Introduction

JS7 allows offers Log Management with JOC Cockpit offering a central view for monitoring of log output and dispatch of notifications created by JS7 products.Controller, Agents & JOC Cockpit instances.

• JS7 - Notifications from Logs
  • Service
    • The JS7 - Log
    Management
    • Notification Service is
    compliant to RFC5424, aka Syslog Protocol.
  • The Log Management Service is available from JOC Cockpit within the scope of JS7 - Services.
  • • used to collect warnings and errors from log output of Controller & Agent instances. JOC Cockpit notifications are created directly and without use of the service.
    • The service is compliant to RFC5424, aka Syslog Protocol and offers restart capabilities
    The Log Management Service offers restart capabilities: in case of fail-over or switch-over of JOC Cockpit the Log Management Service will become available from the active JOC Cockpit instance
    • .
  • Clients
    • The JS7
    products, JOC Cockpit, Controller and Agents
    • Controller & Agent instances can act as clients to the Log
    Management
    • Notification Service. The products can be configured to report log output to the Log
    Management
    • Notification Service
    .In addition, log output of JS7 products is always written to local log files.
    • , for details see JS7 - Log Configuration for use with System Notifications
    • Users have a choice to enable forwarding of log output per instance of
    a JS7 product
    • Controller & Agent during installation or later on by adjusting the
    Log4j2
    • Log4j configuration.
     
  • User Interface
    • The JOC Cockpit offers System Notifications from the JS7 - Monitor view.
    • The JOC Cockpit offers JS7 - Notifications - Configuration for forwarding notifications by mail, from command line tools etc.
• Access to Logs
  • The JOC Cockpit offers near real-time access to logs of distant Controller and Agent instances.
  • Log Replication is offered to store logs to a central location.

Notifications from Logs

Notifications are introduced with the following releases:

Log Management Service becomes available from

Service

The JS7 - Log Notification Service is available from the active JOC Cockpit instance within the scope of JS7 - Services.

The service creates notifications from warnings and errors of Controller & Agent instances.

Clients

...

By default the Log4j configuration of JS7 products Controller & Agent instances will not make use of the Log Management Notification Service. Instead, users choose for which instances of JS7 products they want to send log output forward warnings and errors to the Log Management Notification Service.

Controller Log4j2 Configuration

The following Log4j2 configuration is available from the log4j2.xml-example file in the Controller's <controller-data>/config directory:

<Appenders>
    <Syslog name="RFC5424" format="RFC5424" host="localhost" port="4514"
            protocol="UDP" charset="UTF-8" facility="LOCAL0" newLine="false">
        <PatternLayout pattern="<134>1 %d{ISO8601}{ETC/UTC}Z ${hostName} JS7 Controller {
"host":"${hostName}",
"controllerId":"${ControllerId}",
"thread":"%t",
"level":"%p",
"logger":"%c{1}",
"message":"%enc{%m}{JSON}",
"thrown":"%enc{%throwable{10}}{JSON}"
}"
        />
    </Syslog>
</Appenders>

Explanations:

• tbd

Agent Log4j2 Configuration

The following Log4j2 configuration is available from the log4j2.xml-example file in the Agent's <agent-data>/config directory:

<Appenders>
    <Syslog name="RFC5424" format="RFC5424" host="localhost" port="4514"
            protocol="UDP" charset="UTF-8" facility="LOCAL0" newLine="false">
        <PatternLayout pattern="<134>1 %d{ISO8601}{ETC/UTC}Z ${hostName} JS7 Controller {
"host":"${hostName}",
"controllerId":"${ControllerId}",
"agentId":"...",
"level":"%p",
"logger":"%c{1}",
"message":"%enc{%m}{JSON}",
"thrown":"%enc{%throwable{10}}{JSON}"
}"
        />
    </Syslog>
</Appenders>

Explanations:

• tbd

JOC Cockpit Log4j2 Configuration

The following Log4j2 configuration is available from the log4j2.xml-example file in the JOC Cockpit's <jetty-base>/resources/joc directory:

<Appenders>
    <Syslog name="RFC5424" format="RFC5424" host="localhost" port="4514"
            protocol="UDP" charset="UTF-8" facility="LOCAL0" newLine="false">
        <PatternLayout pattern="<134>1 %d{ISO8601}{ETC/UTC}Z ${hostName} JS7 Controller {
"host":"${hostName}",
"controllerId":"${ControllerId}",
"agentId":"...",
"level":"%p",
"logger":"%c{1}",
"message":"%enc{%m}{JSON}",
"thrown":"%enc{%throwable{10}}{JSON}"
}"
        />
    </Syslog>
</Appenders>

Explanations:

• tbd

Delimitation

The JS7 Log Management Service offers access to log output of JS7 products from JOC Cockpit as a central point of monitoring & control.

Due to limitations of the underlying Syslog Protocol the JS7 Log Management Service does not meet elaborated requirements for security, resiĺience and high availability.

The Log Management Service is offered for convenience purposes, the authoritative source of log output remains with log files created by JS7 products.

Security

The Syslog Protocoll does not cover authentication of Clients:

• Log messages could be faked by malicious 3rd-party components as the JS7 Log Management Service cannot authenticate and reliably identify the source of log output.
• Users are warned in case that they take action based on messages arriving with the JS7 Log Management Service: severe messages that suggest immediate action should be verified from the JS7 product's log files.

The Syslog Protocol is exposed to denial-of-service attacks:

• Flooding of messages is a possible scenario for attacks that is not covered by the Syslog Protocol.
• The JS7 Log Management Service will try to identify such scenarios and will shut down. The behavior is intended to keep the JOC Cockpit operational in case of DNS attacks.

Resilience

The Log Management Service accepts messages sent via the UDP protocol only.

• TCP connections are out of scope due to their blocking nature.
• UDP messages are accepted if they do not exceed 4000 characters..

The Log Management Service performs input sanitization.

• Messages sent to the Log Management Service must be compliant to the above Log4j configuration and otherwise will be dropped.
• Messages carrying unacceptable input will be dropped.

High Availability

The JS7 Log Management Service offers restart capabilities when operated from a JOC Cockpit cluster:

• This allows the service to switch from a current JOC Cockpit instance to the next active JOC Cockpit instance.
• Switching to a different host operating the active JOC Cockpit instance includes that the hostname of the Log Management Service will change. Users can set up a Proxy Service that will forward log messages to the currently active JOC Cockpit instance.

If no JOC Cockpit instance is active, then no log messages can be picked up:

...

See JS7 - Log Configuration for use with System Notifications

User Interface

The JS7 - Monitor view is available to display System Notifications.

Access to Logs

Access to log files from JOC Cockpit is introduced with the following releases:

...