VEN Logging
The VEN captures logs of its operation and traffic flow summaries locally on the workload. There are several different application log files, each with one backup. An application log is rotated from primary to backup when its size reaches 15 MB. Application log files survive a reboot because they are stored on the workload's disk rather than in memory.
VEN Traffic Logging
The VEN stores traffic flow summaries rather than a record of each individual traffic flow. Each summary record includes:
Source IP
Destination IP
Destination Port
Protocol
Number of connections
Querying Flow Log Databases
The sqlite3 command-line tool, which ships with the VEN, is used to query the flow log databases. Each database exposes the same two views: flow_view (accepted flows) and drop_flow_view (dropped flows). flow.db holds non-aggregated rows and flowsum.db holds aggregated summaries.
Linux/AIX/Solaris Database Query Examples
Query Type | Example |
---|---|
Non-aggregated accepted flows | /opt/illumio_ven/bin/sqlite3 /opt/illumio_ven_data/log/flow.db "select * from flow_view" |
Non-aggregated dropped flows | /opt/illumio_ven/bin/sqlite3 /opt/illumio_ven_data/log/flow.db "select * from drop_flow_view" |
Aggregated accepted flows | /opt/illumio_ven/bin/sqlite3 /opt/illumio_ven_data/log/flowsum.db "select * from flow_view" |
Aggregated dropped flows | /opt/illumio_ven/bin/sqlite3 /opt/illumio_ven_data/log/flowsum.db "select * from drop_flow_view" |
Windows Database Query Examples
Query Type | Example |
---|---|
Non-aggregated accepted flows | "c:\Program Files\Illumio\bin\sqlite.exe" c:\ProgramData\Illumio\log\flow.db "select * from flow_view" |
Non-aggregated dropped flows | "c:\Program Files\Illumio\bin\sqlite.exe" c:\ProgramData\Illumio\log\flow.db "select * from drop_flow_view" |
Aggregated accepted flows | "c:\Program Files\Illumio\bin\sqlite.exe" c:\ProgramData\Illumio\log\flowsum.db "select * from flow_view" |
Aggregated dropped flows | "c:\Program Files\Illumio\bin\sqlite.exe" c:\ProgramData\Illumio\log\flowsum.db "select * from drop_flow_view" |
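The four CLI queries above each dump one view by hand. For a repeatable export (for example to hand the local flow summaries to a collector), the script below wraps the same queries in Python's standard sqlite3 module. This is an added example and is not Illumio code. It reads the column names from the cursor rather than assuming the schema of flow_view and drop_flow_view, which the page does not document; the column names used in build_sample_db are an assumption modelled on the five summary fields listed above and exist only so the script can run offline against a constructed database. It also opens the database read-only through a URI so a query on a live workload cannot take a write lock on the VEN's log.

```python
"""Export the VEN flow-log views to CSV (added example, not Illumio's own code)."""
import csv
import io
import ntpath
import os
import posixpath
import sqlite3
import tempfile
from pathlib import Path

# Default database directories, taken from the query examples on this page.
DB_DIRS = {"posix": "/opt/illumio_ven_data/log", "nt": r"C:\ProgramData\Illumio\log"}
# flow.db = non-aggregated rows, flowsum.db = aggregated summaries; both expose these views.
VIEWS = {"accepted": "flow_view", "dropped": "drop_flow_view"}


def default_db_path(aggregated, platform=os.name):
    """Path of flow.db or flowsum.db for the given platform ("posix" or "nt")."""
    name = "flowsum.db" if aggregated else "flow.db"
    if platform == "nt":
        return ntpath.join(DB_DIRS["nt"], name)
    return posixpath.join(DB_DIRS["posix"], name)


def query_view(db_path, kind):
    """Return every row of the accepted/dropped view as a dict keyed by column name.

    Column names come from the cursor, so nothing here assumes the real schema
    of flow_view / drop_flow_view. The file is opened read-only (mode=ro) so a
    query on a live workload cannot write to, or write-lock, the VEN database.
    """
    view = VIEWS[kind]  # KeyError on anything but "accepted"/"dropped"
    uri = Path(db_path).resolve().as_uri() + "?mode=ro"
    conn = sqlite3.connect(uri, uri=True)
    try:
        conn.row_factory = sqlite3.Row
        return [dict(row) for row in conn.execute(f'SELECT * FROM "{view}"')]
    finally:
        conn.close()


def rows_to_csv(rows):
    """Serialise query rows to CSV text; header is taken from the first row."""
    if not rows:
        return ""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()), lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def build_sample_db(path):
    """Create a CONSTRUCTED stand-in for flowsum.db so the script runs offline.

    ASSUMPTION: the column names mirror the five summary fields the page lists
    (source IP, destination IP, destination port, protocol, connection count);
    the real views shipped with the VEN may use different names.
    """
    conn = sqlite3.connect(path)
    with conn:
        conn.execute(
            "CREATE TABLE flows (src_ip TEXT, dst_ip TEXT, dst_port INTEGER, "
            "proto INTEGER, count INTEGER, dropped INTEGER)"
        )
        conn.executemany("INSERT INTO flows VALUES (?,?,?,?,?,?)", [
            ("10.0.1.5", "10.0.2.10", 443, 6, 120, 0),   # accepted HTTPS
            ("10.0.1.7", "10.0.2.10", 22, 6, 3, 0),      # accepted SSH
            ("10.0.9.9", "10.0.2.10", 3389, 6, 57, 1),   # dropped RDP probe
            ("10.0.9.9", "10.0.2.10", 445, 6, 14, 1),    # dropped SMB probe
        ])
        conn.execute("CREATE VIEW flow_view AS SELECT src_ip, dst_ip, dst_port, proto, count "
                     "FROM flows WHERE dropped = 0")
        conn.execute("CREATE VIEW drop_flow_view AS SELECT src_ip, dst_ip, dst_port, proto, count "
                     "FROM flows WHERE dropped = 1")
    conn.close()
    return path


def demo():
    """Build the constructed database in a temp dir and export both views as CSV."""
    with tempfile.TemporaryDirectory() as tmp:
        db = build_sample_db(os.path.join(tmp, "flowsum.db"))
        return {kind: rows_to_csv(query_view(db, kind)) for kind in VIEWS}


if __name__ == "__main__":
    # On a real workload replace demo() with query_view(default_db_path(True), "dropped").
    for kind, text in demo().items():
        print(f"--- {kind} flows ---\n{text}")
```

On a workload, run it as the same account that owns the VEN data directory (root on Linux/AIX/Solaris, an administrator on Windows); the read-only URI does not grant access the filesystem denies, it only prevents the script from altering the database.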
List of Local Processes
The names of local processes are captured in traffic flow data and stored in the PCE.
OS | Description |
---|---|
Windows | Indicates whether auto resize of the Conntrack table is required. |
Linux, AIX, and Solaris | The VEN polls the list of all processes with listening TCP and UDP ports every 30 seconds and matches inbound connections to process names from that list. Polling on a fixed interval, rather than inspecting every connection as it arrives, keeps the CPU impact low. |
The data can be exported in near-real-time to a Security Information and Event Management (SIEM) or another collector.
VEN Firewall Script Logging
The Illumio firewall scripts log all errors and other key information to the platform.log file. This log file can help Illumio debug issues.
Traffic Flow Query Report
You can generate, schedule, and email reports based on saved and recent Explorer filters. The report is produced as a CSV file that can be downloaded or emailed to the user.