Additional PCE Installation Tasks

After installing the PCE, perform these additional tasks.

Configure PCE Backups

You should maintain and perform regular backups of the PCE database based on your company's backup policy. Additionally, always back up your PCE database before upgrading to a new version of the PCE. See PCE Database Backup in the PCE Administration Guide.

Internal Syslog and Events Configuration Required

This section applies to you if you are:

  • Performing a fresh installation of Illumio 20.2.0 or later rather than upgrading from a previous version, and
  • You want to send events and traffic flow summaries to an external SIEM.

For new installations, you must configure the syslog and set up events forwarding.

In previous PCE versions, a local syslog configuration was created by default. This local setting is no longer created. If you want to gather events data, the internal syslog must be configured. This was previously an optional installation step.

You must configure the following:

If you are upgrading from a previous PCE version, you can also do this configuration, if needed. However, it is more likely that you already have an appropriate configuration in place.

(Optional) Configure PCE Internal syslog

Configuring the PCE internal syslog is optional only in either of these cases:

  • You are upgrading to Illumio 21.2.0 or later from an earlier version where you already have an appropriate configuration in place.
  • You are performing a fresh installation of Illumio 21.2.0 or later, but you don't care about gathering events data or sending events and traffic flow summaries to an external SIEM.

In every other case, it is required.

With the PCE internal syslog, you use the PCE web console to control and configure the relaying of syslog messages from the PCE to multiple remote destinations.

This feature eliminates the need to manage syslog on the PCE by yourself.

You can achieve a smooth transition from existing syslog installations by using a default configuration called “Local.” Using this default, the PCE internal syslog relays messages to the existing syslog.

Utilizing the internal syslog works well with the PCE's auditable events data. See the Events Administration Guide.

The PCE internal syslog has the following features:

  • Syslog message routing to an unlimited number of remote destinations
  • Auditable events for syslog service, as required by Common Criteria
  • Integration with PCE Support Reports
  • Common timestamps defined by RFC 3339, including fractional timestamps, such as milliseconds
  • PCE log rotation and disk usage management
  • SIEM support by enabling sending events to remote destinations
  • Optional data-in-motion encryption

Do Not Write Additional Information to log_dir

Though not recommended, you can put the PCE internal syslog into operation while still running any syslog implementation you already have. However, keep the following information in mind.

CAUTION:

Do not store auditable events in log_dir

If you continue to use a previously configured syslog (prior to Illumio Core version 18.2), Illumio recommends that your own local syslog configuration be changed to not store any additional information in log_dir. The log_dir parameter in runtime_env.yml defines where logs are written and by default is /var/log/illumio-pce. This recommendation includes avoiding storing your auditable events logs in this directory.

The PCE Support Report includes all data in this directory. Illumio considers the auditable event information as private, confidential data. Storing it in log_dir could inadvertently release this information by way of the PCE Support Report to persons other than your organization's auditors.

Configure Events and Syslog

After installing the PCE, configure events and the syslog server using the PCE web console.

For information, including configuring remote syslog destinations, see Events Settings.

(Optional) Customize PCE Log File Rotation

Internal PCE log file rotation is governed by two values: the maximum file size (default: 100MB) and the maximum number of rotated files retained (default: 10). In larger-scale deployments, these defaults might retain too little log data to troubleshoot runtime issues successfully.

To customize the rotation of PCE log files, run the following command:

sudo -u ilo-pce illumio-pce-env logs --modify logfile[:size][/rotation]

In logfile, enter the name of the file. If you do not already know the name of the log file, run this command to list all logs:

sudo -u ilo-pce illumio-pce-env logs

In size, specify a number and append m to specify a size in MB or g to specify a size in GB. In rotation, enter a number to control how many past rotated log files to keep. When this number is exceeded, the oldest file is deleted. To return to the default log rotation values of 100MB and 10 files, run this command with logfile alone, without the size or rotation parameters.

For example:

Argument            Result
haproxy.log:1g/20   Rotate the haproxy log when it reaches 1GB, and keep the last 20 rotated files.
haproxy.log:3m      Set the maximum size of haproxy.log to 3MB, indicated by the m.
haproxy.log/5       Keep the 5 most recent haproxy.log files after rotation. Discard older ones.
nginx.log           Return the nginx.log file to the default settings.

To confirm that the hosts have sufficient disk space to accommodate the log files with these rotation settings, run this command:

sudo -u ilo-pce illumio-pce-ctl check-env

It issues a warning if the log usage is too great for the partition size.
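To budget log-partition space before running check-env, here is an added example (not Illumio's code) that parses the logfile[:size][/rotation] argument form described above and computes the worst-case footprint of the resulting settings. It assumes that an omitted size or rotation is budgeted at the default value and that the caller supplies the partition's free space.

```python
import re

# Defaults stated in the guide: 100MB per file, 10 rotated files kept.
DEFAULT_SIZE_BYTES = 100 * 1024 * 1024
DEFAULT_ROTATION = 10

# Argument form from the guide: logfile[:size][/rotation], size being a number
# followed by m (MB) or g (GB), e.g. "haproxy.log:1g/20".
ARG_RE = re.compile(
    r"^(?P<name>[^:/\s]+)(?::(?P<size>\d+)(?P<unit>[mg]))?(?:/(?P<rot>\d+))?$")


def parse_rotation_arg(arg):
    """Return (logfile, max_bytes, rotation) for one --modify argument.

    A bare logfile name resets both values to the defaults, as the guide says.
    Assumption of this example: an omitted part is budgeted at its default
    (the real tool may leave the other value unchanged instead)."""
    m = ARG_RE.match(arg)
    if not m:
        raise ValueError(f"malformed rotation argument: {arg!r}")
    if m.group("size") is None:
        max_bytes = DEFAULT_SIZE_BYTES
    else:
        mult = 1024 ** 2 if m.group("unit") == "m" else 1024 ** 3
        max_bytes = int(m.group("size")) * mult
    rotation = DEFAULT_ROTATION if m.group("rot") is None else int(m.group("rot"))
    return m.group("name"), max_bytes, rotation


def worst_case_bytes(max_bytes, rotation):
    # The active file plus the retained rotated copies, each up to max_bytes.
    return max_bytes * (rotation + 1)


def disk_budget(args, partition_free_bytes):
    """Sum the worst-case footprint of several --modify arguments and report
    whether it fits in the free space of the log partition (a figure the
    caller supplies, e.g. from df on /var/log/illumio-pce)."""
    per_log = {}
    for arg in args:
        name, size, rot = parse_rotation_arg(arg)
        per_log[name] = worst_case_bytes(size, rot)
    total = sum(per_log.values())
    return {"per_log": per_log, "total_bytes": total,
            "fits": total <= partition_free_bytes}
```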

(Optional) Set Path to Custom TLS Certificate Bundle

When you enable Transport Layer Security (TLS) mutual authentication, the channel to the remote syslog destination can be secured by your own TLS CA certificate bundle. A CA bundle is a file that contains root and intermediate certificates. The end-entity certificate along with a CA bundle constitutes the certificate chain.

The value of the runtime_env.yml file optional parameter trusted_ca_bundle is the path to your own CA certificate bundle.

  • When a custom TLS bundle is provided by the user during configuration, this bundle is used for certificate verification.
  • When a custom TLS bundle is not configured for a particular destination, the PCE trust store is used (runtime_env.yml parameter trusted_ca_bundle).

Remote Destination Setup for Syslog Server

Enabling TLS with the syslog protocol allows you to secure the communication to your syslog service with public CA certificates or with TLS certificates from your own CA.

On the remote syslog server, ensure restricted access to the data by relying on the OS-level user access mechanisms. In addition, limit the number of users allowed access to the syslog storage itself. If possible, rely on an enterprise-class log management system to post-process the event data.

RFC 5424 Message Format Required

Ensure that your remote syslog destination is configured to use the message format defined by RFC 5424, The Syslog Protocol, with the following exception.

Traffic flow summary messages include a numeric prefix, such as the 611 at the beginning of the LEEF record snippet below. Ensure that your parsing programs on the remote syslog destination account for this prefix:

611 <14>1 2018-08-06T11:47:26.000000+00:00 core1-2x2devtest59 illumio_pce/collector 22724 - [meta sequenceId="3202"] sec=556046.963 sev=INFO pid=22724 tid=30548820 rid=e163020f-32c5-4c59-ab06-dfb93b60ff4e LEEF:2.0|Illumio|PCE|18.2.0|flow_allowed|cat=flow_summary
...

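The following is an added parser (not Illumio's code) for the message shape shown above: it strips the numeric prefix, parses the RFC 5424 header and structured data, splits the key=value fields and the LEEF record, and flags messages longer than the 4K default that many receivers use (see Message Size below). The sample line is constructed from the truncated snippet, so its real length is not 611 octets; the LEEF attribute delimiter after the header is assumed to be a pipe or a tab.

```python
import re

# Constructed sample: the guide's truncated LEEF snippet joined onto one line.
SAMPLE = ('611 <14>1 2018-08-06T11:47:26.000000+00:00 core1-2x2devtest59 '
          'illumio_pce/collector 22724 - [meta sequenceId="3202"] sec=556046.963 '
          'sev=INFO pid=22724 tid=30548820 rid=e163020f-32c5-4c59-ab06-dfb93b60ff4e '
          'LEEF:2.0|Illumio|PCE|18.2.0|flow_allowed|cat=flow_summary')

COMMON_DEFAULT_OCTETS = 4096  # typical receiver default; the PCE sends up to 8K

# Optional numeric prefix, then the RFC 5424 header:
# <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
HEADER_RE = re.compile(
    r'^(?:(?P<prefix>\d+) )?<(?P<pri>\d{1,3})>(?P<ver>\d) (?P<ts>\S+) (?P<host>\S+) '
    r'(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[.*?\])+) ?(?P<msg>.*)$')
SD_RE = re.compile(r'\[(?P<id>\S+?)(?P<params>(?: [^=\]]+="[^"]*")*)\]')


def parse_pce_syslog(line):
    """Parse one PCE syslog line into header, structured data, key=value
    fields and the LEEF record; raise ValueError if it is not RFC 5424."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an RFC 5424 message (with optional numeric prefix)")
    pri = int(m.group("pri"))
    octets = len(line.encode())
    rec = {"prefix": int(m.group("prefix")) if m.group("prefix") else None,
           "facility": pri // 8, "severity": pri % 8, "timestamp": m.group("ts"),
           "host": m.group("host"), "app": m.group("app"),
           "procid": m.group("procid"), "sd": {}, "fields": {}, "leef": None,
           "octets": octets, "exceeds_4k_default": octets > COMMON_DEFAULT_OCTETS}
    for sd in SD_RE.finditer(m.group("sd")):
        rec["sd"][sd.group("id")] = dict(
            re.findall(r'(\S+)="([^"]*)"', sd.group("params")))
    # MSG is key=value pairs followed by the LEEF record.
    head, _, leef = m.group("msg").partition("LEEF:")
    rec["fields"] = dict(kv.split("=", 1) for kv in head.split() if "=" in kv)
    parts = leef.split("|", 5)
    if len(parts) >= 5:
        # Assumption: attributes after the LEEF header are pipe or tab separated.
        attrs = re.split(r"[\t|]", parts[5]) if len(parts) > 5 else []
        rec["leef"] = {"version": parts[0], "vendor": parts[1],
                       "product": parts[2], "product_version": parts[3],
                       "event_id": parts[4],
                       "attrs": dict(a.split("=", 1) for a in attrs if "=" in a)}
    return rec
```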
NOTE:

Notes on RFC 5424

  • You must ensure that your remote syslog uses the network(flags(syslog-protocol)) form for receiving messages.
  • RFC 5424-formatted messages might not be fully functional with rsyslog versions earlier than 5.3.4.

Message Size: 8K

The size of the PCE internal syslog messages is up to 8K bytes. However, many implementations of syslog have a default message size of 4K bytes. Ensure that your remote syslog configuration is set for 8K message size. Configuring the remote destination's syslog message size depends on your implementation of syslog. Consult your vendor documentation for information.