Troubleshooting Cloud Guard
Use troubleshooting information to identify and address common issues that can occur while working with Oracle Cloud Guard service.
No Problems Detected
Fix enablement problems that prevent Cloud Guard from detecting problems.
You have completed the steps in Enabling Cloud Guard, and no problems start to appear on the Problems page after about 30-60 minutes.
Ensure that a Detector Recipe Is Added to the Target
Steps in Enabling Cloud Guard force you to define a target, by specifying Compartments To Monitor in the OCI tenancy. If you didn't also select either an OCI Configuration Detector Recipe or an OCI Activity Detector Recipe, then no detectors were added to the target. Without adding at least one detector to the target, no problems can be reported.
Some Categories of Problems Not Detected
Fix enablement problems that prevent Cloud Guard from detecting all categories of problems.
You have completed the steps in Enabling Cloud Guard, and problems are appearing on the Problems page, but an entire category of problems still is not appearing.
Ensure that a Detector Recipe Is Added to the Target for Each Category
If you skipped select a detector recipe for particular problem category in Enabling Cloud Guard, then a detector recipe for that problem category is not added to the target. If a detector for a particular problem category is not added to the target, Cloud Guard doesn't detect problems for that category.
No Events Generated
Fix enablement problems that prevent Cloud Guard from generating events.
You have completed the steps in Enabling Cloud Guard, and problems are appearing on the Problems page, but no events are being generated for the Notifications service to pick up (see Configuring Notifications).
Only new problems that Cloud Guard detects trigger event notifications. To trigger event notifications for older problems:
- Locate the problem's row on the Problems page.
- Select the checkbox on the left end of the row for the problem.
You can select additional problem to be processed in one operation.
- Click Mark as resolved at the top of the problems list.
A trigger is fired for the event rule that you marked as resolved, if the conditions are met to classify it as a new problem. See Problem Lifecycle.
Ensure that the OCI Responder Recipe Is Added to the Target
Steps in Enabling Cloud Guard force you to define a target, by specifying Compartments To Monitor in the OCI tenancy. If you didn't also select the OCI Responder Recipe, then the Cloud Event responder rule in the OCI Responder Recipe is unable to send events to the Notifications service.
Can't Process PSM Problems
You can't dismiss or resolve problems related to the PaaS Service Manager (PSM)
compartment (named ManagedCompartmentForPaaS
).
You have completed the steps in Enabling Cloud Guard and all categories of problems are appearing on the Problems page. You are able to dismiss or resolve all problems, except problems related to the PSM compartment.
For more information on the ManagedCompartmentForPaaS
compartment,
see Resources Created in Your Tenancy by
Oracle.
Create a Support Ticket to Provide Special Privileges
The PSM service controls access to the PSM compartment in your OCI tenancy, so the policies required by Cloud Guard do not affect your access through Cloud Guard to resources in the PSM compartment. To obtain the privileges necessary to dismiss or resolve problems related to the PSM compartment:
- Create an Oracle support ticket.
- Provide the following details on how these privileges necessary for Cloud Guard:
- OCI tenancy ID
- OCIDs of the Cloud Guard problems that you are trying to dismiss
- The PSM and the OCI Identity team then add the following policy:
allow group administrators to use cloud-guard-problems in compartment managedcompartmentforpaas
Note
This is a special compartment, for which the ability to resolve Cloud Guard problems can only be granted to an administrative group. - After the support team informs you that they've added the policy, you can dismiss and resolve problems with the PSM compartment.
"Not Authorized Or Not Found Exception" on API Call
Your API call fails with NotAuthorizedOrNotFoundException
error.
These issues involve the Cloud Guard reporting region.
The Cloud Guard reporting region is NOT the same thing as the OCI home region.
To see the reporting region, from the Cloud Guard options panel on the left, select Settings.
To see the region that you are in, drop down the regions list at the top of the page.
Situation 1: When making API calls outside your Cloud Guard tenancy's reporting region:
- API
READ
calls are successful. - All
CREATE
,UPDATE
, andDELETE
calls fail withNotAuthorizedOrNotFoundException
error.
Situation 2: When making API LIST
calls that don't specify the
reporting region, some calls fail with NotAuthorizedOrNotFoundException
error.
Situation 1: Make CREATE, UPDATE, and DELETE API Calls Only on the Reporting Region
By design, CREATE
, UPDATE
, and DELETE
API calls are only allowed on the reporting region. Avoid making these types of API calls
outside the reporting region.
Situation 2: When Making LIST API Calls, Specify the Reporting Region
While some LIST
API calls do not require the reporting region to be passed
as a parameter, you can avoid the NotAuthorizedOrNotFoundException
error by
always passing the reporting region in LIST
API calls.
If you get the NotAuthorizedOrNotFoundException
error on an API
LIST
call where you didn't pass the reporting region, reissuing the call
with reporting region passed should clear the error.
Oracle-Managed Resources Not Visible
After enabling Cloud Guard through the Cloud Guard API or CLI, no Oracle-managed resources appear in the Cloud Guard console.
If the API call or CLI command that enables Cloud Guard passes
selfManageResources
as true
, none of the default
Oracle-managed detector recipes, responder recipes, or managed lists appear in the Cloud Guard
console UI.
You can't reverse the effect of enabling Cloud Guard with
selfManageResources
as true
, so you have only two options
to fix this problem:
- Disable and re-enable Cloud Guard.
- Disable Cloud Guard through the console. See Managing Cloud Guard Settings.
- Re-enable Cloud Guard through the console. See Steps to Enable Cloud Guard.
Or you can enable Cloud Guard again thru the API or CLI.
This approach is usually best, especially if you catch the problem soon after Cloud Guard is enabled, and before much data has been ingested.
- Create user-managed versions of Oracle-managed resources, using Cloud Guard API
calls or CLI commands. See steps in the next section.
This approach is best if you intentionally enabled Cloud Guard with
selfManageResources
astrue
.
Using Cloud Guard API or CLI to Creat User-Managed Resources
Details in the following steps are specific for using the Cloud Guard API.
-
Use UpdateConfiguration to enable Cloud Guard by explicitly setting
selfManageResources
totrue
. -
Invoke the following operations to list resources by including
resourceMetadataOnly
query parameter astrue
: - Use value of
id
field from the previous API response when invoking the following create operations:The
id
field in response of create operation is the OCID of the Oracle-managed resource: detector recipe, managed list, or responder recipe.The OCIDs generated in the preceding steps can be used when configuring target. See CreateTarget.