Eyeglass Clustered Agent vApp Install Guide (Ransomware Defender for ECS)

Overview

This guide covers installation of the ECA VMs to protect Dell ECS storage. A unified Isilon/PowerScale and Dell ECS installation is also possible, and this guide covers both unified and standalone deployment. ECS-to-ECA forwarding supports active/passive processing with HA and backup ECA VM processing.

Follow this guide after ECA has been deployed for Isilon or PowerScale, or when deploying ECA nodes for ECS only.

ECA Cluster Sizing and Performance Considerations

  1. A single 3 VM ECA cluster can protect up to 4 ECS clusters


Firewall Requirements

NOTE: All other ECA Ransomware Defender ports are required in addition to the ports below. 

| Port | Direction | Comments |
|---|---|---|
| rsyslog TCP 514 | ECS --> ECA VMs (all 6 VMs) | Each ECS node requires these ports open |
| HTTPS TCP 443 | Eyeglass --> ECS management IP | Needed for API access from Eyeglass to managed ECS nodes |


ECS Setup Steps

This procedure must be repeated on each ECS node.

  1. Create an rsyslog file at /etc/rsyslog.d/push-dataheadsvc-access-log.conf following the example below, with the following edits:
    1. Replace the two instances of Target="ip_address" with the IP addresses of your ECA nodes 2 and 3 respectively. The first line (node 2) will be the active listener. The second line will take over if the first ECA VM is down.
    2. Tag="vdc1" will need to be updated if you change the name of your VDC.
#$DebugFile /home/admin/rsyslog.debug
#$DebugLevel 2
module(load="imfile" PollingInterval="1") #needs to be done just once
ruleset(name="ecsaccesslogs") {
    # Active listener: ECA node 2
    action(type="omfwd" Target="172.25.1.6" Port="514" Protocol="tcp")
    # Failover: ECA node 3, used only while the action above is suspended
    action(type="omfwd" Target="172.25.1.7" Port="514" Protocol="tcp"
           action.execOnlyWhenPreviousIsSuspended="on")
    stop
}

# Tail the ECS access log; update Tag if the VDC name changes
input(type="imfile" ruleset="ecsaccesslogs"
      File="/var/log/vipr/emcvipr-object/dataheadsvc-access.log"
      Tag="vdc1"
      Severity="info"
      Facility="local7"
      StateFile="ecstosyslog")

  2. Restart the rsyslog process for the changes to take effect:
    1. sudo systemctl restart rsyslog
  3. NOTE Mandatory: Repeat the above rsyslog configuration on each ECS node in the ECS cluster.
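
One way to check the forwarding file on an ECS node, as an added example that is not part of the original guide and is not Superna or Dell code: it verifies that exactly two omfwd targets exist on TCP 514, that the second is failover-only, and then probes each target. The function names are hypothetical, and the probe assumes bash and the coreutils timeout command are present on the node.

```shell
#!/bin/sh
# Added example, not vendor code: lint the ECS -> ECA forwarding file.
# Assumes the parameter casing used in the guide (Target=, Port=, Protocol=).

# Print each omfwd action(...) on one line; multi-line actions are joined first.
omfwd_actions() {
  sed 's/^[[:space:]]*#.*//' "$1" | tr '\n' ' ' |
    grep -o 'action([^)]*)' | grep 'type="omfwd"'
}

# Print the quoted value of parameter $2 found in action string $1.
param() {
  printf '%s\n' "$1" | sed -n "s/.*[[:space:](]$2=\"\([^\"]*\)\".*/\1/p"
}

# Return 0 only for one active target plus one failover-only target on TCP 514.
lint_forwarding() {
  rc=0; n=0; first=""
  actions=$(omfwd_actions "$1" || true)
  while IFS= read -r a; do
    [ -n "$a" ] || continue
    n=$((n + 1)); t=$(param "$a" Target)
    [ "$(param "$a" Port)" = 514 ] || { echo "action $n ($t): Port is not 514"; rc=1; }
    [ "$(param "$a" Protocol)" = tcp ] || { echo "action $n ($t): Protocol is not tcp"; rc=1; }
    if [ "$n" -eq 1 ]; then first=$t; continue; fi
    [ "$t" != "$first" ] || { echo "action $n: same Target as action 1"; rc=1; }
    [ "$(param "$a" 'action\.execOnlyWhenPreviousIsSuspended')" = on ] ||
      { echo "action $n ($t): not failover-only, would forward in parallel"; rc=1; }
  done <<EOF
$actions
EOF
  [ "$n" -eq 2 ] || { echo "expected 2 omfwd actions, found $n"; rc=1; }
  return "$rc"
}

# Lint the file, run rsyslog's own config check, then probe each target on TCP 514.
main() {
  lint_forwarding "$1" || return 1
  rsyslogd -N1 || return 1
  omfwd_actions "$1" | while IFS= read -r a; do
    t=$(param "$a" Target)
    if timeout 3 bash -c 'exec 3<>"/dev/tcp/$0/514"' "$t"; then
      echo "$t:514 reachable"
    else
      echo "$t:514 NOT reachable"
    fi
  done
}
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Pass the path of the forwarding file as the only argument. A target reported as not reachable points to the TCP 514 firewall rule listed under Firewall Requirements.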


ECA Setup Steps

  1. ECS forwards syslog messages to the ECA VMs running syslog.
  2. Make sure the turboaudit syslog server is enabled in eca-env-common.conf before cluster up:
  3. Log in to ECA node 1.
  4. nano /opt/superna/eca/eca-env-common.conf
    1. Add the line below to the file:
    2. export TURBOAUDIT_ECS_SERVER_ENABLED=true
    3. Press Control+X and answer yes to save.
  5. If the cluster is running, shut it down and restart it:
    1. ecactl cluster down
    2. ecactl cluster up
  6. Done.
  7. Complete licensing and the remaining configuration following the guide here.


© Superna LLC