Hello,
We have IBM VIOS servers running AIX and we need to monitor them, mainly in terms of security.
Does anyone have experience with that? Did you install a Splunk Universal Forwarder, or are you sending data out via syslog?
Thanks a lot,
Edoardo
Hello @edoardo_vicendo,
We have been venturing into the world of VIOS to Splunk ourselves. VIOS is an animal all on its own. We can tailor these 'appliances' any way we choose from a logging and monitoring perspective. We don't mess with the O/S or the base purpose of the appliance, which is virtualizing Ethernet and physical I/O adapters. Since we drive off NMON, which is base O/S code, we won't break anything on an upgrade. NMON has been around for decades.
Using Metricator for nmon and the Splunk Universal Forwarder, we are able to get our VIOS data into a Splunk index, and the Metricator dashboards come to life! It's a beautiful thing! We have 36 VIOS in our IBM i footprint to install. We have over 100 to do, including the IBM z mainframe as well. If we get it working for one, we can easily install it on all of them relatively quickly.
@guilmxm has done a fabulous job!
We had to work with our internal Splunk team that understood the forwarder part as well as understood all the Addon install and configuration steps.
Our VIOS admins then installed the forwarder and configured the nmon collection scripts and the setup of the /etc/inittab to start it all up on IPL.
I've been digging into the dashboards and finding all the data, deciding what I wanted monitored and alerted and what reporting I may want.
The only drawback I have found to date is this:
The capture of the virtual I/O adapter info is not collected or sent to Splunk to show which system is virtually using which physical adapter.
But overall, this is way better than staring at an AIX command-prompt NMON screen.
Next steps will be syslogs for auditing as well. But we are walking before running.
Cheers!
Hi @edoardo_vicendo, as per my understanding, AIX should be fine to install a UF on and pull logs from.
This post is from 2019, and it also suggests the UF installation procedure for the .TAR file.
So I would suggest you have a test box with AIX with IBM VIOS, install the UF via the .tar format, and try to send out security logs. It should be fine; it may give some issues, but it should not trouble you much.
If these things don't work out, then syslog is your friend (ours as well).
best regards,
Sekar
Hi
As VIOS is a special kind of appliance-type AIX instance, I also support @tscroggins' way of using syslog as a standard way to get those events out of it. Installing anything other than what IBM has approved on this instance will probably break it later (e.g. in an update), and then you need to rebuild it and hope that this hasn't generated too much trouble for the real AIX instances on those boxes.
r. Ismo
In past environments, I did not install the UF on VIOS partitions; however, your IBM and Splunk sales engineers may have suggestions. I had the convenience of the Tivoli suite for infrastructure monitoring. You may need to engage IBM support to configure syslog forwarding in a "supported" manner. As an IBM customer, I'm sure you're familiar with the machinations necessary to keep Big Blue happy. 😉
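Since several replies above favour syslog forwarding over installing the Universal Forwarder on the VIOS itself, here is an added example (not code from any poster or from IBM/Splunk) of what that looks like on the VIOS side and how to check it afterwards. It stages an AIX-style /etc/syslog.conf forwarding rule in a temporary copy and then audits that the auth facility actually reaches a remote collector. The collector name "splunk-syslog.example.internal" and the sample config contents are constructed placeholders; the Splunk side is assumed to listen with a matching udp://514 input.

```shell
#!/bin/sh
# Added example, not from the thread. Stages an AIX-style syslog.conf forwarding
# rule in a temp copy and audits that 'auth' events go to a remote collector.
# Assumption: collector host is a placeholder; Splunk has a [udp://514] input.

# Constructed sample of what a VIOS /etc/syslog.conf might look like before the
# change (local files only, nothing forwarded). Not a real VIOS file.
make_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample syslog.conf
*.debug /var/log/syslog.out rotate size 1m files 4
auth.debug /var/log/auth.log
EOF
}

# Append forwarding rules: one selector per line, remote action starts with '@'.
# auth.debug catches every auth-facility message (logins, su, ssh); *.info covers
# the rest at info and above. Local file rules stay in place.
add_forwarding() {
    conf="$1"; host="$2"
    printf 'auth.debug @%s\n' "$host" >> "$conf"
    printf '*.info @%s\n'     "$host" >> "$conf"
}

# Audit: return 0 if some non-comment line sends the 'auth' facility (or '*')
# to a remote host, 1 otherwise. Selector is field 1, action is the last field.
auth_forwarded() {
    awk '!/^#/ && NF >= 2 && $NF ~ /^@/ && $1 ~ /^(auth|[*])\./ { found = 1 }
         END { exit(found ? 0 : 1) }' "$1"
}

# Stand-alone demo: stage the change on a temp copy and report the audit result.
demo() {
    tmp=$(mktemp) || return 1
    make_sample_conf "$tmp"
    if auth_forwarded "$tmp"; then echo "before: auth forwarded"; else echo "before: auth NOT forwarded"; fi
    add_forwarding "$tmp" "splunk-syslog.example.internal"
    if auth_forwarded "$tmp"; then echo "after: auth forwarded"; else echo "after: auth NOT forwarded"; fi
    rm -f "$tmp"
}
```

After editing the real file you still need syslogd to re-read it (refresh -s syslogd on AIX), and the audit only proves a rule exists, not that the collector receives anything; follow up by searching the Splunk index for a test login event from the VIOS.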