Conjur Fundamentals: Troubleshooting & Reporting

This document provides an overview of troubleshooting and reporting capabilities in a Conjur implementation. It describes the available documentation resources, log file locations for the Conjur server and CLI, how to view log files in a Docker container, common errors and troubleshooting steps, and Conjur's audit and reporting functionality including integrating logs with a SIEM like Splunk.

Uploaded by karthik chithari

CONJUR FUNDAMENTALS

Troubleshooting & Reporting

CyberArk Training
LESSON OBJECTIVES

This lesson provides an overview of troubleshooting, reporting, and auditing a Conjur implementation.
Upon completion of this lesson the participant will be able to:
• Get familiarized with the documentation and resources available to support Conjur
• Locate and review the location of critical configuration and log files for Conjur
• Review Conjur reporting functionality

DOCUMENTATION & RESOURCES

CYBERARK ONLINE DOCUMENTATION

https://docs.cyberark.com
• Access anytime from any device
• Fully searchable and indexed
• v10.1 to Latest
• Categorized by product and function for ease of navigation
• Highlight and print features
LOG FILES & DEBUG LEVELS

CONJUR SERVER: FILE LOCATIONS

Configuration & Administration File Locations
/etc/conjur/nginx.d/ # Conjur server configuration files directory
/etc/nginx/ # nginx webserver configuration files directory
/etc/service/conjur/ # start/stop services directory
/opt/conjur/ # Conjur server base installation directory
/usr/local/bin # Conjur server binary executable file
/var/lib/gems/ # Ruby Gems Conjur server API files directory

Log File Locations
/var/log/syslog # Primary operating system log file
/var/log/conjur/ # Conjur server audit logs directory (audit.log & audit.json)
/var/log/evoke.log # Conjur server Evoke messages log file
/var/log/nginx/ # nginx webserver log files (access.log and error.log)
CONJUR CLI: FILE LOCATIONS

User CLI Specific File Locations
$HOME/.conjurrc # Conjur CLI user configuration file
  account: # Define Organization name
  plugins: # Define plugins for CLI
  appliance_url: # Define URL for Conjur Server
  cert_file: # Location of user SSL Certificate
$HOME/<filename>.pem # Unique user SSL Certificate

Note: User CLI files are created during the conjur init process.
VIEW LOG FILE DATA: DOCKER CONTAINER

Docker Container
• Viewing log file information in real time from the Conjur Server follows the same conventions as Linux/Unix administration
• Use docker exec <container_name> <command> to execute commands in the embedded Docker container
• Conjur Audit Logs Directory: /var/log/conjur
COMMON ERRORS & TROUBLESHOOTING
CONJUR CLI: HELP

Conjur CLI Help
• Obtain useful information and health status using the Conjur CLI
• Invoke help using the conjur --help command
CONJUR SERVER HEALTH

• Gather critical real-time status monitoring and health data using the Conjur API
• Connect to the following API URL: https://<conjur_server>/health
• Services with status "ok" are enabled and running
• Services with status "disabled" or "connection refused" have either been stopped or are having issues starting, and are not currently running
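As an added example (not part of the original training material), a small Python check that fetches /health and reports every service that is not "ok". It assumes the JSON shape Conjur Enterprise returns from that endpoint (a `services` map of per-service status strings with a boolean `ok` roll-up, and a `database` block with `connect` statuses); the sample response below is constructed, and the server name and certificate path in the comment are placeholders.

```python
import json
import ssl
import urllib.request


def unhealthy_services(health):
    """Return {name: status} for every /health entry that is not "ok".

    `health` is the parsed JSON body (shape assumed, see lead-in). Per-service
    statuses are strings such as "ok", "disabled" or "connection refused";
    the boolean "ok" roll-up keys are skipped. Database connect statuses are
    reported under "database/<name>" so a broken main database is flagged too.
    A "disabled" module can be deliberate, but the slide treats it as not
    running, so it is surfaced for the operator to confirm.
    """
    bad = {}
    for name, status in health.get("services", {}).items():
        if name != "ok" and status != "ok":
            bad[name] = status
    for name, status in health.get("database", {}).get("connect", {}).items():
        if status != "ok":
            bad["database/" + name] = status
    return bad


def fetch_health(server, cert_file, timeout=5):
    """GET https://<server>/health, trusting only the certificate that
    conjur init saved (the cert_file entry of ~/.conjurrc)."""
    ctx = ssl.create_default_context(cafile=cert_file)
    url = f"https://{server}/health"
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return json.loads(resp.read().decode())


# Constructed sample response: an appliance whose ldap-sync module is stopped.
SAMPLE_HEALTH = {
    "services": {"possum": "ok", "ui": "ok", "ldap-sync": "disabled", "ok": False},
    "database": {"ok": True, "connect": {"main": "ok"}},
    "ok": False,
}

if __name__ == "__main__":
    # Against a live server: fetch_health("conjur.example.com", "/home/me/conjur.pem")
    for name, status in unhealthy_services(SAMPLE_HEALTH).items():
        print(f"NOT OK  {name}: {status}")
```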

CONJUR SERVER INFO

• Return detailed Conjur Server and CLI software package information
• Connect to the following API URL: https://<conjur_server>/info
• "status: i" indicates the package is installed
• "version:" provides the version number
• "arch:" provides the underlying hardware environment
… stdout truncated …

CONJUR SERVICES: STOP/START/RESTART

Conjur Server Services
• List services located in /etc/service/conjur
• Connect to the Conjur Server terminal using docker exec -it <container> /bin/bash
• Stop/Start/Restart the Conjur Server service using sv [stop | start | restart] conjur
• Stop/Start/Restart a specific Conjur service module (authn, ldap-sync, ui, etc.) using sv [stop | start | restart] conjur/<service_module>
REPORTING
AUDIT & REPORTING OVERVIEW

Conjur Audit Trail
• Centralized audit database that collects a series of immutable permission events and records of changes from the entire infrastructure (event records can never be modified)

How it works
• Records all access permission events and activity
• Records all changes to resources/roles

Event records include:
• Authentication ID of user with access permission
• Roles for both user and others involved in event
• Resources involved
• Event information (includes source IP address)

Architecture
• main (db): records all master-server activity; logs all events related to changes in permission models (replicated to all followers)
• archive (db): stores the audit records for the Conjur server environment
• All permission modification records are permanently stored in both main and archive

[Figure: Audit Database Architecture. The Leader/Master server holds the main and archive audit databases; standbys replicate to the Master, and audit records replicate to the Followers.]
AUDIT: ARCHITECTURE & SPECIFICATIONS

Conjur audit service captures all access-permission events and activity
• Full audit record can only be accessed via the Master Server
• Uses syslog protocol output: audit.log (RFC 5424) and audit.json (JSON format)
• Audit limit: the number and age of entries are capped by default
• Periodic purging of older entries; changes to the permission model are whitelisted and never purged
• All records are accessible via the Web UI, DAP CLI, and REST API
• Easy integration with third-party SIEM tools like Splunk, ELK, or LogRhythm
• By default, a tailer is set up to print all messages to /var/log/conjur/audit.log
• Logrotate is set up to rotate audit log files daily
CONJUR UI: RESOURCE/ROLE AUDIT INFORMATION

• Use the Conjur UI to view audit records and event data information
• Must be authenticated as a user with the proper authorizations: read privileges on the resource or role
• View Resource/Role Updates
• View Resource/Role Audit Events
CONJUR LOGS: AUDIT.LOG & AUDIT.JSON

• Audit records are printed in Syslog and JSON format:
  /var/log/conjur/audit.log
  /var/log/conjur/audit.json
• Audit data can be viewed in real time or exported to other SIEM log management systems for extended reporting, notifications, and alarming on events.

[Sample output: audit.log and audit.json (screenshots not reproduced)]
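As an added example, not from the original deck: a Python filter over audit.json lines that surfaces failed permission checks and failed authentications per client IP, the kind of query an operator runs on the box before the file is forwarded to a SIEM. The field names (`action@43868`, `client@43868`, `auth@43868`, `subject@43868`, i.e. the syslog structured-data IDs carried into the JSON output) are assumed from Conjur's audit format, and every log line below is constructed for this example.

```python
import json
from collections import Counter

# Constructed audit.json lines (newline-delimited JSON). Field names assumed from
# Conjur's RFC 5424 structured data; account, roles, IPs and times are invented.
SAMPLE_AUDIT_JSON = r'''
{"@timestamp":"2020-03-04T10:00:01Z","severity":"info","message":"myorg:user:alice successfully authenticated","auth@43868":{"user":"myorg:user:alice"},"client@43868":{"ip":"10.0.0.5"},"action@43868":{"operation":"authenticate","result":"success"}}
{"@timestamp":"2020-03-04T10:00:02Z","severity":"warning","message":"myorg:host:app1 failed to authenticate","auth@43868":{"user":"myorg:host:app1"},"client@43868":{"ip":"10.0.0.9"},"action@43868":{"operation":"authenticate","result":"failure"}}
{"@timestamp":"2020-03-04T10:00:03Z","severity":"warning","message":"myorg:host:app1 lacks execute on myorg:variable:prod/db/password","subject@43868":{"role":"myorg:host:app1","resource":"myorg:variable:prod/db/password","privilege":"execute"},"auth@43868":{"user":"myorg:host:app1"},"client@43868":{"ip":"10.0.0.9"},"action@43868":{"operation":"check","result":"failure"}}
{"@timestamp":"2020-03-04T10:00:04Z","severity":"warning","message":"myorg:host:app1 lacks execute on myorg:variable:prod/api/key","subject@43868":{"role":"myorg:host:app1","resource":"myorg:variable:prod/api/key","privilege":"execute"},"auth@43868":{"user":"myorg:host:app1"},"client@43868":{"ip":"10.0.0.9"},"action@43868":{"operation":"check","result":"failure"}}
{"@timestamp":"2020-03-04T10:00:05Z","severity":"info","message":"myorg:user:alice has execute on myorg:variable:prod/db/password","subject@43868":{"role":"myorg:user:alice","resource":"myorg:variable:prod/db/password","privilege":"execute"},"auth@43868":{"user":"myorg:user:alice"},"client@43868":{"ip":"10.0.0.5"},"action@43868":{"operation":"check","result":"success"}}
'''


def parse_audit_json(text):
    """One dict per non-empty line; audit.json is newline-delimited JSON."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def failed_events(events):
    """Events whose action result is "failure": denied checks and bad logins."""
    return [e for e in events if e.get("action@43868", {}).get("result") == "failure"]


def failures_by_client(events):
    """Count failures per (client IP, operation). One IP piling up failed
    checks against several secrets is the pattern worth alerting on."""
    counts = Counter()
    for e in failed_events(events):
        ip = e.get("client@43868", {}).get("ip", "unknown")
        counts[(ip, e["action@43868"].get("operation", "unknown"))] += 1
    return counts


def denied_resources(events):
    """Resource ids that some role was refused access to."""
    return {e["subject@43868"]["resource"] for e in failed_events(events)
            if e.get("subject@43868", {}).get("resource")}


if __name__ == "__main__":
    events = parse_audit_json(SAMPLE_AUDIT_JSON)
    for (ip, op), n in failures_by_client(events).most_common():
        print(f"{ip:15} {op:13} {n} failures")
    print("denied:", sorted(denied_resources(events)))
```

To run it against the real file, replace SAMPLE_AUDIT_JSON with the contents of /var/log/conjur/audit.json read from inside the container.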

SIEM INTEGRATION: SPLUNK
SIEM INTEGRATION: SPLUNK

Splunk Integration Workflow
1. Install Splunk Universal Forwarder on the Docker host running the Conjur Server
2. Enable on reboot and start the Splunk Universal Forwarder
3. Create and enable a receiving listener port on the Splunk Server
4. Add the Splunk forwarder server on the Universal Forwarder client
5. Add a monitor to the Universal Forwarder client for the Conjur audit logs
6. Restart the Splunk Universal Forwarder service
7. Enable the Forwarder Monitoring service on the Splunk Server
SUMMARY
SUMMARY

In this session we discussed:
• Documentation & Resources
• Configuration & Log Files
• Common Errors & Troubleshooting
• Audit & Reporting
THANK YOU