Data Collection Tool

The Data Collection Tool extracts information from your system to help CA Support troubleshoot an issue. It collects logs, configurations, and system metrics such as disk usage, thread dumps, and heap dumps. It also captures the current state of the machine and the network.
gateway93
The Data Collection Tool extracts information from your system to help CA Support troubleshoot an issue. It collects logs, configurations, and system metrics such as disk usage, thread dumps, and heap dumps. It also captures the current state of the machine and the network.
The Data Collection Tool supports all form factors of the 
Layer7 API Gateway
 except:
  • Software Gateways running Solaris
  • Gateways running in Docker
Contents:
Observe the following precautions before using the Data Collection Tool:
  • Run this tool as directed by CA Support. Its output may not be meaningful for other purposes.
  • This tool can only collect data from the same machine the tool is run. The tool cannot collect data from remote systems.
  • Ensure that you have sufficient free disk space (at least 1GB), as the amount of data that is collected can be large. Also, a separate archive is created each time that this tool is run, multiplying the disk space requirements. You should remove unneeded output files by deleting them from the 
    /home/ssgconfig
     directory (or the user-specified directory if the default is not used).
  • This tool requires root privileges to execute. CA Technologies recommends accessing this tool from the privileged shell
  • Output from the Data Collection Tool may vary depending on the operating system, state, or configuration of the 
    Layer7 API Gateway
     at the time of execution.
Upgrading from Version 9.2:
If you used this tool in version 9.2, any old archives you may have preserved remain in the "/opt/SecureSpan/Collector" directory. Versions after v9.2 store the tool in "/opt/DCT" and the archive files in "/home/ssgconfig" (unless specified otherwise using the "-f" option). All Data Collection Tool system files are removed from "/opt/SecureSpan/Collector" during the upgrade. Old archive files and any other files are not removed.
Prerequisite:
  • Gateway is currently running. To verify, option 7 (Manage CA API Gateway status) in the Gateway Configuration Menu (Appliance) should show "RUNNING". 
    The Data Collection Tool can still be used on a non-running Gateway, but some output files may be affected.
To run the Data Collection Tool:
  1. Access the privileged shell.
  2. Run the following script with the appropriate options. Your CA Support representative will tell you which options to use. If not specified, just use the "-a" option to include all modules.
    # /opt/DCT/collect.sh
     <options>
    Where 
    <options>
     is one or more of (space separated, case sensitive):
    Option
    Description
    -a
    Collect data for all modules.
    -m
    <module>
    Collect data from a single module, where
    "<module>"
    is one of:
    • devices
    • filesystems
    • gateway
    • java
    • kernel
    • monitor
    • mysql
    • network
    • os
    • vmware
    For details about what information is included in each module, see "Information Collected by Module" below.
    You can output from only one module at a time (unless the "-a" option is used). The output is categorized by module within the ZIP file.
    -D
    Include a Heap Dump.
    Note:
    Use with caution, as heap dumps can affect performance significantly.
    -f
    <outputDirectory>
    Place collected data into this directory. If an output directory is not specified, the output is placed in
    /home/ssgconfig
    .
    -h
    Display help text for the script.
    -s
    Include data from these directories:
    • /etc/sudoers
    • /etc/passwd
    • /etc/group
    The "-s" option lets you control whether sensitive data like username or passwords are included in the data collection. However, there may be other information that your organization deems sensitive. If so, please notify your Support representative and they will assist you in removing the information manually before it is sent to CA Technologies.
    Examples:
    • Collect data from all modules (excludes heap dump or sensitive information from "-a" option):
      ./collect.sh -a
    • Collect data from the 'gateway' module:
      ./collect.sh -m gateway
    • Collect a heap dump only:
      ./collect.sh -D
    • Collect data from all modules, including a heap dump and sensitive data, and output the files to /tmp:
      ./collect.sh -a -D -s -f /tmp
  3. Send the output .ZIP file from 
    <outputDirectory>
     to your CA Support representative. This file name has the format:
    ssg-dct-<version>_<year>-<month>-<day>_T<hour><minute><second>_<time zone name>-<time zone num>.zip
    The output archive contains a README.txt file that contains information such as the version of the Data Collection Tool and the command options used to generate the output.
Information Collected by Module
The following table lists the information that is collected for each module:
Module
Information
devices
  • cp /proc/meminfo
  • lspci -tv
  • cp /proc/cpuinfo
  • ls -Rl /dev
  • dmidecode -t 1
filesystems
  • free -m
  • df
  • /proc/mdstat
  • mdadm --detail --scan
  • mount
  • lsblk
  • pvdisplay
  • vgdisplay
  • lvdisplay
  • /etc/mdadm.conf
  • mdadm --detail --scan
  • mdadm --query --detail /dev/md*
  • mdadm --examine /dev/sd*
gateway
  • rpm -qa | grep -e ssg -e ssem
  • rpm -q --verify ssg ssg-appliance ssem ssg-platform ssg-nshieldpci
  • ls -halt /opt/SecureSpan/Gateway/runtime/modules/assertions/
  • ls -halt /opt/SecureSpan/Gateway/runtime/modules/lib/
  • ls -l /opt/SecureSpan/Gateway/node/default/etc/conf/omp.dat
  • cp /opt/SecureSpan/Gateway/node/default/etc/conf/node.properties
  • cp /opt/SecureSpan/Gateway/node/default/etc/conf/system.properties
  • cp /opt/SecureSpan/Gateway/node/default/etc/conf/ssglog.properties
  • cp /opt/SecureSpan/Gateway/runtime/etc/profile.d/appliancedefs.sh
  • cp /opt/SecureSpan/Gateway/runtime/etc/profile.d/ssgruntimedefs.sh
  • cp /opt/SecureSpan/Appliance/config/ssgsysconfig.log
  • cp /opt/SecureSpan/Gateway/node/default/var/logs/*.log
  • cp /opt/SecureSpan/Controller/var/logs/patches.log /opt/SecureSpan/Controller/var/logs/*.log
  • cp /opt/SecureSpan/Controller/var/patches/*.status
  • ls -halt /opt/SecureSpan/Controller/var/patches//*.L7P
  • su -c /opt/SecureSpan/JDK/bin/jstack -l <gateway pid> -s /bin/sh gateway (4 samples at 15s intervals)
  • /var/logs/ssg_gc.log.*
java
  • /opt/SecureSpan/JDK/bin/java -version
  • ls /opt/SecureSpan/JDK/jre/lib/ext
  • cat /opt/SecureSpan/JDK/jre/lib/security/java.security
kernel
  • cat /proc/version
  • lsmod
  • cat /etc/sysctl.conf
  • cat /proc/cmdline
monitor
  • ps axjf
  • vmstat 1 30
  • timeout 30s netstat -i 1
  • ps auxwww | grep gateway
mysql
  • service mysql status
  • mysql ssg -e select * from ssg_version
  • mysql ssg -e show tables
  • mysql ssg -e show slave status
  • mysql ssg -e show master status
  • cat /etc/my.cnf
  • /var/lib/mysql/*-slow.log
  • /var/log/mysqld.log
The Data Collection Tool assumes that the default database name "ssg" was used when the Gateway was configured. If another database name was used instead, then certain information from the 'mysql' module is not collected.
network
  • ifconfig -a
  • netstat -nr
  • iptables -nL
  • iptables -v -nL
  • ss -o state established \( sport = :8080 or sport = :8443 or sport = :9443 \) \ dst 0.0.0.0/0 | egrep -v Recv-Q | wc -l
  • ss -o state established \( sport = :8080 or sport = :8443 or sport = :9443 \) \ dst 0.0.0.0/0 | grep -v ^0 | egrep -v Recv-Q | wc -l
  • ss -o state established \( dport = :http or dport = :https \) \ dst 0.0.0.0/0 | egrep -v Recv-Q | wc -l
os
  • uname -a
  • /etc/redhat-release
  • chkconfig --list
  • rpm -qa
  • /var/log/messages*
  • who -r
  • dmesg
  • cat /etc/ntp.conf
  • ntpq -p
  • cat /etc/security/limits.conf
  • cat /etc/security/limits.d/99-ssg-appliance.conf
  • whoami
  • su -c ulimit -S -a -s /bin/sh gateway
  • su -c ulimit -H -a -s /bin/sh gateway
  • /var/log/bash_commands.log
  • top -b -n 1
vmware
  • vmware-checkvm
  • vmware-checkvm -hp
  • vmware-toolbox-cmd stat balloon
  • vmware-toolbox-cmd stat memlimit
  • vmware-toolbox-cmd stat memres
  • vmware-toolbox-cmd stat cpures
  • vmware-toolbox-cmd stat cpulimit
  • vmware-toolbox-cmd timesync status
Frequently Asked Questions
Question
Answer
I only need information from a couple of modules. Can I specify multiple modules in the options?
No. You can specify either a single module or use the "-a" option to include all modules. Run the tool multiple times to gather information for several modules.
How can I learn more about the information collected by each module?
The list provided in this topic is intended for CA Support staff and advanced technical users. Most end users will not need to know about the details. No sensitive information will be collected unless you include the "-s" option.
What if I have sensitive information not listed in the "-s" option?
If your organization does not want to reveal other potentially sensitive information, please work with your Support representative to remove this information manually before the archive is sent to CA Technologies.
How do I submit the information to Support?
Your Support representative will tell you the best way to send the information.
Our audits are sent to an external syslog. Will these be included?
No. The Data Collection Tool can only gather information from the host on which the tool is run.
My Gateway is not operational. Can I still run this tool?
Yes, you can still run the Data Collection Tool even if your Gateway is not operational. The information it gathers may differ slightly compared to an operational Gateway.
The tool will not run because of insufficient disk space.
Remove unneeded output files by deleting them from the
/home/ssgconfig
directory (or the user-specified directory if the default is not used) and then try again.
Can I rename the output file from the tool?
Yes, you may rename the file to include your organization name and remove unneeded information (such as time zone, etc.) Just be sure to notify your Support representative. The name should make it evident that this is output from the Data Collection Tool.