Troubleshooting Cloud Guard
Use troubleshooting information to identify and address common issues that can occur while working with Oracle Cloud Guard service.
No Problems Detected
Fix enablement problems that prevent Cloud Guard from detecting problems.
You have completed the steps in Enabling Cloud Guard, and no problems start to appear on the Problems page after about 30-60 minutes.
Ensure that a Detector Recipe Is Added to the Target
Steps in Enabling Cloud Guard force you to define a target, by specifying Compartments To Monitor in the OCI tenancy. If you didn't also select either an OCI Configuration Detector Recipe or an OCI Activity Detector Recipe, then no detectors were added to the target. Without adding at least one detector to the target, no problems can be reported.
Some Categories of Problems Not Detected
Fix enablement problems that prevent Cloud Guard from detecting all categories of problems.
You have completed the steps in Enabling Cloud Guard, and problems are appearing on the Problems page, but an entire category of problems still is not appearing.
Ensure that a Detector Recipe Is Added to the Target for Each Category
If you skipped select a detector recipe for particular problem category in Enabling Cloud Guard, then a detector recipe for that problem category is not added to the target. If a detector for a particular problem category is not added to the target, Cloud Guard doesn't detect problems for that category.
No Events Generated
Fix enablement problems that prevent Cloud Guard from generating events.
You have completed the steps in Enabling Cloud Guard, and problems are appearing on the Problems page, but no events are being generated for the Notifications service to pick up (see Configuring Notifications).
Ensure that the OCI Responder Recipe Is Added to the Target
Steps in Enabling Cloud Guard force you to define a target, by specifying Compartments To Monitor in the OCI tenancy. If you didn't also select the OCI Responder Recipe, then the Cloud Event responder rule in the OCI Responder Recipe is unable to send events to the Notifications service.
Can't Process PSM Problems
You can't dismiss or resolve problems related to the PaaS Service Manager (PSM)
You have completed the steps in Enabling Cloud Guard and all categories of problems are appearing on the Problems page. You are able to dismiss or resolve all problems, except problems related to the PSM compartment.
For more information on the
see Resources Created in Your Tenancy by
Create a Support Ticket to Provide Special Privileges
The PSM service controls access to the PSM compartment in your OCI tenancy, so the policies required by Cloud Guard do not affect your access through Cloud Guard to resources in the PSM compartment. To obtain the privileges necessary to dismiss or resolve problems related to the PSM compartment:
- Create an Oracle support ticket.
- Provide the following details on how these privileges necessary for Cloud Guard:
- OCI tenancy ID
- OCIDs of the Cloud Guard problems that you are trying to dismiss
- The PSM and the OCI Identity team then add the following policy:
allow group administrators to use cloud-guard-problems in compartment managedcompartmentforpaasNote
This is a special compartment, for which the ability to resolve Cloud Guard problems can only be granted to an administrative group.
- After the support team informs you that they've added the policy, you can dismiss and resolve problems with the PSM compartment.
"Not Authorized Or Not Found Exception" on API Call
Your API call fails with
These issues involve the Cloud Guard reporting region.
The Cloud Guard reporting region is NOT the same thing as the OCI home region.
To see the reporting region, from the Cloud Guard options panel on the left, select Settings.
To see the region that you are in, drop down the regions list at the top of the page.
Situation 1: When making API calls outside your Cloud Guard tenancy's reporting region:
READcalls are successful.
DELETEcalls fail with
Situation 2: When making API
LIST calls that don't specify the
reporting region, some calls fail with
Situation 1: Make CREATE, UPDATE, and DELETE API Calls Only on the Reporting Region
API calls are only allowed on the reporting region. Avoid making these types of API calls
outside the reporting region.
Situation 2: When Making LIST API Calls, Specify the Reporting Region
LIST API calls do not require the reporting region to be passed
as a parameter, you can avoid the
NotAuthorizedOrNotFoundException error by
always passing the reporting region in
LIST API calls.
If you get the
NotAuthorizedOrNotFoundException error on an API
LIST call where you didn't pass the reporting region, reissuing the call
with reporting region passed should clear the error.
Oracle-Managed Resources Not Visible
After enabling Cloud Guard through the Cloud Guard API or CLI, no Oracle-managed resources appear in the Cloud Guard console.
If the API call or CLI command that enables Cloud Guard passes
true, none of the default
Oracle-managed detector recipes, responder recipes, or managed lists appear in the Cloud Guard
You can't reverse the effect of enabling Cloud Guard with
true, so you have only two options
to fix this problem:
- Disable and re-enable Cloud Guard.
- Disable Cloud Guard through the console. See Managing Cloud Guard Settings.
- Re-enable Cloud Guard through the console. See Steps to Enable Cloud Guard.
Or you can enable Cloud Guard again thru the API or CLI.
This approach is usually best, especially if you catch the problem soon after Cloud Guard is enabled, and before much data has been ingested.
- Create user-managed versions of Oracle-managed resources, using Cloud Guard API
calls or CLI commands. See steps in the next section.
This approach is best if you intentionally enabled Cloud Guard with
Using Cloud Guard API or CLI to Creat User-Managed Resources
Details in the following steps are specific for using the Cloud Guard API.
Use UpdateConfiguration to enable Cloud Guard by explicitly setting
Invoke the following operations to list resources by including
resourceMetadataOnlyquery parameter as
- Use value of
idfield from the previous API response when invoking the following create operations:
idfield in response of create operation is the OCID of the Oracle-managed resource: detector recipe, managed list, or responder recipe.
The OCIDs generated in the preceding steps can be used when configuring target. See CreateTarget.