Deploy, Configure, and Microsegment Log Insight

Building on a couple of recent blog posts, I have made some PowerShell functions that wrap elements of the Log Insight JSON REST API. Using a mixture of PowerCLI, PowerNSX, and Power LogInsight commands, it is possible to deploy Log Insight end to end.

Power Log Insight can do the following in this release:

  • Create a default user
  • Create a new connection to Log Insight
  • Validate Version
  • Retrieve a licence
  • Configure a licence


This allows it to be used in future scripts, in conjunction with PowerCLI and PowerNSX functions. I have created a script that uses the three modules together. The script does the following:

  • Deploy a Log Insight
  • Configure Log Insight
    • Wait for API service
    • Configure Default User
    • Connect to Log Insight server
    • Add defined License to server
  • Get all hosts in all clusters and point their syslog at Log Insight on port 514
  • Segment Log Insight with the NSX DFW
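
The syslog step above, as an added PowerCLI example rather than the author's script. It assumes an existing Connect-VIServer session and PowerCLI 6.x or later, uses a constructed Log Insight address, and goes slightly beyond the list by also enabling the ESXi syslog firewall exception, reloading syslogd, and re-reading each host's setting so the report shows what is actually configured:

```powershell
# Added example (not the author's script): point every ESXi host in every cluster
# at Log Insight on UDP 514 and report what each host ended up with.
# Assumes Connect-VIServer has already been run. 10.100.0.9 is a constructed value.
param(
    [string] $LogInsightHost = '10.100.0.9',
    # udp://host:514 matches the post; ssl://host:1514 is the TLS alternative
    # if Log Insight's syslog-over-TLS listener is in use.
    [string] $LogHost        = "udp://${LogInsightHost}:514"
)

$results = foreach ($vmhost in (Get-Cluster | Get-VMHost | Sort-Object Name)) {
    # Syslog.global.logHost holds the remote syslog target(s) for the host.
    $setting = Get-AdvancedSetting -Entity $vmhost -Name 'Syslog.global.logHost'
    if ($setting.Value -ne $LogHost) {
        $setting | Set-AdvancedSetting -Value $LogHost -Confirm:$false | Out-Null
    }

    # Outbound syslog is dropped by the ESXi firewall unless the 'syslog'
    # exception is enabled; without this the host silently logs nothing remotely.
    $exception = Get-VMHostFirewallException -VMHost $vmhost -Name 'syslog'
    if (-not $exception.Enabled) {
        $exception | Set-VMHostFirewallException -Enabled $true | Out-Null
    }

    # Reload the syslog daemon so the new target takes effect without a reboot.
    $esxcli = Get-EsxCli -VMHost $vmhost -V2
    $esxcli.system.syslog.reload.Invoke() | Out-Null

    # Re-read the values so the report reflects the host's state, not what was sent.
    [pscustomobject]@{
        Host      = $vmhost.Name
        LogHost   = (Get-AdvancedSetting -Entity $vmhost -Name 'Syslog.global.logHost').Value
        FwEnabled = (Get-VMHostFirewallException -VMHost $vmhost -Name 'syslog').Enabled
    }
}

# Any row whose LogHost differs from $LogHost or whose FwEnabled is False
# is a host that will not be forwarding to Log Insight.
$results | Format-Table -AutoSize
```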

After deployment the output looks like this:

[Screenshot 2016-05-20 21.22.59: post-deployment output]

Variables can be modified for any environment; they are in the first parameter block. You must supply a valid Log Insight license, as every Log Insight server counts as an OSI.

Download the script here

Please note that this should be tested and validated first. It is used internally to help validate and test different types of deployments.

Download Power LogInsight here

I plan to add clustering, node configuration, content pack installation, and vCenter integration at a later time. These have been working but are not yet tested and are not included in this release.

PowerNSX Log Insight Segmenter

PowerNSX has been a focus of mine for a little while. I also have a penchant for Log Insight; I like the product. I have previously outlined in a blog here an approach to segmenting any application with Log Insight and the NSX Distributed Firewall.

I have created a tool that takes my learnings from segmenting production Log Insight instances and builds a set of rules from them. These predefined Security Groups and rules capture the legitimate traffic to Log Insight and protect the cluster.

[Screenshot 2016-05-13 13.20.04: predefined Security Groups and rules]

The Log Insight Segmenter is designed to work on Log Insight clusters using an Integrated Load Balancer (ILB). When the script runs, the user is prompted for the following:

  • The IP address assigned to LogInsightLoadBalancerIPAddress in the script is used as the Log Insight ILB IP address. A warning prompt displays the current value of the variable and asks whether it is correct.
  • A second warning explains what is about to occur and asks whether the user wants to proceed.
  • Answering No to either prompt aborts the script.

An administrator can define a custom ILB IP address by appending the -LogInsightLoadBalancerIPAddress parameter:

  • .\segmentLI.ps1 -LogInsightLoadBalancerIPAddress 10.100.0.9

The IP address given here is then used in the rules that are created: it is the destination IP address for externally sourced communication.

Running the script results in this:

[Screenshot 2016-05-13 13.50.23: script output]

After this has run, all an administrator needs to do is add an IP Set or vCenter object to the Security Group SG-Administrative-Sources, and administrative access is granted.

Because this is a generic script for many environments, some small tweaks may be needed. I would suggest replacing the ANY in the sources field with the relevant vCenter objects and IP ranges for your syslog sources.

Download the script and let me know how you fare.