PowerFlex 4.x Configuring syslogs for Dell PowerSwitch and Cisco Nexus switches
Summary: For the Dell PowerSwitch and Cisco Nexus switches, syslog can be transmitted through TLS and audit logs. Ensure TACACS (Terminal Access Controller Access-Control System) is used for the audit logs. ...
Instructions
Configuring syslogs for Dell PowerSwitch and Cisco Nexus switches
For the Dell PowerSwitch and Cisco Nexus switches, syslog can be transmitted through TLS and audit logs. Ensure TACACS (Terminal Access Controller Access-Control System) is used for the audit logs.
Switches and their product documentation
| Product | Link to the product documentation |
|---|---|
| Dell PowerSwitch switches | |
| Cisco Nexus switches | Cisco Nexus 9000 Series NX-OS System Management Configuration Guide, Release 10.3(x) |
| TACACS logs | Cisco Identity Services Engine Administrator Guide, Release 3.2 |
PowerFlex audit log
This section describes how to enable audit logging in PowerFlex Manager.
PowerFlex Manager 4.6 is recommended before you use the new audit log configuration. It continues to work on older versions of PowerFlex Manager.
Using the audit policy and setup (instead of events to syslog, and syslog to syslog) narrows the events and messages down to "audit" (Facility 13).
Audit logs filter the Facility 13 messages. Adding syslog and events to rsyslog is allowed.
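A SIEM-side check for the Facility 13 filtering described above, added here as an example and not part of the Dell documentation: it splits a received TCP syslog stream into messages, decodes each PRI value (facility × 8 + severity), and reports anything that is not Facility 13. The sample messages and their field layout are constructed, since the page does not show the PowerFlex audit message format.

```python
import re

AUDIT_FACILITY = 13            # "log audit" in the RFC 5424 facility table
PRI_RE = re.compile(r"^<(\d{1,3})>")

def split_frames(stream: bytes):
    """Split a TCP syslog byte stream into messages (RFC 6587 framing).

    Supports octet-counting ("LEN SP MSG") and LF-terminated framing.
    """
    frames, i = [], 0
    while i < len(stream):
        m = re.match(rb"([1-9]\d*) ", stream[i:i + 12])
        if m:                                  # octet-counting frame
            start, length = i + m.end(), int(m.group(1))
            frames.append(stream[start:start + length])
            i = start + length
        else:                                  # LF-terminated frame
            end = stream.find(b"\n", i)
            end = len(stream) if end == -1 else end
            if end > i:
                frames.append(stream[i:end])
            i = end + 1
    return [f.decode("utf-8", "replace") for f in frames]

def decode_pri(message: str):
    """Return (facility, severity), or None if the PRI is missing or invalid."""
    m = PRI_RE.match(message)
    if not m or int(m.group(1)) > 191:         # 23 * 8 + 7 is the maximum PRI
        return None
    return divmod(int(m.group(1)), 8)

def non_audit(stream: bytes):
    """Messages that should not reach an audit-only destination."""
    return [msg for msg in split_frames(stream)
            if (decode_pri(msg) or (None,))[0] != AUDIT_FACILITY]

def _frame(msg: bytes) -> bytes:               # helper to build octet-counted input
    return str(len(msg)).encode() + b" " + msg

# Constructed sample streams (hostnames and message bodies are made up).
SAMPLE_LF = (
    b"<110>1 2024-05-01T10:00:00Z mvm1 audit - - - user=admin action=login\n"
    b"<14>1 2024-05-01T10:00:01Z mvm1 app - - - service heartbeat\n"
)
SAMPLE_OCTET = (
    _frame(b"<109>1 2024-05-01T10:00:02Z mvm1 audit - - - action=delete_volume")
    + _frame(b"<38>1 2024-05-01T10:00:03Z mvm1 sshd - - - session opened")
)
```

An empty result from `non_audit()` on captured traffic means every message carried a PRI between 104 and 111, which is the Facility 13 range.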
Ingress and events propagation to syslog
Use this procedure to set up ingress and events propagation to syslog.
Steps
- Go to /opt/platform-provisioner/support_scripts and run the ./install_audit.sh script once from any of the MVM nodes. Provide the PowerFlex user credentials at the credential prompt.
# Enter the node
cd /opt/platform-provisioner/support_scripts; ./install_audit.sh
# Installing observability. If there is an issue, break and repeat.
# PFXUSER must be defined to the PowerFlex admin user, something like:
# PFXUSER="admin" PFXPASSWORD="Scaleio123!" ./install_audit.sh
# Enter your PFX USER :
# Enter PFX PASSWORD :
This may take 20 minutes, do not close this terminal until this script completes successfully.
- User credentials must be supplied in the environment or as a variable in the command line above. If the variable is missing, it prompts for it to be entered.
- If the process failed or was interrupted, there might be a job running in the platform manager:
"{"title": "An execution is already in progress", "description": "Please refer bedrock log for more details"}++ wait_for_done" ... No ID - check error
The process can be run again when this job completes.
The script verifies that 10 observability services are present to confirm that the observability installation completed successfully. It then completes the platform installer configuration change.
Define the audit policy notification policy
Use this procedure to define a notification policy to forward events in the PowerFlex system to the rsyslog-forwarder (also known as the syslog-listener). Then, the rsyslog-forwarder forwards the events to the external destinations that are defined in the policy.
Steps
- Create a source:
  - Click Add a source and from the Source Type drop-down menu, select auditlog.
  - Add the name and description.
- Create a destination:
  - Go to Settings > Events and Alerts > Notification Policies.
    You can also use the following REST API: dispatch-destinations~1/post
  - Enter the destination name and description.
  - From the Destination Type menu, select Audit Log.
  - Click Next and enter the IP address, port, and protocol (TCP) of the target SIEM. Ensure that the SIEM IP address, port, and protocol are reachable.
- Create a new policy:
  - Go to Settings > Events and Alerts > Notification Policies.
    You can also use the following REST API: dispatch-policies~1/post
  - Click Create New Policy.
  - Enter a name and a description for the notification policy. For the policy name, you can enter: Powerflex audit events to external Syslog
  - Set the Source Type to Auditlog.
  - Set the Resource Domain to All (all resource domains must be selected).
  - For Severity, select all the check boxes (all severity levels must be selected).
  - Select one or more of the destinations you created above.