storagegrid and remote syslog integration

SebastienP · ‎2021-07-13

Hi,

forgive me if the answer is trivial, but after crawling the doc for some times I didn't manage to find a complete solution to properly integrate storagegrid and our SIEM.

The simplest solution would be to forward the syslog feed to our SIEM syslog but when I check the following KB (How to forward audit logs to Syslog server - NetApp Knowledge Base) it doesn't help a lot.

As we are planning to use the provided docker image, we need to ensure that the integration could be upgraded without worries and lost of syslog configuration.

If someone has a hint I will appreciate it....

elementx · ‎2021-07-13

I don't know what the KB article talks about but as it suggests you could ask the NetApp Partner or Account Team to figure it out for you.

I say I don't know what the KB is about because the docs say (https://docs.netapp.com/sgws-115/topic/com.netapp.doc.sg-s3/GUID-3266A961-C006-4BFF-8B30-445F4F888718.html?resultof=%22%61%75%64%69%74%22%20%22%6c%6f%...) that SG audit logs are not logged to syslog, but to a separate audit log file. As you can see from the documentation, you can get that log file exported read-only via NFS. The hard part is parsing it without missing any rows (personally I couldn't do it, but if you're good with regexp, you may be able to; or if you can get NetApp Professional Services to do this for you).

As for other (non-audit logs), it seems some may be forwarded to syslog. From my experience with (other NetApp apps) and Docker, it's not hard to forward Docker logs to Syslog and from there to a forwarder and/or SIEM, but you'd have to make changes to the OVA file (or possibly StorageGRID appliance configuration) after upgrades. Since these aren't documented, they aren't supported w/o FPVR request by NetApp partner or account team, so you'd still need to get this request done and approved to get the correct instructions and risk-free reapply it after upgrades.

SebastienP · ‎2021-07-15

thanks for the input.

what's bother me with the network shared audit file is that isn't a standard way of gathering event...

FYI we are currently in the process of also opening a support request on this topic with netapp.

elementx · ‎2021-07-15

I'll let someone from the SG product team officially comment on that, but you'd still have to parse and transform the audit log file.

One advantage of receiving logs via syslog would be near real-time logs. Compared to that, re-reading audit.log from NFS is possible but due to log file size it couldn't be done very frequently (maybe once an hour?) because the file can be large. It's probably more reasonable to check the share every X hours and deal with log files only after they've been rotated (i.e. they won't be updated, so they won't need to be re-read either). I know it's not the solution you want but I don't know of any other.

angelacheng · ‎2022-09-15

With StorageGRID 11.6, there is syslog forward feature. Please refer to this link for instruction how to configure external syslog server to receive StorageGRID log messages (including audit messages) and parse the messages for log analysis.