Monitoring Syslog from OMS with non-oms agents

So this weekend I was tasked with trying to set up OMS syslog monitoring against Linux targets that are not supported by the OMS agents. The supported list of OMS Linux agent operating systems is the following:

Amazon Linux 2012.09 –> 2015.09 (x86/x64)
CentOS Linux 5,6, and 7 (x86/x64)
Oracle Linux 5,6, and 7 (x86/x64)
Red Hat Enterprise Linux Server 5,6 and 7 (x86/x64)
Debian GNU/Linux 6, 7, and 8 (x86/x64)
Ubuntu 12.04 LTS, 14.04 LTS, 15.04, 15.10 (x86/x64)
SUSE Linux Enterprise Server 11 and 12 (x86/x64)

Now since many have network devices which run none of these operating systems, I needed to set up something that would let me collect the syslog events from other devices and then forward them to OMS. What I came up with was setting up a syslog collector on an operating system with a supported OMS agent. So I set up an Ubuntu 14.04 virtual machine to act as the syslog collector.

The simplest way was to use the built-in rsyslog service on Ubuntu and configure it for remote collection; by default it is only used for local syslogging and does not accept remote syslog messages.

Now as mentioned this requires a simple machine running Ubuntu 14.04 or 15.04. From the terminal we need to edit rsyslog.conf, which is located under the /etc folder.

From there you need to edit the file, which can be done using vim or vi. In the conf file you need to remove the # in front of the ModLoad and UDPServerRun lines, which allows the syslog daemon to receive messages from remote hosts.

# provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

Next you need to add these lines before the GLOBAL DIRECTIVES part of the config file.

$template RemoteLogs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log" *
*.*  ?RemoteLogs

This tells the syslog daemon to create the log files under /var/log in a folder named after the remote host that forwards the messages, with one file per program name.

After this is configured you need to restart the rsyslog service:

sudo /etc/init.d/rsyslog restart

Now we should see the log files populate under a folder named after each remote host's hostname.
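To make the template above concrete, here is an added example (my own code, not from the post or from rsyslog) that models what the collector does with each received datagram: it parses the PRI, HOSTNAME and TAG fields of an RFC 3164 message, which is where rsyslog's %HOSTNAME% and %PROGRAMNAME% come from, and resolves the "/var/log/%HOSTNAME%/%PROGRAMNAME%.log" destination. Because both fields are supplied by the sending device, the example validates them before using them as path components; that check is part of the example and is not a statement about rsyslog's own handling. The sample messages are constructed to look like a Cisco ASA and a NetScaler line and are not captures from the devices in the post.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample datagrams in the RFC 3164 style that network devices commonly
# send. They are made up for this example, not captured from real devices.
SAMPLE_MESSAGES = [
    "<166>Oct 10 13:55:36 asa-fw %ASA-6-302013: Built outbound TCP connection 12345",
    "<134>Oct 10 13:55:40 ns-lb sshd[2211]: Accepted publickey for admin from 10.0.0.5",
    "<13>Oct 10 13:55:41 ../../etc cron: hostname field crafted by the sender",
]

# PRI = facility * 8 + severity (RFC 3164 section 4.1.1)
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp", "cron",
    "authpriv", "ftp", "ntp", "security", "console", "solaris-cron",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                                   # PRI
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "  # e.g. "Oct 10 13:55:36"
    r"(?P<hostname>\S+) "                                    # HOSTNAME, as sent by the device
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?:?\s?"          # TAG[pid]: -> PROGRAMNAME
    r"(?P<msg>.*)$"
)

# What this example accepts as a hostname or program name before it becomes a
# path component (assumption of the example: hostnames and tags of real devices
# use only these characters).
SAFE_COMPONENT = re.compile(r"^[A-Za-z0-9%][A-Za-z0-9._%-]*$")


@dataclass
class SyslogRecord:
    facility: str
    severity: str
    timestamp: str
    hostname: str
    program: str
    pid: Optional[int]
    message: str


def parse_syslog(line: str) -> SyslogRecord:
    """Split one RFC 3164 datagram into the fields the rsyslog template refers to."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"not an RFC 3164 message: {line!r}")
    pri = int(m["pri"])
    if pri > 191:  # 23 * 8 + 7 is the largest valid PRI
        raise ValueError(f"PRI out of range: {pri}")
    return SyslogRecord(
        facility=FACILITIES[pri // 8],
        severity=SEVERITIES[pri % 8],
        timestamp=m["timestamp"],
        hostname=m["hostname"],
        program=m["tag"],
        pid=int(m["pid"]) if m["pid"] else None,
        message=m["msg"],
    )


def destination_path(hostname: str, program: str, base: str = "/var/log") -> str:
    """Resolve "/var/log/%HOSTNAME%/%PROGRAMNAME%.log" for one record.

    Both fields come from the remote sender, so they are checked before being
    used as path components. This check belongs to the example only.
    """
    for name, value in (("hostname", hostname), ("program", program)):
        if not SAFE_COMPONENT.match(value) or ".." in value:
            raise ValueError(f"unsafe {name} for a path component: {value!r}")
    return f"{base}/{hostname}/{program}.log"


def route_messages(lines):
    """Group messages by destination file, as "*.* ?RemoteLogs" routes every
    facility and severity through the template, and collect the rejects."""
    routed = {}
    rejected = []
    for line in lines:
        try:
            rec = parse_syslog(line)
            path = destination_path(rec.hostname, rec.program)
        except ValueError as exc:
            rejected.append((line, str(exc)))
            continue
        routed.setdefault(path, []).append(f"{rec.timestamp} {rec.severity}: {rec.message}")
    return routed, rejected


if __name__ == "__main__":
    routed, rejected = route_messages(SAMPLE_MESSAGES)
    for path, entries in routed.items():
        print(path)
        for entry in entries:
            print("   ", entry)
    for line, reason in rejected:
        print("REJECTED:", reason)
```

Running it writes nothing to disk; it only shows which file each sample line would land in and why the third line, whose hostname field is not a plain host name, would be rejected rather than turned into a path outside /var/log.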

After this is done you need to install the OMS agent using the following commands:

$> wget https://github.com/Microsoft/OMS-Agent-for-Linux/releases/download/v1.1.0-28/omsagent-1.1.0-28.universal.x64.sh

$> chmod +x ./omsagent-1.1.0-28.universal.x64.sh

$> md5sum ./omsagent-1.1.0-28.universal.x64.sh

$> ./omsagent-1.1.0-28.universal.x64.sh --upgrade -w <YOUR OMS WORKSPACE ID> -s <YOUR OMS WORKSPACE PRIMARY KEY>

After the OMS agent is configured, we need to configure syslog collection from within OMS.

Then we can go into Log Search, open the Syslog viewer and drill into the different alerts.

So in this case I just configured a regular syslog setup on a Cisco ASA and a Citrix NetScaler to forward to the Ubuntu server.

#netscaler, #oms, #syslog

Wire Data in Operations Management Suite

Microsoft finally released a new solution pack for Operations Management Suite the other day, which I have been waiting for since Ignite: Wire Data!!!

This is a solution pack that gathers metadata about your network. It requires a local agent installed on your servers, as with the other solution packs, but gives you more detailed information about the network traffic happening inside your infrastructure.

So if you have OMS you just need to go into the solution packs and add the Wire Data pack.

But note that after adding the solution pack it needs a while to gather the necessary data to create a sort of baseline of the network traffic.

After it is done it groups together the communication that has happened on the agents, so you can see what kind of protocols are frequently in use.

For instance I see that there is a lot of Unknown traffic happening on my agent. I can drill down to see more info about that particular traffic and then see in detail where the traffic is going.

I can also drill down to see what kind of process is initiating the traffic going back and forth. Something I would like to see in this is the ability to add custom info: let's say I have a particular application running which uses some custom ports and processes, I would like to add a custom name to that application so it can appear in the logs and in the overview.

Other than that it provides great insight into what kind of traffic is going back and forth inside the infrastructure, and Microsoft has added some useful common queries.

#microsoft, #oms, #system-center

What's new at Ignite! Nano Server, Containers, Azure Stack, OMS, ATA and so on

So this is my recap of what happened at Ignite, sorted by subject of course. The focus and strategy at Microsoft is clear: "MOVE TO OUR CLOUD", though of course they did not leave out the guys on the floor either.

Microsoft announced numerous changes to their Azure platform, including more of an architectural change to their IaaS platform (which is due time). So, to sum up the Azure changes announced over the last two weeks:

  • User defined routes (Which allow us finally define a routing table for each subnet)
  • Reserved IP addresses (Allow us to move reserved IP addresses between services now!)
  • Instance level public IP
  • Multiple VIPs per Cloud Service
  • Azure DNS (Which allows us to manage our DNS zones from Azure, which will also eventually support DNSSEC and integrate with Traffic Manager)
  • Networking support for resource manager
  • Bring in BGP routes if you are using ExpressRoute
  • 16 vNICs per virtual machine
  • Azure Automation with support for Graphical Authoring and integration with on-premises
  • Azure Resource Manager, which will allow us to build complete services based upon JSON files; this will also play a huge role in Azure Stack
  • IP forwarding on virtual appliances
  • Announced a bunch of different virtual appliance partners which will arrive in the marketplace soon (For instance Citrix Netscaler, CheckPoint and so on)
  • Role Based Access
  • Exchange supported on Premium Storage in Azure

So as you can see there is a lot happening on Azure, specifically on networking, which has been lacking for quite some time. So what about Office 365 and EMS?

  • Sway (Will be available to all later this month)
  • New Office2016 Public Preview
  • Skype for Business Broadcast meetings
  • Announced one Sync client for OneDrive
  • Mobile offline files for iOS and Android OneDrive
  • Save to OneDrive from OWA
  • The 20,000 file limit and 10GB max file size will be gone
  • You can see more about the OneDrive roadmap here: http://www.zdnet.com/article/microsoft-fills-in-onedrive-roadmap-dates-details/
  • Intune announced support for Mac OS X
  • Intune app wrapping for Android
  • Support for Apple Volume Purchase Program
  • Support for MAM in Outlook app
  • Multi-identity
  • Restrict Access to Outlook based upon compliance of device
  • Windows 10 support for Intune
  • Document Tracking with Azure RMS
  • Cloud App Discovery GA
  • Privileged Identity Management
  • Also heard that eventually Intune will merge into Azure Active Directory

Other than this news, Microsoft also announced a new bundle called OMS (Operations Management Suite), which consists of:

  • Azure Automation
  • Azure Backup
  • Azure Site Recovery
  • Azure Operational Insights (Which will later get support for components like network logging, syslog tracking and CMDB options)

This suite can be tried now! Microsoft also announced that they will be opening up for partners to add their own intelligence packs for their own monitoring solutions, which means more data moving to the cloud.

So what did Microsoft announce for the guys on the floor? Well, a lot! For instance, a lot of new capabilities in Server 2016.

  • Microsoft Advanced Threat Analytics (Which is currently in preview; a combination of network- and log-based monitoring to detect attacks like Pass the Hash, accounts that have been compromised and so on). This will become more advanced with capabilities like network monitoring and the ability to take action if there is an attack.
  • PowerShell DSC support for Linux (Which just came out of nowhere!)
  • Nano Server (Which is a newly created flavor of Windows Server, designed for delivering the next generation of cloud services with a very low footprint in terms of RAM, disk and CPU, where Microsoft stripped most of the traditional components away). I'll be writing more about Nano Server, but in essence it now looks more like ESX.
  • Containers, Containers, Containers! (Also something I will be writing more about)
  • Storage Spaces Direct (Shared Nothing File Cluster, can also be combined with Hyper-V to deliver HCI)
  • Storage Replica, which is not like DFS-R: it allows us to replicate any volume asynchronously or synchronously.
  • Storage QoS on a scale out file server
  • Windows Defender now installed and enabled by default (even in Nano)
  • Rolling Cluster Upgrades
  • RDS support for OpenGL 4.4 and OpenCL 1.1, plus support for Gen2 VMs and RemoteFX
  • Web Application Proxy, preauth for HTTP Basic, HTTP to HTTPS redirect
  • Windows Server 2016 will support VXLAN
  • Software loadbalancing capabilities
  • Production Checkpoints and integration with VSS
  • Linux SecureBoot
  • Connected Standby
  • Hyper-V Manager and alternate credentials
  • ReFS more used in centralized SOFS
  • Binary virtual machine configuration VMCX
  • Hot Add and remove of memory and network adapters
  • SMB 3.1.1 (Pre-authentication integrity check, encryption improvements)
  • The Network Controller which will allow central management of virtual and physical network devices
  • Shielded VMs and Host Guardian Service
  • JEA (Just Enough Administration)
  • Converged NIC across tenant and RDMA traffic
  • Server-side support for HTTP/2, including header compression and connection multiplexing, on IIS
  • Online resizing support for shared VHDX
  • PowerShell Direct to a virtual machine.

Now with all these capabilities in place in the fabric, there is only one thing missing, which is something they announced in the keynote: Azure Stack. Now Microsoft means business. They are moving in and competing with the likes of OpenStack, CloudPlatform and so on. Many wondered if this was the new version of Azure Pack (and it is! It is the evolution of Azure Pack). Microsoft will continue to support Azure Pack for a while, but the main development will go into Azure Stack. Unlike Azure Pack, Stack is not so deeply dependent on System Center. Of course you would still use that to manage the infrastructure, but the fabric connection from the Azure Stack providers would be directly against Hyper-V hosts or clusters.

Azure Stack will consist of an Azure-like fabric controller and will also have the option to communicate with the Network Controller to manage the physical and virtual network layers. Stack will also look and feel like the new portal, which is currently in use as the preview portal, and will come with a set of different providers to deliver specific services.

With the support for VXLAN in the fabric and some support for VMware with DPM, maybe Microsoft is moving towards Azure Stack with support for VMware?

Time will tell, and stay tuned for more.

#ata, #azure-stack, #containers, #nano-server, #oms