zVirt 3.0–3.1: source configuration · MaxPatrol SIEM

Setting up sourcesVirtualization systems. Event collection

zVirt 3.0–3.1: source configuration

You must configure a source under the root account.

If the corporate IT infrastructure uses a firewall or other means of network traffic control, you must configure rules allowing traffic between the source host and the MP 10 Collector host on port UDP 514 or TCP 1468 (depending on the protocol used) in the direction of the MP 10 Collector host.

The source can record syslog events. If a source uses the rsyslog service, to send events to an MP 10 Collector, you must create a file with the service options and set up the service configuration file.

To create a file with the service options:Create the file /etc/rsyslog.d/11-zvirt.conf with access permissions 644.Add the following lines to the file:

 module(load="imfile" PollingInterval="10")
input(
    type="imfile"
    File="/var/log/ovirt-engine/engine.log"
    Tag="zvirt syslog"
    Severity="info"
    Facility="local7"
    startmsg.regex="[0-9]{4}-[0-9]{2}-[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2},[0-9]{3}"
)

Add the following rule lines to send events to the MP 10 Collector host:

To send events to port UDP 514:

local7.info @<MP 10 Collector IP address>:514

To send events to port TCP 1468:

local7.info @@<MP 10 Collector IP address>:1468

Save your changes, and close the file.The file with the service options is created.To set up the service configuration file:Open the /etc/rsyslog.conf configuration file.Add the following line to the beginning of the file:

$MaxMessageSize 64k

Uncomment or add the following line:

$IncludeConfig /etc/rsyslog.d/11-zvirt.conf

Or:

$IncludeConfig /etc/rsyslog.d/*.conf

Or:

include(file="/etc/rsyslog.d/*.conf" mode="optional")

If you have configured sending of events to a TCP port, add the following lines to configure an event sending queue:

 $ActionQueueType LinkedList
$ActionQueueFileName syslog_queue
$ActionResumeRetryCount -1
$ActionQueueSaveOnShutdown on
$ActionQueueMaxDiskSpace 1024m
$ActionQueueTimeoutEnqueue 0

If a source uses the systemd-journald service for logging, add the following line to the file:

$imjournalRatelimitInterval 15

If a source does not use the systemd-journald service, add the following lines to the file:

 $SystemLogRateLimitBurst 20000
$SystemLogRateLimitInterval 15

Save your changes, and close the file.If a source uses the systemd-journald service for logging, add the line RateLimitBurst=20000 to the configuration file /etc/systemd/journald.conf.Restart rsyslog.If a source uses the systemd-journald service for logging, restart it.The service configuration file is set up.

	module(load="imfile" PollingInterval="10")
	input(
	type="imfile"
	File="/var/log/ovirt-engine/engine.log"
	Tag="zvirt syslog"
	Severity="info"
	Facility="local7"
	startmsg.regex="[0-9]{4}-[0-9]{2}-[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2},[0-9]{3}"
	)

	$ActionQueueType LinkedList
	$ActionQueueFileName syslog_queue
	$ActionResumeRetryCount -1
	$ActionQueueSaveOnShutdown on
	$ActionQueueMaxDiskSpace 1024m
	$ActionQueueTimeoutEnqueue 0

	$SystemLogRateLimitBurst 20000
	$SystemLogRateLimitInterval 15