I am working to get Ziti to report to a SIEM solution. I cannot find the logs for the controller and router, and I was wondering where the log path is.
The exact logs I want:
- Traffic logs
- Controller configuration logs
- Router logs
- Web page authentication logs
The log location depends on how you deploy it, but if you follow the quickstart and start the controller and router using a systemd service, the logs will go to journald.
There are no "web page authentication" or "traffic" logs. For those I would think you would configure metrics reporting and ship the metrics to your data lake. See https://docs.openziti.io/docs/learn/core-concepts/metrics/
Back in December at the meetup forum, Chad was asking about doing this. There was a person at that meeting (openziti) who was working at that time to ingest this into Elasticsearch. I just did a quick Google and could not find any reference to a guide or quickstart. Is there something he can publish about his progress, etc.?
CloudZiti, the SaaS offering of OpenZiti by NetFoundry, does exactly this too. I'll see if I can get someone from that side of the house to comment on exactly how it's done. I'm pretty sure they use the "file reporter" and then use the Beats shipper to store the data in Elastic.
If memory serves, also mentioned at that meeting was the zitified version of Beats, which is cool because then you can ship the logs using Ziti itself and not need to have open firewall rules, etc.
See this doc for more info on events and metrics you can get from ziti:
Add something like this to your controller config to get traffic data:
```yaml
events:
  utilizationLogger:
    subscriptions:
      - type: fabric.usage
        version: 3
    handler:
      type: file
      format: json
      path: /var/log/ziti/utilization-usage.log
      maxsizemb: 1024
      maxbackups: 5
```
From here you can use something like Elastic Filebeat to pick up the logs and ship them right to Elasticsearch. Since the data is already JSON it works with ES quite nicely.
As for logs, there’s not a great way yet to go from journalctl to Elastic, we use Filebeat for that as well and we pipe the logs to syslog with a custom rsyslog config.
```
# Log ziti processes to their own files.
# $RepeatedMsgReduction is a global directive, so it is set once up front
# rather than between a filter line and its "& stop" continuation.
$RepeatedMsgReduction on
if $programname == "ziti-controller" then /var/log/ziti/controller.log
& stop
if $programname == "ziti-router" then /var/log/ziti/router.log
& stop
```
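Once the file handler above is writing JSON lines, the SIEM side still has to make sense of them. The following is an added example, not code from the OpenZiti project or from the poster: it parses `fabric.usage` v3 lines, sums bytes per dialing identity and service, and flags reporting intervals whose byte rate exceeds a threshold. The sample lines are constructed, and their field names (`namespace`, `version`, `source_id`, `circuit_id`, `usage` with `ingress.*`/`egress.*` keys, `interval_start_utc`, `interval_length`, `tags` with `clientId`/`serviceId`/`hostId`) are an assumption about the v3 event shape; check them against your own `utilization-usage.log` before wiring a rule to them.

```python
"""Parse OpenZiti fabric.usage (v3) file-handler output and summarize it per identity.

Added example, not code from the OpenZiti project. The sample lines below are
constructed; their field names are an ASSUMPTION about the v3 event shape, so
adjust them to what your log actually contains.
"""
import json
from collections import defaultdict

# Constructed sample: two routers report the same circuit c1 (ingress and egress side),
# one large transfer on c2, and a junk line that a log shipper might hand us.
SAMPLE_LOG = """\
{"namespace":"fabric.usage","version":3,"source_id":"router-a","circuit_id":"c1","usage":{"ingress.rx":1200,"ingress.tx":800},"interval_start_utc":1700000000,"interval_length":60,"tags":{"clientId":"id-alice","serviceId":"svc-ssh","hostId":"id-host1"}}
{"namespace":"fabric.usage","version":3,"source_id":"router-b","circuit_id":"c1","usage":{"egress.rx":800,"egress.tx":1200},"interval_start_utc":1700000000,"interval_length":60,"tags":{"clientId":"id-alice","serviceId":"svc-ssh","hostId":"id-host1"}}
{"namespace":"fabric.usage","version":3,"source_id":"router-a","circuit_id":"c2","usage":{"ingress.rx":50000000,"ingress.tx":2000},"interval_start_utc":1700000060,"interval_length":60,"tags":{"clientId":"id-bob","serviceId":"svc-db","hostId":"id-host2"}}
this line is not JSON and must be skipped rather than crash the pipeline
"""


def parse_usage_events(text):
    """Return only well-formed fabric.usage v3 events; skip anything else silently."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if ev.get("namespace") == "fabric.usage" and ev.get("version") == 3:
            events.append(ev)
    return events


def bytes_by_identity_service(events):
    """Sum ingress-side bytes per (clientId, serviceId).

    Only the ingress counters are summed: the egress router reports the same circuit
    again under egress.* keys, so adding both sides would double-count every circuit.
    """
    totals = defaultdict(lambda: {"rx": 0, "tx": 0})
    for ev in events:
        tags = ev.get("tags", {})
        key = (tags.get("clientId", "unknown"), tags.get("serviceId", "unknown"))
        usage = ev.get("usage", {})
        totals[key]["rx"] += usage.get("ingress.rx", 0)
        totals[key]["tx"] += usage.get("ingress.tx", 0)
    return dict(totals)


def flag_heavy_intervals(events, threshold_bytes_per_sec):
    """Flag reporting intervals whose ingress byte rate exceeds a threshold.

    Returns (clientId, serviceId, circuit_id, bytes_per_sec) tuples, so a SIEM rule
    can key the alert on the identity rather than on the router that reported it.
    """
    flagged = []
    for ev in events:
        usage = ev.get("usage", {})
        volume = usage.get("ingress.rx", 0) + usage.get("ingress.tx", 0)
        seconds = ev.get("interval_length") or 1
        rate = volume / seconds
        if rate > threshold_bytes_per_sec:
            tags = ev.get("tags", {})
            flagged.append((tags.get("clientId"), tags.get("serviceId"), ev.get("circuit_id"), rate))
    return flagged


if __name__ == "__main__":
    evs = parse_usage_events(SAMPLE_LOG)
    for key, total in bytes_by_identity_service(evs).items():
        print(key, total)
    for hit in flag_heavy_intervals(evs, threshold_bytes_per_sec=100_000):
        print("heavy interval:", hit)
```

The identity and service values are ids, not names; to label alerts you would resolve them once against the management API (for example `ziti edge list identities` and `ziti edge list services`) and join on the id in your SIEM.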
Thanks for the quick replies, I will check it out.
I've added the above events configuration and it does create the log file and log some information. That was not the best, but I also didn't configure what I want. I could be missing it, but is there a configuration flag for users connecting to the Ziti overlay, or for failed connections?
All of the logs and metrics coming from Ziti are id-based, so you don't typically find names in them. There are two ways to view connections and failed connections:
```yaml
subscriptions:
  - type: fabric.circuits   # every time an endpoint tries to dial a service, you'll get a fabric.circuits event
    include:
      - created      # this is an identity successfully dialing a service
      - failed       # this is an identity trying but failing to dial a service
      - pathUpdated
```
If you want more of just the metrics around this instead of the raw events, use the services namespace. That will give you counters around success, failures, timeouts, etc.
```yaml
subscriptions:
  - type: services
```
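With the `fabric.circuits` subscription above, "users connecting" and "failed connections" become `created` and `failed` events keyed by identity id. The following is an added example, not code from the OpenZiti project or from the poster: it parses those events, counts dial outcomes per identity, and flags an identity that racks up several failed dials inside a short sliding window, which is the pattern you would want a SIEM rule to catch (a misconfigured endpoint, or something probing services it has no terminator for). The sample events are constructed; the field names (`namespace`, `event_type`, `circuit_id`, `timestamp`, `client_id`, `service_id`, `failure_cause`) are an assumption about the event shape and the `failure_cause` strings are placeholders, so confirm both against your own log.

```python
"""Detect repeated dial failures in OpenZiti fabric.circuits events.

Added example, not code from the OpenZiti project. The sample events are constructed
and their field names are an ASSUMPTION about the fabric.circuits event shape.
"""
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: alice dials once successfully, mallory fails three times in 35 s
# (then once more later), bob fails a single time.
SAMPLE_EVENTS = """\
{"namespace":"fabric.circuits","event_type":"created","circuit_id":"c10","timestamp":"2024-01-10T12:00:01+00:00","client_id":"id-alice","service_id":"svc-ssh"}
{"namespace":"fabric.circuits","event_type":"failed","circuit_id":"c11","timestamp":"2024-01-10T12:00:05+00:00","client_id":"id-mallory","service_id":"svc-db","failure_cause":"NO_TERMINATORS"}
{"namespace":"fabric.circuits","event_type":"failed","circuit_id":"c12","timestamp":"2024-01-10T12:00:20+00:00","client_id":"id-mallory","service_id":"svc-db","failure_cause":"NO_TERMINATORS"}
{"namespace":"fabric.circuits","event_type":"pathUpdated","circuit_id":"c10","timestamp":"2024-01-10T12:00:30+00:00","client_id":"id-alice","service_id":"svc-ssh"}
{"namespace":"fabric.circuits","event_type":"failed","circuit_id":"c13","timestamp":"2024-01-10T12:00:40+00:00","client_id":"id-mallory","service_id":"svc-admin","failure_cause":"NO_TERMINATORS"}
{"namespace":"fabric.circuits","event_type":"failed","circuit_id":"c14","timestamp":"2024-01-10T12:07:00+00:00","client_id":"id-mallory","service_id":"svc-db","failure_cause":"NO_TERMINATORS"}
{"namespace":"fabric.circuits","event_type":"failed","circuit_id":"c15","timestamp":"2024-01-10T12:09:00+00:00","client_id":"id-bob","service_id":"svc-db","failure_cause":"NO_TERMINATORS"}
"""


def parse_circuit_events(text):
    """Parse JSON lines, keep only fabric.circuits events, attach a datetime, sort by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if ev.get("namespace") != "fabric.circuits":
            continue
        ev["ts"] = datetime.fromisoformat(ev["timestamp"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def dial_outcomes_by_client(events):
    """Counter of (client_id, event_type) for created/failed: the per-identity picture."""
    return Counter(
        (ev.get("client_id", "unknown"), ev["event_type"])
        for ev in events
        if ev["event_type"] in ("created", "failed")
    )


def repeated_dial_failures(events, threshold=3, window=timedelta(minutes=5)):
    """Flag a client the moment it has `threshold` failed dials inside a sliding `window`.

    Events must be time-ordered (parse_circuit_events sorts them). Each client is
    flagged once, with the window contents at the time it crossed the threshold.
    """
    recent = defaultdict(list)  # client_id -> [(ts, service_id)] still inside the window
    flagged = {}
    for ev in events:
        if ev["event_type"] != "failed":
            continue
        client = ev.get("client_id", "unknown")
        times = recent[client]
        times.append((ev["ts"], ev.get("service_id", "unknown")))
        while times and ev["ts"] - times[0][0] > window:
            times.pop(0)
        if len(times) >= threshold and client not in flagged:
            flagged[client] = {
                "first_failure": times[0][0].isoformat(),
                "last_failure": ev["ts"].isoformat(),
                "failures_in_window": len(times),
                "services": sorted({svc for _, svc in times}),
            }
    return flagged


if __name__ == "__main__":
    evs = parse_circuit_events(SAMPLE_EVENTS)
    print(dial_outcomes_by_client(evs))
    for client, detail in repeated_dial_failures(evs).items():
        print("repeated dial failures:", client, detail)
```

As the post says, everything here is id-based, so the alert names `id-mallory`, not a person; resolve ids to identity and service names via the management API (`ziti edge list identities`, `ziti edge list services`) and keep that mapping in your SIEM as a lookup table. The `services` subscription gives you the same success/failure/timeout picture as pre-aggregated counters, which is cheaper to ship when you do not need the per-dial detail.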