18-PAM-ADMIN-System-Monitoring.pdf
CyberArk University
2023
PAM Administration
System Monitoring and Common Administrative Tasks
© 2023 CyberArk Software Ltd. All rights reserved

Agenda
By the end of this session, you will be able to:
− Monitor the system health via various methods:
  ⎼ REST
  ⎼ Email
  ⎼ SIEM
  ⎼ SNMP
− Monitor replications and DR status
− Perform common administrative tasks related to system maintenance

System Monitoring
− Monitoring components via REST and the System Health pane
− Monitoring components via email notifications
− Monitoring components via SIEM
− Monitoring components via SNMP
− Monitoring replications and DR

Monitoring System Health via REST

System Health
You can export consolidated information about the system health using the REST API.
The System Health page provides information on:
− The health of the Primary and DR Vaults
− Connectivity status for PVWA, CPM, PSM and PTA
− Accounts managed by CPM
− PSM concurrent sessions

System Health – Components
The following information is provided for each component:
− IP Address
− Version
− Component User
− Connectivity Status:
  ⎼ Connected
  ⎼ Disconnected
− Last Log On Date:
  ⎼ The date when this component user last logged on to the Vault

Monitoring via Email Notifications

Best Practice – Monitoring Components
After installing the components, you can configure email notifications to be sent out if the components' user or users become disconnected. This should be done for all component users you wish to monitor. Examples include:
⎼ PVWAAppUser
⎼ PasswordManager
⎼ DR
⎼ Backup
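The System Health component view and the best-practice list above, as an added example that is not part of the deck or CyberArk's code: a small check that reads a health report shaped like the per-component fields on the System Health slide and flags every recommended component user that is disconnected or absent from the report. The JSON field names and sample values are constructed assumptions; the REST endpoint and its real response schema are not on the slide.

```python
import json

# Component users the deck recommends monitoring.
MONITORED_USERS = ("PVWAAppUser", "PasswordManager", "DR", "Backup")

# Constructed sample shaped like the per-component fields on the System Health
# slide (IP, version, component user, connectivity, last log on). The field
# names and values are assumptions, not the documented REST response schema.
SAMPLE_HEALTH = json.dumps({"ComponentsDetails": [
    {"ComponentIP": "10.1.0.11", "ComponentVersion": "13.0.0",
     "ComponentUserName": "PVWAAppUser", "IsLoggedOn": True,
     "LastLogonDate": 1700000000},
    {"ComponentIP": "10.1.0.21", "ComponentVersion": "13.0.0",
     "ComponentUserName": "PasswordManager", "IsLoggedOn": False,
     "LastLogonDate": 1699990000},
    {"ComponentIP": "10.1.0.31", "ComponentVersion": "13.0.0",
     "ComponentUserName": "DR", "IsLoggedOn": True,
     "LastLogonDate": 1700000000},
]})

def evaluate_health(payload, now_epoch, monitored=MONITORED_USERS):
    """Return {user: status}: 'ok', 'disconnected ...' or 'missing'."""
    details = {c["ComponentUserName"]: c
               for c in json.loads(payload)["ComponentsDetails"]}
    report = {}
    for user in monitored:
        comp = details.get(user)
        if comp is None:
            # Not reported at all: treat as needing investigation, not as healthy.
            report[user] = "missing"
        elif comp["IsLoggedOn"]:
            report[user] = "ok"
        else:
            # Hours since the component user last logged on to the Vault.
            hours = (now_epoch - comp["LastLogonDate"]) // 3600
            report[user] = (f"disconnected {hours}h "
                            f"(last logon from {comp['ComponentIP']})")
    return report

def alerts(report):
    """Users that need attention: everything that is not 'ok'."""
    return sorted(u for u, s in report.items() if s != "ok")

if __name__ == "__main__":
    report = evaluate_health(SAMPLE_HEALTH, now_epoch=1700003600)
    for user, status in report.items():
        print(f"{user:16} {status}")
    print("alerts:", alerts(report))
```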
Enabling Component Monitoring – 1
There is an email template that you can customize by going to:
Options / Notification Settings / Notification Agent Rules
Locate the rule Component is inactive (Template ID: 206). Searching for "206" will bring you to the template, where you can edit the Body parameter.

Enabling Component Monitoring – 2
Use the PrivateArk Client to enable monitoring of a specific CyberArk component user account:
− Select the user and click Update
− In the General tab, check the box for: Send email notification if component is not connected

Enabling Component Monitoring – 3
In dbparm.ini, you will need to add the parameter: ComponentMonitoringInterval
A value of 1 means one minute will pass between checks.

Enabling Component Monitoring – 4
The actions taken when the Vault detects that a component is disconnected are defined in the parameter: ComponentNotificationThreshold
E.g.: CPM, Yes, 720, 1440
− CPM will be checked.
− Notifications will be sent.
− The first after 720 minutes.
− Subsequent notifications sent every 1440 minutes.

Enabling Component Monitoring – 5
In the event of a loss of communication between the component and the Vault, there will now be an ITAlog error indicating the component's loss of communication. And because we have enabled email notifications, Vault Admins will also get a notification in their in-box.

Monitor via SNMP With Remote Control Agent

Remote Control
The CyberArk Vault Remote Control feature enables users to carry out a number of remote operations on the Vault, DR Vault, and ENE components. It consists of two elements:
− Remote Control Agent
  ⎼ Installed as part of the Vault, both the Primary and DR
  ⎼ Windows service
− Remote Control Client
  ⎼ A utility that runs from a command line interface
  ⎼ Executes tasks on a Vault component where the Remote Control Agent is installed
  ⎼ Does not require any other Vault components to be installed on the same computer, not even the PrivateArk Client

Remote Monitoring
The Remote Control Agent can use SNMP to send Vault traps to a remote terminal. This enables users to receive both Operating System and Vault information:
− Operating System Information
  ⎼ CPU, memory, and disk usage
  ⎼ Event log notifications
  ⎼ Service status
− Component-specific Information
  ⎼ Primary and DR Vault status
  ⎼ Primary and DR Vault logs
CyberArk provides two MIB files (for SNMP v1 and SNMP v2) that describe the SNMP notifications that are sent by the Vault. These files can be uploaded and integrated into the enterprise monitoring software.

Remote Monitoring – SNMP Parameters
For a complete list of parameters, refer to the CyberArk PAM Self-Hosted documentation: https://docs.cyberark.com

Remote Administration
The Remote Control Agent allows administrators to do the following from the Client:
− Retrieve logs
− Set parameters
− Restart the Vault
− Restart services
− Reboot the Vault server
− Retrieve machine statistics such as memory and processor usage

Monitor via SIEM

Vault Health Monitoring via SIEM
To increase the visibility of CyberArk's solution, measurements can be sent from the Vault via the syslog protocol and aggregated in a SIEM tool. The Vault can be configured to send health statistics to SIEM applications such as Splunk and ArcSight. This is done by setting the SendMonitorMessage parameter in dbparm.ini to yes. Statistics include transaction queue/execution time, number of tasks, CPU usage, and more. You should create a baseline specific to your environment to identify system trends and thresholds.
Monitor statistics regularly in order to detect variations from your baseline.

Application Monitoring Sample Dashboards (Splunk)
− Shows systemic issues with specific platforms
− Additional drill-down can show trends for specific error messages
− Platforms at the top of the list can be prioritized to address the most widespread issues first

Application Monitoring Sample Dashboards (Splunk)
− Shows overall Vault activity over time
− Can be customized by time range
− Trends can be stacked to compare current loads to historical loads
− Visualizes impact from various replication cycles and EVD jobs

Monitoring Replications

Monitoring Backup and DR Replications
It is critical to be notified ASAP when Backup and DR are not operating. The Vault can be configured to send email notifications when the Backup and DR users fail to connect after a specific time period. By default, these notifications are sent to the members of the Vault Admins group, although they can be sent to any predefined recipients. In addition, a relevant message will be written in ITALog.log.

Enabling Backup Monitoring
To activate the Backup Status Notification, you need to add the BackupNotificationThreshold parameter to dbparm.ini:
BackupNotificationThreshold=Yes,Yes,48,24,12
− Configures the Vault to monitor missing replication
− Sends notifications whenever a missing replication is detected according to the following timeframes:
  ⎼ First notification will be sent 48 hours after the missing procedure is detected
  ⎼ Subsequent notifications will be sent every 24 hours after that
− The backup replication status will then be checked every 12 hours

Enabling Monitoring of DR Replications
To activate DR monitoring, you need to add the DRNotificationThreshold parameter to dbparm.ini:
DRNotificationThreshold=Yes,Yes,2,24,30m
− Configures the Vault to monitor missing DR User connections
− Sends notifications whenever a missing connection is detected according to the following timeframes:
  ⎼ First notification will be sent 2 hours after the missing connection is detected
  ⎼ Subsequent notifications will be sent every 24 hours after that
− The DR status will then be checked every 30 minutes

Common Tasks
− Rotate CPM Logs
− Clearing Safe history
− Other common tasks

CPM Log Rotation
During daily CPM operations, the log files folder and its subfolders can grow to a huge amount of data. Extremely large log files can lead to disk space issues on the CPM server and can make troubleshooting difficult. All the CPM log files can be automatically uploaded to a Safe in the Vault on a regular basis, according to a predefined time period:
− LogCheckPeriod: the interval in hours after which the log files will be uploaded to the Vault
− LogSafeName: the name of the Safe where the log files will be saved
It is recommended to upload CPM logs to a Safe and then automatically purge old and obsolete log files.

CPM Log Rotation – Configuration
Configure the CPM to archive logs to the Vault periodically using the LogCheckPeriod, LogSafeName and related parameters in CPM Settings. Once the log Safe has been defined, an automatic process will periodically remove old log files.
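The three dbparm.ini threshold parameters on the slides above (ComponentNotificationThreshold, BackupNotificationThreshold and DRNotificationThreshold) share one comma-separated layout. The following added example, not CyberArk's code, parses them from a constructed dbparm.ini excerpt and derives the email schedule each one produces; it treats component values as minutes and Backup/DR values as hours unless suffixed with m, which is how the 30m check interval on the DR slide reads.

```python
import re

# Constructed dbparm.ini excerpt using the example values from the slides.
SAMPLE_DBPARM = """
ComponentMonitoringInterval=1
ComponentNotificationThreshold=CPM, Yes, 720, 1440
BackupNotificationThreshold=Yes,Yes,48,24,12
DRNotificationThreshold=Yes,Yes,2,24,30m
"""

def to_minutes(token, unit):
    """'30m' -> 30; '24' -> 1440 when the parameter's default unit is hours."""
    token = token.strip().lower()
    if token.endswith("m"):
        return int(token[:-1])
    return int(token) * (60 if unit == "h" else 1)

def parse_threshold(name, value):
    """Normalise the two parameter layouts into one dict (times in minutes)."""
    f = [x.strip() for x in value.split(",")]
    if name == "ComponentNotificationThreshold":
        # component, notify, first after, then every  -- all in minutes
        return {"target": f[0], "monitor": True, "notify": f[1].lower() == "yes",
                "first": to_minutes(f[2], "m"), "every": to_minutes(f[3], "m"),
                "check": None}
    # Backup/DR: monitor, notify, first after, then every, check interval (hours)
    return {"target": name.replace("NotificationThreshold", ""),
            "monitor": f[0].lower() == "yes", "notify": f[1].lower() == "yes",
            "first": to_minutes(f[2], "h"), "every": to_minutes(f[3], "h"),
            "check": to_minutes(f[4], "h")}

def load_thresholds(ini_text):
    """Return {parameter name: parsed spec} for every *NotificationThreshold line."""
    found = re.findall(r"^\s*(\w+NotificationThreshold)\s*=\s*(.+?)\s*$", ini_text, re.M)
    return {name: parse_threshold(name, value) for name, value in found}

def notification_times(spec, horizon):
    """Minutes after a failure is detected at which an email goes out, up to horizon."""
    if not (spec["monitor"] and spec["notify"]):
        return []
    times, t = [], spec["first"]
    while t <= horizon:
        times.append(t)
        t += spec["every"]
    return times

if __name__ == "__main__":
    for name, spec in load_thresholds(SAMPLE_DBPARM).items():
        print(f"{name}: check every {spec['check']} min, "
              f"emails at {notification_times(spec, 3 * 24 * 60)} min")
```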
Clearing Safe History
Periodically, you need to clear the Safe history. Only file versions and Safe history logs that have been held for longer than the time specified in the Safe Properties History window can be deleted.
To clear the Safe History, in the PrivateArk Client select Clear Expired History from the Tools menu, then Safe. When you open a Safe via the PrivateArk Client, you will be prompted to clear expired Safe history.

Recommended Tasks
WEEKLY
− Check ITAlog.log once a week for a month. If not much noise is found, change the interval to every two weeks.
− If you don't know what Normal looks like, it is harder to identify when something Abnormal occurs.
− Use the M&R guide and search the Customer Community to understand messages.
− Example of noise: the message "ITATS319W Firewall contains external rules." will appear every 15 min with the default value of MonitorFWRulesInterval in dbparm.ini.
QUARTERLY
− Check license capacity to make sure you are not approaching license limits.
− Check free space to make sure systems have adequate capacity. If space is limited, check monthly or every other month.

Recommended Tasks
QUARTERLY
− Review, manage, and test directory mappings.
− Periodically (quarterly, annually) test the Master account and password login procedure.
− Periodically (quarterly, annually) test DR/BC failover procedures, including the password reset disk for the Vault host administrator.
ANNUALLY
− Schedule a formal CyberArk Security Services Health Check annually / periodically.

Recommended Tasks
− Use the built-in capabilities of Syslog and SIEM to monitor your environment.
− Use the Remote Control Agent for monitoring via SNMP.
− Know where the logs are.
− Diagram your environment with server names, IPs, server function, and current CyberArk version.
− Make sure the archive logs setting is adequate for the amount of time traces and LC (Logic Container) logs need to be archived.
  ⎼ Ideally, having 24 hours of archived traces would be preferred from a support perspective.
  ⎼ Vault traces and LC logs are located in the same archive folder. Make sure you provide Support with the correct log when requested.
− Have a tool like LogExpert to read logs and search logs for troubleshooting.
− Check the Visio/PowerPoint Stencils here: https://cyberark-customers.force.com/s/article/Official-Visio-and-PowerPoint-CyberArk-icons

Recommended Tasks
− Make sure the CPMs are configured to auto-rotate logs.
− Configure the Send Email Notification if Component is not Connected option.

Summary
In this session we covered:
− Monitoring various CyberArk components
− Common Administrative Tasks

Additional Resources
− Documentation
− CyberArk Technical Community
− Support Vault