Critical System Protection


How to monitor ESXi Host with CSP Agent Collector Node 

Aug 19, 2013 07:00 AM

Content:

  • Overview
  • Installation & Configuration
  • Troubleshooting

 

Overview

 

In an ESX environment, you can install a native Symantec Critical System Protection agent and apply policies to monitor and protect the local host. However, ESXi does not allow agent installation or local enforcement. Instead, a Symantec Critical System Protection observer system is used to monitor the ESXi host remotely by using VMware-supported APIs and command line tools such as vCLI. This observer system is referred to as the Symantec Critical System Protection Collector host and is similar to the VMware Management Assistant (VMA). VMA is a virtual machine that manages agents that interact with ESXi hosts. VMA is not used because it no longer supports the capture of forwarded ESXi Syslog events and the choice of deployment scenarios is limited.

 

Symantec recommends that the Symantec Critical System Protection Collector system be a single-purpose system dedicated to monitoring a set of ESXi servers. The Symantec Critical System Protection Collector system contains account and password information for the monitored ESXi servers, copies of ESXi server configuration files and logs, and VM guest configuration files. Therefore, you should limit login access to the Symantec Critical System Protection Collector system in the same way you limit login access to the ESXi servers or vCenter Servers. The ESXi credential store and other ESXi files are protected by operating system ACLs: only the root user has access to them. Symantec recommends that you use Symantec Critical System Protection Prevention and Detection policies for additional protection of the Collector host system, as you would with any other important server in the organization.

 

Symantec Critical System Protection Collector systems can be either SLES 10 (32-bit and 64-bit), SLES 11 (32-bit and 64-bit), or Red Hat 5.5 (32-bit and 64-bit). The Symantec Critical System Protection Collector system does not require many system resources, so configuring it as a virtual machine makes the most sense from a manageability standpoint.

 

The Symantec Critical System Protection Collector system includes the following components:

■ Base Linux Platform (SLES, RHEL)

■ VMware vCLI

■ Symantec Critical System Protection agent

■ Remote File Synchronization (RFS)

 

Installation & Configuration

 

Note: All the steps below must be performed while logged in as the root user.

 

ESXi Host Configuration

 

ESXi Host Configuration from vSphere:

  • ESXi Shell set to Start and stop with host:
    • Configuration tab > Software > Security Profile > Services > Properties > ESXi Shell > Options…
  • ESXi clock synchronized:
    • Configuration tab > Software > Time Configuration > Properties
  • Enable syslog forwarding (outgoing UDP port 514):
    • Configuration tab > Software > Security Profile > Firewall > Properties

ESXi Host Configuration:

  • ESXi Host set with static IP:
    • Login locally > Configure Management Network > IP Configuration

 

Installation of the Collector Node Linux Based Platform

 

Preparing the Linux Based Platform

 

Set up a virtual machine for RHEL 5.5 or SLES 10/11.

  • Disable the firewall
  • Disable SELinux (RHEL) / AppArmor (SLES)
  • Install VMware Tools

 

Note: CentOS 5.5 is an alternative to RHEL. The configuration is the same as for RHEL.

 

Installing vCLI on Linux Systems with Internet Access

 

Before you can install the vCLI package on a Linux system with Internet access, that system must meet the following prerequisites.

Internet access. You must have Internet access when you run the installer because the installer uses CPAN to install prerequisite Perl modules.

Development Tools and Libraries. You must install the Development Tools and Libraries for the Linux platform that you are working with before you install vCLI and prerequisite Perl modules.

Proxy settings. If your system is using a proxy for Internet access, you must set the http:// and ftp:// proxies, as follows:

export http_proxy=<proxy_server>:port

export ftp_proxy=<proxy_server>:port

 

Installing Required Prerequisite Software for Linux Systems with Internet Access

 

If required prerequisite software is not installed, the installer stops and requests that you install it. Installation of prerequisite software depends on the platform that you are using.

 

Installing Required Prerequisite Software

 

RHEL 5.5, 32-bit and 64-bit

Install prerequisites using yum, the RHEL package installer (recommended), or from the installation DVD. For example:

yum install openssl-devel libxml2-devel e2fsprogs-devel

 

SLES 10, 32-bit and 64-bit

Install the prerequisite packages from the SLES 10 SDK DVD. When you insert the DVD, it offers to auto run. Cancel the auto run dialog box and use the yast package installer to install OpenSSL or other missing required packages.

 SLES 10, 64-bit: yast -i openssl-devel libxml2-devel-32bit e2fsprogs-devel-32bit

 SLES 10, 32-bit: yast -i openssl-devel libxml2-devel e2fsprogs-devel

Some users might be authorized to use the Novell Customer Center and use yast to retrieve missing packages from there.

Note that SLES 10 includes libxml2 version 2.6.23. The vCLI client requires 2.6.26 or higher, so upgrade libxml2 to 2.6.26 or higher.

 

SLES 11 and SLES 11 SP1, 32-bit and 64-bit

Install the prerequisite packages from the SLES 10 and SLES 11 SDK DVD. When you insert the DVD, it offers to auto run. Cancel the auto run dialog box and use the yast package installer to install OpenSSL or other missing required packages.

 SLES 11, 64-bit: yast -i openssl-devel libuuid-devel libuuid-devel-32bit

 SLES 11, 32-bit: yast -i openssl-devel libuuid-devel

Some users might be authorized to use the Novell Customer Center and use yast to retrieve missing packages from there.

 

 

Installing the vCLI Package on a Linux System with Internet Access

 

Download vCLI 5.1 from the VMware website (see References).

 

Install the vCLI package and run a command to verify installation was successful.

 

To install vCLI

 

  1. Untar the vCLI binary that you downloaded.
tar -zxvf VMware-vSphere-CLI-5.X.X-XXXXX.i386.tar.gz

A vmware-vsphere-vcli-distrib directory is created.

  2. If your server uses a proxy to access the Internet, and if your http:// and ftp:// proxies were not set when you installed the prerequisite software, set them now.
export http_proxy=<proxy_server>:port

export ftp_proxy=<proxy_server>:port

If your server does not use a proxy to access the Internet, set the http:// and ftp:// proxy variables to empty values, as follows:

export http_proxy=

export ftp_proxy=

  3. Run the installer from the vmware-vsphere-vcli-distrib directory itself.
./vmware-install.pl

  4. To accept the license terms, type yes and press Enter.

  5. On RHEL, when prompted to install precompiled Perl modules, type no and press Enter to use CPAN.

The installer connects to CPAN and installs prerequisite software. Establishing a connection might take a long time.

  6. Specify an installation directory, or press Enter to accept the default, which is /usr/bin.

A complete installation process has the following result:

■ A success message appears.

■ The installer lists different version numbers for required modules (if any).

■ The prompt returns to the shell prompt.

If you accepted the defaults during installation, you can find the installed software in the following locations:

■ vCLI scripts – /usr/bin

■ vSphere SDK for Perl utility applications – /usr/lib/vmware-vcli/apps

■ vSphere SDK for Perl sample scripts – /usr/share/doc/vmware-vcli/samples

See the vSphere SDK for Perl documentation for a reference to all utility applications. After you install vCLI, you can test the installation by running a vCLI command or vSphere SDK for Perl utility application from the command prompt.

 

Installing the Critical System Protection Agent

 

  1. Export the agent binary file and the agent-cert.ssl file (agent certificate) to the Collector Node server:
    • For RHEL 5.5, 32-bit: agent-linux-rhel5.bin
    • For RHEL 5.5, 64-bit: agent64-linux-rhel5.bin
    • For SLES 10, 32-bit: agent-linux-sles10.bin
    • For SLES 10, 64-bit: agent64-linux-sles10.bin
    • For SLES 11, 32-bit: agent-linux-sles11.bin
    • For SLES 11, 64-bit: agent64-linux-sles11.bin
  2. Make the binary file executable.
chmod a+x <agent_binary_file>
  3. Run the binary file to start the agent installation (example for RHEL 5.5, 64-bit).
./agent64-linux-rhel5.bin
  4. Follow the prompts until the installation completes.

 

Note: Make sure to enter the agent name during installation (see Troubleshooting for details).

 

  5. Restart the computer if prevention was enabled.

That completes the installation of the agent.

 

Installing the Remote File Synchronization (RFS) Support Utility Tool

 

About the Symantec Critical System Protection ESXi Support Utility

 

Remote File Synchronization (RFS) is a support utility tool that is installed on the Collector host to help the Symantec Critical System Protection agent monitor multiple ESXi hosts. RFS periodically synchronizes ESXi host configuration files, Virtual Machine Configuration files (VMX files), and selected ESXi log files. The local agent computer with policies applied performs the file integrity and log monitoring activities.

 

The files that are available for monitoring are specifically exposed by the VMware APIs. Not all the files that are visible when you log into the ESXi host are available for monitoring purposes.

 

RFS performs the following functions:

■ Remote access to a designated ESXi host by using a VMware-encrypted credential store.

■ Discovery and transfer of changed ESXi host configuration files.

■ Discovery and transfer of changed ESXi host log files of interest to Symantec Critical System Protection ESXi detection policy.

■ Discovery and detection of VMs that are registered or de-registered from the ESXi host.

■ Discovery and transfer of changed Virtual Machine VMX configuration files for VMs that are registered with the ESXi host.

 

RFS is periodically executed based on a scheduled interval that is configured by the administrator. For example, the interval might be 10 minutes, 30 minutes, 2 hours and so on. After an initial one-time file population, only the files that are changed on the ESXi host are copied to the local Collector host.

 

Note: During the initial one-time file population, you may see a lot of File Create events in the console.

 

The ESXi Syslog log file is handled separately from RFS. Syslog configuration settings at the ESXi host are used to forward its Syslog to the Symantec Critical System Protection Collector node for monitoring purposes.

The Symantec Critical System Protection agent performs file integrity monitoring based on the mirrored files. Monitoring includes checking for changes in last modification date, size, name, and file content. The policy, as configured by the Symantec Critical System Protection console users, determines the event severity, rule name, and other parameters associated with FIM and log monitoring events.
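The paragraph above describes what the agent checks on the mirrored files (modification date, size, name, content). The following shell script is an added illustration of that baseline-and-compare file integrity check, not code from the RFS utility or the agent; it assumes GNU coreutils (sha256sum, stat -c) and uses the per-host mirror directory /fim/scspfim/<esxi-ip> named on this page as the tree to check. A manifest taken after one synchronization, compared with a manifest taken after the next, yields exactly the create/modify/delete events the console would show.

```shell
#!/bin/sh
# Added example (not part of the RFS utility): baseline-and-compare file
# integrity check over a mirrored ESXi file tree such as /fim/scspfim/<esxi-ip>.
# Assumes GNU coreutils (sha256sum, stat -c). Paths containing '|' are not
# supported by the manifest format used here.

# Write a manifest of every regular file under $1, one line per file:
#   <relative path>|<size in bytes>|<mtime epoch seconds>|<sha256 of content>
fim_manifest() {
    root=$1
    ( cd "$root" || exit 1
      find . -type f | LC_ALL=C sort | while IFS= read -r f; do
          size=$(stat -c %s "$f")
          mtime=$(stat -c %Y "$f")
          sum=$(sha256sum "$f" | cut -d' ' -f1)
          printf '%s|%s|%s|%s\n' "$f" "$size" "$mtime" "$sum"
      done )
}

# Compare an old manifest ($1) with a new one ($2). Prints one line per
# difference (CREATED/MODIFIED/DELETED <path>); returns 1 if anything changed,
# 0 if the trees are identical. A change in mtime, size or content all count
# as MODIFIED, matching the checks listed for the agent above.
fim_compare() {
    { sed 's/^/old|/' "$1"; sed 's/^/new|/' "$2"; } | awk -F'|' '
        $1 == "old" { old[$2] = $3 "|" $4 "|" $5; next }
        $1 == "new" {
            if (!($2 in old)) { print "CREATED " $2; changed = 1 }
            else {
                if (old[$2] != $3 "|" $4 "|" $5) { print "MODIFIED " $2; changed = 1 }
                delete old[$2]
            }
        }
        END {
            for (f in old) { print "DELETED " f; changed = 1 }
            exit (changed ? 1 : 0)
        }'
}

# Typical use on the Collector host (paths from this page; the manifest
# location under the Collector Node directory is this example's own choice):
#   fim_manifest /fim/scspfim/192.0.2.10 > /fim/scspfim/CollectorNode_host/baseline.manifest
#   ... after the next RFS synchronization ...
#   fim_manifest /fim/scspfim/192.0.2.10 > /tmp/current.manifest
#   fim_compare /fim/scspfim/CollectorNode_host/baseline.manifest /tmp/current.manifest
```

Keeping the baseline manifest outside the mirrored tree matters: if it lived under the per-host directory, the next synchronization could not distinguish it from a file that appeared on the ESXi host.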

Each ESXi host can be viewed as a virtual agent on the 5.2.9 console. All the events generated for a particular ESXi host will be available to be viewed for that virtual agent.

 

Installing and Setting up the ESXi Support Utility

 

The following Perl modules are prerequisites for the Symantec Critical System Protection ESXi support utility. You must ensure that these modules are present before you use the support utility:

■ Date::Parse

■ File::Copy

■ File::Path

■ File::Basename

■ Sys::Hostname

■ Text::CSV

■ Text::CSV_XS (optional)

 

To download a Perl module

Install cpanm to make installing other modules easier.

◆ Open a terminal window and run the following command:

cpan App::cpanminus

◆ Then run the following command for each module to install:

cpanm <Module>::<Name>

For example, cpanm Date::Parse

 

To install and set up ESXi utility

  1. The ESXi Support utility is installed as part of the Symantec Critical System Protection 5.2.9 agent installation on a Linux operating system. The default directory for the ESXi support utility is:
/opt/Symantec/scspagent/IDS/bin/esxi_fim
  2. When you install the ESXi support utility for the first time, open a terminal window and run the following command, located in the default directory:
rfs_config.sh -setup
  3. Specify a directory where you want to store the ESXi host files that are retrieved by the tool, or press Enter to accept the default, which is /fim/scspfim.
  4. When prompted for the synchronization interval, type a valid interval between 3 and 60 minutes. The setup adds a cron job to the root user's crontab that runs the RFS utility at the specified synchronization interval.

 

Note: If you want a synchronization interval of more than 60 minutes, type 60 when you run the setup, and then manually edit the crontab entry in the /etc/crontab file to change the synchronization interval.
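The note above leaves the "more than 60 minutes" case to a manual crontab edit. The following shell functions are an added example, not the RFS setup script's own code, that derives the /etc/crontab line for a given interval (including whole-hour intervals above 60 minutes) and replaces any existing RFS entry in a crontab file. It assumes the default utility path shown on this page, the system crontab format with a user field, and the -runrfs option documented below; the divisibility rules (the interval must divide 60 minutes or 24 hours evenly, so that */N schedules fire at even gaps) are this example's own choice.

```shell
#!/bin/sh
# Added example, not the RFS setup script's own code: derive the /etc/crontab
# line that runs the RFS synchronization every N minutes, covering the
# "more than 60 minutes" case that -setup cannot express. Assumes the default
# utility path from the page and the system crontab format (with a user field).

RFS_CMD="/opt/Symantec/scspagent/IDS/bin/esxi_fim/rfs_config.sh -runrfs"

# Print one crontab line for an interval of $1 minutes, or return 1.
# Accepted (this example's rule): 3-59 minutes that divide 60 evenly, exactly
# 60, whole hours that divide 24 evenly, or 1440 (once a day). Other values
# would make */N fire at uneven gaps at the hour or day boundary.
rfs_cron_entry() {
    mins=$1
    case $mins in
        ''|*[!0-9]*) echo "interval must be a whole number of minutes" >&2; return 1 ;;
    esac
    if [ "$mins" -ge 3 ] && [ "$mins" -lt 60 ] && [ $((60 % mins)) -eq 0 ]; then
        printf '*/%s * * * * root %s\n' "$mins" "$RFS_CMD"
    elif [ "$mins" -eq 60 ]; then
        printf '0 * * * * root %s\n' "$RFS_CMD"
    elif [ "$mins" -eq 1440 ]; then
        printf '0 0 * * * root %s\n' "$RFS_CMD"
    elif [ "$mins" -gt 60 ] && [ "$mins" -lt 1440 ] && [ $((mins % 60)) -eq 0 ] \
         && [ $((24 % (mins / 60))) -eq 0 ]; then
        printf '0 */%s * * * root %s\n' "$((mins / 60))" "$RFS_CMD"
    else
        echo "unsupported interval: $mins minutes" >&2
        return 1
    fi
}

# Replace any existing RFS line in crontab file $2 (default /etc/crontab) with
# the entry for $1 minutes. Writes through 'cat >' rather than 'mv' so the
# crontab file keeps its owner and mode.
rfs_update_crontab() {
    entry=$(rfs_cron_entry "$1") || return 1
    crontab_file=${2:-/etc/crontab}
    tmpf=$(mktemp) || return 1
    {
        [ -f "$crontab_file" ] && grep -v -F -- "$RFS_CMD" "$crontab_file" || true
        printf '%s\n' "$entry"
    } > "$tmpf"
    cat "$tmpf" > "$crontab_file" && rm -f "$tmpf"
}

# Example: switch the synchronization to every two hours.
#   rfs_update_crontab 120            # edits /etc/crontab as root
```

Run rfs_cron_entry first and read the line it prints before updating the file; cron re-reads /etc/crontab on its own, so no service restart is needed.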

 

You can also run the setup silently by providing the above information in the following way:

rfs_config.sh -setup -fimpath <path for the root directory> -syncinterval <interval in minutes>

 

  5. Use the ESXi support utility to add the ESXi hosts to monitor (it can also modify, delete, and list hosts; see the options below).
rfs_config.sh -addHost -server=<addr> -username=<user> -password=<passwd>

 

After you provide all the values, the setup script configures the following settings on the local system:

■ Updates the conf/esxi_fim_host.conf file by setting the ESXi_HOSTS entry to ESXi host name/IP address.

■ Creates a credential store under conf/esxi_fim_hostcred by using a vCLI command. It also populates the store with an entry for the ESXi host and the user account credentials.

■ Creates the CollectorNode_<hostname> directory under /fim/scspfim/ for the Collector Node.

■ Creates a directory named with the IP address of the monitored ESXi host under /fim/scspfim/.

■ If the Syslog mode is on:

  ■ Adds an entry in the etc/syslog-ng/syslog-ng.conf file to accept the forwarded syslogs from the ESXi host.

  ■ Configures the remote ESXi host to forward its events to the local collector by using a vCLI command.
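The page says the setup script adds a syslog-ng entry to accept the ESXi host's forwarded events but does not show what such an entry looks like. The following shell functions are an added example, not the RFS utility's own code, that generate one: a shared UDP/514 listener plus, per ESXi host, a filter that accepts only packets whose sender address is that host, and a per-host destination file. The syslog-ng source/filter/destination/log syntax is standard; the destination path under /fim/scspfim/<esxi-ip>/syslog and the object names are this example's own choices.

```shell
#!/bin/sh
# Added example, not the RFS utility's own code: emit syslog-ng configuration
# that accepts syslog forwarded over UDP 514 from a specific ESXi host.
# Assumes syslog-ng's standard source/filter/destination/log syntax; the
# destination path /fim/scspfim/<esxi-ip>/syslog/esxi.log is hypothetical.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0-255.
# Runs in a subshell so the IFS change cannot leak into the caller.
is_ipv4() (
    IFS=.
    set -- $1
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
)

# The single listener shared by all monitored hosts. Defining one udp() source
# per host would make syslog-ng try to bind port 514 more than once.
esxi_syslog_source() {
    cat <<'EOF'
# Shared listener for forwarded ESXi syslog (constructed example)
source s_esxi_udp { udp(ip(0.0.0.0) port(514)); };
EOF
}

# Per-host filter, destination and log path for the ESXi host at $1.
# netmask() matches the packet's sender address rather than the HOST field
# of the message, so a forged hostname in the message body does not land
# another host's events in this file.
esxi_syslog_stanza() {
    esxi_ip=$1
    is_ipv4 "$esxi_ip" || { echo "invalid ESXi address: $esxi_ip" >&2; return 1; }
    tag=$(printf '%s' "$esxi_ip" | tr '.' '_')
    cat <<EOF
# ESXi host $esxi_ip (constructed example)
filter f_esxi_$tag { netmask("$esxi_ip/32"); };
destination d_esxi_$tag { file("/fim/scspfim/$esxi_ip/syslog/esxi.log" create_dirs(yes)); };
log { source(s_esxi_udp); filter(f_esxi_$tag); destination(d_esxi_$tag); };
EOF
}

# Typical use: append the shared source once, then one stanza per host, e.g.
#   { esxi_syslog_source; esxi_syslog_stanza 192.0.2.10; } >> /etc/syslog-ng/syslog-ng.conf
```

After editing, reload syslog-ng and confirm with the ESXi-side check in the Troubleshooting section that Syslog.global.logHost points at udp://<collectornode_IP_address>:514. Restricting each destination by sender address is why the page's advice to add hosts by IP address matters: the filter and the virtual agent name then agree on the same identifier.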

 

When you install the ESXi support utility for the first time, you should apply the vSphere ESXi Detection Policy to start monitoring the ESXi Hosts. You can only apply the vSphere ESXi Detection Policy after you have run the setup.

 

  6. Once the policy is applied, run the first synchronization.
./rfs_config.sh -runrfs

 

About RFS OPTIONS parameters (rfs_config.sh)

 

OPTIONS

Description

-help

Print this message.

-version

Prints the RFS Package Version Information.

-setup

Runs interactive setup of the RFS utility (Default mode). Allows you to enter the directory where local copies of ESXi files are stored and the synchronization interval for these files.

 

You can also run the setup via command line using the following options:

■ -fimpath=<fimrootdir>

Set the directory where local copies of ESXi files are stored.

The default directory path is /fim.

■ -syncinterval=<mins>

Set the synchronization interval in minutes. By default, the synchronization interval is 30 minutes.

 

For example:

rfs_config.sh -setup -fimpath=<fimrootdir> -syncinterval=<mins>

 

Note: The path /scspfim is appended to the directory you specify for the local copies of the ESXi files. Therefore, the local files are stored in the directory <fimrootdir>/scspfim. Each ESXi host that is being monitored has its own sub-directory under <fimrootdir>/scspfim. When you uninstall, the /scspfim folder is removed.

-addHost

Adds a new ESXi Host to monitor.

rfs_config.sh -addHost <Mandatory Options> [Optional Options]

 

Following are the supported options:

■ -server=<IP address or host name>

Set the ESXi Server Address. This option is mandatory.

■ -username=<user>

Set the ESXi Username. This option is mandatory.

■ -password=<passwd>

Set the password for the ESXi user. This option is mandatory.

■ -protocol=<protocol>

Set the protocol (https or http) for RFS to use to communicate with the ESXi server. The default protocol is https. This option is optional.

■ -port=<port>

Set the port to use to communicate with the ESXi server. The default port number is 443. Valid port numbers range from 1 to 65535. This option is optional.

■ -syslogon

Enable ESXi Syslog forwarding. This is the default value. This option is optional.

■ -syslogoff

Disable ESXi Syslog forwarding. This option is optional.

 

For example:

  • rfs_config.sh -addHost -server=<addr> -username=<user> -password=<passwd>
  • rfs_config.sh -addHost -server=<addr> -username=<user> -password=<passwd> -protocol=<protocol> -port=<port>
  • rfs_config.sh -addHost -server=<addr> -username=<user> -password=<passwd> -protocol=<protocol> -port=<port> -syslogoff

 

Note: When you add a host, check whether the syslog messages reported by the ESXi host carry its IP address or its host name as the source. Depending on the ESXi host, use either the IP address or the host name accordingly.

Note: The server information used here (<IP address or host name>) is used to name the Virtual Agent that contains the logs.

-modifyHost

Allows you to modify ESXi Host Information. Specify the ESXi Host that should be modified.

rfs_config.sh -modifyHost <Mandatory Options> [Optional Options]

 

Following are the supported options:

■ -server=<addr>

Set the ESXi Server Address. This option is mandatory.

■ -username=<user>

Set the ESXi Username. This option is optional.

■ -password=<passwd>

Set the password for the ESXi user. This option is optional unless you intend to change the username.

■ -protocol=<protocol>

Set the protocol (https or http) for RFS to use to communicate with the ESXi server. The default protocol is https. This option is optional.

■ -port=<port>

Set the port to use to communicate with the ESXi server. The default port number is 443. Valid port numbers range from 1 to 65535. This option is optional.

 

For example:

  • rfs_config.sh -modifyHost -server=<addr> -username=<user> -password=<passwd>
  • rfs_config.sh -modifyHost -server=<addr> -protocol=<protocol>

-deleteHost

Allows you to delete a single ESXi host or all ESXi hosts.

rfs_config.sh -deleteHost <Mandatory Options>

 

Following are the supported options:

■ -server=<addr>|all

Set the ESXi Server Address. This option is mandatory.

■ -username=<user>

Set the ESXi Username. This option is mandatory. If you specify -server=all then you do not require the username.

 

For example:

  • rfs_config.sh -deleteHost -server=<addr> -username=<user>
  • rfs_config.sh -deleteHost -server=all

-listHost

Allows you to view all the ESXi hosts currently monitored.

-upgrade

Allows you to upgrade the older ESXi Support Utility to version 5.2.9.

-runrfs

Run the ESXi support utility on demand.

 

Troubleshooting

 

Troubleshooting and verifying steps for RFS

 

RFS Setup

 

  • If during the RFS Setup it fails to create the /fim/scspfim directory, create it manually and update the conf/esxi_fim_root with an entry that identifies the directory for the FIM root.
  • If during the installation of the CSP Agent you do not enter its name, the Collector Node folder will be created as SCSPCollectorNode_ and will be reporting to the Management Server as such.

The only way to fix this is by reinstalling the CSP agent and entering its name during the installation process.

 

RFS Synchronization fails

 

  • Review the rfs.log located in the /fim/scspfim/CollectorNode_<hostname> directory for errors.
  • Check that the directory with the ESXi IP address is created under /fim/scspfim/.
  • Enable Trace mode to get more details:
    • Edit esxi_fim_host.conf by changing the last 0 to 1 on the ESXHOST= line.

 

Uninstall RFS Utility

 

Uninstalling the RFS Utility requires uninstalling the Critical System Protection Agent.

 

  1. Make sure no Prevention policy other than NULL is applied to the Agent.
  2. Run rpm -e SYMCcsp.
  3. Reboot the server to complete the uninstallation.

 

Troubleshooting and verifying steps for VMware vCLI & ESXi

 

Uninstall VMware vCLI

 

  1. Go to the directory where you installed vCLI (default is /usr/bin).
  2. Run the vmware-uninstall-vSphere-CLI.pl script.

 

The command uninstalls vCLI and the vSphere SDK for Perl.

 

ESXi syslog settings

 

  • Check that syslog forwarding is configured from vSphere > Configuration tab > Software > Advanced Settings > Syslog. You should see the following in the Syslog.global.logHost setting:

udp://<collectornode_IP_address>:514

 

References

 

VMware vCLI Download link

https://my.vmware.com/group/vmware/details?downloadGroup=VSP510-VCLI-510&productId=285

VMware vCLI Documentation

http://pubs.vmware.com/vsphere-51/index.jsp#com.vmware.vcli.getstart.doc/cli_install.4.5.html

SCSP Agent Installation

https://www-secure.symantec.com/connect/articles/how-install-scsp-agent-windows-unix-and-solaris

SCSP vSphere Support Guide

https://www-secure.symantec.com/connect/articles/symantec-critical-system-protection-52-ru9-docs

CPAN

http://www.cpan.org/modules/

YUM (RHEL)

https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/c1-yum.html

YaST (SLES)

http://www.novell.com/developer/yast.html

(Internal) Virtualization Policy.pdf

Comments

Aug 21, 2013 03:44 AM

Great Article!
