I want to monitor all the activities in our Nutanix env by sending the logs to QRadar SIEM; the objective is to identify malicious activities (by attackers) in our env.
My questions are:
1- Where can I find Nutanix logs?
2- What types of logs are provided by Nutanix?
3- How do I send these logs to the SIEM solution?
Thank you in advance.
Best answer by Kcmount
1) under /home/nutanix/data/logs
2) loads, many more than you'd ever imagine
3) I'd definitely use syslog for this, can be configured within UI/CLI
Thank you very much
@Kcmount for your response.
No worries at all. Let me know if you need any help with the config, we have lots of syslog setup!
Thank you so much
For now I still need to know what the types of the logs are. For example, if I want to detect brute force, I will need auth logs ... I would be very thankful if you could tell me all the types of the logs in Nutanix, so I could know what I can detect and what I could not.
And also I want to know the license type of these services :
Sure no problem I'll prepare some advice for you later when I'm at my computer :)
Okay thank you so much.
Sorry for the delay.
So first things first a quick how-to on configuring Syslog itself - How to Send Logs to a Remote Syslog Server
Crucially, listed in this KB are also the modules you can configure (copied for ease)
We then have the various levels of logging:
(Debug is insanely busy, be careful here)
A recent customer deployment we did with a security orientated customer settled on the following:
There are loads of things involved here, I'd recommend enabling them slowly, and monitor the traffic and search queries to find useful information :)
Re your other questions on license type, I'm not quite sure what you mean, so apologies if I've misunderstood.
File analytics is just a VM you can deploy to monitor your Nutanix Files deployment, it's not licensed separately. For Syslog or other hardening here check out the Nutanix Files User Guide - Security Hardening near the bottom of the page. There is a hosted product called Nutanix Data Lens which is as I understand it the future of File Analytics - more info available from Nutanix Data Lens - good blog explanation here - Nutanix Data Lens Powers Data Management and Ransomware Protection and a contact point firstname.lastname@example.org if you need to get some better info than I have :)
Flow Security Central is another hosted / SaaS offering to extend the functionality of Flow on-premises and add on cloud magic - Flow Security Central Guide
Hopefully, some of this helps, shout if you need anything further :)
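As an added example (not code from this thread, from Kcmount, or from Nutanix), here is the kind of brute-force check the question asks about, run over constructed syslog lines in the RFC 3164 shape a forwarder would send to the SIEM. The module tag, message text and addresses are made up, so the regexes need adapting to the real AUDIT/Prism messages once the module is enabled.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in RFC 3164 shape; the message text, module tag
# and addresses are made up for this example and are not Nutanix's format.
SAMPLE_LOGS = """\
<86>Mar 10 09:00:01 cvm-1 PRISM: login failed for user admin from 10.0.5.7
<86>Mar 10 09:00:03 cvm-1 PRISM: login failed for user admin from 10.0.5.7
<86>Mar 10 09:00:05 cvm-1 PRISM: login failed for user root from 10.0.5.7
<86>Mar 10 09:00:06 cvm-1 PRISM: login failed for user admin from 10.0.5.7
<86>Mar 10 09:00:08 cvm-1 PRISM: login failed for user guest from 10.0.5.7
<86>Mar 10 09:01:00 cvm-1 PRISM: login succeeded for user ops from 10.0.9.2
<86>Mar 10 09:20:00 cvm-1 PRISM: login failed for user ops from 10.0.9.2
"""

# <PRI>timestamp host MODULE: message
LINE_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<module>[A-Z_]+): (?P<msg>.*)$"
)
FAIL_RE = re.compile(r"login failed for user (?P<user>\S+) from (?P<src>\S+)")

def parse(line, year=2024):
    """Split one syslog line into fields; None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "module": m["module"], "msg": m["msg"]}

def find_bruteforce(lines, threshold=5, window_s=60):
    """Return {source_ip: time_of_first_alert} for every source that produced
    at least `threshold` failed logins inside any `window_s`-second window."""
    recent = defaultdict(deque)   # source ip -> timestamps of recent failures
    alerts = {}
    for line in lines:
        ev = parse(line)
        if not ev:
            continue
        f = FAIL_RE.search(ev["msg"])
        if not f:
            continue
        q = recent[f["src"]]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()           # drop failures that fell out of the window
        if len(q) >= threshold and f["src"] not in alerts:
            alerts[f["src"]] = ev["ts"]
    return alerts
```

The same threshold-in-a-window logic is what a QRadar rule would express once the forwarded events are parsed; the script just shows which fields the auth messages must carry for that rule to work.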
Thanks a lot @Kcmount, that was extremely helpful.
No worries good luck :)