chapter 18 Flashcards
the system health page provides information on:
the health of the primary and DR vaults
Number of concurrent sessions on the PSM
Connectivity status for PVWA, CPM, PSM, and PTA
number of accounts managed by the CPM
You can export consolidated information about the system health using the (blank)
REST API
system health - components
the following information is provided for each component:
ip address
version
component user
connectivity status: connected or disconnected
last logon date: the date when this component user last logged on to the vault
best practice - monitoring components
after installing the components, you can configure an email notification to be sent out if the component user or users become disconnected
this should be done for all component users you wish to monitor
examples include:
PVWAAppUser
PasswordManager
DR
Backup
enabled component monitoring - step 1
there is an email template that you can customize by going to options/notification settings/notification agent rules
locate the rule Component is inactive - template ID 206
Searching for 206 will bring you to the template, where you can edit the body parameter
Enable component monitoring - step 2
Use the (blank) to enable monitoring of a specific CyberArk component user account:
select the user and click update
in the general tab, check the box for: send email notification if component is not connected
PrivateArk Client
enable component monitoring - step 3
in (blank), you will need to add the parameter:
ComponentMonitoringInterval
A value of 1 means one minute will pass between checks
dbparm.ini
enabling component monitoring - step 4
the actions taken when the vault detects that a component is disconnected are defined in the parameter: ComponentNotificationThreshold
e.g.: CPM, Yes, 720, 1440
meaning: the CPM will be checked
Notifications will be sent
The first after 720 minutes
Subsequent notification will be sent every 1440 minutes
enabling component monitoring - step 5
in the event of a loss of communication between the component and the vault, there will now be an ITAlog error indicating the component’s loss of communication
and because we have enabled email notifications, (blank) (blank) will also get a notification in their inbox
vault admins
monitor via SNMP with remote control agent
remote control
the CyberArk remote control feature enables users to carry out a number of remote operations on the vault, DR vault, and ENE components. It consists of two elements:
(blank) (blank) (blank) - installed as part of the vault, both the primary and DR. A Windows service
Remote control client - a utility that runs from a command line interface. Executes tasks on a vault component where the remote control agent is installed. Does not require any other vault components to be installed on the same computer, not even the PrivateArk client
remote control agent
remote monitoring
the remote control agent can use (blank) to send vault traps to a remote terminal. This enables users to receive both operating system and vault information.
operating system information:
- CPU, memory and disk - usage
- event log notifications
- service status
component specific information
- primary and DR vault status
- primary and DR vault logs
CyberArk provides two MIB files (for SNMP v1 and SNMP v2) that describe the SNMP notifications that are sent by the vault. These files can be uploaded and integrated into the enterprise monitoring software
SNMP
remote monitoring - SNMP parameters
SNMPCommunity - the name of the location where the SNMP traps originated
MonitoredEventLogNames - the names of the event logs of activities that have taken place since the server started, such as application, security, and system. In Linux, specify the following files: /var/log/messages and /var/log/kernal
SNMPTrapsThresholdCPU - the interval in seconds between checks for CPU usage, the usage percentage threshold for SNMP traps, and the type of alerts that are written in the log. The threshold, retries, retry interval, and stateful values are optional
SNMPHostIP - the ip address of the remote computer where SNMP traps will be sent
SNMPTrapPort - the port through which SNMP traps will be sent to the remote computer. Specify either port 161 or 162
SNMPTrapInterval - the number of seconds that pass between notifications
remote administration
the (blank) allows administrators to do the following from the client:
- retrieve logs
- set parameters
- restart the vault
- restart services
- reboot the vault server
- retrieve machine statistics such as memory and processor usage
remote control agent
vault health monitoring via SIEM
to increase the visibility of CyberArk's solution, measurements can be sent from the vault via the syslog protocol and aggregated in the SIEM tool.
the vault can be configured to send health statistics to SIEM applications such as Splunk and ArcSight. This is done by setting the SendMonitorMessage parameter in dbparm.ini to yes
Statistics include transaction queue/execution time, number of tasks, cpu usage, and more
you should create a baseline specific to your environment to identify system trends and thresholds
monitor statistics regularly in order to detect variations from your baseline
application monitoring sample dashboards (splunk)
shows systemic issues with specific platforms
additional drill down can show trends for specific error messages
platforms at the top of the list can be prioritized to address the most widespread issues first
shows overall vault activity over time
can be customized by time range
trends can be stacked to compare current loads to historical loads
visualizes the impact of various replication cycles and EVD jobs
monitoring backup and DR replications
it is critical to be notified ASAP when backup and DR are not operating
the vault can be configured to send email notifications when the backup or DR users fail to connect after a specific time period
by default, these notifications are sent to the members of the vault admins group, although they can be sent to any predefined recipients.
in addition, a relevant message will be written to the (blank)
ITALog.log
enabling backup monitoring
to activate the backup status notification, you need to add the BackupNotificationThreshold parameter to (blank)
BackupNotificationThreshold=yes, yes, 48, 24, 12
1st Yes - Configures the vault to monitor missing replication
2nd Yes - Sends notifications whenever a missing replication is detected according to the following timeframes.
48 - First notification will be sent 48 hours after the missing procedure is detected
24 - subsequent notifications will be sent every 24 hours after that
12 - the backup replication status will then be checked every 12 hours
dbparm.ini
enabling monitoring of DR replications
to activate DR monitoring, you need to add the DRNotificationThreshold parameter to (blank)
DRNotificationThreshold=yes,yes,2,24,30m
1st yes - configures the vault to monitor missing DR user connections
2nd yes - sends notification whenever a missing connection is detected according to the following timeframes
2 - first notification will be sent 2 hours after the missing procedure is detected
24 - subsequent notification will be sent every 24 hours
30m - the DR status will then be checked every 30 minutes
dbparm.ini
CPM log rotation
during daily CPM operations, the log files folder and its subfolder can grow to a huge amount of data
- extremely large log files can lead to disk space issues on the CPM server and can make troubleshooting difficult
all the CPM log files can be automatically uploaded to a safe in the vault on a regular basis, according to the predefined time period.
LogCheckPeriod - the interval in hours after which the log files will be uploaded to the vault. It is recommended to upload CPM logs to a safe
LogSafeName - the name of the safe where the log files will be saved; old and obsolete log files are then automatically purged
CPM log rotation - configuration
Configure the (blank) to archive logs to the vault periodically using the LogCheckPeriod and LogSafeName parameters in the CPM settings.
Once the log safe has been defined, an automatic process will periodically remove old log files
CPM
Clearing Safe History
Periodically, you need to clear the Safe history
Only file versions and Safe history logs that have been held for longer than the time specified in the Safe Properties History window can be deleted
To clear the Safe History, select Clear Expired History from the Tools menu in the PrivateArk client, then Safe
When you open a Safe via the PrivateArk Client, you will be prompted to clear expired safe history
Recommended tasks
Weekly: check ITAlog.log once a week for a month
- if not much noise is found, change interval to every two weeks
- if you don't know what Normal looks like, it is harder to identify when something Abnormal occurs
Use the M&R guide and search the customer community to understand messages.
example of noise: the message "itats319w firewall contains external rules" will appear every 15 min with the default value of MonitorFWRulesInterval in dbparm.ini
Quarterly: Check license capacity to make sure you are not approaching license limits.
Check free space to make sure systems have adequate capacity
- if space is limited, check monthly or every other month
Recommended tasks
Quarterly: review, manage and test directory mappings
periodically (quarterly or annually): test the master account and password login procedure
periodically (quarterly or annually): test DR/BC failover procedures, including the password reset disk for the vault host administrator
annually (or periodically): schedule a formal CyberArk Security Services health check
recommended tasks
use the built-in capabilities of syslog and SIEM to monitor your environment
use the remote control agent for monitoring via SNMP
know where the logs are
diagram your environment with server names, IPs, server function, and current CyberArk version
make sure the archive logs setting is adequate for the amount of time that traces and LC (logic container) logs need to be archived
- ideally, having 24 hours of archived traces would be preferred from a support perspective
- vault traces and LC logs are located in the same archive folder
make sure you provide support with the correct log when requested
have a tool like LogExpert to read and search logs for troubleshooting
recommended tasks
make sure the CPMs are configured to auto-rotate logs
configure the Send Email Notification if Component is not Connected option