SSH Log Using LogAway (V4.5+)
Note: LogAway Agent (compatible with XpoLog 4.5+)
The new version of LogAway is compatible with XpoLog 4.5+ and supports a higher log transfer rate (~300MB/Minute).
Summary
XpoLog’s agent-less architecture allows accessing logs located on remote machines over SSH, without the need to change or install anything on the remote machine. In order to do this, XpoLog utilizes the ‘less’ command on the remote machine, among other commands. In some environments, where the ‘less’ command is not available on the remote machine, XpoLog cannot work as described above.
XpoLog’s LogAway agent provides a solution for accessing logs located on remote machines over SSH where the ‘less’ command is not available. It is important to note that the agent is passive, and does not run any process on the remote machine unless requested to do so by the XpoLog server.
Technical Details
XpoLog’s LogAway agent is a JAR file located in the home directory of the user that is used by XpoLog to access the remote machine. After the JAR file is deployed on the remote machine, it does not run any process. Instead, the XpoLog server automatically identifies that the LogAway agent is available on the remote machine, and uses it instead of utilizing traditional system commands.
All the data which is transferred by the LogAway agent to the XpoLog server is compressed, to minimize network traffic.
Deployment
- Verify that Java is installed on the remote machine:
- Log in to the remote machine using the same user that is used by XpoLog to access the remote machine.
- Run the command java -version (the LogAway agent requires Java version 1.4+ to run)
- Download XpoLog’s LogAway package compatible with the Java version installed on the remote machine:
Download LogAway for Java 1.4+: LogAway for JAVA 1.4+
- Copy XpoLog’s LogAway package to the remote machine (place it in the home directory of the user that is used by XpoLog to access the remote machine)
- Unpack XpoLog’s LogAway package by running the following commands:
- gunzip xpologAgent.tar.gz
- tar xvf xpologAgent.tar
- Verify that a folder named xpologAgent was created and contains several files
- Verify that XpoLog’s LogAway agent can be executed:
- Enter the xpologAgent folder
- Run the command sh runAgent.sh -v
- Verify that information regarding the agent is printed to the screen
- Verify on the remote server that TCP port forwarding is enabled:
- View the file /etc/ssh/sshd_config
- The parameter 'AllowTcpForwarding' specifies whether TCP forwarding is permitted (the default is "yes"). Note that disabling TCP forwarding does not improve security unless users are also denied shell access, as they can always install their own forwarders. If 'AllowTcpForwarding' is set to "no", change it to "yes" and restart the SSH service.
- Go to XpoLog>Settings>General, and under 'Connection Policies' configure the following:
- LogAway Agent forwarding port - a free port on the remote machine to use (try "netstat" to list ports in use). LogAway uses the port locally in order to use SSH port forwarding (for example: 5555). It is not recommended to use ports 0-1023, as these are usually reserved for system processes.
- LogAway Agent forwarding timeout - the allowed period of LogAway Agent inactivity before its connection is terminated (default 1 minute)
- In order to verify that the agent can be used by the XpoLog server, add a log over SSH on this machine using direct access mode and check that everything works as expected.
Open XpoLog Support Portal > Activity Information and, under the SSH connections tab, verify that the connection mode is Agent (instead of the default: Less).
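The two host-side checks from the deployment steps above (the global 'AllowTcpForwarding' value and the choice of forwarding port), as an added shell example that is not part of XpoLog's documentation or tooling. The function names and the sample sshd_config and netstat output are constructed for illustration, and Match blocks in sshd_config are not evaluated.

```shell
#!/bin/sh
# Added example, not XpoLog code. Function names are hypothetical.

# Print the global AllowTcpForwarding value from an sshd_config file.
# sshd keeps the first value it reads for a keyword, keywords are
# case-insensitive, and the default is "yes" when the keyword is absent.
# Parsing stops at the first Match block: conditional overrides are not evaluated.
effective_tcp_forwarding() {
    awk '
        { gsub(/=/, " ") }                      # accept "Keyword=value"
        /^[[:space:]]*#/ { next }               # skip comment lines
        tolower($1) == "match" { exit }
        tolower($1) == "allowtcpforwarding" { v = tolower($2); exit }
        END { print (v == "" ? "yes" : v) }
    ' "$1"
}

# Succeed when PORT is in 1024-65535 and no LISTEN socket in the given
# `netstat -tln` output is already bound to it.
port_is_usable() {
    port=$1; listing=$2
    case $port in ''|*[!0-9]*) return 1 ;; esac
    [ "$port" -ge 1024 ] && [ "$port" -le 65535 ] || return 1
    ! printf '%s\n' "$listing" | awk -v p="$port" '
        $NF == "LISTEN" { n = split($4, a, ":"); if (a[n] == p) found = 1 }
        END { exit !found }'
}

# Constructed sample inputs so the checks run offline.
SAMPLE_SSHD_CONFIG='# constructed sample
Port 22
allowtcpforwarding no
AllowTcpForwarding yes
Match User backup
    AllowTcpForwarding yes'
SAMPLE_LISTENERS='Proto Recv-Q Send-Q Local Address Foreign Address State
tcp        0      0 0.0.0.0:22     0.0.0.0:*     LISTEN
tcp6       0      0 :::5555        :::*          LISTEN'

cfg=$(mktemp)
printf '%s\n' "$SAMPLE_SSHD_CONFIG" > "$cfg"
echo "AllowTcpForwarding (global): $(effective_tcp_forwarding "$cfg")"
for p in 80 5555 5556; do
    if port_is_usable "$p" "$SAMPLE_LISTENERS"; then echo "port $p: usable"
    else echo "port $p: not usable"; fi
done
rm -f "$cfg"
```

On a real host, pass /etc/ssh/sshd_config as the file and the output of `netstat -tln` as the listing. Where root access is available, `sshd -T` (with `-C` connection parameters to apply Match rules) prints the effective configuration directly.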