Troubleshooting Cloud Guard

Identify the causes and fixes for common problems with the Oracle Cloud Guard service.

No Problems Detected

Fix enablement problems that prevent Cloud Guard from detecting problems.

You have completed the steps in Enabling Cloud Guard, but no problems have appeared on the Problems page after about 30-60 minutes.

Ensure that a Detector Recipe Is Added to the Target

The steps in Enabling Cloud Guard require you to define a target by specifying Compartments To Monitor in the OCI tenancy. If you didn't also select either an OCI Configuration Detector Recipe or an OCI Activity Detector Recipe, then no detectors were added to the target. Unless at least one detector is added to the target, no problems can be reported.

See Modifying Recipes Added to a Target.

Some Categories of Problems Not Detected

Fix enablement problems that prevent Cloud Guard from detecting all categories of problems.

You have completed the steps in Enabling Cloud Guard, and problems are appearing on the Problems page, but an entire category of problems still is not appearing.

Ensure that a Detector Recipe Is Added to the Target for Each Category

If you skipped selecting a detector recipe for a particular problem category in Enabling Cloud Guard, then a detector recipe for that problem category is not added to the target. If a detector for a particular problem category is not added to the target, Cloud Guard doesn't detect problems for that category.

See Modifying Recipes Added to a Target.

No Events Generated

Fix enablement problems that prevent Cloud Guard from generating events.

You have completed the steps in Enabling Cloud Guard, and problems are appearing on the Problems page, but no events are being generated for the Notifications service to pick up (see Configuring Notifications).

Ensure that the OCI Responder Recipe Is Added to the Target

The steps in Enabling Cloud Guard require you to define a target by specifying Compartments To Monitor in the OCI tenancy. If you didn't also select the OCI Responder Recipe, then the Cloud Event responder rule in the OCI Responder Recipe is unable to send events to the Notifications service.

See Modifying Recipes Added to a Target.
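The three recipe checks described above can be run against exported target data in one pass. The following is an added example, not Oracle's code: it assumes a JSON list of targets in the shape printed by `oci cloud-guard target get`, and the key names and detector type values it uses are assumptions to verify against your own CLI output.

```python
import json

# Detector type names and JSON keys below are assumptions about the CLI output.
CONFIG = "IAAS_CONFIGURATION_DETECTOR"
ACTIVITY = "IAAS_ACTIVITY_DETECTOR"

# Constructed sample: three targets, not taken from a real tenancy.
SAMPLE_TARGETS = json.dumps([
    {"display-name": "prod-root",
     "target-detector-recipes": [{"detector": CONFIG}, {"detector": ACTIVITY}],
     "target-responder-recipes": [{"display-name": "OCI Responder Recipe"}]},
    {"display-name": "dev-config-only",
     "target-detector-recipes": [{"detector": CONFIG}],
     "target-responder-recipes": None},
    {"display-name": "new-target",
     "target-detector-recipes": None,
     "target-responder-recipes": []},
])

def diagnose_target(target):
    """Map one target's attached recipes to the symptoms on this page."""
    # The lists may be null rather than empty when nothing is attached.
    detectors = {r.get("detector")
                 for r in target.get("target-detector-recipes") or []}
    responders = target.get("target-responder-recipes") or []
    findings = []
    if not detectors:
        findings.append("NO_DETECTOR")            # "No Problems Detected"
    else:
        if CONFIG not in detectors:
            findings.append("NO_CONFIG_DETECTOR")    # category not detected
        if ACTIVITY not in detectors:
            findings.append("NO_ACTIVITY_DETECTOR")  # category not detected
    if not responders:
        findings.append("NO_RESPONDER")           # "No Events Generated"
    return findings

def audit(targets_json):
    """Return {target display name: [finding codes]} for a JSON list of targets."""
    return {t.get("display-name", t.get("id")): diagnose_target(t)
            for t in json.loads(targets_json)}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_TARGETS).items():
        print(name, findings or "ok")
```
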

Can't Process PSM Problems

You can't dismiss or resolve problems related to the PaaS Service Manager (PSM) compartment (named ManagedCompartmentForPaaS).

You have completed the steps in Enabling Cloud Guard and all categories of problems are appearing on the Problems page. You are able to dismiss or resolve all problems, except problems related to the PSM compartment.

For more information on the ManagedCompartmentForPaaS compartment, see Resources Created in Your Tenancy by Oracle.

Create a Support Ticket to Provide Special Privileges

The PSM service controls access to the PSM compartment in your OCI tenancy, so the policies required by Cloud Guard do not affect your access through Cloud Guard to resources in the PSM compartment. To obtain the privileges necessary to dismiss or resolve problems related to the PSM compartment:

  1. Create an Oracle support ticket.
  2. Provide the following details so that the privileges necessary for Cloud Guard can be granted:
    • OCI tenancy ID
    • OCIDs of the Cloud Guard problems that you are trying to dismiss
  3. The PSM and the OCI Identity team then add the following policy:

    allow group administrators to use cloud-guard-problems in compartment managedcompartmentforpaas

    Note

    This is a special compartment, for which the ability to resolve Cloud Guard problems can only be granted to an administrative group.
  4. After the support team informs you that they've added the policy, you can dismiss and resolve problems related to the PSM compartment.