Eyeglass How to setup Local and Remote Logging

Eyeglass Isilon Remote Logging Service Tech Note



Overview


The Remote Logging Service feature pushes the contents of the Eyeglass appliance /var/log/messages log, which holds the messages received from managed devices, to 3rd party log consumers such as VMware Log Insight and Splunk, using a customized logging feature on the appliance.


Once configured, as soon as the appliance receives a syslog message it tags the incoming message based on the device type, adding the device name and serial number to each log message locally, and then forwards the message over UDP on port 514 to the configured 3rd party log consumers.


This allows dashboards and analysis in logging tools to be built on the serial number, device name and inventory data collected from the device and logged.


The Eyeglass log includes information from various data sources collected from DR status data and written to syslog locally on Eyeglass.  For example, inventory information, alarms, events, custom Eyeglass events and failed tasks are all tagged with the managed device they relate to and sent to syslog.


This gives logging analysis tools much more information about the device than typical syslog-only events, and makes it possible to build rules that trigger on data status log messages, for example "DR not Ready on Access zone name xxxx".


The architecture of the solution is shown below







localhost messages


The Eyeglass appliance syslog is configured to process messages from the appliance host OS.  This includes messages from the Security Core Agent.  The following selected entries from the Eyeglass Security Core Agent main.log file are exposed to syslog:

> System alarms generated by DR monitoring


The logs from the Security Core Agent are sent to syslog already prefixed with <name>_<unique identifier> for the related device.  In the /var/log/messages file they additionally appear prefixed with “localhost”.





Viewing logs from Eyeglass UI

Eyeglass Log View

In addition to 3rd party log consumers, the Eyeglass UI provides a window to fetch a copy of, or view in real time, the following logs:

/opt/superna/sca/logs/main.log

/var/log/messages



3rd Party Logging Service

From the Eyeglass UI a shortcut to the provisioned 3rd party log consumers is provided.


Required Licenses

Logging Service requires the following licenses to be loaded:



Without this license, syslog on the Eyeglass will not be configured to forward messages to 3rd party log services.



System Settings



Logs


Since native syslog is being used to manage the log forwarding, the native syslog log files should be used for troubleshooting.  The log can be viewed from the Eyeglass UI.


syslog Administration


Requires root login to the appliance


check syslog process : systemctl status syslog

start syslog process : systemctl start syslog

stop syslog process : systemctl stop syslog



Setup Eyeglass remote logging manually for log Analysis


1- Login to Eyeglass

To access Log View, single click on the Log View icon on the Eyeglass desktop, or on the bottom left of the page select the Logging option.


2- The Logging window should open. Click on the Remote Logging Services option, then

Add Remote Log Consumer

Fill in the required connection parameters and select the log consumer type you wish to use. The default port is 514; replace it with the port number required.


When done, single click on Submit. The Remote Log Consumer you just added will be displayed in the Remote Logging Services interface.


3- ssh to Eyeglass as admin and sudo su root, then cd /etc/syslog-ng and edit the syslog-ng.conf file

4- Open it using an editor (for example, vim) and find the destination logserver statement

5- Edit the IP address for the server, using the same REMOTE LOG CONSUMER IP that you added in the Eyeglass UI

6- Remove the # from both lines, as in the file example below


Notes:

  • Make sure to enable the statement by removing the comment marker, the # character at the beginning of the line.

  • Defect Number (3037): Remote Logging Services will not work directly after adding the IP address of the server. You need to manually configure the syslog-ng.conf file as above, save the configuration and then restart syslog; the remote server should then start receiving syslog packets.


7- Save and close the file.

8- Restart syslog after changing the configuration in syslog-ng.conf, using the command systemctl restart syslog-ng

9- After editing the configuration in syslog-ng.conf, the remote server should start receiving syslog packets from Eyeglass once the configuration on the server side is in place.
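The syslog-ng.conf edit from the steps above (set the remote log consumer IP in the destination logserver line and uncomment both forwarding lines), as an added shell example that is not part of the Eyeglass tech note. It assumes the commented-out defaults look like the constructed sample embedded in the script, and uses 192.0.2.50 as a sample IP in place of the real remote log consumer.

```shell
#!/bin/sh
# Added example, not from the Eyeglass tech note: applies the syslog-ng.conf
# edit from the procedure above to a copy of the file. It assumes the
# commented-out defaults look like the constructed sample at the bottom;
# compare with the real file on the appliance before using it there.

# configure_logserver <conf-file> <remote-log-consumer-ip>
# Uncomments the "destination logserver" line and the "log" statement that
# sends to it, then puts the given IP into the udp("...") destination.
configure_logserver() {
    conf="$1"
    ip="$2"
    sed -i -E \
        -e 's/^#[[:space:]]*(destination logserver)/\1/' \
        -e 's/^#[[:space:]]*(log .*destination\(logserver\))/\1/' \
        "$conf"
    sed -i -E "/^destination logserver/ s/udp\(\"[^\"]*\"/udp(\"${ip}\"/" "$conf"
}

# active_logserver_lines <conf-file>
# Prints how many uncommented lines reference logserver. Both the destination
# and the log statement must be active (2); with only one, nothing is forwarded,
# which is the situation described under Defect Number (3037).
active_logserver_lines() {
    grep -c -E '^(destination|log) .*logserver' "$1" || true
}

# Constructed sample file with the two forwarding lines still commented out
# (the source name "src" is an assumption about the appliance file).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
source src { internal(); unix-dgram("/dev/log"); };
#destination logserver { udp("10.10.10.10" port(514)); };
#log { source(src); destination(logserver); };
EOF

configure_logserver "$SAMPLE" "192.0.2.50"
echo "active logserver lines: $(active_logserver_lines "$SAMPLE")"
# On the appliance the change only takes effect after: systemctl restart syslog-ng
# Note that udp() sends the messages in cleartext with no delivery acknowledgement.
```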





Note: On your server, make sure that the port you are using for remote logging is available and not blocked, for example by a firewall.

If you used the default port 514 you can check whether it is active with:

(in Windows) cmd ---> netstat -an | findstr 514 ---> to check if 514 is open (on Linux, use netstat -an | grep 514)
