25. 09. 2014
NetEye Updates, Syslog
Update of SyslogView 2.1.7 available
An update of SyslogView has been released for the current NetEye 3.4 release. This version comes with the following new features:
- A new option -T has been added to check_neteye_logManager.sh. This option checks that TCP port 514 is accepting connections on the local rsyslog server.
- For now it is better to use -T, so the default option -A is also replaced by -T in the syslogview cron job.
- An improvement to the MD5 hash-sum generation was included, to make sure the signature is created even if no logs have been collected.
Check and monitoring extension
Feature: Integration of an advanced control logic to verify the activity of the logging server, as well as the correct archiving and signing of the log structures.
In detail there is a check "check_neteye_logManager.sh" with the following options:
- -A : Verify that at least one log archive folder of the day before has been created for the default group. This makes sure that the log server is active and content is being created. Verifying the day before excludes the possibility that no logs have been received for the current day yet. At the same time, the SAFED log cache allows logs of the last 2 days to be recovered, so restoring a missing archive of one day is no problem.
- -P : Verify that the rsyslogd and auditd processes are running. Essentially a traditional check that an "rsyslogd" and an "auditd" process is running.
- -S : Verify for all ACTIVE log groups that ALL logs of yesterday are compressed and validly signed. This option reads all active log groups and verifies the archiving status of yesterday's log archive. The check essentially consists of:
  - Are there logs in the folder that are still not archived (compressed)?
  - Do all logs have a PGP signature?
  - Is that signature valid?
- -e : (default) Execution mode: passive output to the EventConsole (MsgConsole). A negative result of one of the test conditions is sent to the EventConsole (MessageConsole). In this way no error situation is missed, since all notifications, even if they occur on more than one day, are tracked here.
- -a : Execution mode: active check with output and perfdata. In this way the check runs as a traditional Nagios check in an active way, and dedicated perfdata on the number of signed/unsigned log files and on the processes is also returned.
ADVICE: Running this check requires root permissions for the signature check, since the PGP keys and the passphrase are protected from access.
Therefore the simplest way to run the check is via a cron job. When implementing active execution, a sudoers entry is required to delegate authorization to the user "nagios".
Fixes and improvements
- The daily execution of archiving, signing and log indexing has been refactored. The logic was improved and the log indexing was extracted from the core archiving/signing feature. This should prevent crashes during the nightly log archiving process.
UPDATE 2.1.6: An improvement to the MD5 hash-sum generation was included, to make sure the signature is created even if no logs have been collected.
- SAFED log recovery logic: The nightly archiving process also includes a "log integrity check" feature. All SAFED messages are marked with a sequential number, and with this it is possible to identify lost log rows. SyslogView therefore automatically tries to recover the missing rows from the cache archive of the SAFED agent, in order to integrate content that could have been lost during network outages or (TCP/UDP) buffer overflows. Hostname / IP address recognition now works better, and the authentication mechanism was also improved (especially when customizing the authentication password of the SAFED agent).
HINT: The Nagios check for this log recovery activity would be:
Latest posts by Patrick Zambelli