local/guardium/etc/cvstag
Patches:
2006/02/22 16:16:50: START Installation of 'Update 5.0'
2006/02/22 16:18:04: Installation Done - Successfully Installed
< lines deleted… >
Current uptime:
09:03:43 up 6 days, 17:34, 1 user, load average: 0.44, 0.50, 0.41
System nameservers:
192.168.3.20
DB nameservers:
192.168.3.20
Gateway: 192.168.3.1 (system) 192.168.3.1 (def)
Next, the file system information displays (shown partially below):
Filesystem Size Used Avail Use% Mounted on
/dev/hdc3 2.0G 1.1G 813M 58% /
/dev/hdc1 97M 9.2M 83M 10% /boot
none 504M 0 504M 0% /dev/shm
/dev/hdc2 71G 1.2G 66G 2% /var
total: used: free: shared: buffers: cached:
Mem: 1055199232 1041711104 13488128 0 63275008 186220544
Swap: 536698880 295432192 241266688
MemTotal: 1030468 kB
MemFree: 13172 kB
< lines deleted… >
This is followed by information about the mail and SNMP servers configured:
SMTP server: 192.168.1.7 on port 25 : REACHABLE
SMTP user: undef
SMTP password: undef
SMTP auth: NONE
SNMP trapsink: undef UNREACHABLE
SNMP trap community: undef
SNMP read community: undef
The final section of the system configuration section describes the network configuration for the unit: IP address, host and domain names, etc:
eth0: 192.168.3.101 (system) 192.168.3.101 (def)
hostname: (system) g1 (def)
domain: (system) guardium.com (def)
mac address: 00:04:23:A7:77:F2 (MAC1) 00:04:23:A7:77:F2 (MAC2)
unit type: 548 Standalone STap
The next major section of the System Static Reports output contains information about the internal database status and threads (only the first few threads are shown):
uptime 77097 seconds.
27 threads.
78545028 queries.
+------+------------+-----------------------------+---------+---------+------+-------+
| Id   | User       | Host                        | db      | Command | Time | State |
+------+------------+-----------------------------+---------+---------+------+-------+
| 1137 | enchantedg | localhost                   | TURBINE | Sleep   | 26   |       |
| 1257 | enchantedg | localhost.localdomain:33587 | TURBINE | Sleep   | 0    |       |
| 1258 | enchantedg | localhost.localdomain:60409 | TURBINE | Sleep   | 7716 |       |
| 1259 | enchantedg | localhost.localdomain:48233 | TURBINE | Sleep   | 322  |       |
< lines deleted… >
The list of threads is followed by an analysis of table status.
The next several sections of the System Static Reports output contain information about the Web servlet container environment (Tomcat):
============================================================================
Currently defined Tomcat port is 8443.
The TOMCAT daemon is running and listening on port(s): 8005 8443.
Currently OPEN ports
java run by tomcat on port *:8443
< lines deleted… >
============================================================================
These are the nanny latest actions:
May 19 14:13:09 guard nanny:[5528]: Also checking tomcat.
May 19 14:13:09 guard nanny:[5528]: Going for my initial nap.
< lines deleted… >
This is the TOMCAT command line:
463 sh -c ps -o pid,cmd -e | grep Dcatalina.base
21917 grep Dcatalina.base.
The next major section of the System Static Reports output contains information about the inspection engine:
============================================================================
This is the SNIF (pid: 13036) command line: 13036 /usr/local/guardium/bin/snif.
This is the SNIF status:
Name: snif
State: R (running)
Tgid: 13036
< lines deleted… >
============================================================================
Current timestamp is 2005-05-20 11:56:41
This is the last timestamp at GDM_CONSTRUCT_INSTANCE: 2005-05-20 11:56:41
This is the last timestamp at GDM_EXCEPTION: 2005-05-20 11:56:41
This is the last timestamp at GDM_POLICY_VIOLATIONS_LOG: 2005-05-20 11:56:41
============================================================================
Snif buf usage at Fri May 20 11:56:44 2005:
100 204800 buffers out of 204800
126 connection used, 32642 unused, 0 dropped (sniffer), 9 ignored (analyzer)
0 bytes lost, 60 connections ended, 601752099 bytes sent, 579063 request sent
Dropped Packets: 0 buffer full, 0 too short , 451 ignored
time now is 1116604603
Analyzer/Parser buffers size: 6 (66533) 0 (62902)
ms-tsql-logger 0 (11331)
syb-tsql-logger 0 (70)
ora-tsql-logger 79 (67803)
db2-sql-logger 0 (20544)
< lines deleted… >
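The loss counters in the sniffer status block above are the first numbers to check when traffic appears to be missing from reports. The following added example (not Guardium code) parses that block out of an exported System Static Reports file and flags the counters that indicate capture loss; the healthy sample is copied from the fragment above, while the degraded sample and the 90% connection-table threshold are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the "Snif buf usage" fragment of the System Static
# Reports output as reproduced on this page (all loss counters are zero).
HEALTHY_SAMPLE = """\
Snif buf usage at Fri May 20 11:56:44 2005:
100 204800 buffers out of 204800
126 connection used, 32642 unused, 0 dropped (sniffer), 9 ignored (analyzer)
0 bytes lost, 60 connections ended, 601752099 bytes sent, 579063 request sent
Dropped Packets: 0 buffer full, 0 too short , 451 ignored
"""

# Constructed sample with invented non-zero loss counters, to show what the
# check reports when the inspection engine is not keeping up with traffic.
DEGRADED_SAMPLE = """\
Snif buf usage at Fri May 20 12:06:44 2005:
100 204800 buffers out of 204800
31977 connection used, 791 unused, 1342 dropped (sniffer), 9 ignored (analyzer)
8816 bytes lost, 60 connections ended, 601752099 bytes sent, 579063 request sent
Dropped Packets: 217 buffer full, 0 too short , 451 ignored
"""

# Counters are located by the label text next to them rather than by
# position, so spacing or line-order changes in the block do not break parsing.
COUNTER_PATTERNS = {
    "buffers_used":    r"(\d+) buffers out of",
    "buffers_total":   r"buffers out of (\d+)",
    "conn_used":       r"(\d+) connection used",
    "conn_unused":     r"(\d+) unused",
    "conn_dropped":    r"(\d+) dropped \(sniffer\)",
    "conn_ignored":    r"(\d+) ignored \(analyzer\)",
    "bytes_lost":      r"(\d+) bytes lost",
    "pkt_buffer_full": r"Dropped Packets: (\d+) buffer full",
    "pkt_too_short":   r"(\d+) too short",
    "pkt_ignored":     r"too short\s*,\s*(\d+) ignored",
}

CONN_TABLE_WARN = 0.90  # assumed threshold: warn when the connection table is 90% used


def parse_snif_usage(text: str) -> Dict[str, int]:
    """Extract the integer counters from one 'Snif buf usage' block."""
    counters = {}
    for name, pattern in COUNTER_PATTERNS.items():
        match = re.search(pattern, text)
        if match is None:
            raise ValueError(f"counter {name!r} not found in sniffer status block")
        counters[name] = int(match.group(1))
    return counters


def assess(c: Dict[str, int]) -> List[Tuple[str, str]]:
    """Return (code, message) findings for counters that indicate capture loss.
    An empty list means the sniffer reported no loss in this snapshot."""
    findings = []
    if c["conn_dropped"] > 0:
        findings.append(("conn_dropped", f"sniffer dropped {c['conn_dropped']} connections; their SQL was never inspected"))
    if c["bytes_lost"] > 0:
        findings.append(("bytes_lost", f"{c['bytes_lost']} bytes lost inside captured streams"))
    if c["pkt_buffer_full"] > 0:
        findings.append(("pkt_buffer_full", f"{c['pkt_buffer_full']} packets dropped with all {c['buffers_total']} buffers full"))
    table = c["conn_used"] + c["conn_unused"]
    if table and c["conn_used"] / table >= CONN_TABLE_WARN:
        pct = 100 * c["conn_used"] / table
        findings.append(("conn_table_pressure", f"connection table {pct:.1f}% full ({c['conn_used']} of {table})"))
    return findings


if __name__ == "__main__":
    for label, sample in (("healthy", HEALTHY_SAMPLE), ("degraded", DEGRADED_SAMPLE)):
        print(label, assess(parse_snif_usage(sample)) or "no loss reported")
```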
The next major section contains information about the IP tables:
===========================================================================
IPTABLES:
-------------
tcp -- 192.168.2.0/24 192.168.1.0/24 tcp spts:1521:60000 set 0x23
tcp -- 192.168.1.0/24 192.168.2.0/24 tcp dpts:1521:60000 set 0x22
< lines deleted… >
The next major section contains S-Tap information:
============================================================================
STAP:
----
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:9500
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:9500
2696 148K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:16016
2835 175K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:16016
< lines deleted… >
The next major section contains IP traffic information:
IP traffic statistics.
OUTPUT OF ETH0
Fri May 20 11:57:04 2005; ******** Detailed interface statistics started ********
*** Detailed statistics for interface eth0, generated Fri May 20 11:58:04 2005
< lines deleted… >
OUTPUT OF ETH1
Fri May 20 11:57:04 2005; ******** Detailed interface statistics started ********
*** Detailed statistics for interface eth1, generated Fri May 20 11:58:04 2005
Total: 82440 packets, 53892382 bytes
(incoming: 82440 packets, 53892382 bytes; outgoing: 0 packets, 0 bytes)
IP: 82440 packets, 52632747 bytes
(incoming: 82440 packets, 52632747 bytes; outgoing: 0 packets, 0 bytes)
< lines deleted… >
The next section contains the last messages output by the sniffer:
Snif STDERR:
< lines deleted… >
Snif STDOUT:
Fri_20-May-2005_04:04:35 : Guardium Engine Monitor starting
Fri_20-May-2005_04:14:37 : Guardium Engine Monitor starting
Fri_20-May-2005_04:24:38 : Guardium Engine Monitor starting
< lines deleted… >
The next section lists the import directory contents:
These are the contents of the importdir directory:
total 0
The last section lists aggregator activities (there are none in the example):
============================================================================
This is the aggregator last activities:
Select System Interactive Queries from the main menu to open the Interactive Queries menu, which is illustrated below. (Use the Down arrow key to scroll past the tenth item to see all items on this menu.)
In addition to displaying the requested information, each interactive query command creates output in a separate text file in the current directory. See the Overview topic above for more information about the files created.
Each command is described in the following sections.
Use the Files Changed command to display a list of files changed either before or after a specified number of days.
Select Files Changed from the Interactive Queries menu. You are prompted to enter a number of days. Type a number and press Enter.
You are asked if you are interested in the files changed before or after that number of days. Select 1 or 2 and press Enter.
The full directory path for each changed file is displayed. If not all of the data fits in the display area, use the Up and Down arrow keys to scroll through it. The current position in the file is indicated by the number in the lower right part of the display. The white bars above and below the display area show a plus sign when more data is available in that direction.
Use this command to list the contents of various directories.
Select List Folder from the Interactive Queries menu.
You are prompted to select a directory. Select a directory and press Enter. The selected directory is displayed. Remember that if multiple commands of the same type are issued, the data for each execution of the command is appended to the single text file maintained for that command.
Press Enter or click Exit when you are done.
Use the Summarize Folder command to display the output of the du (Disk Usage) command, as illustrated below:
Select Summarize Folder from the Interactive Queries menu. There are no prompts. You are presented with a display of disk use for various directories.
Use the Up and Down arrow keys to scroll through the directories.
Press Enter or click Exit when you are done.
Use this command to list all or some portion of a log file.
Select File Summary from the Interactive Queries menu.
You are prompted to select a file. Use the Up and Down arrow keys to scroll the selection cursor to the file you want to view.
Press Enter or click OK.
You are prompted to select the number of lines to display. Make your selection and press Enter.
You are prompted to enter an optional search string. Use this box if you are searching for a particular log message (you can enter a regular expression). Otherwise leave the box empty and press Enter.
Following the prompt, press Enter to answer yes, meaning that only unique messages will be displayed. Otherwise select No and press Enter (all messages will be displayed).
Be aware that when the Summary Style is used, variables are replaced by the pound sign character (#). For some log data containing variables such as IP addresses or dates, the replacements can be extensive.
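As an added example that is not part of the Guardium product, the following Python reproduces the File Summary behaviour described above (search string, line limit, and Summary Style with "#" substitution) over a constructed nanny log, so the extent of the "#" replacement can be seen before running the command on a large file; the assumption that the line limit keeps the most recent lines is mine.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Constructed sample in the nanny log format shown on this page; the
# "not responding" lines are invented so the summary has something to fold.
SAMPLE_LOG = """\
May 19 14:13:09 guard nanny:[5528]: Also checking tomcat.
May 19 14:13:09 guard nanny:[5528]: Going for my initial nap.
May 19 14:23:10 guard nanny:[5528]: Also checking tomcat.
May 19 14:23:11 guard nanny:[5528]: tomcat not responding on 192.168.3.101:8443, restarting.
May 19 14:33:12 guard nanny:[5528]: tomcat not responding on 192.168.3.101:8443, restarting.
""".splitlines()

IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
DIGITS = re.compile(r"\d+")


def summary_style(line: str) -> str:
    """Collapse variable fields to '#'. IPv4 addresses are replaced first so a
    dotted address becomes one '#' rather than '#.#.#.#'; then every remaining
    run of digits (timestamps, PIDs, ports) is replaced."""
    return DIGITS.sub("#", IPV4.sub("#", line))


def file_summary(lines: Iterable[str], max_lines: Optional[int] = None,
                 search: Optional[str] = None, unique: bool = True) -> List[Tuple[int, str]]:
    """Mimic the File Summary prompts: optional regex filter, optional line
    limit (assumed to keep the most recent lines), and Summary Style folding.
    Returns (count, text) pairs in first-seen order; with unique=False every
    count is 1 and the original lines are returned unchanged."""
    selected = [ln for ln in lines if ln.strip()]
    if search:
        pattern = re.compile(search)
        selected = [ln for ln in selected if pattern.search(ln)]
    if max_lines is not None:
        selected = selected[-max_lines:]
    if not unique:
        return [(1, ln) for ln in selected]
    counts: dict = {}
    for ln in selected:
        key = summary_style(ln)
        counts[key] = counts.get(key, 0) + 1
    return [(n, msg) for msg, n in counts.items()]


if __name__ == "__main__":
    for count, msg in file_summary(SAMPLE_LOG):
        print(f"{count:4d}  {msg}")
```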
Use this command to send a test email using the configured SMTP server.
Select Test Email from the Interactive Queries menu.
You are prompted to select a recipient. Select Custom and press Enter.
You are prompted to supply an email address. Type an email address and press Enter. You are informed of the result of the operation. Note that on the Administration Console, the Test Connection link in the SMTP pane of the Alerter configuration panel only tests that an SMTP port is configured, not that mail can actually be delivered via that server. You can use this command to test email delivery without having to configure and trigger a statistical or real-time alert, or an audit process notification.
Use this command to send a test SNMP trap to the configured SNMP server.
Select Test SNMP from the Interactive Queries menu.
You are informed of the activity and the results. Note that on the Alerter Configuration panel, the Test Connection link in the SNMP pane only tests that an SNMP port is configured, not that a trap can actually be delivered via that server. You can use this command to test trap delivery without having to configure (and trigger) a statistical or real-time alert, or an audit process notification.
Use this command to display the actual select statement used for a report query. This might be useful if a user-written report is producing unexpected output.
Select Report Query Data from the Interactive Queries menu.
You are prompted to make a selection from a list of report titles. Use the Up and Down arrow keys to select an entry and press the Enter key. Each entry in this list is a Report entity. All pre-defined reports are listed first. These are numbered in the range 100-225 (for version 3.6.1 – the numbers will most likely grow incrementally with each release, as more pre-defined reports are created).
User written reports are listed following the pre-defined reports, beginning with number 20001 (for version 3.6.1).
The selected report select statement will be displayed.
Use this command to display a count of observed SQL calls during a 100 second interval.
Select GDM Queries from the Interactive Queries menu.
A message displays requesting your patience. Select yes to continue. The CMD_CT column on the display lists the number of observed SQL calls from the specified clients to the specified servers.
Press Enter when you are done viewing the report.
Use this command to create a TCP dump. For this command, output is written to a command file only and not to the screen. Unlike most other commands, a separate file is created in the current directory for each execution of this command. The file name is in the format: tcpdump_<mmyyyy-hhmmss>, where the variable portion is a date and time stamp: mmyyyy is the month and year, and hhmmss is the hours, minutes, and seconds.
Select Generate TCP dump from the Interactive Queries menu.
You are prompted to select an interface. Select a port and press Enter.
You are prompted for an optional filter IP address. If you are interested in traffic from only a specific address, enter that IP address and press Enter. Otherwise, just press Enter.
You are prompted for an optional port number. If you are interested in traffic from only a specific port, enter that port number and press Enter. Otherwise, just press Enter.
You are prompted to select how many seconds of traffic to capture. Select a number of seconds and press Enter.
You are prompted to press Enter to start collecting data. Press Enter. You are returned to the menu after (approximately) the specified number of seconds.
To view the TCP dump data, select the Read TCP dumps command (see below) or export the file (see the Export recorded files command on the Output Management menu, described previously).
Use this command to display a TCP dump file created previously.
Select Read TCP dumps from the Interactive Queries menu.
You are prompted to select file. The TCP dump files are listed from oldest to newest. The file name is in the format: tcpdump_<mmddyy-hhmmss>, where the variable portion is a date and time stamp: mmddyy is the month, day, and year; and hhmmss is the hours, minutes, and seconds. Select the file you want to view and press Enter.
The selected file displays. Use the Up and Down arrow keys to scroll through the display and press Enter when you are done.
Use this command to watch activity in the Guardium buffers:
Select Watch Buffer from the Interactive Queries menu. The display is updated every second.
Press Ctrl-C to close the display.
Use this command to run the slon utility, which tracks packets. Typically, you would only run this command as directed by Guardium Support. For this command, output is not written to the screen. Output is written to one of two command files in the current directory, for each execution of the command:
apks.txt.<day_dd-mmm-yyyy_hh.mm.ss.ttt>
OR
requests.txt.<day_dd-mmm-yyyy_hh.mm.ss.ttt>
The variable portions of the file names are date and time stamps. For example, apks.txt.Fri_20-May-2005_08.52.00.789.
Select Slon Utility from the Interactive Queries menu. You are prompted for the type of action.
Select the action to be performed and click OK.
Regardless of your selection, you will be prompted to select the time period for the activity. Select a time period and press Enter.
You are notified that the program will run for the specified time and prompted to press Enter. Press Enter and wait.
When processing completes, a message will be displayed. You can use the File Summary command to display the output of this command. Because this command can produce a large amount of data, you will probably want to export the file to another system, where you can view the contents using a text editor. (Pack the current session data, and export the recordings as described earlier in this section.)
Use this command to show indexes for various internal tables:
Select Show Indexes from the Interactive Queries menu.
You are prompted to select a table. Select a table and press Enter to display the indexes for that table.
Use the Up and Down arrow keys to scroll through the display. Press Enter when you are done.
Use this command to display S-TAP definitions and traffic information:
Select STAP Check from the Interactive Queries menu.
The system’s unit type displays in numeric format. Press Enter.
You are prompted to select the number of seconds to monitor the S-TAP traffic. Use the Up and Down arrow keys to make a selection and press Enter.
You are informed of approximately how long to wait for output, and prompted to press Enter. Press Enter.
The S-TAP Definitions and Server Traffic reports display. Press Enter when you are done viewing the report.
Use this command to display interface link status.
Select Interface link status from the Interactive Queries menu.
The status of all interfaces displays. Use the Up and Down arrows to scroll through the display.
Press Enter when you are done. Note that this command displays the link status only. To display interface configuration information, use the show network interface all CLI command.
Use this command to display the results of a ps command.
Select Run Process List PS from the Interactive Queries menu.
The complete list of processes displays.
Use the Up and Down arrows to scroll through the display, and press Enter when you are done.
Select the Perform Maintenance Actions option from the Main Menu to open the Maintenance menu (illustrated below). Use these commands only under the direction of Guardium Support. These do not need to be run on a regular basis.
Use this command to optimize index cardinality on Guardium’s internal database. A progress bar displays while the operation is running. When the operation completes, you are returned to the Maintenance menu.
Use this command to analyze and re-index Guardium’s internal database.
Select TURBINE optimize ( index cardinality ) from the Maintenance menu. A progress bar displays while the operation is running.
When the operation completes, you are returned to the Maintenance menu.
Use this command to clean unused disk space. You are returned to the Maintenance menu when the procedure completes.
Select Clean disk space from the Maintenance menu. You will be prompted to select a directory.
Select the directory from which you want to remove files. The contents of the directory will be listed, and you will be prompted to confirm that you want to remove all files.
When the operation completes, you are returned to the Maintenance menu.
Use this command only under the direction of Guardium Support. This command provides access to the Management Menu of the RAID controller utility program, which can be used to display the status of the RAID drives, as illustrated below. If your system does not have a RAID controller, an error message displays if you select this command. You must be extremely careful when using the RAID controller utility program, since several of the functions provided will erase all information on the disk.
Use this command to restore a backed up version of the internal database. You will be prompted to confirm the operation.
Use this command to turn debugging on or off. You are prompted to enable or disable logging, or to reset the system defaults.
Use this option to change the timeout limit for long queries.
Use this option only when directed to do so by Guardium Support.
Select Exit to CLI on the Main Menu. Press Enter to close the diag command and return to the command line interface.