Managing Profiles
A profile contains the CipherTrust Manager logging criteria for CTE clients, Syslog server configuration, default logging level, LDT Quality of Service (QoS) settings, and other settings that can be used for several CTE clients.
A default profile, DefaultClientProfile, is created automatically when either of the following happens:
• On successful registration of the first client, if no profile is specified during registration.
• On creation of the first client group. A new client group is automatically linked to DefaultClientProfile.
When registering a CTE client, the installer prompts you to specify a profile for the client. If none is specified, DefaultClientProfile is automatically linked to the client on successful registration. The linked profile can be modified later. It is recommended not to delete or modify DefaultClientProfile.
Creating a Profile
To create a profile:
Open the CTE application.
In the left pane, click Profiles.
Click Create Profile.
Specify a unique Name for the profile. This is a mandatory field.
Provide a Description for the profile.
Click Create.
The newly created profile appears in the profiles list.
After you have created a profile, you can define client logging criteria, Syslog configurations, and QoS configurations. These configurations apply to the clients linked to this profile. Refer to the subsequent sections for details.
Setting Client Log Configuration
Client log configuration includes basic information such as the level of logs to capture, whether to enable the Syslog server, settings to upload logs to the CipherTrust Manager, and settings to store logs on clients.
To define client log configurations for a profile:
Open the CTE application.
In the left pane, click Profiles.
Under Name, click the desired profile. The edit view of the profile is displayed. Profile settings are divided into three categories: CLIENT LOGGING CONFIGURATION, CLIENT SYSLOG CONFIGURATION, and QUALITY OF SERVICE CONFIGURATION.
Click CLIENT LOGGING CONFIGURATION to expand it. The client log configuration settings are categorized into basic settings, log upload to key manager settings, and log to file settings on the clients.
Basic Settings
Specify the basic settings:
Log Level: Level of logs to generate. It defines the detail and extent of information to be logged by the linked agents. In sequence, the options are:
• DEBUG: Fine-grained informational events that are targeted towards support engineers and developers.
• INFO: Informational messages that highlight the progress of the application at a coarse-grained level.
• WARN: Potentially harmful situations.
• ERROR: Error events that might still allow the application to continue running. This is the default log level.
• FATAL: Severe error events that will presumably lead the application to abort.
Log levels are cumulative. The level that you select generates log entries not only for events that occur at that level, but also for all the levels below it. For example, the WARN level also includes events that occur on the ERROR and FATAL levels.
Duplicates: Treatment of duplicate logs. The options are:
• SUPPRESS: Messages follow the configured Threshold as to how many times duplicate messages are sent to the CipherTrust Manager during the given Interval.
• ALLOW: All duplicate messages are captured and displayed in the log.
Threshold: (Used when the Duplicates field is set to SUPPRESS.) Maximum number of duplicate messages the CTE Agent can send to the CipherTrust Manager within the time specified by Suppress Interval (see below). The default value is 5 messages.
Suppress Interval (sec): (Used when the Duplicates field is set to SUPPRESS.) Time window in which the number of duplicate messages specified by Threshold can be uploaded to the CipherTrust Manager. When the Suppress Interval elapses, the count specified by Threshold starts again. The default interval is 600 seconds (10 minutes).
Enable Concise Logging: Whether to enable Concise Logging for the linked clients. Select to enable, clear to disable. By default, Concise Logging is disabled. When enabled, a reduced number of audit log messages are captured. Refer to Concise Logging for details.
Syslog Enabled: Whether the Syslog server is enabled. Select to enable, clear to disable. When you select Syslog Enabled, make sure that client Syslog configurations are defined. Refer to Setting Client Syslog Configuration for details. When the Syslog server is disabled, the logs are sent to the client messages file, such as /var/adm/messages. On a Windows client, the messages are sent to the Event Viewer (Application events).
Log Upload Settings
Configure settings to upload logs to the CipherTrust Manager:
Log Upload to Key Manager: Whether to enable log upload to the CipherTrust Manager. Select to enable, clear to disable. When this option is selected, you can configure the settings listed below. The logs are displayed under the Client Records page of the CipherTrust Manager GUI.
Upload Log Level: Level of logs to upload. In sequence, the options are:
• DEBUG: Fine-grained informational events that are targeted towards support engineers and developers.
• INFO: Informational messages that highlight the progress of the application at a coarse-grained level.
• WARN: Potentially harmful situations.
• ERROR: Error events that might still allow the application to continue running. This is the default log level.
• FATAL: Severe error events that will presumably lead the application to abort.
Log levels are cumulative. The level that you select generates log entries not only for events that occur at that level, but also for all the levels below it. For example, the WARN level also includes events that occur on the ERROR and FATAL levels.
Connection Timeout (sec): Interval after which the connection attempt to the key manager expires. The default value is 59 seconds.
Drop if Busy: Whether to slow log generation and drop log files during periods of extreme logging (that is, when the server is busy). Select to drop, clear to keep trying. This setting is clear by default.
Upload Timeout (sec), 1-900: Interval after which the log upload attempt expires. The default period is 600 seconds (10 minutes).
Max Interval (sec), 1-1000: Maximum interval to wait before the CTE Agent can upload messages to the CipherTrust Manager. Use this option to update the log viewer even when the Message Upload Range has not been reached. Lower the interval if there is little CTE Agent activity. The default maximum interval is 20 seconds.
Min Interval (sec), 1-30: Minimum interval to wait before the CTE Agent can upload messages to the CipherTrust Manager. Increase the interval if there is considerable CTE Agent activity, so that the agents do not flood the network with log messages. The default minimum interval is 10 seconds.
Message Upload Range (100-1000): Maximum number of logs to upload at one time. When the specified number of logs is reached, they are uploaded to the CipherTrust Manager. The default number is 1000.
Cache Settings: Settings to cache logs. The options are:
• Max Files: Maximum number of log files to cache. The default number is 200.
• Max Space (MB): Maximum log size to cache. The default value is 100 MB.
Log to File Settings
Configure settings to gather logs in files on clients:
Log to File: Whether to write logs to files on clients. This option is selected by default, which means that, by default, the logs are written to files on clients. The logs are sent to the /var/log/vormetric/vorvmd_root.log file on a UNIX client, or to a Windows equivalent, such as \Documents and Settings\All Users or WINDOWS\Application Data\Vormetric\DataSecurityExpert\agent\log\vorvmd.log. When the Log to File option is selected, you can configure the settings listed below.
File Log Level: Level of logs to capture in the log file. In sequence, the options are:
• DEBUG: Fine-grained informational events that are targeted towards support engineers and developers.
• INFO: Informational messages that highlight the progress of the application at a coarse-grained level.
• WARN: Potentially harmful situations.
• ERROR: Error events that might still allow the application to continue running. This is the default log level.
• FATAL: Severe error events that will presumably lead the application to abort.
Log levels are cumulative. The level that you select generates log entries not only for events that occur at that level, but also for all the levels below it. For example, the WARN level also includes events that occur on the ERROR and FATAL levels.
Max File Size (1-1000 MB): Maximum size of a log file. The CTE Agent starts a new, empty log file when the specified limit is exceeded. The default maximum file size is 1000 MB.
Max Old Files (1-100): The maximum number of old log files to keep. The default number is 100.
Allow Purge: Whether to allow purging of the old log files. Select to allow purge, clear to disallow. This option works in conjunction with the Max Old Files option (see above). For example, set Max Old Files to 3 and select the Allow Purge check box. After 3 log files are generated, the first log file, log1, is deleted and a new log file, log4, is created. If the Allow Purge check box is clear, log files continue to accumulate in the server database and you have to remove them manually.
Click Apply.
The changes are effective immediately and apply to the clients linked with the profile.
The CTE client logs can be seen on the Keys & Access Management > Records > Client Records page of the CipherTrust Manager GUI. Filter the records by Client Type to find the CTE records.
Refer to Records for details.
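As an added illustration of the Basic Settings above (not CTE or CipherTrust Manager code), the following Python models how the cumulative Log Level and the Duplicates=SUPPRESS Threshold and Suppress Interval settings decide which agent messages are logged; the suppression window model and all function names are assumptions, and the sample records are constructed.

```python
# Severity order as listed in the Log Level field; selecting a level keeps that level
# and every level after it in this list (WARN keeps WARN, ERROR and FATAL).
LEVELS = ["DEBUG", "INFO", "WARN", "ERROR", "FATAL"]


def passes_level(selected: str, level: str) -> bool:
    """True if a message at `level` is logged when the profile's Log Level is `selected`."""
    return LEVELS.index(level) >= LEVELS.index(selected)


class DuplicateSuppressor:
    """Model of Duplicates=SUPPRESS: at most `threshold` copies of an identical message are
    forwarded per `interval` seconds (profile defaults 5 and 600). Assumption: the window
    opens at the first copy and the count restarts once `interval` seconds have elapsed."""

    def __init__(self, threshold: int = 5, interval: int = 600):
        self.threshold, self.interval = threshold, interval
        self.windows = {}  # message text -> (window start time, copies forwarded)

    def allow(self, ts: float, text: str) -> bool:
        start, count = self.windows.get(text, (None, 0))
        if start is None or ts - start >= self.interval:
            start, count = ts, 0  # interval elapsed: start a fresh window
        forwarded = count < self.threshold
        self.windows[text] = (start, count + 1 if forwarded else count)
        return forwarded


def filter_records(records, log_level="ERROR", duplicates="ALLOW", threshold=5, interval=600):
    """Apply a profile's Basic Settings to (timestamp, level, text) records and return
    the records the agent would log; the defaults mirror the profile defaults above."""
    suppressor = DuplicateSuppressor(threshold, interval) if duplicates == "SUPPRESS" else None
    kept = []
    for ts, level, text in records:
        if not passes_level(log_level, level):
            continue
        if suppressor is not None and not suppressor.allow(ts, text):
            continue
        kept.append((ts, level, text))
    return kept


# Constructed sample: seven identical WARNs within two seconds, some INFO/ERROR noise,
# then the same WARN again after the 600 s Suppress Interval has elapsed.
SAMPLE = [(0.2 * i, "WARN", "permission denied on guardpoint") for i in range(7)]
SAMPLE += [(3.0, "INFO", "policy refreshed"), (4.0, "ERROR", "key manager unreachable"),
           (700.0, "WARN", "permission denied on guardpoint")]

if __name__ == "__main__":
    for ts, level, text in filter_records(SAMPLE, log_level="WARN", duplicates="SUPPRESS"):
        print(f"{ts:6.1f} {level:5} {text}")
```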
Setting Client Syslog Configuration
When you have Syslog servers up and running in your environment, you can redirect your client logs to them. A CipherTrust Manager administrator can configure profiles to redirect client logs to Syslog servers.
To configure Syslog settings in a profile:
Open the CTE application.
In the left pane, click Profiles.
Under Name, click the desired profile.
Expand CLIENT SYSLOG CONFIGURATION.
Specify the following details:
Note
• You can configure up to four servers, labeled as Server 1, Server 2, Server 3, and Server 4. By default, Server 1 and Server 2 are visible. To view Server 3 and Server 4, click Show Additional Servers.
• This document describes steps to configure one server, Server 1. Extend the steps to suit your setup requirements.
Log Level: Level of logs to redirect. In sequence, the options are:
• DEBUG: Fine-grained informational events that are targeted towards support engineers and developers.
• INFO: Informational messages that highlight the progress of the application at a coarse-grained level.
• WARN: Potentially harmful situations.
• ERROR: Error events that might still allow the application to continue running. This is the default log level.
• FATAL: Severe error events that will presumably lead the application to abort.
Log levels are cumulative. The level that you select generates log entries not only for events that occur at that level, but also for all the levels below it. For example, the WARN level also includes events that occur on the ERROR and FATAL levels.
Local: Whether logs are also sent to the client. If selected, the logs are saved on the client at /var/log/messages. By default, the option is clear.
Server 1
Hostname or IP: Hostname or IP address of the Syslog server.
Port: Port of the Syslog server.
Message Format: Format in which the log messages are transferred to the Syslog server. The options are:
• Plain Message
• CEF
• RFC5424
• LEEF
The default log format is RFC5424. This format adheres to the Syslog Protocol RFC 5424 guidelines.
Protocol: Transport protocol for the Syslog connection. The options are UDP, TCP, and TLS. The default protocol is TCP. When you select TLS, the following fields appear:
• CA Certificate: Click Browse to select the CA certificate.
• Certificate: Click Browse to select the certificate.
• Private Key: Click Browse to select the private key.
Click Apply.
The Syslog server settings are configured.
Setting Quality of Service Configuration
The QoS configuration settings apply to clients that have the LDT feature enabled on them. Administrators use these settings to maintain operational efficiency in their systems while LDT operations run. They can specify a percentage of CPU usage or a rekey rate, and schedules for LDT operations. Refer to CTE-Live Data Transformation with CipherTrust Manager for best practices on using LDT and QoS.
A CipherTrust Manager administrator can configure LDT QoS on the CipherTrust Manager.
To configure LDT QoS settings in a profile:
Open the CTE application.
In the left pane, click Profiles.
Under Name, click the desired profile.
Expand QUALITY OF SERVICE CONFIGURATION.
Specify the rekey option. The options are:
• Rekey by Rate: Select to rekey by rate (in MB/s). This is the default setting. Specify the LDT QoS Rekey Rate. The default value is 0.
• Rekey by CPU: Select to rekey by CPU usage. By default, LDT operations use all of the available CPU memory. Optionally, you can reserve a percentage of the clients' CPU for LDT rekey operations. To do so:
i. Select Cap CPU Allocation. The CPU Percentage field becomes editable.
ii. Enter the CPU Percentage. The value must be greater than 0.
Specify a QoS schedule to run LDT. Under QoS Schedules, select an LDT QoS Schedule. The options are:
Name: ANYTIME
Time Ranges: Sunday 12:00 AM - Saturday 11:59 PM
Description: LDT runs any day at any time of the week
Name: WEEKNIGHTS
Time Ranges:
• Monday 12:00 AM - Monday 07:00 AM
• Monday 09:00 PM - Tuesday 07:00 AM
• Tuesday 09:00 PM - Wednesday 07:00 AM
• Wednesday 09:00 PM - Thursday 07:00 AM
• Thursday 09:00 PM - Friday 07:00 AM
• Friday 09:00 PM - Friday 11:59 PM
Description: LDT runs between midnight and 7:00 AM from Monday to Friday
Name: WEEKENDS
Time Ranges:
• Sunday 12:00 AM - Monday 07:00 AM
• Friday 09:00 PM - Saturday 11:59 PM
Description: LDT runs between 9:00 PM Friday and 7:00 AM on Monday
Name: CUSTOM
Time Ranges: < Custom Range >
Description: LDT runs at a custom schedule (described below)
Creating a Custom LDT Schedule
To create a custom LDT schedule:
Select CUSTOM from the LDT QoS Schedule drop-down list. Now, the Create New QoS Schedule button is available.
Click Create New QoS Schedule. The Create QoS Schedule dialog box is displayed.
Select the Starting Day. The LDT process will start on this day of the week. The default starting day is Monday.
Specify the Starting Time in the HH:MM AM/PM format. Use the arrows to select the time in hours (1 to 11) and minutes (00 to 59). Select AM or PM from the drop-down list. The default starting time is 1:00 AM.
Select the Ending Day. The LDT process will end on this day of the week. The default ending day is Monday.
Specify the Ending Time in the HH:MM AM/PM format. The default ending time is 2:00 AM.
Click Create. The custom LDT QoS schedule is displayed on the screen. The specified Time Ranges are also displayed.
Click Apply. The configuration is saved successfully.
Note
• To create a new custom schedule, click Create New QoS Schedule.
• To delete a custom schedule, click Delete corresponding to the schedule you want to delete.
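The built-in schedules from the Time Ranges table and a custom Starting/Ending Day and Time range, evaluated in Python as an added example (not CipherTrust Manager code). It answers whether LDT rekeying may run at a given day and clock time; the function names and the wrap-around handling for a custom range that ends before it starts are assumptions.

```python
DAYS = ["Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday"]
MINUTES_PER_DAY = 24 * 60

def parse_time(text: str) -> int:
    """Convert an 'HH:MM AM/PM' string (the dialog's format) to minutes after midnight."""
    clock, meridiem = text.strip().upper().split()
    hour, minute = (int(part) for part in clock.split(":"))
    if not (1 <= hour <= 12 and 0 <= minute <= 59) or meridiem not in ("AM", "PM"):
        raise ValueError(f"invalid time: {text!r}")
    hour = hour % 12 + (12 if meridiem == "PM" else 0)  # 12:xx AM -> 0, 12:xx PM -> 12
    return hour * 60 + minute

def week_minute(day: str, time_text: str) -> int:
    """Position within the week in minutes, counting from Sunday 12:00 AM."""
    return DAYS.index(day) * MINUTES_PER_DAY + parse_time(time_text)

def make_range(start_day, start_time, end_day, end_time):
    """One 'Starting Day/Time - Ending Day/Time' window as entered in the Create QoS Schedule dialog."""
    return (week_minute(start_day, start_time), week_minute(end_day, end_time))

# Built-in schedules, transcribed from the Time Ranges table above.
SCHEDULES = {
    "ANYTIME": [make_range("Sunday", "12:00 AM", "Saturday", "11:59 PM")],
    "WEEKNIGHTS": [
        make_range("Monday", "12:00 AM", "Monday", "07:00 AM"),
        make_range("Monday", "09:00 PM", "Tuesday", "07:00 AM"),
        make_range("Tuesday", "09:00 PM", "Wednesday", "07:00 AM"),
        make_range("Wednesday", "09:00 PM", "Thursday", "07:00 AM"),
        make_range("Thursday", "09:00 PM", "Friday", "07:00 AM"),
        make_range("Friday", "09:00 PM", "Friday", "11:59 PM"),
    ],
    "WEEKENDS": [
        make_range("Sunday", "12:00 AM", "Monday", "07:00 AM"),
        make_range("Friday", "09:00 PM", "Saturday", "11:59 PM"),
    ],
}

def in_range(window, moment: int) -> bool:
    """Inclusive membership. A window whose end precedes its start (e.g. Saturday 10:00 PM
    to Sunday 02:00 AM) is assumed to wrap past Saturday 11:59 PM into the next week."""
    start, end = window
    if start <= end:
        return start <= moment <= end
    return moment >= start or moment <= end

def ldt_allowed(windows, day: str, time_text: str) -> bool:
    """True if LDT rekeying may run on `day` at `time_text` under the given windows."""
    moment = week_minute(day, time_text)
    return any(in_range(w, moment) for w in windows)
```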
Concise Logging
CTE's standard operational logging sends audit messages for every file system operation. An audit message is sent every time a file is opened, read, updated, or written. Standard logging can generate high volumes of log data. Security administrators might not need most of these logs to monitor file system activities on the protected clients.
A CipherTrust Manager administrator can enable or disable Concise Logging for a profile. After Concise Logging is enabled or disabled, CTE Agent generates a log message to record that event:
"[CGA] [INFO] [CGA3201I] [08/07/2020 10:57:18] Concise logging enabled"
"[CGA] [INFO] [CGA3202I] [08/07/2020 10:57:27] Concise logging disabled"
Advantages
Concise Logging:
Helps security administrators to focus on relevant audit messages and important actionable messages such as errors and warnings.
Can eliminate repetitive and unimportant audit messages generated by read and write activities on a file, read and write directory attributes, and other file system activities.
Eliminates audit messages:
For each block read by a user or an application. Only one audit message is sent for every read/write activity.
For reading file attributes, basic information of file set attributes, and other event-based messages.
For directory open, read directory attributes, and directory close.
Considerations
Concise Logging:
Changes the set of messages that are sent to Security Information and Event Management (SIEM) software systems. If this results in loss of data required for customer reports, then disable Concise Logging.
Applies to all GuardPoints and for all users of the clients linked with a profile. There is no fine-grained control such as per GuardPoint, user, or message type.
Applies to the existing clients and the new clients to be linked with the profile subsequently.
Is supported by CTE secfs only.
Should not be used with Learn Mode.
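As an added detection example (not CTE code), this Python parses agent log lines of the form quoted above, extracts the CGA3201I/CGA3202I toggle events and reconstructs the intervals during which Concise Logging reduced the audit messages reaching the SIEM, which is the Considerations point about changed SIEM data; the MM/DD/YYYY timestamp order, the function names and the placeholder message id in the constructed sample are assumptions.

```python
import re
from datetime import datetime

# Shape of the CTE Agent lines quoted above: [component] [level] [message id] [timestamp] text.
LINE_RE = re.compile(
    r"^\[(?P<component>[A-Z]+)\] \[(?P<level>[A-Z]+)\] \[(?P<msgid>[A-Z0-9]+)\] "
    r"\[(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\] (?P<text>.*)$"
)
# Message ids taken from the two lines quoted above; the timestamp is assumed to be MM/DD/YYYY.
TOGGLE_IDS = {"CGA3201I": "enabled", "CGA3202I": "disabled"}

def parse_line(line: str):
    """Split one agent log line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line.strip().strip('"'))
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%m/%d/%Y %H:%M:%S")
    return rec

def concise_logging_events(lines):
    """(timestamp, 'enabled' | 'disabled') for every Concise Logging toggle in the lines."""
    events = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["msgid"] in TOGGLE_IDS:
            events.append((rec["ts"], TOGGLE_IDS[rec["msgid"]]))
    return events

def reduced_audit_intervals(lines):
    """Intervals during which Concise Logging was on, i.e. when the per-block read/write and
    directory audit messages listed under Advantages were not being sent to the SIEM.
    An interval still open at the end of the log has end=None."""
    intervals, start = [], None
    for ts, state in concise_logging_events(lines):
        if state == "enabled" and start is None:
            start = ts
        elif state == "disabled" and start is not None:
            intervals.append((start, ts))
            start = None
    if start is not None:
        intervals.append((start, None))
    return intervals

# Constructed sample: the two lines from the page plus an unrelated line with a placeholder id.
SAMPLE = [
    '"[CGA] [INFO] [CGA0000I] [08/07/2020 10:50:02] placeholder unrelated message"',
    '"[CGA] [INFO] [CGA3201I] [08/07/2020 10:57:18] Concise logging enabled"',
    '"[CGA] [INFO] [CGA3202I] [08/07/2020 10:57:27] Concise logging disabled"',
]
```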
Modifying Profiles
To modify a profile:
Open the CTE application.
In the left pane, click Profiles.
Under Name, click the desired profile.
Alternatively, click the overflow icon corresponding to the desired profile and click Edit.
Expand CLIENT LOGGING CONFIGURATION.
Modify the settings, as appropriate. Refer to Setting Client Log Configuration for details.
Click Apply.
Expand CLIENT SYSLOG CONFIGURATION.
Modify the settings, as appropriate. Refer to Setting Client Syslog Configuration for details.
Click Apply.
Expand QUALITY OF SERVICE CONFIGURATION.
Modify the settings, as appropriate. Refer to Setting Quality of Service Configuration for details.
Click Apply.
The profile settings are updated.
Deleting Profiles
Single or multiple profiles can be deleted from the CipherTrust Manager GUI in one go. Before deleting a profile, make sure that no clients or client groups are linked to it.
Deleting Individual Profiles
To delete a profile:
Open the CTE application.
In the left pane, click Profiles.
Click the overflow icon corresponding to the desired profile.
Alternatively, select the desired profile and click the delete icon.
Click Delete.
The selected profile is removed from the profiles list.
Deleting Multiple Profiles
To delete multiple profiles:
Open the CTE application.
In the left pane, click Profiles.
Select the check boxes corresponding to the desired profiles.
To select all profiles visible on the page for deletion, select the top check box to the left of the Name heading.
Click the delete icon. A dialog box appears prompting you to confirm the action.
Click Delete.