CloudPassage Logging and Alerting: Part 2

To actually see the Special Events log entries, from the Portal main menu go to “Servers” and then “Security Events”.  This is one of the places where the “Critical” flag comes into play; from the menu of available groups and the lists of specific servers you immediately get a count of both critical and non-critical events.  Pick a server with one or more events and you’ll see a list of events from that server in reverse time order.  Critical events get a red exclamation point to the left.

Previously — Logging and Alerting – Part 1: Creating Alerts and Logs

A second menu item under Servers, “Security Events History”, allows you to do more detailed searches through _all_ your machines, not just a single machine at a time.  Choose “Filter Results” and you’ll be able to select alerts based on server group, individual server, time range, event type, and criticality.  For example, if I notice a failed Ghostport login attempt, I might want to come back to this screen and search for all Ghostport login failures (select “Event Type”: “Ghostport failure”) to see if this was an isolated incident or could have been an attack on multiple accounts.
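The search described above (filter by group, server, time range, event type and criticality, then check whether a GhostPorts failure was isolated or part of a wider run of attempts) can be done offline against an export of the same events. The following is an added example, not CloudPassage code; the event records are constructed for this example and their field names (`group`, `server`, `type`, `critical`, `user`) are assumptions, since the page does not show an export format.

```python
from datetime import datetime, timedelta

# Constructed sample records shaped after the filter fields the Portal exposes
# (group, server, time, event type, critical flag). The field names and the
# "user" field are assumptions for this example; the real export is not on the page.
SAMPLE_EVENTS = [
    {"time": "2013-05-01T09:00:00Z", "group": "web", "server": "web-01",
     "type": "Ghostport failure", "critical": True, "user": "alice"},
    {"time": "2013-05-01T10:00:05Z", "group": "web", "server": "web-01",
     "type": "Ghostport failure", "critical": True, "user": "alice"},
    {"time": "2013-05-01T10:00:40Z", "group": "web", "server": "web-02",
     "type": "Ghostport failure", "critical": True, "user": "bob"},
    {"time": "2013-05-01T10:01:10Z", "group": "web", "server": "web-01",
     "type": "Ghostport failure", "critical": True, "user": "carol"},
    {"time": "2013-05-01T10:02:00Z", "group": "db", "server": "db-01",
     "type": "File integrity change", "critical": False, "user": None},
    {"time": "2013-05-01T10:30:00Z", "group": "db", "server": "db-01",
     "type": "Ghostport success", "critical": False, "user": "alice"},
]


def parse_time(stamp):
    """Parse the ISO-8601 UTC timestamps used in the sample records."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def filter_events(events, group=None, server=None, event_type=None,
                  critical=None, start=None, end=None):
    """Mirror the 'Filter Results' screen: every argument given must match.

    start/end are ISO timestamps and are inclusive on both ends.
    """
    out = []
    for e in events:
        if group is not None and e["group"] != group:
            continue
        if server is not None and e["server"] != server:
            continue
        if event_type is not None and e["type"] != event_type:
            continue
        if critical is not None and e["critical"] != critical:
            continue
        t = parse_time(e["time"])
        if start is not None and t < parse_time(start):
            continue
        if end is not None and t > parse_time(end):
            continue
        out.append(e)
    return out


def count_by_criticality(events):
    """Return (critical, non_critical) counts, like the per-group summary."""
    critical = sum(1 for e in events if e["critical"])
    return critical, len(events) - critical


def failure_bursts(events, window=timedelta(minutes=10), min_accounts=3):
    """Find windows in which GhostPorts failures hit several distinct accounts.

    A single account failing once is probably a typo; several accounts failing
    inside one short window across any servers is the pattern worth a closer
    look. Returns a list of (window_start, sorted_accounts) for each window
    that reaches min_accounts; overlapping windows may each be reported.
    """
    fails = sorted(
        (e for e in events if e["type"] == "Ghostport failure"),
        key=lambda e: parse_time(e["time"]),
    )
    bursts = []
    for i, first in enumerate(fails):
        t0 = parse_time(first["time"])
        accounts = {e["user"] for e in fails[i:]
                    if parse_time(e["time"]) - t0 <= window}
        if len(accounts) >= min_accounts:
            bursts.append((first["time"], sorted(accounts)))
    return bursts


if __name__ == "__main__":
    # Same investigation as in the text: start from one failure on web-01,
    # then widen to all servers and look for a burst across accounts.
    on_web01 = filter_events(SAMPLE_EVENTS, server="web-01",
                             event_type="Ghostport failure")
    print(len(on_web01), "GhostPorts failures on web-01")
    print(count_by_criticality(SAMPLE_EVENTS))
    for start, accounts in failure_bursts(SAMPLE_EVENTS):
        print("burst starting", start, "accounts:", accounts)
```

The burst check deliberately ignores server boundaries, which is the point of the "Security Events History" view: an attempt spread across several machines looks harmless one server at a time.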

Logs from the Configuration Policies show up under Servers, Configuration Risks.  As above, pick a server and you’ll see its current configuration issues, again with a red exclamation point marking the “Critical” ones.

Just in case you were wondering, firewall logs don’t show up the same way as either logs or alerts.  If you check the “Log” box next to a firewall rule, the log entries for each packet matching that rule are sent to syslog on the local system itself, not to the Portal.

Next — Logging and Alerting – Part 3: Sending Alerts Somewhere Useful