Management vaults
A Management Vault stores statistics data a device collects locally. The statistics that are collected to populate the graphs within the Manager Web Interface are important to identify long-term trends in system performance and planning.
The Management Vaults is also used to store Access Logs. It enables the Access Log to be stored indefinitely whereas the number of Access Logs saved on an Accessor device is limited based on OS disk size. By default, Access Logs are copied to the Management Vault. It is recommend that this setting not be changed for Accessor devices that host Protected Vaults.
Within 60 minutes of the current Access Log being rotated, it is uploaded to the Management Vault. When the Management Vault is configured initially, the backlog of rotated Access Logs is uploaded slowly into the Management Vault. It is expected to take a number of hours to complete.
The Access logs can be queried from the Management Vault by using the Cloud Storage Object API. If the system is in container mode, these requests must be executed through the Service API. The access logs are stored at <device_uuid>/accessLogs/. The <device_uuid> can be located in configureDevice.adm of the appropriate device. The individual Access Logs are named access.log-YYYY-MM-DDTHHMMSSMMM.gz. The time stamp indicates the time that this Access Log was rotated.
A log file that is named access.log-2014-12-08T182701330.gz was from 08 December 2014 at 18:27:01.330.
Notification logs are also stored in the management vault. If configured through the Manager UI/REST API, time-based rotation and upload to the management vault is in sync with the Access Log. Time-based rotation can be overridden using advanced configuration. See Notification log specification for more details.
In releases prior to ClevOS 3.10.0, management vaults are optional. In a new installation of ClevOs 3.10.0 or newer, management vaults are enabled and set to automatic configuration at installation. If you are upgrading to 3.10.0 or newer from a previous version of ClevOS, the system preserves the management vault settings (enabled or disabled) of the previous release.
If you plan to enable Vault Protection on the system, you must enable a Management Vault with the automatic configuration. You must also enable the backup of HTTP access logs to the Management Vault.
You can configure Management Vaults on the Settings tab, by navigating to , where you can make the following settings:
- Enable or disable the ability to configure Management Vaults in the system.
- Choose between automatic and manual management configuration. Note: Automatic configuration is recommended. If you plan to enable Vault Protection on the system, you must choose automatic configuration.
The Device Management Vault Configuration displays storage pools what contain devices.
- System configuration
- Backup of HTTP access logs.Note: Backup of access logs option must be selected to enable Vault Protection.Note: If Redact client information is selected, an "access log redaction time" must also be provided in the associated input field. The unit of the input is days. Any non-negative integer is valid up to 36500 (days). Rotated HTTP access logs in management vaults will not be redacted until at least "access log redaction" days have passed after the log was rotated. When Redact client information is enabled, a button to the Redaction Status Report displays.Note: An access log rotation period must be set if redaction is enabled.
- Remove client IP addresses. If Backup HTTP access logs is selected, Redact client IP addresses can also be selected.
- Back up of platform shell audit logs
- Backup of device statistics
When automatic configuration is selected, the Manager application performs the following items:
- Creates a single Management Vault for each storage pool in the system that has a vault.
- Updates the Management Vault of all Slicestor® devices in a storage pool to the vault created in that pool.
- Assigns Accesser® devices to a Management Vault.
- Assigns Manager device to the Management Vault with the least number of devices.
Automatic configuration follows these rules:
- New Slicestor devices are not assigned a Management Vault.
- New Accesser devices are not assigned a Management Vault until they are deployed to a vault. At that point, the Management Vault on that pool is assigned.
- New Management Vaults are created on a storage pool when the first vault on that pool is created. The Management Vault that is created has the same configuration (width, threshold, secure slice, and so on) as the new vault on the pool.
- A storage pool with Management Vaults can be deleted if the pool contains Management Vaults.
- Management Vaults cannot be created, edited, or deleted. Management Vaults for a device cannot be assigned or removed manually. Management vault's read, write, alert threshold and tags are the only editable.
The name and description for the Management Vault is generated automatically. The name is in the format csinternal-mgmt-poolName with a description of "Stores backups of internal statistic data".
Manual configuration has different restrictions:
- Management Vaults must be manually created/edited/deleted and assigned to devices.
- Management Vaults are created through the API or the /configureManagementVault page in the Manager Web Interface.
- Device management vaults can be managed by using a new Device Management Vault Configuration form.
At any time, a user can disable management vaults in the Manager. It does not delete any pre-existing Management Vaults but prevents any new data from being written to them.
- Management vaults cannot be deleted if they is associated with a Manager device.
- Management vaults cannot be disassociated from a Manager device.
- Management vaults' names cannot be edited if they are associated with a Manager device.