25. 09. 2014 Patrick Zambelli Uncategorized

Update of SyslogView 2.1.7 available

For the current NetEye 3.4 release, has been released an update of SyslogView. This version comes with these new features:

Version 2.1.7:

  • Add of new option -T to check_neteye_logManager.sh. This option check the TCP Socket 514 to be available on the local Rsyslog server
  • For now it is better to make use of -T and therefore the default option -A is also substituted by -T in the syslogview cron

Version: 2.1.6:

  • An improvement for the MD5 Hash-Sum generation was included, to make sure the signature is created, also if no logs have been collected.

Version 2.1.5:

Check and monitoring extension

Feature: Integration of an advanced control logic, to verify the activity of the Logging Server, as well as the correct archivation and signing of the log structures.
In detail there is a check “check_neteye_logManager.sh” coming with the following options:

  • -A     : Verify that at least a log archive folder of the day before has been created for the default group. This makes sure, that the log server is active and the content is created. The fact of verifying the date before, excludes the possibility that no logs have been received for the current day, yet. In the same moment, the SAFED log cache allows to recover logs from the last 2 days, so its no problem to restore a missing archive of 1 day.
  • -P     : Verify that the rsyslogd and auditd process is running. Principally a traditional check that a “rsyslogd” and an “auditd” process is running.
  • -S     : Verify for all ACTIVE Log Groups, that for yesterday ALL Logs are compressed and valid Signed. This checks options reads all active log groups and verifies the archivation status of the log archive of yesterday. The check principally consists in:
  1. Are there logs, still not archived ( compressed ) in the folder
  2. Have all logs a PGP signature and
  3. is this signature valid

Notification:

  • -e        : (default) Execution mode: Passive output to eventConsole ( MsgConsole ). A possible negative result of one of the test conditions is send into the EventConsole ( MessageConsole ). In this way no error situation is missed, since all notifications – if occured on more than one day – are tracked here.
  • -a        : Execution mode: Active check with output and perfdata. In this ways the check is run as a traditinal nagios check in an active way and also dedicated perfdata of the number of signed/unsigned log files and the processes is returned.

ADVICE: The execution of this check requires root permissions for signature check, since the PGP keys and the passphrase are protected from access.
Therefore the check is done in the simplest way via cron job. When implementing the active execution a sudoers entry is required for authorization delegation to user “nagios”.

Fixes and improvements

  • The daily execution of the archivation, signature and log indexing has been refactored. An improved logic and the extraction of the Log indexing from the Core feature of Archivation/Signature was done. This should prevent crashes during the nightly log archivation process.
    UPDATE: 2.1.6: An improvement for the MD5 Hash-Sum generation was included, to make sure the signature is created, also if no logs have been collected.
  • SAFED Log Recovery Logic: The nightly archivation process includes also a feature of “log integrity check”. All Safed messages are marked with a sequencial number and toghether with this, it is possible to identify lost log rows. SyslogView tries therefore automatically to recover missing rows from the cache archive of the Safed agent, to integrate contents that could be lost during network outages or (TCP/UDP) buffer overflows. Possible  Hostname / IP address recognitions are working now better and also the authentication mechanism was improved ( especially when customizing the authentication password to he Safed agent ).

HINT: The Nagios check for this log recovery activity would be:

/usr/lib/nagios/plugins/check_safed_recovery.sh /var/log/neteye/syslogview/checkLogIntegrity.log

Patrick Zambelli

Patrick Zambelli

Project Manager at Würth Phoenix
After my graduation in Applied Computer Science at the Free University of Bolzano I decided to start my professional career outside the province. With a bit of good timing and good luck I went into the booming IT-Dept. of Geox in the shoe district of Montebelluna, where I realized how a big IT infrastructure has to grow and adapt to quickly changing requirements. During this experience I had also the nice possibility to travel the world, while setting up the various production and retail areas of this company. Arrived at Würth Phoenix I started developing on our monitoring solution NetEye. Today, in my position as Consulting an Project Manager I am continuously heading to implement our solutions to meet the expectation of your enterprise customers.

Author

Patrick Zambelli

After my graduation in Applied Computer Science at the Free University of Bolzano I decided to start my professional career outside the province. With a bit of good timing and good luck I went into the booming IT-Dept. of Geox in the shoe district of Montebelluna, where I realized how a big IT infrastructure has to grow and adapt to quickly changing requirements. During this experience I had also the nice possibility to travel the world, while setting up the various production and retail areas of this company. Arrived at Würth Phoenix I started developing on our monitoring solution NetEye. Today, in my position as Consulting an Project Manager I am continuously heading to implement our solutions to meet the expectation of your enterprise customers.

Leave a Reply

Your email address will not be published. Required fields are marked *

Archive