January 24, 2019 | Written by: Sachin Patil
Categorized: Articles | Identity and Governance
Log forwarder configuration in IBM® Security Identity Governance and Intelligence Virtual Appliance (IGI-VA)
Starting with IGI V5.2.4, the virtual appliance (VA) provides a feature to forward all VA logs to a centralized log management server. Internally, the VA uses Filebeat as the agent that forwards the logs. You can configure Filebeat from the VA panel by navigating to Manage -> Maintenance -> Log forwarder configuration.
The logs that are forwarded from the VA can be consumed by an external Logstash server or an ELK stack (Elasticsearch, Logstash, Kibana dashboards). You can configure the ELK stack to filter the VA logs, generate various dashboards, etc.
Configuring Log forwarder in VA
The log forwarder can be configured to send to a Logstash server that is running in non-SSL or SSL mode. The following fields are used in the configuration:
The Host name and Port fields are mandatory (these are the Logstash server host and port). The Tags field is optional, but it is useful for filtering the VA logs on the Logstash server or for other log analysis purposes. If the Logstash server is running in SSL mode, provide the Logstash server SSL port and select the SSL check box. Refer to the VA documentation to configure the log forwarder.
Sample Logstash server configuration
The following steps configure the Logstash server.
- Download the Logstash install bundle. For example, logstash-5.4.2.tar.gz.
- Extract it on any Linux server.
- Create a configuration file. For example, non_ssl.config or ssl.config.
- Run the Logstash server.
$Logstash_install_path/bin/logstash -f non_ssl.config &
A sample non_ssl.config, which outputs logs to a text file, is as follows:
A sample ssl.config, which outputs logs to a text file, is as follows:
Java required for Logstash
Use OpenJDK or Oracle Java to run the Logstash server. The Logstash server must run with a non-IBM version of Java, Version 1.8 or higher.
Sample SSL certificate creation
To run the Logstash server in SSL mode, you can use openssl to generate the certificates.
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout server.key -out server.crt
Note: If the server host name is provided in ssl.config and an IP address is used when configuring the log forwarder in the VA, the logs might not be forwarded. For forwarding to work, specify the subject alternative name when creating the certificates, as follows:
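One way to create such a certificate, as an added example rather than the article's own listing: the function below reuses the openssl options shown above, adds a subject alternative name section that lists both the DNS name and the IP address, and then checks the resulting certificate. The host name, IP address, output directory, and function names are placeholders chosen for illustration.

```bash
#!/usr/bin/env bash
# Added example: self-signed certificate for the Logstash server whose SAN
# carries both the DNS name and the IP address (values are placeholders).

# make_san_cert <dns_name> <ip_address> <out_dir>
# Writes server.key and server.crt into <out_dir>.
make_san_cert() {
  local dns_name="$1" ip_addr="$2" out_dir="$3"
  mkdir -p "$out_dir"

  # A config file is used rather than -addext so the command also works on
  # OpenSSL releases older than 1.1.1.
  cat > "$out_dir/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = v3_san
prompt             = no

[dn]
CN = $dns_name

[v3_san]
subjectAltName = @alt_names

[alt_names]
DNS.1 = $dns_name
IP.1  = $ip_addr
EOF

  # Same options as the openssl command in the article, plus the SAN config.
  # -nodes leaves the key unencrypted, so umask keeps it owner-readable only.
  ( umask 077
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
      -keyout "$out_dir/server.key" -out "$out_dir/server.crt" \
      -config "$out_dir/san.cnf" )
}

# cert_has_san <cert_file> <entry>
# <entry> is written as openssl prints it: "DNS:name" or "IP Address:a.b.c.d".
# Returns 0 only if the certificate's SAN extension contains that entry.
cert_has_san() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'X509v3 Subject Alternative Name' \
    | tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -Fxq "$2"
}

# Usage (placeholder values):
#   make_san_cert logstash.example.com 192.0.2.10 ./certs
#   cert_has_san ./certs/server.crt "IP Address:192.0.2.10" && echo "SAN ok"
```

Run cert_has_san with the exact value entered in the VA Host name field before enabling the SSL check box; a missing entry is the mismatch the note above describes.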