1. op5 Logserver Extension 3.7.1
Contents
1. During upgrade Forever will be converted to 999 months which is the maximum limit Enable fulltext index In some environments full text indexing of log messages is not really a good thing For example if you have a lot of log messages from a firewall that contains a lot of non words binary data dumps and such Log messages like that can hog your CPU and affect the responsiveness of the op5 LogServer system If you turn off the full text index queries using full text syntax will still work but a bit slower The monitor host Here you can define the hostname of your op5 monitor server that will be used in the links in the host field in the search result Use Monitor 5 6 Check this check box to have the links in the host field in the search result pointing to the new Ninja Gui instead of the old 4 x version Host information page If you like to have an custom URL instead of the standard URL to Monitor for the link in the host field in the search result you can define it here You still need to define the hostname in the text field The monitor host This can be any URL and to have the hostname added to the URL just use a host like in this example index php host host Import filter You can import already exported filters here Just click on Browse to choose the file Then click on Import to import the filters Every imported filter will be set as global with default permissions Export filters Choose the filters you l2. About op5 LogServer stores the logged data in three different locations e A local database for normal web access of latest data e Compressed archive for longer term storage on local filesystem e Compressed archive on remote file server for storage up to many years only limited by the amount of disk space available We recommend that you use op5 Monitor to check the available disk space on all disks used to store log data so that you receive an alert if disk space is insufficient The picture below shows how the settings page looks like Each option will be described in the next sections Change setlings E Raak dulaburse alo a Local warem pa E Pap arhin in eel storage a Remote slorage path Gy Heep archive ln remote sorage Enable folic ken E eneak hui E akna 12 PaT equi aro el ml wpe 12 mon EN nnd A AE a Nee irformirdos 530 titanes pps burra hoz Se Cancel Ej mpo fiers Dopage Ingat a Csm Tore Asaable Bers Beloriod Tra ENL ANSE mado woe am F amp F aao meh ka Meet wri inalkrotien Cono ditiir an TS Worley dere Le raat Tuma HTAA Ti mrii misi Espal Table of Content e About e Storage Settings e Database Storage e Local Storage e Remote storage Enable fulltext index The monitor host Use Monitor 5 6 Host information page Import filter e Export filters e Users and Groups e User Managemen t Storage Settings Database Storage How long you wish to keep da
3. Local Storage for more information Remote Storage The remote storage has the same information as the local storage but it is meant for saving data over a longer period of time Normally this is located on a file server where it is also should be backed up The data on the remote storage is deleted after a configured amount of time see chapter Remote storage for more information The Syslog Protocol and implementations About Syslog was originally written by Eric Allman as a part of his application sendmail but turned out to be so useful that it was turned into a project of it s own in the 1980 s Syslog is not only a protocol but it also refers to various syslog implementations such as the local syslog daemon that takes care of local logging on any UNIX compatible computer In 2001 RFC 3164 was published as an effort to unify syslog implementations Table of Content e About e Usage Usage On UNIX most applications send their logs to the syslog process running on the same machine This process then either stores the messages locally in var log or sends them to a syslog server for central storage All logging machines send their log data using TCP IP to port 514 n the reciving logserver Typically syslog uses UDP but modern implementations such as op5 LogServer also support TCP Most log servers simply store this data in text files and retrieving historical data is a manual procedure and often impossible unlike op5 LogSe
4. daemons may log only using the mail facility and you will find most log on failures in the auth facility This field is part of the syslog specification Host The name of the logging host Source IP Displays the IP address of the logging host Ident This is normally the name of the logging application PID This is a unique Process ID for the application sending the logs Event ID This is only used by Windows hosts it is the Event ID field from Windows Event Log Message This is the actual log message This is the field that is the least well defined You may want to use this to exclude any messages that clutter your search results Full text Use these fields to specify search criteria that should be applied to all fields Save your search query The basic concept for using op5 LogServer is a search filter Similar to any database search EA Stray 1 Br aoe Ser rss T Ties To ao ue Zik gi ee ee ee me E a T Fill out a number of criteria in the Search area or use the Query Builder Decide if you want to make the filter Global for everyone or Local for yourself Type a name for the filter in the Save this search area Click Save The saved filter will be based on the one selected in Search among Search using a saved filter To be able to extend your search you can us an existing filter saved search query e Select the filter you want to search within e Enter your search criteria You can use a
5. is a statistics solution for graphing your IT infrastructure Buy or Try D op5 LogServer is a log server for storing and managing logs from many systems in l Gop5 LogS rver a company IT infrastructure Version 3 6 0 Log in fj op5 LogServer Login Table of Content e About e Logging In Logging In Point your web browser to the server you installed op5 LogServer Extension on and click the icon for op5 LogServer That will take you to the login window 0p5 LogServer Username Password Login To log in fill out your user name and password and click the login button Default user name is admin and password is admin Audit tracking Audit tracking Since version 3 5 of op5 LogServer we have included audit tracking to make sure an administrator can se what the users have been doing The following actions is logged Password and settings changes Logging in and out Creating editing deleting and viewing of auto reports Adding editing deleting and viewing users and groups Creating editing deleting and viewing of summary reports Changing filter permissions Importing logs Creating editing and deleting filters Making filters global private and viewing changing permissions on filters Importing exporting filters Exporting result sets to CSV Everything is logged via syslog so the logs will show up in the GUI Two filters are added to make it easy ti either see or hide the audit messages Filterna
6. ng Syslog ng is the component that receives and stores syslog data If you want to know more about syslog ng havve a look at http www balabit com network security syslog ng Table of Content e Syslog ng e PostgreSQL e Apache Web Server with PHP PostgreSQL In op5 LogServer all data is stored in a PostgreSQL database for a limited amount of time for easy access from the web interface and rotated to disk after a configurable amount of time Apache Web Server with PHP The web interface is written in PHP and served by an Apache web server op5 LogServer Storage About op5 LogServer has three storage facilities Data is written to all three of these upon being received however it is deleted according to separate settings Table of Content e About e The PostgreSQL database e Local Storage e Remote Storage The PostgreSQL database All messages ar initially stored in the PostgreSQL database This is used as the default source of information for the web interface The data in the PostgreSQL database is deleted after a configured amount of time See chapter Database Storage for more information Local Storage Data is also compressed with bzip and saved to disk for future reference as archived data When you restore archived data it is fetched from the local storage if possible otherwise it is fetched from the remote storage The data in the local storage is deleted after a configured amount of time See chapter
7. the postgresql configuration to a file with larger memory settings Stop PostgreSQL Service replace var lib ogsqi data postgresql cont with opt logserver db contig postgresq conf Start PostgreSQL Service For further information please refer to the PostgreSQL manual http www postgresql org docs 8 3 static index html Table of Content e Advanced DataBase Management
8. 1 OPS LOGSCIVEREXICNSIONS alt A A A ce nh tite AAA dare yh ethane oar A aye waa pee aoe 2 1 LOGSEIhVerINSIQIQUON 2222008 tad IA AS ge ga Nae oka hed Mad tied we ee ae ee oe Rate 2 a Baseni alau aaa ce Mca A AS atten A EIA AA Sap sea dee ened eden ge ah Meer 2 lie WebIntemace sorter da chat Sete tog aac ee Shayne each eed A AA aa anda ah ek ard edd ened ae ee he 3 2d PRUE ACKING et ods ca e cece et Dc E AAA A a 4 122 OG SEIVEGIAGOOINS rta A AAA A AAA E EA oe eee ty 5 REE o A A RE dunes een coeds TE 8 12 A SCUINGS cite EA NA A Rea as eee 15 De NOW REN ae 19 ISL OG OEIVE VVOMMIOW sra pat SII tind OA be Sag Neate a had AS eerie bees A 20 1 4 COnlgunng LOGoeCIVEr Cane aid A Wate ha detente Naa wana dnd dan A eee Nae es 21 TA TORE rEQUPMEN basa A cake ah ara aac tha ng ends ae A den 21 TAZ UNAX AMIGOS zapata ee espa ba Sie AAA ee age Syn AAA wh Sepa Sanaa 22 LAS WINCOWS MACnINSS ata A AA ota Peace AA ER Dua ere ag 23 IO OPS LOG SEIVER TECAMOIOQY veta ti AA AA A A Ai AA E wheat 24 tS Topp LOGSEIVEl COMPONEMIS RA ASA AA AA A REA a 24 T2872 OPS LOJ SENES ODO soom ka Er RAE AA AA a a Sparc Sa aware 24 1 5 3 The Syslog Protocol and implementations 1 AA AA A eke hw EAS E a 25 SUSTO Temote Storage errar IA A A A A A ater wha 25 1 7 Advanced DataBase Management vitrina 26 op5 Logserver Extension 3 7 1 e Preface i Since version 7 0 of op5 Monitor the log server functionality has been integrated into the main product Documen
9. ap Hr as Her A E ETE E ar ye copes val car raaa Fa abo pp Fila E Mam s hk 41 gl ook oe O E Een om ku u nh a ra El Lek Se ee A id e 2 ede ee dl ae Pa Edit To edit a report Click on the tothe right of the auto report or double click on the row in the list Edit the fields you want to change and click on Save Deleting To delete a report Click on the ual to the right of the report Click OK on the popup Send now You can force a send of the selected report by clicking the envelope Summary reports The global and private summary reports is used to e Print graphs over how many logs matches a filter e Display statistics over top 10 hosts found with a filter To be able to add or delete a report your user have to belong to the group Filter administrators To veiw a report your user only have to belong to the Summary viewers group Creating global or private summary report If you wish to create a global or private summary report for instance you might want to view the number of hits for a filter matching incorrect ssh connections you should start by creating the appropriate search filter See section Search Filtersfor information on how to create filters If you have your search filter ready and wish to use it to create a report click Reports in the top menu and click Add new report Summary report global When you create global filers summary reports for the global filter will be creat
10. arch filter ready and wish to us it to create a report click Reports in the top menu and click Add new report Create the appropriate search filter Click Reports in the top menu Fill out the parameters see section Auto report Parameters Auto report Parameters Report name This is the name of the report you are creating Choose a name that is descriptive not only for your own sake but also for your colleagues Sometimes it is a good idea to use your own name as part of the report for future reference Description Brief decription of your report Search filter Choose your search filter from the menu Recipient Type Choose Email if you want the report to be sent via e mail Choose path if you want the report tot be created on a file server You need to mount the file share on your op5 LogServer server in order to have a local path See Using Remote Storage Email Recipients or File Path Enter the email addresses that should receive the report separated with comma or the path in which it should be saved Generating Interval Choose Every hour Every 6 hours Every 12 hours Daily Weekly or Monthly How often the report should be genreated Click Save when you are done filling out the fields and then your report will be created Manage an Auto Report When you have created your report it will show up every time you click Reports in the page top menu i T rie a E ver IA a i h su F Sa m ESTA SEEE AT b
11. chive var log oslogd archive and Insert logs into database Rotate It s a cronjob Runs every hour at xx 30 and put logs from the temporary archive to local and remote archives Runs every hour checks database and local archive for old logs and rotate configured in settings menu Runs every day checks remote archive for old logs and rotate configured in settings menu Configuring LogServer Clients Introduction This chapter covers basic configuration of clients that can be configured to send logs to op5 LogServer Other Equipment Other Equipment Many devices from broadband firewalls for the home to office printers can send their logs to a syslog server Look at the manual for your respective devices for information on how to configure it to send logs to op5 LogServer Table of Content e Other Equipment UNIX Machines About A UNIX machine has built in support for syslog and hence you do not need to install any extra software Table of Content About syslogd syslog ng Sending Text Files to LogServer syslogd On most systems you will find a config file callet etc syslog conf this is where you enter the host name or IP address of your op5 LogServer host If your op5 LogServer host is on IP address 172 16 32 64 and you want to forward all facilities to it append the following to etc syslog conf and restart your syslog daemon 172 16 32 64 Some systems do not understand if this is the cas
12. d in op5 Installation and Configuration Customer Guide where you also find a list of recommended helper utilities for your administrators desktop If you have not received op5 Installation and Configuration Customer Guide please notify op5 Support or download it here http www opb com manuals extras op5_quick_install_ guide pdf Table of Content e About e Installing op5 LogServer Extension e Obtaining tar gz files e Updating e Upgrading Installing op5 LogServer Extension op5 LogServer is delivered as tar gz files to be installed onto op5 Appliance System CentOS 5 or Red Hat Enterprise Linux 5 See http w ww op5 com support for hardware requirements If you install it on op5 Appliance System and have a support agreement the support includes not only op5 LogServer but also op5 Appliance System and hardware support If you use another vendor for your operating system or hardware please contact their support Obtaining tar gz files Download from our download area at op5 com http www op5 com get op5 monitor download using your user name and password If you have not received a user name and password please notify op5 Support When you have downloaded the files copy them onto your op5 server root directory root and then run the following commands cd root tar xvzf op5b logserver tar gz cd logserver install sh This will install op5 LogServer Extension Then you can point your web browser to the machin
13. e and log on to your newly installed op5 LogServer Updating If you run your op5 LogServer on op5 Appliance System you can update all installed packages by logging on to your server via SSH and then type yum update Or just simply log in to the web interface in op5 Portal with your root password that you find on the address of your op5 LogServer installation http logserver ip For alternative ways of updating such as offline updates or other please contact op5 Support or look at the op5 Appliance System documentation To be able to upgrade you must have a valid license If you use Mac OSX or UNIX you can copy files to your server using scp If you use Windows you can use WinSCP You can t update from 2 x to 3 x with yum update but once 3 x is installed you can update your system op5 Support can be reached at support op5 com or at 46 31 7740924 Upgrading If you are going to upgrade from op5 LogServer 2 x you have to do it in the following steps e Upgrade to op5 LogServer 3 0 e Then upgrade to op5 LogServer 3 6 When migrating from op5 LogServer 2 x there will be a migration process during installation updating The following will be migrated by default e Users Passwords e Settings for Archive e Filters To Upgrade your system from a 2 x release you follow the steps in obtain the tar gz file and follow the on screen instructions During the last step on the upgrade the installation ask if you want to convert your a
14. e you have to enter all facilities separatly auth 172 16 32 64 authpriv 172 16 32 64 cron 172 16 32 64 daemon 172 16 32 64 ftp 172 16 32 64 kern 172 16 32 64 lpr 172 16 32 64 mail 172 16 32 64 mark 172 16 32 64 news 172 16 32 64 security 172 16 32 64 syslog 172 16 32 64 user 172 16 32 64 uucp 172 16 32 64 local0 172 16 32 64 local1 172 16 32 64 local2 172 16 32 64 local3 172 16 32 64 local4 172 16 32 64 local5 172 16 32 64 local6 172 16 32 64 local7 172 16 32 64 Note that on some systems notably Solaris the blank between the facility and the reciving host has to be made up of tabs not spaces For details on how to configure syslog conf please refer to the manual man syslog conf syslog ng More and more clients uses syslog ng for sending syslog messages to a loghost If you use syslog ng you can benefit from the stability to use tcp connection instead of the standard udp Sample etc syslog ng syslog ng conf to setup logging to loghost all known message sources source s_all message generated by Syslog NG internal standard Linux log source this is the default place for the syslog function to send logs to unix stream dev log messages from the kernel file proc kmsg log prefix kernel Y destination d_loghost tep 172 16 32 64 port 514 5 Y send everything to loghost log source s_all destination d_lo
15. ed automaticaly However if you delete your contact or upgrade you might have to create one manually dl Manage reports E Global Filter windows evente flltered tast Sana Cancal Summary report private dl Manage reports User Private Filter Save Cancel Choose user that the report should belong to Choose what private filter you like to base the report on Click on Save and your report is created When you have added your report it will take maximum 5 minutes until any graps is created Manage a global or private summary report When you have created your report it will show up every time you click Reports in the page top menu and then Global or Private su mmary reports flap TEA Jel TE m F i am pay oh Fami Jaun AOT ar SE Far hram i KU ag rapes oe bee pe uk i on ein E Deleting To delete a report Click on the La to the right of the report Click OK on the popup Viewing To view a report click on the to the right of the report You will see a view like this Logs per minute Filter windows events filtered de 5 0 oc 4 4 e od f E r al I a i E T a a 17 45 17 56 139 0 18 15 1E 0 19 30 From 2612 01 11 16 36 51 To 2012 01 11 17 36 51 BFilter windows events Tiltered Last 5 5 Awg 7 58 Max 6 4 1 Yaar 1 Month Z Weg 1 Waak 1 Day 12 Hours 1 Hour Top 10 logging hozis Log messages webinar 20 185246 Winds Sth nm adit windows sih 28988 w2k3el 3014 19 163 1 200 32 r
16. g all i TEHA raria Y sandi laan BITHA oc Qo huita EN A wu li ear Tli Lav Fesh 1 Ea T Ely zp 120 3200 Rests of searching using the fitter A Ir bal co Ce Scweniy 2 Facility a Recs Time ASEO You can export the retrived data in CSV format by clicking on The format is a pipe separated list Depending of the user setting see modify view settings Timeline Browsing You can move back and forth in time by using the timeline If you go back in time and lack the data in the database you can easily import it see mport archived data Select date To be able to browse search on a specific day hour you have to select it on the timeline Sa 11 oem Herati Daa H ET 04 8 Ob 06 OF D8 17 00 00 171253 17 DO im 00 e Select the month e Select the date e Select the hour you wish to display from The GUI will now display the X messages matching the search criteria within the given time To change the number or messages displayed see modify view settings Messages are by default searched from the time you selected until the last message in database If you select 2012 01 09 hour 17 you will be able to search on all messages between 17 00 and the last message imported into the database No day limit or unlimited search mod is deprecated this is now the normal behavior Move in time To move in time you click the small arrows they will move in time and display the X previoius following messages matc
17. g cul Rows in database 558319 Date 2012 01 12 1321 Version 36 0 F Pressing the username will popup a Update password dialogue Update password sa Curren pate word New password Repeal new password Saye Cancel Enter your old password Type in your new password Verify your new password by re typing it Group Management As default all new created user can see all log messages To have it the opposite way you should remove the group all from the filter al The you create groups for different level of users and set the permissions on the filters for the groups you created Default Groups op5 LogServer comes with a couple of default groups that can t be deleted Group Description Filter Administrators Create Manage Global filters Create Manage Summary reports Import Administrators Import old logs from archive into DB Report Administrators Create Manage Auto reports No access to Summary reports Settings Administrators Access Change Settings User Administrators Create Manage Users Groups Summary Viewers View Summary reports Add Group FA Users A Lorea To add a new group click on in the top menu Then on the tap aus And press Add new group L S View 2 Reports it Setlings C Users Groups amp Portal 7 Help Showusers Show groups Manage users amp groups foral egr Cure Wane Parra admin Description a Save Cancel Fill in name Description Select and move the users you will assign remove to this gr
18. ge In op5 LogServer we have created a own Query Language to be able to do more complex searches The usage is described below Column Query Descriptor Severity sev severity Facility fac facility Event ID event event_idjeventid Src IP ip Src_ip source_ip sourceip Vey Ve Ident ident a A Host host lt sy Ts PID pid Message msg message El 4 Information about descriptors means contains means starts with means matches regular expression For more info about PostgreSQL Regular Expression see the PostgreSQL Manual Examples msg connection will search for any message including the string connection sev warn info statistics daemon msg Log ident sshd Logs that have severity warn or info and do not contain words statistics or daemon in any field and where field msg does not begin with Log and that were not generated by sshd host 192 168 1 971158 msg root CMD Match host 192 168 1 97 or 158 and messages not starting with root CMD msg UserName x09 alnum S_ S Match msg that contains UserName lt tab gt username and user name does not end with Available fields sev fac event ip ident host pid msg Severities emerg ency alert crit ical err or warn ing notice info debug and user name does not end with Facilities kernel user mail daemon auth syslog lpr news uucp cron authpriv ftp nt
19. ghost Y Sending Text Files to LogServer Some applications do not send their logs to syslog but store them in a file on disk Most applications can be configured to use syslog and changing the configuration of those applications should be your first hand choice Another option is using tail and logger to read the log file and sen appended lines to syslog This command will read var log myapp log and send it to syslog as facility daemon and severity info tail f var log myapp log logger p daemon info You can use a command like the one above for your application and make sure it is executed in reboot on many systems this can be done by placing the command in etc rc local Windows Machines Windows Machines To make a Windows computer send their logs to LogServer you have to download the Windows Syslog Agent from http www op5 com sup port and install it Windows Syslog Agent sends the Windows Event Log content to the IP address of your op5 LogServer and can optionally send plain text log files too for applications that keep their own logs You can find the manual for Windows Syslog Agent here http www op5 com manuals extras op5_SyslogAgent_3 3 5_manual pdf Table of Content e Windows Machines op5 LogServer Technology About This chapter covers the underlying technology that op5 LogServer uses to save data and brief information of the syslog protocol Table of Content op5 Logserver Components Syslog
20. hing the time in the timeline Movw l1 Dec 11 j n 05 06 OF 08 K 16 55 19 16 58 02 T i I 4 15 16 47 18 Import archived data Data is kept in the database only for a limited amount of time so that archived data does not occupy uncompressed disk space and slow down your searches However the archived data is not discarded until after a much longer time It is merely compressed and archived for possible future access When you have started an import it will continue in the background so you can continue to browse your messages un dur ALE TI sapt et T beri 11 eee 11 A 17 19 20 zaz 23 2 25 28 oF 2h 2 3 10 11 12 13 1 Ps y 18 iF 18 186 20 21 2 23 Ihesa Logs are ariba Import hour day month To change the time data is stored in database see Database Storage To look into very old data e Select the date you want to import e Choose hour day month to import Apr 11 May 11 Jun 11 Juli Aug 17 Sep 11 Oct 11 16 17 18 19 21 22 oul 24 25 26 12 00 00 12 02 54 I T l 08 08 10 TT 12 13 14 15 16 17 18 if These Logs are archived Import e day month The import process will start to import the logs that correspond to your selection A status message in the upper left corner of the GUI will display the status of the import E T Vice Ee Reporte iprortit 2011 142 50 12 A red hour number in the timeline indicates that the data is being imported A black hour number in the timeline indicate that the impor
21. ide a Apart 1 The view is divided in two parts e A graph displaying number of filter matches e Atop 10 logging hosts table with number of matches per host You can zoom in on the grap by selecting what timeframe you want to look at by pressing the links under the graph image 1 Year 1 Month 2 Weeks 1 Week 1 Day 12 Hours 1 Hour Search Search To search for a message simply type your search phrase in the search form box and press enter You will then do a search in the full text search index table in the database Both the result table and the timebar are updated when each hour of data are searched through in the database If you want to stop the search just click on Stop just below the search text field A Full text search searches in all fields of the database for words you type in Example search of connect instead of msg connect will be searched in all text fields taking more resources from the server If you want to define a more advanced search query you can use the op5 LogServer query language Table of Content e Search e Query Language e Examples e Query Builder e Search Filters e Search Criteria e Save your search query Search using a saved filter Manage Filters e Delete filter e Edit filter e Global Priva te filters e Auto Refresh e CSV export e Timeline Browsing e Select date e Move in time e Import archived data Search Result e Modify view settings e Columns to display Query Langua
22. ike to export and move them over from Available filters to Selected filters Click on Export to save the XML file containing the filters You can then import them via the Importfilters section in Settings When exporting a filter that depends on an other filter both of them will be exported to make sure dependencies are untouched Both global and private filters can be exported and no permission settings will be included Users and Groups To access Users and Groups you have to be logged on as a user with admin privileges If you have user administrator privileges you will A Users amp Groups see a link called Users and Groups in the main menu at the top User Management Add user debi A A To add a new user click on Ser LG oo Hrs ppi 2 Manage users amp uupa rakke popa Curren groure p tan Ig Filo wip aa kasal hori hukni Reval bani huka El Heder E inp adria nia Earra vires Ue winni eka B rca mic nk E marma E pani pa el o Lila al bles A A are am Ea Fill in Username Real Name Email Password Repeat Password Select the group s you want the user to belong to Select the default filter to be used for the user And press Save Edit User To edit a user click on Fa Delete User To delete a user click on and answer OK on the popup Changing password as user When logged in to the op5 LogServer you will see your username and a logout button in the top right corner Welcome mood Lo
23. me Description audit Shows all audit messages useful for admins all except audit Shows everyting except for audit messages This is useful as a base for other filters so that users don t see audit messages Table of Content e Audit tracking LogServer Reports About The reports section of op5 LogServer has to main functions Auto reports Does scheduled searches and sends them to a list of user via e mail or save them in a folder on your file server Summary reports Gives you top 10 hosts based on hits for each filter you have access to and create graphs message per minute from global private filters Do e ee eee TR al kenapa apa it owe Pies palo pp F ie y iru a Few y Easier y Tee kee a Ted iT Table of Content e About e Auto Reports e Creating auto reports e Auto report Parameters e Manage an Auto Report e Summary reports e Creating global or private summary report Manage a global or private summary report Auto Reports Creating auto reports If you wish to create an Auto report for instance you might want a log of failed password login attempts sent to you weekly you should start by creating the appropriate search filter See section Search Filters for information on how to create filters Buus reper Ea Gota UT Peal Prolog re po i Manage reporte a Japri Mark 17 haz inn E Sarh Fer l E Accel Topo Erai Gy red A E E ians erel Evry hmr z Ermm Cana If you have your se
24. n kr DA mi AAA ae a AAA TLA pee ee eee pee A era hi He His Oer nm Me ee eee Y Pe OPP ee ee A PPLA i ea eee A FL B L hkl nk AE E A AS CES ET A EE A AAA SR EE A L A E Pan E i A a ehai a deb iia EPA LR EA a Hipmi CE ea nal S000 Th ee ee seman er d pair bm aarahi bri rroa Mr am Tiy emr wh H Leen Mer mlh ESA kirma TEET ma r Akl iik He Bh PENA Mam eS ee a T LEB RES Tbs SE ande PLL ES AS ES This is the first page you get to when you log in The page is divided into 3 sections e Search e Timeline Browsing e Search Result When you click on View you will see the 75 last received messages as default This can be changed as displayed in section Modify view settings LogServer Workflow About This chapter describes how op5 LogServer is designed and how it transports received log data internally Table of Content e About e Workflow e Connector e Rotate Workflow Workflow of op5 LogServer Unix syslogs gt syslog ng Windows syslogs Spool to disk Marflog o slogd spac Error var logfosiagd error Connector daemon Temporary Archive Nar log oslogd archive Rotate Cronjab Local Archive fopt logserver archive wf Remote Archive Connector It s a Daemon op5 logserver loader Runs two times minute Read logs from spool directory var log oslogd spool If they contain illegal char move to Error var log oslogd error and stop Move logs to temporary ar
25. oup And press Save Edit group To edit a group click on s or double click on the row for the group A Maragur A cep fal iia ro rmp me Tmn mnhm i Pei al i i bib r umbea Lh TE ee ee ee A A A irrar ee vier Ges hri cle sa ieee cere hir cinder ra Fis odd et be all ee ee en ee a lai e feign shire wher SS AT a A A erm ih EE TEL a Pa lhe i h wer A eee a ra lll 0 m LE r T iii JLRS a bein Mmm Srm Se es er A La To delete a group click on E and answer OK on the popup View View Aral L lee PaaS See Ses O a feeds D Eras lbr Fam ri Tapt ghee ura laag dilu bak mg amp A mg Does mi bari aw ROEI IDR Boe seg BPL LAT Laer bs Q Rote o cree ee Heey rie he l Do Ea A oe nn s Pee iv Cece Thre ln p Dri D are i ri PAS E ES L FLET ha an A a et AL ha oF Doe Sl Be tot TIE ba eme SUT Sa Ss ae ot a fu oe EL E E A A a inh T JD Ci bid TIE Sa I N C ie de A AR AA A DN LEAN ri ina IDE RE FEST ewe rR Ps kim p ae ne eae fea rer u ml ee nehe oe rr mi Ta ee Pd SS F T A da FA r dr m Y AS TA Sra pal 7 nM ST Lu Mn ET Ar al see Te a HT N n 1 2 Oo H G amp G rn Dimi a E a H z f Hen s PE y me Hale 1 LH EE Hite E alan Pi ah AA ci po e LL O road eed oe a m m a ipri Tr YTTI pii E T mmea hl de p da rpi PANT y ce m dn rh E piar da s u da all ai l ELY ma dada cd la a Momar A A ET AAA A A E T Lm RETIE TIA TM ATE AE rd keer TiM ee eee ra a
26. oup you can view how your filter looks like and also change assign permission to filters A iW W Manag permizsiore ee a li PRALE A i RAN nAAL A iri T 2d IAY P aT F A C Iek atira A E m Sicilia A a 5 iy j kga iadi braker tagi i anini rake re A AN A AA A dl arabes wal wal a Aa A A h Pe 4 r Ga G no ae Global filter To make a filter Global you mark it under My filters and press the ll button Available Users Groups Users Groups you can grant permission to use the selected filter Current Users Groups Users Groups that have permission to use the selected filter Making a filter global will also make all its parent filters global too When you create manage a filter you need to decide which users should be able to use it Default is none If you want the filter to be visible for all users us the All group My filters To make a filter My filters private you mark it under Global and press the Since it s a private filter no permissions can be applied Making a filter private will make all its child filters private as well Private filters are private filter administrators can t view your private filters Auto Refresh By clicking on the Down arrow on the Search now button will allow you to set a refresh period of the page You can set it between 30 and 300 seconds The Auto refresh works like the UNIX program tail showing the last x messages To cancel a refresh setting click on cancel Soproh amon
27. p logaudit logalert clock2 local to local7 mark Query Builder We have also created a Query builder function to make it easy for users to build their custom filters The Query Builder is bidirectional since op5 LogServer 3 3 meaning that it will expand your filter s criteria to the correct boxes when selecting a filter You can only get OR function in Query Builder Enclose your text with quotes Example User Name monitoruser Press the E located under the Search area to get a drop down with options y Sera ri y Fag iliby SvTiergency kerrel A aert m user ribucal rra il rro darman aang La auti lica Al slog Aa rlz i a Hiast Soros IP Ident Pini Event 10 Message Pull te ct To select more than one Severity or Facility press and hold the Ctrl key and click to select additional items Enter the criteria you want to include in the search Enter the criteria you want to exclude from the search Regular expressions are not allowed in Query Builder Search Filters Search Criteria When you create a search filter you have several criteria to choose from Some of these apply only to Windows and some only to UNIX Severity Most UNIX daemons log their messages with more than one severity depending on the message your database server might send a notice message or a critical message or any of the other available messages Facility This is the category of data For instance Your mail server
28. rchive to the new format this will take a lot of time if you have a large archive You can always start the convert process after the installation is done by executing opt logserver migrate2to3 convert sh lt src_dir gt lt dest_dir gt e lt src_dir gt the location of your 2 x logs e lt dest_dir gt the local or remote archive location 4 lol af Keep in mind that remote storage Forever will be converted to 999 months Web Interface About Most operations you perform on your op5 LogServer is done from the web interface including configuration The web interface is intuitive and you will find a clickable question mark near many options where you can find context related help If you need information about a specific option you should look at context related help popups If you need information about how to solve a specific task this manual is the right place to look Gop5 Start Configure System License Information About Support op5 com ya Welcome to op5 Portal This is the start page on your op5 system Here you can reach all op5 products that you currently have installed You can also configure the basic settings on you system If you have any question please contact our support we value your input The op5 team op5 Monitor is a highly flexible monitoring system for IT infrastructure op5 Monitor is based on the widely known open source monitoring system Nagios Buy or Try E op5 Statistics
29. rver where you have an easy to use grapichal interface with easy import from archives sendmail was the de facto standard email server for two decades RFC for syslog available at http tools ietf org html ric3 164 Using remote storage Introduction op5 LogServer and it s underlying operating system op5 Appliance System gives you a variety of options to attach external storage This chapter will cover two of the possibilities for remote storage Windows fileserver and NFS Table of Content e Introduction e Using Remote Storage e Mounting a Windows Fileserver e Mounting an NFS share Using Remote Storage When you use remote storage you have to create a folder and use it as a mount point by defining it in the file etc fstab LABEL ext3 data writeback noatime 1 1 LABEL boot boot ext3 data writeback noatime 1 2 devpts dev pts devpts gid 5 mode 620 0 0 tmpfs dev shm tmpfs defaults 0 0 proc proc proc defaults 0 0 sysfs sys sysfs defaults 0 0 tmpfs tmp tmpfs nodev nosuid noatime 0 0 LABEL SWAP sda5 swap swap defaults 0 OU Normally everthing in etc fstab is mounted on system startup lf you want to mount everything after editing you can issue the command mount a and if you want to check what is currently mounted you can issue the command df and mount using the commands mount and umount Mounting a Windows Fileserver Add a line to etc fstab where the first column the device is the Windows pa
30. simple full text search the query language or the query builder e Press Search now The search will now use the criteria in the Filter and the criteria you typed in the Search field Since the filters are organized in a hierarchical data model a tree like structure you can create multiple filters in multiple levels based on the same parent filter Filters created from filters will become dependent on the filter out of which they were created Manage Filters The user management in op5 LogServer supports making filters Global or Private My filters and assigning special permissions to the filters Search among All Global filters My filters Ge All eA eT CPS IFS Failed Login ai demo 12 a demo wam emerg l all except audit audit Delete filter To delete a filter select it from the droodown menu and press the button If you want to remove a filter that has other filters based on it you must first delete the sub filters Otherwise the sub filters are left unusable Edit filter To view edit the search criteria of an existing filter select it from the filter dropdown menu and press the edit icon h Search among Al nowindows A x 2 host windows sth You can now edit the search criteria directly in the search box or by using the Query builder A user can t edit Global filters unless they are member of the Filter administrators group Global Private filters If you are member of Filter administrators gr
31. t is done The date will become gray indicating that you have logs on that date The import can take alot of time depending of the amount of logs in your archive Search Result Modify view settings You can change display settings these settings will be reseted when logging out Number of rows returned E Results of searching using the filter All EX 10 Severity Facility ReevTi ELA 5 info authprie 2012 41 75 1439 57 0 inio Lear 2017 01 100 111351 10 250 inl user zo12 07 500 13 29 51 0 1000 inke auth 2012 01 17 133349 2012 01 11 13 37 10 556 Click on EXA Select the number of rows you want to be displayed EventID In the search result there is a column called EventID If the log row contains a MS Windows Event the eventid is displayed as a link directly to www eventids net If you click on the link you will be sent to the page for the eventid in the log row Event ID a Ci D E ESTA wel Columns to display To hide unhide columns on the page E Results of searching using lhe filler All E EXA e e Sevenby Severty Facllty Recv Time Facility v Ae Tire inta aulhors 2012 41 71 1 a Misa Tine U ima Ua 2042 04 11 1 Eveni 10 51 0 lt Sm IF infa ii ear 2012 01 14 2a Ident ci oo lt Host irta Aih 2012 01 11 13 FID 910 53 2 Mirage infa auih 2012 01 11 13 3543 2012 07 11 12 37 10 520 Click on Check Uncheck the field s you want to hide unhide Settings
32. ta in the database the Rotate database After setting depends on how much data you log Most organisations are happy with the default setting of 5 days but if you log very much data you may need to store it for a shorter amount of time regarding performance and disk space used Old values will be converted if you upgrade Local Storage The Local Storage Path is a setting you normally do not need to touch unless you wish to save it on another storage unit The Keep archave in local storage setting with its default of 5 days regulates for how long the data will be stored in the local filesystem on the op5 LogServer machine After this period of time data will be stored only on the remote file server still accessible but the access will be slower The issue is disk space you would normally want to save data for as long as possible without filling up the local hard disk Keep in mind that since the amount of logged data per day often increases over time you need a lot of free disk space for the future Old values will be converted if you upgrade Remote storage You should mount a remote file server in the file system on your LogServer machine You can read more about this in Using Remote Storage When you have done so set the Remote Storage Path to the mount point you can use opt logserver remote or any other path you choose If you wish to impose a time limit on the remote storage with the setting Keep Archive in Remote Storage
33. tation for the built in syslog functionality can be found in the User manual and in the Administrator manual Preface Modern organisations have higher demands to secure their IT environment than just a few years ago for many reasons e They store credit card information e Because of legislation e Because of demands on public service organizations e Securing high quality towards your customers This makes op5 LogServer Extension an increasingly important part of many organisations IT systems Virtually every modern computer application logs what happens and you can not know in advance which information will be important or not The syslog protocol an important part of the op5 LogServer architecture provides a business standard for how to transfer data op5 LogServer is unique in it s design and flexibility for storing large volumes of data and accessing archived data is very easy It is our hope that your organisation will benefit from using op5 LogServer on many levels and that this manual will answer your questionsquickly and to the point If you have any queries about this manual please send these to support op5 com or call 46 31 774 09 24 LogServer Installation Basic installation About If you have bought an op5 hardware appliance you should install op5 Appliance System on it Installation of op5 Appliance System any op5 Hardware and basic configuration of the system such as IP address and SMTP relay server is covere
34. th for the share you want to mount using forward slashes instead of backslashes The second column should be a path that exists where you want to mount it If you would like to mount it on var remotearchive you can create the folder by issuing the command mkdir p var remotearchive The third column should say cifs and the fourth fifth and sixth should be defaults O and O respectively 192 168 0 3 logs opt logserver remote cifs defaults 0 0 Mounting an NFS share If you have a UNIX environment it is quite common to have NFS shares published from the file server using etc exports and then mounted on one or several client systems This chapter only describes NFS since it is the most common file server system but if you are using a more advanced file server system such as AFS or Coda you can mount these just as on any other Linux system Add a line to etc fstab where the first column is the NFS server followed by a and the path on the file server Let the second column be an existing path where you want the NFS share to be mounted for this example var remotearchive Let the third column be nodev nosuid and the forth and fifth columns both be 0 192 168 0 3 exports logs opt logserver remote nis nodev nosuid 0 0 Advanced DataBase Management Advanced DataBase Management The original postgresq l conf file is tuned to run on low RAM machines lt 3Gb RAM If you have a server with more than 3GB of RAM you should change
Download Pdf Manuals
Related Search