HPE SimpliVity

OVC Log to Splunk Server?

 
SOLVED
Go to solution
DavS
Advisor

OVC Log to Splunk Server?

Can OVC logs be forwarded to a Splunk server?

Dave
10 REPLIES 10
scott_svt
Frequent Advisor

Re: OVC Log to Splunk Server?

Hi DavS,

There is no formal doc right now, but sure you can.

I'll stay away from the straight Linux side of things with rsyslog, as I assume you are already familiar with that (I can find some links if you need them). A standard set of logs collection examples are below, but is there some specific part of system operation you want to gather?

vi /etc/rsyslog.d/svt.conf
$ModLoad imfile

# Additional log files to feed to Splunk

# /var/svtfs/0/log/svtfs.log
$InputFileName /var/svtfs/0/log/svtfs.log
$InputFileTag svtfs
$InputFileStateFile svtfs
$InputRunFileMonitor

# /var/svtfs/0/log/hyperproxyserver.log
$InputFileName /var/svtfs/0/log/hyperproxyserver.log
$InputFileTag hyperproxy
$InputFileStateFile hyperproxy
$InputRunFileMonitor

# /var/svtfs/0/log/eventmgr.log
$InputFileName /var/svtfs/0/log/eventmgr.log
$InputFileTag event-manager
$InputFileStateFile event-manager
$InputRunFileMonitor
service rsyslog restart

Thanks,

Scott


Accept or Kudo
DavS
Advisor

Re: OVC Log to Splunk Server?

Scott,

Here are some for our requirements...

Audit Event

Frequency

Authentication Events:
(1) Logons (Successful/Failure)
(2) Logoffs (Success)

Continuous

   

User and Group Management events:

(1) User add, delete, modify, suspend, lock (Success/Failure)

(2) Group/Role add, delete, modify (Success/Failure)

Continuous

 

Use of Privileged/Special Rights events:

(1) Security or audit policy changes (Success/Failure) (2) Configuration changes (Success/Failure)

 

Continuous

Admin or root-level access (Success/Failure)

Continuous

Privilege/Role escalation (Success/Failure)

Continuous

Audit and log data accesses (Success/Failure)

Continuous

System reboot, restart and shutdown (Success/Failure)

Continuous

 

Thank you.

Dave
DavS
Advisor
Solution

Re: OVC Log to Splunk Server?

Some of this should be in the "standard" /var/log log files...

Dave
scott_svt
Frequent Advisor

Re: OVC Log to Splunk Server?

Hi DavS,

OK perfect. It sounds like in this case it is beyond SimpliVity specific system operation (the info I provided) and it has moved towards general Linux auditing. In this case you are free to gather any and all logs dirct from the Linux side of things, and all the usual logging that you collect from other Linux boxes. At this level it is in every way a standard linux distro.

Going in to this in great detail may be outside of a forum chat and may be better placed in Support ticket. If you have any issues with your 'standard' compliance requirements, i'd suggest opening a case so that we address specific issues.

Thanks,

Scott


Accept or Kudo
DavS
Advisor

Re: OVC Log to Splunk Server?

Scott,

Thanks for the information. I should have asked the question a different way. I should have asked if the Ubuntu implementaion in the OVC support standard auditing and credition scans.

Your response, "At this level it is in every way a standard linux distro", answered the question.

Dave

Dave
scott_svt
Frequent Advisor

Re: OVC Log to Splunk Server?

Not a bother Dave!


Accept or Kudo
DavS
Advisor

Re: OVC Log to Splunk Server?

If logging to a syslog server is configured for an OVC, is the configuration persistent after a reboot?

Certain configurations are reset after reboot. For example Splunk can be installed, configured and works well, however, the Splunk agent is removed from the OVC configuration after reboot.

Second question, is there are way to script custom configurations that are persistent after a reboot?

Logging to Splunk is the preferred solution! Is it possible to have the Splunk agent installed and remain persistent over reboots?

Dave
BSDUKJ
Occasional Visitor

Re: OVC Log to Splunk Server?

Did you ever get a reply to this?

I'm looking to do the same thing, not quite splunk but shipping to a syslog server

Sunitha_G
Moderator

Re: OVC Log to Splunk Server?

Hello @BSDUKJ , 

Thank you for posting! Since you have posted in an old topic and there is no response yet, I would recommend you to create a new topic using the create "New Discussion" button.

Thanks,
Sunitha G
I'm an HPE employee.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
Accept or Kudo