Hello,
1) under /home/nutanix/data/logs
2) loads, many more than you'd ever imagine
3) I'd definitely use syslog for this, can be configured within UI/CLI
Thank you very much @Kcmount for your response.
No worries at all. Let me know if you need any help with the config, we have lots of syslog setup!
Thank you so much @Kcmount
For now I still need to know what the types of logs are. For example, if I want to detect brute force, I will need auth logs... I would be very thankful if you could tell me all the types of logs in Nutanix, so I could know what I can detect and what I could not.
And also I want to know the license type of these services :
Thank you.
Sure no problem I'll prepare some advice for you later when I'm at my computer :)
Hey,
Sorry for the delay.
So first things first a quick how-to on configuring Syslog itself - How to Send Logs to a Remote Syslog Server
Crucially, listed in this KB are also the modules you can configure (copied for ease)
- ACROPOLIS - The acropolis services are responsible for task scheduling, execution, stat collection, publishing, etc. For more information, see Acropolis Services in the Nutanix Bible.
- AUDIT - Seeds the "consolidated_audit.log" which is used to track ergon tasks that result in changes to the cluster and UVMs.
- CASSANDRA - Stores and manages all of the cluster metadata
- CEREBRO - Responsible for replication and DR capabilities
- CURATOR - Responsible for managing and distributing tasks throughout the cluster
- GENESIS - Responsible for any services interactions (start/stop/etc.) as well as the initial configuration
- PRISM - Management gateway for components and administrators to configure the cluster, monitor the cluster and track logins (successful and unsuccessful).
- STARGATE - Responsible for all data management and I/O operations
- APLOS - API requests
- SYSLOG_MODULE - SSH logins and a lot of information about local root account usage (starting processes for example)
- ZOOKEEPER - Stores all of the cluster configuration
We then have the various levels of logging:
- EMERGENCY
- ALERT
- CRITICAL
- ERROR
- WARNING
- NOTICE
- INFO
- DEBUG
(Debug is insanely busy, be careful here)
A recent customer deployment we did with a security orientated customer settled on the following:
- API_AUDIT – Level = INFO & Include Monitor Logs = TRUE
- AUDIT – Level = INFO & Include Monitor Logs = TRUE
- SYSLOG_MODULE – Level = INFO & Include Monitor Logs = TRUE
- PRISM – Level = INFO & Include Monitor Logs = TRUE
- APLOS – Level = INFO & Include Monitor Logs = TRUE
There are loads of things involved here, I'd recommend enabling them slowly, and monitor the traffic and search queries to find useful information :)
Re your other questions on license type, I'm not quite sure what you mean, so apologies if I've misunderstood.
File analytics is just a VM you can deploy to monitor your Nutanix Files deployment, it's not licensed separately. For Syslog or other hardening here check out the Nutanix Files User Guide - Security Hardening near the bottom of the page. There is a hosted product called Nutanix Data Lens which is as I understand it the future of File Analytics - more info available from Nutanix Data Lens - good blog explanation here - Nutanix Data Lens Powers Data Management and Ransomware Protection and a contact point datalens@nutanix.com if you need to get some better info than I have :)
Flow Security Central is another hosted / SaaS offering to extend the functionality of Flow on-premises and add on cloud magic - Flow Security Central Guide
Hopefully, some of this helps, shout if you need anything further :)
Cheers,
Kim
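The question that started this thread was about detecting brute force from the forwarded logs. The following is an added example, not code from the thread or from Nutanix: it decodes the syslog PRI field into the same severity names listed above (EMERGENCY through DEBUG), then runs a simple per-source threshold detector over constructed sshd lines of the kind SYSLOG_MODULE forwards. The line format (BSD-style `<PRI>timestamp host tag[pid]: message`), the hostnames, the IPs and the threshold/window values are all assumptions for illustration; check them against what your own collector actually receives.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Syslog severity codes 0-7, matching the level names listed in the thread.
SEVERITY_NAMES = ["EMERGENCY", "ALERT", "CRITICAL", "ERROR",
                  "WARNING", "NOTICE", "INFO", "DEBUG"]

PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<rest>.*)$")
# Assumed BSD-style header: "Mon DD HH:MM:SS host tag[pid]: message"
HDR_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<tag>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# Standard OpenSSH failure message shape.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Constructed sample input (not real Nutanix output). 203.0.113.5 fails six
# times in under a minute; 198.51.100.7 fails twice, three minutes apart.
SAMPLE_LINES = [
    "<38>Jun 12 10:00:01 NTNX-CVM-A sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2",
    "<38>Jun 12 10:00:05 NTNX-CVM-A sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 51235 ssh2",
    "<38>Jun 12 10:00:09 NTNX-CVM-A sshd[2105]: Failed password for root from 203.0.113.5 port 51236 ssh2",
    "<38>Jun 12 10:00:10 NTNX-CVM-A sshd[2102]: Failed password for nutanix from 198.51.100.7 port 40022 ssh2",
    "<38>Jun 12 10:00:14 NTNX-CVM-A sshd[2107]: Failed password for root from 203.0.113.5 port 51237 ssh2",
    "<38>Jun 12 10:00:20 NTNX-CVM-A sshd[2109]: Failed password for nutanix from 203.0.113.5 port 51238 ssh2",
    "<38>Jun 12 10:00:27 NTNX-CVM-A sshd[2111]: Failed password for nutanix from 203.0.113.5 port 51239 ssh2",
    "<38>Jun 12 10:03:30 NTNX-CVM-A sshd[2150]: Failed password for nutanix from 198.51.100.7 port 40023 ssh2",
    "<38>Jun 12 10:04:00 NTNX-CVM-A sshd[2160]: Accepted publickey for nutanix from 198.51.100.7 port 40024 ssh2: RSA SHA256:CONSTRUCTED",
    "<39>Jun 12 10:04:01 NTNX-CVM-A sshd[2160]: debug1: constructed debug noise",
    "this is not a syslog line and is skipped",
]


def severity_name(pri):
    """Map a PRI value (facility*8 + severity) to its severity name."""
    _facility, severity = divmod(pri, 8)
    return SEVERITY_NAMES[severity]


def parse_line(line, year=2024):
    """Parse one line into a dict, or None if it does not match the assumed format."""
    m = PRI_RE.match(line)
    if not m:
        return None
    h = HDR_RE.match(m.group("rest"))
    if not h:
        return None
    ts = datetime.strptime(f"{year} {h.group('ts')}", "%Y %b %d %H:%M:%S")
    msg = h.group("msg")
    kind, user, src = "other", None, None
    f = FAILED_RE.search(msg)
    if h.group("tag") == "sshd" and f:
        kind, user, src = "ssh_fail", f.group("user"), f.group("src")
    elif h.group("tag") == "sshd" and msg.startswith("Accepted "):
        kind = "ssh_ok"
    return {"ts": ts, "host": h.group("host"), "severity": severity_name(int(m.group("pri"))),
            "tag": h.group("tag"), "kind": kind, "user": user, "src": src, "msg": msg}


def parse_lines(lines):
    """Parse many lines, silently dropping ones that do not fit the format."""
    return [ev for ev in (parse_line(l) for l in lines) if ev is not None]


def count_by_severity(events):
    """Volume per severity level; useful when deciding which levels to forward."""
    return Counter(ev["severity"] for ev in events)


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Alert once per source IP that accumulates `threshold` SSH failures within `window`."""
    recent = defaultdict(deque)   # src -> timestamps of failures still inside the window
    alerted, alerts = set(), []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["kind"] != "ssh_fail":
            continue
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) >= threshold and ev["src"] not in alerted:
            alerted.add(ev["src"])
            alerts.append({"src": ev["src"], "count": len(q), "first": q[0], "last": ev["ts"]})
    return alerts


if __name__ == "__main__":
    evs = parse_lines(SAMPLE_LINES)
    print("events by severity:", dict(count_by_severity(evs)))
    for a in detect_bruteforce(evs):
        print(f"ALERT {a['src']}: {a['count']} SSH failures between {a['first']} and {a['last']}")
```

Two things worth noting from running it: the DEBUG line is counted but never feeds the detector, which is the practical reason to forward INFO rather than DEBUG for SYSLOG_MODULE as the deployment above does; and the source that fails twice three minutes apart produces no alert, so the window and threshold are what you tune against your own baseline after enabling modules one at a time.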
Thanks a lot @Kcmount, that was extremely helpful.