Monitoring Virtual Agents in SCSP Through Syslog Aggregation
Abstract: A short HOW-TO article describing the steps for setting up virtual agents in SCSP 5.2 RU8 MP4 to monitor unsupported platforms via syslog.
Most UNIX-flavored systems allow forwarding of syslog messages to remote systems. This mechanism can be used to monitor the syslog events of remote systems as virtual agent events. The approach is convenient because no syslog files need to be transferred, and it allows the administrator to see log entries as soon as they are forwarded.
The logs from the systems you wish to monitor (systems or platforms not supported by SCSP) should be sent to one or more nodes with the SCSP agent installed, referred to here as an SCSP Collector Node. The SCSP Collector Node acts as an aggregation point for syslog or other information you wish to monitor.
In this article, we’re providing an example of configuring a single SCSP server and a single supported SCSP agent to monitor syslog information aggregated from one or more unsupported systems.
- Using a Linux collector node is only an example. Any SCSP-supported operating system can be used as a collector node.
- Please ensure that the network firewalls allow forwarding of syslog messages from the remote hosts to the collector node.
- You may need to adapt the syslog daemon configuration instructions in this article for both the SCSP collector node and the remote systems in your environment.
The steps given in this article will allow the automatic creation and registration of virtual agents for the unsupported systems being monitored, using the syslog collector.
Summary of Required Steps
- Configure SCSP Management Console to automatically register Virtual Agent
- Update LocalAgent.ini on the designated syslog collector node.
- Configure syslog daemon on the collector node.
- Configure syslog forwarding on the unsupported node(s).
- Create the Virtual Agent syslog policy.
1. Configure SCSP Management Console to automatically register Virtual Agent:
Our first step is to enable the server function that will automatically register new virtual agents. Automatic registration of virtual agents is enabled on the server by performing the following steps in the SCSP console:
a. Go to the Master View by clicking on the appropriate top tab.
b. Select the Admin tab on the left.
c. Under the Admin heading, select System Settings.
d. Select the Agent Settings tab in the System Settings frame.
e. Turn on both checkboxes under Virtual Agents.
f. Click the Save button to save the setting update.
2. Update the LocalAgent.ini on the Collector Node
The local configuration file for the loghost agent needs to be modified so the syslog collector can derive and route virtual agent events. The configuration file to be modified is named LocalAgent.ini and, for a default install, resides in the directory “/opt/Symantec/scspagent/IDS/system”.
To turn on automatic derivation of virtual agents for the syslog collector, open the LocalAgent.ini file in an editor. Find the section with the heading
and modify the line for the setting “Derive Virtual Agents” to turn on this feature. By default, the option is both turned off and commented out, so it’s necessary to remove the comment character from the beginning of the line and then change the value of the setting from ‘0’ to ‘1’:
Save your changes, then restart the IDS service on the agent. For our example Linux system, this can be accomplished using the service command:
3. Configure Syslog Aggregation on the Collector Node
Example using rsyslogd (RHEL 6)
When using rsyslogd(8), it’s necessary to enable reception of syslog messages from remote hosts. Uncomment the lines shown below under “Provides UDP syslog reception” and “Provides TCP syslog reception”.
Then follow by restarting the rsyslog daemon:
Example using syslogd (RHEL 5 or earlier)
Enable remote syslog connections to this agent
Open the /etc/sysconfig/syslog file and add the "-r" option to the SYSLOGD_OPTIONS variable as shown below:
Restart the syslog service:
4. Configuring Syslog Forwarding on the Unsupported System
The next step is to configure the syslog daemon on the unsupported system to forward syslog entries to the loghost.
On our example Linux system, we configure the log forwarding by editing /etc/syslog.conf to add an entry that causes syslogd to send a copy of all messages to our loghost.
Edit the syslog.conf file by adding the line below, substituting the IP address of the loghost:
*.* <Tab><Tab> @<IP address of loghost>
Note: The syslog.conf file uses Tab characters to delimit fields. Refer to the man page for syslogd(8) for details of the file format.
Restart the syslog service:
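The two daemon edits from steps 3 and 4 as shell helpers, added here as an example that is not part of the original article. The rsyslog line names are those of the stock RHEL 6 /etc/rsyslog.conf; the temporary-file handling and function names are this example's own.

```shell
# Added example, not part of the original article: shell helpers for the two
# syslog edits described in steps 3 and 4. Each takes the path of the file
# to edit, so you can run it against a copy before touching /etc.

# Step 3, collector node: uncomment the four reception lines that the stock
# RHEL 6 /etc/rsyslog.conf ships commented out. Reception is then open to
# any sender; rsyslog's $AllowedSender directive can restrict the sources.
enable_rsyslog_reception() {
    conf="$1"
    sed -e 's/^#\$ModLoad imudp$/$ModLoad imudp/' \
        -e 's/^#\$UDPServerRun 514$/$UDPServerRun 514/' \
        -e 's/^#\$ModLoad imtcp$/$ModLoad imtcp/' \
        -e 's/^#\$InputTCPServerRun 514$/$InputTCPServerRun 514/' \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Returns 0 when both the UDP and the TCP listener lines are active.
rsyslog_reception_enabled() {
    grep -q '^\$UDPServerRun 514$' "$1" && grep -q '^\$InputTCPServerRun 514$' "$1"
}

# Step 4, unsupported node: build the forwarding line. syslogd needs Tab
# characters between selector and action, so printf emits them explicitly
# instead of relying on an editor that may convert Tabs to spaces.
make_forward_rule() {
    printf '*.*\t\t@%s\n' "$1"
}

# Returns 0 when the file already forwards everything to the given loghost.
has_forward_rule() {
    tab=$(printf '\t')
    grep -q "^\*\.\*${tab}${tab}*@$2\$" "$1"
}

# Appends the forwarding rule unless one for that loghost is already present.
add_forward_rule() {
    has_forward_rule "$1" "$2" || make_forward_rule "$2" >> "$1"
}

# Stand-alone use: one argument edits an rsyslog.conf on the collector node,
# two arguments (syslog.conf, loghost IP) edit the unsupported node.
if [ $# -eq 1 ]; then
    enable_rsyslog_reception "$1" && rsyslog_reception_enabled "$1" && echo "reception enabled"
elif [ $# -eq 2 ]; then
    add_forward_rule "$1" "$2" && echo "forwarding to $2 configured"
fi
```

Restart the respective daemon after the edit, as described in the steps above.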
5. Create the Virtual Agent Syslog policy:
The final step in setting up monitoring for virtual agents is to create a policy with a custom rule for monitoring the syslog on your loghost.
The policy detailed below will cause all events from the loghost to be sent to the SCSP server. This is adequate for illustration, but you may need to tune the policy, for example to set appropriate priorities or to define event patterns to be ignored.
In the Detection tab, under Policies, create a copy of the Unix_Template_Policy. Name the policy as you like and move it to an appropriate folder.
Edit the policy to add a custom rule, name the rule and set the category to “syslog”:
Click Finish to save the new custom rule. Under the section called My Custom Rules, open the Settings and turn on the checkbox for “Syslog Rule Options”. This will enable the rule.
Select OK to save the new rule, update the policy revision, and apply it to the loghost agent.
Once the new policy is successfully applied, new syslog entries from remote, unsupported nodes should trigger the creation of new virtual agents in the server. To see the agents in the SCSP console and examine their events, go to the Master View/Assets/Virtual Agents and select the Virtual Agent for which you want to see events.