Solved

Monitor Nutanix logs with IBM Qradar

  • 28 October 2022
  • 9 replies
  • 826 views

Badge

Hi everyone;

I want to monitor all the activities in Nutanix env, by sending the logs to qradar siem; the objectif is to identify malicious activities (by attackers) in our env.

My question are :

1- where can I find Nutanix logs ?

2- what types of logs provided by Nutanix ?

3- how to send these logs to The SIEM solution ?

Thank you in advance.

icon

Best answer by Kcmount 29 October 2022, 11:39

View original

This topic has been closed for comments

9 replies

Userlevel 4
Badge +6

Hello,

1) under /home/nutanix/data/logs

2) loads, many more than you'd ever imagine

3) I'd definitely use syslog for this, can be configured within UI/CLI

Badge

Thank you very much @Kcmount for your response.

Userlevel 4
Badge +6

No worries at all. Let me know if you need any help with the config, we have lots of syslog setup!

Badge

Thank you so much @Kcmount

For now I still need to know what are the types of the logs. for example, if I want to detect brute force, I will need auth logs ... I would be very thankfull if you could tell me all the types of the logs in nutanix, so I could know what I can detect and what I could not.

And also I want to know the license type of these services :

  • File analytics
  • Flow security central 

Thank you.

Userlevel 4
Badge +6

Sure no problem I'll prepare some advice for you later when I'm at my computer :)

Badge

Okay thank you so much.

Userlevel 4
Badge +6

Hey,

Sorry for the delay.

So first things first a quick how-to on configuring Syslog itself - How to Send Logs to a Remote Syslog Server

Crucially, listed in this KB are also the modules you can configure (copied for ease)

  • ACROPOLIS - The acropolis services are responsible for task scheduling, execution, stat collection, publishing, etc. For more information, see Acropolis Services in the Nutanix Bible.
  • AUDIT - Seeds the "consolidated_audit.log" which is used to track ergon tasks that result in changes to the cluster and UVMs.
  • CASSANDRA - Stores and manages all of the cluster metadata
  • CEREBRO - Responsible for replication and DR capabilities
  • CURATOR - Responsible for managing and distributing tasks throughout the cluster
  • GENESIS - Responsible for any services interactions (start/stop/etc.) as well as the initial configuration
  • PRISM - Management gateway for component and administrators to configure the cluster, monitor the cluster and track logins (successful and unsuccessful) .
  • STARGATE - Responsible for all data management and I/O operations
  • APLOS - API requests
  • SYSLOG_MODULE - SSH logins and a lot of information about local root account usage (starting processes for example)
  • ZOOKEEPER - Stores all of the cluster configuration

We then have the various levels of logging:

  • EMERGENCY
  • ALERT
  • CRITICAL
  • ERROR
  • WARNING
  • NOTICE
  • INFO
  • DEBUG

(Debug is insanely busy, be careful here)

 

A recent customer deployment we did with a security orientated customer settled on the following:

 

  • API_AUDIT – Level = INFO & Include Monitor Logs = TRUE
  • AUDIT – Level = INFO & Include Monitor Logs = TRUE  
  • SYSLOG_MODULE – Level = INFO & Include Monitor Logs = TRUE  
  • PRISM – Level = INFO & Include Monitor Logs = TRUE  
  • APLOS – Level = INFO & Include Monitor Logs = TRUE  


There are loads of things involved here, I'd recommend enabling them slowly, and monitor the traffic and search queries to find useful information :)

Re your other questions on license type, I'm not quite sure what you mean so apologies if I've misunderstood..

File analytics is just a VM you can deploy to monitor your Nutanix Files deployment, it's not licensed separately. For Syslog or other hardening here check out the Nutanix Files User Guide - Security Hardening  near the bottom of the page. There is a hosted product called Nutanix Data Lens which is as I understand it the future of File Analytics - more info available from Nutanix Data Lens  - good blog explanation here - Nutanix Data Lens Powers Data Management and Ransomware Protection  and a contact point datalens@nutanix.com  if you need to get some better info than I have :)

Flow Security Central is another hosted / SaaS offering to extend the functionality of Flow on-premises and add on cloud magic - Flow Security Central Guide

Hopefully, some of this helps, shout if you need anything further  :)

Cheers,

Kim

Badge

Thanks a lot @Kcmount, that was extremely helpful.

Userlevel 4
Badge +6

No worries good luck :)