NXLog User Guide
- OS Support
- Enterprise Edition Reference Manual
- NXLog Manager
- 154. Introduction
- 155. System Requirements
- 156. Supported Platforms
- 157. Installation
- 158. Dashboard and Menu
- 159. Fields
- 160. Patterns
- 161. Correlation
- 162. Agents
- 163. Templates
- 164. Agent Groups
- 165. Certificates
- 166. Settings
- 167. Users, Roles, and Access Control
- NXLog Add-Ons
To configure various system components, click on the SETTINGS menu item under the ADMIN menu. Each tab is discussed in the successive sections.
The agent manager is responsible for connecting to the NXLog agents or accepting connections to establish a secure trusted channel which is used to manage and administer the agents remotely. Each NXLog agent is queried by the agent manager every 60 seconds for status information.
The above screenshot shows the Agent manager tab where its parameters can be configured.
The agent manager can both accept and initiate connections to the agents. Enable the Accept agent connections checkbox to let the agent manager accept incoming connections from agents.. Enable the Initiate connection to agents checkbox to let the agent manager initiate the connection.
|For these settings to work, the agents must be configured accordingly. See the Agent Connection type configuration parameter.|
These options have the following configuration parameters:
- Listen address
When Accept agent connections is requested, the IP address of the interface must be specified. Use 0.0.0.0 to listen on all interfaces.
When Accept agent connections is requested, the port number must be specified where the agent manager will listen on for incoming connections.
The CA configured here is used to verify the certificate presented by the NXLog agent during the SSL handshake.
The certificate configured here will be used to authenticate to the NXLog agent during the SSL handshake.
For security reasons certificate private keys in the database are stored in an encypted form. These are encrypted with a master key which is accessible to users who have ROLE_ADMINISTRATOR and/or ROLE_CERTIFICATE access rights. The agent manager’s private key is required to be able to estabilish the trusted control connection with the agents. Enable the Don’t encrypt agent manager’s private key option for the system to be able to operate in an unattended mode. Otherwise the agent manager connection will only work after a reboot/restart after a successfull admin login.
Another security option is Subject Name Authorization. There are 3 options:
- Warn if untrusted.
When this option is selected, agent manager will accept agents which try to authorize with Subject Name other than their reverse DNS, and will mark them as Forged.
- Reject agent.
When this option is selected, agent manager will reject agents which try to authorize with Subject Name other than their reverse DNS.
When this option is selected, agent manager will ignore the mismatch between Subject Name and reverse DNS for connected agents.
Due to Subject Name Authorization and the specifics of some networks, like NAT for example, agent manager must have some policy for names of connected agents which will appear on the Agent list. Agent manager supports 3 options for Agent name:
- Use reverse DNS name, else IP address.
When this option is selected, agent manager will try to resolve the Fully Qualified Domain Name of connected agents. If resolving fails, it’ll use agent’s IP address.
- Use reverse DNS name, else certificate subject name.
When this option is selected, agent manager will try to resolve the Fully Qualified Domain Name of connected agents. If resolving fails, it’ll use agent certificate’s Subject Name.
- Use certificate subject name.
When this option is selected, agent manager will always use agent certificate’s Subject Name. This option is the only reasonable choice for NAT networks.
|When one of last 2 options is selected and a NXLog agent doesn’t authorize with valid client certificate, but the manager demands Subject Name, the agent will be rejected.|
There can be defined also per agent rules for Subject Name Authorization and Agent Name by clicking the button "Add override". The following dialog will appear:
There are 3 types of hosts which can be defined: exact name or IP address; name or IP address regular expression and IP address range. An option exists to verify host definition against real host. The overridden rules will appear as list under the global manager rules.
Later on these specific rules can be modified and/or deleted.
Click Save & Restart to apply the changes. The Status field will display the status of the agent manager.
This form is divided in two sections: Certificate defaults and Certificates provider:
- Certificate defaults
This form can be used to set common parameters which are used during certificate creation. Most of these attributes are pretty common, though there are some that deserve a direct mention:
- Encrypt private keys
If this is enabled, certificate keys will be stored encrypted in the database, see certificates encryption for more information.
|By default on a new system with a blank database, this setting will be disabled. If this setting is enabled, you must always have an available administrator user which can unlock the keys after log-in. Losing the encryption key in one way or another will make private keys practically lost and the certificates unusable.|
|This feature must be taken very seriously and practice special care when enabling it.|
- Keystore type
This is the type that NXLog Manager will use during runtime when dealing with certificates. By default it is BKS, which is considered more secure than default java keystore JKS. However on rare occasions BKS does not have enough support for some certificates, one of which is Elliptic Curve certificates, that is created by some external tools (NXLog Manager uses only RSA encryption). If such certificates are planned for use, there is an option to change the keystore type to JCEKS instead.
|RSA encryption is the default type until another type of certificate has been used. For example, if EC certificate is imported in the system, it switches to EC encryption.|
- Signature hash algorithm
By default - SHA256 though it can be changed.
- Key size
By default - 2048. Currently considered as unbreakable. In the near future it is recommended that a longer length be used. Currently 3072 is considered safe until year 2030 with existing hardware architectures. A length of 4096 is practically unbreakable.
- Certificates provider
The Certificates provider option makes it possible to use a PKCS11 compliant backend to store certificates and private keys instead of using the default configuration database. The PKCS11 API is implemented by most smart cards and HSM devices, which can be used to securely store private keys.
To be able to send notification emails, an SMTP server is required. The Mail tab provides a form where the SMTP server settings can be specified.
The full NXLog Manager configuration can be backed up to an encrypted file. The configuration can be restored using a backup file on the same form. This configuration backup can be scheduled to make it run automatically at a specific time. The system will send an email notification if an email address is provided.
The License tab provides a form where the license file can be uploaded and the license details are shown.
If the license is invalid or expired, a message will be displayed in a horizontal red band as shown in the following image.
This form is divided in two sections: Settings and Change password:
The User Settings tab allows to the logged in user to change his/her name, email address, user interface language and theme. The email address will be used for system notifications.
- Change password
The Change Password tab allows to the logged in user to change his/her password.