8. vCloud Operations Control : 8.9 Access and Security Management : 8.9.3 Log Management
8.9.3 Log Management
Providing log data to customers is an important capability for providers offering vCloud services. The primary advantages include the following:
*Regulatory compliance – Aggregate log data for security review and analysis through applicable controls. Archive historical data and retrieve based on audit window containing relevant data. Logs showing specific events such as a user authentication with a timestamp are examples of satisfactory evidence for auditors
*Tenant requirements – Tenants (customers or clients) should have access to logs that pertain to the use of their particular compute resources. Tenant log requirements are similar to those for a provider, but the ability to offer the data that corresponds to the specific tenant is an important capability in a vCloud environment.
*Event correlation – Log data can be forwarded to Security Information and Event Management (SIEM) tools for analytic analysis and correlation with unique behavioral signatures. This enables the possibility of early and possibly real-time detection of an attack, misconfiguration, and secondary capacity utilization reporting.
*Operational monitoring – For the automation of health and status reporting, logs can provide data that can be checked when required for state changes to applications, operating systems, and virtual machine hosts.
*Simple troubleshooting – Many applications and operating systems provide the capability to enable more verbose logging detail during runtime. When troubleshooting unexpected behavior, this additional detail can provide the information needed when attempting to remediate most problems. Logging and Architecture Considerations
*Redundancy – The leading logging platform is Syslog. Syslog is a UDP-based protocol, so the delivery of all log data is not guaranteed. To facilitate the integrity of log delivery over networks try the following:
*Design physical redundancy on logging equipment (redundant network interfaces, others).
*Specify multiple syslog targets.
*If only one remote syslog target is possible, configure local logging as well as one remote target.
*Host the log targets on DRS enabled hosts so that vCenter can manage availability of the syslog virtual machine and service.
*ScalabilityWhen compared with customer-generated events, vCloud infrastructure components generate considerably less log data. However, customer components such as the vCloud Networking and Security Edge firewall generate a very high volume of logging. Logs from performance data such as IOPS, network throughput, and CPU utilization are critical, so the design guideline is to define standalone disk partitions for log collection and archiving on a collection server. Additionally, if possible, this data should be part of the vCloud monitoring solution using vCenter Operations Manager.
*Logs need to be available to customers in raw format from both vCloud Director and vCloud Networking and Security Edge that pertain specifically to their organization and networks.
*Within vCloud Director, customer-specific activity is specified as an identifier for the customer’s organization.
*vCloud Networking and Security Edge applies descriptive and unique names to organization-specific traffic that SIEM products use to correlate log messages. Logging as a Service
When enabling a formalized service for log collection and processing, a provider should consider offering the following types of log services to a customer:
*Provider log management of customer logs for systems within the vCloud organization – The customer sends logs to a provider for analysis and report generation of customer-specific events.
*Logs can be sent over private VLAN within the provider’s environment.
*Cost savings for customer of licensing SIEM tools.
*Difficult to customize analysis and correlation to other customer-specific events.
*Dedicated resources are required even with low utilization.
*Billing does not follow IaaS model because resource consumption is primarily for storage and analysis.
*Provider forwarding logs to customer for management – Logs from provider resources such as network equipment, host server, and firewall appliances are sent to customer system for collection and analysis.
*vCloud resources are scalable and rely on distributed analysis within customer environment.
*Customer uses tool of choice for analysis and reporting.
*Creates duplicate copy of infrastructure log for audit purposes.
*Log transmission requires network resources.
*Due to multitenancy within the vCloud, a potentially complex implementation is required as a result of the need for an in-built intelligence engine in the log forwarding mechanism.