Topic
  • 15 replies
  • Latest Post - 2014-11-01T08:36:05Z by sanar
DorSe
18 Posts

Pinned topic Configuration monitoring

‏2013-12-25T10:16:08Z |

Hello,
We want to send notifications about changes in configuration made in DataPower to an SNMP server.
What do you suggest?

BR,
Dor

  • JoeMorganNTST
    427 Posts

    Re: Configuration monitoring

    2013-12-26T18:26:41Z

    Just set up your SNMP settings to add the required event subscriptions.  You're generally looking for the "audit" category, but you can trigger notifications on just about everything.

    You can also create an SNMP Log Target.


  • DorSe
    18 Posts

    Re: Configuration monitoring

    2013-12-26T19:53:55Z

    Hi Joe,
    Thanks for your comment.

    I created a log target with a subscription to audit.
    The log entries I get won't give me any details, and actually I get no information about what happened.

    I want to get one notification per change and not a few for every change made.
    For example, if I set a DNS Static Host on an ethernet interface, I get notifications for every object that exists on that ethernet interface.

    We found out that if we set a log target with a 'cli' subscription, the common is that every command has an exit message at the end, except for deleting objects, and of course if someone is doing changes from the CLI itself.

    The main idea is to get a notification for a change made, find out what was changed and forward it on.

    BR,
    Dor

  • JoeMorganNTST
    427 Posts

    Re: Configuration monitoring

    2013-12-26T19:56:38Z
    In reply to DorSe (2013-12-26T19:53:55Z)

    The audit log will give you that info.  If the logging target doesn't, you may need to come up with some way of off-loading the log.


  • DorSe
    18 Posts

    Re: Configuration monitoring

    2013-12-26T20:20:55Z

    Hi Joe,
    I might be reading the audit log wrong, but I don't see any information about changes made.
    Most of the messages I get are the same, and I get more than one message for each change made.

    Most of the messages look something like this:

    <log-entry serial='838'>
    <date>Thu Dec 26 2013</date>
    <time utc='1388067411249'>09:16:51</time>
    <date-time>2013-12-26T09:16:51</date-time>
    <type>audit</type>
    <class></class>
    <object></object>
    <level num='6'>info</level>
    <transaction-type></transaction-type>
    <transaction>182945</transaction>
    <client>192.168.180.1</client>
    <code>0x82400012</code>
    <file></file>
    <message>(SYSTEM:default:*:192.168.180.1): xmlfirewall &apos;web-mgmt&apos; - Request from 192.168.180.1:64872 to 192.168.180.133:9090 accepted</message>
    </log-entry>
    
    So, if I do get this right, using the audit log won't provide a good solution for what I'm looking for.
    I need a "parse-able" log where I can point configuration changes once for each configuration change.
    
    Updated on 2013-12-26T20:21:17Z at 2013-12-26T20:21:17Z by DorSe
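The entries in the layout posted above carry a <transaction> element, so one way to get a single notification per change is to collapse entries by transaction id before forwarding. The following is an added illustration, not code from the thread or from IBM; it assumes the entries produced by one change share a transaction id, and the sample records are constructed in that layout, not real device output.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the <log-entry> layout posted above (not real device
# output). Entries 839 and 840 share one transaction id, as when a single
# change fans out into several messages. The messages and object names for
# those two entries are placeholders.
SAMPLE_LOG = """<log>
<log-entry serial='838'><date-time>2013-12-26T09:16:51</date-time><type>audit</type>
<level num='6'>info</level><transaction>182945</transaction><client>192.168.180.1</client>
<code>0x82400012</code><message>xmlfirewall 'web-mgmt' - Request from 192.168.180.1:64872 to 192.168.180.133:9090 accepted</message></log-entry>
<log-entry serial='839'><date-time>2013-12-26T09:17:02</date-time><type>audit</type>
<level num='6'>info</level><transaction>182950</transaction><client>192.168.180.1</client>
<code>0x8240001c</code><message>constructed: object 'eth0' modified</message></log-entry>
<log-entry serial='840'><date-time>2013-12-26T09:17:02</date-time><type>audit</type>
<level num='6'>info</level><transaction>182950</transaction><client>192.168.180.1</client>
<code>0x8240001c</code><message>constructed: object 'eth0/dns-static-host' modified</message></log-entry>
</log>"""


def _text(entry, tag):
    """Text of a child element, or '' when absent or empty (the device leaves
    many fields empty, e.g. <class></class>)."""
    return (entry.findtext(tag) or "").strip()


def group_by_transaction(xml_text):
    """Collapse log entries into one record per transaction id, keeping the
    client, first timestamp, and every serial/message that belonged to it.
    Entries with no transaction id are keyed by serial so nothing is dropped."""
    groups = {}
    for entry in ET.fromstring(xml_text).iter("log-entry"):
        key = _text(entry, "transaction") or "serial-" + entry.get("serial", "?")
        rec = groups.setdefault(key, {"client": _text(entry, "client"),
                                      "time": _text(entry, "date-time"),
                                      "serials": [], "messages": []})
        rec["serials"].append(entry.get("serial"))
        rec["messages"].append(_text(entry, "message"))
    return groups


def notifications(xml_text):
    """One summary line per transaction, ready for a syslog or SNMP forwarder."""
    return ["%s txn=%s client=%s entries=%d: %s" % (
                rec["time"], txn, rec["client"], len(rec["serials"]),
                " | ".join(rec["messages"]))
            for txn, rec in group_by_transaction(xml_text).items()]
```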
  • JoeMorganNTST
    427 Posts

    Re: Configuration monitoring

    2013-12-26T20:44:21Z
    In reply to DorSe (2013-12-26T20:20:55Z)

    I just have a program that polls the audit log directly. 

    Try this... add an event code (type it in manually, because I don't think you can select it) "0x8240001c" to the list of events.  Then go to some object, type something in the comment field and save.  Then save the config.  Let me know if that shows up in your log.


  • DorSe
    18 Posts

    Re: Configuration monitoring

    2013-12-26T20:55:46Z

    Shows nothing.

  • JoeMorganNTST
    427 Posts

    Re: Configuration monitoring

    2013-12-26T21:06:54Z
    In reply to DorSe (2013-12-26T20:55:46Z)

    What is your logging level set to in the target?  You may have it set too restrictive... set it to info.


  • DorSe
    18 Posts

    Re: Configuration monitoring

    2013-12-26T21:57:57Z

    Log level is set to debug.
    As you can see in the example I posted before, I do get 'info' level log entries.

  • JoeMorganNTST
    427 Posts

    Re: Configuration monitoring

    2013-12-26T22:01:36Z
    In reply to DorSe (2013-12-26T21:57:57Z)

    Yeah... I'm probably just fishing now... like I said... I have a tool that pulls the audit log off the box... I thought it would be easy...


  • DorSe
    18 Posts

    Re: Configuration monitoring

    2013-12-26T22:06:10Z

    Thank you Joe.
    I'm still working on it and I hope I'll come up with a good idea soon during the weekend.

  • momasa
    35 Posts

    Re: Configuration monitoring

    2013-12-27T07:52:36Z
    In reply to DorSe (2013-12-26T22:06:10Z)

    Hello,
    we had a similar requirement and solved it (with some difficulties) in the following manner.
    First of all, the "native" DP audit functionality doesn't fit the requirement at all. I didn't get a complete list of what is captured and what is not from an IBM support request, but I got the statement that only "very critical changes" will be audited.
    So we set up a SYSLOG log target with these event categories (based on support information):
    audit - information
    auth - debug
    cert-monitor - debug
    cli - debug
    file - debug
    user - debug
    And yes you are right this produces much more than one line of information of what was changed. But we live with that and it's up to the SYSLOG system to generate some appropriate notifications.
    Be aware of some pitfalls if you want to log file manipulation (copy, delete, change whether from SOMA or from Admin-GUI).
    You have to enable "Auditing" and "Logging" for local file monitoring for every desired domain (in default domain > Application Domain > your domain > section "local: File Monitoring")
    There is one more thing you have to pay attention to if you copy files by SOMA requests and you would like to log this.

    If your CLI request doesn't contain the domain, i.e., the domain is specified only in the path, this copy will NOT be logged.

    Won't be logged:
    <dp:request xmlns:dp="http://www.datapower.com/schemas/management">
       <dp:set-file name="local://MyDomain/MyFile.txt">TmV3IGZpbGUgdGVzdA==</dp:set-file>
    </dp:request>

    Will be logged:
    <dp:request domain="MyDomain" xmlns:dp="http://www.datapower.com/schemas/management">
       <dp:set-file name="local:///MyFile.txt">TmV3IGZpbGUgdGVzdA==</dp:set-file>
    </dp:request>

    An RFE was opened for this issue (status Planned for Future Release).

    And the very last: Of course you have to do some thoughts on the reliability of all this, depending on your purpose. Somebody could switch off some of the above settings and do some changes on the system (so you could see at least the switch off). Or somebody could interrupt or manipulate the SYSLOG communication (so perhaps signing the entries could be a topic).

    Greetings
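A pre-flight check for the SOMA pitfall described in the post above, added here as an illustration (not code from the thread or from IBM): it flags dp:set-file writes whose domain appears only in the path, and rewrites such a request into the form the post says is logged. The two requests are the ones quoted above; the check rests solely on that reported behaviour, and the regular expression and function names are my own.

```python
import re
import xml.etree.ElementTree as ET

DP_NS = "http://www.datapower.com/schemas/management"
ET.register_namespace("dp", DP_NS)
SET_FILE = "{%s}set-file" % DP_NS

# The two requests quoted above: domain only in the path (reported as not
# logged) versus a domain attribute on dp:request (reported as logged).
UNLOGGED_REQUEST = """<dp:request xmlns:dp="%s">
   <dp:set-file name="local://MyDomain/MyFile.txt">TmV3IGZpbGUgdGVzdA==</dp:set-file>
</dp:request>""" % DP_NS
LOGGED_REQUEST = """<dp:request domain="MyDomain" xmlns:dp="%s">
   <dp:set-file name="local:///MyFile.txt">TmV3IGZpbGUgdGVzdA==</dp:set-file>
</dp:request>""" % DP_NS

# local://MyDomain/MyFile.txt carries a domain in the authority part;
# local:///MyFile.txt has an empty authority and therefore does not match.
PATH_WITH_DOMAIN = re.compile(r"^(?P<scheme>[a-z]+)://(?P<domain>[^/]+)/(?P<path>.*)$")


def unlogged_file_writes(request_xml):
    """Names written by dp:set-file elements that, per the post above, the file
    event category misses: no domain attribute on dp:request, domain only in the path."""
    root = ET.fromstring(request_xml)
    if root.tag != "{%s}request" % DP_NS or root.get("domain"):
        return []
    return [el.get("name") for el in root.iter(SET_FILE)
            if PATH_WITH_DOMAIN.match(el.get("name", ""))]


def move_domain_to_attribute(request_xml):
    """Rewrite into the logged form: put the domain on dp:request and strip it
    from each dp:set-file path. Refuses a request whose paths name several domains."""
    root = ET.fromstring(request_xml)
    domains = set()
    for el in root.iter(SET_FILE):
        m = PATH_WITH_DOMAIN.match(el.get("name", ""))
        if m:
            domains.add(m.group("domain"))
            el.set("name", "%s:///%s" % (m.group("scheme"), m.group("path")))
    if len(domains) > 1:
        raise ValueError("set-file paths name several domains: %s" % sorted(domains))
    if domains and not root.get("domain"):
        root.set("domain", domains.pop())
    return ET.tostring(root, encoding="unicode")
```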

  • sanar
    4 Posts

    Re: Configuration monitoring

    2014-10-27T10:36:02Z
    In reply to momasa (2013-12-27T07:52:36Z)

    Hi,

    We have a similar kind of request to redirect audit logs to an external server using syslog. I configured the syslog target to receive the audit logs on an external server. I subscribed to the event categories below:

    audit - information
    auth - debug
    cert-monitor - debug
    cli - debug
    file - debug
    user - debug

    and I don't receive any logs on my external server. So does it support remote audit logging to a syslog server?

    Would appreciate a response ASAP.

    Best Regards,

    Updated on 2014-10-27T10:56:56Z at 2014-10-27T10:56:56Z by sanar
  • kenhygh
    1620 Posts

    Re: Configuration monitoring

    2014-10-27T12:57:22Z
    In reply to sanar (2014-10-27T10:36:02Z)

    Yes.

    Turn your log target to all/debug, send some transactions through, make sure your syslog server gets the messages. If not, you have something else wrong.

  • sanar
    4 Posts

    Re: Configuration monitoring

    2014-10-27T13:31:41Z
    In reply to kenhygh (2014-10-27T12:57:22Z)


    Hi,

    Thanks for the quick response. I am interested in only audit logs, and now I got a confirmation from IBM that the audit logs are not accessible that way by design:

    "you can subscribe to the audit events but the contents (audit log) won't be sent out to the syslog server"


  • sanar
    4 Posts

    Re: Configuration monitoring

    2014-11-01T08:36:05Z
    In reply to sanar (2014-10-27T13:31:41Z)

    I configured my log target subscribed to audit/info and it is logging to my remote sys log server.