
Working with Status and Logs

The Status and Logs screen allows you to access system monitor information, examine top memory and CPU usage, and view appliance logs. You can access it from the CLI Manager main screen. This screen shows the hostname to which you are connected, and it allows you to view and manage your audit logs.

The following figure shows the Status and Logs screen.

Status and Logs Screen

In addition to the existing logs, the following security logs are also generated:

  • Changes to the appliance's own LDAP when users are added or removed.
  • sudo commands issued from the shell.
  • Failed login attempts over SSH or from the Web UI.
  • All shell commands (a PCI-DSS requirement).

1 - Monitoring System Statistics

Using System Monitor, you can view the following system statistics:

  • CPU usage
  • RAM usage
  • Disk space free or in use
  • Whether more hard disks are required, and so on

To view the system information, log in to the CLI Manager and navigate to Status and Logs > System Monitor.

System Monitor Screen

2 - Viewing the Top Processes

Using Top Processes, you can examine in real time which processes are consuming the most memory or CPU.

To view the top processes, log in to the CLI Manager and navigate to Status and Logs > Top Processes.

Top Processes Memory/CPU Screen

3 - Working with System Statistics (SYSSTAT)

System Statistics (SYSSTAT) is a tool for monitoring system resources and their performance on Linux/UNIX systems. It contains utilities that collect system information, report CPU statistics, report input/output statistics, and so on. The SYSSTAT tool provides extensive and detailed data on all activity in your system.

SYSSTAT contains the following utilities for analyzing your system:

  • sar
  • iostat
  • mpstat
  • pidstat
  • nfsiostat
  • cifsiostat

These utilities collect, report, and save system activity information. Using the reports generated, you can check the performance of your system.

The SYSSTAT tool is available when you install the appliance.

On the Web UI, navigate to System > Task Scheduler to view the SYSSTAT tasks. You must run the following tasks to collect the system information:

  • Sysstat Activity Report to collect information at short intervals
  • Sysstat Activity Summary to collect information at a specific time daily

The following figure displays the SYSSTAT tasks on the Web UI.

SYSSTAT Task Scheduler

The logs are stored in the /var/logs/sysstat directory.

The tasks are disabled by default. You must enable them from the Task Scheduler to collect the system information.

4 - Auditing Service

The Linux Auditing System is a utility that allows you to monitor events occurring on a system. It is integrated with the kernel to watch system operations. The events to be monitored are added as rules, which also define the extent to which each event is tracked. When an event is triggered, a detailed audit log is generated. Based on this log, you can track violations on the system and improve security measures to prevent them.

In Protegrity appliances, the auditing tool is implemented to track certain events that can pose a security threat. The Audit Service is installed and running in the appliance for this purpose. On the Web UI, navigate to System > Services to view the status of the service. The Audit Service checks for the following events:

  • Update timezone
  • Update AppArmor profiles
  • Manage OS users and their passwords

If any of these events occurs, a low-severity log is generated and stored. The logs are available in the /var/log/audit/audit.log file. The logs generated by the auditing tool contain detailed information about the modifications triggered by the events listed in the audit rules. This distinguishes a simple log from an audit log generated by the auditing tool for monitoring potential risks to the appliance.

For example, consider a scenario where an OS user is added to the appliance. If the Audit Service is stopped, the details of the user addition are not displayed, and the logs contain only entries such as those illustrated in the following figure.

Logs

If the Audit Service is running, the same event triggers a detailed audit log describing the user addition, as illustrated in the following figure.

Audit Logs with Auditing Service

As illustrated in the figure, the following are some of the audit record types triggered for the event:

  • USER_CHAUTHTOK: A user attribute was modified.
  • EOE: End of a multiple-record event.
  • PATH: A file path name was recorded.

Thus, based on the value of the type attribute, potential threats to the system can be monitored.
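As an added example (not part of the Protegrity documentation), the following Python script shows how audit.log records sharing a serial number are tied together into one event ending in EOE, and how the type attribute and PATH records can be scanned for OS-user and credential changes. The record layout, the watch lists of types and files, and the sample log lines are assumptions constructed for this illustration.

```python
import re
from collections import defaultdict

# One audit.log record per line: "type=<TYPE> msg=audit(<epoch>:<serial>): k=v ..."
RECORD_RE = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
# key=value pairs; a value may be bare, "double-quoted" or 'single-quoted'
FIELD_RE = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\S+)")

# Assumed watch list: record types for account/credential changes (USER_CHAUTHTOK is
# named on the page; the others are standard audit types) and identity files.
WATCHED_TYPES = {"USER_CHAUTHTOK", "ADD_USER", "DEL_USER", "USER_MGMT"}
WATCHED_PATHS = {"/etc/passwd", "/etc/shadow", "/etc/group"}

# Constructed sample excerpt of /var/log/audit/audit.log (not from a real appliance):
# a password change, a useradd writing /etc/passwd (SYSCALL + PATH + EOE), a service start.
SAMPLE_LOG = """\
type=USER_CHAUTHTOK msg=audit(1700000000.101:201): pid=4321 uid=0 auid=1000 ses=3 msg='op=change password id=1001 exe="/usr/bin/passwd" hostname=? addr=? terminal=pts/0 res=success'
type=SYSCALL msg=audit(1700000000.202:202): arch=c000003e syscall=82 success=yes exit=0 pid=4400 auid=1000 uid=0 comm="useradd" exe="/usr/sbin/useradd" key="identity"
type=PATH msg=audit(1700000000.202:202): item=0 name="/etc/passwd" inode=131 dev=fd:00 mode=0100644 ouid=0 ogid=0 nametype=CREATE
type=EOE msg=audit(1700000000.202:202):
type=SERVICE_START msg=audit(1700000000.303:203): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=cron comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
"""

def parse_audit_log(text):
    """Group records by serial: {serial: {"ts": epoch, "records": [(type, fields), ...]}}.
    Records sharing a serial belong to one event; EOE marks the end of such an event."""
    events = defaultdict(lambda: {"ts": None, "records": []})
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue                         # skip blank or malformed lines
        rtype, ts, serial, rest = m.groups()
        fields = {k: v.strip("'\"") for k, v in FIELD_RE.findall(rest)}
        ev = events[int(serial)]
        ev["ts"] = ts
        ev["records"].append((rtype, fields))
    return dict(events)

def flag_identity_events(events):
    """Return [(serial, reason)] for events whose type or touched path is on the watch list."""
    flagged = []
    for serial, ev in sorted(events.items()):
        for rtype, fields in ev["records"]:
            if rtype in WATCHED_TYPES:
                flagged.append((serial, rtype))
            elif rtype == "PATH" and fields.get("name") in WATCHED_PATHS:
                flagged.append((serial, "PATH " + fields["name"]))
    return flagged
```

Running flag_identity_events(parse_audit_log(SAMPLE_LOG)) surfaces the password change (event 201) and the write to /etc/passwd (event 202) while ignoring the unrelated service start.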

For more information about the audit types, refer to the following link:

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-audit_record_types

On the Web UI, an Audit Service Watchdog scheduled task is added to ensure that the Audit Service is running. This task runs once every hour.

Caution: It is recommended to keep the Audit Service running for security purposes.

5 - Viewing Appliance Logs

Using Appliance Logs, you can view all logs that are gathered by the appliance.

To view the appliance logs, log in to the CLI Manager and navigate to Status and Logs > Appliance Logs.

These logs are listed in the following table:

Table: Appliance Logs

Logs | Log Type | Description
System Event Logs | Syslog | All appliance logs.
System Event Logs | Installation | Installation logs contain all of the information gathered during the installation procedure. These logs include all errors during installation and information on all the processes, resources, and settings used for installation.
System Event Logs | Patches | Patches installed on the appliance.
System Event Logs | Patch_SASL | Proxy Authentication (SASL) related logs.
System Event Logs | Authentication | Authentication logs, such as user logins.
System Event Logs | Web Services | Logs generated by the Web Services modules.
System Event Logs | Web Management | Logs generated by the Appliance Web UI engine.
System Event Logs | Current Event | Current event logs contain all the operations performed on the appliance. They gather all information from the different services and appliance components.
System Event Logs | Kernel | System kernel logs.
System Event Logs | Web Services Server | Web Services Apache logs.
System Event Logs | Patch_Logging | Logging server related logs, such as the logging server installation log, and so on.
System Event Logs | Web Services Engine | Web Services HTTP-Server logs; Appliance Web UI related logs.
Service Dispatcher | Access Logs | Service Dispatcher access logs.
Service Dispatcher | Server Logs | Service Dispatcher server logs.
Logging | Startup | ESA logging and reporting mechanism specific logs.
Logging | WatchDog |
Logging | Database Access Layer |
Logging | Database Engine |
Logging | PEP Server | Logs received from the PEP Server located on the FPV and DSG.
Cluster Logs | Export Import | Cluster
Cluster Logs | DSG Patch Installation | Cluster; logs all operations performed during installation of the DSG patch.

You can delete the desired logs using the Purge button and view them in real-time using the Real-Time View button. When you finish viewing the logs, press Done to exit.

6 - Viewing User Notifications

All the messages that are displayed when you log in to either the Web UI or the CLI Manager can also be viewed here.

To view the user notifications, log in to the CLI Manager and navigate to Status and Logs > User Notifications.

Messages for User