Access logging for SSMC web and appliance

SSMC can record all HTTP-level and TCP-level access events into log files to support forensic analysis and anomaly detection.

When you enable HTTP access logs, the SSMC web server writes the HTTP access logs to /opt/hpe/ssmc/ssmcbase/data/logs/HTTP_Access_yyyy_mm_dd*.log

When you enable TCP access logs, the IP Tables journal control writes the TCP access logs to /var/log/kern.log

Enable or disable HTTP access logging

To enable HTTP access logs, execute the following command:

sudo /ssmc/bin/config_security.sh -o set_service_http_access -a enable -f

To disable HTTP access logs, execute the following command:

sudo /ssmc/bin/config_security.sh -o set_service_http_access -a disable -f

Here is a sample of the HTTP access log:

192.168.11.24 - - [18/Mar/2020:15:47:07 +0530] "GET / HTTP/1.1" 200 967 
192.168.11.24 - - [18/Mar/2020:15:47:07 +0530] "GET /ssmc/css/ssmc-super-table.css?version=3.7.0.27779 HTTP/1.1" 200 2498 
192.168.11.24 - - [18/Mar/2020:15:47:07 +0530] "GET /ssmc/css/ssmc-overrides.css?version=3.7.0.27779 HTTP/1.1" 200 2195 
192.168.11.24 - - [18/Mar/2020:15:47:07 +0530] "GET /libs/piano/css/compiled/hpe-piano.css?version=3.7.0.27779 HTTP/1.1" 200 94903 
192.168.11.24 - - [18/Mar/2020:15:47:08 +0530] "GET /libs/globalize/globalize.js HTTP/1.1" 200 5637 
192.168.11.24 - - [18/Mar/2020:15:47:08 +0530] "GET /libs/globalize/cultures/globalize.cultures.js HTTP/1.1" 200 91302 

Enable or disable TCP access logging

To enable TCP access logs, execute the following command:

sudo /ssmc/bin/config_security.sh -o set_service_tcp_access -a enable -f

To disable TCP access logs, execute the following command:

sudo /ssmc/bin/config_security.sh -o set_service_tcp_access -a disable -f

Here is a sample of the TCP access log:

Mar 18 15:40:45 ssmc rsyslogd: No UDP socket could successfully be initialized, some functionality may be disabled.  [v8.2001.0]
Mar 18 15:40:45 ssmc rsyslogd: create UDP socket bound to device failed: No such device [v8.2001.0]
Mar 18 15:41:47 ssmc kernel: [764591.964870] New TCP access IN=ens160 OUT= MAC=XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:08:00 SRC=192.168.11.24 DST=192.168.11.100 LEN=52 TOS=0x00 PREC=0x00 TTL=118 ID=14897 DF PROTO=TCP SPT=56556 DPT=22 WINDOW=65392 RES=0x00 SYN URGP=0
Mar 18 15:46:31 ssmc kernel: [764876.769608] New TCP access IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=16354 DF PROTO=TCP SPT=49098 DPT=9200 WINDOW=43690 RES=0x00 SYN URGP=0

NOTE:

The Host access control feature is a prerequisite for TCP access logging: enable it before you enable TCP access logging.

When you enable remote syslog exports, rsyslog emits the HTTP access logs with the local5 facility at DEBUG level, and the TCP access logs with the kern facility at DEBUG level.
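The following Python script is an added example, not part of the SSMC documentation or the product. It parses the two record formats shown above (the Common Log Format lines of the HTTP access log and the iptables "New TCP access" lines in kern.log), skips the rsyslogd messages that share the kernel log file, and produces the kind of summary an analyst would start from: requests per source address, requests answered with 4xx/5xx, and new inbound TCP connections (SYN) per source and destination port, with loopback traffic filtered out. The sample lines are copied from the page except for the two marked as constructed; the 192.0.2.77 address, the /ssmc/does-not-exist path and the port 8443 in those constructed lines are illustrative assumptions only.

```python
"""Parse SSMC HTTP access log lines and iptables TCP access log lines (added example)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# HTTP access log: Common Log Format, as in the HTTP sample on this page.
HTTP_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
# TCP access log: iptables LOG entries in kern.log, prefixed "New TCP access".
TCP_RE = re.compile(r'New TCP access (?P<fields>.+)$')


@dataclass
class HttpEvent:
    src: str
    ts: str
    method: str
    path: str
    status: int


@dataclass
class TcpEvent:
    src: str
    dst: str
    spt: int
    dpt: int
    iface: str   # value of the IN= field
    syn: bool    # True for a new connection attempt (SYN flag present)


def parse_http_line(line: str) -> Optional[HttpEvent]:
    """Return an HttpEvent, or None for lines that are not access records."""
    m = HTTP_RE.match(line.strip())
    if not m:
        return None
    return HttpEvent(m['src'], m['ts'], m['method'], m['path'], int(m['status']))


def parse_tcp_line(line: str) -> Optional[TcpEvent]:
    """Return a TcpEvent, or None for lines without an iptables TCP record
    (for example the rsyslogd startup messages written to the same file)."""
    m = TCP_RE.search(line)
    if not m:
        return None
    kv, flags = {}, set()
    for tok in m['fields'].split():
        if '=' in tok:
            k, v = tok.split('=', 1)   # OUT= yields an empty value
            kv[k] = v
        else:
            flags.add(tok)             # bare tokens such as DF, SYN, ACK
    if kv.get('PROTO') != 'TCP':
        return None
    return TcpEvent(kv['SRC'], kv['DST'], int(kv['SPT']), int(kv['DPT']),
                    kv.get('IN', ''), 'SYN' in flags)


def summarize_http(lines: List[str]) -> Tuple[Counter, List[Tuple[str, int, str]]]:
    """Requests per source address, plus every request answered with 4xx/5xx."""
    events = [e for e in map(parse_http_line, lines) if e]
    per_src = Counter(e.src for e in events)
    errors = [(e.src, e.status, e.path) for e in events if e.status >= 400]
    return per_src, errors


def summarize_tcp(lines: List[str], ignore_loopback: bool = True) -> Counter:
    """New inbound TCP connections (SYN) counted per (source address, destination port)."""
    events = [e for e in map(parse_tcp_line, lines) if e]
    if ignore_loopback:
        events = [e for e in events if e.iface != 'lo']
    return Counter((e.src, e.dpt) for e in events if e.syn)


# Sample input: the first two lines are copied from the HTTP sample on this page;
# the third is constructed to show a request answered with 404.
HTTP_SAMPLE = [
    '192.168.11.24 - - [18/Mar/2020:15:47:07 +0530] "GET / HTTP/1.1" 200 967',
    '192.168.11.24 - - [18/Mar/2020:15:47:07 +0530] "GET /ssmc/css/ssmc-overrides.css?version=3.7.0.27779 HTTP/1.1" 200 2195',
    '192.0.2.77 - - [18/Mar/2020:15:52:10 +0530] "GET /ssmc/does-not-exist HTTP/1.1" 404 312',  # constructed
]
# Sample input: the rsyslogd line and the first two kernel lines are from the TCP sample
# on this page; the last kernel line is constructed (address and port chosen for illustration).
TCP_SAMPLE = [
    'Mar 18 15:40:45 ssmc rsyslogd: create UDP socket bound to device failed: No such device [v8.2001.0]',
    'Mar 18 15:41:47 ssmc kernel: [764591.964870] New TCP access IN=ens160 OUT= MAC=XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:08:00 SRC=192.168.11.24 DST=192.168.11.100 LEN=52 TOS=0x00 PREC=0x00 TTL=118 ID=14897 DF PROTO=TCP SPT=56556 DPT=22 WINDOW=65392 RES=0x00 SYN URGP=0',
    'Mar 18 15:46:31 ssmc kernel: [764876.769608] New TCP access IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=16354 DF PROTO=TCP SPT=49098 DPT=9200 WINDOW=43690 RES=0x00 SYN URGP=0',
    'Mar 18 15:48:02 ssmc kernel: [764967.123456] New TCP access IN=ens160 OUT= MAC=XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:08:00 SRC=192.0.2.77 DST=192.168.11.100 LEN=52 TOS=0x00 PREC=0x00 TTL=118 ID=14898 DF PROTO=TCP SPT=56600 DPT=8443 WINDOW=65392 RES=0x00 SYN URGP=0',  # constructed
]

if __name__ == '__main__':
    per_src, errors = summarize_http(HTTP_SAMPLE)
    print('HTTP requests per source:', dict(per_src))
    print('HTTP error responses:', errors)
    print('New TCP connections (non-loopback):', dict(summarize_tcp(TCP_SAMPLE)))
```

To run it against real files, replace the embedded samples with the lines of HTTP_Access_yyyy_mm_dd*.log and /var/log/kern.log. Loopback is excluded by default because the IN=lo records (such as the port 9200 line above) reflect the appliance's own internal traffic rather than remote access; pass ignore_loopback=False to keep them.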