
Eyeglass Isilon Remote Logging Service Tech Note

 

This Tech Note applies to:

  • Eyeglass Isilon Edition R1.1 

 

Overview

The Remote Logging Service feature pushes the contents of the Eyeglass appliance /var/log/messages log, including the logs received from managed devices, to 3rd party log consumers such as VMware Log Insight and Splunk, using a customized logging configuration on the appliance.

 

With this configuration, as soon as the appliance receives a syslog message it tags the incoming message according to the device type, so that each log message carries the device name and serial number locally, and then forwards the message over UDP on port 514 to the configured 3rd party log consumers.

 

This allows dashboards and analysis in the logging tools to be built on the serial number, device name and inventory data collected from the device.

 

The Eyeglass log also includes information from data sources that do not use syslog as input.  For example, inventory information, alarms, events, custom Eyeglass events and failed tasks are all tagged with the managed device and sent to syslog.

 

This gives logging analysis tools much more information about the device than typical syslog-only events.

 

The architecture of the solution is shown below.







localhost messages

The Eyeglass appliance syslog is configured to process messages from the appliance host OS.  This includes messages from the Eyeglass "Security Core Agent".  The following selected entries from the Eyeglass Security Core Agent main.log file are exposed to syslog:

> inventory logs

> alarm logs

 

The logs from the Security Core Agent are sent to syslog already prefixed with <name>_<unique identifier> for the related device.  In the /var/log/messages file they additionally appear prefixed with "localhost".


For the remote log consumer, the prefix is determined by the filter rule in syslog-ng.conf.  Each received message is prefixed by syslog with "$HOST EYEGLASS".  Example filtering from syslog-ng.conf:

 

### REMOTE CONFIGURATION FOR EYEGLASS to <3rd party log consumer>_<3rd party IP address> ###

filter eyeglass_EYEGLASS_<3rd party>_<ip address>_filter { netmask("127.0.0.1/32"); };

destination eyeglass_EYEGLASS_<3rd party>_<ip address>_dest { udp("<ip address>" port(514) template("$ISODATE $HOST EYEGLASS $MSGHDR$MSG\n") template_escape(no)); };

log { source(src); filter(eyeglass_EYEGLASS_<3rd party>_<ip address>_filter); destination(eyeglass_EYEGLASS_<3rd party>_<ip address>_dest); };

 

Managed Device messages

If the Eyeglass appliance has been configured as a syslog consumer on other devices, the syslog data from those devices is also processed by the Eyeglass syslog according to the filter rules in syslog-ng.conf.

 

Example filtering from syslog-ng.conf:

 >> note: in the following, 0050568c9968bf70e353361511555c347b98 stands for the unique identifier of the managed device and would be replaced by the identifier of your device



### DEVICE CONFIGURATION FOR 0050568c9968bf70e353361511555c347b98 ###

filter eyeglass_0050568c9968bf70e353361511555c347b98_filter { netmask("192.168.1.191/32"); };

destination eyeglass_0050568c9968bf70e353361511555c347b98_dest { file("/var/log/eyeglassdevices" template("$ISODATE $HOST 0050568c9968bf70e353361511555c347b98 $MSGHDR$MSG\n") template_escape(no)); };

log { source(src); filter(eyeglass_0050568c9968bf70e353361511555c347b98_filter); destination(eyeglass_0050568c9968bf70e353361511555c347b98_dest); };

 

### REMOTE CONFIGURATION FOR 0050568c9968bf70e353361511555c347b98 to loginsight_172.16.84.40 ###

filter eyeglass_0050568c9968bf70e353361511555c347b98_loginsight_172.16.84.40_filter { netmask("192.168.1.191/32"); };

destination eyeglass_0050568c9968bf70e353361511555c347b98_loginsight_172.16.84.40_dest { udp("172.16.84.40" port(514) template("$ISODATE $HOST 0050568c9968bf70e353361511555c347b98 $MSGHDR$MSG\n") template_escape(no)); };

log { source(src); filter(eyeglass_0050568c9968bf70e353361511555c347b98_loginsight_172.16.84.40_filter); destination(eyeglass_0050568c9968bf70e353361511555c347b98_loginsight_172.16.84.40_dest); };
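Both configurations above emit lines in the shape "$ISODATE $HOST <TAG> $MSGHDR$MSG", where TAG is either the literal EYEGLASS (appliance-local messages) or the managed device's identifier. The following added example, not part of the tech note or the Eyeglass product, parses that shape into fields as a 3rd party consumer would, and emulates the netmask() filter that decides routing. The sample lines, the device name "isilon01" and the assumption that the Security Core Agent's "<name>_<identifier>" prefix is the first token of the message body are constructed here.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Output shape of the syslog-ng templates in this tech note: "$ISODATE $HOST <TAG> $MSGHDR$MSG\n".
# TAG is EYEGLASS for appliance-local messages, or the managed device's unique identifier.
LINE_RE = re.compile(
    r"^(?P<isodate>\S+) (?P<host>\S+) (?P<tag>\S+) "
    r"(?:(?P<program>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: )?(?P<msg>.*)$"
)

@dataclass
class ForwardedLog:
    isodate: str
    host: str               # $HOST: the sender as seen by the appliance
    tag: str                # "EYEGLASS" or the managed-device identifier
    program: Optional[str]  # from $MSGHDR, e.g. "sshd"
    pid: Optional[int]
    msg: str

    @property
    def device_id(self) -> Optional[str]:
        # Device lines carry the identifier in the tag; Security Core Agent lines are
        # prefixed "<name>_<identifier>", assumed here to be the first token of the body.
        if self.tag != "EYEGLASS":
            return self.tag
        first = self.msg.split(" ", 1)[0]
        return first.rsplit("_", 1)[1] if "_" in first else None

def parse_forwarded_line(line: str) -> ForwardedLog:
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        raise ValueError(f"not in Eyeglass forwarded format: {line!r}")
    pid = m["pid"]
    return ForwardedLog(m["isodate"], m["host"], m["tag"], m["program"],
                        int(pid) if pid else None, m["msg"])

def matches_filter(sender_ip: str, netmask: str) -> bool:
    # Emulates the netmask("a.b.c.d/len") filter: routing keys solely on the sender address.
    return ipaddress.ip_address(sender_ip) in ipaddress.ip_network(netmask, strict=False)

# Constructed sample lines in the template format (not captured from a real appliance).
SAMPLE_LINES = [
    "2016-03-01T10:15:02+00:00 localhost EYEGLASS sca[2211]: "
    "isilon01_0050568c9968bf70e353361511555c347b98 inventory: 2 nodes, 4 pools",
    "2016-03-01T10:15:07+00:00 192.168.1.191 0050568c9968bf70e353361511555c347b98 "
    "sshd[4131]: Accepted publickey for admin from 10.0.0.5 port 50122",
]
```

Calling parse_forwarded_line on each of SAMPLE_LINES yields the device identifier for both the appliance-tagged and the device-tagged line, which is the field a Log Insight or Splunk dashboard would group on.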

 

Viewing logs from Eyeglass UI

Eyeglass Log View

In addition to 3rd party log consumers, the Eyeglass UI provides a window to fetch a copy of, or view in real time, the following logs:

/opt/superna/sca/logs/main.log

/var/log/messages



3rd Party Logging Service

From the Eyeglass UI a shortcut to the provisioned 3rd party log consumers is provided.

 

Required Licenses

The Logging Service requires the following license to be loaded:

Allow uploads to Log Insight

Without this license, syslog on the Eyeglass will not be configured to forward messages to 3rd party log services.



System Settings

Security Core Agent Log Forwarding Schedule

The default is 15 min: every 15 min the current in-memory inventory is sent by the Security Core Agent to syslog.



Logs

Since native syslog is used to manage the log forwarding, the native syslog log files should be used for troubleshooting.  The log can be viewed from the Eyeglass UI.

 

syslog Administration

 

Requires root login to the appliance.

 

check syslog process : service syslog status

start syslog process : service syslog start

stop syslog process : service syslog stop

 
