How to Customize Your Grafana Theme

Posted by on Dec 7, 2017 in General | No comments

Grafana is an open source dashboard tool that helps users easily create and edit dashboards. Grafana uses Go for its backend and Angular for its frontend. It is quite a large codebase and supports a large number of options for its components (data sources, options, panels, etc.). Grafana’s stylesheet is written in the Sass CSS extension language, and this preprocessor makes customizing themes considerably easier.


The Role of IT Asset Management in GDPR Compliance – Part I

Posted by on Nov 28, 2017 in General | No comments

In this post, and in the one that will follow in the coming weeks, I would like to analyze the role of IT Asset Management in adapting to the new General Data Protection Regulation (GDPR).
In this first article I will briefly introduce what the GDPR is, what measures it introduces, and how IT Asset Management (ITAM) can support it.
In the next article, I will list the modules provided by NetEye, our IT System Management solution, for implementing ITAM.

Introduction to GDPR

The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU. The GDPR aims primarily to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. It becomes enforceable from 25 May 2018 after a two-year transition period and, unlike a directive, it does not require national governments to pass any enabling legislation, and is thus directly binding and applicable. (Source: Wikipedia)


EriZone – Security Advisory

Posted by on Nov 27, 2017 in EriZone & OTRS, EriZone Security Advisories | No comments

A vulnerability has been detected in the agent interface of the EriZone – OTRS system. The following applies to all OTRS 3.3.x, EriZone 3.x and EriZone 5.x systems.

The vulnerability is a code injection in Kernel/System/Spelling.pm and is classified with a severity of 8.6 (high).

To guarantee the security of your system, we recommend applying the latest released patches.

For EriZone 5.2:

Via Admin >> Package Manager
Click on “Update repository information” and upgrade the packages strictly in the following sequence:

  • EriZoneCore
  • EriZoneTheme

 

For EriZone 3.6:

Via Admin >> Package Manager
Click on “Update repository information” and upgrade package:

  • EriZoneCore

 

For both systems, after completing the procedure above, run the following commands from a console:

  • /opt/otrs/scripts/EriZone/erizone.global_makelink
  • /opt/otrs/scripts/EriZone/Permissions.sh
  • /opt/otrs/scripts/EriZone/RestartEriZone.sh

 

Further information regarding this topic can be found at https://www.otrs.com/security-advisory-2017-07-security-update-otrs-framework/

The update for EriZone 5.2 also fixes some other theme bugs.

Technical details:

  • Date: 2017-11-21
  • Title: Remote code execution
  • Severity: 8.6 high
  • Product: OTRS 3.3.*, EriZone 3.* and EriZone 5.*
  • ID: OSA-2017-07

EriZone to EriZone communication via web services

Posted by on Nov 14, 2017 in EriZone & OTRS | No comments

The Generic Interface (GI) is an OTRS framework that allows EriZone5 to communicate with other systems via web services. The communication can be bidirectional: EriZone5 can act as a service provider, as a service requestor, or as both.
You can use the GI to define a “Webservice” and to configure its behavior as a requestor and/or a provider. “Operations” can be defined and configured to perform the requested actions internally. In the other case, when a request should be performed by a remote system, “Invokers” can be defined and configured to forward the request. Inside both Operations and Invokers you can define, when required, a data mapping between the communicating systems so that data is sent and received in the expected format.
For both the provider and the requestor you can define the “Network transport”, i.e. the protocol over which OTRS/EriZone5 communicates with the remote systems (e.g. another EriZone5 server).

A simple example of a webservice where EriZone5 is acting as a requestor


Deep Learning – a Recent Trend and Its Potential

Posted by on Nov 13, 2017 in General | No comments

Artificial Intelligence (AI) refers to hardware or software that exhibits behavior which appears intelligent. Machine Learning is a field of computer science that gives computers the ability to learn without being explicitly programmed. Deep Learning is part of a broader family of machine learning methods based on learning data representations, as opposed to task-specific algorithms.

Gartner acknowledges that Deep Learning has recently delivered technology breakthroughs and regards it as the major driver toward artificial intelligence.

One can expect a significant impact on most industries over the next three to five years. It’s just one more reason to act now and understand its real potential. Below I will answer the three questions I have been asked most often about deep learning over the last few months.

Susanne Greiner, Wuerth Phoenix @ Deep Learning BootCamp with experts from Google, Nvidia & Zalando Research, Dresden 2017

What is Deep Learning?


Microsoft ADFS integration with Shibboleth

Posted by on Nov 9, 2017 in Microsoft Management | No comments

Starting with Windows Server 2003 R2, Microsoft introduced Active Directory Federation Services (ADFS), a software component that provides users with single sign-on access to systems and applications located across organizational boundaries.
ADFS is part of the Active Directory Services.

The authenticated user is issued a set of Claims about his/her identity, which are inserted into a digitally signed Token (a SAML Token). This token is then recognized and used by the various applications that accept this authentication scheme, which enables Single Sign-On for those applications.

The advantage is that the user authenticates once against the ADFS service and then does not need to present his/her credentials again to the various application servers, which may also lie outside the network containing the Active Directory Domain.


Monitor Your XtremIO EMC Storage

Posted by on Nov 7, 2017 in NetEye | No comments

You have an XtremIO Dell EMC Storage and would like to monitor it? Then I have just the thing. Not long ago I wrote a monitoring plugin for XtremIO storages. What this plugin can do:

  • XTREMIO_CTRL_Status: monitors the controllers and shows the hardware status
  • XTREMIO_DPG_Status: monitors your DPG groups on the storage
  • XTREMIO_Storage_Efficiency: checks and visualizes the current “deduplication and compression” efficiency of the XtremIO
  • XTREMIO_Storage_Space: checks whether you still have enough storage available

And how does it work?


Your CISCO Syslog in Elasticsearch, Here Is How!

Posted by on Oct 31, 2017 in Log Auditing, NetEye, Syslog | No comments

You have a CISCO network infrastructure and want to write its logs into an Elasticsearch database via the Syslog protocol? Here you will learn how, with all the necessary filters and patterns for your Logstash setup.

As you know, data gets into the Elasticsearch database through a Logstash instance. The advantage is that this data can be analyzed and split into fields so that it can be indexed and used in Elasticsearch. CISCO is a very well-known and widely deployed network device manufacturer, so it is important to have a solution that correctly indexes the logs these devices can send.

This article basically deals with 2 kinds of CISCO logs:

  • Network devices such as switches or routers
  • Cisco WLC
  • The CISCO Radius appliance

I split the whole thing into 2 filter rules, since the RADIUS logs are something completely different and have nothing in common with “normal” CISCO logs. So I used the following patterns:

CISCOTIMESTAMPTZ %{CISCOTIMESTAMP}( %{TZ})?
NEXUSTIMESTAMP %{YEAR} %{MONTH} %{MONTHDAY} %{TIME}( %{TZ})?
ISETIMESTAMP %{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})? %{ISO8601_TIMEZONE}?

And then I wrote the following filter rules. I used the host group to restrict parsing to a certain group of devices; you can leave that out if you want:

#
# FILTER - Try to parse the cisco log format
#
# Configuration:
#   clock timezone Europe +1
#   no clock summer-time
#   ntp server 0.0.0.0 prefer
#   ntp server 129.6.15.28
#   ntp server 131.107.13.100
#   service timestamps log datetime msec show-timezone
#   service timestamps debug datetime msec show-timezone
#   logging source-interface Loopback0
#   ! Two logging servers for redundancy
#   logging host 0.0.0.0 transport tcp port 8514
#   logging host 0.0.0.0 transport tcp port 8514
#   logging trap 6

filter {
  # NOTE: The frontend logstash servers set the type of incoming messages.
  if [type] == "syslog" and [host_group] == "Netzwerk" {
    # Parse the log entry into sections.  Cisco doesn't use a consistent log format, unfortunately.
    grok {
      patterns_dir => "/var/lib/neteye/logstash/etc/pattern.d"
      match => [
        # IOS
        "message", "%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGHOST:logsource} ((%{NUMBER:log_sequence#})?:( %{NUMBER}:)? )?%{CISCOTIMESTAMPTZ:log_date}: %%{CISCO_REASON:facility}-%{INT:severity_level}-%{CISCO_REASON:facility_mnemonic}: %{GREEDYDATA:message}",
        "message", "%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGHOST:logsource} ((%{NUMBER:log_sequence#})?:( %{NUMBER}:)? )?%{CISCOTIMESTAMPTZ:log_date}: %%{CISCO_REASON:facility}-%{CISCO_REASON:facility_sub}-%{INT:severity_level}-%{CISCO_REASON:facility_mnemonic}: %{GREEDYDATA:message}",

        # Nexus
        "message", "%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGHOST:logsource} ((%{NUMBER:log_sequence#})?: )?%{NEXUSTIMESTAMP:log_date}: %%{CISCO_REASON:facility}-%{INT:severity_level}-%{CISCO_REASON:facility_mnemonic}: %{GREEDYDATA:message}",
        "message", "%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGHOST:logsource} ((%{NUMBER:log_sequence#})?: )?%{NEXUSTIMESTAMP:log_date}: %%{CISCO_REASON:facility}-%{CISCO_REASON:facility_sub}-%{INT:severity_level}-%{CISCO_REASON:facility_mnemonic}: %{GREEDYDATA:message}",

        # WLC
        "message", "%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGHOST:logsource} %{SYSLOGHOST:wlc_host}: %{DATA:wlc_action}: %{CISCOTIMESTAMP:log_date}: %{DATA:wlc_mnemonic}: %{DATA:wlc_mnemonic_message} %{GREEDYDATA:message}"
      ]

      overwrite => [ "message" ]

      add_tag => [ "cisco" ]
    }
  }

  # If we made it here, the grok was successful
  if "cisco" in [tags] {
    date {
      match => [
        "log_date",

        # IOS
        "MMM dd HH:mm:ss.SSS ZZZ",
        "MMM dd HH:mm:ss ZZZ",
        "MMM dd HH:mm:ss.SSS",
        
        # Nexus
        "YYYY MMM dd HH:mm:ss.SSS ZZZ",
        "YYYY MMM dd HH:mm:ss ZZZ",
        "YYYY MMM dd HH:mm:ss.SSS",
        
        # Hail mary
        "ISO8601"
      ]
    }

    # Add the log level's name instead of just a number.
    mutate {
      gsub => [
        "severity_level", "0", "0 - Emergency",
        "severity_level", "1", "1 - Alert",
        "severity_level", "2", "2 - Critical",
        "severity_level", "3", "3 - Error",
        "severity_level", "4", "4 - Warning",
        "severity_level", "5", "5 - Notification",
        "severity_level", "6", "6 - Informational"
      ]
    }

  } # if
} # filter

For the CISCO RADIUS logs I used the following filter:


#
# FILTER - Try to parse the ise logfiles (Radius)
#

filter {
  if [type] == "syslog" and [host_group] == "ISE" {
    grok {
      patterns_dir => "/var/lib/neteye/logstash/etc/pattern.d"
      match => [
        "message", "%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGHOST:logsource} %{DATA:ise_log_type} %{NUMBER:ise_log_sequence} %{INT:ise_log_lines_split} %{INT:ise_log_line_sequence} %{ISETIMESTAMP} %{NUMBER:ise_log_number} %{NUMBER:ise_log_id} %{DATA:ise_log_facility} %{DATA:ise_log_id_description},.* Device IP Address=%{IP:ise_device_ip},.* UserName=%{DATA:ise_username},.* NetworkDeviceName=%{DATA:ise_network_device_name},.* User-Name=%{DATA:ise_user_name},.* (NAS-Port-Id=%{DATA:ise_nas_port_id},.* )?(cisco-av-pair=%{DATA:ise_cisco_av_pair},.* )?AuthenticationMethod=%{DATA:ise_authentication_method},.* (AuthenticationStatus=%{DATA:ise_authentication_status}, .*)?(EndPointMACAddress=%{DATA:ise_endpoint_mac_address},.*)? Location=%{DATA:ise_location},%{GREEDYDATA:message}"
      ]
      add_tag => [ "ISE" ]
      remove_tag => [ "_grokparsefailure" ]
      tag_on_failure => [ "_iseparsefailure" ]
    }
  }
} # filter

Putting it all together now yields well-formatted CISCO logs in Elasticsearch that you can actually do something with. You can download all the files mentioned above from here (Cisco-Logstash-Elasticsearch).


Oracle Exadata Monitoring with NetEye

Posted by on Oct 18, 2017 in General | No comments

More and more often I’ve needed to integrate an Oracle Exadata system with NetEye Monitoring. The Oracle Exadata Database Machine is a combined compute and storage system marketed for running Oracle Database software.

The best way to integrate the Oracle Exadata system is to use SNMP Trap alerting. How you set it up depends on your particular Oracle installation: whether you are using only the Exadata system or also the Oracle Enterprise Manager. If you are only using the Exadata system, you can configure your alerts on it and send them to NetEye via SNMP alerting. If you are also using the Enterprise Manager, you first configure the alerts on the Oracle Enterprise Manager and then configure SNMP Trap alerting to forward them to NetEye.


End-to-End Monitoring with Alyvix at the Heise Cloud Conference

Posted by on Oct 5, 2017 in EriZone & OTRS, NetEye | No comments


The “Heise Cloud-Konferenz – by c’t & iX” on 17 October 2017 in Cologne brings together IT decision-makers and providers to exchange practical experiences with private, hybrid and public cloud infrastructures. Questions of platform selection criteria, security (data protection vs. data security) and price-performance ratio are examined, as are concrete technical challenges such as multicloud sourcing, monitoring and service level agreements.

Our Georg will open the conference with a talk on sourcing and monitoring in multicloud environments. He will present concrete features of Alyvix and show how increased service quality is ensured from the user’s perspective. This consistently high-calibre event takes place at KOMED, Mediapark 7 in Cologne. Registrations can be made directly on the conference pages. The main target group consists of CIOs, cloud experts, IT admins, project managers, decision-makers, data protection officers and cloud users.


Monitoring Network Traffic on Microsoft Hyper-V Servers via PowerShell

Posted by on Sep 26, 2017 in Capacity Management, Nagios, Nagios Plugins, NetEye | No comments

Monitoring network traffic on network devices has traditionally been based on SNMP queries. Using predefined commands, the packet transfer statistics of one or more network interfaces can be queried via SNMP.

While network devices are still queried via SNMP today, retrieving this information from Microsoft Hyper-V servers requires different approaches. The reason lies in the configuration of the network connection: for example, several physical network interfaces of a Hyper-V appliance are bundled into one logical interface, which can also distribute network traffic transparently across several network devices. In this way, network traffic can be spread over several switches, for example, while at the same time increasing fault tolerance. Another reason to look for alternatives is that Microsoft has discontinued further development of its SNMP implementation.

Schematically, a physical network cabling could look like this: a physical Hyper-V host has 2 active physical network connections, which are attached to the network via two switches.

Schematic network and connection diagram


Impressions from the “Digital Business Forum”

Posted by on Sep 22, 2017 in EriZone & OTRS, NetEye | No comments

Advancing digitalization is changing society, the environment and markets. Which infrastructure solutions and processes digital pioneers are using to prepare for the networked future was the topic of the “Digital Business Forum” last week in Bolzano.

What this means for the quality assurance of IT services, how our daily work will change and what specifically to expect in the area of system management was shown by the participating experts, including those from Microsoft Austria, the Fraunhofer Institute, the University of Bolzano and also Würth Phoenix. We have summarized impressions of the event in a short video.


EriZone – Security Advisory

Posted by on Sep 21, 2017 in EriZone & OTRS, EriZone Security Advisories | No comments

A vulnerability has been detected in the agent interface of the EriZone – OTRS system. The following applies to all OTRS 3.3.x, EriZone 3.x and EriZone 5.x systems.

The vulnerability exploits a flaw in the agent statistics module and has been classified as “high” risk.

To guarantee the security of your system, we recommend applying the latest released patches.

For EriZone 5.2:

Via Admin >> Package Manager
Click on “Update repository information” and upgrade the packages strictly in the following sequence:

  • EriZoneCore
  • EriZoneServiceDeskEnhancement
  • EriZoneTheme

 

For EriZone 3.6:

Via Admin >> Package Manager
Click on “Update repository information” and upgrade package:

  • EriZoneCore

 

For both systems, after completing the procedure above, run the following commands from a console:

  • /opt/otrs/scripts/EriZone/erizone.global_makelink
  • /opt/otrs/scripts/EriZone/Permissions.sh
  • /opt/otrs/scripts/EriZone/RestartEriZone.sh

 

Further information regarding this topic can be found at https://www.otrs.com/security-advisory-2017-04-security-update-otrs-versions/

The update for EriZone 5.2 also fixes two more bugs.


Technical details:

  • Date: 2017-09-19
  • Title: Code Injection / Privilege Escalation OTRS
  • Severity: High
  • Product: OTRS 3.3.*, EriZone 3.* and EriZone 5.*
  • ID: OSA-2017-04

Do you want to prevent cyber-attacks? NetEye and Kibana can help.

Posted by on Sep 19, 2017 in Information Security Operations Center | No comments

IT security is one of the highest priorities for every CIO. Cyber-attacks are now a reality that we must deal with on a daily basis. More and more organizations have been the victims of so-called cybercrimes that are the cause of financial losses, operational problems and consequences to the company’s reputation.

That is why structuring your defenses better, and increasing efficiency and reactivity in case of an attack, are now key goals for IT departments. How should we adapt to these new needs? One of the most important actions to take is the creation of an Information Security Operations Center, which implements IT security and proactively monitors the IT infrastructure.

A new IT Security Management Strategy

Lately, in the Banca Informatica Bancaria Trentina Group where I work, we have increasingly focused on the realization of an Information Security Operations Center. To ensure security and to better control cyber-attacks, we are now leveraging the advantages offered by Kibana and Grafana: Data Visualization Modules integrated into NetEye. These tools allow you to create dashboards that are easy to interpret. More specifically, we focused on the generation of dashboards for infrastructure load (e.g., the CPU usage of the various nodes and the bandwidth load of the switches) and for the security events that allow us to rapidly identify if our organization is under attack.

These dashboards offer a concrete benefit in those situations where it is fundamental to quickly identify the root cause of a problem, such as within an ISOC.
