Skip to content

HOWTO supervise customer equipments

Why do that

In a cybersecurity context you have to raise alerts when some equipments of your customer become silent, in order to have a strong supervision. The goal of this HOWTO is to show the mecanism to track efficiently the customer equipments.

There are two goals :

  1. To have a kibana dashboard with all equipments in real time
  2. To raise alerts when a device doesn\'t send logs during a specific period of time.

Prerequisites

This HOWTO concerns only Log Management platforms (LMC) because it uses the result of Parsing.

You need : - a processing cluster (apache storm) - a queuing cluster (apache kafka) - an indexing cluster (elasticsearch) - an alerting motor (elastalert)

What to do

Understand the supervision chain

To reduce the equipment supervision impact on the platform performance, we have implement severals mecanisms :

image

Configure the processing to keep only the last seen equipment

This type of processing runs in apache Storm. We use a statefull punchlet to convert many events per host by only one equipment message with the last timestamp seen.

The punchlet update in memory a map containing all equipments. At each period configured in "punchlet_tick_frequency", the map is sent to the next component (elasticsearch or kafka).

Take a look first on your PunchPlatform configuration to keep a more recently version of the Punch - resources/punch/standard/common/). Here is an example of the punchlet : equipments_supervision.punch

HOW TO use it ?

  • Simply add the punchlet to your processing topology
  • Configure the next component to send theses messages in the right elasticsearch

Warning

the format of theses messages are different from the events. You have to custom your configuration. Take a look on the last section of the documentation.

Configure your Kibana to construct the equipment supervision dashboard

Add a new index pattern

The default value is equipments--supervision

Construct your dashboard

A good point may be to display:

  • the count of equipments
  • the repartition of equipments by channel/technology
  • the repartition of equipents by time
  • the list of equipments (search)
  • the repartition of alerts if configured
  • the content of alerts if configured

For instance :

image

Configure the Alerting

The PunchPlatform provides the specific Elastalert type of rule called SupervisionEquipmentsRule.

You have to filled the following parameters:

  • field: the field of the equipment, for instance "host"
  • timestamp_to_track: the timestamp to check the health of the host, for instance "obs.ts"
  • buffer_time_monitoring: the period of time to check the health. If timestamp_to_track is not in the last buffer_time_monitoring, an alert is raised. For instance: minutes: 5

Example of elastalert configuration here : equipments_supervision.yml

Schedule alerting in Shiva

The PunchPlatform provides a resilient backend to run scripts called Shiva.

With shiva, you have :

  • Resilience
  • Monitoring (PunchPlatform Admin)
  • Configuration management (git)

Example of configuration is coming soon. Please wait by reading the Shiva chapter.

Additional explanations

Equipment message structure

Bug

TODO