VMware vCenter Log Insight Security Guide




VMware vCenter Log Insight Security Guide
vCenter Log Insight 2.0

This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.

EN-001425-00

You can find the most up-to-date technical documentation on the VMware Web site at: http://www.vmware.com/support/
The VMware Web site also provides the latest product updates. If you have comments about this documentation, submit your feedback to: docfeedback@vmware.com

Copyright 2014 VMware, Inc. All rights reserved. Copyright and trademark information.
VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com

Contents

About VMware vCenter Log Insight Security Guide 5

1 Log Insight Security Reference 7
  Ports and External Interfaces that the Log Insight Virtual Appliance Uses 7
  Log Insight Configuration Files 9
  Log Insight Public Key, Certificate, and Keystore 10
  Log Insight License and EULA File 10
  Log Insight Log Files 10
  Log Insight Firewall Recommendations 12
  Log Insight User Accounts 12
  Security Updates and Patches 13

Index 15


About VMware vCenter Log Insight Security Guide

The VMware vCenter Log Insight Security Guide provides a concise reference to the security features of Log Insight. To help you protect your Log Insight installation, this guide describes security features built in to Log Insight and the measures that you can take to safeguard it from attack:

- External interfaces, ports, and services that are necessary for the proper operation of Log Insight
- Configuration options and settings that have security implications
- Location of log files and their purpose
- Required system accounts
- Information on obtaining the latest security patches

Intended Audience

This information is intended for IT decision makers, architects, administrators, and others who must familiarize themselves with the security components of Log Insight.


Chapter 1 Log Insight Security Reference

Use the Security Reference to learn about the security features of your Log Insight installation and the measures that you can take to safeguard your environment from attack.

This chapter includes the following topics:
- Ports and External Interfaces that the Log Insight Virtual Appliance Uses, on page 7
- Log Insight Configuration Files, on page 9
- Log Insight Public Key, Certificate, and Keystore, on page 10
- Log Insight License and EULA File, on page 10
- Log Insight Log Files, on page 10
- Log Insight Firewall Recommendations, on page 12
- Log Insight User Accounts, on page 12
- Security Updates and Patches, on page 13

Ports and External Interfaces that the Log Insight Virtual Appliance Uses

The operation of Log Insight depends on certain services, ports, and external interfaces.

Communication Ports

Log Insight uses several communication ports and protocols. Log Insight network traffic has several sources.

Admin workstation: The machine that a system administrator uses to manage the Log Insight virtual appliance remotely.
User workstation: The machine on which a Log Insight user uses a browser to access the web interface of Log Insight.
System sending logs: The endpoint that sends logs to Log Insight for analysis and search. For example, endpoints include ESXi hosts, VMs, or any system with an IP address.
Log Insight Windows Agent: The agent that resides on a Windows machine and sends Windows events and logs to Log Insight over APIs.
Log Insight appliance: Any Log Insight virtual appliance, master or worker, where the Log Insight services reside. The base operating system of the appliance is SUSE 11 SP3.
Log Insight master node: In cluster mode, Log Insight consists of multiple nodes, including one master node and several worker nodes. When you issue a query, it goes first to the master node. The master node processes the query, distributes the work to multiple worker nodes, collects and aggregates the result, and sends it back to you. You use the Log Insight master node to configure the entire system. In standalone mode, the only node is both the master node and the worker node.

Source | Destination | Port | Protocol | Service Description
--- | --- | --- | --- | ---
Admin workstation | Log Insight appliance | 22 | TCP | SSH: Secure Shell connectivity
User workstation | Log Insight appliance | 80 | TCP | HTTP: Web interface
User workstation | Log Insight appliance | 443 | TCP | HTTPS: Web interface
System sending logs | Log Insight appliance | 514 | TCP, UDP | Syslog data
System sending logs | Log Insight appliance | 1514, 6514 | TCP | Syslog data over SSL
Log Insight Windows Agent | Log Insight appliance | 9000 | TCP | Log Insight Ingestion API
Log Insight appliance | NTP server | 123 | UDP | NTPD: Provides NTP time synchronization. NOTE: The port is open only if you choose to use NTP time synchronization.
Log Insight appliance | Log Insight appliance | 59778, 16520-16580 | TCP | Log Insight services
Log Insight appliance | Mail server | 465 | TCP | SMTPS: SMTP mail service over SSL
Log Insight appliance | Log Insight master node | 12543 | TCP | Postgres database server. NOTE: Port 12543 is open only on the Log Insight master node. The Postgres database server runs on the master node.
Log Insight master node | DNS server | 53 | TCP, UDP | DNS
Log Insight master node | AD server | 389 | TCP, UDP | Active Directory. NOTE: The port is open only if you enable Active Directory integration.
Log Insight master node | AD server | 636 | TCP | Active Directory over SSL. NOTE: The port is open only if you enable Active Directory integration.
Log Insight master node | AD server | 3268 | TCP | Active Directory Global Catalog. NOTE: The port is open only if you enable Active Directory integration.
Log Insight master node | AD server | 3269 | TCP | Active Directory Global Catalog SSL. NOTE: The port is open only if you enable Active Directory integration.

The following ports are open but not used by Log Insight, and can be safely blocked by a firewall. They will be closed by default in a future release.

Destination | Port | Protocol | Service Description
--- | --- | --- | ---
Log Insight appliance | 111 | TCP, UDP | RPCbind service that converts RPC program numbers into universal addresses
Log Insight appliance (Tomcat service) | 9007 | TCP | Tomcat services

Log Insight Configuration Files

Some configuration files contain settings that affect Log Insight security.

NOTE: All security-related resources are accessible by the root account. Protecting this account is critical to the security of Log Insight.

Table 1-1. Log Insight Configuration Files

File | Description
--- | ---
/usr/lib/loginsight/application/etc/loginsight-config-base.xml | The default system configuration for Log Insight.
/storage/core/loginsight/config/loginsight-config.xml#number | The modified (from the default) system configuration for Log Insight.
/usr/lib/loginsight/application/etc/jaas.conf | The configuration for Active Directory integration.
/usr/lib/loginsight/application/etc/3rd_config/server.xml | The system configuration for Apache Tomcat server.
/usr/lib/loginsight/application/3rd_party/apache-tomcat-*/conf/server.xml | The system configuration for Apache Tomcat server.
/storage/var/loginsight/apache-tomcat/conf/tomcat-users.xml | User information for Apache Tomcat server.
/usr/lib/loginsight/application/3rd_party/apache-tomcat-*/conf/tomcat-users.xml | User information for Apache Tomcat server.
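The port table above, together with the note that the Postgres listener exists only on the master node, is enough to derive a host firewall per node role. The following Python is an added example, not VMware's code or part of the appliance: it encodes the documented inbound flows and emits iptables INPUT rules for a master, worker or standalone node; the source networks, role names and helper names are assumptions made for this example.

```python
"""Example added here, not VMware's code: turn the Log Insight 2.0 port table
into per-role iptables INPUT rules for one appliance. Ports and roles come
from the Security Guide; source networks and helper names are assumptions.
Only inbound flows are modelled; NTP, DNS, AD and SMTP are outbound."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

@dataclass(frozen=True)
class Flow:
    source: str        # role that opens the connection
    ports: str         # iptables multiport syntax, e.g. "59778,16520:16580"
    proto: str         # "tcp" or "udp"
    service: str
    master_only: bool = False  # listener exists only on the master node

# Inbound flows to an appliance, as listed in the port table.
INBOUND = [
    Flow("admin", "22", "tcp", "SSH"),
    Flow("user", "80", "tcp", "HTTP web interface"),
    Flow("user", "443", "tcp", "HTTPS web interface"),
    Flow("logsource", "514", "tcp", "Syslog"),
    Flow("logsource", "514", "udp", "Syslog"),
    Flow("logsource", "1514,6514", "tcp", "Syslog over SSL"),
    Flow("agent", "9000", "tcp", "Ingestion API"),
    Flow("node", "59778,16520:16580", "tcp", "Log Insight services"),
    Flow("node", "12543", "tcp", "Postgres", master_only=True),
]
# Open on the appliance but unused; the guide says a firewall may block them.
UNUSED = [Flow("any", "111", "tcp", "rpcbind"), Flow("any", "111", "udp", "rpcbind"),
          Flow("any", "9007", "tcp", "Tomcat")]

# Constructed example networks: which CIDR may act as each source role.
EXAMPLE_SOURCES = {"admin": "10.0.0.0/24", "user": "10.0.1.0/24",
                   "logsource": "10.0.0.0/8", "agent": "10.0.0.0/8",
                   "node": "10.0.2.0/24"}

def allowed_flows(role: str) -> List[Flow]:
    """Flows a node of the given role should accept. A standalone node is
    both master and worker, so it also runs the Postgres listener."""
    if role not in ("master", "worker", "standalone"):
        raise ValueError(f"unknown role {role!r}")
    has_postgres = role in ("master", "standalone")
    return [f for f in INBOUND if has_postgres or not f.master_only]

def allowed_ports(role: str) -> Set[Tuple[str, str]]:
    return {(f.proto, f.ports) for f in allowed_flows(role)}

def rules_for(role: str, sources: Dict[str, str]) -> List[str]:
    """Emit iptables-restore style INPUT rules: default DROP, allow only the
    documented flows from their documented sources, drop the unused ports."""
    lines = ["-P INPUT DROP",
             "-A INPUT -i lo -j ACCEPT",
             "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for f in allowed_flows(role):
        lines.append(f"-A INPUT -s {sources[f.source]} -p {f.proto} -m multiport "
                     f"--dports {f.ports} -m comment --comment \"{f.service}\" -j ACCEPT")
    # Already covered by the DROP policy; kept explicit so the intent survives
    # if someone later relaxes the default policy.
    for f in UNUSED:
        lines.append(f"-A INPUT -p {f.proto} --dport {f.ports} "
                     f"-m comment --comment \"unused: {f.service}\" -j DROP")
    return lines
```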

Log Insight Public Key, Certificate, and Keystore

The public key, the certificate, and the keystore of Log Insight are located on the Log Insight virtual appliance.

NOTE: All security-related resources are accessible by the root account. Protecting this account is critical to the security of Log Insight.

- /usr/lib/loginsight/application/etc/public.cert
- /usr/lib/loginsight/application/etc/loginsight.pub
- /usr/lib/loginsight/application/etc/3rd_config/keystore
- /usr/lib/loginsight/application/etc/truststore
- /usr/lib/loginsight/application/3rd_party/apache-tomcat-*/conf/keystore

Log Insight License and EULA File

The end-user license agreement (EULA) and license file are located on the Log Insight virtual appliance.

NOTE: All security-related resources are accessible by the root account. Protecting this account is critical to the security of Log Insight.

File | Location
--- | ---
License | /usr/lib/loginsight/application/etc/license/loginsight_dev.dlf
License | /usr/lib/loginsight/application/etc/license/loginsight_cpu.dlf
License | /usr/lib/loginsight/application/etc/license/loginsight_osi.dlf
License key file | /usr/lib/loginsight/application/etc/license/loginsight_license.txt
End-user license agreement | /usr/lib/loginsight/application/etc/license/eula.txt

Log Insight Log Files

The files that contain system messages are located on the Log Insight virtual appliance.

File | Description
--- | ---
/storage/var/loginsight/runtime.log | Used to track all run time information related to Log Insight
/storage/var/loginsight/pi.log | Used to track database start or stop events
/storage/var/loginsight/usage.log | Used to track all queries
/storage/var/loginsight/ui.log | Used to track events related to the Log Insight user interface
/storage/var/loginsight/watchdog_log* | Used to track the run time events of the watchdog process, which is responsible for restarting Log Insight if it is shut down for some reason
/storage/var/loginsight/vcenter_operations.log | Used to track events related to the vCenter Operations Manager integration
/storage/var/loginsight/loginsight_daemon_stdout.log | Used for the standard output of the Log Insight daemon
/storage/var/loginsight/upgrade.log | Used to track events that occur during Log Insight upgrade
/storage/var/loginsight/apache-tomcat/logs/*.log | Used to track events from Apache Tomcat server
/storage/var/loginsight/plugins/vsphere/li-vsphere.log | Used to trace events related to integration with vSphere
/storage/var/loginsight/pgsql.log | Used to track the events of the Postgres server
/var/log/firstboot/stratavm.log | Used to track the events that occur at first boot and configuration of the Log Insight virtual appliance
/storage/var/loginsight/phonehome.log | Used to track information about trace data collection sent to VMware (if enabled)
/storage/var/loginsight/alert.log | Used to track information about user-defined alerts that have been triggered
/storage/var/loginsight/systemalert.log | Used to track information about system alerts that Log Insight sends. Each alert is listed as a JSON entry.
/storage/var/loginsight/systemalert_worker.log | Used to track information about system alerts that a Log Insight worker node sends. Each alert is listed as a JSON entry.

Log Messages Related to Security

The runtime.log file contains user audit log messages in the following format.

[2013-05-17 20:40:18.716+0000] [http-443-5 INFO /127.0.0.1] [com.vmware.loginsight.web.actions.misc.loginactionbean][user logged in: Name: admin Role: admin]
[2013-05-17 20:39:51.395+0000] [http-443-5 INFO /127.0.0.1] [com.vmware.loginsight.web.actions.misc.loginactionbean][user logged out: Name: admin Role: admin]
[2013-09-18 12:39:34.823-0700] [http-9443-3 WARN /127.0.0.1] [com.vmware.loginsight.web.actions.misc.loginactionbean][bad username/password attempt (username: myusername)]
[2013-09-18 12:40:08.761-0700] [http-9443-3 INFO /127.0.0.1] [com.vmware.loginsight.web.actions.misc.loginactionbean][user logged in: Active Directory User: SAM=myusername, Domain=vmware.com,UPN=myusername@vmware.com]
[2013-09-18 12:40:20.232-0700] [http-9443-3 INFO /127.0.0.1] [com.vmware.loginsight.web.actions.misc.loginactionbean][user logged out: Active Directory User: SAM=myusername, Domain=vmware.com,UPN=myusername@vmware.com]
[2013-09-18 12:40:36.933-0700] [http-9443-3 INFO /127.0.0.1] [com.vmware.loginsight.web.actions.misc.loginactionbean][user logged in: Local User: Name=myusername, Role=user]
[2013-09-18 12:40:40.429-0700] [http-9443-3 INFO /127.0.0.1] [com.vmware.loginsight.web.actions.misc.loginactionbean][user logged out: Local User: Name=myusername, Role=user
[2013-11-13 23:26:21.569+0000] [http-443-4 INFO /127.0.0.1] [com.vmware.loginsight.web.actions.settings.usersactionbean] [Created new user: Active Directory User: SAM=username, Domain=vmware.com, UPN=username@vmware.com]
[2013-11-14 22:44:11.017+0000] [http-443-6 INFO /127.0.0.1] [com.vmware.loginsight.web.actions.settings.usersactionbean] [Created new user: Local User: Name=username, Role=admin]

[2013-12-05 21:03:36.751+0000] [http-443-3 INFO /127.0.0.1] [com.vmware.loginsight.web.actions.settings.usersactionbean] [Removed users: [Active Directory User: SAM=username, Domain=vmware.com, UPN=username@vmware.com]]
[2013-12-05 21:04:16.707+0000] [http-443-3 INFO /127.0.0.1] [com.vmware.loginsight.web.actions.settings.usersactionbean] [Removed users: [Local User: Name=username, Role=admin]]
[http-9443-3 INFO /127.0.0.1] [com.vmware.loginsight.web.actions.settings.usersactionbean] [Created new group: (domain=vmware.com, group=vmware Employees, role=user)]
[2013-12-05 13:07:04.108-0800] [http-9443-2 INFO /127.0.0.1] [com.vmware.loginsight.web.actions.settings.usersactionbean] [Removed groups: [(domain=vmware.com, group=vmware Employees, role=user)]]

Log Insight Firewall Recommendations

To protect sensitive information gathered by Log Insight, place the server or servers on a management network segment protected by a firewall from the rest of your internal network.

Required Ports

The following ports need to be open to network traffic from sources that send data to Log Insight.

Port | Protocol
--- | ---
514/UDP, 514/TCP | Syslog
1514/TCP, 6514/TCP | Syslog-TLS (SSL)
9000/TCP | Log Insight Ingestion API

The following ports need to be open to network traffic that needs to use the Log Insight UI.

Port | Protocol
--- | ---
80/TCP | HTTP
443/TCP | HTTPS

For maximum security, the following set of ports should be open only on a Log Insight master node, and only for network access from worker nodes.

Port | Protocol
--- | ---
16520:16580/TCP | Thrift RPC
59778/TCP | log4j server
12543/TCP | database server

Log Insight User Accounts

You must set up a system and a root account to administer Log Insight.

Log Insight Root User

Log Insight currently uses the root user account as the service user. No other user is created. Unless you set the root password property during deployment, the default root password is blank. You must change the root password when you log in to the Log Insight console for the first time. SSH is disabled until the default root password is set.

The root password must meet the following requirements.

- Must be at least 8 characters long
- Must contain at least one uppercase letter, one lowercase letter, one digit, and one special character
- Must not repeat the same character four times

Log Insight Admin User

When you start the Log Insight virtual appliance for the first time, Log Insight creates the admin user account for its Web user interface. The default password for admin is blank. You must change the admin password in the Web user interface during the initial configuration of Log Insight.

Active Directory Support

Log Insight supports integration with Active Directory. When configured, Log Insight can authenticate or authorize a user against Active Directory. See the topic Enable User Authentication Through Active Directory in the Log Insight Administration Guide.

Privileges Assigned to Default Users

The Log Insight service user has root privileges. The Web user interface admin user has administrator privileges only within the Log Insight Web user interface.

Security Updates and Patches

The Log Insight virtual appliance uses SUSE Linux Enterprise Server 11 (x86_64), version 11, patch level 3 as the guest operating system. You can apply the latest security update or patch by using a conventional approach, for example, rpm upgrade. Before you apply an upgrade or patch to the guest operating system, take into account the dependencies. See Ports and External Interfaces that the Log Insight Virtual Appliance Uses, on page 7.
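The runtime.log audit messages shown earlier in this chapter are the record of who logged in, who failed to, and who changed accounts or groups. The following Python is an added example, not VMware's code or a Log Insight feature: it parses that line layout, tolerates the sample that lacks its closing bracket, counts bad-password attempts per username and lists account changes; the sample lines, logger suffixes and helper names are constructed for the example.

```python
"""Example added here, not VMware's code: parse the user audit messages that
Log Insight 2.0 writes to runtime.log and pull out the events a defender
watches for (failed logins, account and group changes). The line layout
follows the samples in this guide; the sample lines are constructed."""
import re
from collections import Counter
from datetime import datetime
from typing import Dict, List, Optional

# [timestamp] [thread LEVEL /client-ip] [logger][message]
# The message's closing bracket is optional: one sample in the guide omits it.
AUDIT_RE = re.compile(
    r"^\[\s*(?P<ts>[^\]]+)\]\s+\[(?P<thread>\S+)\s+(?P<level>[A-Z]+)\s+/(?P<ip>[^\]]+)\]"
    r"\s*\[(?P<logger>[^\]]+)\]\s*\[(?P<msg>.*?)\]?$")
# Username appears as "username: x", "Name: x", "Name=x" or "SAM=x".
NAME_RE = re.compile(r"(?:username:\s*|Name[=:]\s*|SAM=)(?P<name>[^\s,)\]]+)")
EVENT_KINDS = {  # message prefix -> event kind
    "user logged in": "login", "user logged out": "logout",
    "bad username/password": "login_failed", "Created new user": "user_created",
    "Removed users": "user_removed", "Created new group": "group_created",
    "Removed groups": "group_removed"}
CHANGE_KINDS = {"user_created", "user_removed", "group_created", "group_removed"}

def parse_audit_line(line: str) -> Optional[Dict[str, object]]:
    """Return one audit event as a dict, or None for lines that are not audit messages."""
    m = AUDIT_RE.match(line.strip())
    if not m:
        return None
    kind = next((k for p, k in EVENT_KINDS.items() if m["msg"].startswith(p)), None)
    if kind is None:
        return None
    name = NAME_RE.search(m["msg"])
    return {"time": datetime.strptime(m["ts"].strip(), "%Y-%m-%d %H:%M:%S.%f%z"),
            "level": m["level"], "client_ip": m["ip"], "kind": kind,
            "user": name["name"] if name else None}

def failed_login_counts(lines: List[str]) -> Counter:
    """Bad-password attempts per username, the input for a brute-force alert."""
    events = (parse_audit_line(l) for l in lines)
    return Counter(e["user"] for e in events if e and e["kind"] == "login_failed")

def account_changes(lines: List[str]) -> List[str]:
    """User and group creations/removals, which an admin should review regularly."""
    out = []
    for ev in filter(None, map(parse_audit_line, lines)):
        if ev["kind"] in CHANGE_KINDS:
            out.append(f"{ev['time'].isoformat()} {ev['kind']} {ev['user']} from {ev['client_ip']}")
    return out

LOGGER = "com.vmware.loginsight.web.actions"
# Constructed sample lines in the documented layout (not real log data).
SAMPLE = [
    f"[2014-01-10 08:00:01.100+0000] [http-443-5 INFO /10.0.0.5] [{LOGGER}.misc.loginactionbean][user logged in: Name: admin Role: admin]",
    f"[2014-01-10 08:01:12.200+0000] [http-443-5 WARN /10.0.0.9] [{LOGGER}.misc.loginactionbean][bad username/password attempt (username: alice)]",
    f"[2014-01-10 08:01:15.300+0000] [http-443-5 WARN /10.0.0.9] [{LOGGER}.misc.loginactionbean][bad username/password attempt (username: alice)]",
    f"[2014-01-10 08:01:19.400+0000] [http-443-5 WARN /10.0.0.9] [{LOGGER}.misc.loginactionbean][bad username/password attempt (username: alice)]",
    f"[2014-01-10 08:02:00.500+0000] [http-443-6 INFO /10.0.0.5] [{LOGGER}.settings.usersactionbean] [Created new user: Local User: Name=bob, Role=admin]",
    f"[2014-01-10 08:03:00.600-0700] [http-9443-3 INFO /10.0.0.7] [{LOGGER}.misc.loginactionbean][user logged out: Local User: Name=carol, Role=user",
    f"[2014-01-10 08:04:00.700+0000] [http-443-1 INFO /10.0.0.5] [{LOGGER}.misc.loginactionbean][unrelated message]",
]
```

Feed the real file with `failed_login_counts(open("/storage/var/loginsight/runtime.log"))` and alert when a username exceeds the threshold you choose.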


Index

A
admin privileges 12

C
certificate 10
configuration files 9

D
default root password 12
disabled SSH 12

E
EULA 10

F
firewall ports 12
firewall recommendations 12

G
glossary 5
guest OS 13

H
http 7
https 7

I
intended audience 5

K
keystore 10

L
license file 10
loginsight-config-base.xml 9
loginsight-config-projects.xml 9
loginsight-config.xml 9
loginsight.pub 10
logs 10

N
ntp 7

P
patches 13
ports 7
postgres 7
public key 10
public.cert 10

R
required ports 12
root privileges 12

S
security reference 7
security updates 13
sendmail 7
server.xml 9
services 7
smtp 7
SSH 12
sshd 7
syslog 7
system logs 10

T
tcp 7
tomcat-users.xml 9
truststore 10

U
udp 7
