Allow only specific hosts to log to vRealize Log Insight

Today a college of mine was asked by a customer if it would be possible to only allow specific host to send logs to VMware vRealize Log Insight (vRLI).

And as it is running on a Linux platform iptables is built in, so I figured why not?

iptables is a in kernel firewall built in to almost any Linux distribution.

Why would you limit who can send logs to your vRLI. This is not something that I hear many customers ask for, but I can certainly understand why you would not want any host or user without permission to spam you logs. And even though the filtering in vRLI is very good, you could potentially run out of disk space, and miss log that you actually wanted. Also it would be possible for an attacker to disguise his whereabouts with generated false logs. This would not be a foolproof method to avoid this, as I can easily think of a couple of ways to accomplish this anyway.

Well lets get to it.

Start by allowing the traffic from the validated hosts, and block other traffic on port 514. You can use the following commands from the shell or using ssh to the vRLI server.

# We will be adding the allow rules to the input chain
# Run these commands for each IP you want to allow.
iptables -A INPUT -p tcp --dport 514 -s <ip-address> -j ACCEPT
iptables -A INPUT -p udp --dport 514 -s <ip-address> -j ACCEPT

# We are adding both TCP and UDP. It is not strictly nessesary, as we normally only use
# one of the protocols, but you need to make sure that you block both protocols.
# As the default INPUT chain policy is ALLOW on vRLI we need to create drop rules.
iptables -A INPUT -p tcp --dport 514 -j DROP
iptables -A INPUT -p udp --dport 514 -j DROP

# You can easily check the rules for you appliance using this command
iptables -L -n -v

These settings will non survive a reboot, so you will have to save them. Turns out that VMware did their own iptables config, so all the usual methods for making iptables rules persistent will not work.

You have to add your new rules to the file: /opt/vmware/etc/li-iptables.cfg I do not know if these changes will survive a vRLI upgrade.

I recommend taking a backup of the default configuration in case something goes wrong.

# Copy default config
cp /opt/vmware/etc/li-iptables.cfg /opt/vmware/etc/li-iptables.bak

# Save new config
iptables-save > /opt/vmware/etc/li-iptables.cfg

If you later need to add more hosts you will have to insert it before the drop rule, the easiest way to do that is to take a look in the cfg file, and change it using an editor. Afterwards you can load the config by rebooting of just loading the config file manually.

iptables-restore < /opt/vmware/etc/li-iptables.cfg

Hope this was helpful. Remember all changes are at your own risk.

One thought on “Allow only specific hosts to log to vRealize Log Insight”

  1. Editing /etc/systemd/scripts/ip4save also works. It did not survive the last upgrade, however.

Leave a Reply

Your email address will not be published. Required fields are marked *