Monitoring Log Management and Alerting

Services Description

February 2009

Source: depot.ubiqube.com/.../Service_Monitoring_log_management_alerting.…


Contents

Monitoring Log Management and Alerting

1. Centralized Management

   1.1. Centralized management

   1.2. Multi-Tenant Architecture

2. SLA Management

   2.1. Health and performance monitoring

   2.2. Graphical Real Time Monitoring Console: Mapview

   2.3. Custom KPI monitoring

3. Log Management and alerting

   3.1. Log Management

   3.2. Email Alerting

   3.3. Detailed Reports


1. Centralized Management

1.1. Centralized management

The UBIqube MSActivator(TM) is a powerful but easy-to-use solution for the provisioning, management and monitoring of security services, allowing quick and cost-effective delivery on multi-vendor CPE devices (routers, firewalls, UTMs) deployed in multi-site networks.

The MSActivator profile-based rule definition allows administrators to manage IPsec VPN, firewall, IPS and content-filtering policies on groups of devices (please refer to the portfolio for more details on the managed services).


The MSActivator unified WEB portal centralizes the provisioning, management and monitoring of the devices and services. All the events sent by the managed or monitored devices (syslog messages or SNMP traps) are collected, classified and analyzed centrally. SLA management statistics, security dashboards and detailed reports are available online on the WEB portal to facilitate troubleshooting throughout the whole lifecycle of the devices and services.


1.2. Multi-Tenant Architecture

The MSActivator unified WEB portal is built on a multi-tenant architecture which supports:

• VSOC (Virtual SOC) definition and customization

• Multiple access levels with role-based access control and delegation profiles

• Per-customer policy management

• Per-VSOC customization of configuration templates (pattern files and PHP APIs)


2. SLA Management

2.1. Health and performance monitoring

The health and availability of the managed devices are monitored in real time. The key device metrics monitored are:

• Access availability

• Network traffic

• CPU load

• System uptime

• VPN tunnel history

• Network delays: RTT (Round Trip Time) and TTL (Time To Live; strictly a remaining hop count read from the probe reply rather than a delay, but a change in it reveals a change of path)

The MSActivator maintains a one-year history with one-minute granularity for each metric.


Statistics can be compared between devices.

2.2. Graphical Real Time Monitoring Console: Mapview

The status of the devices is also available on the graphical real-time monitoring console called the Mapview.


Detailed information on the asset and its statistics is displayed when you click on a device. In addition to the status of the devices, the Mapview displays the profiles.


The Mapview allows management by graphically attaching devices to, or detaching them from, profiles.

Devices and VPNs can be displayed on a Google Map embedded in the Mapview.


2.3. Custom KPI monitoring

In addition to the security profiles, administrators can create monitoring profiles. A monitoring profile gives the user the ability to define custom SNMP polling and to configure threshold email alerting and graphical rendering for it. This allows the monitoring of any KPI (Key Performance Indicator) exposed as an SNMP OID, such as environmental conditions (temperature, humidity, etc.).


Monitoring profiles can be easily imported and exported as XML. This API streamlines the integration of the UBIqube platform with third-party OSS tools or open-source monitoring tools.

Below is an example of an XML file for monitoring packet loss. The two OIDs are ipInDiscards and ipOutDiscards from the standard IP-MIB; the numeric pollingType, thresholdComparator and thresholdFrequency values are internal enumeration codes that this document does not expand.

<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<MonitoringProfile>
  <comment />
  <name>Packet Loss</name>
  <graphRendererList>
    <dataList>
      <colorAsHexa>008080</colorAsHexa>
      <data>
        <comment>number of input IP datagrams lost</comment>
        <defaultPolling>false</defaultPolling>
        <fileName>ipInDiscards</fileName>
        <id>0</id>
        <maxValue>-1</maxValue>
        <minValue>0</minValue>
        <name>ipInDiscards</name>
        <oid>1.3.6.1.2.1.4.8.0</oid>
        <pollingType>67</pollingType>
        <profileId>108</profileId>
        <threshold>10</threshold>
        <thresholdComparator>71</thresholdComparator>
        <thresholdFrequency>78</thresholdFrequency>
      </data>
      <horizontalLabel>Input</horizontalLabel>
      <rendererId>0</rendererId>
      <snmpPollingId>0</snmpPollingId>
    </dataList>
    <dataList>
      <colorAsHexa>ff6600</colorAsHexa>
      <data>
        <comment>number of output IP datagrams lost</comment>
        <defaultPolling>false</defaultPolling>
        <fileName>ipOutDiscards</fileName>
        <id>1</id>
        <maxValue>-1</maxValue>
        <minValue>0</minValue>
        <name>ipOutDiscards</name>
        <oid>1.3.6.1.2.1.4.11.0</oid>
        <pollingType>67</pollingType>
        <profileId>108</profileId>
        <threshold>10</threshold>
        <thresholdComparator>71</thresholdComparator>
        <thresholdFrequency>78</thresholdFrequency>
      </data>
      <horizontalLabel>Output</horizontalLabel>
      <rendererId>0</rendererId>
      <snmpPollingId>1</snmpPollingId>
    </dataList>
    <id>0</id>
    <name>Packet Loss</name>
    <profileId>108</profileId>
    <vertivalLabel>packet loss number</vertivalLabel>
  </graphRendererList>
  <snmpPollingList>
    <comment>number of input IP datagrams lost</comment>
    <defaultPolling>false</defaultPolling>
    <fileName>ipInDiscards</fileName>
    <id>0</id>
    <maxValue>-1</maxValue>
    <minValue>0</minValue>
    <name>ipInDiscards</name>
    <oid>1.3.6.1.2.1.4.8.0</oid>
    <pollingType>67</pollingType>
    <profileId>108</profileId>
    <threshold>10</threshold>
    <thresholdComparator>71</thresholdComparator>
    <thresholdFrequency>68</thresholdFrequency>
  </snmpPollingList>
  <snmpPollingList>
    <comment>number of output IP datagrams lost</comment>
    <defaultPolling>false</defaultPolling>
    <fileName>ipOutDiscards</fileName>
    <id>1</id>
    <maxValue>-1</maxValue>
    <minValue>0</minValue>
    <name>ipOutDiscards</name>
    <oid>1.3.6.1.2.1.4.11.0</oid>
    <pollingType>67</pollingType>
    <profileId>108</profileId>
    <threshold>10</threshold>
    <thresholdComparator>71</thresholdComparator>
    <thresholdFrequency>68</thresholdFrequency>
  </snmpPollingList>
</MonitoringProfile>
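The custom KPI monitoring described in 2.3 and the profile export above, worked through as an added Python example. This is not UBIqube code and not the MSActivator import routine: it parses a MonitoringProfile document, validates the OIDs, refuses any document carrying a DOCTYPE (a profile imported through a multi-tenant portal is untrusted input, and a DTD is what carries XML entity-expansion payloads against the importer), and applies the configured threshold to successive readings. Two points are assumptions because the page does not document them: thresholdComparator code 71 is treated as "greater than", and, since ipInDiscards and ipOutDiscards are Counter32 objects, the comparison is made on the increment between two polls (with the 32-bit wrap handled) rather than on the raw counter value. The sample profile is a trimmed copy of the one above and the readings are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the snmpPollingList part of the "Packet Loss" profile
# shown above, trimmed to the fields the poller needs.
SAMPLE_PROFILE = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<MonitoringProfile>
  <name>Packet Loss</name>
  <snmpPollingList>
    <name>ipInDiscards</name>
    <oid>1.3.6.1.2.1.4.8.0</oid>
    <threshold>10</threshold>
    <thresholdComparator>71</thresholdComparator>
  </snmpPollingList>
  <snmpPollingList>
    <name>ipOutDiscards</name>
    <oid>1.3.6.1.2.1.4.11.0</oid>
    <threshold>10</threshold>
    <thresholdComparator>71</thresholdComparator>
  </snmpPollingList>
</MonitoringProfile>
"""

OID_RE = re.compile(r"^[0-2](\.\d+)+$")   # dotted numeric OID, e.g. 1.3.6.1.2.1.4.8.0
COUNTER32_MOD = 2 ** 32

# ASSUMPTION: the page does not expand the numeric comparator codes; 71 is
# treated here as "greater than" purely so the threshold logic is concrete.
COMPARATORS = {71: lambda value, limit: value > limit}


def parse_profile(xml_text):
    """Parse a MonitoringProfile export into a list of polling definitions.

    Profiles are imported through the portal, possibly by a tenant, so they
    are untrusted input: any DOCTYPE is refused outright, because a profile
    never needs one and a DTD is what carries entity-expansion (XXE,
    "billion laughs") payloads against the importer.
    """
    if re.search(r"<!DOCTYPE", xml_text, re.IGNORECASE):
        raise ValueError("DOCTYPE declarations are not allowed in profiles")
    root = ET.fromstring(xml_text)
    if root.tag != "MonitoringProfile":
        raise ValueError("unexpected root element %r" % root.tag)
    pollings = []
    for node in root.findall("snmpPollingList"):
        oid = node.findtext("oid", "").strip()
        if not OID_RE.match(oid):
            raise ValueError("malformed OID %r" % oid)
        pollings.append({
            "name": node.findtext("name", "").strip(),
            "oid": oid,
            "threshold": int(node.findtext("threshold", "0")),
            "comparator": int(node.findtext("thresholdComparator", "0")),
            "min": int(node.findtext("minValue", "0")),
            "max": int(node.findtext("maxValue", "-1")),   # -1: unbounded
        })
    return pollings


def profile_is_importable(xml_text):
    """True if parse_profile accepts the document, False on any rejection."""
    try:
        parse_profile(xml_text)
    except (ValueError, ET.ParseError):
        return False
    return True


def counter_deltas(samples):
    """Successive Counter32 readings -> per-interval increments, with the
    32-bit wrap corrected so a rollover is not reported as a burst of loss."""
    deltas = []
    for previous, current in zip(samples, samples[1:]):
        delta = current - previous
        if delta < 0:
            delta += COUNTER32_MOD
        deltas.append(delta)
    return deltas


def check_thresholds(polling, samples):
    """(poll index, increment) for every interval that breaches the threshold.
    ipInDiscards / ipOutDiscards are Counter32 objects, so the comparison is
    made on the increment between two polls, not on the raw growing counter
    (an ASSUMPTION about the product's semantics, which the page leaves open)."""
    compare = COMPARATORS.get(polling["comparator"])
    if compare is None:
        raise ValueError("unsupported comparator code %d" % polling["comparator"])
    return [(index, increment)
            for index, increment in enumerate(counter_deltas(samples), start=1)
            if compare(increment, polling["threshold"])]


if __name__ == "__main__":
    # Constructed readings: quiet, a burst of 25 discards, quiet again.
    readings = [100, 105, 130, 132]
    for polling in parse_profile(SAMPLE_PROFILE):
        print(polling["name"], polling["oid"], check_thresholds(polling, readings))
```

Whichever semantics the product actually uses, the two things worth checking in any importer of this format are the ones above: that the XML parser cannot be driven into entity expansion or external fetches by a profile a tenant uploads, and that a counter rollover is not turned into a false "packet loss" alarm.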


3. Log Management and alerting

3.1. Log Management

The MSActivator centralizes all the events (syslog or SNMP) sent by the managed or monitored devices. Events are available online via the WEB portal for 30 days. They are then archived securely using a tamper-proof solution compliant with Sarbanes-Oxley (SOX), PCI or HIPAA recommendations.

The security dashboards available on the WEB portal provide an event reporting overview with search capabilities. This multiple-entry table includes, for each event category (IPS, Firewall, Anti Virus, URL Filtering, Anti Spam, Alerts and logs):

• Site top 5 of the month/week: the five most attacked sites, with the number of events and the associated percentage

• Alert top 5 of the month/week: the five most frequently received alerts, with the number of occurrences and the associated percentage

• Historical performance charts (day, week, month, year)


The log analysis engine computes the security dashboard and provides, for each managed site, human-readable monthly and weekly summary reports. Logs are displayed with different colours and icons depending on their severity level.


The summary reports aggregate the events every minute on a per-day basis. Reports can be filtered by category or severity, and events can be searched by pattern.

Detailed views are available on a per-event basis. This page displays all the events in raw format.
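The dashboard and archival steps of 3.1, worked through as an added Python example (not UBIqube code, and not a description of how the MSActivator archive is built): it classifies constructed syslog lines into the dashboard categories, computes the "site top 5" and "alert top 5" tables with their percentages, and seals each day's raw lines into a hash-chained archive that a verifier can check. The line format, the device names and the addresses are all constructed. The page says the archive is "tamper-proof" without saying how; a hash chain of this kind is one standard way to make an archive tamper-evident, and it only holds if the latest digest is kept somewhere the archive writer cannot alter (WORM media, a separate system, or a signed timestamp).

```python
import hashlib
import re
from collections import Counter

# Constructed sample syslog lines (not output of any real CPE). The tag after
# the hostname names the category the portal files the event under.
SAMPLE_EVENTS = [
    "Feb 10 10:01:02 cpe-paris fw: DROP src=203.0.113.7 dst=192.0.2.10 dpt=445",
    "Feb 10 10:01:05 cpe-paris ips: SIG-1042 src=203.0.113.7 dst=192.0.2.10",
    "Feb 10 10:02:11 cpe-lyon av: EICAR-Test-File user=alice action=quarantine",
    "Feb 10 10:03:40 cpe-paris fw: DROP src=203.0.113.7 dst=192.0.2.10 dpt=3389",
    "Feb 10 10:04:01 cpe-lyon url: BLOCK category=malware host=bad.example",
    "Feb 10 10:05:59 cpe-nice ips: SIG-1042 src=198.51.100.9 dst=192.0.2.44",
    "Feb 10 10:06:00 cpe-paris spam: REJECT from=spam@example.net",
]

EVENT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<site>\S+) "
    r"(?P<tag>fw|ips|av|url|spam): (?P<alert>\S+)"
)
CATEGORY = {"fw": "Firewall", "ips": "IPS", "av": "Anti Virus",
            "url": "URL Filtering", "spam": "Anti Spam"}
GENESIS = "0" * 64   # previous-digest value for the first archive block


def parse_event(line):
    """Classify one raw line; None for a line of unknown shape (it would still
    be archived raw, it just contributes to no dashboard category)."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    return {"ts": m["ts"], "site": m["site"], "category": CATEGORY[m["tag"]],
            "alert": m["alert"], "raw": line}


def top5(events, field, category=None):
    """'Site top 5' (field='site') or 'Alert top 5' (field='alert'), optionally
    restricted to one dashboard category. Returns (value, count, percentage)
    where the percentage is relative to the events considered."""
    pool = [e for e in events if category is None or e["category"] == category]
    counts = Counter(e[field] for e in pool)
    total = sum(counts.values()) or 1
    return [(value, n, round(100.0 * n / total, 1))
            for value, n in counts.most_common(5)]


def seal_day(events, previous_digest):
    """One archive block: the raw lines of the day plus a SHA-256 over the
    previous block's digest and the lines, so every block commits to the
    whole history before it."""
    body = "\n".join(e["raw"] for e in events)
    digest = hashlib.sha256(
        previous_digest.encode() + b"\n" + body.encode()).hexdigest()
    return {"previous": previous_digest, "lines": body, "digest": digest}


def verify_chain(blocks):
    """True if every block's digest is correct and links to its predecessor.
    Editing or dropping any archived line changes the digest of that block
    and, through the 'previous' field, of every later block."""
    expected_previous = GENESIS
    for block in blocks:
        recomputed = hashlib.sha256(
            block["previous"].encode() + b"\n" + block["lines"].encode()).hexdigest()
        if block["previous"] != expected_previous or recomputed != block["digest"]:
            return False
        expected_previous = block["digest"]
    return True


if __name__ == "__main__":
    events = [e for e in map(parse_event, SAMPLE_EVENTS) if e]
    print("site top 5:", top5(events, "site"))
    print("IPS alert top 5:", top5(events, "alert", "IPS"))
    day1 = seal_day(events[:3], GENESIS)
    day2 = seal_day(events[3:], day1["digest"])
    print("archive intact:", verify_chain([day1, day2]))
```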

3.2. Email Alerting

Email alarms can be sent:

• To inform of a link or device outage

• To alert on the reception of a security event flagged as an alarm

• To alert when a threshold is triggered

Email alerts are sent, on a per-site basis, to the site contact email and to the subscriber contact email, with a copy to the SOC support email address. Each field can contain multiple email addresses, separated by semicolons.

The mail alert service is configurable at the site level, on the second page of the site creation or modification process.

Proactive continuous (24x7) monitoring and alerting

The health and availability of the managed devices are monitored by the VSOC real-time monitoring console (RTMC).

A reachable device appears in green on the VSOC console. If connectivity is lost, the device turns orange for 5 minutes. If it is still unreachable after those 5 minutes, it turns red and an email alert is sent automatically.


This link or device outage, as detected by the SOC, is called the Host Down event. A Host Up event is generated when the device's connectivity is restored, and an informational email is sent.

Early Warning of threat identification and detection

Email alerts can also be sent upon identification and detection of predefined events. The VSOC console displays human-readable summary event reports. Actions can be specified on a per-event, per-site basis: either discard the event because it is a false positive, or generate an email alert.

Alarms are summarized by date, and the WEB interface provides alarm filtering by category (Firewall, IPS, Anti Virus, Anti Spam, URL Filtering, log), severity or reference.


As soon as an event with the email alerting flag set is received by the SOC Event Tracker, a mail is sent. To avoid mail flooding, at most one email alert per day is sent for each alert; further occurrences of the same alert that day remain visible in the console but do not generate another mail.

Threshold Alerting


A monitoring profile gives the user the ability to define custom SNMP polling and to associate it with alerting thresholds and graphical rendering.

A threshold definition is used to trigger mail alerting to the user. The alert frequency can be configured per threshold, from once only to once per day, once per hour, or even once per minute.
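The alerting rules of 3.2, worked through as an added Python example (not UBIqube code, and not the SOC Event Tracker's implementation): a per-device reachability state machine that reproduces the green / orange / red behaviour with the 5-minute grace period, the Host Down and Host Up events, and a per-alert throttle that implements both the one-email-per-day-per-alert rule for flagged security events and the per-threshold frequency (once, per day, per hour, per minute). The probe timeline and the flagged event are constructed; the class and function names are this example's own.

```python
from datetime import datetime, timedelta

# Page: a device that stops answering is shown orange for 5 minutes, then
# red with an email alert (Host Down); recovery raises Host Up.
GRACE_PERIOD = timedelta(minutes=5)


def parse_stamp(text):
    """'YYYY-MM-DD HH:MM' -> datetime, for the constructed timelines below."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


class HostMonitor:
    """Reachability state machine for one managed device.

    green  : last probe answered
    orange : unreachable for less than GRACE_PERIOD; nothing is mailed, so a
             single lost probe or a short blip does not page anyone
    red    : unreachable for GRACE_PERIOD or longer -> Host Down event + mail
    Recovery from red raises Host Up (informational mail); recovery from
    orange goes back to green silently.
    """

    def __init__(self):
        self.colour = "green"
        self.down_since = None

    def observe(self, reachable, now):
        """Feed one probe result; return the events it produced."""
        if reachable:
            events = [("host_up", "informational")] if self.colour == "red" else []
            self.colour, self.down_since = "green", None
            return events
        if self.down_since is None:                       # first failed probe
            self.colour, self.down_since = "orange", now
        elif self.colour == "orange" and now - self.down_since >= GRACE_PERIOD:
            self.colour = "red"
            return [("host_down", "alert")]
        return []                                         # still orange, or already red


class AlertThrottle:
    """Per-key mail suppression. window=None means 'once' (never repeated);
    otherwise at most one mail per key per window: timedelta(days=1) for the
    page's one-email-per-day-per-alert rule, timedelta(minutes=1) for a
    per-minute threshold alert, and so on."""

    def __init__(self, window):
        self.window = window
        self.last_sent = {}

    def should_send(self, key, now):
        last = self.last_sent.get(key)
        if last is not None and (self.window is None or now - last < self.window):
            return False
        self.last_sent[key] = now
        return True


def simulate():
    """Replay constructed timelines (not data from the page) and return the
    mails that would be sent as (time, kind, subject) tuples."""
    mails = []

    # 1. One site, one-minute reachability probes.
    monitor = HostMonitor()
    probes = [
        ("2009-02-10 10:00", True),   # green
        ("2009-02-10 10:01", False),  # orange, grace period starts
        ("2009-02-10 10:03", False),  # still orange, nothing sent
        ("2009-02-10 10:06", False),  # 5 min elapsed: red, Host Down mail
        ("2009-02-10 10:07", False),  # still red, no duplicate mail
        ("2009-02-10 10:09", True),   # Host Up, informational mail
        ("2009-02-10 10:10", False),  # short blip: orange again
        ("2009-02-10 10:12", True),   # recovered within grace: silent
    ]
    for stamp, up in probes:
        for kind, _severity in monitor.observe(up, parse_stamp(stamp)):
            mails.append((stamp, kind, "site-A"))

    # 2. A security event flagged for email, throttled to one mail per day.
    throttle = AlertThrottle(timedelta(days=1))
    flagged = [
        ("2009-02-10 10:00", "IPS: constructed-signature"),
        ("2009-02-10 10:30", "IPS: constructed-signature"),  # same day: suppressed
        ("2009-02-11 10:30", "IPS: constructed-signature"),  # next day: sent again
    ]
    for stamp, alert in flagged:
        if throttle.should_send(("site-A", alert), parse_stamp(stamp)):
            mails.append((stamp, "security_alert", alert))
    return mails


if __name__ == "__main__":
    for mail in simulate():
        print(*mail)
```

The throttle key is (site, alert), matching the page's "per site, per alert" wording; keying on the alert alone would let one noisy site silence the same alert for every other site in the VSOC.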

3.3. Detailed Reports

The MSActivator console provides detailed reports, in PDF format, for the security events (Firewall, IDS/IPS, Anti Virus, Anti Spam, URL filtering, proxy) that occurred on a device. This detailed reporting service is optional and can be activated on a per-device basis.


These PDF reports are generated on a daily and monthly basis. The original document illustrates the monthly PDF report generated for a UTM device with screenshots, which are not reproduced here.
