PANCast™ Episode 27: The Importance of Making Use of Defender Logs

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
L4 Transporter
No ratings

 

Episode Transcript:

 

John:

Hello, and welcome back to PANCast™. In today's episode, we will discuss Defender logs and we have a special guest. Now Joy you have already been a part of PANCast™ previously but, could you start by telling us a bit more about yourself?

 

Joy:

Hi John, thanks for having me today. This is Joy and I am a Senior Technical Support Engineer for Prisma Cloud ComputeYi Zhao is a Senior Technical Support Engineer backed by years of support proficiency in Cyber Security. She is highly enthusiastic about sharing her knowledge and experience with customers.Yi Zhao is a Senior Technical Support Engineer backed by years of support proficiency in Cyber Security. She is highly enthusiastic about sharing her knowledge and experience with customers. with years of support experience in cyber security. 

 

John:

Thanks Joy. Now the topic for today is Defender logs. Can you tell us about them?

 

Joy:

Sure. First let me give an overview on the product. Prisma Cloud Compute Defender is a container security tool that helps protect your containerized applications from vulnerabilities and threats. 

 

Defender log is an important component of this tool that helps you monitor and troubleshoot issues that may arise within the environment.

 

Today I am here to help you navigate your way through the fascinating world of Defender log files and we will learn together on how Defender log can help with identifying, investigating and intervening! 

 

John:

So Joy, Why are the Defender Logs helpful?

 

Joy:

Well, let us take a look inside the Defender logs. It contains detailed information about various activities and events that occur within the environment as well as the Defender's activities. This information can be used to identify and diagnose issues with the deployment, as well as to track and investigate security incidents.

 

Here are some specific examples of how the Defender log can be useful:

 

First is Identify: by checking Defender logs, it can really offer great help with troubleshooting, the log file can help you identify and troubleshoot issues with your Prisma Cloud deployment. For example, if a container is not being scanned properly, the log file can provide much more information than what’s displayed on the UI about the source of the problem. 

 

John:

Now that we have identified the problem, what happens next?

 

Joy:

Then it comes with Investigate, Defender log also tells a lot about the changes and events that need to be tracked when it comes to auditing within the environment. This is especially important for compliance and regulatory requirements. Imagine now you are the auditor who wants to check which registries have been scanned and which have not, besides only checking on the web console, you can also turn to Defender logs to find out more.

 

What’s even more is that the log file can provide valuable information about security incidents within the environment. For example, if a container is found to be compromised, the log file can help us identify or understand how the attacker gained access and what actions were taken. 

 

Once you have identified and investigated the issue from Defender logs, it is easier for you to intervene and take actions to correct the issues.

 

There are so much more help that defender logs can offer when we utilize Prisma Cloud Compute in our environment, I am pretty sure I wouldn’t be able to list all here but in summary, the Defender log is an important tool for monitoring and troubleshooting issues within the environment, as well as for auditing and investigating security incidents.

 

John:

Great, so Defender logs contain a lot of detail. Can you share any real use cases?

 

Joy:

Okay, for sure real life examples will definitely help us understand better. Now, before we dive into the log file, let's remember that Defender is designed to secure cloud workloads and applications across a variety of environments, including public, private, and hybrid clouds.

 

As with any complex system, things can go wrong. And that's where the Defender log comes in handy for troubleshooting. It's a record of all the events and actions that have taken place within the Defender platform, including information on CPU usage, memory consumption, network connections, and more. When you want to take a closer look at the issue, look no further.

 

John:

So where do we start when looking at the Defender log?

 

Joy:

The first thing you will see in the Defender log after installing Defender is the basic system information. Therefore it is very easy for you to identify whether the hostname, IP and OS information are correct and as expected. Sometimes you might run into issues with Defender installation, it is important to verify the basic system information from the Defender log file to double check whether there is any compatibility issue or if there are any issues with fetching the system information from the container, host or cluster.

 

If everything goes fine with system information loading, the next step Defender is going to perform is to connect to the console via the specified address and port. And this is where sometimes things might go wrong. 

 

You might see errors like “connection refused”, “failed to resolve hostname” or “connection timeout”, these log information is vital to help troubleshoot further because they usually suggest whether the issue is with network setup, DNS setting, wrong hostname or wrong port. If you do see similar errors as above, look no further, I strongly suggest a deeper check on your network environment as well as whether you put the correct console details.

 

John:

So if it is not a connection issue, or it was and is now resolved, what other errors could we see?

 

Joy:

Well I have to say there are many more issues you could see in your real life environment but here let me just take some commonly seen examples. 

 

It is very common for us to use Defenders for registry scan. I am sure you know Prisma Cloud Compute supports multiple different types of registries to be integrated with, therefore sometimes the error might be specific registry related or it can be quite general. Here let’s take an example of one very frequently seen error message which is “x509: certificate signed by unknown authority”.

 

When you see this error in Defender log, it is most likely that you are using a custom certificate in your registry, and the host/cluster where the defenders are installed does not have the correct certificate in place. Although it seems like a difficult issue to resolve, it is actually an easy fix. Regarding how to fix this specific error, please refer to the document I have attached in the “Related Articles” section.

 

John:

Ok, once the registry scan error is fixed,  what else should we look for? For example, if the Defender is facing resource consumption, how do we locate this in the logs?

 

Joy:

In this example, you need to check for a log entry that provides some basic statistics about the Defender platform, including CPU usage, memory consumption, and the number of files and processes being monitored. And guess what, this is already provided in the Defender logs! 

 

All you need to do is to search with keyword “Stats” or “VmRSS” and you will be able to see the performance data of the Defender. It even tells you whether the Defender is connected to the console or not, isn’t this even more helpful? By checking out these loglines, you may also check your own system performance data such as “top”, “ps” and “lsof” which can be used together with Defender log to assist your troubleshooting process.

 

John:

This is good stuff. I had not realized that Defender logs can provide insights only if we knew how they can be applied to various scenarios.  Joy - what would be the key takeaways or lessons learnt?

 

Key Takeaways

 

Joy:

Well let me summarize the key points for the content today.

 

  • First, start by identifying the issue you're having with Defender log. 
  • Second, when you investigate, use tools like grep to filter the log file for specific keywords or phrases. 
  • Finally, intervene by modifying the firewall setting, adjusting the resource allocation, etc, depending on which issue you are facing. 

 

With practice and persistence, you can troubleshoot and fix the issues with Defender log in no time.

 

John:

Thank you, Joy, for sharing how we can use Defender logs for troubleshooting. You can find the transcript and some valuable links on live.paloaltonetworks.com under PANCast™.

 

Joy:

Thank you for having me! I am very certain Defender log will help with troubleshooting in a lot of ways. Do remember the key points and utilize defender log to the most. Hope to join you on another episode of PANCast™!

 

John:

That’s all for today PANCasters and remember if you have any topics you would like covered, please send in your feedback through the Ideas Submission page on LIVEcommunity.

Until next time. Bye!

 

Related Content:

Prisma Cloud  #Defender #Twistlock SaaS Security  

Rate this article:
Comments
L2 Linker

Thank you yizhao@paloaltonetworks.com for the good use cases on defender logs. This will definitely provide more insights on what work/ did not work and what will help us fix them in our environment. 

  • 3922 Views
  • 1 comments
  • 1 Likes
Register or Sign-in
Article Dashboard
Version history
Last Updated:
‎09-27-2023 12:19 PM
Updated by: