GBDI 4.1

GBDI Overview

IBM Security® Guardium® Big Data Intelligence (GBDI) is a system for storing, managing and providing access to the IBM® InfoSphere® Guardium® Database Activity Monitoring (DAM) system (referred to as "Guardium" throughout this documentation).

This section provides an overview of the GBDI system, including a high-level view of the system architecture, and a description of the data model.

GBDI Architecture

GBDI is a Big Data system that uses the SonarW NoSQL Data Warehouse to store data extracted from Guardium collectors. GBDI centralizes all Guardium data into a single database store, regardless of the number of collectors – thus eliminating the need for complex aggregation processes.

GBDI's advanced database architecture allows for unparalleled performance in reporting and analytics. The proprietary database also allows customers to retain Guardium data for long periods of time, without impacting performance.

GBDI includes the following components:

  • The SonarW NoSQL Data Warehouse.

  • The SonarCollector ETL layer and specific Guardium ETL algorithms.

  • The GBDI Application.

  • The SonarK discovery tool (based on Kibana).

  • SonarSQL, providing SQL access to Guardium data stored within SonarW.

  • JSON Studio, providing a graphical user interface (GUI) for advanced analytic query building and visualization.


The GBDI software package is installed on a RHEL Linux server. GBDI can be installed on a physical server or a virtual machine.

It is strongly recommended that GBDI is the only application on the server, and not co-located with other applications. GBDI's Big Data workloads are resource-intensive, consuming all available compute, memory and I/O resources. It is therefore recommended to run GBDI on its own server.

GBDI receives data from Guardium collectors as compressed extraction files transferred over SCP. These files are produced by the collectors, and the mechanism is supported for Guardium versions 9.x and 10.x. For systems running version 9.5 collectors, the IBM data extraction patch 609 (or a cumulative later patch) must be installed. Consult your GBDI account manager for the precise IBM patch required. Guardium 10 has built-in support for producing these extract files.

Guardium data is copied to a staging server, where it is processed by GBDI ETL into GBDI using Guardium-specific processes. The staging server can be the SonarG server (preferred) or another server. When configuring data extraction in Guardium, the staging server should be specified under “hostname.”

Guardium collectors produce and copy files on an hourly basis. The GBDI ETL process runs continuously and ingests these extract files on an ongoing basis. Data is therefore available in GBDI with a lag not longer than ~60-75 minutes.

Once the data is in SonarW, various tools provide access to the Guardium data. These include a GBDI custom-built reporting layer, JSON Studio for building queries, reports and visualizations directly over the Guardium data, a Web Services layer and a SQL layer. All these are installed on the GBDI server as part of the GBDI installer.