Monitoring Log Management and Alerting
1 / 24
Monitoring Log Management and Alerting
Services Description
February 2009
Contents
Monitoring Log Management and Alerting  1
1. Centralized Management  3
1.1. Centralized management  3
1.2. Multi-Tenant Architecture  5
2. SLA Management  7
2.1. Health and Performance monitoring  7
2.2. Graphical Real Time Monitoring Console: Mapview  9
2.3. Custom KPI monitoring  12
3. Log Management and Alerting  15
3.1. Log Management  15
3.2. Email Alerting  18
3.3. Detailed Reports  22
1. Centralized Management
1.1. Centralized management
The UBIqube MSActivator™ is a powerful but very easy-to-use solution for provisioning,
management and monitoring, designed for the quick and cost-effective delivery of security
services on multi-vendor CPE devices (routers, firewalls, UTMs) deployed in multisite networks.
The MSActivator™ profile-based rule definitions allow administrators to manage IPsec VPN,
firewall, IPS and content filtering policies on groups of devices (please refer to the portfolio
for more details on the managed services).
The MSActivator™ unified WEB portal centralizes the provisioning, management and
monitoring of the devices and services. All the events sent (syslog or SNMP) by the
managed or monitored devices are collected, classified and analyzed centrally. SLA
management statistics, security dashboards and detailed reports are available online on the
WEB portal to facilitate troubleshooting throughout the whole lifecycle of the devices and
services.
1.2. Multi-Tenant Architecture
The MSActivator™ unified WEB portal is built on a multi-tenant architecture which supports:
• VSOC (Virtual SOC) definition and customization
• Multiple access levels with role-based access control and delegation profiles
• Per-customer policy management
• Per-VSOC customization of configuration templates (pattern files and PHP APIs)
2. SLA Management
2.1. Health and Performance monitoring
Health and availability of the managed devices are monitored in real time. The key device
metrics monitored are:
• Access Availability
• Network Traffic
• CPU Load
• System Uptime
• VPN Tunnels History
• Network Delays: RTT (Round Trip Time) and TTL (Time To Live)
The MSActivator™ maintains a one-year history, with one-minute granularity, of each
metric.
Statistics can be compared between devices:
2.2. Graphical Real Time Monitoring Console: Mapview
The status of the devices is also available on the graphical real time monitoring console
called the Mapview.
Detailed information on the asset and its statistics is displayed when you click on a device.
In addition to the status of the devices, the Mapview displays the profiles.
The Mapview allows management by graphically attaching or detaching devices to or from
profiles.
Devices and VPNs can be displayed on a Google Map embedded in the Mapview:
2.3. Custom KPI monitoring
In addition to the security profiles, administrators can create monitoring profiles. A
monitoring profile gives the user the ability to define custom SNMP polling and to configure
threshold email alerting and graphical rendering. This allows the monitoring of any KPI
(Key Performance Indicator) exposed as an SNMP OID, such as environmental conditions
(temperature, humidity, etc.).
Monitoring profiles can be easily imported and exported using XML. This API streamlines
the integration of the UBIqube solution with third-party OSS tools or open-source monitoring
tools. Below is an example of an XML file for monitoring packet loss:
<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<MonitoringProfile>
  <comment />
  <name>Packet Loss</name>
  <graphRendererList>
    <dataList>
      <colorAsHexa>008080</colorAsHexa>
      <data>
        <comment>number of input IP datagrams lost</comment>
        <defaultPolling>false</defaultPolling>
        <fileName>ipInDiscards</fileName>
        <id>0</id>
        <maxValue>-1</maxValue>
        <minValue>0</minValue>
        <name>ipInDiscards</name>
        <oid>1.3.6.1.2.1.4.8.0</oid>
        <pollingType>67</pollingType>
        <profileId>108</profileId>
        <threshold>10</threshold>
        <thresholdComparator>71</thresholdComparator>
        <thresholdFrequency>78</thresholdFrequency>
      </data>
      <horizontalLabel>Input</horizontalLabel>
      <rendererId>0</rendererId>
      <snmpPollingId>0</snmpPollingId>
    </dataList>
    <dataList>
      <colorAsHexa>ff6600</colorAsHexa>
      <data>
        <comment>number of output IP datagrams lost</comment>
        <defaultPolling>false</defaultPolling>
        <fileName>ipOutDiscards</fileName>
        <id>1</id>
        <maxValue>-1</maxValue>
        <minValue>0</minValue>
        <name>ipOutDiscards</name>
        <oid>1.3.6.1.2.1.4.11.0</oid>
        <pollingType>67</pollingType>
        <profileId>108</profileId>
        <threshold>10</threshold>
        <thresholdComparator>71</thresholdComparator>
        <thresholdFrequency>78</thresholdFrequency>
      </data>
      <horizontalLabel>Output</horizontalLabel>
      <rendererId>0</rendererId>
      <snmpPollingId>1</snmpPollingId>
    </dataList>
    <id>0</id>
    <name>Packet Loss</name>
    <profileId>108</profileId>
    <vertivalLabel>packet loss number</vertivalLabel>
  </graphRendererList>
  <snmpPollingList>
    <comment>number of input IP datagrams lost</comment>
    <defaultPolling>false</defaultPolling>
    <fileName>ipInDiscards</fileName>
    <id>0</id>
    <maxValue>-1</maxValue>
    <minValue>0</minValue>
    <name>ipInDiscards</name>
    <oid>1.3.6.1.2.1.4.8.0</oid>
    <pollingType>67</pollingType>
    <profileId>108</profileId>
    <threshold>10</threshold>
    <thresholdComparator>71</thresholdComparator>
    <thresholdFrequency>68</thresholdFrequency>
  </snmpPollingList>
  <snmpPollingList>
    <comment>number of output IP datagrams lost</comment>
    <defaultPolling>false</defaultPolling>
    <fileName>ipOutDiscards</fileName>
    <id>1</id>
    <maxValue>-1</maxValue>
    <minValue>0</minValue>
    <name>ipOutDiscards</name>
    <oid>1.3.6.1.2.1.4.11.0</oid>
    <pollingType>67</pollingType>
    <profileId>108</profileId>
    <threshold>10</threshold>
    <thresholdComparator>71</thresholdComparator>
    <thresholdFrequency>68</thresholdFrequency>
  </snmpPollingList>
</MonitoringProfile>
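The following is an added example, not UBIqube code: it reads the snmpPollingList entries of a MonitoringProfile export like the one above and checks one-minute samples of the two discard counters against their thresholds. The page does not document the numeric codes (pollingType, thresholdComparator, thresholdFrequency), so the example assumes a threshold is breached when the per-interval increase of the counter exceeds the configured value; the XML is a trimmed copy of the profile above and the readings are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed copy of the page's "Packet Loss" profile (only the
# elements this example needs). ipInDiscards / ipOutDiscards are RFC 1213
# Counter32 objects, so thresholds are applied to per-interval deltas.
PROFILE_XML = """<MonitoringProfile>
  <name>Packet Loss</name>
  <snmpPollingList>
    <name>ipInDiscards</name><oid>1.3.6.1.2.1.4.8.0</oid>
    <threshold>10</threshold>
  </snmpPollingList>
  <snmpPollingList>
    <name>ipOutDiscards</name><oid>1.3.6.1.2.1.4.11.0</oid>
    <threshold>10</threshold>
  </snmpPollingList>
</MonitoringProfile>"""

COUNTER32_WRAP = 2 ** 32


def parse_pollings(xml_text):
    """Return {oid: (name, threshold)} for every snmpPollingList element."""
    root = ET.fromstring(xml_text)
    pollings = {}
    for p in root.findall("snmpPollingList"):
        pollings[p.findtext("oid")] = (p.findtext("name"), int(p.findtext("threshold")))
    return pollings


def counter_delta(previous, current):
    """Counter32 values only increase and wrap at 2^32: a smaller current
    reading means the counter wrapped, not that discards went down."""
    return current - previous if current >= previous else current + COUNTER32_WRAP - previous


def check_samples(pollings, samples):
    """samples: {oid: [successive one-minute readings]} -> list of
    (name, minute, delta) for every interval whose increase exceeds the
    threshold (comparator semantics assumed, see lead-in)."""
    breaches = []
    for oid, readings in samples.items():
        name, threshold = pollings[oid]
        for minute, (prev, cur) in enumerate(zip(readings, readings[1:]), start=1):
            delta = counter_delta(prev, cur)
            if delta > threshold:
                breaches.append((name, minute, delta))
    return breaches


SAMPLES = {  # constructed readings; the last ipOutDiscards step wraps past 2^32
    "1.3.6.1.2.1.4.8.0": [100, 104, 130, 131],
    "1.3.6.1.2.1.4.11.0": [2 ** 32 - 5, 2 ** 32 - 1, 20],
}
```

Running `check_samples(parse_pollings(PROFILE_XML), SAMPLES)` flags minute 2 of ipInDiscards (increase of 26) and minute 2 of ipOutDiscards (increase of 21 across the wrap), while the steps of 4 and 1 stay below the threshold of 10.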
3. Log Management and Alerting
3.1. Log Management
The MSActivator™ centralizes all the events (syslog or SNMP) sent by the managed or
monitored devices. Events are available online via the WEB portal for 30 days. They are
then archived securely using a tamper-proof solution compliant with Sarbanes-Oxley (SOX),
PCI or HIPAA recommendations.
The security dashboards available on the WEB portal provide an event reporting overview
with search capabilities. This multiple-entry table includes, for each event category (IPS,
Firewall, Anti Virus, URL Filtering, Anti Spam, Alerts and logs):
• Site top 5 of the month/week: the 5 most attacked sites, with the number of events
and the associated percentage
• Alert top 5 of the month/week: the 5 most received alerts, with the number of
occurrences and the associated percentage
• Historical performance charts (day, week, month, year)
The log analysis engine computes the security dashboard and provides, for each managed
site, human-readable monthly and weekly summary reports. Logs are displayed using
different colours and icons depending on the severity level.
The summary reports aggregate the events every minute on a per-day basis. Reports can
be filtered per category or severity, and events can be searched by pattern.
Detailed views are available on a per-event basis. This page displays all the events in raw
format.
3.2. Email Alerting
Email alarms can be sent:
• To inform of a link or device outage
• To alert on the reception of a security event flagged as an alarm
• To alert when a threshold is triggered
Email alerts are sent, on a per-site basis, to the site contact email and to the subscriber
contact email, with a copy to the SOC support email address. Each field can contain multiple
email addresses, e.g.: [email protected]; [email protected].
The mail alert service is configurable at the site level, on the second page of the site
creation or modification process:
Proactive continuous (24x7) monitoring and alerting
Health and availability of the managed devices are monitored by the VSOC real time
monitoring console (RTMC).
A reachable device appears in green on the VSOC console. If connectivity is lost, the
device appears in orange for 5 minutes. If reachability is still down after 5 minutes, the
device appears in red and an email alert is automatically sent.
This link or device outage, detected by the SOC, is called the Host Down event. A Host
Up event is generated when the device connectivity is restored, and an informational email
is sent.
Early Warning of threat identification and detection
Email alerts can also be sent upon identification and detection of predefined events. The
VSOC console displays human-readable summary event reports. Actions can be specified
on a per-event, per-site basis: either discard the event because it is a false positive, or
generate an email alert.
Alarms are summarized by date, and the WEB interface provides alarm filtering by category
(Firewall, IPS, Anti Virus, AntiSpam, URL Filtering, log), severity or reference.
As soon as an event with the email alerting flag set is received by the SOC Event Tracker,
a mail is sent. To avoid mail flooding, a maximum of one email alert per day per alert is
sent.
Threshold Alerting
A monitoring profile gives the user the ability to create custom SNMP polling and to
associate it with alerting thresholds and graphical rendering.
Threshold definitions are used to trigger mail alerting to the user. The alert frequency can
be configured per threshold, from once only to once per day, once per hour or even once per
minute.
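The following is an added example, not UBIqube code, that models two mechanisms described in section 3.2: the green/orange/red reachability colouring with its 5-minute grace period and Host Down / Host Up mails, and a per-alert mail throttle covering both the one-mail-per-alert-per-day flood control for flagged security events and the configurable once/day/hour/minute frequency of threshold alerts. Device name, timestamps and the polling timeline are constructed; mails are recorded in a list instead of being sent.

```python
from datetime import datetime, timedelta

# Timings from the page: orange while the outage is shorter than 5 minutes,
# red plus an alert mail once it reaches 5 minutes, informational mail on Host Up.
OUTAGE_GRACE = timedelta(minutes=5)


class AlertThrottle:
    """At most one mail per alert key per interval; interval=None means once only."""
    def __init__(self, interval=timedelta(days=1)):
        self.interval = interval
        self.last_sent = {}

    def should_send(self, key, now):
        last = self.last_sent.get(key)
        if last is not None and (self.interval is None or now - last < self.interval):
            return False
        self.last_sent[key] = now
        return True


class DeviceReachability:
    """Green while reachable, orange for the first 5 minutes of an outage, red after.
    Host Down is raised once per outage when red is reached; Host Up when the device
    answers again after a Host Down. Flaps shorter than the grace period send nothing."""
    def __init__(self, name):
        self.name, self.colour, self.lost_since, self.mails = name, "green", None, []

    def observe(self, now, reachable):
        if reachable:
            if self.colour == "red":
                self.mails.append(f"{now:%H:%M} Host Up {self.name} (informational)")
            self.colour, self.lost_since = "green", None
        else:
            self.lost_since = self.lost_since or now
            if now - self.lost_since >= OUTAGE_GRACE:
                if self.colour != "red":
                    self.mails.append(f"{now:%H:%M} Host Down {self.name} (alert)")
                self.colour = "red"
            else:
                self.colour = "orange"
        return self.colour


def simulate_outage():
    """Constructed one-minute polling timeline: one good poll, six failures, recovery."""
    dev = DeviceReachability("cpe-fw-01")  # hypothetical device name
    t0 = datetime(2009, 2, 1, 8, 0)
    colours = [dev.observe(t0 + timedelta(minutes=i), ok)
               for i, ok in enumerate([True] + [False] * 6 + [True])]
    return colours, dev.mails
```

`simulate_outage()` yields five orange minutes, red at the sixth failed poll with the Host Down mail at 08:06, and the Host Up mail at 08:07; `AlertThrottle(timedelta(hours=1))` is the same throttle configured for the once-per-hour threshold frequency.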
3.3. Detailed Reports
The MSActivator™ console provides detailed reports, in PDF format, for the security events
(Firewall, IDS/IPS, Anti Virus, Anti Spam, URL filtering, proxy) which occurred on a device.
This service (detailed reporting) is optional and can be activated on a per-device basis.
These PDF reports are generated on a daily and monthly basis. The screenshots below give
some examples of the monthly PDF report generated for a UTM device: