Introduction

JS7 - Log Management is offered with JOC Cockpit acting as a central point for monitoring log output created by JS7 products.

The Log Management Notification Service is available from JOC Cockpit within the scope of JS7 - Services.

  • Service
    • The service is compliant with RFC 5424, the Syslog Protocol.
    • The Log Management Notification Service offers restart capabilities: in case of fail-over or switch-over of JOC Cockpit, the Log Management Notification Service becomes available from the active JOC Cockpit instance.
  • Clients
    • The JS7 products JOC Cockpit, Controller and Agents can act as clients to the Log Management Notification Service. The products can be configured to report warnings and errors from log output to the JS7 Log Management Notification Service.
    • Users can enable forwarding of log output per instance of the JS7 products Controller and Agent during installation, or later on by adjusting the Log4j2 configuration.
  • User Interface
    • JOC Cockpit offers the user interface to access and to query log output.

Feature availability: starting from release 2.7.2

Configuration

The Log Management Notification Service is configured with JOC Cockpit's Settings page:

  • Log_server_active (Default: false)
    • Specifies that the Log Management Notification Service is started with JOC Cockpit.
  • log_server_port (Default: 4245)
    • Specifies the UDP port on which the Log Management Notification Service listens.
  • log_server_max_messages_per_second (Default: 1000)
    • Specifies the maximum number of messages per second that the Log Management Notification Service will process.

Life Cycle

...

Users can specify the retention period for log data with the Cleanup Service.

Delimitation

Due to limitations of the underlying Syslog Protocol, the JS7 Log Management Notification Service does not meet advanced requirements for security, resilience and high availability.

The Log Management Notification Service is offered for convenience; the authoritative source of log output remains the log files created by JS7 products.

Security

The Syslog Protocol does not cover authentication of clients:

  • Log messages can be faked by malicious 3rd-party components, as the JS7 Log Management Notification Service cannot authenticate and reliably identify the source of log output.
  • Users should be cautious when taking action based on messages that arrive with the JS7 Log Management Notification Service: severe messages that suggest immediate action should be verified against the JS7 product's log files.

...

  • Flooding of messages is a possible attack scenario that is not covered by the Syslog Protocol.
  • The JS7 Log Management Notification Service will try to identify such scenarios and will limit processing of messages. The behavior is intended to keep JOC Cockpit operational in case of denial-of-service (DoS) attacks.

Resilience

The Log Management Notification Service accepts messages sent via the UDP protocol only.

  • TCP connections are out of scope due to their blocking nature.
  • UDP messages are accepted if they do not exceed 4000 characters.

The Log Management Notification Service performs input sanitization.

  • Messages sent to the Log Management Notification Service must comply with the above Log4j configuration; otherwise they are dropped.
  • Messages carrying unacceptable input will be dropped.
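
The acceptance rules described on this page (RFC 5424 format, the 4000-character limit, a per-second message cap and dropping of unacceptable input), as an added Python sketch that is not the JS7 implementation. The names `Gate` and `check`, the fixed one-second window and the treatment of control characters as unacceptable input are assumptions.

```python
import re

MAX_CHARS = 4000        # message size limit stated on this page
MAX_PER_SECOND = 1000   # default of log_server_max_messages_per_second

# RFC 5424 header: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD [MSG]
RFC5424 = re.compile(
    r"<(\d{1,3})>1 "
    r"(?:-|\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d(?:\.\d{1,6})?(?:Z|[+-]\d\d:\d\d)) "
    r"[!-~]{1,255} [!-~]{1,48} [!-~]{1,128} [!-~]{1,32} "
    r"((?:-|\[).*)",
    re.DOTALL,
)


class Gate:
    """Accept/drop decision per UDP datagram, fixed one-second rate window."""

    def __init__(self, limit=MAX_PER_SECOND):
        self.limit, self.window, self.count = limit, None, 0

    def check(self, datagram: bytes, now: float):
        """Return (accepted, reason). HOSTNAME is sender-supplied and over UDP
        the source address can be spoofed, so neither identifies the client."""
        if int(now) != self.window:
            self.window, self.count = int(now), 0
        self.count += 1          # junk counts too, so a flood cannot bypass the cap
        if self.count > self.limit:
            return False, "rate limit"
        try:
            text = datagram.decode("utf-8")
        except UnicodeDecodeError:
            return False, "not UTF-8"
        if len(text) > MAX_CHARS:
            return False, "too long"
        m = RFC5424.fullmatch(text)
        if m is None:
            return False, "not RFC 5424"
        if int(m.group(1)) > 191:            # PRI = facility * 8 + severity
            return False, "bad PRI"
        # Assumption: control characters count as "unacceptable input"; a raw
        # newline would let one datagram forge a second log line.
        if any(ord(c) < 32 and c != "\t" for c in m.group(2)):
            return False, "control characters"
        return True, "ok"


# Constructed sample: facility 1 (user), severity 3 (error) -> PRI 11.
SAMPLE = b"<11>1 2024-05-01T10:00:00.000Z agent-host js7_agent 4711 - - Order failed"
```

A message that passes every check is still unauthenticated, so the verification against the product's log files described under Security applies to accepted messages as well.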

High Availability

The JS7 Log Management Notification Service offers restart capabilities when operated from a JOC Cockpit cluster:

  • This allows the service to switch from a current JOC Cockpit instance to the next active JOC Cockpit instance.
  • Switching to a different host operating the active JOC Cockpit instance means that the hostname of the Log Management Notification Service changes. Users can set up a Proxy Service that forwards log messages to the currently active JOC Cockpit instance.

...