Guardium Big Data Intelligence Monitoring Gap Analytics

Guardium Big Data Intelligence Gap Analytics helps you discover gaps in the monitoring and capture of database activity. It addresses the case where an STAP shows green but database activity is in fact not being captured. This can happen for a number of reasons: a misconfigured STAP, a configuration change that introduced an error, a mismatch between the KTAP and the operating system kernel, and more.

Gap analytics do two types of analysis:

  1. Historical analysis, where a gap is a significant drop in the number of connections of a certain type in the last 24 hours compared with the daily average of the same connection type over the past 10 days. If some change causes a drop (to zero, or by some significant percentage) it is identified as a gap. A connection type is the combination of server IP, service name and network protocol, so the analysis is finer than per server: for example, if TCP connections to an Oracle server continue to be captured but the Oracle executable has moved and Bequeath connections are no longer collected, that is identified as a gap in Bequeath collection for that server. Significance is a percentage that you define on the SAGE profiling engine screen. For example, if you choose 25, a gap is signaled when the number of connections in the last 24 hours drops below 1/4 of the daily average. If you set it to 0, a gap is flagged only when no connections of that type were captured in the last 24 hours although some were collected in the past 10 days. A connection type that appears only in the last 24 hours, with no history in the past 10 days, is new rather than a gap. The default threshold for alerts is 0.
  2. Comparison of STAP status with the sessions collection. A gap is signaled when an active STAP record for a server IP exists in the past 24 hours but no session from that server IP exists in the same period. Active means that the STAP was in an active state for any period within the 24 hours; a STAP whose last status record is older than 24 hours is not considered.

When you use gap analytics you will get daily alerts with all the gaps found. There is also a Gaps dashboard on the main Guardium Big Data Intelligence page where you can change the threshold and see the results. Note that these are complex analytics and may take many seconds or even a few minutes to compute on very large data sets.

Finally, there are two supporting collections in the sonargd database that you may populate (usually with a feed from an asset management system or from a spreadsheet):

  1. gap_vips is a collection that maps a “Server IP” field to a “Virtual IP” field. Use it when you have clusters: sessions are reported under the virtual IP while the STAPs are deployed on the physical IPs, so without the mapping every cluster node would appear to have an active STAP and no sessions. Gaps are analyzed for all nodes of the cluster together.
  2. gap_excludes is a collection that holds a list of “Server IP” values for servers that should be excluded from the analysis (e.g. development or test servers, where connection numbers can fluctuate wildly and would produce false gaps).
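The following Python example is added here to make the two analyses and the two supporting collections concrete; it is not code from Guardium Big Data Intelligence, and the record layout (session and STAP status dictionaries with server_ip, service_name, protocol, state and timestamp fields), the sample data and the choice of a 10-day baseline that precedes the last-24-hour window are assumptions made for the illustration. It folds cluster nodes onto their virtual IP as gap_vips does, skips servers listed as gap_excludes does, applies the percentage threshold with the special case for 0, and compares active STAP records with captured sessions.

```python
"""Gap analytics over constructed session and STAP status records (illustration only)."""
from collections import defaultdict
from datetime import datetime, timedelta

DAY = timedelta(days=1)


def conn_type(sess, vips):
    """Connection type = (server IP, service name, protocol); cluster nodes are folded onto their VIP."""
    ip = vips.get(sess["server_ip"], sess["server_ip"])
    return (ip, sess["service_name"], sess["protocol"])


def historical_gaps(sessions, now, threshold_pct, vips=None, excludes=frozenset(), baseline_days=10):
    """Flag connection types whose count in the last 24h fell below threshold_pct % of the
    daily average over the preceding baseline_days days (assumed window layout).
    threshold_pct == 0 flags only types with zero connections in the last 24h."""
    vips = vips or {}
    recent_start = now - DAY
    baseline_start = recent_start - baseline_days * DAY
    recent, baseline = defaultdict(int), defaultdict(int)
    for s in sessions:
        key = conn_type(s, vips)
        if s["server_ip"] in excludes or key[0] in excludes:
            continue  # gap_excludes: dev/test servers are not analyzed
        t = s["timestamp"]
        if t < baseline_start or t > now:
            continue
        (recent if t >= recent_start else baseline)[key] += 1
    gaps = []
    for key, total in sorted(baseline.items()):  # types seen only in the last 24h are new, not gaps
        avg = total / baseline_days
        last24 = recent.get(key, 0)
        if last24 == 0 or last24 * 100 < threshold_pct * avg:
            gaps.append({"type": key, "avg_per_day": avg, "last_24h": last24})
    return gaps


def stap_gaps(stap_status, sessions, now, vips=None, excludes=frozenset()):
    """Server IPs whose STAP was active at some point in the last 24h but whose
    (VIP-mapped) server IP has no captured session in that window."""
    vips = vips or {}
    recent_start = now - DAY
    seen = {vips.get(s["server_ip"], s["server_ip"])
            for s in sessions if recent_start <= s["timestamp"] <= now}
    gaps = set()
    for rec in stap_status:
        ip = rec["server_ip"]
        if ip in excludes or rec["state"] != "active" or not (recent_start <= rec["timestamp"] <= now):
            continue
        if vips.get(ip, ip) not in seen:
            gaps.add(ip)
    return sorted(gaps)


# ---- constructed sample data (not real Guardium records) ----
NOW = datetime(2024, 6, 11)


def _sessions(server_ip, service, proto, per_day, last24, now=NOW, days=10):
    """per_day sessions on each of the 10 baseline days, then last24 sessions in the last 24h."""
    out = []
    for d in range(1, days + 1):
        day_start = now - (d + 1) * DAY
        out += [{"server_ip": server_ip, "service_name": service, "protocol": proto,
                 "timestamp": day_start + timedelta(minutes=i)} for i in range(per_day)]
    out += [{"server_ip": server_ip, "service_name": service, "protocol": proto,
             "timestamp": now - DAY + timedelta(minutes=i)} for i in range(last24)]
    return out


SESSIONS = (_sessions("10.0.0.5", "ORCL", "TCP", 40, 38)        # healthy
            + _sessions("10.0.0.5", "ORCL", "BEQ", 20, 0)       # Bequeath capture stopped
            + _sessions("10.0.0.6", "db2inst1", "TCP", 100, 10)  # dropped to 10% of average
            + _sessions("10.0.0.7", "mssql", "TCP", 50, 0)       # test server, excluded
            + _sessions("10.0.1.100", "ORCL", "TCP", 30, 28))    # cluster, reported under the VIP
VIPS = {"10.0.1.1": "10.0.1.100", "10.0.1.2": "10.0.1.100"}      # gap_vips: physical -> virtual
EXCLUDES = frozenset({"10.0.0.7"})                                # gap_excludes
STAP_STATUS = [
    {"server_ip": "10.0.0.5", "state": "active", "timestamp": NOW - timedelta(hours=2)},
    {"server_ip": "10.0.0.6", "state": "active", "timestamp": NOW - timedelta(hours=5)},
    {"server_ip": "10.0.0.8", "state": "active", "timestamp": NOW - timedelta(hours=1)},   # no sessions at all
    {"server_ip": "10.0.0.9", "state": "active", "timestamp": NOW - timedelta(hours=30)},  # outside window
    {"server_ip": "10.0.1.1", "state": "active", "timestamp": NOW - timedelta(hours=3)},   # cluster node
    {"server_ip": "10.0.1.2", "state": "stopped", "timestamp": NOW - timedelta(hours=3)},
]

if __name__ == "__main__":
    for pct in (0, 25):
        print(f"threshold {pct}%:", historical_gaps(SESSIONS, NOW, pct, VIPS, EXCLUDES))
    print("STAP gaps:", stap_gaps(STAP_STATUS, SESSIONS, NOW, VIPS, EXCLUDES))
```

With threshold 0 only the Bequeath type on 10.0.0.5 is reported; raising it to 25 also reports the DB2 server that fell to 10% of its average. Running stap_gaps without the VIP mapping additionally reports the cluster node 10.0.1.1, which is exactly the false positive gap_vips exists to remove.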