Logging/Alert System

[rwinstanley1]

📜 Description

Linked to issue alan-turing-institute/data-safe-haven-production#40 as part of requirements to have a system

• 6.1.1
  • system to identify data security and protection breaches
  • to work with the DSP Toolkit incident reporting tool?
• 6.1.4
  • potentially an alert to those responsible for data security built into the system?

requirements don't specify that for either of these it has to be a technical solution, but, was discussed previously that there was a desire for a technical logging solution by the team so think it's worth looking into. could be a combination of technical and manual processes for March (especially for the 'alert' part of requirement).

🍓 Desired behaviour

To have an (ideally) technical solution for logging and alerts.

📄 Tasks

Include specific tasks (if any) in the order in which they need to be done.

• Identify potential logging options that could be deployed in existing infrastructure.
• Find out if there is a way to automate system alerts at least partly, if not what would manual process look like?

[JimMadge]

Identify potential logging options that could be deployed in existing infrastructure.

Currently we use Azure Log Analytics to query logs in Azure Monitor(?). Feedback is that querying data is not very straightforward. How hard is it to integrate non-Azure things into this system, for example generic Linux logs in /var/log or logs in a container?

Alternatives worthconsidering,

• Graylog
• Logstash
• journalcheck
• logwatch

Find out if there is a way to automate system alerts at least partly, if not what would manual process look like?

A fully automated system seems unlikely, how can we automatically determine what should raise concern?

With one of the dashboard type solutions we could configure searches/dashboards to help filter useful information (e.g. authentication logs, antivirus logs). These should also let us create alerts for events which obviously merit investigation (e.g. antivirus positive results).

[JimMadge]

There is a question here of what needs to be logged. For example, we could (presumably) extract text and journald logs from the containers running internal webapps (GitLab, HackMD). I expect this would take more effort than getting similar data from the host OS on a VM and it feels like this information is less important. Due to the isolation model of the safe haven, if there is malicious activity on one of these webapps then the safe haven has already be compromised. (But maybe we should be more worried about people breaking out?)

Similarly, I expect we don't want to keep logs of users command history.

[JimMadge]

Graylog

• Ingest logs from journald, syslog, Windows eventlog, text, JSON via HTTP and others
• Uses elastic search
• Ansible role! and docker image options
• Alerts
• It looks like we might need to use Azure Monitor to interface with Azure logs (via Log Analytics)

[jemrobinson]

I think Docker can log to /var/log/syslog on the host OS. Also, I'm happy to take another look at auditd for ensuring that user-initiated events are logged in the syslog on the DSVM.

[JimMadge]

Plan

Technical

• Implement a centralised logging system using Graylog
• Log important information to the centralised system
  • DSVM activity
  • Malware alerts (clamav)
  • Internet facing services
• Alternatively, log more information than is necessary and rely on filters to find what is important/relevant
• Create alerts for obvious problems using Graylog API

Policy template

• The <safe haven admin> should respond to any alerts immediately by contacting the <person with overall responsibility for data security>
• Additionally the <safe haven admin> should regularly (every <1> <days/weeks>) inspect the items on the logging system for any problems and raise any issues as above

[JimMadge]

Current scope

• Deploy graylog server to SHM and configure for ingesting syslog
• Create 'events' on graylog for sudo access and clamav threats
• Configure DSVMs to send syslog data to graylog server

Future work

• Create email alerts (requires an SMTP email account)
• Ingest windows logs using https://docs.graylog.org/en/4.0/pages/sending/windows.html
• Ingest Azure logs using https://github.com/miguelangelopereira/azuremonitor2syslog as Azure function (using beats input for graylog)

[martintoreilly]

@JimMadge @jemrobinson Can someone spend a decent amount of time working with the Azure logging and log analytics / monitoring / reporting services to see if these can meet our needs? I feel we've not spent much serious effort on this yet. This feels like a good area to collaborate with closely with IT colleagues on, as they may well already be using some of these services to monitor our enterprise systems on Azure.

[martintoreilly]

In the GrayLog context, can we write to Azure storage / database with append only rights and access these for analysis / reporting / monitoring / alerting with read only rights?

[martintoreilly]

Looks like we can configure custom logs via Powershell for the Azure log analytics workspace.

[jemrobinson]

@martintoreilly There are certainly some logs (especially those to do with the Azure fabric/infrastructure) that are difficult to capture except with LogAnalytics. However, the main advantage of GrayLog is that it's not dependent on Azure which makes it easier to port to AWS (which is important for several potential endusers of this setup).

It looks like we should be able to forward Azure Monitor Logs to GrayLog using an Azure function. If this works then I'm reasonably comfortable in using GrayLog for log aggregation/alerting and possibly providing a useful dashboard which can ingest data:

• directly from Linux and Windows VMs
• indirectly from LogAnalytics for Azure-only components

This seems like the easiest way to plan for a multi-platform future.

[martintoreilly]

@jemrobinson Ok. I totally get the cross-platform argument, especially if it's also less / no more work that getting the Azure-only option working. My main concern is that ability to delete / edit logs is as restricted as possible, ideally to no more than the group who can deploy / delete infrastructure. Can we configure the underlying datastore for GrayLog so that only infrastructure admins can edit / delete log data and within-safe-haven-admins, local root on the Gray Log box or local root on any box contributing logging data to Gray Log can't?

[JimMadge]

Azure Monitor & Azure Sentinel

Azure Monitor

• Log aggregation (Monitor), querying (Log Analytics), dashboards and alerts
• Azure resource
• Requires log analytics agent on hosts (supports Ubuntu 18.04, 20.04 Windows Server 2016, 2019) or log analytics VM extension
• Agent forwards
  • syslogs on Linux hosts
  • Windows logs
  • VM Performance
• (Installation instructions, log analytics details/credentials are given at install time) Agent/VM extension can be installed via Powershell. See Setup_SRE_Logging.ps1 and Deployments.psm1#L845 for how we currently install the extension on SRE VMs.
• Custom logs are definable via Powershell (see example is docs)
• Logs are sent via HTTPS (over the internet? It is unclear whether this is only for 'on-prem') https://docs.microsoft.com/en-us/azure/azure-monitor/platform/log-analytics-agent#firewall-requirements
• Log analytics workspace must have globally unique name 🤯

Sentinel

• security information event management (SIEM) (focused on searching, visualising and querying logs rather than collecting)
• $2.46 per GB ingested pay-as-you-go pricing

[martintoreilly]

Setup_SRE_Logging.ps1 also used to configure the collection of various Windows and Linux performance counters and activation of Log Analytics insight features, but these seem to be missing from master. I can find them in commit 76127bd and they seem to be present when PR #877 was merged.

@jemrobinson @JimMadge Either of you know where we lost this?

Edit: It looks like it didn't actually make it into the original PR #743 merge where the changes were made, though I'm struggling to figure out why. The lines are definitely present in commit 198d960 via the "commits" tab of PR #743, but don't appear at all in the history of Setup_SRE_Logging.ps1 (going back from commit 98e1790) via the "files" tab of PR #743.

[jemrobinson]

@martintoreilly I think this is in Setup_SHM_Logging.ps1

[martintoreilly]

@martintoreilly I think this is in Setup_SHM_Logging.ps1

Yep. There it is. Thanks. I thought I was going mad.

My eyes weren't working and I didn't spot that it was the SHM logging setup file rather than the SRE one in commit 198d960.

[jemrobinson]

@JimMadge Here are some Microsoft docs that might be useful: how to bring syslog data into LogAnalytics and overview of Azure Monitor agents.

[JimMadge]

Ingesting Azure Monitor logs into Graylog

The scheme set out by the Forward Azure Monitor Logs to Syslog action looks fairly complicated. It involves,

• Azure Monitor
• Azure EventHub
• Function service
• Syslog server (in our case Graylog)

[JimMadge]

Steps required to ingest syslog from Linux VMs

• Deploy log analytics workspace and VM
• Create entries for each syslog facility (note that names are significant), enabling all severities, in log analytics workspace (seems only automatable through powershell)
• Install Azure Monitor for VMs using log analytics workspace name and primary (or secondary) key to link VMs to the workspace

Rough powershell,

$ResourceGroup = ""
$WorkspaceName = ""
$WorkspaceId = ""
$WorkspaceKey = ""
$VMName = ""
$Location = ""
$FacilityNames       = @()
$FacilityNames      += 'auth'
$FacilityNames      += 'authpriv'
$FacilityNames      += 'cron'
$FacilityNames      += 'daemon'
$FacilityNames      += 'ftp'
$FacilityNames      += 'kern'
$FacilityNames      += 'mail'
$FacilityNames      += 'syslog'
$FacilityNames      += 'user'
$FacilityNames      += 'uucp'

$Count = 0
foreach ($FacilityName in $FacilityNames) {
    $Count++
    $null = New-AzOperationalInsightsLinuxSyslogDataSource `
    -ResourceGroupName $ResourceGroupName `
    -WorkspaceName $WorkspaceName `
    -Name "Linux-syslog-$($Count)" `
    -Facility $FacilityName `
    -CollectEmergency `
    -CollectAlert `
    -CollectCritical `
    -CollectError `
    -CollectWarning `
    -CollectNotice `
    -CollectDebug `
    -CollectInformational
}

$Settings = @{
    "workspaceId" = $WorkspaceId
}
$ProtectedSettings = @{
    "workspaceKey" = $WorkspaceKey
}

Set-AzVMExtension -Name OMSLinux -ExtensionType OmsAgentForLinux -Publisher Microsoft.EnterpriseCloud.Monitoring -TypeHandlerVersion "1.13" -ResourceGroupName $ResourceGroup -VMName $VMName -Location $Location -Settings $Settings -ProtectedSettings $ProtectedSettings

[martintoreilly]

Azure monitor private endpoint

There's an Azure Monitor Private Endpoint that ensures two-way restriction of DSH / Monitor instance (i.e. our DSH can only connect to our Monitor instance and vice-versa) and that traffic to the various Azure monitor service endpoints runs over the Azure internal network.

Credit: Microsoft's Azure TRE design uses this.