Saturday, September 15, 2018

Forcepoint SMC logserver rollup script

The Forcepoint Security Management Center (SMC) lets you query logs. One issue: logs can easily be pruned, but there is no on-board feature to roll logs up to a remote server such as an SFTP/SCP host.


Here's a quick bash script that you can run from a cron job at a regular interval to roll up logs from the SMC LogServer to a remote SCP host.





#!/bin/bash
#
# kfelix@socpuppets.com
######## LOG ROLLER  IT ON UP  ########
# rev 1.0
#
# Timestamp for the tarball name, e.g. Y18_Month09_Day15_1537000000
   D=$(date +Y%y_Month%m_Day%d_%s)
#
# Rollup SFTP/SCP destinations. scp does not take a password on the command
# line, so the rollup user authenticates with an SSH key installed on both
# hosts; the tarball lands in that user's home directory.
   H1="<insert the rollup SFTP/SCP server name here>"
   H2="<insert the rollup SFTP/SCP server name here>"
   RUSER="rollupusername"

#  find all .arch files older than 180 days in the SMC storage directory
   LOG_DIR="/usr/local/forcepoint/smc/data/storage/"

#  private list file rather than a fixed, predictable name under /tmp
   LIST=$(mktemp) || exit 1

   find "$LOG_DIR" -name "*.arch" -type f -mtime +180 > "$LIST"

#  nothing to do if no file is old enough
   [ -s "$LIST" ] || { rm -f "$LIST"; exit 0; }

#  take archive list and create tarball.gz; stop here if tar fails
   tar czvf ROLLUP.$D.tar.gz --files-from "$LIST" || exit 1

#  install at least two rollup destinations; copy BEFORE deleting so a
#  failed transfer does not lose the only copy of the logs (the tarball
#  stays on disk for a retry)
   scp ./ROLLUP.$D.tar.gz "$RUSER@$H1:" || exit 1
   scp ./ROLLUP.$D.tar.gz "$RUSER@$H2:" || exit 1

# delete listed files now that the tarball is on both remote hosts
   xargs -d '\n' rm -f < "$LIST"

#  delete logsarchs catalog text file
   rm -f "$LIST"

# rm old archive gz tarball to clear up space (-f, not -i: cron has no
# terminal to answer an interactive prompt, so -i would never delete)
   rm -f ROLLUP.$D.tar.gz
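The find, tar and delete steps of the script above, as an added example (not the post's own script) written as a function that can be pointed at any directory, so it can be tried on a scratch directory before it goes anywhere near /usr/local/forcepoint/smc/data/storage/. The function name rollup_archives, its three arguments and the scratch-directory usage are my assumptions, and it assumes GNU find, tar and date. It differs from the post's script in one security-relevant way: nothing is deleted until the tarball has been written and read back successfully, so a tar failure can never cost the only copy of the logs.

```shell
#!/bin/bash
# Added example, not the original post's script. Rolls up *.arch files older
# than DAYS under DIR into OUT_DIR/ROLLUP.<stamp>.tar.gz and deletes the
# originals only after the tarball has been verified. Assumes GNU find/tar/date.

# rollup_archives DIR DAYS OUT_DIR
#   returns 0 and prints the tarball path on success
#   returns 2 when no file is old enough (nothing written, nothing deleted)
#   returns 1 when tar fails (tarball removed, originals untouched)
rollup_archives() {
    local dir="$1" days="$2" out_dir="$3"
    local stamp list tarball
    stamp=$(date +Y%y_Month%m_Day%d_%s)
    tarball="$out_dir/ROLLUP.$stamp.tar.gz"
    list=$(mktemp) || return 1      # private list file, not a fixed /tmp name

    # Paths are collected relative to DIR and NUL-separated, so names with
    # spaces survive and tar does not have to strip leading slashes.
    ( cd "$dir" && find . -name '*.arch' -type f -mtime +"$days" -print0 ) > "$list"
    if [ ! -s "$list" ]; then
        rm -f "$list"
        return 2
    fi

    # Write the tarball, then read it back; either failure leaves the originals alone.
    if ! tar -czf "$tarball" --null -C "$dir" -T "$list" || ! tar -tzf "$tarball" > /dev/null; then
        rm -f "$list" "$tarball"
        return 1
    fi

    # Every listed file is now inside a verified tarball: safe to delete.
    ( cd "$dir" && xargs -0 rm -f < "$list" )
    rm -f "$list"
    printf '%s\n' "$tarball"
}

# Run directly with three arguments, e.g.
#   ./rollup.sh /usr/local/forcepoint/smc/data/storage 180 /var/tmp
if [ "$#" -eq 3 ]; then
    rollup_archives "$1" "$2" "$3"
fi
```

To exercise it safely, create a scratch directory with a few .arch files, age some of them with `touch -d '200 days ago'`, and confirm that only the aged .arch files end up in the tarball and disappear from the directory; the scp step from the post's script then takes the printed tarball path as its source.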



This can help with storage issues, or before you have them. You could even set a trigger based on disk utilization % and have the script fire off if disk usage is 75% or more.

e.g.:



#!/bin/bash
#
# Same rollup, but only when the filesystem holding the SMC logs is 75% full
# or more; mail the SOC list when it fires.
#
   LOG_DIR="/usr/local/forcepoint/smc/data/storage/"

#  percent used on the filesystem that holds LOG_DIR, trailing % stripped
   C=$(df -P "$LOG_DIR" | awk 'NR==2 { print $5 }' | tr -d '%')

if [ "$C" -lt 75 ]; then

  exit 0

else
#  75% or more: alert, then roll up

echo " Disk Usage is High at $C% utilization on $HOSTNAME " | mail -s " LogRoller SMC " socteam_maillist@socpuppets.com

   D=$(date +Y%y_Month%m_Day%d_%s)
#
   H1="<insert the rollup SFTP/SCP server name here>"
   H2="<insert the rollup SFTP/SCP server name here>"
   RUSER="rollupusername"            # authenticates with an SSH key, not a password
   LIST=$(mktemp) || exit 1

#  find all .arch files older than 180 days in the SMC storage directory
   find "$LOG_DIR" -name "*.arch" -type f -mtime +180 > "$LIST"
   [ -s "$LIST" ] || { rm -f "$LIST"; exit 0; }

#  take archive list and create tarball.gz
   tar czvf ROLLUP.$D.tar.gz --files-from "$LIST" || exit 1

#  install at least two rollup destinations before deleting anything locally
   scp ./ROLLUP.$D.tar.gz "$RUSER@$H1:" || exit 1
   scp ./ROLLUP.$D.tar.gz "$RUSER@$H2:" || exit 1

# delete listed files
   xargs -d '\n' rm -f < "$LIST"

#  delete logsarchs catalog text file
   rm -f "$LIST"

# rm old archive gz tarball to clear up space (no -i: cron has no terminal)
   rm -f ROLLUP.$D.tar.gz

fi



Remember that a predefined alert already exists for local Management Server disk usage if the LogServer is local to the Management Server.








NSE ( network security expert) and Route/Switching Engineer
kfelix  -----@---- socpuppets ---  "*"---com
     ^      ^
=(  @  @ )=
         o

        /  \
