Working with Status and Logs
The Status and Logs screen allows you to access system monitor information, examine top memory and CPU usage, and view appliance logs. You can access it from the CLI Manager main screen. This screen shows the hostname to which you are connected, and it allows you to view and manage your audit logs.
The following figure shows the Status and Logs screen.
In addition to the existing logs, the following security events are also logged:
- Changes to the appliance's own LDAP directory when users are added or removed.
- sudo commands issued from the shell.
- Failed login attempts from SSH or the Web UI.
- All shell commands (a PCI DSS requirement).
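The following Python script is added here as an example and is not part of the appliance or Protegrity's own code. It shows how the log classes listed above can be triaged once the logs have been exported from the appliance: it counts failed SSH and Web UI logins per source address and flags sudo commands that touch account or audit state. The sshd and sudo line formats are the standard OpenSSH and sudo syslog formats; the `webui:` line format, the hostname, the addresses and every sample line are constructed for illustration.

```python
"""Added example: triage the security-log classes the page lists (failed
SSH and Web UI logins, sudo use) from syslog-style lines. Illustrative
code, not Protegrity's own. The sshd and sudo formats follow standard
OpenSSH/sudo syslog output; the 'webui:' format is an assumption."""
import re
from collections import Counter

# Constructed sample lines (not captured from a real appliance).
SAMPLE_LOG = """\
Mar 12 10:01:02 esa01 sshd[2101]: Failed password for invalid user admin from 10.0.0.45 port 51022 ssh2
Mar 12 10:01:05 esa01 sshd[2101]: Failed password for invalid user admin from 10.0.0.45 port 51023 ssh2
Mar 12 10:01:09 esa01 sshd[2103]: Failed password for root from 10.0.0.45 port 51024 ssh2
Mar 12 10:02:11 esa01 sshd[2110]: Accepted password for local_admin from 10.0.0.7 port 50211 ssh2
Mar 12 10:02:30 esa01 sudo: local_admin : TTY=pts/0 ; PWD=/home/local_admin ; USER=root ; COMMAND=/bin/cat /etc/shadow
Mar 12 10:03:02 esa01 webui: Failed login for user 'viewer' from 10.0.0.45
Mar 12 10:03:40 esa01 sudo: local_admin : TTY=pts/0 ; PWD=/home/local_admin ; USER=root ; COMMAND=/usr/sbin/auditctl -e 0
Mar 12 10:04:00 esa01 sudo: local_admin : TTY=pts/0 ; PWD=/home/local_admin ; USER=root ; COMMAND=/bin/ls /var/log
"""

SSH_FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)")
WEBUI_FAILED = re.compile(r"webui: Failed login for user '([^']+)' from (\S+)")  # assumed format
SUDO_CMD = re.compile(r"sudo:\s+(\S+) : .*?USER=(\S+) ; COMMAND=(.*)$")

# sudo targets that change audit or account state and deserve a closer look
SENSITIVE_SUDO = ("auditctl", "/etc/shadow", "/etc/passwd", "useradd", "userdel", "usermod")


def parse_events(text):
    """Return a list of (kind, user, detail) tuples; detail is the source
    address for failed logins and the command line for sudo use."""
    events = []
    for line in text.splitlines():
        m = SSH_FAILED.search(line) or WEBUI_FAILED.search(line)
        if m:
            events.append(("failed_login", m.group(1), m.group(2)))
            continue
        m = SUDO_CMD.search(line)
        if m:
            events.append(("sudo", m.group(1), m.group(3)))
    return events


def failed_logins_by_source(events, threshold=3):
    """Map source address -> failed-login count, keeping only sources at or
    above the threshold (a simple brute-force indicator across SSH and Web UI)."""
    counts = Counter(detail for kind, _, detail in events if kind == "failed_login")
    return {src: n for src, n in counts.items() if n >= threshold}


def sensitive_sudo_commands(events):
    """Return (user, command) pairs for sudo commands touching sensitive targets."""
    return [(user, cmd) for kind, user, cmd in events
            if kind == "sudo" and any(s in cmd for s in SENSITIVE_SUDO)]


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    print(failed_logins_by_source(evts))
    for user, cmd in sensitive_sudo_commands(evts):
        print(f"sensitive sudo by {user}: {cmd}")
```

Counting failed logins across both SSH and the Web UI per source address is deliberate: an attacker who is locked out of one interface often moves to the other, and a per-interface count would miss the combined picture. The `auditctl -e 0` line is the one to watch most closely, since it disables auditing and removes the trail for whatever follows.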
1 - Monitoring System Statistics
Using System Monitor, you can view the following system statistics:
- CPU usage
- RAM usage
- Disk space free and in use
- Whether additional hard disks are required, and so on
To view the system information, log in to the CLI Manager and navigate to Status and Logs > System Monitor.
2 - Viewing the Top Processes
Using Top Processes, you can examine, in real time, the processes that are consuming the most memory or CPU.
To view the top processes, log in to the CLI Manager and navigate to Status and Logs > Top Processes.
3 - Working with System Statistics (SYSSTAT)
The System Statistics (SYSSTAT) package monitors system resources and their performance on Linux/UNIX systems. It contains utilities that collect system information, report CPU statistics, report input/output statistics, and so on, and it provides extensive and detailed data on all activity in your system.
The SYSSTAT contains the following utilities for analyzing your system:
- sar
- iostat
- mpstat
- pidstat
- nfsiostat
- cifsiostat
These utilities collect, report, and save system activity information. Using the reports generated, you can check the performance of your system.
The SYSSTAT tool is available when you install the appliance.
On the Web UI, navigate to System > Task Scheduler to view the SYSSTAT tasks. You must run the following tasks to collect the system information:
- Sysstat Activity Report to collect information at short intervals
- Sysstat Activity Summary to collect information at a specific time daily
The following figure displays the SYSSTAT tasks on the Web UI.
The logs are stored in the /var/logs/sysstat directory.
The tasks are disabled by default. You must enable the tasks from the Task Scheduler for collecting the system information.
4 - Auditing Service
The Linux Auditing System is a utility that monitors events occurring on a system. It is integrated with the kernel so that it can watch system operations. The events to be monitored are added as rules, and each rule defines the extent to which the event is tracked. When an event matching a rule is triggered, a detailed audit log record is generated. Based on these records, you can track violations on the system and improve security measures to prevent them.
In Protegrity appliances, the auditing tool is implemented to track certain events that can pose a security threat. The Audit Service is installed and running in the appliance for this purpose. On the Web UI, navigate to System > Services to view the status of the service. The Audit Service checks for the following events:
- Update timezone
- Update AppArmor profiles
- Manage OS users and their passwords
If any of these events occur, a low-severity log entry is generated and stored in the logs. The logs are available in the /var/log/audit/audit.log file. The records generated by the auditing tool contain detailed information about the modifications triggered by the events listed in the audit rules. This is what distinguishes an ordinary log entry from an audit record generated by the auditing tool for monitoring potential risks to the appliance.
For example, consider a scenario where an OS user is added to the appliance. If the Audit Service is stopped, the logs do not show the details of the user addition and contain only entries such as those illustrated in the following figure.
If the Audit Service is running, the same event triggers a detailed audit log describing the user addition. The logs are illustrated in the following figure.
As illustrated in the figure, the following are some of the audit record types generated for the event:
- USER_CHAUTHTOK: A user's authentication token (password) was modified.
- EOE: End of a multiple-record event.
- PATH: Records a file path name passed to a system call.
Thus, based on the value of the type field, a potential threat to the system can be identified and monitored.
For more information about the audit types, refer to the following link:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-audit_record_types
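The following Python script is added here as an example; it is not Protegrity's Audit Service and does not reproduce the appliance's rule set, which this page does not publish. It shows the mechanics the text describes: raw records in audit.log are grouped into events by their msg=audit(timestamp:serial) identifier, a multi-record event runs from its SYSCALL record to its EOE record, and the PATH records name the files that were actually touched. The auditctl watch rules for the three event classes (timezone, AppArmor profiles, OS users and passwords), the hostname, the account name and the audit.log excerpt are all constructed assumptions for the example.

```python
"""Added example: group raw auditd records from audit.log into events and
pick out the record types the page describes (USER_CHAUTHTOK, PATH, EOE).
Illustrative code, not Protegrity's Audit Service. The watch rules and the
audit.log excerpt are constructed; the appliance's real rules are not
published on the page."""
import re
from collections import defaultdict

# Assumed auditctl watch rules for the three event classes the page lists
# (timezone, AppArmor profiles, OS users and passwords). Illustrative only.
ASSUMED_RULES = [
    "-w /etc/localtime -p wa -k timezone",
    "-w /etc/apparmor.d/ -p wa -k apparmor",
    "-w /etc/passwd -p wa -k os_users",
    "-w /etc/shadow -p wa -k os_users",
    "-w /etc/group -p wa -k os_users",
]
WATCH_KEYS = {rule.split("-k ")[1] for rule in ASSUMED_RULES}

# Constructed audit.log excerpt (not captured from a real appliance): a
# password change, the resulting write to /etc/shadow, and an unrelated event.
SAMPLE_AUDIT_LOG = """\
type=USER_CHAUTHTOK msg=audit(1700000000.101:501): pid=4021 uid=0 auid=1000 ses=3 msg='op=PAM:chauthtok grantors=pam_unix acct="alice" exe="/usr/bin/passwd" hostname=esa01 addr=? terminal=pts/0 res=success'
type=SYSCALL msg=audit(1700000000.102:502): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=5600a6b7d1c0 a2=80241 a3=1b6 items=2 ppid=3990 pid=4021 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="passwd" exe="/usr/bin/passwd" key="os_users"
type=CWD msg=audit(1700000000.102:502): cwd="/home/local_admin"
type=PATH msg=audit(1700000000.102:502): item=0 name="/etc/" inode=2 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1700000000.102:502): item=1 name="/etc/shadow" inode=1312 dev=fd:00 mode=0100640 ouid=0 ogid=42 rdev=00:00 nametype=NORMAL
type=PROCTITLE msg=audit(1700000000.102:502): proctitle=706173737764
type=EOE msg=audit(1700000000.102:502):
type=SERVICE_STOP msg=audit(1700000000.200:503): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=cron comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
"""

RECORD = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
INNER_MSG = re.compile(r"msg='(.*)'$")          # unwrap the quoted msg='...' payload
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_records(text):
    """Return {serial: [(record_type, fields), ...]} with records grouped
    into events; one event may span SYSCALL, CWD, PATH, PROCTITLE and EOE."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = RECORD.match(line)
        if not m:
            continue
        rtype, ts, serial, rest = m.groups()
        rest = INNER_MSG.sub(r"\1", rest)
        fields = {k: v.strip('"') for k, v in KV.findall(rest)}
        fields["_ts"] = ts
        events[int(serial)].append((rtype, fields))
    return dict(events)


def event_types(events, serial):
    """Record types of one event, in log order."""
    return [rtype for rtype, _ in events[serial]]


def watched_file_writes(events):
    """(serial, key, path) for events whose SYSCALL carries one of our watch
    keys; the PATH records with nametype=NORMAL name the files actually hit."""
    hits = []
    for serial, records in sorted(events.items()):
        key = next((f.get("key") for t, f in records
                    if t == "SYSCALL" and f.get("key") in WATCH_KEYS), None)
        if key is None:
            continue
        hits.extend((serial, key, f["name"]) for t, f in records
                    if t == "PATH" and f.get("nametype") == "NORMAL")
    return hits


def account_changes(events):
    """(serial, op, account, result) for USER_CHAUTHTOK records."""
    return [(serial, f.get("op"), f.get("acct"), f.get("res"))
            for serial, records in sorted(events.items())
            for t, f in records if t == "USER_CHAUTHTOK"]


if __name__ == "__main__":
    evts = parse_records(SAMPLE_AUDIT_LOG)
    for serial in sorted(evts):
        print(serial, event_types(evts, serial))
    print(account_changes(evts))
    print(watched_file_writes(evts))
```

The key in the SYSCALL record is what ties a write back to the rule that caught it, so an investigator can see at once that /etc/shadow was modified under the os_users watch rather than having to recognise the inode. The same grouping logic works on a live /var/log/audit/audit.log, and ausearch -k os_users gives the equivalent view from the command line.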
On the Web UI, an Audit Service Watchdog scheduled task is added to ensure that the Audit Service is running. This task is executed once every hour.
Caution: It is recommended to keep the Audit Service running for security purposes.
5 - Viewing Appliance Logs
Using Appliance Logs, you can view all logs that are gathered by the appliance.
To view the appliance logs, log in to the CLI Manager and navigate to Status and Logs > Appliance Logs.
These logs are listed in the following table. A ✓ in the ESA or DSG column indicates that the log is available on that appliance.
Table: Appliance Logs
| Logs | Log Types | Description | ESA | DSG |
|---|---|---|---|---|
| System Event Logs | Syslog | All appliance logs. | ✓ | ✓ |
| | Installation | Installation logs contain all of the information gathered during the installation procedure. These logs include all errors during installation and information on all the processes, resources, and settings used for installation. | ✓ | ✓ |
| | Patches | Patches installed on the appliance. | ✓ | ✓ |
| | Patch_SASL | Proxy Authentication (SASL) related logs. | | |
| | Authentication | Authentication logs, such as user logins. | ✓ | ✓ |
| | Web Services | Logs generated by the Web Services modules. | ✓ | ✓ |
| | Web Management | Logs generated by the Appliance Web UI engine. | ✓ | ✓ |
| | Current Event | Current event logs contain all the operations performed on the appliance. They gather information from the different services and appliance components. | ✓ | ✓ |
| | Kernel | System kernel logs. | ✓ | ✓ |
| | Web Services Server | Web Services Apache logs. | ✓ | ✓ |
| | Patch_Logging | Logging server related logs, such as the logging server installation log. | ✓ | ✓ |
| Web Services Engine | Web Services HTTP-Server logs | Appliance Web UI related logs. | ✓ | ✓ |
| Service Dispatcher | Access Logs | Service Dispatcher access logs. | ✓ | ✓ |
| | Server Logs | Service Dispatcher server logs. | ✓ | ✓ |
| Logging | Startup | ESA logging and reporting mechanism specific logs. | ✓ | |
| | WatchDog | | ✓ | |
| | Database Access Layer | | ✓ | |
| | Database Engine | | ✓ | |
| PEP Server | | Logs received from the PEP Server located on the FPV and DSG. | | ✓ |
| Cluster Logs | Export Import Cluster | | | ✓ |
| DSG Patch Installation | Cluster | Logs all operations performed during installation of the DSG patch. | | ✓ |
You can delete the desired logs using the Purge button and view them in real-time using the Real-Time View button. When you finish viewing the logs, press Done to exit.
6 - Viewing User Notifications
All the messages that are displayed when you log in to either the Web UI or the CLI Manager can also be viewed here.
To view the user notifications, log in to the CLI Manager and navigate to Status and Logs > User Notifications.