Eyeglass All Product Installation and Upgrade Guides Publication

Eyeglass Clustered Agent vApp Install Guide (Ransomware Defender for ECS)

Overview

This guide covers installation of the ECA VMs that protect Dell ECS storage. A unified Isilon/PowerScale and Dell ECS installation is also possible, and this guide covers both unified and standalone deployment. ECS-to-ECA forwarding supports active/passive processing, with HA and backup ECA VM processing.

Follow this guide after ECA has been deployed for Isilon or PowerScale, or when deploying ECA nodes for ECS only.

ECA Cluster Sizing and Performance Considerations

  1. A single 3 VM ECA cluster can protect up to 4 ECS clusters


Firewall Requirements

NOTE: All other ECA Ransomware Defender ports are required in addition to the ports below. 

| Port | Direction | Comments |
|---|---|---|
| rsyslog TCP 514 | ECS --> ECA VMs (all 6 VMs) | Each ECS node requires these ports open |
| HTTPS TCP 443 | Eyeglass --> ECS management IP | Needed for API access from Eyeglass to managed ECS nodes |


ECS Setup Steps

NOTE: The syslog path does not depend on the ECS version. Use whichever of the two paths below contains valid syslog output.

SSH to the ECS cluster and check both log paths:

cat /var/log/vipr/emcvipr-object/dataheadsvc-access.log
cat /opt/emc/caspian/fabric/agent/services/object/main/log/dataheadsvc-access.log 

Set the correct log path (the "File" parameter in the ECS syslog configuration below).
This procedure must be repeated on each ECS node:
Logged in as admin, create an rsyslog file at /etc/rsyslog.d/push-dataheadsvc-access-log.conf by running:

sudo vi /etc/rsyslog.d/push-dataheadsvc-access-log.conf

Follow the example below with the following edits:

Replace the two instances of Target="ip_address" with the IP addresses of your ECA nodes 2 and 3 respectively. The first line (node 2) will be the active listener.
The second line will take over if the first ECA VM is down.

Tag="vdc1" will need to be updated if you change the name of your VDC.

#$DebugFile /home/admin/rsyslog.debug
#$DebugLevel 2
module(load="imfile" PollingInterval="1") # needs to be done just once
ruleset(name="ecsaccesslogs") {
    # ECA node 2: active listener
    action(type="omfwd" Target="172.25.1.6" Port="514" Protocol="tcp")
    # ECA node 3: used only while the previous action is suspended
    action(type="omfwd" Target="172.25.1.7" Port="514" Protocol="tcp"
           action.execOnlyWhenPreviousIsSuspended="on")
    stop
}

# Tail the ECS access log and hand each line to the ruleset above
input(type="imfile" ruleset="ecsaccesslogs"
      File="/var/log/vipr/emcvipr-object/dataheadsvc-access.log"
      Tag="vdc1"
      Severity="info"
      Facility="local7")


Restart the rsyslog process for the changes to take effect

sudo systemctl restart rsyslog 

Check the rsyslog process status:

sudo systemctl status rsyslog 

NOTE (mandatory): Repeat the above rsyslog configuration on each ECS node in the ECS cluster.

Example of a configuration with 6 ECA nodes

#$DebugFile /home/admin/rsyslog.debug
#$DebugLevel 2
module(load="imfile" PollingInterval="1") # needs to be done just once
ruleset(name="ecsaccesslogs") {
    action(type="omfwd" Target="172.25.1.6" Port="514" Protocol="tcp")
    action(type="omfwd" Target="172.25.1.7" Port="514" Protocol="tcp"
           action.execOnlyWhenPreviousIsSuspended="on")
    action(type="omfwd" Target="172.25.1.8" Port="514" Protocol="tcp"
           action.execOnlyWhenPreviousIsSuspended="on")
    action(type="omfwd" Target="172.25.1.9" Port="514" Protocol="tcp"
           action.execOnlyWhenPreviousIsSuspended="on")
    action(type="omfwd" Target="172.25.1.10" Port="514" Protocol="tcp"
           action.execOnlyWhenPreviousIsSuspended="on")
    stop
}

input(type="imfile" ruleset="ecsaccesslogs"
      File="/var/log/vipr/emcvipr-object/dataheadsvc-access.log"
      Tag="vdc1"
      Severity="info"
      Facility="local7")
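
Added example, not part of the Superna guide: a shell lint for the rsyslog configurations above. It lists each omfwd target and confirms that only the first action is unconditional, because a backup action that lacks action.execOnlyWhenPreviousIsSuspended="on" receives every message in parallel instead of standing by. The function names and the constructed sample are assumptions of this example, and probe_targets assumes bash and timeout are installed on the ECS node.

```shell
#!/bin/sh
# Added example (not vendor code). Assumes every omfwd action in the file
# belongs to one failover chain.

# Print "target port mode" for each omfwd action, in file order.
list_omfwd_actions() {
    sed 's/#.*//' "$1" | tr '\n' ' ' | grep -o 'action([^)]*)' |
    grep 'type="omfwd"' | while IFS= read -r act; do
        target=$(printf '%s\n' "$act" | sed -n 's/.*Target="\([^"]*\)".*/\1/p')
        port=$(printf '%s\n' "$act" | sed -n 's/.*Port="\([^"]*\)".*/\1/p')
        mode=always
        case $act in
            *'action.execOnlyWhenPreviousIsSuspended="on"'*) mode=failover ;;
        esac
        echo "$target $port $mode"
    done
}

# Succeed only if the first action is unconditional and all later ones are failover.
check_failover_chain() {
    list_omfwd_actions "$1" | awk '
        NR == 1 && $3 != "always"   { print $1 ": first action should be unconditional"; bad = 1 }
        NR > 1  && $3 != "failover" { print $1 ": not a failover action, receives every message"; bad = 1 }
        END { if (NR == 0) { print "no omfwd actions found"; bad = 1 }
              exit bad + 0 }'
}

# Live check from an ECS node: is each target's TCP port reachable?
probe_targets() {
    list_omfwd_actions "$1" | while read -r host port _; do
        if timeout 3 bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$host" "$port" 2>/dev/null
        then echo "$host:$port reachable"
        else echo "$host:$port UNREACHABLE"
        fi
    done
}

# Constructed sample: the backup action is missing the failover flag.
sample_conf() {
    cat <<'EOF'
ruleset(name="ecsaccesslogs") {
action(type="omfwd" Target="172.25.1.6" Port="514" Protocol="tcp")
action(type="omfwd" Target="172.25.1.7" Port="514" Protocol="tcp") stop
}
EOF
}
conf=${1:-}   # pass the real config path, or omit it to lint the sample
[ -n "$conf" ] || { conf=$(mktemp); sample_conf > "$conf"; }
check_failover_chain "$conf" && echo "failover chain OK" || echo "fix before restarting rsyslog"
```

Pass /etc/rsyslog.d/push-dataheadsvc-access-log.conf as the first argument to lint the real file, and call probe_targets on it to confirm TCP 514 is open to each ECA node.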

ECA Setup Steps

  1. ECS forwards syslog messages to the ECA VMs running syslog.
  2. Make sure the turboaudit syslog server is enabled in eca-env-common.conf before cluster up:
  3. Log in to ECA node 1.
  4. nano /opt/superna/eca/eca-env-common.conf
    1. Add the variables below to the file:
    2. export TURBOAUDIT_ECS_SERVER_ENABLED=true
    3. export RSW_ONLY_CFG=true
    4. Press Control+X and answer yes to save.
  5. If the cluster is running, shut it down and restart it:
    1. ecactl cluster down
    2. ecactl cluster up --skip-validation
  6. Done.
  7. Complete licensing and the remaining configuration following the guide here.


© Superna Inc