DCAP Central 4.1

DCAP Central Overview

jSonar® Data-Centric Audit and Protection (DCAP) Central is a system for storing, managing and providing access to the IBM® InfoSphere® Guardium® Database Activity Monitoring (DAM) system (referred to as "Guardium" throughout this documentation).

This section provides an overview of the DCAP Central system, including a high-level view of the system architecture, and a description of the data model.

DCAP Central Architecture

DCAP Central is a Big Data system that uses the SonarW NoSQL Data Warehouse to store data extracted from Guardium collectors. DCAP Central centralizes all Guardium data into a single database store, regardless of the number of collectors – thus eliminating the need for complex aggregation processes.

DCAP Central's advanced database architecture allows for unparalleled performance in reporting and analytics. The proprietary database also allows customers to retain Guardium data for long periods of time, without impacting performance.

DCAP Central includes the following components:

  • The SonarW NoSQL Data Warehouse.

  • The SonarCollector ETL layer and specific Guardium ETL algorithms.

  • The DCAP Central Application.

  • The SonarK discovery tool (based on Kibana).

  • SonarSQL, providing SQL access to Guardium data stored within SonarW.

  • JSON Studio, providing a graphical user interface (GUI) for advanced analytic query building and visualization.


The DCAP Central software package is installed on a RHEL Linux server. DCAP Central can be installed on a physical server or a virtual machine.

It is strongly recommended that DCAP Central is the only application on the server, and not co-located with other applications. DCAP Central's Big Data workloads area resource-intensive, consuming all available compute, memory and I/O resources. It is therefore recommended to run DCAP Central on its own server.

DCAP Central receives data from Guardium collectors through an SCP process of compressed extraction files. These files are produced by the collectors and the mechanism is supported for Guardium versions 9.x and 10.x. For systems running version 9.5 collectors, the IBM data extraction patch 609 (or a cumulative later patch) must be installed. Consult your DCAP Central account manager for the precise IBM patch required. Guardium 10 has built-in support for producing these extract files.

Guardium data is copied to a staging server, where it is processed by DCAP Central ETL into DCAP Central using Guardium-specific processes. The staging server can be the SonarG server (preferred) or another server. When configuring data extraction in Guardium, the staging server should specified under “hostname.’

Guardium collectors produce and copy files on an hourly basis. The DCAP Central ETL process runs continuously and ingests these extract files on an ongoing basis. Data is therefore available in DCAP Central with a lag not longer than ~60-75 minutes.

Once the data is in SonarW, various tools provide access to the Guardium data. These include a DCAP Central custom-built reporting layer, JSON Studio for building queries, reports and visualizations directly over the Guardium data, a Web Services layer and a SQL layer. All these are installed on the DCAP Central server as part of the DCAP Central installer.