IBM Verify


Log Forwarder Configuration in IBM Security Identity Governance and Intelligence Virtual Appliance (IGI-VA)

By Sachin Patil posted Thu January 24, 2019 12:00 AM

Introduction

Starting with IGI V5.2.4, the virtual appliance (VA) provides a feature to forward all VA logs to a centralized log management server. Internally, the VA uses Filebeat as the agent that ships the VA logs. A user can configure Filebeat from the VA panel by navigating to Manage -> Maintenance -> Log forwarder configuration.

The logs forwarded from the VA can be consumed by an external Logstash server or by an ELK stack (Elasticsearch, Logstash, Kibana dashboards). A user can configure the ELK stack to filter the VA logs, build dashboards, and so on.

Configuring Log Forwarder in VA

The log forwarder can be configured against a Logstash server that runs with or without SSL. The following fields are required:

The Host name and Port fields are mandatory (the Logstash server host and port). The Tags field is optional, but it is useful when filtering the VA logs on the Logstash server or for any other log analysis purposes. If the Logstash server runs with SSL, provide the Logstash SSL port and select the SSL check box. Refer to the VA documentation to configure the log forwarder.

Sample Logstash Server Configuration

The following simple steps configure the Logstash server.

  1. Download the Logstash install bundle. For example, logstash-5.4.2.tar.gz.
  2. Extract it on any Linux server.
  3. Create a configuration file. For example, non_ssl.config or ssl.config.
  4. Run the Logstash server.

For example:

$Logstash_install_path/bin/logstash -f non_ssl.config &

A sample non_ssl.config that outputs logs to a text file is as follows:


A sample ssl.config that outputs logs to a text file is as follows:

Java Required for Logstash

Use OpenJDK or Oracle Java to run the Logstash server. The Logstash server must run with a non-IBM Java, version 1.8 or higher.

Sample SSL Certificate Creation

To configure the Logstash server with SSL, openssl can be used to generate the certificates.

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout server.key -out server.crt

Note: If the server hostname is used in ssl.config (that is, in the certificate) but the IP address is entered when configuring the log forwarder in the VA, the logs may not be forwarded, because the name the VA connects to does not match the certificate. For this to work, specify the subject alternative name while creating the certificates, as follows:
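The command that completed this note is not present on the page. As an added example (not the post's own commands), the script below generates a self-signed Logstash certificate whose subject alternative names carry both the host name and the IP address, so the VA forwarder validates it whichever was entered in the panel, and writes a matching ssl.config for the Logstash beats input (standing in for the sample ssl.config that is also missing above). The host name logstash.example.com, the IP 192.0.2.10, port 5044, the tag igi-va and all file paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Generates a self-signed Logstash
# server certificate with DNS and IP subject alternative names, plus an
# ssl.config for the beats input. Host, IP and output dir are parameters;
# port 5044 and the tag igi-va are assumed values.
set -eu

# make_logstash_tls OUTDIR HOSTNAME IP
# Writes OUTDIR/server.key, OUTDIR/server.crt and OUTDIR/ssl.config.
make_logstash_tls() {
  outdir=$1; host=$2; ip=$3
  mkdir -p "$outdir"
  # A req config with a SAN section works on every OpenSSL release
  # (the -addext shortcut needs 1.1.1 or newer).
  cat > "$outdir/san.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $host
[v3_req]
subjectAltName = DNS:$host,IP:$ip
EOF
  # -nodes writes an unencrypted PKCS#8 key, the format the beats input expects.
  openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -keyout "$outdir/server.key" -out "$outdir/server.crt" \
    -config "$outdir/san.cnf" -extensions v3_req 2>/dev/null
  # Pipeline: TLS beats input, keep only events tagged by the VA, daily file.
  cat > "$outdir/ssl.config" <<EOF
input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate => "$outdir/server.crt"
    ssl_key => "$outdir/server.key"
  }
}
filter {
  if "igi-va" not in [tags] { drop { } }
}
output {
  file { path => "$outdir/igi-va-%{+YYYY-MM-dd}.log" }
}
EOF
}

# cert_has_san CRT TEXT: succeeds when the certificate's text dump contains TEXT
cert_has_san() {
  openssl x509 -in "$1" -noout -text | grep -q -- "$2"
}
```

Run it as `make_logstash_tls /etc/logstash/igi logstash.example.com 192.0.2.10`, then start Logstash with `-f /etc/logstash/igi/ssl.config` and enter either the host name or the IP in the VA panel.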



Comments

Fri April 09, 2021 03:58 AM

Hi

Does anyone have example pipelines and suggested best practices to be used as an example? I do not see the use of having SNMP log type messages sent to ELK - I would rather just drop them in the pipeline, as I cannot modify the filebeats.yml file.

Another example is the message type differences between the SystemOut (Liberty) and message (XML) formats?

Do we need trace file details on by default?