PowerNSX has been a focus of mine for a while now. I also have a penchant for Log Insight; I like the product. I have previously outlined here an approach to segmenting any application with Log Insight and the NSX Distributed Firewall.
I have created a tool that takes what I learned segmenting production Log Insight instances and builds a set of rules from it. The predefined Security Groups and rules capture the legitimate traffic to Log Insight and protect the cluster.
The Log Insight Segmenter is designed to work on Log Insight clusters that use an Integrated Load Balancer (ILB). When the script runs, the user is prompted for the following:
- The IP address assigned to LogInsightLoadBalancerIPAddress in the script is used as the Log Insight ILB address. A warning displays the value currently assigned to the variable and asks whether it is correct.
- A second warning explains what is about to occur and asks whether the user wants to proceed.
- Answering No to either prompt aborts the script.
An administrator can define a custom ILB IP address by appending the -LogInsightLoadBalancerIPAddress parameter:
- .\segmentLI.ps1 -LogInsightLoadBalancerIPAddress 10.100.0.9
The IP address supplied here is used in the rules that are created: it is the destination IP address for all externally sourced communication with the cluster.
Running the script results in this:
After the script has run, all an administrator needs to do is add an IP Set or other object to the Security Group SG-Administrative-Sources, and access is granted.
Because this is a generic script intended for many environments, some small tweaks may be needed. In particular, I would suggest replacing ANY in the source field of the syslog rule with the relevant vCenter objects and IP ranges for your syslog sources; left as ANY, that rule accepts syslog from any address that can reach the ILB.
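The two post-run steps above (populating SG-Administrative-Sources, and replacing ANY on the syslog source) as a PowerNSX snippet. This is an added example, not code from segmentLI.ps1 or from the PowerNSX project. The section name, the syslog rule name, the IP Set names and the IP ranges are placeholders I made up; substitute the names the script created in your environment. It assumes PowerNSX 3.x, where Add-NsxFirewallRuleMember is available.

```powershell
# Added example: tighten the Log Insight DFW rules after segmentLI.ps1 has run.
# Not the author's script. Every name and address below is an assumption.
param(
    [Parameter(Mandatory)] [string] $NsxManager,
    [string]   $SectionName    = 'Log Insight',                 # assumed section name
    [string]   $SyslogRuleName = 'Log Insight - Syslog Ingest', # assumed rule name
    [string[]] $AdminHosts     = @('10.100.10.21', '10.100.10.22'),    # constructed
    [string[]] $SyslogSources  = @('10.100.20.0/24', '10.100.21.0/24') # constructed
)

Import-Module PowerNSX
Connect-NsxServer -NsxServer $NsxManager -Credential (Get-Credential) | Out-Null

# 1. Administrative access. SG-Administrative-Sources exists from the script;
#    membership is what grants access, so the IP Set is the control point.
$adminIpSet = New-NsxIpSet -Name 'IPS-LogInsight-Admin-Sources' `
                           -IPAddresses ($AdminHosts -join ',')
Get-NsxSecurityGroup -Name 'SG-Administrative-Sources' |
    Add-NsxSecurityGroupMember -Member $adminIpSet

# 2. Syslog ingest. Put the known syslog senders in their own IP Set and
#    Security Group, then add that group as the rule's source. In the DFW an
#    absent source means ANY, so adding a source member is what removes ANY.
#    PowerCLI inventory objects (clusters, VMs) can also be passed to -Member.
$syslogIpSet = New-NsxIpSet -Name 'IPS-LogInsight-Syslog-Sources' `
                            -IPAddresses ($SyslogSources -join ',')
$syslogSg = New-NsxSecurityGroup -Name 'SG-LogInsight-Syslog-Sources' `
                                 -IncludeMember $syslogIpSet
Get-NsxFirewallSection -Name $SectionName |
    Get-NsxFirewallRule -Name $SyslogRuleName |
    Add-NsxFirewallRuleMember -MemberType Source -Member $syslogSg

# 3. Verify: list any rule in the section whose source is still ANY.
#    A rule with no <sources> element is an ANY-source rule.
function Get-AnySourceRule {
    param([Parameter(Mandatory)] [string] $Section)
    Get-NsxFirewallSection -Name $Section |
        Get-NsxFirewallRule |
        Where-Object { -not $_.sources } |
        Select-Object id, name, action
}

$open = Get-AnySourceRule -Section $SectionName
if ($open) {
    Write-Warning "Rules still accepting traffic from ANY source:"
    $open | Format-Table -AutoSize
} else {
    Write-Host "No ANY-source rules remain in section '$SectionName'."
}
```

Run it once against a test NSX Manager first; the verification step at the end is worth keeping as a standing check, because anyone who later adds a rule to the section with an empty source reopens the cluster to every address that can reach the ILB.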
Download the script and let me know how you fare.